| Repository | antonputra / tutorials |
|---|---|
| Description | DevOps Tutorials |
| Stars | 1629 |
| Failed Checks | Security Scanning |
| Scan Date | 2023-10-30 17:57:40 |
Security Scanning
This repository failed the Experience Builder Terraform Module's Security Scanning validation: no security scanning tool was found in any of the CI/CD configuration files in the repository.

There is an opportunity to:

- Remediate the findings identified by one of the recommended Terraform security scanning tools (example checkov output found below)
- Implement one of the security scanning tools within the CI/CD framework used by the repository

Note that the warnings at the top of the checkov output mean the external registry and git modules (VPC, EKS, IAM, Prometheus) were not fetched, so the pass/fail totals cover only resources declared directly in the repository. Re-running with `--download-external-modules true` scans the module code as well and will change those totals.
Checkov Output
2023-10-05 14:39:34,859 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/eks/aws//modules/karpenter:19.10.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:39:34,859 [MainThread ] [WARNI] Failed to download module github.com/aws-ia/terraform-aws-eks-blueprints?ref=v4.25.0:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:39:34,859 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/vpc/aws:3.19.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:39:34,860 [MainThread ] [WARNI] Failed to download module github.com/aws-ia/terraform-aws-eks-blueprints//modules/kubernetes-addons?ref=v4.25.0:2.4.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:39:34,860 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/vpc/aws:4.0.2 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:39:34,860 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/eks/aws:19.15.1 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:39:34,860 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/vpc/aws:4.0.1 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:39:34,860 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/eks/aws:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:39:34,863 [MainThread ] [WARNI] Failed to download module git@github.com:antonputra/terraform-aws-prometheus.git//?ref=v0.0.1:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:39:34,864 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/vpc/aws:5.0.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:39:34,864 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/iam/aws//modules/iam-policy:5.3.1 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:39:34,865 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/iam/aws//modules/iam-assumable-role:5.3.1 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:39:34,865 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/iam/aws//modules/iam-user:5.3.1 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:39:34,865 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/iam/aws//modules/iam-group-with-policies:5.3.1 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:39:34,866 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks:5.3.1 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:39:34,866 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/vpc/aws:3.14.3 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:39:34,866 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/eks/aws:18.29.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:39:34,866 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/eks/aws:19.15.3 (for external modules, the --download-external-modules flag is required)
terraform scan results:
Passed checks: 2617, Failed checks: 1131, Skipped checks: 0, Parsing errors: 1
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.nginx
File: /lessons/014/main.tf:13-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
13 | resource "aws_security_group" "nginx" {
14 | name = "nginx_access"
15 | vpc_id = local.vpc_id
16 |
17 | ingress {
18 | from_port = 22
19 | to_port = 22
20 | protocol = "tcp"
21 | cidr_blocks = ["0.0.0.0/0"]
22 | }
23 |
24 | ingress {
25 | from_port = 80
26 | to_port = 80
27 | protocol = "tcp"
28 | cidr_blocks = ["0.0.0.0/0"]
29 | }
30 |
31 | egress {
32 | from_port = 0
33 | to_port = 0
34 | protocol = "-1"
35 | cidr_blocks = ["0.0.0.0/0"]
36 | }
37 | }
Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
FAILED for resource: aws_security_group.nginx
File: /lessons/014/main.tf:13-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
13 | resource "aws_security_group" "nginx" {
14 | name = "nginx_access"
15 | vpc_id = local.vpc_id
16 |
17 | ingress {
18 | from_port = 22
19 | to_port = 22
20 | protocol = "tcp"
21 | cidr_blocks = ["0.0.0.0/0"]
22 | }
23 |
24 | ingress {
25 | from_port = 80
26 | to_port = 80
27 | protocol = "tcp"
28 | cidr_blocks = ["0.0.0.0/0"]
29 | }
30 |
31 | egress {
32 | from_port = 0
33 | to_port = 0
34 | protocol = "-1"
35 | cidr_blocks = ["0.0.0.0/0"]
36 | }
37 | }
Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
FAILED for resource: aws_security_group.nginx
File: /lessons/014/main.tf:13-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-1-port-security.html
13 | resource "aws_security_group" "nginx" {
14 | name = "nginx_access"
15 | vpc_id = local.vpc_id
16 |
17 | ingress {
18 | from_port = 22
19 | to_port = 22
20 | protocol = "tcp"
21 | cidr_blocks = ["0.0.0.0/0"]
22 | }
23 |
24 | ingress {
25 | from_port = 80
26 | to_port = 80
27 | protocol = "tcp"
28 | cidr_blocks = ["0.0.0.0/0"]
29 | }
30 |
31 | egress {
32 | from_port = 0
33 | to_port = 0
34 | protocol = "-1"
35 | cidr_blocks = ["0.0.0.0/0"]
36 | }
37 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.nginx
File: /lessons/014/main.tf:39-60
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
39 | resource "aws_instance" "nginx" {
40 | ami = "ami-0dba2cb6798deb6d8"
41 | subnet_id = "subnet-060a1ae52cf0a73d6"
42 | instance_type = "t2.micro"
43 | associate_public_ip_address = true
44 | security_groups = [aws_security_group.nginx.id]
45 | key_name = local.key_name
46 |
47 | provisioner "remote-exec" {
48 | inline = ["echo 'Wait until SSH is ready'"]
49 |
50 | connection {
51 | type = "ssh"
52 | user = local.ssh_user
53 | private_key = file(local.private_key_path)
54 | host = aws_instance.nginx.public_ip
55 | }
56 | }
57 | provisioner "local-exec" {
58 | command = "ansible-playbook -i ${aws_instance.nginx.public_ip}, --private-key ${local.private_key_path} nginx.yaml"
59 | }
60 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.nginx
File: /lessons/014/main.tf:39-60
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
39 | resource "aws_instance" "nginx" {
40 | ami = "ami-0dba2cb6798deb6d8"
41 | subnet_id = "subnet-060a1ae52cf0a73d6"
42 | instance_type = "t2.micro"
43 | associate_public_ip_address = true
44 | security_groups = [aws_security_group.nginx.id]
45 | key_name = local.key_name
46 |
47 | provisioner "remote-exec" {
48 | inline = ["echo 'Wait until SSH is ready'"]
49 |
50 | connection {
51 | type = "ssh"
52 | user = local.ssh_user
53 | private_key = file(local.private_key_path)
54 | host = aws_instance.nginx.public_ip
55 | }
56 | }
57 | provisioner "local-exec" {
58 | command = "ansible-playbook -i ${aws_instance.nginx.public_ip}, --private-key ${local.private_key_path} nginx.yaml"
59 | }
60 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.nginx
File: /lessons/014/main.tf:39-60
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
39 | resource "aws_instance" "nginx" {
40 | ami = "ami-0dba2cb6798deb6d8"
41 | subnet_id = "subnet-060a1ae52cf0a73d6"
42 | instance_type = "t2.micro"
43 | associate_public_ip_address = true
44 | security_groups = [aws_security_group.nginx.id]
45 | key_name = local.key_name
46 |
47 | provisioner "remote-exec" {
48 | inline = ["echo 'Wait until SSH is ready'"]
49 |
50 | connection {
51 | type = "ssh"
52 | user = local.ssh_user
53 | private_key = file(local.private_key_path)
54 | host = aws_instance.nginx.public_ip
55 | }
56 | }
57 | provisioner "local-exec" {
58 | command = "ansible-playbook -i ${aws_instance.nginx.public_ip}, --private-key ${local.private_key_path} nginx.yaml"
59 | }
60 | }
Check: CKV_AWS_88: "EC2 instance should not have public IP."
FAILED for resource: aws_instance.nginx
File: /lessons/014/main.tf:39-60
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/public-policies/public-12.html
39 | resource "aws_instance" "nginx" {
40 | ami = "ami-0dba2cb6798deb6d8"
41 | subnet_id = "subnet-060a1ae52cf0a73d6"
42 | instance_type = "t2.micro"
43 | associate_public_ip_address = true
44 | security_groups = [aws_security_group.nginx.id]
45 | key_name = local.key_name
46 |
47 | provisioner "remote-exec" {
48 | inline = ["echo 'Wait until SSH is ready'"]
49 |
50 | connection {
51 | type = "ssh"
52 | user = local.ssh_user
53 | private_key = file(local.private_key_path)
54 | host = aws_instance.nginx.public_ip
55 | }
56 | }
57 | provisioner "local-exec" {
58 | command = "ansible-playbook -i ${aws_instance.nginx.public_ip}, --private-key ${local.private_key_path} nginx.yaml"
59 | }
60 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.nginx
File: /lessons/014/main.tf:39-60
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
39 | resource "aws_instance" "nginx" {
40 | ami = "ami-0dba2cb6798deb6d8"
41 | subnet_id = "subnet-060a1ae52cf0a73d6"
42 | instance_type = "t2.micro"
43 | associate_public_ip_address = true
44 | security_groups = [aws_security_group.nginx.id]
45 | key_name = local.key_name
46 |
47 | provisioner "remote-exec" {
48 | inline = ["echo 'Wait until SSH is ready'"]
49 |
50 | connection {
51 | type = "ssh"
52 | user = local.ssh_user
53 | private_key = file(local.private_key_path)
54 | host = aws_instance.nginx.public_ip
55 | }
56 | }
57 | provisioner "local-exec" {
58 | command = "ansible-playbook -i ${aws_instance.nginx.public_ip}, --private-key ${local.private_key_path} nginx.yaml"
59 | }
60 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.nginx
File: /lessons/020/main.tf:118-145
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
118 | resource "aws_security_group" "nginx" {
119 | name = "nginx"
120 | description = "Access for Nginx"
121 | vpc_id = aws_vpc.main.id
122 |
123 | ingress {
124 | description = "Web Access"
125 | from_port = 80
126 | to_port = 80
127 | protocol = "tcp"
128 | cidr_blocks = ["0.0.0.0/0"]
129 | }
130 |
131 | ingress {
132 | description = "SSH Access"
133 | from_port = 22
134 | to_port = 22
135 | protocol = "tcp"
136 | cidr_blocks = ["0.0.0.0/0"]
137 | }
138 |
139 | egress {
140 | from_port = 0
141 | to_port = 0
142 | protocol = "-1"
143 | cidr_blocks = ["0.0.0.0/0"]
144 | }
145 | }
Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
FAILED for resource: aws_security_group.nginx
File: /lessons/020/main.tf:118-145
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
118 | resource "aws_security_group" "nginx" {
119 | name = "nginx"
120 | description = "Access for Nginx"
121 | vpc_id = aws_vpc.main.id
122 |
123 | ingress {
124 | description = "Web Access"
125 | from_port = 80
126 | to_port = 80
127 | protocol = "tcp"
128 | cidr_blocks = ["0.0.0.0/0"]
129 | }
130 |
131 | ingress {
132 | description = "SSH Access"
133 | from_port = 22
134 | to_port = 22
135 | protocol = "tcp"
136 | cidr_blocks = ["0.0.0.0/0"]
137 | }
138 |
139 | egress {
140 | from_port = 0
141 | to_port = 0
142 | protocol = "-1"
143 | cidr_blocks = ["0.0.0.0/0"]
144 | }
145 | }
Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
FAILED for resource: aws_security_group.nginx
File: /lessons/020/main.tf:118-145
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-1-port-security.html
118 | resource "aws_security_group" "nginx" {
119 | name = "nginx"
120 | description = "Access for Nginx"
121 | vpc_id = aws_vpc.main.id
122 |
123 | ingress {
124 | description = "Web Access"
125 | from_port = 80
126 | to_port = 80
127 | protocol = "tcp"
128 | cidr_blocks = ["0.0.0.0/0"]
129 | }
130 |
131 | ingress {
132 | description = "SSH Access"
133 | from_port = 22
134 | to_port = 22
135 | protocol = "tcp"
136 | cidr_blocks = ["0.0.0.0/0"]
137 | }
138 |
139 | egress {
140 | from_port = 0
141 | to_port = 0
142 | protocol = "-1"
143 | cidr_blocks = ["0.0.0.0/0"]
144 | }
145 | }
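The three security-group findings for lessons 014 and 020 share one fix. The resource below is an added example, not code from the antonputra/tutorials repository, showing a replacement for `aws_security_group.nginx` (written against the lesson 020 version) that passes CKV_AWS_23, CKV_AWS_24 and CKV_AWS_260; `var.admin_cidrs` and `aws_security_group.alb` are assumed inputs that the lessons do not define.

```hcl
# Added example, not the repository's own code.
# Assumed: var.admin_cidrs (operator source ranges) and aws_security_group.alb
# (a load balancer security group in front of nginx) exist in this configuration.

variable "admin_cidrs" {
  description = "Source ranges allowed to reach SSH (assumption: corporate VPN egress)"
  type        = list(string)
  default     = ["203.0.113.0/24"] # TEST-NET-3, placeholder only
}

resource "aws_security_group" "nginx" {
  name        = "nginx"
  description = "Access for Nginx"
  vpc_id      = aws_vpc.main.id

  # CKV_AWS_24: SSH is never open to 0.0.0.0/0. A restricted source CIDR is
  # what the check tests for; a bastion or SSM Session Manager would let the
  # rule be removed entirely.
  ingress {
    description = "SSH from administrator ranges only"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = var.admin_cidrs
  }

  # CKV_AWS_260: port 80 is reachable only from the load balancer's security
  # group. Referencing a group instead of a CIDR keeps the rule correct when
  # the load balancer's addresses change.
  ingress {
    description     = "HTTP from the load balancer only"
    from_port       = 80
    to_port         = 80
    protocol        = "tcp"
    security_groups = [aws_security_group.alb.id]
  }

  # CKV_AWS_23 covers every rule, egress included; the lesson 020 egress rule
  # is the one that had no description.
  egress {
    description = "All outbound (package repositories, Ansible callbacks)"
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```

Two details worth noticing. CKV_AWS_23 still fails on lesson 020 even though both ingress blocks carry a `description`, because the check covers every rule and the egress rule has none. And where a lesson intentionally serves HTTP straight to the internet, record that decision rather than weakening the scanner: an inline `#checkov:skip=CKV_AWS_260:<reason>` comment inside the resource block moves the finding to the skipped list, where it stays visible in the summary.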
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.nginx
File: /lessons/020/main.tf:149-158
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
149 | resource "aws_instance" "nginx" {
150 | ami = "ami-0dba2cb6798deb6d8"
151 | instance_type = "t2.micro"
152 | vpc_security_group_ids = [aws_security_group.nginx.id]
153 | key_name = "devops"
154 |
155 | tags = {
156 | Name = "Nginx"
157 | }
158 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.nginx
File: /lessons/020/main.tf:149-158
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
149 | resource "aws_instance" "nginx" {
150 | ami = "ami-0dba2cb6798deb6d8"
151 | instance_type = "t2.micro"
152 | vpc_security_group_ids = [aws_security_group.nginx.id]
153 | key_name = "devops"
154 |
155 | tags = {
156 | Name = "Nginx"
157 | }
158 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.nginx
File: /lessons/020/main.tf:149-158
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
149 | resource "aws_instance" "nginx" {
150 | ami = "ami-0dba2cb6798deb6d8"
151 | instance_type = "t2.micro"
152 | vpc_security_group_ids = [aws_security_group.nginx.id]
153 | key_name = "devops"
154 |
155 | tags = {
156 | Name = "Nginx"
157 | }
158 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.nginx
File: /lessons/020/main.tf:149-158
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
149 | resource "aws_instance" "nginx" {
150 | ami = "ami-0dba2cb6798deb6d8"
151 | instance_type = "t2.micro"
152 | vpc_security_group_ids = [aws_security_group.nginx.id]
153 | key_name = "devops"
154 |
155 | tags = {
156 | Name = "Nginx"
157 | }
158 | }
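The same instance findings recur for every `aws_instance` in the report (lessons 014 and 020 above, and lessons 040, 053 and 063 further down). The block below is an added example, not the repository's code, written against the lesson 020 resource; `aws_subnet.private_1`, `aws_security_group.nginx` and the `aws_kms_key.ebs` resource it declares are assumptions, and the AMI and key name are the lesson's own.

```hcl
# Added example, not the repository's own code. Clears CKV_AWS_8, CKV_AWS_79,
# CKV_AWS_88, CKV_AWS_126 and CKV_AWS_135 as reported for the lesson instances.
# Assumed: aws_subnet.private_1 and aws_security_group.nginx exist here.

resource "aws_kms_key" "ebs" {
  description         = "CMK for EBS volumes (assumed resource, not in the lessons)"
  enable_key_rotation = true
}

resource "aws_instance" "nginx" {
  ami           = "ami-0dba2cb6798deb6d8"
  instance_type = "t3.micro" # t2 instances cannot be EBS-optimized; t3 can

  # CKV_AWS_88: private subnet and no public address. Port 80 is reached
  # through the load balancer, port 22 through a bastion or SSM.
  subnet_id                   = aws_subnet.private_1.id
  associate_public_ip_address = false

  # Inside a VPC use vpc_security_group_ids; the `security_groups` argument
  # is the EC2-Classic / default-VPC form (lesson 014 uses it with a subnet_id).
  vpc_security_group_ids = [aws_security_group.nginx.id]
  key_name               = "devops"

  # CKV_AWS_79: IMDSv2 only. With http_tokens = "required" a plain GET to
  # http://169.254.169.254/latest/meta-data/ is refused until the caller has
  # obtained a session token with a PUT, so an SSRF in the web tier cannot
  # read the credentials of any IAM role attached to the instance.
  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required"
    http_put_response_hop_limit = 1
  }

  # CKV_AWS_8: encrypt the root volume (repeat for any ebs_block_device).
  root_block_device {
    encrypted  = true
    kms_key_id = aws_kms_key.ebs.arn
  }

  monitoring    = true # CKV_AWS_126: 1-minute CloudWatch metrics
  ebs_optimized = true # CKV_AWS_135

  tags = {
    Name = "Nginx"
  }
}
```

`http_tokens = "required"` is the one setting here that closes an attack path rather than a reporting gap: with IMDSv1 still on, a GET-based SSRF in the web tier can fetch `http://169.254.169.254/latest/meta-data/iam/security-credentials/` and walk away with the instance role's keys, whereas IMDSv2 demands a PUT with a custom header first. The hop limit of 1 also stops containers on the host that use a bridged network from reaching the metadata service; raise it to 2 only if they need it.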
Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
FAILED for resource: aws_eks_cluster.eks
File: /lessons/038/terraform/eks.tf:42-74
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
42 | resource "aws_eks_cluster" "eks" {
43 | # Name of the cluster.
44 | name = "eks"
45 |
46 | # The Amazon Resource Name (ARN) of the IAM role that provides permissions for
47 | # the Kubernetes control plane to make calls to AWS API operations on your behalf
48 | role_arn = aws_iam_role.eks_cluster.arn
49 |
50 | # Desired Kubernetes master version
51 | version = "1.18"
52 |
53 | vpc_config {
54 | # Indicates whether or not the Amazon EKS private API server endpoint is enabled
55 | endpoint_private_access = false
56 |
57 | # Indicates whether or not the Amazon EKS public API server endpoint is enabled
58 | endpoint_public_access = true
59 |
60 | # Must be in at least two different availability zones
61 | subnet_ids = [
62 | aws_subnet.public_1.id,
63 | aws_subnet.public_2.id,
64 | aws_subnet.private_1.id,
65 | aws_subnet.private_2.id
66 | ]
67 | }
68 |
69 | # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
70 | # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
71 | depends_on = [
72 | aws_iam_role_policy_attachment.amazon_eks_cluster_policy
73 | ]
74 | }
Check: CKV_AWS_37: "Ensure Amazon EKS control plane logging enabled for all log types"
FAILED for resource: aws_eks_cluster.eks
File: /lessons/038/terraform/eks.tf:42-74
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-4.html
42 | resource "aws_eks_cluster" "eks" {
43 | # Name of the cluster.
44 | name = "eks"
45 |
46 | # The Amazon Resource Name (ARN) of the IAM role that provides permissions for
47 | # the Kubernetes control plane to make calls to AWS API operations on your behalf
48 | role_arn = aws_iam_role.eks_cluster.arn
49 |
50 | # Desired Kubernetes master version
51 | version = "1.18"
52 |
53 | vpc_config {
54 | # Indicates whether or not the Amazon EKS private API server endpoint is enabled
55 | endpoint_private_access = false
56 |
57 | # Indicates whether or not the Amazon EKS public API server endpoint is enabled
58 | endpoint_public_access = true
59 |
60 | # Must be in at least two different availability zones
61 | subnet_ids = [
62 | aws_subnet.public_1.id,
63 | aws_subnet.public_2.id,
64 | aws_subnet.private_1.id,
65 | aws_subnet.private_2.id
66 | ]
67 | }
68 |
69 | # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
70 | # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
71 | depends_on = [
72 | aws_iam_role_policy_attachment.amazon_eks_cluster_policy
73 | ]
74 | }
Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
FAILED for resource: aws_eks_cluster.eks
File: /lessons/038/terraform/eks.tf:42-74
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
42 | resource "aws_eks_cluster" "eks" {
43 | # Name of the cluster.
44 | name = "eks"
45 |
46 | # The Amazon Resource Name (ARN) of the IAM role that provides permissions for
47 | # the Kubernetes control plane to make calls to AWS API operations on your behalf
48 | role_arn = aws_iam_role.eks_cluster.arn
49 |
50 | # Desired Kubernetes master version
51 | version = "1.18"
52 |
53 | vpc_config {
54 | # Indicates whether or not the Amazon EKS private API server endpoint is enabled
55 | endpoint_private_access = false
56 |
57 | # Indicates whether or not the Amazon EKS public API server endpoint is enabled
58 | endpoint_public_access = true
59 |
60 | # Must be in at least two different availability zones
61 | subnet_ids = [
62 | aws_subnet.public_1.id,
63 | aws_subnet.public_2.id,
64 | aws_subnet.private_1.id,
65 | aws_subnet.private_2.id
66 | ]
67 | }
68 |
69 | # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
70 | # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
71 | depends_on = [
72 | aws_iam_role_policy_attachment.amazon_eks_cluster_policy
73 | ]
74 | }
Check: CKV_AWS_339: "Ensure EKS clusters run on a supported Kubernetes version"
FAILED for resource: aws_eks_cluster.eks
File: /lessons/038/terraform/eks.tf:42-74
42 | resource "aws_eks_cluster" "eks" {
43 | # Name of the cluster.
44 | name = "eks"
45 |
46 | # The Amazon Resource Name (ARN) of the IAM role that provides permissions for
47 | # the Kubernetes control plane to make calls to AWS API operations on your behalf
48 | role_arn = aws_iam_role.eks_cluster.arn
49 |
50 | # Desired Kubernetes master version
51 | version = "1.18"
52 |
53 | vpc_config {
54 | # Indicates whether or not the Amazon EKS private API server endpoint is enabled
55 | endpoint_private_access = false
56 |
57 | # Indicates whether or not the Amazon EKS public API server endpoint is enabled
58 | endpoint_public_access = true
59 |
60 | # Must be in at least two different availability zones
61 | subnet_ids = [
62 | aws_subnet.public_1.id,
63 | aws_subnet.public_2.id,
64 | aws_subnet.private_1.id,
65 | aws_subnet.private_2.id
66 | ]
67 | }
68 |
69 | # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
70 | # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
71 | depends_on = [
72 | aws_iam_role_policy_attachment.amazon_eks_cluster_policy
73 | ]
74 | }
Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
FAILED for resource: aws_eks_cluster.eks
File: /lessons/038/terraform/eks.tf:42-74
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
42 | resource "aws_eks_cluster" "eks" {
43 | # Name of the cluster.
44 | name = "eks"
45 |
46 | # The Amazon Resource Name (ARN) of the IAM role that provides permissions for
47 | # the Kubernetes control plane to make calls to AWS API operations on your behalf
48 | role_arn = aws_iam_role.eks_cluster.arn
49 |
50 | # Desired Kubernetes master version
51 | version = "1.18"
52 |
53 | vpc_config {
54 | # Indicates whether or not the Amazon EKS private API server endpoint is enabled
55 | endpoint_private_access = false
56 |
57 | # Indicates whether or not the Amazon EKS public API server endpoint is enabled
58 | endpoint_public_access = true
59 |
60 | # Must be in at least two different availability zones
61 | subnet_ids = [
62 | aws_subnet.public_1.id,
63 | aws_subnet.public_2.id,
64 | aws_subnet.private_1.id,
65 | aws_subnet.private_2.id
66 | ]
67 | }
68 |
69 | # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
70 | # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
71 | depends_on = [
72 | aws_iam_role_policy_attachment.amazon_eks_cluster_policy
73 | ]
74 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.public_1
File: /lessons/038/terraform/subnets.tf:4-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
4 | resource "aws_subnet" "public_1" {
5 | # The VPC ID.
6 | vpc_id = aws_vpc.main.id
7 |
8 | # The CIDR block for the subnet.
9 | cidr_block = "192.168.0.0/18"
10 |
11 | # The AZ for the subnet.
12 | availability_zone = "us-east-1a"
13 |
14 | # Required for EKS. Instances launched into the subnet should be assigned a public IP address.
15 | map_public_ip_on_launch = true
16 |
17 | # A map of tags to assign to the resource.
18 | tags = {
19 | Name = "public-us-east-1a"
20 | "kubernetes.io/cluster/eks" = "shared"
21 | "kubernetes.io/role/elb" = 1
22 | }
23 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.public_2
File: /lessons/038/terraform/subnets.tf:25-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
25 | resource "aws_subnet" "public_2" {
26 | # The VPC ID
27 | vpc_id = aws_vpc.main.id
28 |
29 | # The CIDR block for the subnet.
30 | cidr_block = "192.168.64.0/18"
31 |
32 | # The AZ for the subnet.
33 | availability_zone = "us-east-1b"
34 |
35 | # Required for EKS. Instances launched into the subnet should be assigned a public IP address.
36 | map_public_ip_on_launch = true
37 |
38 | # A map of tags to assign to the resource.
39 | tags = {
40 | Name = "public-us-east-1b"
41 | "kubernetes.io/cluster/eks" = "shared"
42 | "kubernetes.io/role/elb" = 1
43 | }
44 | }
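The cluster findings (CKV_AWS_37, CKV_AWS_38, CKV_AWS_39, CKV_AWS_58, CKV_AWS_339) and the subnet finding (CKV_AWS_130) for lesson 038 are addressed together below, since the endpoint and subnet decisions depend on each other. This is an added example, not the repository's code; it keeps the lesson's resource names and assumes `aws_vpc.main`, `aws_subnet.private_1`/`private_2`, `aws_iam_role.eks_cluster` and `aws_iam_role_policy_attachment.amazon_eks_cluster_policy` exist as in the lesson, while `var.kubernetes_version`, `var.admin_cidrs` and `aws_kms_key.eks_secrets` are new.

```hcl
# Added example, not the repository's own code. Lesson 038's cluster and one
# public subnet reworked to clear CKV_AWS_37/38/39/58/339 and CKV_AWS_130.
# Assumed: aws_vpc.main, aws_subnet.private_1, aws_subnet.private_2,
# aws_iam_role.eks_cluster and the cluster policy attachment exist as in the lesson.

variable "kubernetes_version" {
  description = "Must be on the current EKS support list; 1.18 is no longer supported"
  type        = string
  default     = "1.28" # supported at the time of this scan (2023-10); check the EKS calendar
}

variable "admin_cidrs" {
  description = "Source ranges allowed to reach the public API endpoint, if it stays enabled"
  type        = list(string)
  default     = ["203.0.113.0/24"] # TEST-NET-3, placeholder only
}

resource "aws_kms_key" "eks_secrets" {
  description         = "Envelope-encrypts Kubernetes Secrets in etcd (CKV_AWS_58)"
  enable_key_rotation = true
}

resource "aws_subnet" "public_1" {
  vpc_id            = aws_vpc.main.id
  cidr_block        = "192.168.0.0/18"
  availability_zone = "us-east-1a"

  # CKV_AWS_130: the public subnets host only load balancers, which get their
  # public addresses from the ELB service, not from this flag. Worker nodes
  # live in the private subnets, so auto-assign stays off.
  map_public_ip_on_launch = false

  tags = {
    Name                        = "public-us-east-1a"
    "kubernetes.io/cluster/eks" = "shared"
    "kubernetes.io/role/elb"    = 1
  }
}

resource "aws_eks_cluster" "eks" {
  name     = "eks"
  role_arn = aws_iam_role.eks_cluster.arn
  version  = var.kubernetes_version # CKV_AWS_339

  # CKV_AWS_37: all five control-plane log types. "audit" records who called
  # the Kubernetes API and is the one incident response needs.
  enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]

  # CKV_AWS_58
  encryption_config {
    provider {
      key_arn = aws_kms_key.eks_secrets.arn
    }
    resources = ["secrets"]
  }

  vpc_config {
    # CKV_AWS_39: the API is reached from inside the VPC (VPN, bastion, or a
    # CI runner in the VPC).
    endpoint_private_access = true
    endpoint_public_access  = false

    # If the public endpoint must stay on for now, restrict it instead;
    # CKV_AWS_38 only needs this list to exclude 0.0.0.0/0:
    # endpoint_public_access = true
    # public_access_cidrs    = var.admin_cidrs

    subnet_ids = [
      aws_subnet.public_1.id,
      aws_subnet.public_2.id,
      aws_subnet.private_1.id,
      aws_subnet.private_2.id
    ]
  }

  depends_on = [
    aws_iam_role_policy_attachment.amazon_eks_cluster_policy
  ]
}
```

Turning the public endpoint off only works if whatever runs `kubectl` and Terraform can reach the VPC; the commented `public_access_cidrs` variant is the intermediate step that satisfies CKV_AWS_38 while that access path is built. `map_public_ip_on_launch = false` on the public subnets is safe here because the lesson already has private subnets for the nodes; a node group placed in a public subnet without auto-assigned addresses cannot reach the API and never joins. `aws_subnet.public_2` gets the same change.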
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.server
File: /lessons/040/main.tf:4-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
4 | resource "aws_instance" "server" {
5 | # The AMI to use for the instance.
6 | ami = var.ami
7 |
8 | # The type of instance to start.
9 | instance_type = "t2.micro"
10 |
11 | lifecycle {
12 | create_before_destroy = true
13 | ignore_changes = [tags]
14 | }
15 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.server
File: /lessons/040/main.tf:4-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
4 | resource "aws_instance" "server" {
5 | # The AMI to use for the instance.
6 | ami = var.ami
7 |
8 | # The type of instance to start.
9 | instance_type = "t2.micro"
10 |
11 | lifecycle {
12 | create_before_destroy = true
13 | ignore_changes = [tags]
14 | }
15 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.server
File: /lessons/040/main.tf:4-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
4 | resource "aws_instance" "server" {
5 | # The AMI to use for the instance.
6 | ami = var.ami
7 |
8 | # The type of instance to start.
9 | instance_type = "t2.micro"
10 |
11 | lifecycle {
12 | create_before_destroy = true
13 | ignore_changes = [tags]
14 | }
15 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.server
File: /lessons/040/main.tf:4-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
4 | resource "aws_instance" "server" {
5 | # The AMI to use for the instance.
6 | ami = var.ami
7 |
8 | # The type of instance to start.
9 | instance_type = "t2.micro"
10 |
11 | lifecycle {
12 | create_before_destroy = true
13 | ignore_changes = [tags]
14 | }
15 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.ubuntu
File: /lessons/053/infra-2/main.tf:20-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
20 | resource "aws_instance" "ubuntu" {
21 | ami = "ami-013f17f36f8b1fefb"
22 | instance_type = "t3.micro"
23 | subnet_id = "subnet-07fc2d0816e1f6100"
24 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.ubuntu
File: /lessons/053/infra-2/main.tf:20-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
20 | resource "aws_instance" "ubuntu" {
21 | ami = "ami-013f17f36f8b1fefb"
22 | instance_type = "t3.micro"
23 | subnet_id = "subnet-07fc2d0816e1f6100"
24 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.ubuntu
File: /lessons/053/infra-2/main.tf:20-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
20 | resource "aws_instance" "ubuntu" {
21 | ami = "ami-013f17f36f8b1fefb"
22 | instance_type = "t3.micro"
23 | subnet_id = "subnet-07fc2d0816e1f6100"
24 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.ubuntu
File: /lessons/053/infra-2/main.tf:20-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
20 | resource "aws_instance" "ubuntu" {
21 | ami = "ami-013f17f36f8b1fefb"
22 | instance_type = "t3.micro"
23 | subnet_id = "subnet-07fc2d0816e1f6100"
24 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.blue[0]
File: /lessons/063/blue.tf:3-18
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
3 | resource "aws_instance" "blue" {
4 | count = var.enable_blue_env ? var.blue_instance_count : 0
5 |
6 | ami = local.ubuntu_ami
7 | instance_type = "t2.micro"
8 | subnet_id = local.private_a_subnet_id
9 | vpc_security_group_ids = [aws_security_group.web.id]
10 |
11 | user_data = templatefile("./init-script.sh", {
12 | file_content = "blue version 1.2 - ${count.index}"
13 | })
14 |
15 | tags = {
16 | Name = "blue version 1.2 - ${count.index}"
17 | }
18 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.blue[0]
File: /lessons/063/blue.tf:3-18
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
3 | resource "aws_instance" "blue" {
4 | count = var.enable_blue_env ? var.blue_instance_count : 0
5 |
6 | ami = local.ubuntu_ami
7 | instance_type = "t2.micro"
8 | subnet_id = local.private_a_subnet_id
9 | vpc_security_group_ids = [aws_security_group.web.id]
10 |
11 | user_data = templatefile("./init-script.sh", {
12 | file_content = "blue version 1.2 - ${count.index}"
13 | })
14 |
15 | tags = {
16 | Name = "blue version 1.2 - ${count.index}"
17 | }
18 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.blue[0]
File: /lessons/063/blue.tf:3-18
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
3 | resource "aws_instance" "blue" {
4 | count = var.enable_blue_env ? var.blue_instance_count : 0
5 |
6 | ami = local.ubuntu_ami
7 | instance_type = "t2.micro"
8 | subnet_id = local.private_a_subnet_id
9 | vpc_security_group_ids = [aws_security_group.web.id]
10 |
11 | user_data = templatefile("./init-script.sh", {
12 | file_content = "blue version 1.2 - ${count.index}"
13 | })
14 |
15 | tags = {
16 | Name = "blue version 1.2 - ${count.index}"
17 | }
18 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.blue[0]
File: /lessons/063/blue.tf:3-18
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
3 | resource "aws_instance" "blue" {
4 | count = var.enable_blue_env ? var.blue_instance_count : 0
5 |
6 | ami = local.ubuntu_ami
7 | instance_type = "t2.micro"
8 | subnet_id = local.private_a_subnet_id
9 | vpc_security_group_ids = [aws_security_group.web.id]
10 |
11 | user_data = templatefile("./init-script.sh", {
12 | file_content = "blue version 1.2 - ${count.index}"
13 | })
14 |
15 | tags = {
16 | Name = "blue version 1.2 - ${count.index}"
17 | }
18 | }
Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
FAILED for resource: aws_lb_target_group.blue
File: /lessons/063/blue.tf:22-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks.html
22 | resource "aws_lb_target_group" "blue" {
23 | name = "blue-tg-blue-lb"
24 | port = 80
25 | protocol = "HTTP"
26 | vpc_id = local.vpc_id
27 |
28 | health_check {
29 | port = 80
30 | protocol = "HTTP"
31 | timeout = 5
32 | interval = 10
33 | }
34 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.blue[1]
File: /lessons/063/blue.tf:3-18
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
3 | resource "aws_instance" "blue" {
4 | count = var.enable_blue_env ? var.blue_instance_count : 0
5 |
6 | ami = local.ubuntu_ami
7 | instance_type = "t2.micro"
8 | subnet_id = local.private_a_subnet_id
9 | vpc_security_group_ids = [aws_security_group.web.id]
10 |
11 | user_data = templatefile("./init-script.sh", {
12 | file_content = "blue version 1.2 - ${count.index}"
13 | })
14 |
15 | tags = {
16 | Name = "blue version 1.2 - ${count.index}"
17 | }
18 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.blue[1]
File: /lessons/063/blue.tf:3-18
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
3 | resource "aws_instance" "blue" {
4 | count = var.enable_blue_env ? var.blue_instance_count : 0
5 |
6 | ami = local.ubuntu_ami
7 | instance_type = "t2.micro"
8 | subnet_id = local.private_a_subnet_id
9 | vpc_security_group_ids = [aws_security_group.web.id]
10 |
11 | user_data = templatefile("./init-script.sh", {
12 | file_content = "blue version 1.2 - ${count.index}"
13 | })
14 |
15 | tags = {
16 | Name = "blue version 1.2 - ${count.index}"
17 | }
18 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.blue[1]
File: /lessons/063/blue.tf:3-18
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
3 | resource "aws_instance" "blue" {
4 | count = var.enable_blue_env ? var.blue_instance_count : 0
5 |
6 | ami = local.ubuntu_ami
7 | instance_type = "t2.micro"
8 | subnet_id = local.private_a_subnet_id
9 | vpc_security_group_ids = [aws_security_group.web.id]
10 |
11 | user_data = templatefile("./init-script.sh", {
12 | file_content = "blue version 1.2 - ${count.index}"
13 | })
14 |
15 | tags = {
16 | Name = "blue version 1.2 - ${count.index}"
17 | }
18 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.blue[1]
File: /lessons/063/blue.tf:3-18
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
3 | resource "aws_instance" "blue" {
4 | count = var.enable_blue_env ? var.blue_instance_count : 0
5 |
6 | ami = local.ubuntu_ami
7 | instance_type = "t2.micro"
8 | subnet_id = local.private_a_subnet_id
9 | vpc_security_group_ids = [aws_security_group.web.id]
10 |
11 | user_data = templatefile("./init-script.sh", {
12 | file_content = "blue version 1.2 - ${count.index}"
13 | })
14 |
15 | tags = {
16 | Name = "blue version 1.2 - ${count.index}"
17 | }
18 | }
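The four EC2 findings above (CKV_AWS_8, CKV_AWS_79, CKV_AWS_126, CKV_AWS_135) repeat for aws_instance.ubuntu in lessons/053/infra-2/main.tf and for both copies of aws_instance.blue in lessons/063/blue.tf, and they have the same fix. The block below is an added example, not code from the antonputra/tutorials repository: it is the lesson 063 "blue" resource with the four attributes checkov wants. The KMS key resource is assumed (the AWS-managed aws/ebs key also satisfies CKV_AWS_8), and the instance type is moved from t2.micro to t3.micro because the t2 family does not support EBS optimization, so `ebs_optimized = true` would fail at apply time. Of the four, CKV_AWS_79 is the one with real attack-surface impact: with IMDSv1 reachable, any SSRF in the application can read the instance role's credentials from 169.254.169.254.

```hcl
# Added example: hardened form of lessons/063/blue.tf (not the repository's own code).
# Assumed: aws_kms_key.ebs below; every other reference is the one from the lesson.

resource "aws_kms_key" "ebs" {
  description         = "CMK for EBS root volumes (assumed; aws/ebs default key also passes CKV_AWS_8)"
  enable_key_rotation = true
}

resource "aws_instance" "blue" {
  count = var.enable_blue_env ? var.blue_instance_count : 0

  ami                    = local.ubuntu_ami
  instance_type          = "t3.micro" # t2.* cannot be EBS-optimized; t3 (Nitro) can
  subnet_id              = local.private_a_subnet_id
  vpc_security_group_ids = [aws_security_group.web.id]

  ebs_optimized = true # CKV_AWS_135
  monitoring    = true # CKV_AWS_126: 1-minute CloudWatch metrics

  # CKV_AWS_79: IMDSv2 only. A plain GET to /latest/meta-data/ (the IMDSv1 call that
  # SSRF payloads use) is rejected; a PUT to obtain a session token is required first,
  # and hop limit 1 keeps containers behind a bridge network from reaching IMDS at all.
  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required"
    http_put_response_hop_limit = 1
  }

  # CKV_AWS_8: encrypt the root volume with the CMK above.
  root_block_device {
    encrypted  = true
    kms_key_id = aws_kms_key.ebs.arn
  }

  user_data = templatefile("./init-script.sh", {
    file_content = "blue version 1.2 - ${count.index}"
  })

  tags = {
    Name = "blue version 1.2 - ${count.index}"
  }
}
```

Two caveats before applying this to a running fleet: anything on the host that still uses IMDSv1 (old SDKs, hand-rolled curl in init scripts) breaks the moment `http_tokens` flips to `required`, so check the `MetadataNoToken` CloudWatch metric first; and a hop limit of 1 blocks IMDS for containers that use bridge networking, which is usually what you want on a plain web server but not on a Docker host that expects task credentials from IMDS.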
Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
FAILED for resource: aws_lb_target_group.green
File: /lessons/063/green.tf:22-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks.html
22 | resource "aws_lb_target_group" "green" {
23 | name = "green-tg-green-lb"
24 | port = 80
25 | protocol = "HTTP"
26 | vpc_id = local.vpc_id
27 |
28 | health_check {
29 | port = 80
30 | protocol = "HTTP"
31 | timeout = 5
32 | interval = 10
33 | }
34 | }
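Both target groups (aws_lb_target_group.blue and .green in lessons/063) fail CKV_AWS_261 even though they have a health_check block: the block sets port, protocol, timeout and interval but never says which request the ALB should send or which response counts as healthy. The assumption here is that the check wants the request path spelled out for HTTP/HTTPS groups. The following is an added example, not the repository's own code; the "/healthz" path is assumed and should be an endpoint that exercises the app without touching the database.

```hcl
# Added example: explicit health check for the lessons/063 green target group
# (the blue one takes the identical block). The /healthz path is assumed.
resource "aws_lb_target_group" "green" {
  name     = "green-tg-green-lb"
  port     = 80
  protocol = "HTTP"
  vpc_id   = local.vpc_id

  health_check {
    enabled             = true
    path                = "/healthz"     # what the ALB requests (assumed endpoint)
    port                = "traffic-port" # probe the port traffic is actually sent to
    protocol            = "HTTP"
    matcher             = "200"          # anything else pulls the target out of rotation
    timeout             = 5
    interval            = 10
    healthy_threshold   = 3
    unhealthy_threshold = 3
  }
}
```

Why this matters beyond a passing check: in a blue/green cutover the health check is the only thing stopping the weighted listener from sending a slice of production traffic to an instance whose init script half-finished. With `path` defaulted to "/" and no matcher, a target that serves a 302 to a login page or a 500 error page can still look healthy depending on the framework, so pin both.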
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.web
File: /lessons/063/main.tf:40-59
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
40 | resource "aws_security_group" "web" {
41 | name = "web-sg"
42 | description = "Security group for web-servers with HTTP ports open within VPC"
43 | vpc_id = local.vpc_id
44 |
45 | ingress {
46 | from_port = 80
47 | to_port = 80
48 | protocol = "tcp"
49 | cidr_blocks = ["0.0.0.0/0"]
50 | }
51 |
52 | egress {
53 | from_port = 0
54 | to_port = 0
55 | protocol = "-1"
56 | cidr_blocks = ["0.0.0.0/0"]
57 | ipv6_cidr_blocks = ["::/0"]
58 | }
59 | }
Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
FAILED for resource: aws_security_group.web
File: /lessons/063/main.tf:40-59
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
40 | resource "aws_security_group" "web" {
41 | name = "web-sg"
42 | description = "Security group for web-servers with HTTP ports open within VPC"
43 | vpc_id = local.vpc_id
44 |
45 | ingress {
46 | from_port = 80
47 | to_port = 80
48 | protocol = "tcp"
49 | cidr_blocks = ["0.0.0.0/0"]
50 | }
51 |
52 | egress {
53 | from_port = 0
54 | to_port = 0
55 | protocol = "-1"
56 | cidr_blocks = ["0.0.0.0/0"]
57 | ipv6_cidr_blocks = ["::/0"]
58 | }
59 | }
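CKV_AWS_23 and CKV_AWS_260 both fire on aws_security_group.web in lessons/063/main.tf, and the underlying design problem is that one group is shared by the public ALB (aws_lb.app) and the instances behind it, so the instances inherit the 0.0.0.0/0 rule. The added example below (not the repository's own code) splits it into an ALB-facing group and an instance group that only admits traffic from the ALB group, gives every rule a description, and uses standalone aws_security_group_rule resources so the two groups can reference each other without a Terraform dependency cycle. The ALB still needs port 80 from anywhere if it is going to redirect HTTP to HTTPS, so that one rule carries a checkov skip with its justification rather than silently widening the instance group again. `aws_lb.app` must then point at `aws_security_group.alb`.

```hcl
# Added example: least-privilege replacement for lessons/063 aws_security_group.web.
# Assumed: the ALB redirects 80 to 443 (hence the documented skip on the port-80 rule).

resource "aws_security_group" "alb" {
  name        = "alb-sg"
  description = "Public ALB: HTTPS from the Internet, HTTP only for the redirect"
  vpc_id      = local.vpc_id
}

resource "aws_security_group" "web" {
  name        = "web-sg"
  description = "Web servers: HTTP only from the ALB security group"
  vpc_id      = local.vpc_id
}

resource "aws_security_group_rule" "alb_in_https" {
  description       = "HTTPS from clients"
  type              = "ingress"
  security_group_id = aws_security_group.alb.id
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
  ipv6_cidr_blocks  = ["::/0"]
}

resource "aws_security_group_rule" "alb_in_http_redirect" {
  #checkov:skip=CKV_AWS_260:Port 80 on the ALB only serves the 301 redirect to HTTPS
  description       = "HTTP from clients, redirected to HTTPS by the listener"
  type              = "ingress"
  security_group_id = aws_security_group.alb.id
  from_port         = 80
  to_port           = 80
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
  ipv6_cidr_blocks  = ["::/0"]
}

# For egress rules source_security_group_id is the destination group.
resource "aws_security_group_rule" "alb_out_web" {
  description              = "Forward only to the web targets"
  type                     = "egress"
  security_group_id        = aws_security_group.alb.id
  from_port                = 80
  to_port                  = 80
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.web.id
}

resource "aws_security_group_rule" "web_in_alb" {
  description              = "HTTP from the ALB only; no path from the Internet to the instances"
  type                     = "ingress"
  security_group_id        = aws_security_group.web.id
  from_port                = 80
  to_port                  = 80
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.alb.id
}

resource "aws_security_group_rule" "web_out_https" {
  description       = "Outbound HTTPS for package updates (assumed; narrow to a proxy or VPC endpoints if available)"
  type              = "egress"
  security_group_id = aws_security_group.web.id
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
}
```

The original egress rule was protocol "-1" to 0.0.0.0/0 and ::/0, which is what lets a compromised instance reach any C2 endpoint on any port; restricting egress to 443 is the cheapest containment control on this page, and the `description` fields are what make a later `aws ec2 describe-security-group-rules` readable during an incident.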
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
FAILED for resource: aws_lb.app
File: /lessons/063/main.tf:64-73
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers.html
64 | resource "aws_lb" "app" {
65 | name = "app-lb"
66 | internal = false
67 | load_balancer_type = "application"
68 | subnets = [
69 | local.public_a_subnet_id,
70 | local.public_b_subnet_id
71 | ]
72 | security_groups = [aws_security_group.web.id]
73 | }
Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
FAILED for resource: aws_lb.app
File: /lessons/063/main.tf:64-73
Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62
64 | resource "aws_lb" "app" {
65 | name = "app-lb"
66 | internal = false
67 | load_balancer_type = "application"
68 | subnets = [
69 | local.public_a_subnet_id,
70 | local.public_b_subnet_id
71 | ]
72 | security_groups = [aws_security_group.web.id]
73 | }
Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
FAILED for resource: aws_lb.app
File: /lessons/063/main.tf:64-73
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22.html
64 | resource "aws_lb" "app" {
65 | name = "app-lb"
66 | internal = false
67 | load_balancer_type = "application"
68 | subnets = [
69 | local.public_a_subnet_id,
70 | local.public_b_subnet_id
71 | ]
72 | security_groups = [aws_security_group.web.id]
73 | }
Check: CKV_AWS_2: "Ensure ALB protocol is HTTPS"
FAILED for resource: aws_lb_listener.app
File: /lessons/063/main.tf:77-102
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-29.html
77 | resource "aws_lb_listener" "app" {
78 | load_balancer_arn = aws_lb.app.arn
79 | port = "80"
80 | protocol = "HTTP"
81 |
82 | default_action {
83 | type = "forward"
84 | # target_group_arn = aws_lb_target_group.blue.arn
85 | forward {
86 | target_group {
87 | arn = aws_lb_target_group.blue.arn
88 | weight = lookup(local.traffic_dist_map[var.traffic_distribution], "blue", 100)
89 | }
90 |
91 | target_group {
92 | arn = aws_lb_target_group.green.arn
93 | weight = lookup(local.traffic_dist_map[var.traffic_distribution], "green", 0)
94 | }
95 |
96 | stickiness {
97 | enabled = false
98 | duration = 1
99 | }
100 | }
101 | }
102 | }
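The three aws_lb.app findings (CKV_AWS_131, CKV_AWS_150, CKV_AWS_91) and the listener finding (CKV_AWS_2) from lessons/063/main.tf are fixed together below. This is an added example, not the repository's code: the access-log bucket, its name and the `certificate_arn` variable are assumed, and the weighted blue/green forward action is carried over unchanged so the deployment behaviour stays as in the lesson. ALB log delivery in the standard commercial regions is done by the regional ELB service account exposed by the `aws_elb_service_account` data source; opt-in regions use a service principal instead, which is a caveat to check before copying the bucket policy.

```hcl
# Added example: hardened ALB and listeners for lessons/063/main.tf (not the repo's code).
# Assumed: the log bucket below and var.certificate_arn (an ACM certificate in the ALB's region).

data "aws_caller_identity" "current" {}
data "aws_elb_service_account" "main" {}

resource "aws_s3_bucket" "alb_logs" {
  bucket = "app-lb-access-logs-${data.aws_caller_identity.current.account_id}"
}

resource "aws_s3_bucket_policy" "alb_logs" {
  bucket = aws_s3_bucket.alb_logs.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { AWS = data.aws_elb_service_account.main.arn }
      Action    = "s3:PutObject"
      Resource  = "${aws_s3_bucket.alb_logs.arn}/alb/AWSLogs/${data.aws_caller_identity.current.account_id}/*"
    }]
  })
}

resource "aws_lb" "app" {
  name               = "app-lb"
  internal           = false
  load_balancer_type = "application"
  subnets            = [local.public_a_subnet_id, local.public_b_subnet_id]
  security_groups    = [aws_security_group.web.id]

  drop_invalid_header_fields = true # CKV_AWS_131: malformed header names never reach the targets
  enable_deletion_protection = true # CKV_AWS_150: destroying the ALB now needs an explicit flag change

  access_logs { # CKV_AWS_91: client IP, request, TLS cipher and target per request
    bucket  = aws_s3_bucket.alb_logs.id
    prefix  = "alb"
    enabled = true
  }
}

# CKV_AWS_2: TLS terminates on the ALB. The weighted forward is the lesson's, unchanged.
resource "aws_lb_listener" "app" {
  load_balancer_arn = aws_lb.app.arn
  port              = "443"
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = var.certificate_arn

  default_action {
    type = "forward"
    forward {
      target_group {
        arn    = aws_lb_target_group.blue.arn
        weight = lookup(local.traffic_dist_map[var.traffic_distribution], "blue", 100)
      }
      target_group {
        arn    = aws_lb_target_group.green.arn
        weight = lookup(local.traffic_dist_map[var.traffic_distribution], "green", 0)
      }
      stickiness {
        enabled  = false
        duration = 1
      }
    }
  }
}

# Port 80 stays open only to bounce clients to HTTPS; an HTTP listener whose default
# action is a redirect to HTTPS is accepted by the CKV_AWS_2 check.
resource "aws_lb_listener" "redirect" {
  load_balancer_arn = aws_lb.app.arn
  port              = "80"
  protocol          = "HTTP"

  default_action {
    type = "redirect"
    redirect {
      port        = "443"
      protocol    = "HTTPS"
      status_code = "HTTP_301"
    }
  }
}

variable "certificate_arn" {
  type = string
}
```

Expect the new bucket to attract its own checkov findings (encryption, versioning, public-access block, logging); those are real and worth fixing but are outside the ALB checks this example answers. `drop_invalid_header_fields` is the one setting here that changes application behaviour: the ALB silently removes any header whose name is not valid per RFC 7230, so a client or legacy proxy that relies on an odd header name will lose it.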
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: google_compute_subnetwork.private
File: /lessons/069/terraform/3-vpc.tf:11-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
11 | resource "google_compute_subnetwork" "private" {
12 | name = "private"
13 | project = google_compute_shared_vpc_host_project.host.project
14 | ip_cidr_range = "10.5.0.0/20"
15 | region = local.region
16 | network = google_compute_network.main.self_link
17 | private_ip_google_access = true
18 |
19 | # secondary_ip_range {
20 | # range_name = "pod-ip-range"
21 | # ip_cidr_range = "10.0.0.0/14"
22 | # }
23 |
24 | # secondary_ip_range {
25 | # range_name = "services-ip-range"
26 | # ip_cidr_range = "10.4.0.0/19"
27 | # }
28 |
29 | dynamic "secondary_ip_range" {
30 | for_each = local.secondary_ip_ranges
31 |
32 | content {
33 | range_name = secondary_ip_range.key
34 | ip_cidr_range = secondary_ip_range.value
35 | }
36 | }
37 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: google_compute_subnetwork.private
File: /lessons/069/terraform/3-vpc.tf:11-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
11 | resource "google_compute_subnetwork" "private" {
12 | name = "private"
13 | project = google_compute_shared_vpc_host_project.host.project
14 | ip_cidr_range = "10.5.0.0/20"
15 | region = local.region
16 | network = google_compute_network.main.self_link
17 | private_ip_google_access = true
18 |
19 | # secondary_ip_range {
20 | # range_name = "pod-ip-range"
21 | # ip_cidr_range = "10.0.0.0/14"
22 | # }
23 |
24 | # secondary_ip_range {
25 | # range_name = "services-ip-range"
26 | # ip_cidr_range = "10.4.0.0/19"
27 | # }
28 |
29 | dynamic "secondary_ip_range" {
30 | for_each = local.secondary_ip_ranges
31 |
32 | content {
33 | range_name = secondary_ip_range.key
34 | ip_cidr_range = secondary_ip_range.value
35 | }
36 | }
37 | }
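CKV_GCP_26 and CKV_GCP_76 both target google_compute_subnetwork.private in lessons/069/terraform/3-vpc.tf, and the same subnet is half of CKV_GCP_61 further down (flow logs on the subnet, intranode visibility on the cluster). The added example below is not the repository's own code; it keeps the lesson's subnet and adds the two attributes checkov looks for. Whether `private_ipv6_google_access` has any runtime effect depends on the subnet being dual-stack, which this lesson's subnet is not, so treat that line as satisfying the check rather than changing traffic; the flow-log settings are the ones that actually give you something to investigate with.

```hcl
# Added example: lessons/069 private subnet with VPC Flow Logs and IPv6 Private Google Access.
# Assumed: flow_sampling of 0.5 (tune down on busy subnets; logs are billed by volume).
resource "google_compute_subnetwork" "private" {
  name                     = "private"
  project                  = google_compute_shared_vpc_host_project.host.project
  ip_cidr_range            = "10.5.0.0/20"
  region                   = local.region
  network                  = google_compute_network.main.self_link
  private_ip_google_access = true

  # CKV_GCP_76: IPv6 path to Google APIs without leaving Google's network.
  private_ipv6_google_access = "ENABLE_OUTBOUND_VM_ACCESS_TO_GOOGLE"

  # CKV_GCP_26 / CKV_GCP_61 (subnet side): 5-tuple flow records for node and pod traffic,
  # with GKE metadata (pod, namespace) attached so a record maps back to a workload.
  log_config {
    aggregation_interval = "INTERVAL_5_SEC"
    flow_sampling        = 0.5
    metadata             = "INCLUDE_ALL_METADATA"
  }

  dynamic "secondary_ip_range" {
    for_each = local.secondary_ip_ranges

    content {
      range_name    = secondary_ip_range.key
      ip_cidr_range = secondary_ip_range.value
    }
  }
}
```

Flow logs only record what crosses the VPC fabric, so without the cluster-side `enable_intranode_visibility` two pods on the same node talking to each other never appear; that is the reason CKV_GCP_61 checks both resources.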
Check: CKV_GCP_66: "Ensure use of Binary Authorization"
FAILED for resource: google_container_cluster.gke
File: /lessons/069/terraform/7-kubernetes.tf:9-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/ensure-use-of-binary-authorization.html
9 | resource "google_container_cluster" "gke" {
10 | name = "gke"
11 | location = local.region
12 | project = local.service_project_id
13 |
14 | networking_mode = "VPC_NATIVE"
15 | network = google_compute_network.main.self_link
16 | subnetwork = google_compute_subnetwork.private.self_link
17 |
18 | remove_default_node_pool = true
19 | initial_node_count = 1
20 |
21 | release_channel {
22 | channel = "REGULAR"
23 | }
24 |
25 | ip_allocation_policy {
26 | cluster_secondary_range_name = "pod-ip-range"
27 | services_secondary_range_name = "services-ip-range"
28 | }
29 |
30 | network_policy {
31 | provider = "PROVIDER_UNSPECIFIED"
32 | enabled = true
33 | }
34 |
35 | private_cluster_config {
36 | enable_private_endpoint = false
37 | enable_private_nodes = true
38 | master_ipv4_cidr_block = "172.16.0.0/28"
39 | }
40 |
41 | workload_identity_config {
42 | identity_namespace = "${google_project.k8s-staging.project_id}.svc.id.goog"
43 | }
44 |
45 | }
Check: CKV_GCP_24: "Ensure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters"
FAILED for resource: google_container_cluster.gke
File: /lessons/069/terraform/7-kubernetes.tf:9-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/bc-gcp-kubernetes-9.html
9 | resource "google_container_cluster" "gke" {
10 | name = "gke"
11 | location = local.region
12 | project = local.service_project_id
13 |
14 | networking_mode = "VPC_NATIVE"
15 | network = google_compute_network.main.self_link
16 | subnetwork = google_compute_subnetwork.private.self_link
17 |
18 | remove_default_node_pool = true
19 | initial_node_count = 1
20 |
21 | release_channel {
22 | channel = "REGULAR"
23 | }
24 |
25 | ip_allocation_policy {
26 | cluster_secondary_range_name = "pod-ip-range"
27 | services_secondary_range_name = "services-ip-range"
28 | }
29 |
30 | network_policy {
31 | provider = "PROVIDER_UNSPECIFIED"
32 | enabled = true
33 | }
34 |
35 | private_cluster_config {
36 | enable_private_endpoint = false
37 | enable_private_nodes = true
38 | master_ipv4_cidr_block = "172.16.0.0/28"
39 | }
40 |
41 | workload_identity_config {
42 | identity_namespace = "${google_project.k8s-staging.project_id}.svc.id.goog"
43 | }
44 |
45 | }
Check: CKV_GCP_65: "Manage Kubernetes RBAC users with Google Groups for GKE"
FAILED for resource: google_container_cluster.gke
File: /lessons/069/terraform/7-kubernetes.tf:9-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/manage-kubernetes-rbac-users-with-google-groups-for-gke.html
9 | resource "google_container_cluster" "gke" {
10 | name = "gke"
11 | location = local.region
12 | project = local.service_project_id
13 |
14 | networking_mode = "VPC_NATIVE"
15 | network = google_compute_network.main.self_link
16 | subnetwork = google_compute_subnetwork.private.self_link
17 |
18 | remove_default_node_pool = true
19 | initial_node_count = 1
20 |
21 | release_channel {
22 | channel = "REGULAR"
23 | }
24 |
25 | ip_allocation_policy {
26 | cluster_secondary_range_name = "pod-ip-range"
27 | services_secondary_range_name = "services-ip-range"
28 | }
29 |
30 | network_policy {
31 | provider = "PROVIDER_UNSPECIFIED"
32 | enabled = true
33 | }
34 |
35 | private_cluster_config {
36 | enable_private_endpoint = false
37 | enable_private_nodes = true
38 | master_ipv4_cidr_block = "172.16.0.0/28"
39 | }
40 |
41 | workload_identity_config {
42 | identity_namespace = "${google_project.k8s-staging.project_id}.svc.id.goog"
43 | }
44 |
45 | }
Check: CKV_GCP_20: "Ensure master authorized networks is set to enabled in GKE clusters"
FAILED for resource: google_container_cluster.gke
File: /lessons/069/terraform/7-kubernetes.tf:9-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/bc-gcp-kubernetes-12.html
9 | resource "google_container_cluster" "gke" {
10 | name = "gke"
11 | location = local.region
12 | project = local.service_project_id
13 |
14 | networking_mode = "VPC_NATIVE"
15 | network = google_compute_network.main.self_link
16 | subnetwork = google_compute_subnetwork.private.self_link
17 |
18 | remove_default_node_pool = true
19 | initial_node_count = 1
20 |
21 | release_channel {
22 | channel = "REGULAR"
23 | }
24 |
25 | ip_allocation_policy {
26 | cluster_secondary_range_name = "pod-ip-range"
27 | services_secondary_range_name = "services-ip-range"
28 | }
29 |
30 | network_policy {
31 | provider = "PROVIDER_UNSPECIFIED"
32 | enabled = true
33 | }
34 |
35 | private_cluster_config {
36 | enable_private_endpoint = false
37 | enable_private_nodes = true
38 | master_ipv4_cidr_block = "172.16.0.0/28"
39 | }
40 |
41 | workload_identity_config {
42 | identity_namespace = "${google_project.k8s-staging.project_id}.svc.id.goog"
43 | }
44 |
45 | }
Check: CKV_GCP_21: "Ensure Kubernetes Clusters are configured with Labels"
FAILED for resource: google_container_cluster.gke
File: /lessons/069/terraform/7-kubernetes.tf:9-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/bc-gcp-kubernetes-13.html
9 | resource "google_container_cluster" "gke" {
10 | name = "gke"
11 | location = local.region
12 | project = local.service_project_id
13 |
14 | networking_mode = "VPC_NATIVE"
15 | network = google_compute_network.main.self_link
16 | subnetwork = google_compute_subnetwork.private.self_link
17 |
18 | remove_default_node_pool = true
19 | initial_node_count = 1
20 |
21 | release_channel {
22 | channel = "REGULAR"
23 | }
24 |
25 | ip_allocation_policy {
26 | cluster_secondary_range_name = "pod-ip-range"
27 | services_secondary_range_name = "services-ip-range"
28 | }
29 |
30 | network_policy {
31 | provider = "PROVIDER_UNSPECIFIED"
32 | enabled = true
33 | }
34 |
35 | private_cluster_config {
36 | enable_private_endpoint = false
37 | enable_private_nodes = true
38 | master_ipv4_cidr_block = "172.16.0.0/28"
39 | }
40 |
41 | workload_identity_config {
42 | identity_namespace = "${google_project.k8s-staging.project_id}.svc.id.goog"
43 | }
44 |
45 | }
Check: CKV_GCP_69: "Ensure the GKE Metadata Server is Enabled"
FAILED for resource: google_container_cluster.gke
File: /lessons/069/terraform/7-kubernetes.tf:9-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/ensure-the-gke-metadata-server-is-enabled.html
9 | resource "google_container_cluster" "gke" {
10 | name = "gke"
11 | location = local.region
12 | project = local.service_project_id
13 |
14 | networking_mode = "VPC_NATIVE"
15 | network = google_compute_network.main.self_link
16 | subnetwork = google_compute_subnetwork.private.self_link
17 |
18 | remove_default_node_pool = true
19 | initial_node_count = 1
20 |
21 | release_channel {
22 | channel = "REGULAR"
23 | }
24 |
25 | ip_allocation_policy {
26 | cluster_secondary_range_name = "pod-ip-range"
27 | services_secondary_range_name = "services-ip-range"
28 | }
29 |
30 | network_policy {
31 | provider = "PROVIDER_UNSPECIFIED"
32 | enabled = true
33 | }
34 |
35 | private_cluster_config {
36 | enable_private_endpoint = false
37 | enable_private_nodes = true
38 | master_ipv4_cidr_block = "172.16.0.0/28"
39 | }
40 |
41 | workload_identity_config {
42 | identity_namespace = "${google_project.k8s-staging.project_id}.svc.id.goog"
43 | }
44 |
45 | }
Check: CKV_GCP_13: "Ensure client certificate authentication to Kubernetes Engine Clusters is disabled"
FAILED for resource: google_container_cluster.gke
File: /lessons/069/terraform/7-kubernetes.tf:9-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/bc-gcp-kubernetes-8.html
9 | resource "google_container_cluster" "gke" {
10 | name = "gke"
11 | location = local.region
12 | project = local.service_project_id
13 |
14 | networking_mode = "VPC_NATIVE"
15 | network = google_compute_network.main.self_link
16 | subnetwork = google_compute_subnetwork.private.self_link
17 |
18 | remove_default_node_pool = true
19 | initial_node_count = 1
20 |
21 | release_channel {
22 | channel = "REGULAR"
23 | }
24 |
25 | ip_allocation_policy {
26 | cluster_secondary_range_name = "pod-ip-range"
27 | services_secondary_range_name = "services-ip-range"
28 | }
29 |
30 | network_policy {
31 | provider = "PROVIDER_UNSPECIFIED"
32 | enabled = true
33 | }
34 |
35 | private_cluster_config {
36 | enable_private_endpoint = false
37 | enable_private_nodes = true
38 | master_ipv4_cidr_block = "172.16.0.0/28"
39 | }
40 |
41 | workload_identity_config {
42 | identity_namespace = "${google_project.k8s-staging.project_id}.svc.id.goog"
43 | }
44 |
45 | }
Check: CKV_GCP_61: "Enable VPC Flow Logs and Intranode Visibility"
FAILED for resource: google_container_cluster.gke
File: /lessons/069/terraform/7-kubernetes.tf:9-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/enable-vpc-flow-logs-and-intranode-visibility.html
9 | resource "google_container_cluster" "gke" {
10 | name = "gke"
11 | location = local.region
12 | project = local.service_project_id
13 |
14 | networking_mode = "VPC_NATIVE"
15 | network = google_compute_network.main.self_link
16 | subnetwork = google_compute_subnetwork.private.self_link
17 |
18 | remove_default_node_pool = true
19 | initial_node_count = 1
20 |
21 | release_channel {
22 | channel = "REGULAR"
23 | }
24 |
25 | ip_allocation_policy {
26 | cluster_secondary_range_name = "pod-ip-range"
27 | services_secondary_range_name = "services-ip-range"
28 | }
29 |
30 | network_policy {
31 | provider = "PROVIDER_UNSPECIFIED"
32 | enabled = true
33 | }
34 |
35 | private_cluster_config {
36 | enable_private_endpoint = false
37 | enable_private_nodes = true
38 | master_ipv4_cidr_block = "172.16.0.0/28"
39 | }
40 |
41 | workload_identity_config {
42 | identity_namespace = "${google_project.k8s-staging.project_id}.svc.id.goog"
43 | }
44 |
45 | }
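Nine checks fail on google_container_cluster.gke in lessons/069/terraform/7-kubernetes.tf. The added example below is not the repository's code; it is the lesson's cluster with the API-server and control-plane settings checkov asks for, plus two documented skips where the check cannot be satisfied honestly: CKV_GCP_24 asks for PodSecurityPolicy, which Kubernetes removed in 1.25 (the replacement is Pod Security Admission, enforced via namespace labels, not a cluster attribute), and CKV_GCP_69 on the cluster inspects the default node pool, which this cluster removes, so the metadata-server setting belongs on google_container_node_pool.general. The authorized-network CIDR, the Google Groups domain and the label values are assumptions. `workload_pool` is the current provider name for what the lesson wrote as `identity_namespace`; that rename assumes google provider 4.x or later, which the `binary_authorization` block also needs.

```hcl
# Added example: hardened control plane for lessons/069 google_container_cluster.gke.
# Assumed: 203.0.113.0/24 as corporate egress, example.com as the Workspace domain,
# google provider >= 4.x (workload_pool, binary_authorization.evaluation_mode).
resource "google_container_cluster" "gke" {
  #checkov:skip=CKV_GCP_24:PodSecurityPolicy was removed in Kubernetes 1.25; Pod Security Admission is enforced per namespace
  #checkov:skip=CKV_GCP_69:Default node pool is removed; workload_metadata_config lives on google_container_node_pool.general
  name     = "gke"
  location = local.region
  project  = local.service_project_id

  networking_mode = "VPC_NATIVE"
  network         = google_compute_network.main.self_link
  subnetwork      = google_compute_subnetwork.private.self_link

  remove_default_node_pool = true
  initial_node_count       = 1

  # CKV_GCP_21: labels are how asset inventory and Security Command Center attribute findings.
  resource_labels = {
    env   = "staging"
    owner = "platform"
  }

  release_channel {
    channel = "REGULAR"
  }

  ip_allocation_policy {
    cluster_secondary_range_name  = "pod-ip-range"
    services_secondary_range_name = "services-ip-range"
  }

  network_policy {
    provider = "PROVIDER_UNSPECIFIED"
    enabled  = true
  }

  # CKV_GCP_61 (cluster side): same-node pod-to-pod traffic is exported to VPC Flow Logs.
  # The subnet side is log_config on google_compute_subnetwork.private.
  enable_intranode_visibility = true

  private_cluster_config {
    enable_private_endpoint = false
    enable_private_nodes    = true
    master_ipv4_cidr_block  = "172.16.0.0/28"
  }

  # CKV_GCP_20: the public endpoint stays, but only these ranges can open a TCP session to it.
  master_authorized_networks_config {
    cidr_blocks {
      cidr_block   = "203.0.113.0/24"
      display_name = "office-egress"
    }
  }

  # CKV_GCP_13: no cluster-issued client certificate (non-revocable, non-expiring credential).
  master_auth {
    client_certificate_config {
      issue_client_certificate = false
    }
  }

  # CKV_GCP_65: RoleBindings may name Google Groups; GKE requires this exact group name.
  authenticator_groups_config {
    security_group = "gke-security-groups@example.com"
  }

  # CKV_GCP_66: only images that pass the project's Binary Authorization policy are admitted.
  binary_authorization {
    evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE"
  }

  workload_identity_config {
    workload_pool = "${google_project.k8s-staging.project_id}.svc.id.goog"
  }
}
```

Two of these change who can reach the cluster, so apply them deliberately: master authorized networks locks out any `kubectl` or CI runner whose egress IP is not listed, and Binary Authorization in enforce mode with the default project policy rejects every image until attestors or an allow-list of registries are configured, so start in `PROJECT_SINGLETON_POLICY_ENFORCE` only after the policy exists, or the next rollout fails admission.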
Check: CKV_GCP_68: "Ensure Secure Boot for Shielded GKE Nodes is Enabled"
FAILED for resource: google_container_node_pool.general
File: /lessons/069/terraform/7-kubernetes.tf:47-70
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/ensure-secure-boot-for-shielded-gke-nodes-is-enabled.html
47 | resource "google_container_node_pool" "general" {
48 | name = "general"
49 | location = local.region
50 | cluster = google_container_cluster.gke.name
51 | project = local.service_project_id
52 | node_count = 1
53 |
54 | management {
55 | auto_repair = true
56 | auto_upgrade = true
57 | }
58 |
59 | node_config {
60 | labels = {
61 | role = "general"
62 | }
63 | machine_type = "e2-medium"
64 |
65 | service_account = google_service_account.k8s-staging.email
66 | oauth_scopes = [
67 | "https://www.googleapis.com/auth/cloud-platform"
68 | ]
69 | }
70 | }
Check: CKV_GCP_69: "Ensure the GKE Metadata Server is Enabled"
FAILED for resource: google_container_node_pool.general
File: /lessons/069/terraform/7-kubernetes.tf:47-70
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/ensure-the-gke-metadata-server-is-enabled.html
47 | resource "google_container_node_pool" "general" {
48 | name = "general"
49 | location = local.region
50 | cluster = google_container_cluster.gke.name
51 | project = local.service_project_id
52 | node_count = 1
53 |
54 | management {
55 | auto_repair = true
56 | auto_upgrade = true
57 | }
58 |
59 | node_config {
60 | labels = {
61 | role = "general"
62 | }
63 | machine_type = "e2-medium"
64 |
65 | service_account = google_service_account.k8s-staging.email
66 | oauth_scopes = [
67 | "https://www.googleapis.com/auth/cloud-platform"
68 | ]
69 | }
70 | }
Check: CKV_GCP_22: "Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image"
FAILED for resource: google_container_node_pool.general
File: /lessons/069/terraform/7-kubernetes.tf:47-70
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/bc-gcp-kubernetes-14.html
47 | resource "google_container_node_pool" "general" {
48 | name = "general"
49 | location = local.region
50 | cluster = google_container_cluster.gke.name
51 | project = local.service_project_id
52 | node_count = 1
53 |
54 | management {
55 | auto_repair = true
56 | auto_upgrade = true
57 | }
58 |
59 | node_config {
60 | labels = {
61 | role = "general"
62 | }
63 | machine_type = "e2-medium"
64 |
65 | service_account = google_service_account.k8s-staging.email
66 | oauth_scopes = [
67 | "https://www.googleapis.com/auth/cloud-platform"
68 | ]
69 | }
70 | }
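The three node-pool findings (CKV_GCP_68, CKV_GCP_69, CKV_GCP_22) on google_container_node_pool.general are all node_config settings. The added example below is not the repository's code; it is the lesson's pool with the three attributes added. CKV_GCP_69 is the one with direct exploitation relevance: without the GKE metadata server, any pod that can reach 169.254.169.254 can read the node service account's token, and the lesson grants that account the cloud-platform scope, so a single container escape or SSRF becomes project-level access.

```hcl
# Added example: hardened node pool for lessons/069 google_container_node_pool.general.
# Assumed: google provider >= 4.x for workload_metadata_config.mode.
resource "google_container_node_pool" "general" {
  name       = "general"
  location   = local.region
  cluster    = google_container_cluster.gke.name
  project    = local.service_project_id
  node_count = 1

  management {
    auto_repair  = true
    auto_upgrade = true
  }

  node_config {
    labels = {
      role = "general"
    }
    machine_type = "e2-medium"

    # CKV_GCP_22: Container-Optimized OS with containerd (read-only root, no package manager).
    image_type = "COS_CONTAINERD"

    # CKV_GCP_68: Shielded VM; Secure Boot refuses unsigned kernel modules and
    # integrity monitoring reports boot-measurement drift to Cloud Logging.
    shielded_instance_config {
      enable_secure_boot          = true
      enable_integrity_monitoring = true
    }

    # CKV_GCP_69: pods talk to the GKE metadata server, which only hands out the
    # Workload Identity token for the pod's own KSA, never the node SA's token.
    workload_metadata_config {
      mode = "GKE_METADATA"
    }

    service_account = google_service_account.k8s-staging.email
    oauth_scopes = [
      "https://www.googleapis.com/auth/cloud-platform"
    ]
  }
}
```

Secure Boot will refuse to load third-party kernel modules, so a DaemonSet that ships one (some storage and security agents do) must be checked against COS before the pool is recreated; changing `image_type` or `shielded_instance_config` replaces the nodes.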
Check: CKV_GCP_106: "Ensure Google compute firewall ingress does not allow unrestricted http port 80 access"
FAILED for resource: google_compute_firewall.lb
File: /lessons/069/terraform/8-firewall.tf:1-14
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-google-compute-firewall-ingress-does-not-allow-unrestricted-http-port-80-access.html
1 | resource "google_compute_firewall" "lb" {
2 | name = "k8s-fw-abdca8a7bd83f4a84a8fb7a869242967"
3 | network = google_compute_network.main.name
4 | project = local.host_project_id
5 | description = "{\"kubernetes.io/service-name\":\"default/nginx\", \"kubernetes.io/service-ip\":\"35.235.121.183\"}"
6 |
7 | allow {
8 | protocol = "tcp"
9 | ports = ["80"]
10 | }
11 |
12 | source_ranges = ["0.0.0.0/0"]
13 | target_tags = ["gke-gke-08c5d5fb-node"]
14 | }
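CKV_GCP_106 flags google_compute_firewall.lb in lessons/069/terraform/8-firewall.tf for admitting port 80 from 0.0.0.0/0. The rule's name (`k8s-fw-<hash>`) and its JSON description are the ones GKE's cloud controller writes for a Service of `type: LoadBalancer`, so this resource appears to have been imported from a GKE-managed rule; GKE reconciles such rules and will revert a hand-edited source range, and the durable fix is `spec.loadBalancerSourceRanges` on that Service, which GKE then copies into the rule itself. The added example below (not the repository's code) shows the same restriction for a rule Terraform genuinely owns, with Firewall Rules Logging turned on. The allowed client ranges are an assumed variable.

```hcl
# Added example: restricted form of lessons/069 google_compute_firewall.lb.
# Assumed: var.allowed_client_ranges holds the CIDRs that may reach the nginx Service.
resource "google_compute_firewall" "lb" {
  name        = "k8s-fw-abdca8a7bd83f4a84a8fb7a869242967"
  network     = google_compute_network.main.name
  project     = local.host_project_id
  description = "{\"kubernetes.io/service-name\":\"default/nginx\", \"kubernetes.io/service-ip\":\"35.235.121.183\"}"
  direction   = "INGRESS"

  allow {
    protocol = "tcp"
    ports    = ["80"]
  }

  # CKV_GCP_106: named client ranges instead of the whole Internet.
  source_ranges = var.allowed_client_ranges
  target_tags   = ["gke-gke-08c5d5fb-node"]

  # Every connection matched by this rule is written to Cloud Logging with the rule name,
  # which is what an analyst needs when port 80 on the nodes starts seeing unexpected sources.
  log_config {
    metadata = "INCLUDE_ALL_METADATA"
  }
}

variable "allowed_client_ranges" {
  type        = list(string)
  description = "Client CIDRs allowed to reach the nginx Service (assumed, e.g. [\"203.0.113.0/24\"])"
}
```

If the service really is meant to be public, the honest answer is not a narrower CIDR but moving it behind an HTTP(S) load balancer with Cloud Armor, and recording a checkov skip on this rule with that justification; a public web endpoint that only lists `0.0.0.0/0` because nobody chose a policy is the case the check exists to catch.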
Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
FAILED for resource: aws_eks_cluster.demo
File: /lessons/089/terraform/6-eks.tf:31-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
31 | resource "aws_eks_cluster" "demo" {
32 | name = "demo"
33 | role_arn = aws_iam_role.demo.arn
34 |
35 | vpc_config {
36 | subnet_ids = [
37 | aws_subnet.private-us-east-1a.id,
38 | aws_subnet.private-us-east-1b.id,
39 | aws_subnet.public-us-east-1a.id,
40 | aws_subnet.public-us-east-1b.id
41 | ]
42 | }
43 |
44 | # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
45 | # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
46 | depends_on = [aws_iam_role_policy_attachment.demo-AmazonEKSClusterPolicy]
47 | }
Check: CKV_AWS_37: "Ensure Amazon EKS control plane logging enabled for all log types"
FAILED for resource: aws_eks_cluster.demo
File: /lessons/089/terraform/6-eks.tf:31-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-4.html
31 | resource "aws_eks_cluster" "demo" {
32 | name = "demo"
33 | role_arn = aws_iam_role.demo.arn
34 |
35 | vpc_config {
36 | subnet_ids = [
37 | aws_subnet.private-us-east-1a.id,
38 | aws_subnet.private-us-east-1b.id,
39 | aws_subnet.public-us-east-1a.id,
40 | aws_subnet.public-us-east-1b.id
41 | ]
42 | }
43 |
44 | # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
45 | # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
46 | depends_on = [aws_iam_role_policy_attachment.demo-AmazonEKSClusterPolicy]
47 | }
Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
FAILED for resource: aws_eks_cluster.demo
File: /lessons/089/terraform/6-eks.tf:31-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
31 | resource "aws_eks_cluster" "demo" {
32 | name = "demo"
33 | role_arn = aws_iam_role.demo.arn
34 |
35 | vpc_config {
36 | subnet_ids = [
37 | aws_subnet.private-us-east-1a.id,
38 | aws_subnet.private-us-east-1b.id,
39 | aws_subnet.public-us-east-1a.id,
40 | aws_subnet.public-us-east-1b.id
41 | ]
42 | }
43 |
44 | # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
45 | # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
46 | depends_on = [aws_iam_role_policy_attachment.demo-AmazonEKSClusterPolicy]
47 | }
Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
FAILED for resource: aws_eks_cluster.demo
File: /lessons/089/terraform/6-eks.tf:31-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
31 | resource "aws_eks_cluster" "demo" {
32 | name = "demo"
33 | role_arn = aws_iam_role.demo.arn
34 |
35 | vpc_config {
36 | subnet_ids = [
37 | aws_subnet.private-us-east-1a.id,
38 | aws_subnet.private-us-east-1b.id,
39 | aws_subnet.public-us-east-1a.id,
40 | aws_subnet.public-us-east-1b.id
41 | ]
42 | }
43 |
44 | # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
45 | # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
46 | depends_on = [aws_iam_role_policy_attachment.demo-AmazonEKSClusterPolicy]
47 | }
Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
FAILED for resource: aws_eks_cluster.demo
File: /lessons/090/terraform/6-eks.tf:31-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
31 | resource "aws_eks_cluster" "demo" {
32 | name = "demo"
33 | role_arn = aws_iam_role.demo.arn
34 |
35 | vpc_config {
36 | subnet_ids = [
37 | aws_subnet.private-us-east-1a.id,
38 | aws_subnet.private-us-east-1b.id,
39 | aws_subnet.public-us-east-1a.id,
40 | aws_subnet.public-us-east-1b.id
41 | ]
42 | }
43 |
44 | # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
45 | # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
46 | depends_on = [aws_iam_role_policy_attachment.demo-AmazonEKSClusterPolicy]
47 | }
Check: CKV_AWS_37: "Ensure Amazon EKS control plane logging enabled for all log types"
FAILED for resource: aws_eks_cluster.demo
File: /lessons/090/terraform/6-eks.tf:31-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-4.html
31 | resource "aws_eks_cluster" "demo" {
32 | name = "demo"
33 | role_arn = aws_iam_role.demo.arn
34 |
35 | vpc_config {
36 | subnet_ids = [
37 | aws_subnet.private-us-east-1a.id,
38 | aws_subnet.private-us-east-1b.id,
39 | aws_subnet.public-us-east-1a.id,
40 | aws_subnet.public-us-east-1b.id
41 | ]
42 | }
43 |
44 | # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
45 | # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
46 | depends_on = [aws_iam_role_policy_attachment.demo-AmazonEKSClusterPolicy]
47 | }
Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
FAILED for resource: aws_eks_cluster.demo
File: /lessons/090/terraform/6-eks.tf:31-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
31 | resource "aws_eks_cluster" "demo" {
32 | name = "demo"
33 | role_arn = aws_iam_role.demo.arn
34 |
35 | vpc_config {
36 | subnet_ids = [
37 | aws_subnet.private-us-east-1a.id,
38 | aws_subnet.private-us-east-1b.id,
39 | aws_subnet.public-us-east-1a.id,
40 | aws_subnet.public-us-east-1b.id
41 | ]
42 | }
43 |
44 | # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
45 | # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
46 | depends_on = [aws_iam_role_policy_attachment.demo-AmazonEKSClusterPolicy]
47 | }
Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
FAILED for resource: aws_eks_cluster.demo
File: /lessons/090/terraform/6-eks.tf:31-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
31 | resource "aws_eks_cluster" "demo" {
32 | name = "demo"
33 | role_arn = aws_iam_role.demo.arn
34 |
35 | vpc_config {
36 | subnet_ids = [
37 | aws_subnet.private-us-east-1a.id,
38 | aws_subnet.private-us-east-1b.id,
39 | aws_subnet.public-us-east-1a.id,
40 | aws_subnet.public-us-east-1b.id
41 | ]
42 | }
43 |
44 | # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
45 | # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
46 | depends_on = [aws_iam_role_policy_attachment.demo-AmazonEKSClusterPolicy]
47 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.public-us-east-1a
File: /lessons/091/terraform/3-subnets.tf:27-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
27 | resource "aws_subnet" "public-us-east-1a" {
28 | vpc_id = aws_vpc.main.id
29 | cidr_block = "10.0.64.0/19"
30 | availability_zone = "us-east-1a"
31 | map_public_ip_on_launch = true
32 |
33 | tags = {
34 | "Name" = "public-us-east-1a"
35 | "kubernetes.io/role/elb" = "1"
36 | "kubernetes.io/cluster/demo" = "owned"
37 | }
38 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.public-us-east-1b
File: /lessons/091/terraform/3-subnets.tf:40-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
40 | resource "aws_subnet" "public-us-east-1b" {
41 | vpc_id = aws_vpc.main.id
42 | cidr_block = "10.0.96.0/19"
43 | availability_zone = "us-east-1b"
44 | map_public_ip_on_launch = true
45 |
46 | tags = {
47 | "Name" = "public-us-east-1b"
48 | "kubernetes.io/role/elb" = "1"
49 | "kubernetes.io/cluster/demo" = "owned"
50 | }
51 | }
Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
FAILED for resource: aws_eks_cluster.demo
File: /lessons/091/terraform/6-eks.tf:31-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
31 | resource "aws_eks_cluster" "demo" {
32 | name = "demo"
33 | role_arn = aws_iam_role.demo.arn
34 |
35 | vpc_config {
36 | subnet_ids = [
37 | aws_subnet.private-us-east-1a.id,
38 | aws_subnet.private-us-east-1b.id,
39 | aws_subnet.public-us-east-1a.id,
40 | aws_subnet.public-us-east-1b.id
41 | ]
42 | }
43 |
44 | # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
45 | # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
46 | depends_on = [aws_iam_role_policy_attachment.demo-AmazonEKSClusterPolicy]
47 | }
Check: CKV_AWS_37: "Ensure Amazon EKS control plane logging enabled for all log types"
FAILED for resource: aws_eks_cluster.demo
File: /lessons/091/terraform/6-eks.tf:31-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-4.html
31 | resource "aws_eks_cluster" "demo" {
32 | name = "demo"
33 | role_arn = aws_iam_role.demo.arn
34 |
35 | vpc_config {
36 | subnet_ids = [
37 | aws_subnet.private-us-east-1a.id,
38 | aws_subnet.private-us-east-1b.id,
39 | aws_subnet.public-us-east-1a.id,
40 | aws_subnet.public-us-east-1b.id
41 | ]
42 | }
43 |
44 | # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
45 | # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
46 | depends_on = [aws_iam_role_policy_attachment.demo-AmazonEKSClusterPolicy]
47 | }
Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
FAILED for resource: aws_eks_cluster.demo
File: /lessons/091/terraform/6-eks.tf:31-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
31 | resource "aws_eks_cluster" "demo" {
32 | name = "demo"
33 | role_arn = aws_iam_role.demo.arn
34 |
35 | vpc_config {
36 | subnet_ids = [
37 | aws_subnet.private-us-east-1a.id,
38 | aws_subnet.private-us-east-1b.id,
39 | aws_subnet.public-us-east-1a.id,
40 | aws_subnet.public-us-east-1b.id
41 | ]
42 | }
43 |
44 | # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
45 | # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
46 | depends_on = [aws_iam_role_policy_attachment.demo-AmazonEKSClusterPolicy]
47 | }
Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
FAILED for resource: aws_eks_cluster.demo
File: /lessons/091/terraform/6-eks.tf:31-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
31 | resource "aws_eks_cluster" "demo" {
32 | name = "demo"
33 | role_arn = aws_iam_role.demo.arn
34 |
35 | vpc_config {
36 | subnet_ids = [
37 | aws_subnet.private-us-east-1a.id,
38 | aws_subnet.private-us-east-1b.id,
39 | aws_subnet.public-us-east-1a.id,
40 | aws_subnet.public-us-east-1b.id
41 | ]
42 | }
43 |
44 | # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
45 | # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
46 | depends_on = [aws_iam_role_policy_attachment.demo-AmazonEKSClusterPolicy]
47 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.public-us-east-1a
File: /lessons/099/terraform/3-subnets.tf:27-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
27 | resource "aws_subnet" "public-us-east-1a" {
28 | vpc_id = aws_vpc.main.id
29 | cidr_block = "10.0.64.0/19"
30 | availability_zone = "us-east-1a"
31 | map_public_ip_on_launch = true
32 |
33 | tags = {
34 | "Name" = "public-us-east-1a"
35 | "kubernetes.io/role/elb" = "1"
36 | "kubernetes.io/cluster/demo" = "owned"
37 | }
38 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.public-us-east-1b
File: /lessons/099/terraform/3-subnets.tf:40-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
40 | resource "aws_subnet" "public-us-east-1b" {
41 | vpc_id = aws_vpc.main.id
42 | cidr_block = "10.0.96.0/19"
43 | availability_zone = "us-east-1b"
44 | map_public_ip_on_launch = true
45 |
46 | tags = {
47 | "Name" = "public-us-east-1b"
48 | "kubernetes.io/role/elb" = "1"
49 | "kubernetes.io/cluster/demo" = "owned"
50 | }
51 | }
Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
FAILED for resource: aws_eks_cluster.demo
File: /lessons/099/terraform/6-eks.tf:31-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
31 | resource "aws_eks_cluster" "demo" {
32 | name = "demo"
33 | role_arn = aws_iam_role.demo.arn
34 |
35 | vpc_config {
36 | subnet_ids = [
37 | aws_subnet.private-us-east-1a.id,
38 | aws_subnet.private-us-east-1b.id,
39 | aws_subnet.public-us-east-1a.id,
40 | aws_subnet.public-us-east-1b.id
41 | ]
42 | }
43 |
44 | # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
45 | # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
46 | depends_on = [aws_iam_role_policy_attachment.demo-AmazonEKSClusterPolicy]
47 | }
Check: CKV_AWS_37: "Ensure Amazon EKS control plane logging enabled for all log types"
FAILED for resource: aws_eks_cluster.demo
File: /lessons/099/terraform/6-eks.tf:31-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-4.html
31 | resource "aws_eks_cluster" "demo" {
32 | name = "demo"
33 | role_arn = aws_iam_role.demo.arn
34 |
35 | vpc_config {
36 | subnet_ids = [
37 | aws_subnet.private-us-east-1a.id,
38 | aws_subnet.private-us-east-1b.id,
39 | aws_subnet.public-us-east-1a.id,
40 | aws_subnet.public-us-east-1b.id
41 | ]
42 | }
43 |
44 | # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
45 | # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
46 | depends_on = [aws_iam_role_policy_attachment.demo-AmazonEKSClusterPolicy]
47 | }
Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
FAILED for resource: aws_eks_cluster.demo
File: /lessons/099/terraform/6-eks.tf:31-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
31 | resource "aws_eks_cluster" "demo" {
32 | name = "demo"
33 | role_arn = aws_iam_role.demo.arn
34 |
35 | vpc_config {
36 | subnet_ids = [
37 | aws_subnet.private-us-east-1a.id,
38 | aws_subnet.private-us-east-1b.id,
39 | aws_subnet.public-us-east-1a.id,
40 | aws_subnet.public-us-east-1b.id
41 | ]
42 | }
43 |
44 | # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
45 | # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
46 | depends_on = [aws_iam_role_policy_attachment.demo-AmazonEKSClusterPolicy]
47 | }
Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
FAILED for resource: aws_eks_cluster.demo
File: /lessons/099/terraform/6-eks.tf:31-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
31 | resource "aws_eks_cluster" "demo" {
32 | name = "demo"
33 | role_arn = aws_iam_role.demo.arn
34 |
35 | vpc_config {
36 | subnet_ids = [
37 | aws_subnet.private-us-east-1a.id,
38 | aws_subnet.private-us-east-1b.id,
39 | aws_subnet.public-us-east-1a.id,
40 | aws_subnet.public-us-east-1b.id
41 | ]
42 | }
43 |
44 | # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
45 | # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
46 | depends_on = [aws_iam_role_policy_attachment.demo-AmazonEKSClusterPolicy]
47 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_launch_template.eks-with-disks
File: /lessons/099/terraform/7-nodes.tf:70-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
70 | resource "aws_launch_template" "eks-with-disks" {
71 | name = "eks-with-disks"
72 |
73 | key_name = "local-provisioner"
74 |
75 | block_device_mappings {
76 | device_name = "/dev/xvdb"
77 |
78 | ebs {
79 | volume_size = 50
80 | volume_type = "gp2"
81 | }
82 | }
83 | }
Check: CKV_GCP_106: "Ensure Google compute firewall ingress does not allow unrestricted http port 80 access"
FAILED for resource: google_compute_firewall.web
File: /lessons/101/2-example.tf:29-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-google-compute-firewall-ingress-does-not-allow-unrestricted-http-port-80-access.html
29 | resource "google_compute_firewall" "web" {
30 | name = "web-access"
31 | network = local.network
32 |
33 | allow {
34 | protocol = "tcp"
35 | ports = ["80"]
36 | }
37 |
38 | source_ranges = ["0.0.0.0/0"]
39 | target_service_accounts = [google_service_account.nginx.email]
40 | }
Check: CKV_GCP_39: "Ensure Compute instances are launched with Shielded VM enabled"
FAILED for resource: google_compute_instance.nginx["nginx-000-staging"]
File: /lessons/101/2-example.tf:42-79
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/bc-gcp-general-y.html
42 | resource "google_compute_instance" "nginx" {
43 | for_each = local.web_servers
44 |
45 | name = each.key
46 | machine_type = each.value.machine_type
47 | zone = each.value.zone
48 |
49 | boot_disk {
50 | initialize_params {
51 | image = local.image
52 | }
53 | }
54 |
55 | network_interface {
56 | network = local.network
57 | access_config {}
58 | }
59 |
60 | service_account {
61 | email = google_service_account.nginx.email
62 | scopes = ["cloud-platform"]
63 | }
64 |
65 | provisioner "remote-exec" {
66 | inline = ["echo 'Wait until SSH is ready'"]
67 |
68 | connection {
69 | type = "ssh"
70 | user = local.ssh_user
71 | private_key = file(local.private_key_path)
72 | host = self.network_interface.0.access_config.0.nat_ip
73 | }
74 | }
75 |
76 | provisioner "local-exec" {
77 | command = "ansible-playbook -i ${self.network_interface.0.access_config.0.nat_ip}, --private-key ${local.private_key_path} nginx.yaml"
78 | }
79 | }
Check: CKV_GCP_40: "Ensure that Compute instances do not have public IP addresses"
FAILED for resource: google_compute_instance.nginx["nginx-000-staging"]
File: /lessons/101/2-example.tf:42-79
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-public-policies/bc-gcp-public-2.html
42 | resource "google_compute_instance" "nginx" {
43 | for_each = local.web_servers
44 |
45 | name = each.key
46 | machine_type = each.value.machine_type
47 | zone = each.value.zone
48 |
49 | boot_disk {
50 | initialize_params {
51 | image = local.image
52 | }
53 | }
54 |
55 | network_interface {
56 | network = local.network
57 | access_config {}
58 | }
59 |
60 | service_account {
61 | email = google_service_account.nginx.email
62 | scopes = ["cloud-platform"]
63 | }
64 |
65 | provisioner "remote-exec" {
66 | inline = ["echo 'Wait until SSH is ready'"]
67 |
68 | connection {
69 | type = "ssh"
70 | user = local.ssh_user
71 | private_key = file(local.private_key_path)
72 | host = self.network_interface.0.access_config.0.nat_ip
73 | }
74 | }
75 |
76 | provisioner "local-exec" {
77 | command = "ansible-playbook -i ${self.network_interface.0.access_config.0.nat_ip}, --private-key ${local.private_key_path} nginx.yaml"
78 | }
79 | }
Check: CKV_GCP_32: "Ensure 'Block Project-wide SSH keys' is enabled for VM instances"
FAILED for resource: google_compute_instance.nginx["nginx-000-staging"]
File: /lessons/101/2-example.tf:42-79
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/bc-gcp-networking-8.html
42 | resource "google_compute_instance" "nginx" {
43 | for_each = local.web_servers
44 |
45 | name = each.key
46 | machine_type = each.value.machine_type
47 | zone = each.value.zone
48 |
49 | boot_disk {
50 | initialize_params {
51 | image = local.image
52 | }
53 | }
54 |
55 | network_interface {
56 | network = local.network
57 | access_config {}
58 | }
59 |
60 | service_account {
61 | email = google_service_account.nginx.email
62 | scopes = ["cloud-platform"]
63 | }
64 |
65 | provisioner "remote-exec" {
66 | inline = ["echo 'Wait until SSH is ready'"]
67 |
68 | connection {
69 | type = "ssh"
70 | user = local.ssh_user
71 | private_key = file(local.private_key_path)
72 | host = self.network_interface.0.access_config.0.nat_ip
73 | }
74 | }
75 |
76 | provisioner "local-exec" {
77 | command = "ansible-playbook -i ${self.network_interface.0.access_config.0.nat_ip}, --private-key ${local.private_key_path} nginx.yaml"
78 | }
79 | }
Check: CKV_GCP_38: "Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: google_compute_instance.nginx["nginx-000-staging"]
File: /lessons/101/2-example.tf:42-79
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/encrypt-boot-disks-for-instances-with-cseks.html
42 | resource "google_compute_instance" "nginx" {
43 | for_each = local.web_servers
44 |
45 | name = each.key
46 | machine_type = each.value.machine_type
47 | zone = each.value.zone
48 |
49 | boot_disk {
50 | initialize_params {
51 | image = local.image
52 | }
53 | }
54 |
55 | network_interface {
56 | network = local.network
57 | access_config {}
58 | }
59 |
60 | service_account {
61 | email = google_service_account.nginx.email
62 | scopes = ["cloud-platform"]
63 | }
64 |
65 | provisioner "remote-exec" {
66 | inline = ["echo 'Wait until SSH is ready'"]
67 |
68 | connection {
69 | type = "ssh"
70 | user = local.ssh_user
71 | private_key = file(local.private_key_path)
72 | host = self.network_interface.0.access_config.0.nat_ip
73 | }
74 | }
75 |
76 | provisioner "local-exec" {
77 | command = "ansible-playbook -i ${self.network_interface.0.access_config.0.nat_ip}, --private-key ${local.private_key_path} nginx.yaml"
78 | }
79 | }
Check: CKV_GCP_39: "Ensure Compute instances are launched with Shielded VM enabled"
FAILED for resource: google_compute_instance.nginx["nginx-001-staging"]
File: /lessons/101/2-example.tf:42-79
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/bc-gcp-general-y.html
42 | resource "google_compute_instance" "nginx" {
43 | for_each = local.web_servers
44 |
45 | name = each.key
46 | machine_type = each.value.machine_type
47 | zone = each.value.zone
48 |
49 | boot_disk {
50 | initialize_params {
51 | image = local.image
52 | }
53 | }
54 |
55 | network_interface {
56 | network = local.network
57 | access_config {}
58 | }
59 |
60 | service_account {
61 | email = google_service_account.nginx.email
62 | scopes = ["cloud-platform"]
63 | }
64 |
65 | provisioner "remote-exec" {
66 | inline = ["echo 'Wait until SSH is ready'"]
67 |
68 | connection {
69 | type = "ssh"
70 | user = local.ssh_user
71 | private_key = file(local.private_key_path)
72 | host = self.network_interface.0.access_config.0.nat_ip
73 | }
74 | }
75 |
76 | provisioner "local-exec" {
77 | command = "ansible-playbook -i ${self.network_interface.0.access_config.0.nat_ip}, --private-key ${local.private_key_path} nginx.yaml"
78 | }
79 | }
Check: CKV_GCP_40: "Ensure that Compute instances do not have public IP addresses"
FAILED for resource: google_compute_instance.nginx["nginx-001-staging"]
File: /lessons/101/2-example.tf:42-79
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-public-policies/bc-gcp-public-2.html
42 | resource "google_compute_instance" "nginx" {
43 | for_each = local.web_servers
44 |
45 | name = each.key
46 | machine_type = each.value.machine_type
47 | zone = each.value.zone
48 |
49 | boot_disk {
50 | initialize_params {
51 | image = local.image
52 | }
53 | }
54 |
55 | network_interface {
56 | network = local.network
57 | access_config {}
58 | }
59 |
60 | service_account {
61 | email = google_service_account.nginx.email
62 | scopes = ["cloud-platform"]
63 | }
64 |
65 | provisioner "remote-exec" {
66 | inline = ["echo 'Wait until SSH is ready'"]
67 |
68 | connection {
69 | type = "ssh"
70 | user = local.ssh_user
71 | private_key = file(local.private_key_path)
72 | host = self.network_interface.0.access_config.0.nat_ip
73 | }
74 | }
75 |
76 | provisioner "local-exec" {
77 | command = "ansible-playbook -i ${self.network_interface.0.access_config.0.nat_ip}, --private-key ${local.private_key_path} nginx.yaml"
78 | }
79 | }
Check: CKV_GCP_32: "Ensure 'Block Project-wide SSH keys' is enabled for VM instances"
FAILED for resource: google_compute_instance.nginx["nginx-001-staging"]
File: /lessons/101/2-example.tf:42-79
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/bc-gcp-networking-8.html
42 | resource "google_compute_instance" "nginx" {
43 | for_each = local.web_servers
44 |
45 | name = each.key
46 | machine_type = each.value.machine_type
47 | zone = each.value.zone
48 |
49 | boot_disk {
50 | initialize_params {
51 | image = local.image
52 | }
53 | }
54 |
55 | network_interface {
56 | network = local.network
57 | access_config {}
58 | }
59 |
60 | service_account {
61 | email = google_service_account.nginx.email
62 | scopes = ["cloud-platform"]
63 | }
64 |
65 | provisioner "remote-exec" {
66 | inline = ["echo 'Wait until SSH is ready'"]
67 |
68 | connection {
69 | type = "ssh"
70 | user = local.ssh_user
71 | private_key = file(local.private_key_path)
72 | host = self.network_interface.0.access_config.0.nat_ip
73 | }
74 | }
75 |
76 | provisioner "local-exec" {
77 | command = "ansible-playbook -i ${self.network_interface.0.access_config.0.nat_ip}, --private-key ${local.private_key_path} nginx.yaml"
78 | }
79 | }
Check: CKV_GCP_38: "Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: google_compute_instance.nginx["nginx-001-staging"]
File: /lessons/101/2-example.tf:42-79
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/encrypt-boot-disks-for-instances-with-cseks.html
42 | resource "google_compute_instance" "nginx" {
43 | for_each = local.web_servers
44 |
45 | name = each.key
46 | machine_type = each.value.machine_type
47 | zone = each.value.zone
48 |
49 | boot_disk {
50 | initialize_params {
51 | image = local.image
52 | }
53 | }
54 |
55 | network_interface {
56 | network = local.network
57 | access_config {}
58 | }
59 |
60 | service_account {
61 | email = google_service_account.nginx.email
62 | scopes = ["cloud-platform"]
63 | }
64 |
65 | provisioner "remote-exec" {
66 | inline = ["echo 'Wait until SSH is ready'"]
67 |
68 | connection {
69 | type = "ssh"
70 | user = local.ssh_user
71 | private_key = file(local.private_key_path)
72 | host = self.network_interface.0.access_config.0.nat_ip
73 | }
74 | }
75 |
76 | provisioner "local-exec" {
77 | command = "ansible-playbook -i ${self.network_interface.0.access_config.0.nat_ip}, --private-key ${local.private_key_path} nginx.yaml"
78 | }
79 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.public-us-east-1a
File: /lessons/102/terraform/3-subnets.tf:25-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
25 | resource "aws_subnet" "public-us-east-1a" {
26 | vpc_id = aws_vpc.main.id
27 | cidr_block = "10.0.64.0/19"
28 | availability_zone = "us-east-1a"
29 | map_public_ip_on_launch = true
30 |
31 | tags = {
32 | "Name" = "public-us-east-1a"
33 | "kubernetes.io/role/elb" = "1"
34 | "kubernetes.io/cluster/demo" = "owned"
35 | }
36 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.public-us-east-1b
File: /lessons/102/terraform/3-subnets.tf:38-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
38 | resource "aws_subnet" "public-us-east-1b" {
39 | vpc_id = aws_vpc.main.id
40 | cidr_block = "10.0.96.0/19"
41 | availability_zone = "us-east-1b"
42 | map_public_ip_on_launch = true
43 |
44 | tags = {
45 | "Name" = "public-us-east-1b"
46 | "kubernetes.io/role/elb" = "1"
47 | "kubernetes.io/cluster/demo" = "owned"
48 | }
49 | }
Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
FAILED for resource: aws_eks_cluster.demo
File: /lessons/102/terraform/6-eks.tf:32-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
32 | resource "aws_eks_cluster" "demo" {
33 | name = var.cluster_name
34 | role_arn = aws_iam_role.demo.arn
35 |
36 | vpc_config {
37 | subnet_ids = [
38 | aws_subnet.private-us-east-1a.id,
39 | aws_subnet.private-us-east-1b.id,
40 | aws_subnet.public-us-east-1a.id,
41 | aws_subnet.public-us-east-1b.id
42 | ]
43 | }
44 |
45 | depends_on = [aws_iam_role_policy_attachment.demo-AmazonEKSClusterPolicy]
46 | }
Check: CKV_AWS_37: "Ensure Amazon EKS control plane logging enabled for all log types"
FAILED for resource: aws_eks_cluster.demo
File: /lessons/102/terraform/6-eks.tf:32-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-4.html
32 | resource "aws_eks_cluster" "demo" {
33 | name = var.cluster_name
34 | role_arn = aws_iam_role.demo.arn
35 |
36 | vpc_config {
37 | subnet_ids = [
38 | aws_subnet.private-us-east-1a.id,
39 | aws_subnet.private-us-east-1b.id,
40 | aws_subnet.public-us-east-1a.id,
41 | aws_subnet.public-us-east-1b.id
42 | ]
43 | }
44 |
45 | depends_on = [aws_iam_role_policy_attachment.demo-AmazonEKSClusterPolicy]
46 | }
Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
FAILED for resource: aws_eks_cluster.demo
File: /lessons/102/terraform/6-eks.tf:32-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
32 | resource "aws_eks_cluster" "demo" {
33 | name = var.cluster_name
34 | role_arn = aws_iam_role.demo.arn
35 |
36 | vpc_config {
37 | subnet_ids = [
38 | aws_subnet.private-us-east-1a.id,
39 | aws_subnet.private-us-east-1b.id,
40 | aws_subnet.public-us-east-1a.id,
41 | aws_subnet.public-us-east-1b.id
42 | ]
43 | }
44 |
45 | depends_on = [aws_iam_role_policy_attachment.demo-AmazonEKSClusterPolicy]
46 | }
Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
FAILED for resource: aws_eks_cluster.demo
File: /lessons/102/terraform/6-eks.tf:32-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
32 | resource "aws_eks_cluster" "demo" {
33 | name = var.cluster_name
34 | role_arn = aws_iam_role.demo.arn
35 |
36 | vpc_config {
37 | subnet_ids = [
38 | aws_subnet.private-us-east-1a.id,
39 | aws_subnet.private-us-east-1b.id,
40 | aws_subnet.public-us-east-1a.id,
41 | aws_subnet.public-us-east-1b.id
42 | ]
43 | }
44 |
45 | depends_on = [aws_iam_role_policy_attachment.demo-AmazonEKSClusterPolicy]
46 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.public-us-east-1a
File: /lessons/104/terraform/3-subnets.tf:1-6
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
1 | resource "aws_subnet" "public-us-east-1a" {
2 | vpc_id = aws_vpc.main.id
3 | cidr_block = "10.0.64.0/19"
4 | availability_zone = "us-east-1a"
5 | map_public_ip_on_launch = true
6 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.web
File: /lessons/104/terraform/5-ec2.tf:28-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
28 | resource "aws_instance" "web" {
29 | ami = data.aws_ami.ubuntu.id
30 | instance_type = "t3.small"
31 |
32 | key_name = local.key_name
33 |
34 | network_interface {
35 | network_interface_id = aws_network_interface.monitoring.id
36 | device_index = 0
37 | }
38 |
39 | tags = {
40 | Name = "monitoring"
41 | }
42 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.web
File: /lessons/104/terraform/5-ec2.tf:28-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
28 | resource "aws_instance" "web" {
29 | ami = data.aws_ami.ubuntu.id
30 | instance_type = "t3.small"
31 |
32 | key_name = local.key_name
33 |
34 | network_interface {
35 | network_interface_id = aws_network_interface.monitoring.id
36 | device_index = 0
37 | }
38 |
39 | tags = {
40 | Name = "monitoring"
41 | }
42 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.web
File: /lessons/104/terraform/5-ec2.tf:28-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
28 | resource "aws_instance" "web" {
29 | ami = data.aws_ami.ubuntu.id
30 | instance_type = "t3.small"
31 |
32 | key_name = local.key_name
33 |
34 | network_interface {
35 | network_interface_id = aws_network_interface.monitoring.id
36 | device_index = 0
37 | }
38 |
39 | tags = {
40 | Name = "monitoring"
41 | }
42 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.web
File: /lessons/104/terraform/5-ec2.tf:28-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
28 | resource "aws_instance" "web" {
29 | ami = data.aws_ami.ubuntu.id
30 | instance_type = "t3.small"
31 |
32 | key_name = local.key_name
33 |
34 | network_interface {
35 | network_interface_id = aws_network_interface.monitoring.id
36 | device_index = 0
37 | }
38 |
39 | tags = {
40 | Name = "monitoring"
41 | }
42 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.monitoring
File: /lessons/104/terraform/6-sg.tf:1-60
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
FAILED for resource: aws_security_group.monitoring
File: /lessons/104/terraform/6-sg.tf:1-60
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-1-port-security.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.public-us-east-1a
File: /lessons/105/aws-terraform/3-subnets.tf:25-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
25 | resource "aws_subnet" "public-us-east-1a" {
26 | vpc_id = aws_vpc.main.id
27 | cidr_block = "10.0.64.0/19"
28 | availability_zone = "us-east-1a"
29 | map_public_ip_on_launch = true
30 |
31 | tags = {
32 | "Name" = "public-us-east-1a"
33 | "kubernetes.io/role/elb" = "1"
34 | "kubernetes.io/cluster/demo" = "owned"
35 | }
36 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.public-us-east-1b
File: /lessons/105/aws-terraform/3-subnets.tf:38-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
38 | resource "aws_subnet" "public-us-east-1b" {
39 | vpc_id = aws_vpc.main.id
40 | cidr_block = "10.0.96.0/19"
41 | availability_zone = "us-east-1b"
42 | map_public_ip_on_launch = true
43 |
44 | tags = {
45 | "Name" = "public-us-east-1b"
46 | "kubernetes.io/role/elb" = "1"
47 | "kubernetes.io/cluster/demo" = "owned"
48 | }
49 | }
Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
FAILED for resource: aws_eks_cluster.demo
File: /lessons/105/aws-terraform/6-eks.tf:25-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
25 | resource "aws_eks_cluster" "demo" {
26 | name = "demo"
27 | role_arn = aws_iam_role.demo.arn
28 |
29 | vpc_config {
30 | subnet_ids = [
31 | aws_subnet.private-us-east-1a.id,
32 | aws_subnet.private-us-east-1b.id,
33 | aws_subnet.public-us-east-1a.id,
34 | aws_subnet.public-us-east-1b.id
35 | ]
36 | }
37 |
38 | depends_on = [aws_iam_role_policy_attachment.demo-AmazonEKSClusterPolicy]
39 | }
Check: CKV_AWS_37: "Ensure Amazon EKS control plane logging enabled for all log types"
FAILED for resource: aws_eks_cluster.demo
File: /lessons/105/aws-terraform/6-eks.tf:25-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-4.html
25 | resource "aws_eks_cluster" "demo" {
26 | name = "demo"
27 | role_arn = aws_iam_role.demo.arn
28 |
29 | vpc_config {
30 | subnet_ids = [
31 | aws_subnet.private-us-east-1a.id,
32 | aws_subnet.private-us-east-1b.id,
33 | aws_subnet.public-us-east-1a.id,
34 | aws_subnet.public-us-east-1b.id
35 | ]
36 | }
37 |
38 | depends_on = [aws_iam_role_policy_attachment.demo-AmazonEKSClusterPolicy]
39 | }
Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
FAILED for resource: aws_eks_cluster.demo
File: /lessons/105/aws-terraform/6-eks.tf:25-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
25 | resource "aws_eks_cluster" "demo" {
26 | name = "demo"
27 | role_arn = aws_iam_role.demo.arn
28 |
29 | vpc_config {
30 | subnet_ids = [
31 | aws_subnet.private-us-east-1a.id,
32 | aws_subnet.private-us-east-1b.id,
33 | aws_subnet.public-us-east-1a.id,
34 | aws_subnet.public-us-east-1b.id
35 | ]
36 | }
37 |
38 | depends_on = [aws_iam_role_policy_attachment.demo-AmazonEKSClusterPolicy]
39 | }
Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
FAILED for resource: aws_eks_cluster.demo
File: /lessons/105/aws-terraform/6-eks.tf:25-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
25 | resource "aws_eks_cluster" "demo" {
26 | name = "demo"
27 | role_arn = aws_iam_role.demo.arn
28 |
29 | vpc_config {
30 | subnet_ids = [
31 | aws_subnet.private-us-east-1a.id,
32 | aws_subnet.private-us-east-1b.id,
33 | aws_subnet.public-us-east-1a.id,
34 | aws_subnet.public-us-east-1b.id
35 | ]
36 | }
37 |
38 | depends_on = [aws_iam_role_policy_attachment.demo-AmazonEKSClusterPolicy]
39 | }
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: google_compute_subnetwork.private
File: /lessons/108/terraform/3-subnets.tf:2-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
2 | resource "google_compute_subnetwork" "private" {
3 | name = "private"
4 | ip_cidr_range = "10.0.0.0/18"
5 | region = "us-central1"
6 | network = google_compute_network.main.id
7 | private_ip_google_access = true
8 |
9 | secondary_ip_range {
10 | range_name = "k8s-pod-range"
11 | ip_cidr_range = "10.48.0.0/14"
12 | }
13 | secondary_ip_range {
14 | range_name = "k8s-service-range"
15 | ip_cidr_range = "10.52.0.0/20"
16 | }
17 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: google_compute_subnetwork.private
File: /lessons/108/terraform/3-subnets.tf:2-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
2 | resource "google_compute_subnetwork" "private" {
3 | name = "private"
4 | ip_cidr_range = "10.0.0.0/18"
5 | region = "us-central1"
6 | network = google_compute_network.main.id
7 | private_ip_google_access = true
8 |
9 | secondary_ip_range {
10 | range_name = "k8s-pod-range"
11 | ip_cidr_range = "10.48.0.0/14"
12 | }
13 | secondary_ip_range {
14 | range_name = "k8s-service-range"
15 | ip_cidr_range = "10.52.0.0/20"
16 | }
17 | }
Check: CKV_GCP_2: "Ensure Google compute firewall ingress does not allow unrestricted ssh access"
FAILED for resource: google_compute_firewall.allow-ssh
File: /lessons/108/terraform/6-firewalls.tf:2-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/bc-gcp-networking-1.html
2 | resource "google_compute_firewall" "allow-ssh" {
3 | name = "allow-ssh"
4 | network = google_compute_network.main.name
5 |
6 | allow {
7 | protocol = "tcp"
8 | ports = ["22"]
9 | }
10 |
11 | source_ranges = ["0.0.0.0/0"]
12 | }
Check: CKV_GCP_66: "Ensure use of Binary Authorization"
FAILED for resource: google_container_cluster.primary
File: /lessons/108/terraform/7-kubernetes.tf:2-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/ensure-use-of-binary-authorization.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_24: "Ensure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters"
FAILED for resource: google_container_cluster.primary
File: /lessons/108/terraform/7-kubernetes.tf:2-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/bc-gcp-kubernetes-9.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_65: "Manage Kubernetes RBAC users with Google Groups for GKE"
FAILED for resource: google_container_cluster.primary
File: /lessons/108/terraform/7-kubernetes.tf:2-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/manage-kubernetes-rbac-users-with-google-groups-for-gke.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_20: "Ensure master authorized networks is set to enabled in GKE clusters"
FAILED for resource: google_container_cluster.primary
File: /lessons/108/terraform/7-kubernetes.tf:2-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/bc-gcp-kubernetes-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_12: "Ensure Network Policy is enabled on Kubernetes Engine Clusters"
FAILED for resource: google_container_cluster.primary
File: /lessons/108/terraform/7-kubernetes.tf:2-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/bc-gcp-kubernetes-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_21: "Ensure Kubernetes Clusters are configured with Labels"
FAILED for resource: google_container_cluster.primary
File: /lessons/108/terraform/7-kubernetes.tf:2-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/bc-gcp-kubernetes-13.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_69: "Ensure the GKE Metadata Server is Enabled"
FAILED for resource: google_container_cluster.primary
File: /lessons/108/terraform/7-kubernetes.tf:2-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/ensure-the-gke-metadata-server-is-enabled.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_13: "Ensure client certificate authentication to Kubernetes Engine Clusters is disabled"
FAILED for resource: google_container_cluster.primary
File: /lessons/108/terraform/7-kubernetes.tf:2-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/bc-gcp-kubernetes-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_61: "Enable VPC Flow Logs and Intranode Visibility"
FAILED for resource: google_container_cluster.primary
File: /lessons/108/terraform/7-kubernetes.tf:2-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/enable-vpc-flow-logs-and-intranode-visibility.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_68: "Ensure Secure Boot for Shielded GKE Nodes is Enabled"
FAILED for resource: google_container_node_pool.general
File: /lessons/108/terraform/8-node-pools.tf:7-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/ensure-secure-boot-for-shielded-gke-nodes-is-enabled.html
7 | resource "google_container_node_pool" "general" {
8 | name = "general"
9 | cluster = google_container_cluster.primary.id
10 | node_count = 1
11 |
12 | management {
13 | auto_repair = true
14 | auto_upgrade = true
15 | }
16 |
17 | node_config {
18 | preemptible = false
19 | machine_type = "e2-small"
20 |
21 | labels = {
22 | role = "general"
23 | }
24 |
25 | service_account = google_service_account.kubernetes.email
26 | oauth_scopes = [
27 | "https://www.googleapis.com/auth/cloud-platform"
28 | ]
29 | }
30 | }
Check: CKV_GCP_69: "Ensure the GKE Metadata Server is Enabled"
FAILED for resource: google_container_node_pool.general
File: /lessons/108/terraform/8-node-pools.tf:7-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/ensure-the-gke-metadata-server-is-enabled.html
7 | resource "google_container_node_pool" "general" {
8 | name = "general"
9 | cluster = google_container_cluster.primary.id
10 | node_count = 1
11 |
12 | management {
13 | auto_repair = true
14 | auto_upgrade = true
15 | }
16 |
17 | node_config {
18 | preemptible = false
19 | machine_type = "e2-small"
20 |
21 | labels = {
22 | role = "general"
23 | }
24 |
25 | service_account = google_service_account.kubernetes.email
26 | oauth_scopes = [
27 | "https://www.googleapis.com/auth/cloud-platform"
28 | ]
29 | }
30 | }
Check: CKV_GCP_22: "Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image"
FAILED for resource: google_container_node_pool.general
File: /lessons/108/terraform/8-node-pools.tf:7-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/bc-gcp-kubernetes-14.html
7 | resource "google_container_node_pool" "general" {
8 | name = "general"
9 | cluster = google_container_cluster.primary.id
10 | node_count = 1
11 |
12 | management {
13 | auto_repair = true
14 | auto_upgrade = true
15 | }
16 |
17 | node_config {
18 | preemptible = false
19 | machine_type = "e2-small"
20 |
21 | labels = {
22 | role = "general"
23 | }
24 |
25 | service_account = google_service_account.kubernetes.email
26 | oauth_scopes = [
27 | "https://www.googleapis.com/auth/cloud-platform"
28 | ]
29 | }
30 | }
Check: CKV_GCP_68: "Ensure Secure Boot for Shielded GKE Nodes is Enabled"
FAILED for resource: google_container_node_pool.spot
File: /lessons/108/terraform/8-node-pools.tf:32-65
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/ensure-secure-boot-for-shielded-gke-nodes-is-enabled.html
32 | resource "google_container_node_pool" "spot" {
33 | name = "spot"
34 | cluster = google_container_cluster.primary.id
35 |
36 | management {
37 | auto_repair = true
38 | auto_upgrade = true
39 | }
40 |
41 | autoscaling {
42 | min_node_count = 0
43 | max_node_count = 10
44 | }
45 |
46 | node_config {
47 | preemptible = true
48 | machine_type = "e2-small"
49 |
50 | labels = {
51 | team = "devops"
52 | }
53 |
54 | taint {
55 | key = "instance_type"
56 | value = "spot"
57 | effect = "NO_SCHEDULE"
58 | }
59 |
60 | service_account = google_service_account.kubernetes.email
61 | oauth_scopes = [
62 | "https://www.googleapis.com/auth/cloud-platform"
63 | ]
64 | }
65 | }
Check: CKV_GCP_69: "Ensure the GKE Metadata Server is Enabled"
FAILED for resource: google_container_node_pool.spot
File: /lessons/108/terraform/8-node-pools.tf:32-65
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/ensure-the-gke-metadata-server-is-enabled.html
32 | resource "google_container_node_pool" "spot" {
33 | name = "spot"
34 | cluster = google_container_cluster.primary.id
35 |
36 | management {
37 | auto_repair = true
38 | auto_upgrade = true
39 | }
40 |
41 | autoscaling {
42 | min_node_count = 0
43 | max_node_count = 10
44 | }
45 |
46 | node_config {
47 | preemptible = true
48 | machine_type = "e2-small"
49 |
50 | labels = {
51 | team = "devops"
52 | }
53 |
54 | taint {
55 | key = "instance_type"
56 | value = "spot"
57 | effect = "NO_SCHEDULE"
58 | }
59 |
60 | service_account = google_service_account.kubernetes.email
61 | oauth_scopes = [
62 | "https://www.googleapis.com/auth/cloud-platform"
63 | ]
64 | }
65 | }
Check: CKV_GCP_22: "Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image"
FAILED for resource: google_container_node_pool.spot
File: /lessons/108/terraform/8-node-pools.tf:32-65
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/bc-gcp-kubernetes-14.html
32 | resource "google_container_node_pool" "spot" {
33 | name = "spot"
34 | cluster = google_container_cluster.primary.id
35 |
36 | management {
37 | auto_repair = true
38 | auto_upgrade = true
39 | }
40 |
41 | autoscaling {
42 | min_node_count = 0
43 | max_node_count = 10
44 | }
45 |
46 | node_config {
47 | preemptible = true
48 | machine_type = "e2-small"
49 |
50 | labels = {
51 | team = "devops"
52 | }
53 |
54 | taint {
55 | key = "instance_type"
56 | value = "spot"
57 | effect = "NO_SCHEDULE"
58 | }
59 |
60 | service_account = google_service_account.kubernetes.email
61 | oauth_scopes = [
62 | "https://www.googleapis.com/auth/cloud-platform"
63 | ]
64 | }
65 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.public-us-east-1a
File: /lessons/112/terraform/3-subnets.tf:25-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
25 | resource "aws_subnet" "public-us-east-1a" {
26 | vpc_id = aws_vpc.main.id
27 | cidr_block = "10.0.64.0/19"
28 | availability_zone = "us-east-1a"
29 | map_public_ip_on_launch = true
30 |
31 | tags = {
32 | "Name" = "public-us-east-1a"
33 | "kubernetes.io/role/elb" = "1"
34 | "kubernetes.io/cluster/${var.cluster_name}" = "owned"
35 | }
36 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.public-us-east-1b
File: /lessons/112/terraform/3-subnets.tf:38-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
38 | resource "aws_subnet" "public-us-east-1b" {
39 | vpc_id = aws_vpc.main.id
40 | cidr_block = "10.0.96.0/19"
41 | availability_zone = "us-east-1b"
42 | map_public_ip_on_launch = true
43 |
44 | tags = {
45 | "Name" = "public-us-east-1b"
46 | "kubernetes.io/role/elb" = "1"
47 | "kubernetes.io/cluster/${var.cluster_name}" = "owned"
48 | }
49 | }
Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
FAILED for resource: aws_eks_cluster.cluster
File: /lessons/112/terraform/6-eks.tf:25-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
25 | resource "aws_eks_cluster" "cluster" {
26 | name = var.cluster_name
27 | version = var.cluster_version
28 | role_arn = aws_iam_role.eks-cluster.arn
29 |
30 | vpc_config {
31 | subnet_ids = [
32 | aws_subnet.private-us-east-1a.id,
33 | aws_subnet.private-us-east-1b.id,
34 | aws_subnet.public-us-east-1a.id,
35 | aws_subnet.public-us-east-1b.id
36 | ]
37 | }
38 |
39 | depends_on = [aws_iam_role_policy_attachment.amazon-eks-cluster-policy]
40 | }
Check: CKV_AWS_37: "Ensure Amazon EKS control plane logging enabled for all log types"
FAILED for resource: aws_eks_cluster.cluster
File: /lessons/112/terraform/6-eks.tf:25-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-4.html
25 | resource "aws_eks_cluster" "cluster" {
26 | name = var.cluster_name
27 | version = var.cluster_version
28 | role_arn = aws_iam_role.eks-cluster.arn
29 |
30 | vpc_config {
31 | subnet_ids = [
32 | aws_subnet.private-us-east-1a.id,
33 | aws_subnet.private-us-east-1b.id,
34 | aws_subnet.public-us-east-1a.id,
35 | aws_subnet.public-us-east-1b.id
36 | ]
37 | }
38 |
39 | depends_on = [aws_iam_role_policy_attachment.amazon-eks-cluster-policy]
40 | }
Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
FAILED for resource: aws_eks_cluster.cluster
File: /lessons/112/terraform/6-eks.tf:25-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
25 | resource "aws_eks_cluster" "cluster" {
26 | name = var.cluster_name
27 | version = var.cluster_version
28 | role_arn = aws_iam_role.eks-cluster.arn
29 |
30 | vpc_config {
31 | subnet_ids = [
32 | aws_subnet.private-us-east-1a.id,
33 | aws_subnet.private-us-east-1b.id,
34 | aws_subnet.public-us-east-1a.id,
35 | aws_subnet.public-us-east-1b.id
36 | ]
37 | }
38 |
39 | depends_on = [aws_iam_role_policy_attachment.amazon-eks-cluster-policy]
40 | }
Check: CKV_AWS_339: "Ensure EKS clusters run on a supported Kubernetes version"
FAILED for resource: aws_eks_cluster.cluster
File: /lessons/112/terraform/6-eks.tf:25-40
25 | resource "aws_eks_cluster" "cluster" {
26 | name = var.cluster_name
27 | version = var.cluster_version
28 | role_arn = aws_iam_role.eks-cluster.arn
29 |
30 | vpc_config {
31 | subnet_ids = [
32 | aws_subnet.private-us-east-1a.id,
33 | aws_subnet.private-us-east-1b.id,
34 | aws_subnet.public-us-east-1a.id,
35 | aws_subnet.public-us-east-1b.id
36 | ]
37 | }
38 |
39 | depends_on = [aws_iam_role_policy_attachment.amazon-eks-cluster-policy]
40 | }
Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
FAILED for resource: aws_eks_cluster.cluster
File: /lessons/112/terraform/6-eks.tf:25-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
25 | resource "aws_eks_cluster" "cluster" {
26 | name = var.cluster_name
27 | version = var.cluster_version
28 | role_arn = aws_iam_role.eks-cluster.arn
29 |
30 | vpc_config {
31 | subnet_ids = [
32 | aws_subnet.private-us-east-1a.id,
33 | aws_subnet.private-us-east-1b.id,
34 | aws_subnet.public-us-east-1a.id,
35 | aws_subnet.public-us-east-1b.id
36 | ]
37 | }
38 |
39 | depends_on = [aws_iam_role_policy_attachment.amazon-eks-cluster-policy]
40 | }
Check: CKV_AWS_184: "Ensure resource is encrypted by KMS using a customer managed Key (CMK)"
FAILED for resource: aws_efs_file_system.eks
File: /lessons/113/terraform/13-efs.tf:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-104.html
1 | resource "aws_efs_file_system" "eks" {
2 | creation_token = "eks"
3 |
4 | performance_mode = "generalPurpose"
5 | throughput_mode = "bursting"
6 | encrypted = true
7 |
8 | # lifecycle_policy {
9 | # transition_to_ia = "AFTER_30_DAYS"
10 | # }
11 |
12 | tags = {
13 | Name = "eks"
14 | }
15 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.public-us-east-1a
File: /lessons/113/terraform/3-subnets.tf:25-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
25 | resource "aws_subnet" "public-us-east-1a" {
26 | vpc_id = aws_vpc.main.id
27 | cidr_block = "10.0.64.0/19"
28 | availability_zone = "us-east-1a"
29 | map_public_ip_on_launch = true
30 |
31 | tags = {
32 | "Name" = "public-us-east-1a"
33 | "kubernetes.io/role/elb" = "1"
34 | "kubernetes.io/cluster/${var.cluster_name}" = "owned"
35 | }
36 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.public-us-east-1b
File: /lessons/113/terraform/3-subnets.tf:38-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
38 | resource "aws_subnet" "public-us-east-1b" {
39 | vpc_id = aws_vpc.main.id
40 | cidr_block = "10.0.96.0/19"
41 | availability_zone = "us-east-1b"
42 | map_public_ip_on_launch = true
43 |
44 | tags = {
45 | "Name" = "public-us-east-1b"
46 | "kubernetes.io/role/elb" = "1"
47 | "kubernetes.io/cluster/${var.cluster_name}" = "owned"
48 | }
49 | }
Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
FAILED for resource: aws_eks_cluster.cluster
File: /lessons/113/terraform/6-eks.tf:25-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
25 | resource "aws_eks_cluster" "cluster" {
26 | name = var.cluster_name
27 | version = var.cluster_version
28 | role_arn = aws_iam_role.eks-cluster.arn
29 |
30 | vpc_config {
31 |
32 | endpoint_private_access = false
33 | endpoint_public_access = true
34 | public_access_cidrs = ["0.0.0.0/0"]
35 |
36 | subnet_ids = [
37 | aws_subnet.private-us-east-1a.id,
38 | aws_subnet.private-us-east-1b.id,
39 | aws_subnet.public-us-east-1a.id,
40 | aws_subnet.public-us-east-1b.id
41 | ]
42 | }
43 |
44 | depends_on = [aws_iam_role_policy_attachment.amazon-eks-cluster-policy]
45 | }
Check: CKV_AWS_37: "Ensure Amazon EKS control plane logging enabled for all log types"
FAILED for resource: aws_eks_cluster.cluster
File: /lessons/113/terraform/6-eks.tf:25-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-4.html
25 | resource "aws_eks_cluster" "cluster" {
26 | name = var.cluster_name
27 | version = var.cluster_version
28 | role_arn = aws_iam_role.eks-cluster.arn
29 |
30 | vpc_config {
31 |
32 | endpoint_private_access = false
33 | endpoint_public_access = true
34 | public_access_cidrs = ["0.0.0.0/0"]
35 |
36 | subnet_ids = [
37 | aws_subnet.private-us-east-1a.id,
38 | aws_subnet.private-us-east-1b.id,
39 | aws_subnet.public-us-east-1a.id,
40 | aws_subnet.public-us-east-1b.id
41 | ]
42 | }
43 |
44 | depends_on = [aws_iam_role_policy_attachment.amazon-eks-cluster-policy]
45 | }
Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
FAILED for resource: aws_eks_cluster.cluster
File: /lessons/113/terraform/6-eks.tf:25-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
25 | resource "aws_eks_cluster" "cluster" {
26 | name = var.cluster_name
27 | version = var.cluster_version
28 | role_arn = aws_iam_role.eks-cluster.arn
29 |
30 | vpc_config {
31 |
32 | endpoint_private_access = false
33 | endpoint_public_access = true
34 | public_access_cidrs = ["0.0.0.0/0"]
35 |
36 | subnet_ids = [
37 | aws_subnet.private-us-east-1a.id,
38 | aws_subnet.private-us-east-1b.id,
39 | aws_subnet.public-us-east-1a.id,
40 | aws_subnet.public-us-east-1b.id
41 | ]
42 | }
43 |
44 | depends_on = [aws_iam_role_policy_attachment.amazon-eks-cluster-policy]
45 | }
Check: CKV_AWS_339: "Ensure EKS clusters run on a supported Kubernetes version"
FAILED for resource: aws_eks_cluster.cluster
File: /lessons/113/terraform/6-eks.tf:25-45
25 | resource "aws_eks_cluster" "cluster" {
26 | name = var.cluster_name
27 | version = var.cluster_version
28 | role_arn = aws_iam_role.eks-cluster.arn
29 |
30 | vpc_config {
31 |
32 | endpoint_private_access = false
33 | endpoint_public_access = true
34 | public_access_cidrs = ["0.0.0.0/0"]
35 |
36 | subnet_ids = [
37 | aws_subnet.private-us-east-1a.id,
38 | aws_subnet.private-us-east-1b.id,
39 | aws_subnet.public-us-east-1a.id,
40 | aws_subnet.public-us-east-1b.id
41 | ]
42 | }
43 |
44 | depends_on = [aws_iam_role_policy_attachment.amazon-eks-cluster-policy]
45 | }
Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
FAILED for resource: aws_eks_cluster.cluster
File: /lessons/113/terraform/6-eks.tf:25-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
25 | resource "aws_eks_cluster" "cluster" {
26 | name = var.cluster_name
27 | version = var.cluster_version
28 | role_arn = aws_iam_role.eks-cluster.arn
29 |
30 | vpc_config {
31 |
32 | endpoint_private_access = false
33 | endpoint_public_access = true
34 | public_access_cidrs = ["0.0.0.0/0"]
35 |
36 | subnet_ids = [
37 | aws_subnet.private-us-east-1a.id,
38 | aws_subnet.private-us-east-1b.id,
39 | aws_subnet.public-us-east-1a.id,
40 | aws_subnet.public-us-east-1b.id
41 | ]
42 | }
43 |
44 | depends_on = [aws_iam_role_policy_attachment.amazon-eks-cluster-policy]
45 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.public-us-east-1a
File: /lessons/114/terraform/3-subnets.tf:25-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
25 | resource "aws_subnet" "public-us-east-1a" {
26 | vpc_id = aws_vpc.main.id
27 | cidr_block = "10.0.64.0/19"
28 | availability_zone = "us-east-1a"
29 | map_public_ip_on_launch = true
30 |
31 | tags = {
32 | "Name" = "public-us-east-1a"
33 | "kubernetes.io/role/elb" = "1"
34 | "kubernetes.io/cluster/${var.cluster_name}" = "owned"
35 | }
36 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.public-us-east-1b
File: /lessons/114/terraform/3-subnets.tf:38-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
38 | resource "aws_subnet" "public-us-east-1b" {
39 | vpc_id = aws_vpc.main.id
40 | cidr_block = "10.0.96.0/19"
41 | availability_zone = "us-east-1b"
42 | map_public_ip_on_launch = true
43 |
44 | tags = {
45 | "Name" = "public-us-east-1b"
46 | "kubernetes.io/role/elb" = "1"
47 | "kubernetes.io/cluster/${var.cluster_name}" = "owned"
48 | }
49 | }
Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
FAILED for resource: aws_eks_cluster.cluster
File: /lessons/114/terraform/6-eks.tf:25-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
25 | resource "aws_eks_cluster" "cluster" {
26 | name = var.cluster_name
27 | version = "1.22"
28 | role_arn = aws_iam_role.eks-cluster.arn
29 |
30 | vpc_config {
31 |
32 | endpoint_private_access = false
33 | endpoint_public_access = true
34 | public_access_cidrs = ["0.0.0.0/0"]
35 |
36 | subnet_ids = [
37 | aws_subnet.private-us-east-1a.id,
38 | aws_subnet.private-us-east-1b.id,
39 | aws_subnet.public-us-east-1a.id,
40 | aws_subnet.public-us-east-1b.id
41 | ]
42 | }
43 |
44 | depends_on = [aws_iam_role_policy_attachment.amazon-eks-cluster-policy]
45 | }
Check: CKV_AWS_37: "Ensure Amazon EKS control plane logging enabled for all log types"
FAILED for resource: aws_eks_cluster.cluster
File: /lessons/114/terraform/6-eks.tf:25-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-4.html
25 | resource "aws_eks_cluster" "cluster" {
26 | name = var.cluster_name
27 | version = "1.22"
28 | role_arn = aws_iam_role.eks-cluster.arn
29 |
30 | vpc_config {
31 |
32 | endpoint_private_access = false
33 | endpoint_public_access = true
34 | public_access_cidrs = ["0.0.0.0/0"]
35 |
36 | subnet_ids = [
37 | aws_subnet.private-us-east-1a.id,
38 | aws_subnet.private-us-east-1b.id,
39 | aws_subnet.public-us-east-1a.id,
40 | aws_subnet.public-us-east-1b.id
41 | ]
42 | }
43 |
44 | depends_on = [aws_iam_role_policy_attachment.amazon-eks-cluster-policy]
45 | }
Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
FAILED for resource: aws_eks_cluster.cluster
File: /lessons/114/terraform/6-eks.tf:25-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
25 | resource "aws_eks_cluster" "cluster" {
26 | name = var.cluster_name
27 | version = "1.22"
28 | role_arn = aws_iam_role.eks-cluster.arn
29 |
30 | vpc_config {
31 |
32 | endpoint_private_access = false
33 | endpoint_public_access = true
34 | public_access_cidrs = ["0.0.0.0/0"]
35 |
36 | subnet_ids = [
37 | aws_subnet.private-us-east-1a.id,
38 | aws_subnet.private-us-east-1b.id,
39 | aws_subnet.public-us-east-1a.id,
40 | aws_subnet.public-us-east-1b.id
41 | ]
42 | }
43 |
44 | depends_on = [aws_iam_role_policy_attachment.amazon-eks-cluster-policy]
45 | }
Check: CKV_AWS_339: "Ensure EKS clusters run on a supported Kubernetes version"
FAILED for resource: aws_eks_cluster.cluster
File: /lessons/114/terraform/6-eks.tf:25-45
25 | resource "aws_eks_cluster" "cluster" {
26 | name = var.cluster_name
27 | version = "1.22"
28 | role_arn = aws_iam_role.eks-cluster.arn
29 |
30 | vpc_config {
31 |
32 | endpoint_private_access = false
33 | endpoint_public_access = true
34 | public_access_cidrs = ["0.0.0.0/0"]
35 |
36 | subnet_ids = [
37 | aws_subnet.private-us-east-1a.id,
38 | aws_subnet.private-us-east-1b.id,
39 | aws_subnet.public-us-east-1a.id,
40 | aws_subnet.public-us-east-1b.id
41 | ]
42 | }
43 |
44 | depends_on = [aws_iam_role_policy_attachment.amazon-eks-cluster-policy]
45 | }
Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
FAILED for resource: aws_eks_cluster.cluster
File: /lessons/114/terraform/6-eks.tf:25-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
25 | resource "aws_eks_cluster" "cluster" {
26 | name = var.cluster_name
27 | version = "1.22"
28 | role_arn = aws_iam_role.eks-cluster.arn
29 |
30 | vpc_config {
31 |
32 | endpoint_private_access = false
33 | endpoint_public_access = true
34 | public_access_cidrs = ["0.0.0.0/0"]
35 |
36 | subnet_ids = [
37 | aws_subnet.private-us-east-1a.id,
38 | aws_subnet.private-us-east-1b.id,
39 | aws_subnet.public-us-east-1a.id,
40 | aws_subnet.public-us-east-1b.id
41 | ]
42 | }
43 |
44 | depends_on = [aws_iam_role_policy_attachment.amazon-eks-cluster-policy]
45 | }
Check: CKV_AWS_50: "X-ray tracing is enabled for Lambda"
FAILED for resource: aws_lambda_function.hello
File: /lessons/115/terraform/2-hello-lambda.tf:25-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4.html
25 | resource "aws_lambda_function" "hello" {
26 | function_name = "hello"
27 |
28 | s3_bucket = aws_s3_bucket.lambda_bucket.id
29 | s3_key = aws_s3_object.lambda_hello.key
30 |
31 | runtime = "nodejs16.x"
32 | handler = "function.handler"
33 |
34 | source_code_hash = data.archive_file.lambda_hello.output_base64sha256
35 |
36 | role = aws_iam_role.hello_lambda_exec.arn
37 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: aws_lambda_function.hello
File: /lessons/115/terraform/2-hello-lambda.tf:25-37
25 | resource "aws_lambda_function" "hello" {
26 | function_name = "hello"
27 |
28 | s3_bucket = aws_s3_bucket.lambda_bucket.id
29 | s3_key = aws_s3_object.lambda_hello.key
30 |
31 | runtime = "nodejs16.x"
32 | handler = "function.handler"
33 |
34 | source_code_hash = data.archive_file.lambda_hello.output_base64sha256
35 |
36 | role = aws_iam_role.hello_lambda_exec.arn
37 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: aws_lambda_function.hello
File: /lessons/115/terraform/2-hello-lambda.tf:25-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit.html
25 | resource "aws_lambda_function" "hello" {
26 | function_name = "hello"
27 |
28 | s3_bucket = aws_s3_bucket.lambda_bucket.id
29 | s3_key = aws_s3_object.lambda_hello.key
30 |
31 | runtime = "nodejs16.x"
32 | handler = "function.handler"
33 |
34 | source_code_hash = data.archive_file.lambda_hello.output_base64sha256
35 |
36 | role = aws_iam_role.hello_lambda_exec.arn
37 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: aws_lambda_function.hello
File: /lessons/115/terraform/2-hello-lambda.tf:25-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq.html
25 | resource "aws_lambda_function" "hello" {
26 | function_name = "hello"
27 |
28 | s3_bucket = aws_s3_bucket.lambda_bucket.id
29 | s3_key = aws_s3_object.lambda_hello.key
30 |
31 | runtime = "nodejs16.x"
32 | handler = "function.handler"
33 |
34 | source_code_hash = data.archive_file.lambda_hello.output_base64sha256
35 |
36 | role = aws_iam_role.hello_lambda_exec.arn
37 | }
Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
FAILED for resource: aws_lambda_function.hello
File: /lessons/115/terraform/2-hello-lambda.tf:25-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1.html
25 | resource "aws_lambda_function" "hello" {
26 | function_name = "hello"
27 |
28 | s3_bucket = aws_s3_bucket.lambda_bucket.id
29 | s3_key = aws_s3_object.lambda_hello.key
30 |
31 | runtime = "nodejs16.x"
32 | handler = "function.handler"
33 |
34 | source_code_hash = data.archive_file.lambda_hello.output_base64sha256
35 |
36 | role = aws_iam_role.hello_lambda_exec.arn
37 | }
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: aws_cloudwatch_log_group.hello
File: /lessons/115/terraform/2-hello-lambda.tf:39-43
39 | resource "aws_cloudwatch_log_group" "hello" {
40 | name = "/aws/lambda/${aws_lambda_function.hello.function_name}"
41 |
42 | retention_in_days = 14
43 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
FAILED for resource: aws_cloudwatch_log_group.hello
File: /lessons/115/terraform/2-hello-lambda.tf:39-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html
39 | resource "aws_cloudwatch_log_group" "hello" {
40 | name = "/aws/lambda/${aws_lambda_function.hello.function_name}"
41 |
42 | retention_in_days = 14
43 | }
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: aws_cloudwatch_log_group.main_api_gw
File: /lessons/115/terraform/3-api-gateway.tf:31-35
31 | resource "aws_cloudwatch_log_group" "main_api_gw" {
32 | name = "/aws/api-gw/${aws_apigatewayv2_api.main.name}"
33 |
34 | retention_in_days = 14
35 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
FAILED for resource: aws_cloudwatch_log_group.main_api_gw
File: /lessons/115/terraform/3-api-gateway.tf:31-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html
31 | resource "aws_cloudwatch_log_group" "main_api_gw" {
32 | name = "/aws/api-gw/${aws_apigatewayv2_api.main.name}"
33 |
34 | retention_in_days = 14
35 | }
Check: CKV_AWS_309: "Ensure API GatewayV2 routes specify an authorization type"
FAILED for resource: aws_apigatewayv2_route.get_hello
File: /lessons/115/terraform/4-hello-api-gateway.tf:9-14
9 | resource "aws_apigatewayv2_route" "get_hello" {
10 | api_id = aws_apigatewayv2_api.main.id
11 |
12 | route_key = "GET /hello"
13 | target = "integrations/${aws_apigatewayv2_integration.lambda_hello.id}"
14 | }
Check: CKV_AWS_309: "Ensure API GatewayV2 routes specify an authorization type"
FAILED for resource: aws_apigatewayv2_route.post_hello
File: /lessons/115/terraform/4-hello-api-gateway.tf:16-21
16 | resource "aws_apigatewayv2_route" "post_hello" {
17 | api_id = aws_apigatewayv2_api.main.id
18 |
19 | route_key = "POST /hello"
20 | target = "integrations/${aws_apigatewayv2_integration.lambda_hello.id}"
21 | }
Check: CKV_AWS_50: "X-ray tracing is enabled for Lambda"
FAILED for resource: aws_lambda_function.s3
File: /lessons/115/terraform/6-s3-lambda.tf:47-59
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4.html
47 | resource "aws_lambda_function" "s3" {
48 | function_name = "s3"
49 |
50 | s3_bucket = aws_s3_bucket.lambda_bucket.id
51 | s3_key = aws_s3_object.lambda_s3.key
52 |
53 | runtime = "nodejs16.x"
54 | handler = "function.handler"
55 |
56 | source_code_hash = data.archive_file.lambda_s3.output_base64sha256
57 |
58 | role = aws_iam_role.s3_lambda_exec.arn
59 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: aws_lambda_function.s3
File: /lessons/115/terraform/6-s3-lambda.tf:47-59
47 | resource "aws_lambda_function" "s3" {
48 | function_name = "s3"
49 |
50 | s3_bucket = aws_s3_bucket.lambda_bucket.id
51 | s3_key = aws_s3_object.lambda_s3.key
52 |
53 | runtime = "nodejs16.x"
54 | handler = "function.handler"
55 |
56 | source_code_hash = data.archive_file.lambda_s3.output_base64sha256
57 |
58 | role = aws_iam_role.s3_lambda_exec.arn
59 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: aws_lambda_function.s3
File: /lessons/115/terraform/6-s3-lambda.tf:47-59
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit.html
47 | resource "aws_lambda_function" "s3" {
48 | function_name = "s3"
49 |
50 | s3_bucket = aws_s3_bucket.lambda_bucket.id
51 | s3_key = aws_s3_object.lambda_s3.key
52 |
53 | runtime = "nodejs16.x"
54 | handler = "function.handler"
55 |
56 | source_code_hash = data.archive_file.lambda_s3.output_base64sha256
57 |
58 | role = aws_iam_role.s3_lambda_exec.arn
59 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: aws_lambda_function.s3
File: /lessons/115/terraform/6-s3-lambda.tf:47-59
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq.html
47 | resource "aws_lambda_function" "s3" {
48 | function_name = "s3"
49 |
50 | s3_bucket = aws_s3_bucket.lambda_bucket.id
51 | s3_key = aws_s3_object.lambda_s3.key
52 |
53 | runtime = "nodejs16.x"
54 | handler = "function.handler"
55 |
56 | source_code_hash = data.archive_file.lambda_s3.output_base64sha256
57 |
58 | role = aws_iam_role.s3_lambda_exec.arn
59 | }
Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
FAILED for resource: aws_lambda_function.s3
File: /lessons/115/terraform/6-s3-lambda.tf:47-59
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1.html
47 | resource "aws_lambda_function" "s3" {
48 | function_name = "s3"
49 |
50 | s3_bucket = aws_s3_bucket.lambda_bucket.id
51 | s3_key = aws_s3_object.lambda_s3.key
52 |
53 | runtime = "nodejs16.x"
54 | handler = "function.handler"
55 |
56 | source_code_hash = data.archive_file.lambda_s3.output_base64sha256
57 |
58 | role = aws_iam_role.s3_lambda_exec.arn
59 | }
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: aws_cloudwatch_log_group.s3
File: /lessons/115/terraform/6-s3-lambda.tf:61-65
61 | resource "aws_cloudwatch_log_group" "s3" {
62 | name = "/aws/lambda/${aws_lambda_function.s3.function_name}"
63 |
64 | retention_in_days = 14
65 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
FAILED for resource: aws_cloudwatch_log_group.s3
File: /lessons/115/terraform/6-s3-lambda.tf:61-65
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html
61 | resource "aws_cloudwatch_log_group" "s3" {
62 | name = "/aws/lambda/${aws_lambda_function.s3.function_name}"
63 |
64 | retention_in_days = 14
65 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.public-us-east-1a
File: /lessons/116/terraform/3-subnets.tf:25-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
25 | resource "aws_subnet" "public-us-east-1a" {
26 | vpc_id = aws_vpc.main.id
27 | cidr_block = "10.0.64.0/19"
28 | availability_zone = "us-east-1a"
29 | map_public_ip_on_launch = true
30 |
31 | tags = {
32 | "Name" = "public-us-east-1a"
33 | "kubernetes.io/role/elb" = "1"
34 | "kubernetes.io/cluster/${var.cluster_name}" = "owned"
35 | }
36 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.public-us-east-1b
File: /lessons/116/terraform/3-subnets.tf:38-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
38 | resource "aws_subnet" "public-us-east-1b" {
39 | vpc_id = aws_vpc.main.id
40 | cidr_block = "10.0.96.0/19"
41 | availability_zone = "us-east-1b"
42 | map_public_ip_on_launch = true
43 |
44 | tags = {
45 | "Name" = "public-us-east-1b"
46 | "kubernetes.io/role/elb" = "1"
47 | "kubernetes.io/cluster/${var.cluster_name}" = "owned"
48 | }
49 | }
Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
FAILED for resource: aws_eks_cluster.cluster
File: /lessons/116/terraform/6-eks.tf:25-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
25 | resource "aws_eks_cluster" "cluster" {
26 | name = var.cluster_name
27 | version = var.cluster_version
28 | role_arn = aws_iam_role.eks-cluster.arn
29 |
30 | vpc_config {
31 | subnet_ids = [
32 | aws_subnet.private-us-east-1a.id,
33 | aws_subnet.private-us-east-1b.id,
34 | aws_subnet.public-us-east-1a.id,
35 | aws_subnet.public-us-east-1b.id
36 | ]
37 | }
38 |
39 | depends_on = [aws_iam_role_policy_attachment.amazon-eks-cluster-policy]
40 | }
Check: CKV_AWS_37: "Ensure Amazon EKS control plane logging enabled for all log types"
FAILED for resource: aws_eks_cluster.cluster
File: /lessons/116/terraform/6-eks.tf:25-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-4.html
25 | resource "aws_eks_cluster" "cluster" {
26 | name = var.cluster_name
27 | version = var.cluster_version
28 | role_arn = aws_iam_role.eks-cluster.arn
29 |
30 | vpc_config {
31 | subnet_ids = [
32 | aws_subnet.private-us-east-1a.id,
33 | aws_subnet.private-us-east-1b.id,
34 | aws_subnet.public-us-east-1a.id,
35 | aws_subnet.public-us-east-1b.id
36 | ]
37 | }
38 |
39 | depends_on = [aws_iam_role_policy_attachment.amazon-eks-cluster-policy]
40 | }
Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
FAILED for resource: aws_eks_cluster.cluster
File: /lessons/116/terraform/6-eks.tf:25-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
25 | resource "aws_eks_cluster" "cluster" {
26 | name = var.cluster_name
27 | version = var.cluster_version
28 | role_arn = aws_iam_role.eks-cluster.arn
29 |
30 | vpc_config {
31 | subnet_ids = [
32 | aws_subnet.private-us-east-1a.id,
33 | aws_subnet.private-us-east-1b.id,
34 | aws_subnet.public-us-east-1a.id,
35 | aws_subnet.public-us-east-1b.id
36 | ]
37 | }
38 |
39 | depends_on = [aws_iam_role_policy_attachment.amazon-eks-cluster-policy]
40 | }
Check: CKV_AWS_339: "Ensure EKS clusters run on a supported Kubernetes version"
FAILED for resource: aws_eks_cluster.cluster
File: /lessons/116/terraform/6-eks.tf:25-40
25 | resource "aws_eks_cluster" "cluster" {
26 | name = var.cluster_name
27 | version = var.cluster_version
28 | role_arn = aws_iam_role.eks-cluster.arn
29 |
30 | vpc_config {
31 | subnet_ids = [
32 | aws_subnet.private-us-east-1a.id,
33 | aws_subnet.private-us-east-1b.id,
34 | aws_subnet.public-us-east-1a.id,
35 | aws_subnet.public-us-east-1b.id
36 | ]
37 | }
38 |
39 | depends_on = [aws_iam_role_policy_attachment.amazon-eks-cluster-policy]
40 | }
Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
FAILED for resource: aws_eks_cluster.cluster
File: /lessons/116/terraform/6-eks.tf:25-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
25 | resource "aws_eks_cluster" "cluster" {
26 | name = var.cluster_name
27 | version = var.cluster_version
28 | role_arn = aws_iam_role.eks-cluster.arn
29 |
30 | vpc_config {
31 | subnet_ids = [
32 | aws_subnet.private-us-east-1a.id,
33 | aws_subnet.private-us-east-1b.id,
34 | aws_subnet.public-us-east-1a.id,
35 | aws_subnet.public-us-east-1b.id
36 | ]
37 | }
38 |
39 | depends_on = [aws_iam_role_policy_attachment.amazon-eks-cluster-policy]
40 | }
Check: CKV_AWS_76: "Ensure API Gateway has Access Logging enabled"
FAILED for resource: aws_apigatewayv2_stage.dev
File: /lessons/116/terraform/8-api-gateway.tf:6-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-17.html
6 | resource "aws_apigatewayv2_stage" "dev" {
7 | api_id = aws_apigatewayv2_api.main.id
8 |
9 | name = "dev"
10 | auto_deploy = true
11 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.vpc_link
File: /lessons/116/terraform/9-integration.tf:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
1 | resource "aws_security_group" "vpc_link" {
2 | name = "vpc-link"
3 | vpc_id = aws_vpc.main.id
4 |
5 | egress {
6 | from_port = 0
7 | to_port = 0
8 | protocol = "-1"
9 | cidr_blocks = ["0.0.0.0/0"]
10 | }
11 | }
Check: CKV_AWS_309: "Ensure API GatewayV2 routes specify an authorization type"
FAILED for resource: aws_apigatewayv2_route.get_echo
File: /lessons/116/terraform/9-integration.tf:32-37
32 | resource "aws_apigatewayv2_route" "get_echo" {
33 | api_id = aws_apigatewayv2_api.main.id
34 |
35 | route_key = "GET /echo"
36 | target = "integrations/${aws_apigatewayv2_integration.eks.id}"
37 | }
Check: CKV_AWS_76: "Ensure API Gateway has Access Logging enabled"
FAILED for resource: aws_apigatewayv2_stage.staging
File: /lessons/117/terraform/1-api-gateway.tf:6-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-17.html
6 | resource "aws_apigatewayv2_stage" "staging" {
7 | name = "staging"
8 | api_id = aws_apigatewayv2_api.main.id
9 | auto_deploy = true
10 | }
Check: CKV_AWS_50: "X-ray tracing is enabled for Lambda"
FAILED for resource: aws_lambda_function.hello
File: /lessons/117/terraform/3-hello-lambda.tf:25-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4.html
25 | resource "aws_lambda_function" "hello" {
26 | function_name = "hello"
27 |
28 | s3_bucket = aws_s3_bucket.lambda_bucket.id
29 | s3_key = aws_s3_object.lambda_hello.key
30 |
31 | runtime = "nodejs16.x"
32 | handler = "function.handler"
33 |
34 | source_code_hash = data.archive_file.lambda_hello.output_base64sha256
35 |
36 | role = aws_iam_role.hello_lambda_exec.arn
37 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: aws_lambda_function.hello
File: /lessons/117/terraform/3-hello-lambda.tf:25-37
25 | resource "aws_lambda_function" "hello" {
26 | function_name = "hello"
27 |
28 | s3_bucket = aws_s3_bucket.lambda_bucket.id
29 | s3_key = aws_s3_object.lambda_hello.key
30 |
31 | runtime = "nodejs16.x"
32 | handler = "function.handler"
33 |
34 | source_code_hash = data.archive_file.lambda_hello.output_base64sha256
35 |
36 | role = aws_iam_role.hello_lambda_exec.arn
37 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: aws_lambda_function.hello
File: /lessons/117/terraform/3-hello-lambda.tf:25-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit.html
25 | resource "aws_lambda_function" "hello" {
26 | function_name = "hello"
27 |
28 | s3_bucket = aws_s3_bucket.lambda_bucket.id
29 | s3_key = aws_s3_object.lambda_hello.key
30 |
31 | runtime = "nodejs16.x"
32 | handler = "function.handler"
33 |
34 | source_code_hash = data.archive_file.lambda_hello.output_base64sha256
35 |
36 | role = aws_iam_role.hello_lambda_exec.arn
37 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: aws_lambda_function.hello
File: /lessons/117/terraform/3-hello-lambda.tf:25-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq.html
25 | resource "aws_lambda_function" "hello" {
26 | function_name = "hello"
27 |
28 | s3_bucket = aws_s3_bucket.lambda_bucket.id
29 | s3_key = aws_s3_object.lambda_hello.key
30 |
31 | runtime = "nodejs16.x"
32 | handler = "function.handler"
33 |
34 | source_code_hash = data.archive_file.lambda_hello.output_base64sha256
35 |
36 | role = aws_iam_role.hello_lambda_exec.arn
37 | }
Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
FAILED for resource: aws_lambda_function.hello
File: /lessons/117/terraform/3-hello-lambda.tf:25-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1.html
25 | resource "aws_lambda_function" "hello" {
26 | function_name = "hello"
27 |
28 | s3_bucket = aws_s3_bucket.lambda_bucket.id
29 | s3_key = aws_s3_object.lambda_hello.key
30 |
31 | runtime = "nodejs16.x"
32 | handler = "function.handler"
33 |
34 | source_code_hash = data.archive_file.lambda_hello.output_base64sha256
35 |
36 | role = aws_iam_role.hello_lambda_exec.arn
37 | }
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: aws_cloudwatch_log_group.hello
File: /lessons/117/terraform/3-hello-lambda.tf:39-43
39 | resource "aws_cloudwatch_log_group" "hello" {
40 | name = "/aws/lambda/${aws_lambda_function.hello.function_name}"
41 |
42 | retention_in_days = 14
43 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
FAILED for resource: aws_cloudwatch_log_group.hello
File: /lessons/117/terraform/3-hello-lambda.tf:39-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html
39 | resource "aws_cloudwatch_log_group" "hello" {
40 | name = "/aws/lambda/${aws_lambda_function.hello.function_name}"
41 |
42 | retention_in_days = 14
43 | }
Check: CKV_AWS_309: "Ensure API GatewayV2 routes specify an authorization type"
FAILED for resource: aws_apigatewayv2_route.get_hello
File: /lessons/117/terraform/4-hello-api-gateway.tf:9-14
9 | resource "aws_apigatewayv2_route" "get_hello" {
10 | api_id = aws_apigatewayv2_api.main.id
11 |
12 | route_key = "GET /hello"
13 | target = "integrations/${aws_apigatewayv2_integration.lambda_hello.id}"
14 | }
Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
FAILED for resource: aws_acm_certificate.api
File: /lessons/117/terraform/5-certificate.tf:1-4
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy.html
1 | resource "aws_acm_certificate" "api" {
2 | domain_name = "api.antonputra.com"
3 | validation_method = "DNS"
4 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.my-app-example-2
File: /lessons/118/terraform/10-ec2-example-2.tf:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
1 | resource "aws_instance" "my-app-example-2" {
2 | ami = "ami-0d5482f3cb962780f"
3 | instance_type = "t3.micro"
4 | key_name = "devops"
5 | subnet_id = aws_subnet.private-us-east-1a.id
6 |
7 | vpc_security_group_ids = [aws_security_group.my-app-example-2.id]
8 |
9 | tags = {
10 | Name = "my-app-example-2"
11 | }
12 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.my-app-example-2
File: /lessons/118/terraform/10-ec2-example-2.tf:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
1 | resource "aws_instance" "my-app-example-2" {
2 | ami = "ami-0d5482f3cb962780f"
3 | instance_type = "t3.micro"
4 | key_name = "devops"
5 | subnet_id = aws_subnet.private-us-east-1a.id
6 |
7 | vpc_security_group_ids = [aws_security_group.my-app-example-2.id]
8 |
9 | tags = {
10 | Name = "my-app-example-2"
11 | }
12 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.my-app-example-2
File: /lessons/118/terraform/10-ec2-example-2.tf:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
1 | resource "aws_instance" "my-app-example-2" {
2 | ami = "ami-0d5482f3cb962780f"
3 | instance_type = "t3.micro"
4 | key_name = "devops"
5 | subnet_id = aws_subnet.private-us-east-1a.id
6 |
7 | vpc_security_group_ids = [aws_security_group.my-app-example-2.id]
8 |
9 | tags = {
10 | Name = "my-app-example-2"
11 | }
12 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.my-app-example-2
File: /lessons/118/terraform/10-ec2-example-2.tf:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
1 | resource "aws_instance" "my-app-example-2" {
2 | ami = "ami-0d5482f3cb962780f"
3 | instance_type = "t3.micro"
4 | key_name = "devops"
5 | subnet_id = aws_subnet.private-us-east-1a.id
6 |
7 | vpc_security_group_ids = [aws_security_group.my-app-example-2.id]
8 |
9 | tags = {
10 | Name = "my-app-example-2"
11 | }
12 | }
Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
FAILED for resource: aws_lb.my-app-example-2
File: /lessons/118/terraform/11-nlb-example-2.tf:20-29
Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62
20 | resource "aws_lb" "my-app-example-2" {
21 | name = "my-app-example-2"
22 | internal = true
23 | load_balancer_type = "network"
24 |
25 | subnets = [
26 | aws_subnet.private-us-east-1a.id,
27 | aws_subnet.private-us-east-1b.id
28 | ]
29 | }
Check: CKV_AWS_152: "Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled"
FAILED for resource: aws_lb.my-app-example-2
File: /lessons/118/terraform/11-nlb-example-2.tf:20-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-load-balancer-networkgateway-has-cross-zone-load-balancing-enabled.html
20 | resource "aws_lb" "my-app-example-2" {
21 | name = "my-app-example-2"
22 | internal = true
23 | load_balancer_type = "network"
24 |
25 | subnets = [
26 | aws_subnet.private-us-east-1a.id,
27 | aws_subnet.private-us-east-1b.id
28 | ]
29 | }
Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
FAILED for resource: aws_lb.my-app-example-2
File: /lessons/118/terraform/11-nlb-example-2.tf:20-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22.html
20 | resource "aws_lb" "my-app-example-2" {
21 | name = "my-app-example-2"
22 | internal = true
23 | load_balancer_type = "network"
24 |
25 | subnets = [
26 | aws_subnet.private-us-east-1a.id,
27 | aws_subnet.private-us-east-1b.id
28 | ]
29 | }
Check: CKV_AWS_76: "Ensure API Gateway has Access Logging enabled"
FAILED for resource: aws_apigatewayv2_stage.staging
File: /lessons/118/terraform/12-api-gw-example-2.tf:6-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-17.html
6 | resource "aws_apigatewayv2_stage" "staging" {
7 | api_id = aws_apigatewayv2_api.api-gw-example-2.id
8 |
9 | name = "staging"
10 | auto_deploy = true
11 | }
Check: CKV_AWS_309: "Ensure API GatewayV2 routes specify an authorization type"
FAILED for resource: aws_apigatewayv2_route.api-gw-example-2
File: /lessons/118/terraform/12-api-gw-example-2.tf:32-37
32 | resource "aws_apigatewayv2_route" "api-gw-example-2" {
33 | api_id = aws_apigatewayv2_api.api-gw-example-2.id
34 |
35 | route_key = "ANY /{proxy+}"
36 | target = "integrations/${aws_apigatewayv2_integration.api-gw-example-2.id}"
37 | }
Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
FAILED for resource: aws_acm_certificate.api
File: /lessons/118/terraform/13-certificate-example-2.tf:1-4
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy.html
1 | resource "aws_acm_certificate" "api" {
2 | domain_name = "api.antonputra.com"
3 | validation_method = "DNS"
4 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.my-app-example-3
File: /lessons/118/terraform/15-sg-example-3.tf:1-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
1 | resource "aws_security_group" "my-app-example-3" {
2 | name = "my-app-example-3"
3 | description = "Allow API Access"
4 | vpc_id = aws_vpc.main.id
5 |
6 | ingress {
7 | description = "Allow Health Checks"
8 | from_port = 8080
9 | to_port = 8080
10 | protocol = "tcp"
11 | cidr_blocks = [aws_vpc.main.cidr_block]
12 | }
13 |
14 | egress {
15 | from_port = 0
16 | to_port = 0
17 | protocol = "-1"
18 | cidr_blocks = ["0.0.0.0/0"]
19 | }
20 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_launch_template.my-app-example-3
File: /lessons/118/terraform/16-launch-template-example-3.tf:1-6
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
1 | resource "aws_launch_template" "my-app-example-3" {
2 | name = "my-app-example-3"
3 | image_id = "ami-0d5482f3cb962780f"
4 | key_name = "devops"
5 | vpc_security_group_ids = [aws_security_group.my-app-example-3.id]
6 | }
Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
FAILED for resource: aws_lb.my-app-example-3
File: /lessons/118/terraform/17-nlb-example-3.tf:13-22
Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62
13 | resource "aws_lb" "my-app-example-3" {
14 | name = "my-app-example-3"
15 | internal = true
16 | load_balancer_type = "network"
17 |
18 | subnets = [
19 | aws_subnet.private-us-east-1a.id,
20 | aws_subnet.private-us-east-1b.id
21 | ]
22 | }
Check: CKV_AWS_152: "Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled"
FAILED for resource: aws_lb.my-app-example-3
File: /lessons/118/terraform/17-nlb-example-3.tf:13-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-load-balancer-networkgateway-has-cross-zone-load-balancing-enabled.html
13 | resource "aws_lb" "my-app-example-3" {
14 | name = "my-app-example-3"
15 | internal = true
16 | load_balancer_type = "network"
17 |
18 | subnets = [
19 | aws_subnet.private-us-east-1a.id,
20 | aws_subnet.private-us-east-1b.id
21 | ]
22 | }
Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
FAILED for resource: aws_lb.my-app-example-3
File: /lessons/118/terraform/17-nlb-example-3.tf:13-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22.html
13 | resource "aws_lb" "my-app-example-3" {
14 | name = "my-app-example-3"
15 | internal = true
16 | load_balancer_type = "network"
17 |
18 | subnets = [
19 | aws_subnet.private-us-east-1a.id,
20 | aws_subnet.private-us-east-1b.id
21 | ]
22 | }
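The three NLB findings above (CKV_AWS_150, CKV_AWS_152 and CKV_AWS_91, raised against both aws_lb.my-app-example-2 and aws_lb.my-app-example-3) are fixed by three attributes on the load balancer plus an S3 bucket that the log-delivery service is allowed to write to. The following is an added remediation example, not code from the tutorials repository: the bucket name, the aws_caller_identity data source and the bucket policy are assumptions; the subnet and load-balancer names come from the finding.

```hcl
# Added example: remediated NLB from lessons/118/terraform/17-nlb-example-3.tf
resource "aws_lb" "my-app-example-3" {
  name               = "my-app-example-3"
  internal           = true
  load_balancer_type = "network"

  subnets = [
    aws_subnet.private-us-east-1a.id,
    aws_subnet.private-us-east-1b.id
  ]

  # CKV_AWS_150: a stray `terraform destroy` or console click cannot remove the
  # load balancer (and every DNS name pointing at it) until this is turned off.
  enable_deletion_protection = true

  # CKV_AWS_152: NLBs do not balance across AZs by default; without this a
  # zone with fewer healthy targets takes the same share of connections.
  enable_cross_zone_load_balancing = true

  # CKV_AWS_91: access logs. Caveat: an NLB only writes log entries for TLS
  # listeners, so a TCP-only listener produces an empty prefix.
  access_logs {
    bucket  = aws_s3_bucket.lb_logs.id
    prefix  = "my-app-example-3"
    enabled = true
  }
}

data "aws_caller_identity" "current" {}

# Assumed bucket; the account id suffix keeps the global name unique.
resource "aws_s3_bucket" "lb_logs" {
  bucket = "my-app-example-3-lb-logs-${data.aws_caller_identity.current.account_id}"
}

# NLB log delivery uses the delivery.logs.amazonaws.com service principal.
# Without this policy the access_logs block is accepted but nothing is written.
resource "aws_s3_bucket_policy" "lb_logs" {
  bucket = aws_s3_bucket.lb_logs.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "AWSLogDeliveryWrite"
        Effect    = "Allow"
        Principal = { Service = "delivery.logs.amazonaws.com" }
        Action    = "s3:PutObject"
        Resource  = "${aws_s3_bucket.lb_logs.arn}/my-app-example-3/AWSLogs/${data.aws_caller_identity.current.account_id}/*"
        Condition = {
          StringEquals = {
            "s3:x-amz-acl"      = "bucket-owner-full-control"
            "aws:SourceAccount" = data.aws_caller_identity.current.account_id
          }
        }
      },
      {
        Sid       = "AWSLogDeliveryAclCheck"
        Effect    = "Allow"
        Principal = { Service = "delivery.logs.amazonaws.com" }
        Action    = "s3:GetBucketAcl"
        Resource  = aws_s3_bucket.lb_logs.arn
        Condition = {
          StringEquals = { "aws:SourceAccount" = data.aws_caller_identity.current.account_id }
        }
      }
    ]
  })
}
```

The aws:SourceAccount condition stops a log-delivery principal acting on behalf of another account from writing into the bucket; keep the bucket itself private and versioned, since it is now evidence.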
Check: CKV_AWS_153: "Autoscaling groups should supply tags to launch configurations"
FAILED for resource: aws_autoscaling_group.my-app-example-3
File: /lessons/118/terraform/18-ag-example-3.tf:1-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/autoscaling-groups-should-supply-tags-to-launch-configurations.html
1 | resource "aws_autoscaling_group" "my-app-example-3" {
2 | name = "my-app-example-3"
3 | min_size = 1
4 | max_size = 3
5 |
6 | health_check_type = "EC2"
7 | vpc_zone_identifier = [aws_subnet.private-us-east-1a.id, aws_subnet.private-us-east-1b.id]
8 | target_group_arns = [aws_lb_target_group.my-app-example-3.arn]
9 |
10 | mixed_instances_policy {
11 | launch_template {
12 | launch_template_specification {
13 | launch_template_id = aws_launch_template.my-app-example-3.id
14 | }
15 | override {
16 | instance_type = "t3.micro"
17 | }
18 | }
19 | }
20 | }
Check: CKV_AWS_315: "Ensure EC2 Auto Scaling groups use EC2 launch templates"
FAILED for resource: aws_autoscaling_group.my-app-example-3
File: /lessons/118/terraform/18-ag-example-3.tf:1-20
1 | resource "aws_autoscaling_group" "my-app-example-3" {
2 | name = "my-app-example-3"
3 | min_size = 1
4 | max_size = 3
5 |
6 | health_check_type = "EC2"
7 | vpc_zone_identifier = [aws_subnet.private-us-east-1a.id, aws_subnet.private-us-east-1b.id]
8 | target_group_arns = [aws_lb_target_group.my-app-example-3.arn]
9 |
10 | mixed_instances_policy {
11 | launch_template {
12 | launch_template_specification {
13 | launch_template_id = aws_launch_template.my-app-example-3.id
14 | }
15 | override {
16 | instance_type = "t3.micro"
17 | }
18 | }
19 | }
20 | }
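CKV_AWS_79 against aws_launch_template.my-app-example-3 and CKV_AWS_153 / CKV_AWS_315 against the Auto Scaling group that consumes it are best fixed together, because the launch template is where every instance the ASG creates inherits its metadata and tag settings. Note that the flagged ASG already points at a launch template through mixed_instances_policy; the failing CKV_AWS_315 evidently looks for the top-level launch_template block shown below. The following is an added example, not the repository's code; resource names are taken from the findings and the inline skip comment is shown only as the documented alternative.

```hcl
# Added example: remediated lessons/118/terraform/16-launch-template-example-3.tf
resource "aws_launch_template" "my-app-example-3" {
  name                   = "my-app-example-3"
  image_id               = "ami-0d5482f3cb962780f"
  key_name               = "devops"
  vpc_security_group_ids = [aws_security_group.my-app-example-3.id]

  # CKV_AWS_79: IMDSv2 only for every instance the ASG launches. Requiring the
  # session token blocks the plain GET to 169.254.169.254 that SSRF payloads
  # use to read instance-role credentials.
  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required"
    http_put_response_hop_limit = 1
  }

  # Tags stamped on the instances and their EBS volumes at launch.
  tag_specifications {
    resource_type = "instance"
    tags          = { Name = "my-app-example-3" }
  }
  tag_specifications {
    resource_type = "volume"
    tags          = { Name = "my-app-example-3" }
  }
}

# Added example: remediated lessons/118/terraform/18-ag-example-3.tf
resource "aws_autoscaling_group" "my-app-example-3" {
  name                = "my-app-example-3"
  min_size            = 1
  max_size            = 3
  health_check_type   = "EC2"
  vpc_zone_identifier = [aws_subnet.private-us-east-1a.id, aws_subnet.private-us-east-1b.id]
  target_group_arns   = [aws_lb_target_group.my-app-example-3.arn]

  # CKV_AWS_315: reference the launch template at the top level. If you need the
  # instance_type overrides of mixed_instances_policy instead, keep that block
  # and record the suppression inside the resource with
  #   #checkov:skip=CKV_AWS_315:launch template is set via mixed_instances_policy
  launch_template {
    id      = aws_launch_template.my-app-example-3.id
    version = "$Latest"
  }

  # CKV_AWS_153: tags on the ASG itself, propagated to launched instances so
  # cost allocation and incident triage can attribute every host.
  tag {
    key                 = "Name"
    value               = "my-app-example-3"
    propagate_at_launch = true
  }
}
```

Pinning version to a specific launch template version rather than "$Latest" is the safer choice in production, since it makes a template change an explicit, reviewable ASG change.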
Check: CKV_AWS_76: "Ensure API Gateway has Access Logging enabled"
FAILED for resource: aws_apigatewayv2_stage.dev
File: /lessons/118/terraform/19-api-gw-example-3.tf:6-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-17.html
6 | resource "aws_apigatewayv2_stage" "dev" {
7 | api_id = aws_apigatewayv2_api.api-gw-example-3.id
8 |
9 | name = "dev"
10 | auto_deploy = true
11 | }
Check: CKV_AWS_309: "Ensure API GatewayV2 routes specify an authorization type"
FAILED for resource: aws_apigatewayv2_route.api-gw-example-3
File: /lessons/118/terraform/19-api-gw-example-3.tf:32-37
32 | resource "aws_apigatewayv2_route" "api-gw-example-3" {
33 | api_id = aws_apigatewayv2_api.api-gw-example-3.id
34 |
35 | route_key = "ANY /{proxy+}"
36 | target = "integrations/${aws_apigatewayv2_integration.api-gw-example-3.id}"
37 | }
Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
FAILED for resource: aws_acm_certificate.api-v2
File: /lessons/118/terraform/20-certificate-example-3.tf:1-4
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy.html
1 | resource "aws_acm_certificate" "api-v2" {
2 | domain_name = "api-v2.antonputra.com"
3 | validation_method = "DNS"
4 | }
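CKV_AWS_233 fires three times on this page (aws_acm_certificate.api in lessons 117 and 118 and aws_acm_certificate.api-v2 above). The problem it guards against is a replacement: when domain_name or the SAN list changes, Terraform destroys the old certificate before the new one exists, and the listener or API Gateway domain that references it is left pointing at nothing. The following is an added example, not the repository's code. It adds the lifecycle rule and the DNS validation records the check does not ask for but a replacement needs; the Route 53 hosted zone aws_route53_zone.main is an assumption.

```hcl
# Added example: remediated lessons/118/terraform/20-certificate-example-3.tf
resource "aws_acm_certificate" "api-v2" {
  domain_name       = "api-v2.antonputra.com"
  validation_method = "DNS"

  # CKV_AWS_233: issue the replacement first, then retire the old certificate.
  lifecycle {
    create_before_destroy = true
  }
}

# A new certificate is only usable once its DNS validation record exists.
# Creating the record from domain_validation_options keeps the replacement
# automatic; allow_overwrite lets the new CNAME replace the old one in place.
resource "aws_route53_record" "api-v2_validation" {
  for_each = {
    for dvo in aws_acm_certificate.api-v2.domain_validation_options : dvo.domain_name => {
      name   = dvo.resource_record_name
      record = dvo.resource_record_value
      type   = dvo.resource_record_type
    }
  }

  allow_overwrite = true
  name            = each.value.name
  records         = [each.value.record]
  ttl             = 60
  type            = each.value.type
  zone_id         = aws_route53_zone.main.zone_id # assumed hosted zone
}

# Waits until ACM reports ISSUED. Consumers (listeners, API Gateway domain
# names) should reference this resource's certificate_arn, not the raw
# aws_acm_certificate arn, so they never attach a pending certificate.
resource "aws_acm_certificate_validation" "api-v2" {
  certificate_arn         = aws_acm_certificate.api-v2.arn
  validation_record_fqdns = [for r in aws_route53_record.api-v2_validation : r.fqdn]
}
```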
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.public-us-east-1a
File: /lessons/118/terraform/3-subnets.tf:21-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
21 | resource "aws_subnet" "public-us-east-1a" {
22 | vpc_id = aws_vpc.main.id
23 | cidr_block = "10.0.64.0/19"
24 | availability_zone = "us-east-1a"
25 | map_public_ip_on_launch = true
26 |
27 | tags = {
28 | "Name" = "public-us-east-1a"
29 | }
30 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.public-us-east-1b
File: /lessons/118/terraform/3-subnets.tf:32-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
32 | resource "aws_subnet" "public-us-east-1b" {
33 | vpc_id = aws_vpc.main.id
34 | cidr_block = "10.0.96.0/19"
35 | availability_zone = "us-east-1b"
36 | map_public_ip_on_launch = true
37 |
38 | tags = {
39 | "Name" = "public-us-east-1b"
40 | }
41 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.my-app-example-1
File: /lessons/118/terraform/6-sg-example-1.tf:1-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
1 | resource "aws_security_group" "my-app-example-1" {
2 | name = "my-app-example-1"
3 | description = "Allow API Access"
4 | vpc_id = aws_vpc.main.id
5 |
6 | ingress {
7 | from_port = 22
8 | to_port = 22
9 | protocol = "tcp"
10 | cidr_blocks = ["0.0.0.0/0"]
11 | }
12 |
13 | ingress {
14 | from_port = 8080
15 | to_port = 8080
16 | protocol = "tcp"
17 | cidr_blocks = ["0.0.0.0/0"]
18 | }
19 |
20 | egress {
21 | from_port = 0
22 | to_port = 0
23 | protocol = "-1"
24 | cidr_blocks = ["0.0.0.0/0"]
25 | }
26 | }
Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
FAILED for resource: aws_security_group.my-app-example-1
File: /lessons/118/terraform/6-sg-example-1.tf:1-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-1-port-security.html
1 | resource "aws_security_group" "my-app-example-1" {
2 | name = "my-app-example-1"
3 | description = "Allow API Access"
4 | vpc_id = aws_vpc.main.id
5 |
6 | ingress {
7 | from_port = 22
8 | to_port = 22
9 | protocol = "tcp"
10 | cidr_blocks = ["0.0.0.0/0"]
11 | }
12 |
13 | ingress {
14 | from_port = 8080
15 | to_port = 8080
16 | protocol = "tcp"
17 | cidr_blocks = ["0.0.0.0/0"]
18 | }
19 |
20 | egress {
21 | from_port = 0
22 | to_port = 0
23 | protocol = "-1"
24 | cidr_blocks = ["0.0.0.0/0"]
25 | }
26 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.my-app-example-1
File: /lessons/118/terraform/7-ec2-example-1.tf:1-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
1 | resource "aws_instance" "my-app-example-1" {
2 | ami = "ami-0d5482f3cb962780f"
3 | instance_type = "t3.micro"
4 | key_name = "devops"
5 | subnet_id = aws_subnet.public-us-east-1a.id
6 |
7 | associate_public_ip_address = true
8 | vpc_security_group_ids = [aws_security_group.my-app-example-1.id]
9 |
10 | tags = {
11 | Name = "my-app-example-1"
12 | }
13 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.my-app-example-1
File: /lessons/118/terraform/7-ec2-example-1.tf:1-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
1 | resource "aws_instance" "my-app-example-1" {
2 | ami = "ami-0d5482f3cb962780f"
3 | instance_type = "t3.micro"
4 | key_name = "devops"
5 | subnet_id = aws_subnet.public-us-east-1a.id
6 |
7 | associate_public_ip_address = true
8 | vpc_security_group_ids = [aws_security_group.my-app-example-1.id]
9 |
10 | tags = {
11 | Name = "my-app-example-1"
12 | }
13 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.my-app-example-1
File: /lessons/118/terraform/7-ec2-example-1.tf:1-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
1 | resource "aws_instance" "my-app-example-1" {
2 | ami = "ami-0d5482f3cb962780f"
3 | instance_type = "t3.micro"
4 | key_name = "devops"
5 | subnet_id = aws_subnet.public-us-east-1a.id
6 |
7 | associate_public_ip_address = true
8 | vpc_security_group_ids = [aws_security_group.my-app-example-1.id]
9 |
10 | tags = {
11 | Name = "my-app-example-1"
12 | }
13 | }
Check: CKV_AWS_88: "EC2 instance should not have public IP."
FAILED for resource: aws_instance.my-app-example-1
File: /lessons/118/terraform/7-ec2-example-1.tf:1-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/public-policies/public-12.html
1 | resource "aws_instance" "my-app-example-1" {
2 | ami = "ami-0d5482f3cb962780f"
3 | instance_type = "t3.micro"
4 | key_name = "devops"
5 | subnet_id = aws_subnet.public-us-east-1a.id
6 |
7 | associate_public_ip_address = true
8 | vpc_security_group_ids = [aws_security_group.my-app-example-1.id]
9 |
10 | tags = {
11 | Name = "my-app-example-1"
12 | }
13 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.my-app-example-1
File: /lessons/118/terraform/7-ec2-example-1.tf:1-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
1 | resource "aws_instance" "my-app-example-1" {
2 | ami = "ami-0d5482f3cb962780f"
3 | instance_type = "t3.micro"
4 | key_name = "devops"
5 | subnet_id = aws_subnet.public-us-east-1a.id
6 |
7 | associate_public_ip_address = true
8 | vpc_security_group_ids = [aws_security_group.my-app-example-1.id]
9 |
10 | tags = {
11 | Name = "my-app-example-1"
12 | }
13 | }
Check: CKV_AWS_76: "Ensure API Gateway has Access Logging enabled"
FAILED for resource: aws_apigatewayv2_stage.prod
File: /lessons/118/terraform/8-api-gw-example-1.tf:6-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-17.html
6 | resource "aws_apigatewayv2_stage" "prod" {
7 | api_id = aws_apigatewayv2_api.api-gw-example-1.id
8 |
9 | name = "prod"
10 | auto_deploy = true
11 | }
Check: CKV_AWS_309: "Ensure API GatewayV2 routes specify an authorization type"
FAILED for resource: aws_apigatewayv2_route.api-gw-example-1
File: /lessons/118/terraform/8-api-gw-example-1.tf:22-27
22 | resource "aws_apigatewayv2_route" "api-gw-example-1" {
23 | api_id = aws_apigatewayv2_api.api-gw-example-1.id
24 |
25 | route_key = "ANY /{proxy+}"
26 | target = "integrations/${aws_apigatewayv2_integration.api-gw-example-1.id}"
27 | }
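The API Gateway findings repeat for every stage and route on this page: CKV_AWS_76 (stages prod, staging and dev have no access_log_settings) and CKV_AWS_309 (the `ANY /{proxy+}` routes carry no authorization_type, so every method on every path is anonymous). The following is an added example against the lesson 118 example-1 names, not code from the repository; the CloudWatch log group, the JWT issuer and audience variables, and the choice of a JWT authorizer are assumptions.

```hcl
# Added example: remediated lessons/118/terraform/8-api-gw-example-1.tf

# Assumed log group for the access logs; 90 days is a common minimum for
# incident reconstruction.
resource "aws_cloudwatch_log_group" "api_gw_example_1" {
  name              = "/aws/apigateway/api-gw-example-1"
  retention_in_days = 90
}

resource "aws_apigatewayv2_stage" "prod" {
  api_id      = aws_apigatewayv2_api.api-gw-example-1.id
  name        = "prod"
  auto_deploy = true

  # CKV_AWS_76: structured access logs. The authorizer and integration error
  # fields are what you want when triaging a spike in 401s or 5xxs.
  access_log_settings {
    destination_arn = aws_cloudwatch_log_group.api_gw_example_1.arn
    format = jsonencode({
      requestId        = "$context.requestId"
      sourceIp         = "$context.identity.sourceIp"
      requestTime      = "$context.requestTime"
      httpMethod       = "$context.httpMethod"
      routeKey         = "$context.routeKey"
      status           = "$context.status"
      responseLength   = "$context.responseLength"
      authorizerError  = "$context.authorizer.error"
      integrationError = "$context.integrationErrorMessage"
    })
  }
}

# Assumed identity provider; for Cognito the issuer is
# https://cognito-idp.<region>.amazonaws.com/<user-pool-id>
variable "jwt_issuer"   { type = string }
variable "jwt_audience" { type = list(string) }

resource "aws_apigatewayv2_authorizer" "jwt" {
  api_id           = aws_apigatewayv2_api.api-gw-example-1.id
  name             = "jwt"
  authorizer_type  = "JWT"
  identity_sources = ["$request.header.Authorization"]

  jwt_configuration {
    issuer   = var.jwt_issuer
    audience = var.jwt_audience
  }
}

resource "aws_apigatewayv2_route" "api-gw-example-1" {
  api_id    = aws_apigatewayv2_api.api-gw-example-1.id
  route_key = "ANY /{proxy+}"
  target    = "integrations/${aws_apigatewayv2_integration.api-gw-example-1.id}"

  # CKV_AWS_309: the gateway validates the bearer token (signature, issuer,
  # audience, expiry) before the request reaches the NLB behind it.
  authorization_type = "JWT"
  authorizer_id      = aws_apigatewayv2_authorizer.jwt.id
}
```

For service-to-service traffic signed with SigV4, `authorization_type = "AWS_IAM"` with no authorizer_id is the alternative. Either way, a catch-all `ANY /{proxy+}` route means the authorizer is the only access control the API has, so keep a separate, explicitly public route for anything that genuinely must be anonymous rather than loosening the catch-all.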
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.my-app-example-2
File: /lessons/118/terraform/9-sg-example-2.tf:1-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
1 | resource "aws_security_group" "my-app-example-2" {
2 | name = "my-app-example-2"
3 | description = "Allow API Access"
4 | vpc_id = aws_vpc.main.id
5 |
6 | ingress {
7 | description = "Allow Health Checks"
8 | from_port = 8080
9 | to_port = 8080
10 | protocol = "tcp"
11 | cidr_blocks = [aws_vpc.main.cidr_block]
12 | }
13 |
14 | egress {
15 | from_port = 0
16 | to_port = 0
17 | protocol = "-1"
18 | cidr_blocks = ["0.0.0.0/0"]
19 | }
20 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.public-us-east-1a
File: /lessons/119/terraform/3-subnets.tf:21-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
21 | resource "aws_subnet" "public-us-east-1a" {
22 | vpc_id = aws_vpc.main.id
23 | cidr_block = "10.0.64.0/19"
24 | availability_zone = "us-east-1a"
25 | map_public_ip_on_launch = true
26 |
27 | tags = {
28 | "Name" = "public-us-east-1a"
29 | }
30 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.public-us-east-1b
File: /lessons/119/terraform/3-subnets.tf:32-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
32 | resource "aws_subnet" "public-us-east-1b" {
33 | vpc_id = aws_vpc.main.id
34 | cidr_block = "10.0.96.0/19"
35 | availability_zone = "us-east-1b"
36 | map_public_ip_on_launch = true
37 |
38 | tags = {
39 | "Name" = "public-us-east-1b"
40 | }
41 | }
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: google_compute_subnetwork.private
File: /lessons/120/terraform/3-subnets.tf:2-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
2 | resource "google_compute_subnetwork" "private" {
3 | name = "private"
4 | region = local.region
5 | ip_cidr_range = "10.0.0.0/18"
6 | stack_type = "IPV4_ONLY"
7 | network = google_compute_network.main.id
8 | private_ip_google_access = true
9 | }
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: google_compute_subnetwork.public
File: /lessons/120/terraform/3-subnets.tf:11-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
11 | resource "google_compute_subnetwork" "public" {
12 | name = "public"
13 | region = local.region
14 | ip_cidr_range = "10.0.64.0/18"
15 | stack_type = "IPV4_ONLY"
16 | network = google_compute_network.main.id
17 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: google_compute_subnetwork.public
File: /lessons/120/terraform/3-subnets.tf:11-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
11 | resource "google_compute_subnetwork" "public" {
12 | name = "public"
13 | region = local.region
14 | ip_cidr_range = "10.0.64.0/18"
15 | stack_type = "IPV4_ONLY"
16 | network = google_compute_network.main.id
17 | }
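The two GCP findings on lessons/120/terraform/3-subnets.tf are both subnet attributes: CKV_GCP_26 wants VPC Flow Logs on every subnet (the private one included, which only fails the flow-log check), and CKV_GCP_74 wants private_ip_google_access on the public subnet so VMs without external addresses can still reach Google APIs. The following is an added example, not the repository's code; the sampling rate is an assumption.

```hcl
# Added example: remediated lessons/120/terraform/3-subnets.tf
resource "google_compute_subnetwork" "public" {
  name          = "public"
  region        = local.region
  ip_cidr_range = "10.0.64.0/18"
  stack_type    = "IPV4_ONLY"
  network       = google_compute_network.main.id

  # CKV_GCP_74: lets instances pull from Artifact Registry, read Cloud Storage
  # and call Secret Manager over Google's internal path, so they need no
  # external IP for that traffic.
  private_ip_google_access = true

  # CKV_GCP_26: VPC Flow Logs are the network evidence for lateral-movement
  # and exfiltration investigations. flow_sampling and metadata are the cost
  # levers; 0.5 with full metadata is an assumed starting point.
  log_config {
    aggregation_interval = "INTERVAL_5_SEC"
    flow_sampling        = 0.5
    metadata             = "INCLUDE_ALL_METADATA"
  }
}

resource "google_compute_subnetwork" "private" {
  name                     = "private"
  region                   = local.region
  ip_cidr_range            = "10.0.0.0/18"
  stack_type               = "IPV4_ONLY"
  network                  = google_compute_network.main.id
  private_ip_google_access = true

  # CKV_GCP_26 applies here too: the private subnet is where the workloads
  # live, so its flow logs matter most.
  log_config {
    aggregation_interval = "INTERVAL_5_SEC"
    flow_sampling        = 0.5
    metadata             = "INCLUDE_ALL_METADATA"
  }
}
```

Flow logs land in Cloud Logging; route them to a sink (BigQuery or a bucket) with a retention period that matches your investigation window, since the default log bucket retention is short.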
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.public-us-east-1a
File: /lessons/121/terraform/3-subnets.tf:21-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
21 | resource "aws_subnet" "public-us-east-1a" {
22 | vpc_id = aws_vpc.main.id
23 | cidr_block = "10.0.64.0/19"
24 | availability_zone = "us-east-1a"
25 | map_public_ip_on_launch = true
26 |
27 | tags = {
28 | "Name" = "public-us-east-1a"
29 | }
30 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.public-us-east-1b
File: /lessons/121/terraform/3-subnets.tf:32-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
32 | resource "aws_subnet" "public-us-east-1b" {
33 | vpc_id = aws_vpc.main.id
34 | cidr_block = "10.0.96.0/19"
35 | availability_zone = "us-east-1b"
36 | map_public_ip_on_launch = true
37 |
38 | tags = {
39 | "Name" = "public-us-east-1b"
40 | }
41 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.my_server_ssh_access
File: /lessons/121/terraform/6-ec2.tf:1-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
1 | resource "aws_security_group" "my_server_ssh_access" {
2 | name = "my-server-ssh-access"
3 | description = "Allow My Server SSH Accesss"
4 | vpc_id = aws_vpc.main.id
5 |
6 | ingress {
7 | description = "Allow SSH from Anywhere"
8 | from_port = 22
9 | to_port = 22
10 | protocol = "tcp"
11 | cidr_blocks = ["0.0.0.0/0"]
12 | }
13 |
14 | egress {
15 | from_port = 0
16 | to_port = 0
17 | protocol = "-1"
18 | cidr_blocks = ["0.0.0.0/0"]
19 | }
20 | }
Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
FAILED for resource: aws_security_group.my_server_ssh_access
File: /lessons/121/terraform/6-ec2.tf:1-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-1-port-security.html
1 | resource "aws_security_group" "my_server_ssh_access" {
2 | name = "my-server-ssh-access"
3 | description = "Allow My Server SSH Accesss"
4 | vpc_id = aws_vpc.main.id
5 |
6 | ingress {
7 | description = "Allow SSH from Anywhere"
8 | from_port = 22
9 | to_port = 22
10 | protocol = "tcp"
11 | cidr_blocks = ["0.0.0.0/0"]
12 | }
13 |
14 | egress {
15 | from_port = 0
16 | to_port = 0
17 | protocol = "-1"
18 | cidr_blocks = ["0.0.0.0/0"]
19 | }
20 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.my_server
File: /lessons/121/terraform/6-ec2.tf:38-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
38 | resource "aws_instance" "my_server" {
39 | ami = data.aws_ami.ubuntu.id
40 | instance_type = "t3.micro"
41 |
42 | key_name = "old-key"
43 | subnet_id = aws_subnet.public-us-east-1a.id
44 | vpc_security_group_ids = [aws_security_group.my_server_ssh_access.id]
45 |
46 | associate_public_ip_address = true
47 |
48 | tags = {
49 | Name = "My Server"
50 | }
51 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.my_server
File: /lessons/121/terraform/6-ec2.tf:38-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
38 | resource "aws_instance" "my_server" {
39 | ami = data.aws_ami.ubuntu.id
40 | instance_type = "t3.micro"
41 |
42 | key_name = "old-key"
43 | subnet_id = aws_subnet.public-us-east-1a.id
44 | vpc_security_group_ids = [aws_security_group.my_server_ssh_access.id]
45 |
46 | associate_public_ip_address = true
47 |
48 | tags = {
49 | Name = "My Server"
50 | }
51 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.my_server
File: /lessons/121/terraform/6-ec2.tf:38-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
38 | resource "aws_instance" "my_server" {
39 | ami = data.aws_ami.ubuntu.id
40 | instance_type = "t3.micro"
41 |
42 | key_name = "old-key"
43 | subnet_id = aws_subnet.public-us-east-1a.id
44 | vpc_security_group_ids = [aws_security_group.my_server_ssh_access.id]
45 |
46 | associate_public_ip_address = true
47 |
48 | tags = {
49 | Name = "My Server"
50 | }
51 | }
Check: CKV_AWS_88: "EC2 instance should not have public IP."
FAILED for resource: aws_instance.my_server
File: /lessons/121/terraform/6-ec2.tf:38-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/public-policies/public-12.html
38 | resource "aws_instance" "my_server" {
39 | ami = data.aws_ami.ubuntu.id
40 | instance_type = "t3.micro"
41 |
42 | key_name = "old-key"
43 | subnet_id = aws_subnet.public-us-east-1a.id
44 | vpc_security_group_ids = [aws_security_group.my_server_ssh_access.id]
45 |
46 | associate_public_ip_address = true
47 |
48 | tags = {
49 | Name = "My Server"
50 | }
51 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.my_server
File: /lessons/121/terraform/6-ec2.tf:38-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
38 | resource "aws_instance" "my_server" {
39 | ami = data.aws_ami.ubuntu.id
40 | instance_type = "t3.micro"
41 |
42 | key_name = "old-key"
43 | subnet_id = aws_subnet.public-us-east-1a.id
44 | vpc_security_group_ids = [aws_security_group.my_server_ssh_access.id]
45 |
46 | associate_public_ip_address = true
47 |
48 | tags = {
49 | Name = "My Server"
50 | }
51 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.public_us_east_1a
File: /lessons/122/terraform/3-subnets.tf:24-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
24 | resource "aws_subnet" "public_us_east_1a" {
25 | vpc_id = aws_vpc.main.id
26 | cidr_block = "10.0.64.0/19"
27 | availability_zone = "us-east-1a"
28 | map_public_ip_on_launch = true
29 |
30 | tags = {
31 | "Name" = "public-us-east-1a"
32 | }
33 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.public_us_east_1b
File: /lessons/122/terraform/3-subnets.tf:36-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
36 | resource "aws_subnet" "public_us_east_1b" {
37 | vpc_id = aws_vpc.main.id
38 | cidr_block = "10.0.96.0/19"
39 | availability_zone = "us-east-1b"
40 | map_public_ip_on_launch = true
41 |
42 | tags = {
43 | "Name" = "public-us-east-1b"
44 | }
45 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.my_server_ssh_access
File: /lessons/122/terraform/6-ec2.tf:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
2 | resource "aws_security_group" "my_server_ssh_access" {
3 | name = "my-server-ssh-access"
4 | description = "Allow My Server SSH Accesss"
5 | vpc_id = aws_vpc.main.id
6 |
7 | ingress {
8 | description = "Allow SSH from Anywhere"
9 | from_port = 22
10 | to_port = 22
11 | protocol = "tcp"
12 | cidr_blocks = ["0.0.0.0/0"]
13 | }
14 |
15 | egress {
16 | from_port = 0
17 | to_port = 0
18 | protocol = "-1"
19 | cidr_blocks = ["0.0.0.0/0"]
20 | }
21 | }
Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
FAILED for resource: aws_security_group.my_server_ssh_access
File: /lessons/122/terraform/6-ec2.tf:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-1-port-security.html
2 | resource "aws_security_group" "my_server_ssh_access" {
3 | name = "my-server-ssh-access"
4 | description = "Allow My Server SSH Accesss"
5 | vpc_id = aws_vpc.main.id
6 |
7 | ingress {
8 | description = "Allow SSH from Anywhere"
9 | from_port = 22
10 | to_port = 22
11 | protocol = "tcp"
12 | cidr_blocks = ["0.0.0.0/0"]
13 | }
14 |
15 | egress {
16 | from_port = 0
17 | to_port = 0
18 | protocol = "-1"
19 | cidr_blocks = ["0.0.0.0/0"]
20 | }
21 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.my_server
File: /lessons/122/terraform/6-ec2.tf:41-56
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
41 | resource "aws_instance" "my_server" {
42 | ami = data.aws_ami.ubuntu.id
43 | instance_type = "t3.micro"
44 |
45 | # create devops key pair manually before you run terraform
46 | key_name = "devops"
47 |
48 | subnet_id = aws_subnet.public_us_east_1a.id
49 | vpc_security_group_ids = [aws_security_group.my_server_ssh_access.id]
50 |
51 | associate_public_ip_address = true
52 |
53 | tags = {
54 | Name = "my-server"
55 | }
56 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.my_server
File: /lessons/122/terraform/6-ec2.tf:41-56
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
41 | resource "aws_instance" "my_server" {
42 | ami = data.aws_ami.ubuntu.id
43 | instance_type = "t3.micro"
44 |
45 | # create devops key pair manually before you run terraform
46 | key_name = "devops"
47 |
48 | subnet_id = aws_subnet.public_us_east_1a.id
49 | vpc_security_group_ids = [aws_security_group.my_server_ssh_access.id]
50 |
51 | associate_public_ip_address = true
52 |
53 | tags = {
54 | Name = "my-server"
55 | }
56 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.my_server
File: /lessons/122/terraform/6-ec2.tf:41-56
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
41 | resource "aws_instance" "my_server" {
42 | ami = data.aws_ami.ubuntu.id
43 | instance_type = "t3.micro"
44 |
45 | # create devops key pair manually before you run terraform
46 | key_name = "devops"
47 |
48 | subnet_id = aws_subnet.public_us_east_1a.id
49 | vpc_security_group_ids = [aws_security_group.my_server_ssh_access.id]
50 |
51 | associate_public_ip_address = true
52 |
53 | tags = {
54 | Name = "my-server"
55 | }
56 | }
Check: CKV_AWS_88: "EC2 instance should not have public IP."
FAILED for resource: aws_instance.my_server
File: /lessons/122/terraform/6-ec2.tf:41-56
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/public-policies/public-12.html
41 | resource "aws_instance" "my_server" {
42 | ami = data.aws_ami.ubuntu.id
43 | instance_type = "t3.micro"
44 |
45 | # create devops key pair manually before you run terraform
46 | key_name = "devops"
47 |
48 | subnet_id = aws_subnet.public_us_east_1a.id
49 | vpc_security_group_ids = [aws_security_group.my_server_ssh_access.id]
50 |
51 | associate_public_ip_address = true
52 |
53 | tags = {
54 | Name = "my-server"
55 | }
56 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.my_server
File: /lessons/122/terraform/6-ec2.tf:41-56
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
41 | resource "aws_instance" "my_server" {
42 | ami = data.aws_ami.ubuntu.id
43 | instance_type = "t3.micro"
44 |
45 | # create devops key pair manually before you run terraform
46 | key_name = "devops"
47 |
48 | subnet_id = aws_subnet.public_us_east_1a.id
49 | vpc_security_group_ids = [aws_security_group.my_server_ssh_access.id]
50 |
51 | associate_public_ip_address = true
52 |
53 | tags = {
54 | Name = "my-server"
55 | }
56 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
FAILED for resource: aws_sns_topic.alarms
File: /lessons/122/terraform/7-sns-topic.tf:28-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-15.html
28 | resource "aws_sns_topic" "alarms" {
29 | name = "alarms"
30 |
31 | # Important! Only for testing, set to log every single message
32 | # For production, set it to 0 or close
33 | lambda_success_feedback_sample_rate = 100
34 |
35 | lambda_failure_feedback_role_arn = aws_iam_role.sns_logs.arn
36 | lambda_success_feedback_role_arn = aws_iam_role.sns_logs.arn
37 | }
Check: CKV_AWS_50: "X-ray tracing is enabled for Lambda"
FAILED for resource: aws_lambda_function.send_cloudwatch_alarms_to_slack
File: /lessons/122/terraform/9-lambda.tf:46-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4.html
46 | resource "aws_lambda_function" "send_cloudwatch_alarms_to_slack" {
47 | function_name = "send-cloudwatch-alarms-to-slack"
48 |
49 | s3_bucket = aws_s3_bucket.lambda_bucket.id
50 | s3_key = aws_s3_object.send_cloudwatch_alarms_to_slack.key
51 |
52 | runtime = "python3.9"
53 | handler = "function.lambda_handler"
54 |
55 | source_code_hash = data.archive_file.send_cloudwatch_alarms_to_slack.output_base64sha256
56 |
57 | role = aws_iam_role.send_cloudwatch_alarms_to_slack.arn
58 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: aws_lambda_function.send_cloudwatch_alarms_to_slack
File: /lessons/122/terraform/9-lambda.tf:46-58
46 | resource "aws_lambda_function" "send_cloudwatch_alarms_to_slack" {
47 | function_name = "send-cloudwatch-alarms-to-slack"
48 |
49 | s3_bucket = aws_s3_bucket.lambda_bucket.id
50 | s3_key = aws_s3_object.send_cloudwatch_alarms_to_slack.key
51 |
52 | runtime = "python3.9"
53 | handler = "function.lambda_handler"
54 |
55 | source_code_hash = data.archive_file.send_cloudwatch_alarms_to_slack.output_base64sha256
56 |
57 | role = aws_iam_role.send_cloudwatch_alarms_to_slack.arn
58 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: aws_lambda_function.send_cloudwatch_alarms_to_slack
File: /lessons/122/terraform/9-lambda.tf:46-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit.html
46 | resource "aws_lambda_function" "send_cloudwatch_alarms_to_slack" {
47 | function_name = "send-cloudwatch-alarms-to-slack"
48 |
49 | s3_bucket = aws_s3_bucket.lambda_bucket.id
50 | s3_key = aws_s3_object.send_cloudwatch_alarms_to_slack.key
51 |
52 | runtime = "python3.9"
53 | handler = "function.lambda_handler"
54 |
55 | source_code_hash = data.archive_file.send_cloudwatch_alarms_to_slack.output_base64sha256
56 |
57 | role = aws_iam_role.send_cloudwatch_alarms_to_slack.arn
58 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: aws_lambda_function.send_cloudwatch_alarms_to_slack
File: /lessons/122/terraform/9-lambda.tf:46-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq.html
46 | resource "aws_lambda_function" "send_cloudwatch_alarms_to_slack" {
47 | function_name = "send-cloudwatch-alarms-to-slack"
48 |
49 | s3_bucket = aws_s3_bucket.lambda_bucket.id
50 | s3_key = aws_s3_object.send_cloudwatch_alarms_to_slack.key
51 |
52 | runtime = "python3.9"
53 | handler = "function.lambda_handler"
54 |
55 | source_code_hash = data.archive_file.send_cloudwatch_alarms_to_slack.output_base64sha256
56 |
57 | role = aws_iam_role.send_cloudwatch_alarms_to_slack.arn
58 | }
Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
FAILED for resource: aws_lambda_function.send_cloudwatch_alarms_to_slack
File: /lessons/122/terraform/9-lambda.tf:46-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1.html
46 | resource "aws_lambda_function" "send_cloudwatch_alarms_to_slack" {
47 | function_name = "send-cloudwatch-alarms-to-slack"
48 |
49 | s3_bucket = aws_s3_bucket.lambda_bucket.id
50 | s3_key = aws_s3_object.send_cloudwatch_alarms_to_slack.key
51 |
52 | runtime = "python3.9"
53 | handler = "function.lambda_handler"
54 |
55 | source_code_hash = data.archive_file.send_cloudwatch_alarms_to_slack.output_base64sha256
56 |
57 | role = aws_iam_role.send_cloudwatch_alarms_to_slack.arn
58 | }
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: aws_cloudwatch_log_group.send_cloudwatch_alarms_to_slack
File: /lessons/122/terraform/9-lambda.tf:61-65
61 | resource "aws_cloudwatch_log_group" "send_cloudwatch_alarms_to_slack" {
62 | name = "/aws/lambda/${aws_lambda_function.send_cloudwatch_alarms_to_slack.function_name}"
63 |
64 | retention_in_days = 14
65 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
FAILED for resource: aws_cloudwatch_log_group.send_cloudwatch_alarms_to_slack
File: /lessons/122/terraform/9-lambda.tf:61-65
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html
61 | resource "aws_cloudwatch_log_group" "send_cloudwatch_alarms_to_slack" {
62 | name = "/aws/lambda/${aws_lambda_function.send_cloudwatch_alarms_to_slack.function_name}"
63 |
64 | retention_in_days = 14
65 | }
Check: CKV_AWS_119: "Ensure DynamoDB Tables are encrypted using a KMS Customer Managed CMK"
FAILED for resource: aws_dynamodb_table.meta
File: /lessons/124/terraform/3-dynamodb.tf:1-12
Guide: https://docs.bridgecrew.io/docs/ensure-that-dynamodb-tables-are-encrypted
1 | resource "aws_dynamodb_table" "meta" {
2 | name = "Meta"
3 | billing_mode = "PROVISIONED"
4 | read_capacity = 5
5 | write_capacity = 5
6 | hash_key = "LastModified"
7 |
8 | attribute {
9 | name = "LastModified"
10 | type = "S"
11 | }
12 | }
Check: CKV_AWS_28: "Ensure Dynamodb point in time recovery (backup) is enabled"
FAILED for resource: aws_dynamodb_table.meta
File: /lessons/124/terraform/3-dynamodb.tf:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-6.html
1 | resource "aws_dynamodb_table" "meta" {
2 | name = "Meta"
3 | billing_mode = "PROVISIONED"
4 | read_capacity = 5
5 | write_capacity = 5
6 | hash_key = "LastModified"
7 |
8 | attribute {
9 | name = "LastModified"
10 | type = "S"
11 | }
12 | }
Check: CKV_AWS_50: "X-ray tracing is enabled for Lambda"
FAILED for resource: aws_lambda_function.nodejs
File: /lessons/124/terraform/4-nodejs-lambda.tf:78-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4.html
78 | resource "aws_lambda_function" "nodejs" {
79 | function_name = "nodejs"
80 |
81 | s3_bucket = aws_s3_bucket.lambda_bucket.id
82 | s3_key = aws_s3_object.lambda_nodejs.key
83 |
84 | environment {
85 | variables = {
86 | BUCKET_NAME = aws_s3_bucket.images_bucket.id
87 | }
88 | }
89 |
90 | runtime = "nodejs16.x"
91 | handler = "function.handler"
92 |
93 | source_code_hash = data.archive_file.lambda_nodejs.output_base64sha256
94 |
95 | role = aws_iam_role.nodejs_lambda_exec.arn
96 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: aws_lambda_function.nodejs
File: /lessons/124/terraform/4-nodejs-lambda.tf:78-96
78 | resource "aws_lambda_function" "nodejs" {
79 | function_name = "nodejs"
80 |
81 | s3_bucket = aws_s3_bucket.lambda_bucket.id
82 | s3_key = aws_s3_object.lambda_nodejs.key
83 |
84 | environment {
85 | variables = {
86 | BUCKET_NAME = aws_s3_bucket.images_bucket.id
87 | }
88 | }
89 |
90 | runtime = "nodejs16.x"
91 | handler = "function.handler"
92 |
93 | source_code_hash = data.archive_file.lambda_nodejs.output_base64sha256
94 |
95 | role = aws_iam_role.nodejs_lambda_exec.arn
96 | }
Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
FAILED for resource: aws_lambda_function.nodejs
File: /lessons/124/terraform/4-nodejs-lambda.tf:78-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5.html
78 | resource "aws_lambda_function" "nodejs" {
79 | function_name = "nodejs"
80 |
81 | s3_bucket = aws_s3_bucket.lambda_bucket.id
82 | s3_key = aws_s3_object.lambda_nodejs.key
83 |
84 | environment {
85 | variables = {
86 | BUCKET_NAME = aws_s3_bucket.images_bucket.id
87 | }
88 | }
89 |
90 | runtime = "nodejs16.x"
91 | handler = "function.handler"
92 |
93 | source_code_hash = data.archive_file.lambda_nodejs.output_base64sha256
94 |
95 | role = aws_iam_role.nodejs_lambda_exec.arn
96 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: aws_lambda_function.nodejs
File: /lessons/124/terraform/4-nodejs-lambda.tf:78-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit.html
78 | resource "aws_lambda_function" "nodejs" {
79 | function_name = "nodejs"
80 |
81 | s3_bucket = aws_s3_bucket.lambda_bucket.id
82 | s3_key = aws_s3_object.lambda_nodejs.key
83 |
84 | environment {
85 | variables = {
86 | BUCKET_NAME = aws_s3_bucket.images_bucket.id
87 | }
88 | }
89 |
90 | runtime = "nodejs16.x"
91 | handler = "function.handler"
92 |
93 | source_code_hash = data.archive_file.lambda_nodejs.output_base64sha256
94 |
95 | role = aws_iam_role.nodejs_lambda_exec.arn
96 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: aws_lambda_function.nodejs
File: /lessons/124/terraform/4-nodejs-lambda.tf:78-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq.html
78 | resource "aws_lambda_function" "nodejs" {
79 | function_name = "nodejs"
80 |
81 | s3_bucket = aws_s3_bucket.lambda_bucket.id
82 | s3_key = aws_s3_object.lambda_nodejs.key
83 |
84 | environment {
85 | variables = {
86 | BUCKET_NAME = aws_s3_bucket.images_bucket.id
87 | }
88 | }
89 |
90 | runtime = "nodejs16.x"
91 | handler = "function.handler"
92 |
93 | source_code_hash = data.archive_file.lambda_nodejs.output_base64sha256
94 |
95 | role = aws_iam_role.nodejs_lambda_exec.arn
96 | }
Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
FAILED for resource: aws_lambda_function.nodejs
File: /lessons/124/terraform/4-nodejs-lambda.tf:78-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1.html
78 | resource "aws_lambda_function" "nodejs" {
79 | function_name = "nodejs"
80 |
81 | s3_bucket = aws_s3_bucket.lambda_bucket.id
82 | s3_key = aws_s3_object.lambda_nodejs.key
83 |
84 | environment {
85 | variables = {
86 | BUCKET_NAME = aws_s3_bucket.images_bucket.id
87 | }
88 | }
89 |
90 | runtime = "nodejs16.x"
91 | handler = "function.handler"
92 |
93 | source_code_hash = data.archive_file.lambda_nodejs.output_base64sha256
94 |
95 | role = aws_iam_role.nodejs_lambda_exec.arn
96 | }
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: aws_cloudwatch_log_group.nodejs
File: /lessons/124/terraform/4-nodejs-lambda.tf:98-102
98 | resource "aws_cloudwatch_log_group" "nodejs" {
99 | name = "/aws/lambda/${aws_lambda_function.nodejs.function_name}"
100 |
101 | retention_in_days = 14
102 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
FAILED for resource: aws_cloudwatch_log_group.nodejs
File: /lessons/124/terraform/4-nodejs-lambda.tf:98-102
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html
98 | resource "aws_cloudwatch_log_group" "nodejs" {
99 | name = "/aws/lambda/${aws_lambda_function.nodejs.function_name}"
100 |
101 | retention_in_days = 14
102 | }
Check: CKV_AWS_258: "Ensure that Lambda function URLs AuthType is not None"
FAILED for resource: aws_lambda_function_url.lambda_nodejs
File: /lessons/124/terraform/4-nodejs-lambda.tf:120-123
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-authtype-for-your-lambda-function-urls-is-defined.html
120 | resource "aws_lambda_function_url" "lambda_nodejs" {
121 | function_name = aws_lambda_function.nodejs.function_name
122 | authorization_type = "NONE"
123 | }
Check: CKV_AWS_50: "X-ray tracing is enabled for Lambda"
FAILED for resource: aws_lambda_function.go
File: /lessons/124/terraform/5-go-lambda.tf:78-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4.html
78 | resource "aws_lambda_function" "go" {
79 | function_name = "go"
80 |
81 | s3_bucket = aws_s3_bucket.lambda_bucket.id
82 | s3_key = aws_s3_object.lambda_go.key
83 |
84 | environment {
85 | variables = {
86 | BUCKET_NAME = aws_s3_bucket.images_bucket.id
87 | }
88 | }
89 |
90 | runtime = "go1.x"
91 | handler = "main"
92 |
93 | source_code_hash = data.archive_file.lambda_go.output_base64sha256
94 |
95 | role = aws_iam_role.go_lambda_exec.arn
96 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: aws_lambda_function.go
File: /lessons/124/terraform/5-go-lambda.tf:78-96
78 | resource "aws_lambda_function" "go" {
79 | function_name = "go"
80 |
81 | s3_bucket = aws_s3_bucket.lambda_bucket.id
82 | s3_key = aws_s3_object.lambda_go.key
83 |
84 | environment {
85 | variables = {
86 | BUCKET_NAME = aws_s3_bucket.images_bucket.id
87 | }
88 | }
89 |
90 | runtime = "go1.x"
91 | handler = "main"
92 |
93 | source_code_hash = data.archive_file.lambda_go.output_base64sha256
94 |
95 | role = aws_iam_role.go_lambda_exec.arn
96 | }
Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
FAILED for resource: aws_lambda_function.go
File: /lessons/124/terraform/5-go-lambda.tf:78-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5.html
78 | resource "aws_lambda_function" "go" {
79 | function_name = "go"
80 |
81 | s3_bucket = aws_s3_bucket.lambda_bucket.id
82 | s3_key = aws_s3_object.lambda_go.key
83 |
84 | environment {
85 | variables = {
86 | BUCKET_NAME = aws_s3_bucket.images_bucket.id
87 | }
88 | }
89 |
90 | runtime = "go1.x"
91 | handler = "main"
92 |
93 | source_code_hash = data.archive_file.lambda_go.output_base64sha256
94 |
95 | role = aws_iam_role.go_lambda_exec.arn
96 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: aws_lambda_function.go
File: /lessons/124/terraform/5-go-lambda.tf:78-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit.html
78 | resource "aws_lambda_function" "go" {
79 | function_name = "go"
80 |
81 | s3_bucket = aws_s3_bucket.lambda_bucket.id
82 | s3_key = aws_s3_object.lambda_go.key
83 |
84 | environment {
85 | variables = {
86 | BUCKET_NAME = aws_s3_bucket.images_bucket.id
87 | }
88 | }
89 |
90 | runtime = "go1.x"
91 | handler = "main"
92 |
93 | source_code_hash = data.archive_file.lambda_go.output_base64sha256
94 |
95 | role = aws_iam_role.go_lambda_exec.arn
96 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: aws_lambda_function.go
File: /lessons/124/terraform/5-go-lambda.tf:78-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq.html
78 | resource "aws_lambda_function" "go" {
79 | function_name = "go"
80 |
81 | s3_bucket = aws_s3_bucket.lambda_bucket.id
82 | s3_key = aws_s3_object.lambda_go.key
83 |
84 | environment {
85 | variables = {
86 | BUCKET_NAME = aws_s3_bucket.images_bucket.id
87 | }
88 | }
89 |
90 | runtime = "go1.x"
91 | handler = "main"
92 |
93 | source_code_hash = data.archive_file.lambda_go.output_base64sha256
94 |
95 | role = aws_iam_role.go_lambda_exec.arn
96 | }
Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
FAILED for resource: aws_lambda_function.go
File: /lessons/124/terraform/5-go-lambda.tf:78-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1.html
78 | resource "aws_lambda_function" "go" {
79 | function_name = "go"
80 |
81 | s3_bucket = aws_s3_bucket.lambda_bucket.id
82 | s3_key = aws_s3_object.lambda_go.key
83 |
84 | environment {
85 | variables = {
86 | BUCKET_NAME = aws_s3_bucket.images_bucket.id
87 | }
88 | }
89 |
90 | runtime = "go1.x"
91 | handler = "main"
92 |
93 | source_code_hash = data.archive_file.lambda_go.output_base64sha256
94 |
95 | role = aws_iam_role.go_lambda_exec.arn
96 | }
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: aws_cloudwatch_log_group.go
File: /lessons/124/terraform/5-go-lambda.tf:98-102
98 | resource "aws_cloudwatch_log_group" "go" {
99 | name = "/aws/lambda/${aws_lambda_function.go.function_name}"
100 |
101 | retention_in_days = 14
102 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
FAILED for resource: aws_cloudwatch_log_group.go
File: /lessons/124/terraform/5-go-lambda.tf:98-102
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html
98 | resource "aws_cloudwatch_log_group" "go" {
99 | name = "/aws/lambda/${aws_lambda_function.go.function_name}"
100 |
101 | retention_in_days = 14
102 | }
Check: CKV_AWS_258: "Ensure that Lambda function URLs AuthType is not None"
FAILED for resource: aws_lambda_function_url.lambda_go
File: /lessons/124/terraform/5-go-lambda.tf:120-123
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-authtype-for-your-lambda-function-urls-is-defined.html
120 | resource "aws_lambda_function_url" "lambda_go" {
121 | function_name = aws_lambda_function.go.function_name
122 | authorization_type = "NONE"
123 | }
Check: CKV_AWS_119: "Ensure DynamoDB Tables are encrypted using a KMS Customer Managed CMK"
FAILED for resource: aws_dynamodb_table.meta
File: /lessons/126/terraform/3-dynamodb.tf:2-13
Guide: https://docs.bridgecrew.io/docs/ensure-that-dynamodb-tables-are-encrypted
2 | resource "aws_dynamodb_table" "meta" {
3 | name = "Meta"
4 | billing_mode = "PROVISIONED"
5 | read_capacity = 5
6 | write_capacity = 1000
7 | hash_key = "LastModified"
8 |
9 | attribute {
10 | name = "LastModified"
11 | type = "S"
12 | }
13 | }
Check: CKV_AWS_28: "Ensure Dynamodb point in time recovery (backup) is enabled"
FAILED for resource: aws_dynamodb_table.meta
File: /lessons/126/terraform/3-dynamodb.tf:2-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-6.html
2 | resource "aws_dynamodb_table" "meta" {
3 | name = "Meta"
4 | billing_mode = "PROVISIONED"
5 | read_capacity = 5
6 | write_capacity = 1000
7 | hash_key = "LastModified"
8 |
9 | attribute {
10 | name = "LastModified"
11 | type = "S"
12 | }
13 | }
Check: CKV_AWS_50: "X-ray tracing is enabled for Lambda"
FAILED for resource: aws_lambda_function.nodejs
File: /lessons/126/terraform/4-nodejs-lambda.tf:78-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4.html
78 | resource "aws_lambda_function" "nodejs" {
79 | function_name = "nodejs"
80 |
81 | s3_bucket = aws_s3_bucket.lambda_bucket.id
82 | s3_key = aws_s3_object.lambda_nodejs.key
83 |
84 | environment {
85 | variables = {
86 | BUCKET_NAME = aws_s3_bucket.images_bucket.id
87 | }
88 | }
89 |
90 | runtime = "nodejs16.x"
91 | handler = "function.lambda_handler"
92 |
93 | source_code_hash = data.archive_file.lambda_nodejs.output_base64sha256
94 |
95 | role = aws_iam_role.nodejs_lambda_exec.arn
96 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: aws_lambda_function.nodejs
File: /lessons/126/terraform/4-nodejs-lambda.tf:78-96
78 | resource "aws_lambda_function" "nodejs" {
79 | function_name = "nodejs"
80 |
81 | s3_bucket = aws_s3_bucket.lambda_bucket.id
82 | s3_key = aws_s3_object.lambda_nodejs.key
83 |
84 | environment {
85 | variables = {
86 | BUCKET_NAME = aws_s3_bucket.images_bucket.id
87 | }
88 | }
89 |
90 | runtime = "nodejs16.x"
91 | handler = "function.lambda_handler"
92 |
93 | source_code_hash = data.archive_file.lambda_nodejs.output_base64sha256
94 |
95 | role = aws_iam_role.nodejs_lambda_exec.arn
96 | }
Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
FAILED for resource: aws_lambda_function.nodejs
File: /lessons/126/terraform/4-nodejs-lambda.tf:78-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5.html
78 | resource "aws_lambda_function" "nodejs" {
79 | function_name = "nodejs"
80 |
81 | s3_bucket = aws_s3_bucket.lambda_bucket.id
82 | s3_key = aws_s3_object.lambda_nodejs.key
83 |
84 | environment {
85 | variables = {
86 | BUCKET_NAME = aws_s3_bucket.images_bucket.id
87 | }
88 | }
89 |
90 | runtime = "nodejs16.x"
91 | handler = "function.lambda_handler"
92 |
93 | source_code_hash = data.archive_file.lambda_nodejs.output_base64sha256
94 |
95 | role = aws_iam_role.nodejs_lambda_exec.arn
96 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: aws_lambda_function.nodejs
File: /lessons/126/terraform/4-nodejs-lambda.tf:78-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit.html
78 | resource "aws_lambda_function" "nodejs" {
79 | function_name = "nodejs"
80 |
81 | s3_bucket = aws_s3_bucket.lambda_bucket.id
82 | s3_key = aws_s3_object.lambda_nodejs.key
83 |
84 | environment {
85 | variables = {
86 | BUCKET_NAME = aws_s3_bucket.images_bucket.id
87 | }
88 | }
89 |
90 | runtime = "nodejs16.x"
91 | handler = "function.lambda_handler"
92 |
93 | source_code_hash = data.archive_file.lambda_nodejs.output_base64sha256
94 |
95 | role = aws_iam_role.nodejs_lambda_exec.arn
96 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: aws_lambda_function.nodejs
File: /lessons/126/terraform/4-nodejs-lambda.tf:78-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq.html
78 | resource "aws_lambda_function" "nodejs" {
79 | function_name = "nodejs"
80 |
81 | s3_bucket = aws_s3_bucket.lambda_bucket.id
82 | s3_key = aws_s3_object.lambda_nodejs.key
83 |
84 | environment {
85 | variables = {
86 | BUCKET_NAME = aws_s3_bucket.images_bucket.id
87 | }
88 | }
89 |
90 | runtime = "nodejs16.x"
91 | handler = "function.lambda_handler"
92 |
93 | source_code_hash = data.archive_file.lambda_nodejs.output_base64sha256
94 |
95 | role = aws_iam_role.nodejs_lambda_exec.arn
96 | }
Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
FAILED for resource: aws_lambda_function.nodejs
File: /lessons/126/terraform/4-nodejs-lambda.tf:78-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1.html
78 | resource "aws_lambda_function" "nodejs" {
79 | function_name = "nodejs"
80 |
81 | s3_bucket = aws_s3_bucket.lambda_bucket.id
82 | s3_key = aws_s3_object.lambda_nodejs.key
83 |
84 | environment {
85 | variables = {
86 | BUCKET_NAME = aws_s3_bucket.images_bucket.id
87 | }
88 | }
89 |
90 | runtime = "nodejs16.x"
91 | handler = "function.lambda_handler"
92 |
93 | source_code_hash = data.archive_file.lambda_nodejs.output_base64sha256
94 |
95 | role = aws_iam_role.nodejs_lambda_exec.arn
96 | }
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: aws_cloudwatch_log_group.nodejs
File: /lessons/126/terraform/4-nodejs-lambda.tf:98-102
98 | resource "aws_cloudwatch_log_group" "nodejs" {
99 | name = "/aws/lambda/${aws_lambda_function.nodejs.function_name}"
100 |
101 | retention_in_days = 14
102 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
FAILED for resource: aws_cloudwatch_log_group.nodejs
File: /lessons/126/terraform/4-nodejs-lambda.tf:98-102
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html
98 | resource "aws_cloudwatch_log_group" "nodejs" {
99 | name = "/aws/lambda/${aws_lambda_function.nodejs.function_name}"
100 |
101 | retention_in_days = 14
102 | }
Check: CKV_AWS_258: "Ensure that Lambda function URLs AuthType is not None"
FAILED for resource: aws_lambda_function_url.lambda_nodejs
File: /lessons/126/terraform/4-nodejs-lambda.tf:120-123
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-authtype-for-your-lambda-function-urls-is-defined.html
120 | resource "aws_lambda_function_url" "lambda_nodejs" {
121 | function_name = aws_lambda_function.nodejs.function_name
122 | authorization_type = "NONE"
123 | }
Check: CKV_AWS_50: "X-ray tracing is enabled for Lambda"
FAILED for resource: aws_lambda_function.python
File: /lessons/126/terraform/4-python-lambda.tf:78-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4.html
78 | resource "aws_lambda_function" "python" {
79 | function_name = "python"
80 |
81 | s3_bucket = aws_s3_bucket.lambda_bucket.id
82 | s3_key = aws_s3_object.lambda_python.key
83 |
84 | environment {
85 | variables = {
86 | BUCKET_NAME = aws_s3_bucket.images_bucket.id
87 | }
88 | }
89 |
90 | runtime = "python3.9"
91 | handler = "function.lambda_handler"
92 |
93 | source_code_hash = data.archive_file.lambda_python.output_base64sha256
94 |
95 | role = aws_iam_role.python_lambda_exec.arn
96 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: aws_lambda_function.python
File: /lessons/126/terraform/4-python-lambda.tf:78-96
78 | resource "aws_lambda_function" "python" {
79 | function_name = "python"
80 |
81 | s3_bucket = aws_s3_bucket.lambda_bucket.id
82 | s3_key = aws_s3_object.lambda_python.key
83 |
84 | environment {
85 | variables = {
86 | BUCKET_NAME = aws_s3_bucket.images_bucket.id
87 | }
88 | }
89 |
90 | runtime = "python3.9"
91 | handler = "function.lambda_handler"
92 |
93 | source_code_hash = data.archive_file.lambda_python.output_base64sha256
94 |
95 | role = aws_iam_role.python_lambda_exec.arn
96 | }
Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
FAILED for resource: aws_lambda_function.python
File: /lessons/126/terraform/4-python-lambda.tf:78-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5.html
78 | resource "aws_lambda_function" "python" {
79 | function_name = "python"
80 |
81 | s3_bucket = aws_s3_bucket.lambda_bucket.id
82 | s3_key = aws_s3_object.lambda_python.key
83 |
84 | environment {
85 | variables = {
86 | BUCKET_NAME = aws_s3_bucket.images_bucket.id
87 | }
88 | }
89 |
90 | runtime = "python3.9"
91 | handler = "function.lambda_handler"
92 |
93 | source_code_hash = data.archive_file.lambda_python.output_base64sha256
94 |
95 | role = aws_iam_role.python_lambda_exec.arn
96 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: aws_lambda_function.python
File: /lessons/126/terraform/4-python-lambda.tf:78-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit.html
78 | resource "aws_lambda_function" "python" {
79 | function_name = "python"
80 |
81 | s3_bucket = aws_s3_bucket.lambda_bucket.id
82 | s3_key = aws_s3_object.lambda_python.key
83 |
84 | environment {
85 | variables = {
86 | BUCKET_NAME = aws_s3_bucket.images_bucket.id
87 | }
88 | }
89 |
90 | runtime = "python3.9"
91 | handler = "function.lambda_handler"
92 |
93 | source_code_hash = data.archive_file.lambda_python.output_base64sha256
94 |
95 | role = aws_iam_role.python_lambda_exec.arn
96 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: aws_lambda_function.python
File: /lessons/126/terraform/4-python-lambda.tf:78-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq.html
78 | resource "aws_lambda_function" "python" {
79 | function_name = "python"
80 |
81 | s3_bucket = aws_s3_bucket.lambda_bucket.id
82 | s3_key = aws_s3_object.lambda_python.key
83 |
84 | environment {
85 | variables = {
86 | BUCKET_NAME = aws_s3_bucket.images_bucket.id
87 | }
88 | }
89 |
90 | runtime = "python3.9"
91 | handler = "function.lambda_handler"
92 |
93 | source_code_hash = data.archive_file.lambda_python.output_base64sha256
94 |
95 | role = aws_iam_role.python_lambda_exec.arn
96 | }
Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
FAILED for resource: aws_lambda_function.python
File: /lessons/126/terraform/4-python-lambda.tf:78-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1.html
78 | resource "aws_lambda_function" "python" {
79 | function_name = "python"
80 |
81 | s3_bucket = aws_s3_bucket.lambda_bucket.id
82 | s3_key = aws_s3_object.lambda_python.key
83 |
84 | environment {
85 | variables = {
86 | BUCKET_NAME = aws_s3_bucket.images_bucket.id
87 | }
88 | }
89 |
90 | runtime = "python3.9"
91 | handler = "function.lambda_handler"
92 |
93 | source_code_hash = data.archive_file.lambda_python.output_base64sha256
94 |
95 | role = aws_iam_role.python_lambda_exec.arn
96 | }
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: aws_cloudwatch_log_group.python
File: /lessons/126/terraform/4-python-lambda.tf:98-102
98 | resource "aws_cloudwatch_log_group" "python" {
99 | name = "/aws/lambda/${aws_lambda_function.python.function_name}"
100 |
101 | retention_in_days = 14
102 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
FAILED for resource: aws_cloudwatch_log_group.python
File: /lessons/126/terraform/4-python-lambda.tf:98-102
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html
98 | resource "aws_cloudwatch_log_group" "python" {
99 | name = "/aws/lambda/${aws_lambda_function.python.function_name}"
100 |
101 | retention_in_days = 14
102 | }
Check: CKV_AWS_258: "Ensure that Lambda function URLs AuthType is not None"
FAILED for resource: aws_lambda_function_url.lambda_python
File: /lessons/126/terraform/4-python-lambda.tf:120-123
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-authtype-for-your-lambda-function-urls-is-defined.html
120 | resource "aws_lambda_function_url" "lambda_python" {
121 | function_name = aws_lambda_function.python.function_name
122 | authorization_type = "NONE"
123 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.public_us_east_1a
File: /lessons/127/terraform/3-subnets.tf:21-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
21 | resource "aws_subnet" "public_us_east_1a" {
22 | vpc_id = aws_vpc.main.id
23 | cidr_block = "10.0.64.0/19"
24 | availability_zone = "us-east-1a"
25 | map_public_ip_on_launch = true
26 |
27 | tags = {
28 | "Name" = "public-us-east-1a"
29 | }
30 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.public_us_east_1b
File: /lessons/127/terraform/3-subnets.tf:32-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
32 | resource "aws_subnet" "public_us_east_1b" {
33 | vpc_id = aws_vpc.main.id
34 | cidr_block = "10.0.96.0/19"
35 | availability_zone = "us-east-1b"
36 | map_public_ip_on_launch = true
37 |
38 | tags = {
39 | "Name" = "public-us-east-1b"
40 | }
41 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.ec2_eg1
File: /lessons/127/terraform/6-example-1.tf:14-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
14 | resource "aws_security_group" "ec2_eg1" {
15 | name = "ec2-eg1"
16 | vpc_id = aws_vpc.main.id
17 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.alb_eg1
File: /lessons/127/terraform/6-example-1.tf:19-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
19 | resource "aws_security_group" "alb_eg1" {
20 | name = "alb-eg1"
21 | vpc_id = aws_vpc.main.id
22 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group_rule.ingress_ec2_traffic
File: /lessons/127/terraform/6-example-1.tf:24-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
24 | resource "aws_security_group_rule" "ingress_ec2_traffic" {
25 | type = "ingress"
26 | from_port = 8080
27 | to_port = 8080
28 | protocol = "tcp"
29 | security_group_id = aws_security_group.ec2_eg1.id
30 | source_security_group_id = aws_security_group.alb_eg1.id
31 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group_rule.ingress_ec2_health_check
File: /lessons/127/terraform/6-example-1.tf:33-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
33 | resource "aws_security_group_rule" "ingress_ec2_health_check" {
34 | type = "ingress"
35 | from_port = 8081
36 | to_port = 8081
37 | protocol = "tcp"
38 | security_group_id = aws_security_group.ec2_eg1.id
39 | source_security_group_id = aws_security_group.alb_eg1.id
40 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group_rule.ingress_alb_traffic
File: /lessons/127/terraform/6-example-1.tf:51-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
51 | resource "aws_security_group_rule" "ingress_alb_traffic" {
52 | type = "ingress"
53 | from_port = 80
54 | to_port = 80
55 | protocol = "tcp"
56 | security_group_id = aws_security_group.alb_eg1.id
57 | cidr_blocks = ["0.0.0.0/0"]
58 | }
Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
FAILED for resource: aws_security_group_rule.ingress_alb_traffic
File: /lessons/127/terraform/6-example-1.tf:51-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
51 | resource "aws_security_group_rule" "ingress_alb_traffic" {
52 | type = "ingress"
53 | from_port = 80
54 | to_port = 80
55 | protocol = "tcp"
56 | security_group_id = aws_security_group.alb_eg1.id
57 | cidr_blocks = ["0.0.0.0/0"]
58 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group_rule.egress_alb_traffic
File: /lessons/127/terraform/6-example-1.tf:60-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
60 | resource "aws_security_group_rule" "egress_alb_traffic" {
61 | type = "egress"
62 | from_port = 8080
63 | to_port = 8080
64 | protocol = "tcp"
65 | security_group_id = aws_security_group.alb_eg1.id
66 | source_security_group_id = aws_security_group.ec2_eg1.id
67 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group_rule.egress_alb_health_check
File: /lessons/127/terraform/6-example-1.tf:69-76
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
69 | resource "aws_security_group_rule" "egress_alb_health_check" {
70 | type = "egress"
71 | from_port = 8081
72 | to_port = 8081
73 | protocol = "tcp"
74 | security_group_id = aws_security_group.alb_eg1.id
75 | source_security_group_id = aws_security_group.ec2_eg1.id
76 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.my_app_eg1["my-app-00"]
File: /lessons/127/terraform/6-example-1.tf:78-91
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
78 | resource "aws_instance" "my_app_eg1" {
79 | for_each = local.web_servers
80 |
81 | ami = "ami-07309549f34230bcd"
82 | instance_type = each.value.machine_type
83 | key_name = "devops"
84 | subnet_id = each.value.subnet_id
85 |
86 | vpc_security_group_ids = [aws_security_group.ec2_eg1.id]
87 |
88 | tags = {
89 | Name = each.key
90 | }
91 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.my_app_eg1["my-app-00"]
File: /lessons/127/terraform/6-example-1.tf:78-91
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
78 | resource "aws_instance" "my_app_eg1" {
79 | for_each = local.web_servers
80 |
81 | ami = "ami-07309549f34230bcd"
82 | instance_type = each.value.machine_type
83 | key_name = "devops"
84 | subnet_id = each.value.subnet_id
85 |
86 | vpc_security_group_ids = [aws_security_group.ec2_eg1.id]
87 |
88 | tags = {
89 | Name = each.key
90 | }
91 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.my_app_eg1["my-app-00"]
File: /lessons/127/terraform/6-example-1.tf:78-91
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
78 | resource "aws_instance" "my_app_eg1" {
79 | for_each = local.web_servers
80 |
81 | ami = "ami-07309549f34230bcd"
82 | instance_type = each.value.machine_type
83 | key_name = "devops"
84 | subnet_id = each.value.subnet_id
85 |
86 | vpc_security_group_ids = [aws_security_group.ec2_eg1.id]
87 |
88 | tags = {
89 | Name = each.key
90 | }
91 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.my_app_eg1["my-app-00"]
File: /lessons/127/terraform/6-example-1.tf:78-91
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
78 | resource "aws_instance" "my_app_eg1" {
79 | for_each = local.web_servers
80 |
81 | ami = "ami-07309549f34230bcd"
82 | instance_type = each.value.machine_type
83 | key_name = "devops"
84 | subnet_id = each.value.subnet_id
85 |
86 | vpc_security_group_ids = [aws_security_group.ec2_eg1.id]
87 |
88 | tags = {
89 | Name = each.key
90 | }
91 | }
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
FAILED for resource: aws_lb.my_app_eg1
File: /lessons/127/terraform/6-example-1.tf:127-143
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers.html
127 | resource "aws_lb" "my_app_eg1" {
128 | name = "my-app-eg1"
129 | internal = false
130 | load_balancer_type = "application"
131 | security_groups = [aws_security_group.alb_eg1.id]
132 |
133 | # access_logs {
134 | # bucket = "my-logs"
135 | # prefix = "my-app-lb"
136 | # enabled = true
137 | # }
138 |
139 | subnets = [
140 | aws_subnet.public_us_east_1a.id,
141 | aws_subnet.public_us_east_1b.id
142 | ]
143 | }
Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
FAILED for resource: aws_lb.my_app_eg1
File: /lessons/127/terraform/6-example-1.tf:127-143
Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62
127 | resource "aws_lb" "my_app_eg1" {
128 | name = "my-app-eg1"
129 | internal = false
130 | load_balancer_type = "application"
131 | security_groups = [aws_security_group.alb_eg1.id]
132 |
133 | # access_logs {
134 | # bucket = "my-logs"
135 | # prefix = "my-app-lb"
136 | # enabled = true
137 | # }
138 |
139 | subnets = [
140 | aws_subnet.public_us_east_1a.id,
141 | aws_subnet.public_us_east_1b.id
142 | ]
143 | }
Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
FAILED for resource: aws_lb.my_app_eg1
File: /lessons/127/terraform/6-example-1.tf:127-143
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22.html
127 | resource "aws_lb" "my_app_eg1" {
128 | name = "my-app-eg1"
129 | internal = false
130 | load_balancer_type = "application"
131 | security_groups = [aws_security_group.alb_eg1.id]
132 |
133 | # access_logs {
134 | # bucket = "my-logs"
135 | # prefix = "my-app-lb"
136 | # enabled = true
137 | # }
138 |
139 | subnets = [
140 | aws_subnet.public_us_east_1a.id,
141 | aws_subnet.public_us_east_1b.id
142 | ]
143 | }
Check: CKV_AWS_2: "Ensure ALB protocol is HTTPS"
FAILED for resource: aws_lb_listener.http_eg1
File: /lessons/127/terraform/6-example-1.tf:145-154
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-29.html
145 | resource "aws_lb_listener" "http_eg1" {
146 | load_balancer_arn = aws_lb.my_app_eg1.arn
147 | port = "80"
148 | protocol = "HTTP"
149 |
150 | default_action {
151 | type = "forward"
152 | target_group_arn = aws_lb_target_group.my_app_eg1.arn
153 | }
154 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.my_app_eg1["my-app-01"]
File: /lessons/127/terraform/6-example-1.tf:78-91
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
78 | resource "aws_instance" "my_app_eg1" {
79 | for_each = local.web_servers
80 |
81 | ami = "ami-07309549f34230bcd"
82 | instance_type = each.value.machine_type
83 | key_name = "devops"
84 | subnet_id = each.value.subnet_id
85 |
86 | vpc_security_group_ids = [aws_security_group.ec2_eg1.id]
87 |
88 | tags = {
89 | Name = each.key
90 | }
91 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.my_app_eg1["my-app-01"]
File: /lessons/127/terraform/6-example-1.tf:78-91
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
78 | resource "aws_instance" "my_app_eg1" {
79 | for_each = local.web_servers
80 |
81 | ami = "ami-07309549f34230bcd"
82 | instance_type = each.value.machine_type
83 | key_name = "devops"
84 | subnet_id = each.value.subnet_id
85 |
86 | vpc_security_group_ids = [aws_security_group.ec2_eg1.id]
87 |
88 | tags = {
89 | Name = each.key
90 | }
91 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.my_app_eg1["my-app-01"]
File: /lessons/127/terraform/6-example-1.tf:78-91
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
78 | resource "aws_instance" "my_app_eg1" {
79 | for_each = local.web_servers
80 |
81 | ami = "ami-07309549f34230bcd"
82 | instance_type = each.value.machine_type
83 | key_name = "devops"
84 | subnet_id = each.value.subnet_id
85 |
86 | vpc_security_group_ids = [aws_security_group.ec2_eg1.id]
87 |
88 | tags = {
89 | Name = each.key
90 | }
91 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.my_app_eg1["my-app-01"]
File: /lessons/127/terraform/6-example-1.tf:78-91
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
78 | resource "aws_instance" "my_app_eg1" {
79 | for_each = local.web_servers
80 |
81 | ami = "ami-07309549f34230bcd"
82 | instance_type = each.value.machine_type
83 | key_name = "devops"
84 | subnet_id = each.value.subnet_id
85 |
86 | vpc_security_group_ids = [aws_security_group.ec2_eg1.id]
87 |
88 | tags = {
89 | Name = each.key
90 | }
91 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.ec2_eg2
File: /lessons/127/terraform/7-example-2.tf:1-4
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
1 | resource "aws_security_group" "ec2_eg2" {
2 | name = "ec2-eg2"
3 | vpc_id = aws_vpc.main.id
4 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.alb_eg2
File: /lessons/127/terraform/7-example-2.tf:6-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
6 | resource "aws_security_group" "alb_eg2" {
7 | name = "alb-eg2"
8 | vpc_id = aws_vpc.main.id
9 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group_rule.ingress_ec2_eg2_traffic
File: /lessons/127/terraform/7-example-2.tf:11-18
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
11 | resource "aws_security_group_rule" "ingress_ec2_eg2_traffic" {
12 | type = "ingress"
13 | from_port = 8080
14 | to_port = 8080
15 | protocol = "tcp"
16 | security_group_id = aws_security_group.ec2_eg2.id
17 | source_security_group_id = aws_security_group.alb_eg2.id
18 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group_rule.ingress_ec2_eg2_health_check
File: /lessons/127/terraform/7-example-2.tf:20-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
20 | resource "aws_security_group_rule" "ingress_ec2_eg2_health_check" {
21 | type = "ingress"
22 | from_port = 8081
23 | to_port = 8081
24 | protocol = "tcp"
25 | security_group_id = aws_security_group.ec2_eg2.id
26 | source_security_group_id = aws_security_group.alb_eg2.id
27 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group_rule.ingress_alb_eg2_http_traffic
File: /lessons/127/terraform/7-example-2.tf:38-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
38 | resource "aws_security_group_rule" "ingress_alb_eg2_http_traffic" {
39 | type = "ingress"
40 | from_port = 80
41 | to_port = 80
42 | protocol = "tcp"
43 | security_group_id = aws_security_group.alb_eg2.id
44 | cidr_blocks = ["0.0.0.0/0"]
45 | }
Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
FAILED for resource: aws_security_group_rule.ingress_alb_eg2_http_traffic
File: /lessons/127/terraform/7-example-2.tf:38-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
38 | resource "aws_security_group_rule" "ingress_alb_eg2_http_traffic" {
39 | type = "ingress"
40 | from_port = 80
41 | to_port = 80
42 | protocol = "tcp"
43 | security_group_id = aws_security_group.alb_eg2.id
44 | cidr_blocks = ["0.0.0.0/0"]
45 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group_rule.ingress_alb_eg2_https_traffic
File: /lessons/127/terraform/7-example-2.tf:47-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
47 | resource "aws_security_group_rule" "ingress_alb_eg2_https_traffic" {
48 | type = "ingress"
49 | from_port = 443
50 | to_port = 443
51 | protocol = "tcp"
52 | security_group_id = aws_security_group.alb_eg2.id
53 | cidr_blocks = ["0.0.0.0/0"]
54 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group_rule.egress_alb_eg2_traffic
File: /lessons/127/terraform/7-example-2.tf:56-63
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
56 | resource "aws_security_group_rule" "egress_alb_eg2_traffic" {
57 | type = "egress"
58 | from_port = 8080
59 | to_port = 8080
60 | protocol = "tcp"
61 | security_group_id = aws_security_group.alb_eg2.id
62 | source_security_group_id = aws_security_group.ec2_eg2.id
63 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group_rule.egress_alb_eg2_health_check
File: /lessons/127/terraform/7-example-2.tf:65-72
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
65 | resource "aws_security_group_rule" "egress_alb_eg2_health_check" {
66 | type = "egress"
67 | from_port = 8081
68 | to_port = 8081
69 | protocol = "tcp"
70 | security_group_id = aws_security_group.alb_eg2.id
71 | source_security_group_id = aws_security_group.ec2_eg2.id
72 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_launch_template.my_app_eg2
File: /lessons/127/terraform/7-example-2.tf:74-79
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
74 | resource "aws_launch_template" "my_app_eg2" {
75 | name = "my-app-eg2"
76 | image_id = "ami-07309549f34230bcd"
77 | key_name = "devops"
78 | vpc_security_group_ids = [aws_security_group.ec2_eg2.id]
79 | }
Check: CKV_AWS_153: "Autoscaling groups should supply tags to launch configurations"
FAILED for resource: aws_autoscaling_group.my_app_eg2
File: /lessons/127/terraform/7-example-2.tf:99-123
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/autoscaling-groups-should-supply-tags-to-launch-configurations.html
99 | resource "aws_autoscaling_group" "my_app_eg2" {
100 | name = "my-app-eg2"
101 | min_size = 1
102 | max_size = 3
103 |
104 | health_check_type = "EC2"
105 |
106 | vpc_zone_identifier = [
107 | aws_subnet.private_us_east_1a.id,
108 | aws_subnet.private_us_east_1b.id
109 | ]
110 |
111 | target_group_arns = [aws_lb_target_group.my_app_eg2.arn]
112 |
113 | mixed_instances_policy {
114 | launch_template {
115 | launch_template_specification {
116 | launch_template_id = aws_launch_template.my_app_eg2.id
117 | }
118 | override {
119 | instance_type = "t3.micro"
120 | }
121 | }
122 | }
123 | }
Check: CKV_AWS_315: "Ensure EC2 Auto Scaling groups use EC2 launch templates"
FAILED for resource: aws_autoscaling_group.my_app_eg2
File: /lessons/127/terraform/7-example-2.tf:99-123
99 | resource "aws_autoscaling_group" "my_app_eg2" {
100 | name = "my-app-eg2"
101 | min_size = 1
102 | max_size = 3
103 |
104 | health_check_type = "EC2"
105 |
106 | vpc_zone_identifier = [
107 | aws_subnet.private_us_east_1a.id,
108 | aws_subnet.private_us_east_1b.id
109 | ]
110 |
111 | target_group_arns = [aws_lb_target_group.my_app_eg2.arn]
112 |
113 | mixed_instances_policy {
114 | launch_template {
115 | launch_template_specification {
116 | launch_template_id = aws_launch_template.my_app_eg2.id
117 | }
118 | override {
119 | instance_type = "t3.micro"
120 | }
121 | }
122 | }
123 | }
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
FAILED for resource: aws_lb.my_app_eg2
File: /lessons/127/terraform/7-example-2.tf:141-151
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers.html
141 | resource "aws_lb" "my_app_eg2" {
142 | name = "my-app-eg2"
143 | internal = false
144 | load_balancer_type = "application"
145 | security_groups = [aws_security_group.alb_eg2.id]
146 |
147 | subnets = [
148 | aws_subnet.public_us_east_1a.id,
149 | aws_subnet.public_us_east_1b.id
150 | ]
151 | }
Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
FAILED for resource: aws_lb.my_app_eg2
File: /lessons/127/terraform/7-example-2.tf:141-151
Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62
141 | resource "aws_lb" "my_app_eg2" {
142 | name = "my-app-eg2"
143 | internal = false
144 | load_balancer_type = "application"
145 | security_groups = [aws_security_group.alb_eg2.id]
146 |
147 | subnets = [
148 | aws_subnet.public_us_east_1a.id,
149 | aws_subnet.public_us_east_1b.id
150 | ]
151 | }
Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
FAILED for resource: aws_lb.my_app_eg2
File: /lessons/127/terraform/7-example-2.tf:141-151
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22.html
141 | resource "aws_lb" "my_app_eg2" {
142 | name = "my-app-eg2"
143 | internal = false
144 | load_balancer_type = "application"
145 | security_groups = [aws_security_group.alb_eg2.id]
146 |
147 | subnets = [
148 | aws_subnet.public_us_east_1a.id,
149 | aws_subnet.public_us_east_1b.id
150 | ]
151 | }
Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
FAILED for resource: aws_acm_certificate.api
File: /lessons/127/terraform/7-example-2.tf:179-182
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy.html
179 | resource "aws_acm_certificate" "api" {
180 | domain_name = "api.antonputra.com"
181 | validation_method = "DNS"
182 | }
Check: CKV_AWS_119: "Ensure DynamoDB Tables are encrypted using a KMS Customer Managed CMK"
FAILED for resource: aws_dynamodb_table.images
File: /lessons/128/terraform/3-dynamodb.tf:1-12
Guide: https://docs.bridgecrew.io/docs/ensure-that-dynamodb-tables-are-encrypted
1 | resource "aws_dynamodb_table" "images" {
2 | name = "images"
3 | billing_mode = "PROVISIONED"
4 | read_capacity = 5
5 | write_capacity = 100
6 | hash_key = "last_modified_date"
7 |
8 | attribute {
9 | name = "last_modified_date"
10 | type = "S"
11 | }
12 | }
Check: CKV_AWS_28: "Ensure Dynamodb point in time recovery (backup) is enabled"
FAILED for resource: aws_dynamodb_table.images
File: /lessons/128/terraform/3-dynamodb.tf:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-6.html
1 | resource "aws_dynamodb_table" "images" {
2 | name = "images"
3 | billing_mode = "PROVISIONED"
4 | read_capacity = 5
5 | write_capacity = 100
6 | hash_key = "last_modified_date"
7 |
8 | attribute {
9 | name = "last_modified_date"
10 | type = "S"
11 | }
12 | }
Check: CKV_AWS_50: "X-ray tracing is enabled for Lambda"
FAILED for resource: aws_lambda_function.rust
File: /lessons/128/terraform/4-rust-lambda.tf:78-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4.html
78 | resource "aws_lambda_function" "rust" {
79 | function_name = "rust"
80 |
81 | s3_bucket = aws_s3_bucket.lambda_bucket.id
82 | s3_key = aws_s3_object.lambda_rust.key
83 |
84 | environment {
85 | variables = {
86 | BUCKET_NAME = aws_s3_bucket.images_bucket.id
87 | }
88 | }
89 |
90 | runtime = "provided.al2"
91 | handler = "bootstrap"
92 |
93 | source_code_hash = data.archive_file.lambda_rust.output_base64sha256
94 |
95 | role = aws_iam_role.rust_lambda_exec.arn
96 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: aws_lambda_function.rust
File: /lessons/128/terraform/4-rust-lambda.tf:78-96
78 | resource "aws_lambda_function" "rust" {
79 | function_name = "rust"
80 |
81 | s3_bucket = aws_s3_bucket.lambda_bucket.id
82 | s3_key = aws_s3_object.lambda_rust.key
83 |
84 | environment {
85 | variables = {
86 | BUCKET_NAME = aws_s3_bucket.images_bucket.id
87 | }
88 | }
89 |
90 | runtime = "provided.al2"
91 | handler = "bootstrap"
92 |
93 | source_code_hash = data.archive_file.lambda_rust.output_base64sha256
94 |
95 | role = aws_iam_role.rust_lambda_exec.arn
96 | }
Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
FAILED for resource: aws_lambda_function.rust
File: /lessons/128/terraform/4-rust-lambda.tf:78-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5.html
78 | resource "aws_lambda_function" "rust" {
79 | function_name = "rust"
80 |
81 | s3_bucket = aws_s3_bucket.lambda_bucket.id
82 | s3_key = aws_s3_object.lambda_rust.key
83 |
84 | environment {
85 | variables = {
86 | BUCKET_NAME = aws_s3_bucket.images_bucket.id
87 | }
88 | }
89 |
90 | runtime = "provided.al2"
91 | handler = "bootstrap"
92 |
93 | source_code_hash = data.archive_file.lambda_rust.output_base64sha256
94 |
95 | role = aws_iam_role.rust_lambda_exec.arn
96 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: aws_lambda_function.rust
File: /lessons/128/terraform/4-rust-lambda.tf:78-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit.html
78 | resource "aws_lambda_function" "rust" {
79 | function_name = "rust"
80 |
81 | s3_bucket = aws_s3_bucket.lambda_bucket.id
82 | s3_key = aws_s3_object.lambda_rust.key
83 |
84 | environment {
85 | variables = {
86 | BUCKET_NAME = aws_s3_bucket.images_bucket.id
87 | }
88 | }
89 |
90 | runtime = "provided.al2"
91 | handler = "bootstrap"
92 |
93 | source_code_hash = data.archive_file.lambda_rust.output_base64sha256
94 |
95 | role = aws_iam_role.rust_lambda_exec.arn
96 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: aws_lambda_function.rust
File: /lessons/128/terraform/4-rust-lambda.tf:78-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq.html
78 | resource "aws_lambda_function" "rust" {
79 | function_name = "rust"
80 |
81 | s3_bucket = aws_s3_bucket.lambda_bucket.id
82 | s3_key = aws_s3_object.lambda_rust.key
83 |
84 | environment {
85 | variables = {
86 | BUCKET_NAME = aws_s3_bucket.images_bucket.id
87 | }
88 | }
89 |
90 | runtime = "provided.al2"
91 | handler = "bootstrap"
92 |
93 | source_code_hash = data.archive_file.lambda_rust.output_base64sha256
94 |
95 | role = aws_iam_role.rust_lambda_exec.arn
96 | }
Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
FAILED for resource: aws_lambda_function.rust
File: /lessons/128/terraform/4-rust-lambda.tf:78-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1.html
78 | resource "aws_lambda_function" "rust" {
79 | function_name = "rust"
80 |
81 | s3_bucket = aws_s3_bucket.lambda_bucket.id
82 | s3_key = aws_s3_object.lambda_rust.key
83 |
84 | environment {
85 | variables = {
86 | BUCKET_NAME = aws_s3_bucket.images_bucket.id
87 | }
88 | }
89 |
90 | runtime = "provided.al2"
91 | handler = "bootstrap"
92 |
93 | source_code_hash = data.archive_file.lambda_rust.output_base64sha256
94 |
95 | role = aws_iam_role.rust_lambda_exec.arn
96 | }
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: aws_cloudwatch_log_group.rust
File: /lessons/128/terraform/4-rust-lambda.tf:98-102
98 | resource "aws_cloudwatch_log_group" "rust" {
99 | name = "/aws/lambda/${aws_lambda_function.rust.function_name}"
100 |
101 | retention_in_days = 14
102 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
FAILED for resource: aws_cloudwatch_log_group.rust
File: /lessons/128/terraform/4-rust-lambda.tf:98-102
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html
98 | resource "aws_cloudwatch_log_group" "rust" {
99 | name = "/aws/lambda/${aws_lambda_function.rust.function_name}"
100 |
101 | retention_in_days = 14
102 | }
Check: CKV_AWS_258: "Ensure that Lambda function URLs AuthType is not None"
FAILED for resource: aws_lambda_function_url.lambda_rust
File: /lessons/128/terraform/4-rust-lambda.tf:120-123
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-authtype-for-your-lambda-function-urls-is-defined.html
120 | resource "aws_lambda_function_url" "lambda_rust" {
121 | function_name = aws_lambda_function.rust.function_name
122 | authorization_type = "NONE"
123 | }
Check: CKV_AWS_50: "X-ray tracing is enabled for Lambda"
FAILED for resource: aws_lambda_function.go
File: /lessons/128/terraform/5-go-lambda.tf:78-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4.html
78 | resource "aws_lambda_function" "go" {
79 | function_name = "go"
80 |
81 | s3_bucket = aws_s3_bucket.lambda_bucket.id
82 | s3_key = aws_s3_object.lambda_go.key
83 |
84 | environment {
85 | variables = {
86 | BUCKET_NAME = aws_s3_bucket.images_bucket.id
87 | }
88 | }
89 |
90 | runtime = "go1.x"
91 | handler = "main"
92 |
93 | source_code_hash = data.archive_file.lambda_go.output_base64sha256
94 |
95 | role = aws_iam_role.go_lambda_exec.arn
96 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: aws_lambda_function.go
File: /lessons/128/terraform/5-go-lambda.tf:78-96
78 | resource "aws_lambda_function" "go" {
79 | function_name = "go"
80 |
81 | s3_bucket = aws_s3_bucket.lambda_bucket.id
82 | s3_key = aws_s3_object.lambda_go.key
83 |
84 | environment {
85 | variables = {
86 | BUCKET_NAME = aws_s3_bucket.images_bucket.id
87 | }
88 | }
89 |
90 | runtime = "go1.x"
91 | handler = "main"
92 |
93 | source_code_hash = data.archive_file.lambda_go.output_base64sha256
94 |
95 | role = aws_iam_role.go_lambda_exec.arn
96 | }
Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
FAILED for resource: aws_lambda_function.go
File: /lessons/128/terraform/5-go-lambda.tf:78-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5.html
78 | resource "aws_lambda_function" "go" {
79 | function_name = "go"
80 |
81 | s3_bucket = aws_s3_bucket.lambda_bucket.id
82 | s3_key = aws_s3_object.lambda_go.key
83 |
84 | environment {
85 | variables = {
86 | BUCKET_NAME = aws_s3_bucket.images_bucket.id
87 | }
88 | }
89 |
90 | runtime = "go1.x"
91 | handler = "main"
92 |
93 | source_code_hash = data.archive_file.lambda_go.output_base64sha256
94 |
95 | role = aws_iam_role.go_lambda_exec.arn
96 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: aws_lambda_function.go
File: /lessons/128/terraform/5-go-lambda.tf:78-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit.html
78 | resource "aws_lambda_function" "go" {
79 | function_name = "go"
80 |
81 | s3_bucket = aws_s3_bucket.lambda_bucket.id
82 | s3_key = aws_s3_object.lambda_go.key
83 |
84 | environment {
85 | variables = {
86 | BUCKET_NAME = aws_s3_bucket.images_bucket.id
87 | }
88 | }
89 |
90 | runtime = "go1.x"
91 | handler = "main"
92 |
93 | source_code_hash = data.archive_file.lambda_go.output_base64sha256
94 |
95 | role = aws_iam_role.go_lambda_exec.arn
96 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: aws_lambda_function.go
File: /lessons/128/terraform/5-go-lambda.tf:78-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq.html
78 | resource "aws_lambda_function" "go" {
79 | function_name = "go"
80 |
81 | s3_bucket = aws_s3_bucket.lambda_bucket.id
82 | s3_key = aws_s3_object.lambda_go.key
83 |
84 | environment {
85 | variables = {
86 | BUCKET_NAME = aws_s3_bucket.images_bucket.id
87 | }
88 | }
89 |
90 | runtime = "go1.x"
91 | handler = "main"
92 |
93 | source_code_hash = data.archive_file.lambda_go.output_base64sha256
94 |
95 | role = aws_iam_role.go_lambda_exec.arn
96 | }
Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
FAILED for resource: aws_lambda_function.go
File: /lessons/128/terraform/5-go-lambda.tf:78-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1.html
78 | resource "aws_lambda_function" "go" {
79 | function_name = "go"
80 |
81 | s3_bucket = aws_s3_bucket.lambda_bucket.id
82 | s3_key = aws_s3_object.lambda_go.key
83 |
84 | environment {
85 | variables = {
86 | BUCKET_NAME = aws_s3_bucket.images_bucket.id
87 | }
88 | }
89 |
90 | runtime = "go1.x"
91 | handler = "main"
92 |
93 | source_code_hash = data.archive_file.lambda_go.output_base64sha256
94 |
95 | role = aws_iam_role.go_lambda_exec.arn
96 | }
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: aws_cloudwatch_log_group.go
File: /lessons/128/terraform/5-go-lambda.tf:98-102
98 | resource "aws_cloudwatch_log_group" "go" {
99 | name = "/aws/lambda/${aws_lambda_function.go.function_name}"
100 |
101 | retention_in_days = 14
102 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
FAILED for resource: aws_cloudwatch_log_group.go
File: /lessons/128/terraform/5-go-lambda.tf:98-102
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html
98 | resource "aws_cloudwatch_log_group" "go" {
99 | name = "/aws/lambda/${aws_lambda_function.go.function_name}"
100 |
101 | retention_in_days = 14
102 | }
Check: CKV_AWS_258: "Ensure that Lambda function URLs AuthType is not None"
FAILED for resource: aws_lambda_function_url.lambda_go
File: /lessons/128/terraform/5-go-lambda.tf:120-123
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-authtype-for-your-lambda-function-urls-is-defined.html
120 | resource "aws_lambda_function_url" "lambda_go" {
121 | function_name = aws_lambda_function.go.function_name
122 | authorization_type = "NONE"
123 | }
Check: CKV_AWS_50: "X-ray tracing is enabled for Lambda"
FAILED for resource: aws_lambda_function.go_custom
File: /lessons/128/terraform/6-go-custom-lambda.tf:78-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4.html
78 | resource "aws_lambda_function" "go_custom" {
79 | function_name = "go-custom"
80 |
81 | s3_bucket = aws_s3_bucket.lambda_bucket.id
82 | s3_key = aws_s3_object.lambda_go_custom.key
83 |
84 | environment {
85 | variables = {
86 | BUCKET_NAME = aws_s3_bucket.images_bucket.id
87 | }
88 | }
89 |
90 | runtime = "provided.al2"
91 | handler = "bootstrap"
92 |
93 | source_code_hash = data.archive_file.lambda_go_custom.output_base64sha256
94 |
95 | role = aws_iam_role.go_custom_lambda_exec.arn
96 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: aws_lambda_function.go_custom
File: /lessons/128/terraform/6-go-custom-lambda.tf:78-96
78 | resource "aws_lambda_function" "go_custom" {
79 | function_name = "go-custom"
80 |
81 | s3_bucket = aws_s3_bucket.lambda_bucket.id
82 | s3_key = aws_s3_object.lambda_go_custom.key
83 |
84 | environment {
85 | variables = {
86 | BUCKET_NAME = aws_s3_bucket.images_bucket.id
87 | }
88 | }
89 |
90 | runtime = "provided.al2"
91 | handler = "bootstrap"
92 |
93 | source_code_hash = data.archive_file.lambda_go_custom.output_base64sha256
94 |
95 | role = aws_iam_role.go_custom_lambda_exec.arn
96 | }
Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
FAILED for resource: aws_lambda_function.go_custom
File: /lessons/128/terraform/6-go-custom-lambda.tf:78-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5.html
78 | resource "aws_lambda_function" "go_custom" {
79 | function_name = "go-custom"
80 |
81 | s3_bucket = aws_s3_bucket.lambda_bucket.id
82 | s3_key = aws_s3_object.lambda_go_custom.key
83 |
84 | environment {
85 | variables = {
86 | BUCKET_NAME = aws_s3_bucket.images_bucket.id
87 | }
88 | }
89 |
90 | runtime = "provided.al2"
91 | handler = "bootstrap"
92 |
93 | source_code_hash = data.archive_file.lambda_go_custom.output_base64sha256
94 |
95 | role = aws_iam_role.go_custom_lambda_exec.arn
96 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: aws_lambda_function.go_custom
File: /lessons/128/terraform/6-go-custom-lambda.tf:78-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit.html
78 | resource "aws_lambda_function" "go_custom" {
79 | function_name = "go-custom"
80 |
81 | s3_bucket = aws_s3_bucket.lambda_bucket.id
82 | s3_key = aws_s3_object.lambda_go_custom.key
83 |
84 | environment {
85 | variables = {
86 | BUCKET_NAME = aws_s3_bucket.images_bucket.id
87 | }
88 | }
89 |
90 | runtime = "provided.al2"
91 | handler = "bootstrap"
92 |
93 | source_code_hash = data.archive_file.lambda_go_custom.output_base64sha256
94 |
95 | role = aws_iam_role.go_custom_lambda_exec.arn
96 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: aws_lambda_function.go_custom
File: /lessons/128/terraform/6-go-custom-lambda.tf:78-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq.html
78 | resource "aws_lambda_function" "go_custom" {
79 | function_name = "go-custom"
80 |
81 | s3_bucket = aws_s3_bucket.lambda_bucket.id
82 | s3_key = aws_s3_object.lambda_go_custom.key
83 |
84 | environment {
85 | variables = {
86 | BUCKET_NAME = aws_s3_bucket.images_bucket.id
87 | }
88 | }
89 |
90 | runtime = "provided.al2"
91 | handler = "bootstrap"
92 |
93 | source_code_hash = data.archive_file.lambda_go_custom.output_base64sha256
94 |
95 | role = aws_iam_role.go_custom_lambda_exec.arn
96 | }
Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
FAILED for resource: aws_lambda_function.go_custom
File: /lessons/128/terraform/6-go-custom-lambda.tf:78-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1.html
78 | resource "aws_lambda_function" "go_custom" {
79 | function_name = "go-custom"
80 |
81 | s3_bucket = aws_s3_bucket.lambda_bucket.id
82 | s3_key = aws_s3_object.lambda_go_custom.key
83 |
84 | environment {
85 | variables = {
86 | BUCKET_NAME = aws_s3_bucket.images_bucket.id
87 | }
88 | }
89 |
90 | runtime = "provided.al2"
91 | handler = "bootstrap"
92 |
93 | source_code_hash = data.archive_file.lambda_go_custom.output_base64sha256
94 |
95 | role = aws_iam_role.go_custom_lambda_exec.arn
96 | }
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: aws_cloudwatch_log_group.go_custom
File: /lessons/128/terraform/6-go-custom-lambda.tf:98-102
98 | resource "aws_cloudwatch_log_group" "go_custom" {
99 | name = "/aws/lambda/${aws_lambda_function.go_custom.function_name}"
100 |
101 | retention_in_days = 14
102 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
FAILED for resource: aws_cloudwatch_log_group.go_custom
File: /lessons/128/terraform/6-go-custom-lambda.tf:98-102
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html
98 | resource "aws_cloudwatch_log_group" "go_custom" {
99 | name = "/aws/lambda/${aws_lambda_function.go_custom.function_name}"
100 |
101 | retention_in_days = 14
102 | }
Check: CKV_AWS_258: "Ensure that Lambda function URLs AuthType is not None"
FAILED for resource: aws_lambda_function_url.lambda_go_custom
File: /lessons/128/terraform/6-go-custom-lambda.tf:120-123
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-authtype-for-your-lambda-function-urls-is-defined.html
120 | resource "aws_lambda_function_url" "lambda_go_custom" {
121 | function_name = aws_lambda_function.go_custom.function_name
122 | authorization_type = "NONE"
123 | }
Check: CKV_AWS_50: "X-ray tracing is enabled for Lambda"
FAILED for resource: aws_lambda_function.go_hello
File: /lessons/129/terraform/2-aws-hello-world-function.tf:25-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4.html
25 | resource "aws_lambda_function" "go_hello" {
26 | function_name = "hello-world"
27 |
28 | memory_size = 1024
29 | timeout = 60
30 |
31 | s3_bucket = aws_s3_bucket.functions.id
32 | s3_key = aws_s3_object.lambda_go_hello.key
33 |
34 | environment {
35 | variables = {
36 | BUCKET_NAME = aws_s3_bucket.images.id
37 | }
38 | }
39 |
40 | runtime = "go1.x"
41 | handler = "main"
42 |
43 | source_code_hash = data.archive_file.lambda_go_hello.output_base64sha256
44 |
45 | role = aws_iam_role.go_hello_lambda_exec.arn
46 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: aws_lambda_function.go_hello
File: /lessons/129/terraform/2-aws-hello-world-function.tf:25-46
25 | resource "aws_lambda_function" "go_hello" {
26 | function_name = "hello-world"
27 |
28 | memory_size = 1024
29 | timeout = 60
30 |
31 | s3_bucket = aws_s3_bucket.functions.id
32 | s3_key = aws_s3_object.lambda_go_hello.key
33 |
34 | environment {
35 | variables = {
36 | BUCKET_NAME = aws_s3_bucket.images.id
37 | }
38 | }
39 |
40 | runtime = "go1.x"
41 | handler = "main"
42 |
43 | source_code_hash = data.archive_file.lambda_go_hello.output_base64sha256
44 |
45 | role = aws_iam_role.go_hello_lambda_exec.arn
46 | }
Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
FAILED for resource: aws_lambda_function.go_hello
File: /lessons/129/terraform/2-aws-hello-world-function.tf:25-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5.html
25 | resource "aws_lambda_function" "go_hello" {
26 | function_name = "hello-world"
27 |
28 | memory_size = 1024
29 | timeout = 60
30 |
31 | s3_bucket = aws_s3_bucket.functions.id
32 | s3_key = aws_s3_object.lambda_go_hello.key
33 |
34 | environment {
35 | variables = {
36 | BUCKET_NAME = aws_s3_bucket.images.id
37 | }
38 | }
39 |
40 | runtime = "go1.x"
41 | handler = "main"
42 |
43 | source_code_hash = data.archive_file.lambda_go_hello.output_base64sha256
44 |
45 | role = aws_iam_role.go_hello_lambda_exec.arn
46 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: aws_lambda_function.go_hello
File: /lessons/129/terraform/2-aws-hello-world-function.tf:25-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit.html
25 | resource "aws_lambda_function" "go_hello" {
26 | function_name = "hello-world"
27 |
28 | memory_size = 1024
29 | timeout = 60
30 |
31 | s3_bucket = aws_s3_bucket.functions.id
32 | s3_key = aws_s3_object.lambda_go_hello.key
33 |
34 | environment {
35 | variables = {
36 | BUCKET_NAME = aws_s3_bucket.images.id
37 | }
38 | }
39 |
40 | runtime = "go1.x"
41 | handler = "main"
42 |
43 | source_code_hash = data.archive_file.lambda_go_hello.output_base64sha256
44 |
45 | role = aws_iam_role.go_hello_lambda_exec.arn
46 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: aws_lambda_function.go_hello
File: /lessons/129/terraform/2-aws-hello-world-function.tf:25-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq.html
25 | resource "aws_lambda_function" "go_hello" {
26 | function_name = "hello-world"
27 |
28 | memory_size = 1024
29 | timeout = 60
30 |
31 | s3_bucket = aws_s3_bucket.functions.id
32 | s3_key = aws_s3_object.lambda_go_hello.key
33 |
34 | environment {
35 | variables = {
36 | BUCKET_NAME = aws_s3_bucket.images.id
37 | }
38 | }
39 |
40 | runtime = "go1.x"
41 | handler = "main"
42 |
43 | source_code_hash = data.archive_file.lambda_go_hello.output_base64sha256
44 |
45 | role = aws_iam_role.go_hello_lambda_exec.arn
46 | }
Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
FAILED for resource: aws_lambda_function.go_hello
File: /lessons/129/terraform/2-aws-hello-world-function.tf:25-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1.html
25 | resource "aws_lambda_function" "go_hello" {
26 | function_name = "hello-world"
27 |
28 | memory_size = 1024
29 | timeout = 60
30 |
31 | s3_bucket = aws_s3_bucket.functions.id
32 | s3_key = aws_s3_object.lambda_go_hello.key
33 |
34 | environment {
35 | variables = {
36 | BUCKET_NAME = aws_s3_bucket.images.id
37 | }
38 | }
39 |
40 | runtime = "go1.x"
41 | handler = "main"
42 |
43 | source_code_hash = data.archive_file.lambda_go_hello.output_base64sha256
44 |
45 | role = aws_iam_role.go_hello_lambda_exec.arn
46 | }
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: aws_cloudwatch_log_group.go_hello
File: /lessons/129/terraform/2-aws-hello-world-function.tf:48-52
48 | resource "aws_cloudwatch_log_group" "go_hello" {
49 | name = "/aws/lambda/${aws_lambda_function.go_hello.function_name}"
50 |
51 | retention_in_days = 14
52 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
FAILED for resource: aws_cloudwatch_log_group.go_hello
File: /lessons/129/terraform/2-aws-hello-world-function.tf:48-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html
48 | resource "aws_cloudwatch_log_group" "go_hello" {
49 | name = "/aws/lambda/${aws_lambda_function.go_hello.function_name}"
50 |
51 | retention_in_days = 14
52 | }
Check: CKV_AWS_258: "Ensure that Lambda function URLs AuthType is not None"
FAILED for resource: aws_lambda_function_url.lambda_go_hello
File: /lessons/129/terraform/2-aws-hello-world-function.tf:70-73
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-authtype-for-your-lambda-function-urls-is-defined.html
70 | resource "aws_lambda_function_url" "lambda_go_hello" {
71 | function_name = aws_lambda_function.go_hello.function_name
72 | authorization_type = "NONE"
73 | }
Check: CKV_AWS_50: "X-ray tracing is enabled for Lambda"
FAILED for resource: aws_lambda_function.go
File: /lessons/129/terraform/3-aws-resizer-function.tf:45-66
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4.html
45 | resource "aws_lambda_function" "go" {
46 | function_name = "resizer"
47 |
48 | memory_size = 1024
49 | timeout = 60
50 |
51 | s3_bucket = aws_s3_bucket.functions.id
52 | s3_key = aws_s3_object.lambda_go.key
53 |
54 | environment {
55 | variables = {
56 | BUCKET_NAME = aws_s3_bucket.images.id
57 | }
58 | }
59 |
60 | runtime = "go1.x"
61 | handler = "main"
62 |
63 | source_code_hash = data.archive_file.lambda_go.output_base64sha256
64 |
65 | role = aws_iam_role.go_lambda_exec.arn
66 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: aws_lambda_function.go
File: /lessons/129/terraform/3-aws-resizer-function.tf:45-66
45 | resource "aws_lambda_function" "go" {
46 | function_name = "resizer"
47 |
48 | memory_size = 1024
49 | timeout = 60
50 |
51 | s3_bucket = aws_s3_bucket.functions.id
52 | s3_key = aws_s3_object.lambda_go.key
53 |
54 | environment {
55 | variables = {
56 | BUCKET_NAME = aws_s3_bucket.images.id
57 | }
58 | }
59 |
60 | runtime = "go1.x"
61 | handler = "main"
62 |
63 | source_code_hash = data.archive_file.lambda_go.output_base64sha256
64 |
65 | role = aws_iam_role.go_lambda_exec.arn
66 | }
Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
FAILED for resource: aws_lambda_function.go
File: /lessons/129/terraform/3-aws-resizer-function.tf:45-66
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5.html
45 | resource "aws_lambda_function" "go" {
46 | function_name = "resizer"
47 |
48 | memory_size = 1024
49 | timeout = 60
50 |
51 | s3_bucket = aws_s3_bucket.functions.id
52 | s3_key = aws_s3_object.lambda_go.key
53 |
54 | environment {
55 | variables = {
56 | BUCKET_NAME = aws_s3_bucket.images.id
57 | }
58 | }
59 |
60 | runtime = "go1.x"
61 | handler = "main"
62 |
63 | source_code_hash = data.archive_file.lambda_go.output_base64sha256
64 |
65 | role = aws_iam_role.go_lambda_exec.arn
66 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: aws_lambda_function.go
File: /lessons/129/terraform/3-aws-resizer-function.tf:45-66
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit.html
45 | resource "aws_lambda_function" "go" {
46 | function_name = "resizer"
47 |
48 | memory_size = 1024
49 | timeout = 60
50 |
51 | s3_bucket = aws_s3_bucket.functions.id
52 | s3_key = aws_s3_object.lambda_go.key
53 |
54 | environment {
55 | variables = {
56 | BUCKET_NAME = aws_s3_bucket.images.id
57 | }
58 | }
59 |
60 | runtime = "go1.x"
61 | handler = "main"
62 |
63 | source_code_hash = data.archive_file.lambda_go.output_base64sha256
64 |
65 | role = aws_iam_role.go_lambda_exec.arn
66 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: aws_lambda_function.go
File: /lessons/129/terraform/3-aws-resizer-function.tf:45-66
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq.html
45 | resource "aws_lambda_function" "go" {
46 | function_name = "resizer"
47 |
48 | memory_size = 1024
49 | timeout = 60
50 |
51 | s3_bucket = aws_s3_bucket.functions.id
52 | s3_key = aws_s3_object.lambda_go.key
53 |
54 | environment {
55 | variables = {
56 | BUCKET_NAME = aws_s3_bucket.images.id
57 | }
58 | }
59 |
60 | runtime = "go1.x"
61 | handler = "main"
62 |
63 | source_code_hash = data.archive_file.lambda_go.output_base64sha256
64 |
65 | role = aws_iam_role.go_lambda_exec.arn
66 | }
Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
FAILED for resource: aws_lambda_function.go
File: /lessons/129/terraform/3-aws-resizer-function.tf:45-66
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1.html
45 | resource "aws_lambda_function" "go" {
46 | function_name = "resizer"
47 |
48 | memory_size = 1024
49 | timeout = 60
50 |
51 | s3_bucket = aws_s3_bucket.functions.id
52 | s3_key = aws_s3_object.lambda_go.key
53 |
54 | environment {
55 | variables = {
56 | BUCKET_NAME = aws_s3_bucket.images.id
57 | }
58 | }
59 |
60 | runtime = "go1.x"
61 | handler = "main"
62 |
63 | source_code_hash = data.archive_file.lambda_go.output_base64sha256
64 |
65 | role = aws_iam_role.go_lambda_exec.arn
66 | }
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: aws_cloudwatch_log_group.go
File: /lessons/129/terraform/3-aws-resizer-function.tf:68-72
68 | resource "aws_cloudwatch_log_group" "go" {
69 | name = "/aws/lambda/${aws_lambda_function.go.function_name}"
70 |
71 | retention_in_days = 14
72 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
FAILED for resource: aws_cloudwatch_log_group.go
File: /lessons/129/terraform/3-aws-resizer-function.tf:68-72
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html
68 | resource "aws_cloudwatch_log_group" "go" {
69 | name = "/aws/lambda/${aws_lambda_function.go.function_name}"
70 |
71 | retention_in_days = 14
72 | }
Check: CKV_AWS_258: "Ensure that Lambda function URLs AuthType is not None"
FAILED for resource: aws_lambda_function_url.lambda_go
File: /lessons/129/terraform/3-aws-resizer-function.tf:90-93
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-authtype-for-your-lambda-function-urls-is-defined.html
90 | resource "aws_lambda_function_url" "lambda_go" {
91 | function_name = aws_lambda_function.go.function_name
92 | authorization_type = "NONE"
93 | }
Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
FAILED for resource: google_storage_bucket.functions
File: /lessons/129/terraform/5-gcp-buckets.tf:2-7
2 | resource "google_storage_bucket" "functions" {
3 | name = "functions-${random_id.lesson.hex}"
4 | location = "US-EAST4"
5 | force_destroy = true
6 | uniform_bucket_level_access = true
7 | }
Check: CKV_GCP_78: "Ensure Cloud storage has versioning enabled"
FAILED for resource: google_storage_bucket.functions
File: /lessons/129/terraform/5-gcp-buckets.tf:2-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-cloud-storage-has-versioning-enabled.html
2 | resource "google_storage_bucket" "functions" {
3 | name = "functions-${random_id.lesson.hex}"
4 | location = "US-EAST4"
5 | force_destroy = true
6 | uniform_bucket_level_access = true
7 | }
Check: CKV_GCP_62: "Bucket should log access"
FAILED for resource: google_storage_bucket.functions
File: /lessons/129/terraform/5-gcp-buckets.tf:2-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-storage-gcs-policies/bc-gcp-logging-2.html
2 | resource "google_storage_bucket" "functions" {
3 | name = "functions-${random_id.lesson.hex}"
4 | location = "US-EAST4"
5 | force_destroy = true
6 | uniform_bucket_level_access = true
7 | }
Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
FAILED for resource: google_storage_bucket.images
File: /lessons/129/terraform/5-gcp-buckets.tf:10-15
10 | resource "google_storage_bucket" "images" {
11 | name = "images-${random_id.lesson.hex}"
12 | location = "US-EAST4"
13 | force_destroy = true
14 | uniform_bucket_level_access = true
15 | }
Check: CKV_GCP_78: "Ensure Cloud storage has versioning enabled"
FAILED for resource: google_storage_bucket.images
File: /lessons/129/terraform/5-gcp-buckets.tf:10-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-cloud-storage-has-versioning-enabled.html
10 | resource "google_storage_bucket" "images" {
11 | name = "images-${random_id.lesson.hex}"
12 | location = "US-EAST4"
13 | force_destroy = true
14 | uniform_bucket_level_access = true
15 | }
Check: CKV_GCP_62: "Bucket should log access"
FAILED for resource: google_storage_bucket.images
File: /lessons/129/terraform/5-gcp-buckets.tf:10-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-storage-gcs-policies/bc-gcp-logging-2.html
10 | resource "google_storage_bucket" "images" {
11 | name = "images-${random_id.lesson.hex}"
12 | location = "US-EAST4"
13 | force_destroy = true
14 | uniform_bucket_level_access = true
15 | }
Check: CKV_GCP_102: "Ensure that GCP Cloud Run services are not anonymously or publicly accessible"
FAILED for resource: google_cloud_run_service_iam_member.hello_world_member
File: /lessons/129/terraform/6-gcp-hello-world-function.tf:45-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-public-policies/ensure-cloud-run-service-is-not-anonymously-or-publicly-accessible.html
45 | resource "google_cloud_run_service_iam_member" "hello_world_member" {
46 | project = google_cloudfunctions2_function.hello_world.project
47 | location = google_cloudfunctions2_function.hello_world.location
48 | service = google_cloudfunctions2_function.hello_world.name
49 | role = "roles/run.invoker"
50 | member = "allUsers"
51 | }
Check: CKV_GCP_102: "Ensure that GCP Cloud Run services are not anonymously or publicly accessible"
FAILED for resource: google_cloud_run_service_iam_member.go_member
File: /lessons/129/terraform/7-gcp-resizer-function.tf:52-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-public-policies/ensure-cloud-run-service-is-not-anonymously-or-publicly-accessible.html
52 | resource "google_cloud_run_service_iam_member" "go_member" {
53 | project = google_cloudfunctions2_function.go.project
54 | location = google_cloudfunctions2_function.go.location
55 | service = google_cloudfunctions2_function.go.name
56 | role = "roles/run.invoker"
57 | member = "allUsers"
58 | }
Check: CKV_AWS_50: "X-ray tracing is enabled for Lambda"
FAILED for resource: aws_lambda_function.go_gs
File: /lessons/129/terraform/8-aws-gs-resizer-function.tf:1-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4.html
1 | resource "aws_lambda_function" "go_gs" {
2 | function_name = "gs-resizer"
3 |
4 | memory_size = 1024
5 | timeout = 60
6 |
7 | s3_bucket = aws_s3_bucket.functions.id
8 | s3_key = aws_s3_object.lambda_go_gs.key
9 |
10 | environment {
11 | variables = {
12 | BUCKET_NAME = google_storage_bucket.images.id
13 | }
14 | }
15 |
16 | runtime = "go1.x"
17 | handler = "main"
18 |
19 | source_code_hash = data.archive_file.lambda_go_gs.output_base64sha256
20 |
21 | role = aws_iam_role.go_lambda_exec.arn
22 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: aws_lambda_function.go_gs
File: /lessons/129/terraform/8-aws-gs-resizer-function.tf:1-22
1 | resource "aws_lambda_function" "go_gs" {
2 | function_name = "gs-resizer"
3 |
4 | memory_size = 1024
5 | timeout = 60
6 |
7 | s3_bucket = aws_s3_bucket.functions.id
8 | s3_key = aws_s3_object.lambda_go_gs.key
9 |
10 | environment {
11 | variables = {
12 | BUCKET_NAME = google_storage_bucket.images.id
13 | }
14 | }
15 |
16 | runtime = "go1.x"
17 | handler = "main"
18 |
19 | source_code_hash = data.archive_file.lambda_go_gs.output_base64sha256
20 |
21 | role = aws_iam_role.go_lambda_exec.arn
22 | }
Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
FAILED for resource: aws_lambda_function.go_gs
File: /lessons/129/terraform/8-aws-gs-resizer-function.tf:1-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5.html
1 | resource "aws_lambda_function" "go_gs" {
2 | function_name = "gs-resizer"
3 |
4 | memory_size = 1024
5 | timeout = 60
6 |
7 | s3_bucket = aws_s3_bucket.functions.id
8 | s3_key = aws_s3_object.lambda_go_gs.key
9 |
10 | environment {
11 | variables = {
12 | BUCKET_NAME = google_storage_bucket.images.id
13 | }
14 | }
15 |
16 | runtime = "go1.x"
17 | handler = "main"
18 |
19 | source_code_hash = data.archive_file.lambda_go_gs.output_base64sha256
20 |
21 | role = aws_iam_role.go_lambda_exec.arn
22 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: aws_lambda_function.go_gs
File: /lessons/129/terraform/8-aws-gs-resizer-function.tf:1-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit.html
1 | resource "aws_lambda_function" "go_gs" {
2 | function_name = "gs-resizer"
3 |
4 | memory_size = 1024
5 | timeout = 60
6 |
7 | s3_bucket = aws_s3_bucket.functions.id
8 | s3_key = aws_s3_object.lambda_go_gs.key
9 |
10 | environment {
11 | variables = {
12 | BUCKET_NAME = google_storage_bucket.images.id
13 | }
14 | }
15 |
16 | runtime = "go1.x"
17 | handler = "main"
18 |
19 | source_code_hash = data.archive_file.lambda_go_gs.output_base64sha256
20 |
21 | role = aws_iam_role.go_lambda_exec.arn
22 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: aws_lambda_function.go_gs
File: /lessons/129/terraform/8-aws-gs-resizer-function.tf:1-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq.html
1 | resource "aws_lambda_function" "go_gs" {
2 | function_name = "gs-resizer"
3 |
4 | memory_size = 1024
5 | timeout = 60
6 |
7 | s3_bucket = aws_s3_bucket.functions.id
8 | s3_key = aws_s3_object.lambda_go_gs.key
9 |
10 | environment {
11 | variables = {
12 | BUCKET_NAME = google_storage_bucket.images.id
13 | }
14 | }
15 |
16 | runtime = "go1.x"
17 | handler = "main"
18 |
19 | source_code_hash = data.archive_file.lambda_go_gs.output_base64sha256
20 |
21 | role = aws_iam_role.go_lambda_exec.arn
22 | }
Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
FAILED for resource: aws_lambda_function.go_gs
File: /lessons/129/terraform/8-aws-gs-resizer-function.tf:1-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1.html
1 | resource "aws_lambda_function" "go_gs" {
2 | function_name = "gs-resizer"
3 |
4 | memory_size = 1024
5 | timeout = 60
6 |
7 | s3_bucket = aws_s3_bucket.functions.id
8 | s3_key = aws_s3_object.lambda_go_gs.key
9 |
10 | environment {
11 | variables = {
12 | BUCKET_NAME = google_storage_bucket.images.id
13 | }
14 | }
15 |
16 | runtime = "go1.x"
17 | handler = "main"
18 |
19 | source_code_hash = data.archive_file.lambda_go_gs.output_base64sha256
20 |
21 | role = aws_iam_role.go_lambda_exec.arn
22 | }
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: aws_cloudwatch_log_group.go_gs
File: /lessons/129/terraform/8-aws-gs-resizer-function.tf:24-28
24 | resource "aws_cloudwatch_log_group" "go_gs" {
25 | name = "/aws/lambda/${aws_lambda_function.go_gs.function_name}"
26 |
27 | retention_in_days = 14
28 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
FAILED for resource: aws_cloudwatch_log_group.go_gs
File: /lessons/129/terraform/8-aws-gs-resizer-function.tf:24-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html
24 | resource "aws_cloudwatch_log_group" "go_gs" {
25 | name = "/aws/lambda/${aws_lambda_function.go_gs.function_name}"
26 |
27 | retention_in_days = 14
28 | }
Check: CKV_AWS_258: "Ensure that Lambda function URLs AuthType is not None"
FAILED for resource: aws_lambda_function_url.lambda_go_gs
File: /lessons/129/terraform/8-aws-gs-resizer-function.tf:46-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-authtype-for-your-lambda-function-urls-is-defined.html
46 | resource "aws_lambda_function_url" "lambda_go_gs" {
47 | function_name = aws_lambda_function.go_gs.function_name
48 | authorization_type = "NONE"
49 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.my_app
File: /lessons/130/terraform/12-ec2.tf:1-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
1 | resource "aws_security_group" "my_app" {
2 | name = "my-app"
3 | description = "Allow My App Access"
4 | vpc_id = aws_vpc.main.id
5 |
6 | ingress {
7 | description = "Allow Node Exporter Access"
8 | from_port = 9100
9 | to_port = 9100
10 | protocol = "tcp"
11 | security_groups = [aws_eks_cluster.demo.vpc_config[0].cluster_security_group_id]
12 | }
13 |
14 | ingress {
15 | description = "Allow SSH Access"
16 | from_port = 22
17 | to_port = 22
18 | protocol = "tcp"
19 | cidr_blocks = ["0.0.0.0/0"]
20 | }
21 |
22 | egress {
23 | from_port = 0
24 | to_port = 0
25 | protocol = "-1"
26 | cidr_blocks = ["0.0.0.0/0"]
27 | }
28 | }
Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
FAILED for resource: aws_security_group.my_app
File: /lessons/130/terraform/12-ec2.tf:1-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-1-port-security.html
1 | resource "aws_security_group" "my_app" {
2 | name = "my-app"
3 | description = "Allow My App Access"
4 | vpc_id = aws_vpc.main.id
5 |
6 | ingress {
7 | description = "Allow Node Exporter Access"
8 | from_port = 9100
9 | to_port = 9100
10 | protocol = "tcp"
11 | security_groups = [aws_eks_cluster.demo.vpc_config[0].cluster_security_group_id]
12 | }
13 |
14 | ingress {
15 | description = "Allow SSH Access"
16 | from_port = 22
17 | to_port = 22
18 | protocol = "tcp"
19 | cidr_blocks = ["0.0.0.0/0"]
20 | }
21 |
22 | egress {
23 | from_port = 0
24 | to_port = 0
25 | protocol = "-1"
26 | cidr_blocks = ["0.0.0.0/0"]
27 | }
28 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.my_app
File: /lessons/130/terraform/12-ec2.tf:46-91
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
46 | resource "aws_instance" "my_app" {
47 | ami = data.aws_ami.ubuntu.id
48 | instance_type = "t3.micro"
49 | key_name = "devops"
50 | subnet_id = aws_subnet.public_us_east_1a.id
51 | vpc_security_group_ids = [aws_security_group.my_app.id]
52 |
53 | user_data = <> /etc/systemd/system/node_exporter.service
63 | [Unit]
64 | Description=Node Exporter
65 | Wants=network-online.target
66 | After=network-online.target
67 |
68 | StartLimitIntervalSec=500
69 | StartLimitBurst=5
70 |
71 | [Service]
72 | User=node_exporter
73 | Group=node_exporter
74 | Type=simple
75 | Restart=on-failure
76 | RestartSec=5s
77 | ExecStart=/usr/local/bin/node_exporter
78 |
79 | [Install]
80 | WantedBy=multi-user.target
81 | EOT
82 |
83 | systemctl enable node_exporter
84 | systemctl start node_exporter
85 | EOF
86 |
87 | tags = {
88 | Name = "My App"
89 | node-exporter = "true"
90 | }
91 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.my_app
File: /lessons/130/terraform/12-ec2.tf:46-91
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
46 | resource "aws_instance" "my_app" {
47 | ami = data.aws_ami.ubuntu.id
48 | instance_type = "t3.micro"
49 | key_name = "devops"
50 | subnet_id = aws_subnet.public_us_east_1a.id
51 | vpc_security_group_ids = [aws_security_group.my_app.id]
52 |
53 | user_data = <> /etc/systemd/system/node_exporter.service
63 | [Unit]
64 | Description=Node Exporter
65 | Wants=network-online.target
66 | After=network-online.target
67 |
68 | StartLimitIntervalSec=500
69 | StartLimitBurst=5
70 |
71 | [Service]
72 | User=node_exporter
73 | Group=node_exporter
74 | Type=simple
75 | Restart=on-failure
76 | RestartSec=5s
77 | ExecStart=/usr/local/bin/node_exporter
78 |
79 | [Install]
80 | WantedBy=multi-user.target
81 | EOT
82 |
83 | systemctl enable node_exporter
84 | systemctl start node_exporter
85 | EOF
86 |
87 | tags = {
88 | Name = "My App"
89 | node-exporter = "true"
90 | }
91 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.my_app
File: /lessons/130/terraform/12-ec2.tf:46-91
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
46 | resource "aws_instance" "my_app" {
47 | ami = data.aws_ami.ubuntu.id
48 | instance_type = "t3.micro"
49 | key_name = "devops"
50 | subnet_id = aws_subnet.public_us_east_1a.id
51 | vpc_security_group_ids = [aws_security_group.my_app.id]
52 |
53 | user_data = <> /etc/systemd/system/node_exporter.service
63 | [Unit]
64 | Description=Node Exporter
65 | Wants=network-online.target
66 | After=network-online.target
67 |
68 | StartLimitIntervalSec=500
69 | StartLimitBurst=5
70 |
71 | [Service]
72 | User=node_exporter
73 | Group=node_exporter
74 | Type=simple
75 | Restart=on-failure
76 | RestartSec=5s
77 | ExecStart=/usr/local/bin/node_exporter
78 |
79 | [Install]
80 | WantedBy=multi-user.target
81 | EOT
82 |
83 | systemctl enable node_exporter
84 | systemctl start node_exporter
85 | EOF
86 |
87 | tags = {
88 | Name = "My App"
89 | node-exporter = "true"
90 | }
91 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.my_app
File: /lessons/130/terraform/12-ec2.tf:46-91
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
46 | resource "aws_instance" "my_app" {
47 | ami = data.aws_ami.ubuntu.id
48 | instance_type = "t3.micro"
49 | key_name = "devops"
50 | subnet_id = aws_subnet.public_us_east_1a.id
51 | vpc_security_group_ids = [aws_security_group.my_app.id]
52 |
53 | user_data = <> /etc/systemd/system/node_exporter.service
63 | [Unit]
64 | Description=Node Exporter
65 | Wants=network-online.target
66 | After=network-online.target
67 |
68 | StartLimitIntervalSec=500
69 | StartLimitBurst=5
70 |
71 | [Service]
72 | User=node_exporter
73 | Group=node_exporter
74 | Type=simple
75 | Restart=on-failure
76 | RestartSec=5s
77 | ExecStart=/usr/local/bin/node_exporter
78 |
79 | [Install]
80 | WantedBy=multi-user.target
81 | EOT
82 |
83 | systemctl enable node_exporter
84 | systemctl start node_exporter
85 | EOF
86 |
87 | tags = {
88 | Name = "My App"
89 | node-exporter = "true"
90 | }
91 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.public_us_east_1a
File: /lessons/130/terraform/3-subnets.tf:25-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
25 | resource "aws_subnet" "public_us_east_1a" {
26 | vpc_id = aws_vpc.main.id
27 | cidr_block = "10.0.64.0/19"
28 | availability_zone = "us-east-1a"
29 | map_public_ip_on_launch = true
30 |
31 | tags = {
32 | "Name" = "public-us-east-1a"
33 | "kubernetes.io/role/elb" = "1"
34 | "kubernetes.io/cluster/demo" = "owned"
35 | }
36 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.public_us_east_1b
File: /lessons/130/terraform/3-subnets.tf:38-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
38 | resource "aws_subnet" "public_us_east_1b" {
39 | vpc_id = aws_vpc.main.id
40 | cidr_block = "10.0.96.0/19"
41 | availability_zone = "us-east-1b"
42 | map_public_ip_on_launch = true
43 |
44 | tags = {
45 | "Name" = "public-us-east-1b"
46 | "kubernetes.io/role/elb" = "1"
47 | "kubernetes.io/cluster/demo" = "owned"
48 | }
49 | }
Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
FAILED for resource: aws_eks_cluster.demo
File: /lessons/130/terraform/6-eks.tf:25-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
25 | resource "aws_eks_cluster" "demo" {
26 | name = "demo"
27 | role_arn = aws_iam_role.demo.arn
28 |
29 | vpc_config {
30 | subnet_ids = [
31 | aws_subnet.private_us_east_1a.id,
32 | aws_subnet.private_us_east_1b.id,
33 | aws_subnet.public_us_east_1a.id,
34 | aws_subnet.public_us_east_1b.id
35 | ]
36 | }
37 |
38 | depends_on = [aws_iam_role_policy_attachment.demo_amazon_eks_cluster_policy]
39 | }
Check: CKV_AWS_37: "Ensure Amazon EKS control plane logging enabled for all log types"
FAILED for resource: aws_eks_cluster.demo
File: /lessons/130/terraform/6-eks.tf:25-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-4.html
25 | resource "aws_eks_cluster" "demo" {
26 | name = "demo"
27 | role_arn = aws_iam_role.demo.arn
28 |
29 | vpc_config {
30 | subnet_ids = [
31 | aws_subnet.private_us_east_1a.id,
32 | aws_subnet.private_us_east_1b.id,
33 | aws_subnet.public_us_east_1a.id,
34 | aws_subnet.public_us_east_1b.id
35 | ]
36 | }
37 |
38 | depends_on = [aws_iam_role_policy_attachment.demo_amazon_eks_cluster_policy]
39 | }
Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
FAILED for resource: aws_eks_cluster.demo
File: /lessons/130/terraform/6-eks.tf:25-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
25 | resource "aws_eks_cluster" "demo" {
26 | name = "demo"
27 | role_arn = aws_iam_role.demo.arn
28 |
29 | vpc_config {
30 | subnet_ids = [
31 | aws_subnet.private_us_east_1a.id,
32 | aws_subnet.private_us_east_1b.id,
33 | aws_subnet.public_us_east_1a.id,
34 | aws_subnet.public_us_east_1b.id
35 | ]
36 | }
37 |
38 | depends_on = [aws_iam_role_policy_attachment.demo_amazon_eks_cluster_policy]
39 | }
Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
FAILED for resource: aws_eks_cluster.demo
File: /lessons/130/terraform/6-eks.tf:25-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
25 | resource "aws_eks_cluster" "demo" {
26 | name = "demo"
27 | role_arn = aws_iam_role.demo.arn
28 |
29 | vpc_config {
30 | subnet_ids = [
31 | aws_subnet.private_us_east_1a.id,
32 | aws_subnet.private_us_east_1b.id,
33 | aws_subnet.public_us_east_1a.id,
34 | aws_subnet.public_us_east_1b.id
35 | ]
36 | }
37 |
38 | depends_on = [aws_iam_role_policy_attachment.demo_amazon_eks_cluster_policy]
39 | }
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: aws_cloudwatch_log_group.prometheus_demo
File: /lessons/130/terraform/9-prometheus.tf:1-4
1 | resource "aws_cloudwatch_log_group" "prometheus_demo" {
2 | name = "/aws/prometheus/demo"
3 | retention_in_days = 14
4 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
FAILED for resource: aws_cloudwatch_log_group.prometheus_demo
File: /lessons/130/terraform/9-prometheus.tf:1-4
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html
1 | resource "aws_cloudwatch_log_group" "prometheus_demo" {
2 | name = "/aws/prometheus/demo"
3 | retention_in_days = 14
4 | }
Check: CKV_AWS_50: "X-ray tracing is enabled for Lambda"
FAILED for resource: aws_lambda_function.prometheus_slack
File: /lessons/131/terraform/12-lambda-prometheus-slack.tf:46-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4.html
46 | resource "aws_lambda_function" "prometheus_slack" {
47 | function_name = "prometheus-slack"
48 |
49 | s3_bucket = aws_s3_bucket.lambda_bucket.id
50 | s3_key = aws_s3_object.prometheus_slack.key
51 |
52 | runtime = "python3.9"
53 | handler = "function.lambda_handler"
54 |
55 | source_code_hash = data.archive_file.prometheus_slack.output_base64sha256
56 |
57 | role = aws_iam_role.prometheus_slack.arn
58 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: aws_lambda_function.prometheus_slack
File: /lessons/131/terraform/12-lambda-prometheus-slack.tf:46-58
46 | resource "aws_lambda_function" "prometheus_slack" {
47 | function_name = "prometheus-slack"
48 |
49 | s3_bucket = aws_s3_bucket.lambda_bucket.id
50 | s3_key = aws_s3_object.prometheus_slack.key
51 |
52 | runtime = "python3.9"
53 | handler = "function.lambda_handler"
54 |
55 | source_code_hash = data.archive_file.prometheus_slack.output_base64sha256
56 |
57 | role = aws_iam_role.prometheus_slack.arn
58 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: aws_lambda_function.prometheus_slack
File: /lessons/131/terraform/12-lambda-prometheus-slack.tf:46-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit.html
46 | resource "aws_lambda_function" "prometheus_slack" {
47 | function_name = "prometheus-slack"
48 |
49 | s3_bucket = aws_s3_bucket.lambda_bucket.id
50 | s3_key = aws_s3_object.prometheus_slack.key
51 |
52 | runtime = "python3.9"
53 | handler = "function.lambda_handler"
54 |
55 | source_code_hash = data.archive_file.prometheus_slack.output_base64sha256
56 |
57 | role = aws_iam_role.prometheus_slack.arn
58 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: aws_lambda_function.prometheus_slack
File: /lessons/131/terraform/12-lambda-prometheus-slack.tf:46-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq.html
46 | resource "aws_lambda_function" "prometheus_slack" {
47 | function_name = "prometheus-slack"
48 |
49 | s3_bucket = aws_s3_bucket.lambda_bucket.id
50 | s3_key = aws_s3_object.prometheus_slack.key
51 |
52 | runtime = "python3.9"
53 | handler = "function.lambda_handler"
54 |
55 | source_code_hash = data.archive_file.prometheus_slack.output_base64sha256
56 |
57 | role = aws_iam_role.prometheus_slack.arn
58 | }
Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
FAILED for resource: aws_lambda_function.prometheus_slack
File: /lessons/131/terraform/12-lambda-prometheus-slack.tf:46-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1.html
46 | resource "aws_lambda_function" "prometheus_slack" {
47 | function_name = "prometheus-slack"
48 |
49 | s3_bucket = aws_s3_bucket.lambda_bucket.id
50 | s3_key = aws_s3_object.prometheus_slack.key
51 |
52 | runtime = "python3.9"
53 | handler = "function.lambda_handler"
54 |
55 | source_code_hash = data.archive_file.prometheus_slack.output_base64sha256
56 |
57 | role = aws_iam_role.prometheus_slack.arn
58 | }
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: aws_cloudwatch_log_group.prometheus_slack
File: /lessons/131/terraform/12-lambda-prometheus-slack.tf:61-65
61 | resource "aws_cloudwatch_log_group" "prometheus_slack" {
62 | name = "/aws/lambda/${aws_lambda_function.prometheus_slack.function_name}"
63 |
64 | retention_in_days = 14
65 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
FAILED for resource: aws_cloudwatch_log_group.prometheus_slack
File: /lessons/131/terraform/12-lambda-prometheus-slack.tf:61-65
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html
61 | resource "aws_cloudwatch_log_group" "prometheus_slack" {
62 | name = "/aws/lambda/${aws_lambda_function.prometheus_slack.function_name}"
63 |
64 | retention_in_days = 14
65 | }
Check: CKV_AWS_50: "X-ray tracing is enabled for Lambda"
FAILED for resource: aws_lambda_function.prometheus_pagerduty
File: /lessons/131/terraform/13-lambda-prometheus-pagerduty.tf:46-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4.html
46 | resource "aws_lambda_function" "prometheus_pagerduty" {
47 | function_name = "prometheus-pagerduty"
48 |
49 | s3_bucket = aws_s3_bucket.lambda_bucket.id
50 | s3_key = aws_s3_object.prometheus_pagerduty.key
51 |
52 | runtime = "python3.9"
53 | handler = "function.lambda_handler"
54 |
55 | source_code_hash = data.archive_file.prometheus_pagerduty.output_base64sha256
56 |
57 | role = aws_iam_role.prometheus_pagerduty.arn
58 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: aws_lambda_function.prometheus_pagerduty
File: /lessons/131/terraform/13-lambda-prometheus-pagerduty.tf:46-58
46 | resource "aws_lambda_function" "prometheus_pagerduty" {
47 | function_name = "prometheus-pagerduty"
48 |
49 | s3_bucket = aws_s3_bucket.lambda_bucket.id
50 | s3_key = aws_s3_object.prometheus_pagerduty.key
51 |
52 | runtime = "python3.9"
53 | handler = "function.lambda_handler"
54 |
55 | source_code_hash = data.archive_file.prometheus_pagerduty.output_base64sha256
56 |
57 | role = aws_iam_role.prometheus_pagerduty.arn
58 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: aws_lambda_function.prometheus_pagerduty
File: /lessons/131/terraform/13-lambda-prometheus-pagerduty.tf:46-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit.html
46 | resource "aws_lambda_function" "prometheus_pagerduty" {
47 | function_name = "prometheus-pagerduty"
48 |
49 | s3_bucket = aws_s3_bucket.lambda_bucket.id
50 | s3_key = aws_s3_object.prometheus_pagerduty.key
51 |
52 | runtime = "python3.9"
53 | handler = "function.lambda_handler"
54 |
55 | source_code_hash = data.archive_file.prometheus_pagerduty.output_base64sha256
56 |
57 | role = aws_iam_role.prometheus_pagerduty.arn
58 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: aws_lambda_function.prometheus_pagerduty
File: /lessons/131/terraform/13-lambda-prometheus-pagerduty.tf:46-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq.html
46 | resource "aws_lambda_function" "prometheus_pagerduty" {
47 | function_name = "prometheus-pagerduty"
48 |
49 | s3_bucket = aws_s3_bucket.lambda_bucket.id
50 | s3_key = aws_s3_object.prometheus_pagerduty.key
51 |
52 | runtime = "python3.9"
53 | handler = "function.lambda_handler"
54 |
55 | source_code_hash = data.archive_file.prometheus_pagerduty.output_base64sha256
56 |
57 | role = aws_iam_role.prometheus_pagerduty.arn
58 | }
Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
FAILED for resource: aws_lambda_function.prometheus_pagerduty
File: /lessons/131/terraform/13-lambda-prometheus-pagerduty.tf:46-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1.html
46 | resource "aws_lambda_function" "prometheus_pagerduty" {
47 | function_name = "prometheus-pagerduty"
48 |
49 | s3_bucket = aws_s3_bucket.lambda_bucket.id
50 | s3_key = aws_s3_object.prometheus_pagerduty.key
51 |
52 | runtime = "python3.9"
53 | handler = "function.lambda_handler"
54 |
55 | source_code_hash = data.archive_file.prometheus_pagerduty.output_base64sha256
56 |
57 | role = aws_iam_role.prometheus_pagerduty.arn
58 | }
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: aws_cloudwatch_log_group.prometheus_pagerduty
File: /lessons/131/terraform/13-lambda-prometheus-pagerduty.tf:61-65
61 | resource "aws_cloudwatch_log_group" "prometheus_pagerduty" {
62 | name = "/aws/lambda/${aws_lambda_function.prometheus_pagerduty.function_name}"
63 |
64 | retention_in_days = 14
65 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
FAILED for resource: aws_cloudwatch_log_group.prometheus_pagerduty
File: /lessons/131/terraform/13-lambda-prometheus-pagerduty.tf:61-65
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html
61 | resource "aws_cloudwatch_log_group" "prometheus_pagerduty" {
62 | name = "/aws/lambda/${aws_lambda_function.prometheus_pagerduty.function_name}"
63 |
64 | retention_in_days = 14
65 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.public_us_east_1a
File: /lessons/131/terraform/3-subnet.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
1 | resource "aws_subnet" "public_us_east_1a" {
2 | vpc_id = aws_vpc.main.id
3 | cidr_block = "10.0.0.0/19"
4 | availability_zone = "us-east-1a"
5 | map_public_ip_on_launch = true
6 |
7 | tags = {
8 | "Name" = "public-us-east-1a"
9 | }
10 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.my_app
File: /lessons/131/terraform/5-ec2.tf:36-63
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
36 | resource "aws_security_group" "my_app" {
37 | name = "my-app"
38 | description = "Allow My App Access"
39 | vpc_id = aws_vpc.main.id
40 |
41 | ingress {
42 | description = "Allow SSH Access"
43 | from_port = 22
44 | to_port = 22
45 | protocol = "tcp"
46 | cidr_blocks = ["0.0.0.0/0"]
47 | }
48 |
49 | ingress {
50 | description = "Allow Prometheus UI Access (only for demo)"
51 | from_port = 9090
52 | to_port = 9090
53 | protocol = "tcp"
54 | cidr_blocks = ["0.0.0.0/0"]
55 | }
56 |
57 | egress {
58 | from_port = 0
59 | to_port = 0
60 | protocol = "-1"
61 | cidr_blocks = ["0.0.0.0/0"]
62 | }
63 | }
Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
FAILED for resource: aws_security_group.my_app
File: /lessons/131/terraform/5-ec2.tf:36-63
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-1-port-security.html
36 | resource "aws_security_group" "my_app" {
37 | name = "my-app"
38 | description = "Allow My App Access"
39 | vpc_id = aws_vpc.main.id
40 |
41 | ingress {
42 | description = "Allow SSH Access"
43 | from_port = 22
44 | to_port = 22
45 | protocol = "tcp"
46 | cidr_blocks = ["0.0.0.0/0"]
47 | }
48 |
49 | ingress {
50 | description = "Allow Prometheus UI Access (only for demo)"
51 | from_port = 9090
52 | to_port = 9090
53 | protocol = "tcp"
54 | cidr_blocks = ["0.0.0.0/0"]
55 | }
56 |
57 | egress {
58 | from_port = 0
59 | to_port = 0
60 | protocol = "-1"
61 | cidr_blocks = ["0.0.0.0/0"]
62 | }
63 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.my_app
File: /lessons/131/terraform/5-ec2.tf:81-101
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
81 | resource "aws_instance" "my_app" {
82 | ami = data.aws_ami.ubuntu.id
83 | instance_type = "t3.micro"
84 | key_name = "devops"
85 | subnet_id = aws_subnet.public_us_east_1a.id
86 | vpc_security_group_ids = [aws_security_group.my_app.id]
87 |
88 | iam_instance_profile = aws_iam_instance_profile.prometheus_demo.name
89 |
90 | user_data = templatefile("bootstrap.sh.tpl",
91 | {
92 | prometheus_ver = "2.39.1",
93 | node_exporter_ver = "1.4.0",
94 | remote_write_url = aws_prometheus_workspace.demo.prometheus_endpoint
95 | })
96 |
97 | tags = {
98 | Name = "my-app.example.pvt"
99 | node-exporter = "true"
100 | }
101 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.my_app
File: /lessons/131/terraform/5-ec2.tf:81-101
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
81 | resource "aws_instance" "my_app" {
82 | ami = data.aws_ami.ubuntu.id
83 | instance_type = "t3.micro"
84 | key_name = "devops"
85 | subnet_id = aws_subnet.public_us_east_1a.id
86 | vpc_security_group_ids = [aws_security_group.my_app.id]
87 |
88 | iam_instance_profile = aws_iam_instance_profile.prometheus_demo.name
89 |
90 | user_data = templatefile("bootstrap.sh.tpl",
91 | {
92 | prometheus_ver = "2.39.1",
93 | node_exporter_ver = "1.4.0",
94 | remote_write_url = aws_prometheus_workspace.demo.prometheus_endpoint
95 | })
96 |
97 | tags = {
98 | Name = "my-app.example.pvt"
99 | node-exporter = "true"
100 | }
101 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.my_app
File: /lessons/131/terraform/5-ec2.tf:81-101
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
81 | resource "aws_instance" "my_app" {
82 | ami = data.aws_ami.ubuntu.id
83 | instance_type = "t3.micro"
84 | key_name = "devops"
85 | subnet_id = aws_subnet.public_us_east_1a.id
86 | vpc_security_group_ids = [aws_security_group.my_app.id]
87 |
88 | iam_instance_profile = aws_iam_instance_profile.prometheus_demo.name
89 |
90 | user_data = templatefile("bootstrap.sh.tpl",
91 | {
92 | prometheus_ver = "2.39.1",
93 | node_exporter_ver = "1.4.0",
94 | remote_write_url = aws_prometheus_workspace.demo.prometheus_endpoint
95 | })
96 |
97 | tags = {
98 | Name = "my-app.example.pvt"
99 | node-exporter = "true"
100 | }
101 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.my_app
File: /lessons/131/terraform/5-ec2.tf:81-101
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
81 | resource "aws_instance" "my_app" {
82 | ami = data.aws_ami.ubuntu.id
83 | instance_type = "t3.micro"
84 | key_name = "devops"
85 | subnet_id = aws_subnet.public_us_east_1a.id
86 | vpc_security_group_ids = [aws_security_group.my_app.id]
87 |
88 | iam_instance_profile = aws_iam_instance_profile.prometheus_demo.name
89 |
90 | user_data = templatefile("bootstrap.sh.tpl",
91 | {
92 | prometheus_ver = "2.39.1",
93 | node_exporter_ver = "1.4.0",
94 | remote_write_url = aws_prometheus_workspace.demo.prometheus_endpoint
95 | })
96 |
97 | tags = {
98 | Name = "my-app.example.pvt"
99 | node-exporter = "true"
100 | }
101 | }
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: aws_cloudwatch_log_group.prometheus_demo
File: /lessons/131/terraform/6-prometheus.tf:1-4
1 | resource "aws_cloudwatch_log_group" "prometheus_demo" {
2 | name = "/aws/prometheus/demo"
3 | retention_in_days = 14
4 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
FAILED for resource: aws_cloudwatch_log_group.prometheus_demo
File: /lessons/131/terraform/6-prometheus.tf:1-4
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html
1 | resource "aws_cloudwatch_log_group" "prometheus_demo" {
2 | name = "/aws/prometheus/demo"
3 | retention_in_days = 14
4 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
FAILED for resource: aws_sns_topic.alarms
File: /lessons/131/terraform/7-sns-topic.tf:4-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-15.html
4 | resource "aws_sns_topic" "alarms" {
5 | name = "alarms"
6 |
7 | policy = <> /etc/systemd/system/node_exporter.service
64 | [Unit]
65 | Description=Node Exporter
66 | Wants=network-online.target
67 | After=network-online.target
68 | StartLimitIntervalSec=500
69 | StartLimitBurst=5
70 |
71 | [Service]
72 | User=node_exporter
73 | Group=node_exporter
74 | Type=simple
75 | Restart=on-failure
76 | RestartSec=5s
77 | ExecStart=/usr/local/bin/node_exporter
78 |
79 | [Install]
80 | WantedBy=multi-user.target
81 | EOT
82 |
83 | systemctl enable node_exporter
84 | systemctl start node_exporter
85 | EOF
86 |
87 | tags = {
88 | Name = "myapp"
89 | service = "myapp"
90 | node-exporter = "true"
91 | }
92 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.test
File: /lessons/154/terraform/14-ec2.tf:44-92
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
44 | resource "aws_instance" "test" {
45 | ami = data.aws_ami.ubuntu_jammy.id
46 | instance_type = "t3a.small"
47 | subnet_id = aws_subnet.public_us_east_1a.id
48 | # key_name = "devops" # TODO: update to yours
49 |
50 | vpc_security_group_ids = [
51 | aws_security_group.test.id
52 | ]
53 |
54 | user_data = <> /etc/systemd/system/node_exporter.service
64 | [Unit]
65 | Description=Node Exporter
66 | Wants=network-online.target
67 | After=network-online.target
68 | StartLimitIntervalSec=500
69 | StartLimitBurst=5
70 |
71 | [Service]
72 | User=node_exporter
73 | Group=node_exporter
74 | Type=simple
75 | Restart=on-failure
76 | RestartSec=5s
77 | ExecStart=/usr/local/bin/node_exporter
78 |
79 | [Install]
80 | WantedBy=multi-user.target
81 | EOT
82 |
83 | systemctl enable node_exporter
84 | systemctl start node_exporter
85 | EOF
86 |
87 | tags = {
88 | Name = "myapp"
89 | service = "myapp"
90 | node-exporter = "true"
91 | }
92 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.test
File: /lessons/154/terraform/14-ec2.tf:44-92
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
44 | resource "aws_instance" "test" {
45 | ami = data.aws_ami.ubuntu_jammy.id
46 | instance_type = "t3a.small"
47 | subnet_id = aws_subnet.public_us_east_1a.id
48 | # key_name = "devops" # TODO: update to yours
49 |
50 | vpc_security_group_ids = [
51 | aws_security_group.test.id
52 | ]
53 |
54 | user_data = <> /etc/systemd/system/node_exporter.service
64 | [Unit]
65 | Description=Node Exporter
66 | Wants=network-online.target
67 | After=network-online.target
68 | StartLimitIntervalSec=500
69 | StartLimitBurst=5
70 |
71 | [Service]
72 | User=node_exporter
73 | Group=node_exporter
74 | Type=simple
75 | Restart=on-failure
76 | RestartSec=5s
77 | ExecStart=/usr/local/bin/node_exporter
78 |
79 | [Install]
80 | WantedBy=multi-user.target
81 | EOT
82 |
83 | systemctl enable node_exporter
84 | systemctl start node_exporter
85 | EOF
86 |
87 | tags = {
88 | Name = "myapp"
89 | service = "myapp"
90 | node-exporter = "true"
91 | }
92 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.test
File: /lessons/154/terraform/14-ec2.tf:44-92
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
44 | resource "aws_instance" "test" {
45 | ami = data.aws_ami.ubuntu_jammy.id
46 | instance_type = "t3a.small"
47 | subnet_id = aws_subnet.public_us_east_1a.id
48 | # key_name = "devops" # TODO: update to yours
49 |
50 | vpc_security_group_ids = [
51 | aws_security_group.test.id
52 | ]
53 |
54 | user_data = <> /etc/systemd/system/node_exporter.service
64 | [Unit]
65 | Description=Node Exporter
66 | Wants=network-online.target
67 | After=network-online.target
68 | StartLimitIntervalSec=500
69 | StartLimitBurst=5
70 |
71 | [Service]
72 | User=node_exporter
73 | Group=node_exporter
74 | Type=simple
75 | Restart=on-failure
76 | RestartSec=5s
77 | ExecStart=/usr/local/bin/node_exporter
78 |
79 | [Install]
80 | WantedBy=multi-user.target
81 | EOT
82 |
83 | systemctl enable node_exporter
84 | systemctl start node_exporter
85 | EOF
86 |
87 | tags = {
88 | Name = "myapp"
89 | service = "myapp"
90 | node-exporter = "true"
91 | }
92 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.public_us_east_1a
File: /lessons/154/terraform/3-subnets.tf:25-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
25 | resource "aws_subnet" "public_us_east_1a" {
26 | vpc_id = aws_vpc.main.id
27 | cidr_block = "10.0.64.0/19"
28 | availability_zone = "us-east-1a"
29 | map_public_ip_on_launch = true
30 |
31 | tags = {
32 | "Name" = "public-us-east-1a"
33 | "kubernetes.io/role/elb" = "1"
34 | "kubernetes.io/cluster/demo" = "owned"
35 | }
36 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.public_us_east_1b
File: /lessons/154/terraform/3-subnets.tf:38-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
38 | resource "aws_subnet" "public_us_east_1b" {
39 | vpc_id = aws_vpc.main.id
40 | cidr_block = "10.0.96.0/19"
41 | availability_zone = "us-east-1b"
42 | map_public_ip_on_launch = true
43 |
44 | tags = {
45 | "Name" = "public-us-east-1b"
46 | "kubernetes.io/role/elb" = "1"
47 | "kubernetes.io/cluster/demo" = "owned"
48 | }
49 | }
Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
FAILED for resource: aws_eks_cluster.demo
File: /lessons/154/terraform/6-eks.tf:25-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
25 | resource "aws_eks_cluster" "demo" {
26 | name = "demo"
27 | version = "1.24"
28 | role_arn = aws_iam_role.demo.arn
29 |
30 | vpc_config {
31 | subnet_ids = [
32 | aws_subnet.private_us_east_1a.id,
33 | aws_subnet.private_us_east_1b.id,
34 | aws_subnet.public_us_east_1a.id,
35 | aws_subnet.public_us_east_1b.id
36 | ]
37 | }
38 |
39 | depends_on = [aws_iam_role_policy_attachment.demo_amazon_eks_cluster_policy]
40 | }
Check: CKV_AWS_37: "Ensure Amazon EKS control plane logging enabled for all log types"
FAILED for resource: aws_eks_cluster.demo
File: /lessons/154/terraform/6-eks.tf:25-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-4.html
25 | resource "aws_eks_cluster" "demo" {
26 | name = "demo"
27 | version = "1.24"
28 | role_arn = aws_iam_role.demo.arn
29 |
30 | vpc_config {
31 | subnet_ids = [
32 | aws_subnet.private_us_east_1a.id,
33 | aws_subnet.private_us_east_1b.id,
34 | aws_subnet.public_us_east_1a.id,
35 | aws_subnet.public_us_east_1b.id
36 | ]
37 | }
38 |
39 | depends_on = [aws_iam_role_policy_attachment.demo_amazon_eks_cluster_policy]
40 | }
Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
FAILED for resource: aws_eks_cluster.demo
File: /lessons/154/terraform/6-eks.tf:25-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
25 | resource "aws_eks_cluster" "demo" {
26 | name = "demo"
27 | version = "1.24"
28 | role_arn = aws_iam_role.demo.arn
29 |
30 | vpc_config {
31 | subnet_ids = [
32 | aws_subnet.private_us_east_1a.id,
33 | aws_subnet.private_us_east_1b.id,
34 | aws_subnet.public_us_east_1a.id,
35 | aws_subnet.public_us_east_1b.id
36 | ]
37 | }
38 |
39 | depends_on = [aws_iam_role_policy_attachment.demo_amazon_eks_cluster_policy]
40 | }
Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
FAILED for resource: aws_eks_cluster.demo
File: /lessons/154/terraform/6-eks.tf:25-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
25 | resource "aws_eks_cluster" "demo" {
26 | name = "demo"
27 | version = "1.24"
28 | role_arn = aws_iam_role.demo.arn
29 |
30 | vpc_config {
31 | subnet_ids = [
32 | aws_subnet.private_us_east_1a.id,
33 | aws_subnet.private_us_east_1b.id,
34 | aws_subnet.public_us_east_1a.id,
35 | aws_subnet.public_us_east_1b.id
36 | ]
37 | }
38 |
39 | depends_on = [aws_iam_role_policy_attachment.demo_amazon_eks_cluster_policy]
40 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.public_us_east_1a
File: /lessons/155/eks-terraform/3-subnets.tf:25-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
25 | resource "aws_subnet" "public_us_east_1a" {
26 | vpc_id = aws_vpc.main.id
27 | cidr_block = "10.0.64.0/19"
28 | availability_zone = "us-east-1a"
29 | map_public_ip_on_launch = true
30 |
31 | tags = {
32 | "Name" = "public-us-east-1a"
33 | "kubernetes.io/role/elb" = "1"
34 | "kubernetes.io/cluster/demo" = "owned"
35 | }
36 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.public_us_east_1b
File: /lessons/155/eks-terraform/3-subnets.tf:38-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
38 | resource "aws_subnet" "public_us_east_1b" {
39 | vpc_id = aws_vpc.main.id
40 | cidr_block = "10.0.96.0/19"
41 | availability_zone = "us-east-1b"
42 | map_public_ip_on_launch = true
43 |
44 | tags = {
45 | "Name" = "public-us-east-1b"
46 | "kubernetes.io/role/elb" = "1"
47 | "kubernetes.io/cluster/demo" = "owned"
48 | }
49 | }
Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
FAILED for resource: aws_eks_cluster.demo
File: /lessons/155/eks-terraform/6-eks.tf:25-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
25 | resource "aws_eks_cluster" "demo" {
26 | name = "demo"
27 | version = "1.25"
28 | role_arn = aws_iam_role.demo.arn
29 |
30 | vpc_config {
31 | subnet_ids = [
32 | aws_subnet.private_us_east_1a.id,
33 | aws_subnet.private_us_east_1b.id,
34 | aws_subnet.public_us_east_1a.id,
35 | aws_subnet.public_us_east_1b.id
36 | ]
37 | }
38 |
39 | depends_on = [aws_iam_role_policy_attachment.demo_amazon_eks_cluster_policy]
40 | }
Check: CKV_AWS_37: "Ensure Amazon EKS control plane logging enabled for all log types"
FAILED for resource: aws_eks_cluster.demo
File: /lessons/155/eks-terraform/6-eks.tf:25-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-4.html
25 | resource "aws_eks_cluster" "demo" {
26 | name = "demo"
27 | version = "1.25"
28 | role_arn = aws_iam_role.demo.arn
29 |
30 | vpc_config {
31 | subnet_ids = [
32 | aws_subnet.private_us_east_1a.id,
33 | aws_subnet.private_us_east_1b.id,
34 | aws_subnet.public_us_east_1a.id,
35 | aws_subnet.public_us_east_1b.id
36 | ]
37 | }
38 |
39 | depends_on = [aws_iam_role_policy_attachment.demo_amazon_eks_cluster_policy]
40 | }
Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
FAILED for resource: aws_eks_cluster.demo
File: /lessons/155/eks-terraform/6-eks.tf:25-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
25 | resource "aws_eks_cluster" "demo" {
26 | name = "demo"
27 | version = "1.25"
28 | role_arn = aws_iam_role.demo.arn
29 |
30 | vpc_config {
31 | subnet_ids = [
32 | aws_subnet.private_us_east_1a.id,
33 | aws_subnet.private_us_east_1b.id,
34 | aws_subnet.public_us_east_1a.id,
35 | aws_subnet.public_us_east_1b.id
36 | ]
37 | }
38 |
39 | depends_on = [aws_iam_role_policy_attachment.demo_amazon_eks_cluster_policy]
40 | }
Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
FAILED for resource: aws_eks_cluster.demo
File: /lessons/155/eks-terraform/6-eks.tf:25-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
25 | resource "aws_eks_cluster" "demo" {
26 | name = "demo"
27 | version = "1.25"
28 | role_arn = aws_iam_role.demo.arn
29 |
30 | vpc_config {
31 | subnet_ids = [
32 | aws_subnet.private_us_east_1a.id,
33 | aws_subnet.private_us_east_1b.id,
34 | aws_subnet.public_us_east_1a.id,
35 | aws_subnet.public_us_east_1b.id
36 | ]
37 | }
38 |
39 | depends_on = [aws_iam_role_policy_attachment.demo_amazon_eks_cluster_policy]
40 | }
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy.eks_console_access
File: /lessons/156/terraform/11-developer-role.tf:40-67
40 | resource "aws_iam_policy" "eks_console_access" {
41 | name = "EKSConsoleAccess"
42 |
43 | policy = < index.html
25 | nohup busybox httpd -f -p ${var.server_port} &
26 | EOF
27 |
28 | user_data_replace_on_change = true
29 |
30 | tags = {
31 | Name = "my-ubuntu"
32 | }
33 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.example
File: /lessons/164/main.tf:16-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
16 | resource "aws_instance" "example" {
17 | ami = "ami-0a695f0d95cefc163"
18 | instance_type = "t3.micro"
19 |
20 | vpc_security_group_ids = [aws_security_group.instance.id]
21 |
22 | user_data = <<-EOF
23 | #!/bin/bash
24 | echo "Hello, World" > index.html
25 | nohup busybox httpd -f -p ${var.server_port} &
26 | EOF
27 |
28 | user_data_replace_on_change = true
29 |
30 | tags = {
31 | Name = "my-ubuntu"
32 | }
33 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.example
File: /lessons/164/main.tf:16-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
16 | resource "aws_instance" "example" {
17 | ami = "ami-0a695f0d95cefc163"
18 | instance_type = "t3.micro"
19 |
20 | vpc_security_group_ids = [aws_security_group.instance.id]
21 |
22 | user_data = <<-EOF
23 | #!/bin/bash
24 | echo "Hello, World" > index.html
25 | nohup busybox httpd -f -p ${var.server_port} &
26 | EOF
27 |
28 | user_data_replace_on_change = true
29 |
30 | tags = {
31 | Name = "my-ubuntu"
32 | }
33 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.example
File: /lessons/164/main.tf:16-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
16 | resource "aws_instance" "example" {
17 | ami = "ami-0a695f0d95cefc163"
18 | instance_type = "t3.micro"
19 |
20 | vpc_security_group_ids = [aws_security_group.instance.id]
21 |
22 | user_data = <<-EOF
23 | #!/bin/bash
24 | echo "Hello, World" > index.html
25 | nohup busybox httpd -f -p ${var.server_port} &
26 | EOF
27 |
28 | user_data_replace_on_change = true
29 |
30 | tags = {
31 | Name = "my-ubuntu"
32 | }
33 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_launch_configuration.example
File: /lessons/164/main.tf:35-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
35 | resource "aws_launch_configuration" "example" {
36 | image_id = "ami-0a695f0d95cefc163"
37 | instance_type = "t3.micro"
38 | security_groups = [aws_security_group.instance.id]
39 |
40 | user_data = <<-EOF
41 | #!/bin/bash
42 | echo "Hello, World" > index.html
43 | nohup busybox httpd -f -p ${var.server_port} &
44 | EOF
45 |
46 | # Required with an autoscaling group.
47 | lifecycle {
48 | create_before_destroy = true
49 | }
50 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_launch_configuration.example
File: /lessons/164/main.tf:35-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
35 | resource "aws_launch_configuration" "example" {
36 | image_id = "ami-0a695f0d95cefc163"
37 | instance_type = "t3.micro"
38 | security_groups = [aws_security_group.instance.id]
39 |
40 | user_data = <<-EOF
41 | #!/bin/bash
42 | echo "Hello, World" > index.html
43 | nohup busybox httpd -f -p ${var.server_port} &
44 | EOF
45 |
46 | # Required with an autoscaling group.
47 | lifecycle {
48 | create_before_destroy = true
49 | }
50 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.instance
File: /lessons/164/main.tf:52-61
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
52 | resource "aws_security_group" "instance" {
53 | name = "web"
54 |
55 | ingress {
56 | from_port = var.server_port
57 | to_port = var.server_port
58 | protocol = "tcp"
59 | cidr_blocks = ["0.0.0.0/0"]
60 | }
61 | }
Check: CKV_AWS_315: "Ensure EC2 Auto Scaling groups use EC2 launch templates"
FAILED for resource: aws_autoscaling_group.example
File: /lessons/164/main.tf:63-78
63 | resource "aws_autoscaling_group" "example" {
64 | launch_configuration = aws_launch_configuration.example.name
65 | vpc_zone_identifier = data.aws_subnets.default.ids
66 |
67 | target_group_arns = [aws_lb_target_group.asg.arn]
68 | health_check_type = "ELB"
69 |
70 | min_size = 2
71 | max_size = 10
72 |
73 | tag {
74 | key = "Name"
75 | value = "web"
76 | propagate_at_launch = true
77 | }
78 | }
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
FAILED for resource: aws_lb.example
File: /lessons/164/main.tf:80-85
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers.html
80 | resource "aws_lb" "example" {
81 | name = "web"
82 | load_balancer_type = "application"
83 | subnets = data.aws_subnets.default.ids
84 | security_groups = [aws_security_group.alb.id]
85 | }
Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
FAILED for resource: aws_lb.example
File: /lessons/164/main.tf:80-85
Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62
80 | resource "aws_lb" "example" {
81 | name = "web"
82 | load_balancer_type = "application"
83 | subnets = data.aws_subnets.default.ids
84 | security_groups = [aws_security_group.alb.id]
85 | }
Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
FAILED for resource: aws_lb.example
File: /lessons/164/main.tf:80-85
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22.html
80 | resource "aws_lb" "example" {
81 | name = "web"
82 | load_balancer_type = "application"
83 | subnets = data.aws_subnets.default.ids
84 | security_groups = [aws_security_group.alb.id]
85 | }
Check: CKV_AWS_2: "Ensure ALB protocol is HTTPS"
FAILED for resource: aws_lb_listener.http
File: /lessons/164/main.tf:87-102
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-29.html
87 | resource "aws_lb_listener" "http" {
88 | load_balancer_arn = aws_lb.example.arn
89 | port = 80
90 | protocol = "HTTP"
91 |
92 | # By default, it just shows a simple 404 page
93 | default_action {
94 | type = "fixed-response"
95 |
96 | fixed_response {
97 | content_type = "text/plain"
98 | message_body = "404: page not found"
99 | status_code = 404
100 | }
101 | }
102 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.alb
File: /lessons/164/main.tf:104-121
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
104 | resource "aws_security_group" "alb" {
105 | name = "web-alb"
106 | # Allow inbound HTTP requests
107 | ingress {
108 | from_port = 80
109 | to_port = 80
110 | protocol = "tcp"
111 | cidr_blocks = ["0.0.0.0/0"]
112 | }
113 |
114 | # Allow all outbound requests
115 | egress {
116 | from_port = 0
117 | to_port = 0
118 | protocol = "-1"
119 | cidr_blocks = ["0.0.0.0/0"]
120 | }
121 | }
Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
FAILED for resource: aws_security_group.alb
File: /lessons/164/main.tf:104-121
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
104 | resource "aws_security_group" "alb" {
105 | name = "web-alb"
106 | # Allow inbound HTTP requests
107 | ingress {
108 | from_port = 80
109 | to_port = 80
110 | protocol = "tcp"
111 | cidr_blocks = ["0.0.0.0/0"]
112 | }
113 |
114 | # Allow all outbound requests
115 | egress {
116 | from_port = 0
117 | to_port = 0
118 | protocol = "-1"
119 | cidr_blocks = ["0.0.0.0/0"]
120 | }
121 | }
Check: CKV_AWS_119: "Ensure DynamoDB Tables are encrypted using a KMS Customer Managed CMK"
FAILED for resource: aws_dynamodb_table.terraform_state
File: /lessons/165/1-example/main.tf:39-48
Guide: https://docs.bridgecrew.io/docs/ensure-that-dynamodb-tables-are-encrypted
39 | resource "aws_dynamodb_table" "terraform_state" {
40 | name = "terraform-state"
41 | billing_mode = "PAY_PER_REQUEST"
42 | hash_key = "LockID"
43 |
44 | attribute {
45 | name = "LockID"
46 | type = "S"
47 | }
48 | }
Check: CKV_AWS_28: "Ensure Dynamodb point in time recovery (backup) is enabled"
FAILED for resource: aws_dynamodb_table.terraform_state
File: /lessons/165/1-example/main.tf:39-48
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-6.html
39 | resource "aws_dynamodb_table" "terraform_state" {
40 | name = "terraform-state"
41 | billing_mode = "PAY_PER_REQUEST"
42 | hash_key = "LockID"
43 |
44 | attribute {
45 | name = "LockID"
46 | type = "S"
47 | }
48 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.example
File: /lessons/165/3-example/main.tf:5-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
5 | resource "aws_instance" "example" {
6 | ami = "ami-0a695f0d95cefc163"
7 |
8 | instance_type = (
9 | terraform.workspace == "default" ? "t3.medium" : "t3.micro"
10 | )
11 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.example
File: /lessons/165/3-example/main.tf:5-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
5 | resource "aws_instance" "example" {
6 | ami = "ami-0a695f0d95cefc163"
7 |
8 | instance_type = (
9 | terraform.workspace == "default" ? "t3.medium" : "t3.micro"
10 | )
11 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.example
File: /lessons/165/3-example/main.tf:5-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
5 | resource "aws_instance" "example" {
6 | ami = "ami-0a695f0d95cefc163"
7 |
8 | instance_type = (
9 | terraform.workspace == "default" ? "t3.medium" : "t3.micro"
10 | )
11 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.example
File: /lessons/165/3-example/main.tf:5-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
5 | resource "aws_instance" "example" {
6 | ami = "ami-0a695f0d95cefc163"
7 |
8 | instance_type = (
9 | terraform.workspace == "default" ? "t3.medium" : "t3.micro"
10 | )
11 | }
Check: CKV_AWS_119: "Ensure DynamoDB Tables are encrypted using a KMS Customer Managed CMK"
FAILED for resource: aws_dynamodb_table.terraform_state
File: /lessons/165/global/s3/main.tf:39-48
Guide: https://docs.bridgecrew.io/docs/ensure-that-dynamodb-tables-are-encrypted
39 | resource "aws_dynamodb_table" "terraform_state" {
40 | name = "terraform-state"
41 | billing_mode = "PAY_PER_REQUEST"
42 | hash_key = "LockID"
43 |
44 | attribute {
45 | name = "LockID"
46 | type = "S"
47 | }
48 | }
Check: CKV_AWS_28: "Ensure Dynamodb point in time recovery (backup) is enabled"
FAILED for resource: aws_dynamodb_table.terraform_state
File: /lessons/165/global/s3/main.tf:39-48
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-6.html
39 | resource "aws_dynamodb_table" "terraform_state" {
40 | name = "terraform-state"
41 | billing_mode = "PAY_PER_REQUEST"
42 | hash_key = "LockID"
43 |
44 | attribute {
45 | name = "LockID"
46 | type = "S"
47 | }
48 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.example
File: /lessons/165/infra/main.tf:5-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
5 | resource "aws_instance" "example" {
6 | ami = "ami-0a695f0d95cefc163"
7 | instance_type = "t3.micro"
8 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.example
File: /lessons/165/infra/main.tf:5-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
5 | resource "aws_instance" "example" {
6 | ami = "ami-0a695f0d95cefc163"
7 | instance_type = "t3.micro"
8 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.example
File: /lessons/165/infra/main.tf:5-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
5 | resource "aws_instance" "example" {
6 | ami = "ami-0a695f0d95cefc163"
7 | instance_type = "t3.micro"
8 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.example
File: /lessons/165/infra/main.tf:5-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
5 | resource "aws_instance" "example" {
6 | ami = "ami-0a695f0d95cefc163"
7 | instance_type = "t3.micro"
8 | }
Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
FAILED for resource: aws_db_instance.mydb
File: /lessons/165/infra/main.tf:10-22
10 | resource "aws_db_instance" "mydb" {
11 | db_name = "mydb"
12 | engine = "postgres"
13 | engine_version = "15"
14 | instance_class = "db.t4g.micro"
15 | allocated_storage = 10
16 |
17 | publicly_accessible = true
18 | skip_final_snapshot = true
19 |
20 | username = "root"
21 | password = "devops123"
22 | }
Check: CKV_AWS_17: "Ensure all data stored in RDS is not publicly accessible"
FAILED for resource: aws_db_instance.mydb
File: /lessons/165/infra/main.tf:10-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/public-policies/public-2.html
10 | resource "aws_db_instance" "mydb" {
11 | db_name = "mydb"
12 | engine = "postgres"
13 | engine_version = "15"
14 | instance_class = "db.t4g.micro"
15 | allocated_storage = 10
16 |
17 | publicly_accessible = true
18 | skip_final_snapshot = true
19 |
20 | username = "root"
21 | password = "devops123"
22 | }
Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
FAILED for resource: aws_db_instance.mydb
File: /lessons/165/infra/main.tf:10-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled.html
10 | resource "aws_db_instance" "mydb" {
11 | db_name = "mydb"
12 | engine = "postgres"
13 | engine_version = "15"
14 | instance_class = "db.t4g.micro"
15 | allocated_storage = 10
16 |
17 | publicly_accessible = true
18 | skip_final_snapshot = true
19 |
20 | username = "root"
21 | password = "devops123"
22 | }
Check: CKV_AWS_161: "Ensure RDS database has IAM authentication enabled"
FAILED for resource: aws_db_instance.mydb
File: /lessons/165/infra/main.tf:10-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-rds-database-has-iam-authentication-enabled.html
10 | resource "aws_db_instance" "mydb" {
11 | db_name = "mydb"
12 | engine = "postgres"
13 | engine_version = "15"
14 | instance_class = "db.t4g.micro"
15 | allocated_storage = 10
16 |
17 | publicly_accessible = true
18 | skip_final_snapshot = true
19 |
20 | username = "root"
21 | password = "devops123"
22 | }
Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
FAILED for resource: aws_db_instance.mydb
File: /lessons/165/infra/main.tf:10-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically.html
10 | resource "aws_db_instance" "mydb" {
11 | db_name = "mydb"
12 | engine = "postgres"
13 | engine_version = "15"
14 | instance_class = "db.t4g.micro"
15 | allocated_storage = 10
16 |
17 | publicly_accessible = true
18 | skip_final_snapshot = true
19 |
20 | username = "root"
21 | password = "devops123"
22 | }
Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
FAILED for resource: aws_db_instance.mydb
File: /lessons/165/infra/main.tf:10-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances.html
10 | resource "aws_db_instance" "mydb" {
11 | db_name = "mydb"
12 | engine = "postgres"
13 | engine_version = "15"
14 | instance_class = "db.t4g.micro"
15 | allocated_storage = 10
16 |
17 | publicly_accessible = true
18 | skip_final_snapshot = true
19 |
20 | username = "root"
21 | password = "devops123"
22 | }
Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
FAILED for resource: aws_db_instance.mydb
File: /lessons/165/infra/main.tf:10-22
10 | resource "aws_db_instance" "mydb" {
11 | db_name = "mydb"
12 | engine = "postgres"
13 | engine_version = "15"
14 | instance_class = "db.t4g.micro"
15 | allocated_storage = 10
16 |
17 | publicly_accessible = true
18 | skip_final_snapshot = true
19 |
20 | username = "root"
21 | password = "devops123"
22 | }
Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
FAILED for resource: aws_db_instance.mydb
File: /lessons/165/infra/main.tf:10-22
10 | resource "aws_db_instance" "mydb" {
11 | db_name = "mydb"
12 | engine = "postgres"
13 | engine_version = "15"
14 | instance_class = "db.t4g.micro"
15 | allocated_storage = 10
16 |
17 | publicly_accessible = true
18 | skip_final_snapshot = true
19 |
20 | username = "root"
21 | password = "devops123"
22 | }
Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
FAILED for resource: aws_db_instance.mydb
File: /lessons/165/infra/main.tf:10-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-4.html
10 | resource "aws_db_instance" "mydb" {
11 | db_name = "mydb"
12 | engine = "postgres"
13 | engine_version = "15"
14 | instance_class = "db.t4g.micro"
15 | allocated_storage = 10
16 |
17 | publicly_accessible = true
18 | skip_final_snapshot = true
19 |
20 | username = "root"
21 | password = "devops123"
22 | }
Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
FAILED for resource: aws_db_instance.mydb
File: /lessons/165/infra/main.tf:10-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-73.html
10 | resource "aws_db_instance" "mydb" {
11 | db_name = "mydb"
12 | engine = "postgres"
13 | engine_version = "15"
14 | instance_class = "db.t4g.micro"
15 | allocated_storage = 10
16 |
17 | publicly_accessible = true
18 | skip_final_snapshot = true
19 |
20 | username = "root"
21 | password = "devops123"
22 | }
Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
FAILED for resource: aws_db_instance.mydb
File: /lessons/165/staging/data-stores/postgres/main.tf:11-23
11 | resource "aws_db_instance" "mydb" {
12 | db_name = "mydb"
13 | engine = "postgres"
14 | engine_version = "15"
15 | instance_class = "db.t4g.micro"
16 | allocated_storage = 10
17 |
18 | skip_final_snapshot = true
19 | publicly_accessible = true
20 |
21 | username = var.username
22 | password = var.password
23 | }
Check: CKV_AWS_17: "Ensure all data stored in RDS is not publicly accessible"
FAILED for resource: aws_db_instance.mydb
File: /lessons/165/staging/data-stores/postgres/main.tf:11-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/public-policies/public-2.html
11 | resource "aws_db_instance" "mydb" {
12 | db_name = "mydb"
13 | engine = "postgres"
14 | engine_version = "15"
15 | instance_class = "db.t4g.micro"
16 | allocated_storage = 10
17 |
18 | skip_final_snapshot = true
19 | publicly_accessible = true
20 |
21 | username = var.username
22 | password = var.password
23 | }
Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
FAILED for resource: aws_db_instance.mydb
File: /lessons/165/staging/data-stores/postgres/main.tf:11-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled.html
11 | resource "aws_db_instance" "mydb" {
12 | db_name = "mydb"
13 | engine = "postgres"
14 | engine_version = "15"
15 | instance_class = "db.t4g.micro"
16 | allocated_storage = 10
17 |
18 | skip_final_snapshot = true
19 | publicly_accessible = true
20 |
21 | username = var.username
22 | password = var.password
23 | }
Check: CKV_AWS_161: "Ensure RDS database has IAM authentication enabled"
FAILED for resource: aws_db_instance.mydb
File: /lessons/165/staging/data-stores/postgres/main.tf:11-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-rds-database-has-iam-authentication-enabled.html
11 | resource "aws_db_instance" "mydb" {
12 | db_name = "mydb"
13 | engine = "postgres"
14 | engine_version = "15"
15 | instance_class = "db.t4g.micro"
16 | allocated_storage = 10
17 |
18 | skip_final_snapshot = true
19 | publicly_accessible = true
20 |
21 | username = var.username
22 | password = var.password
23 | }
Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
FAILED for resource: aws_db_instance.mydb
File: /lessons/165/staging/data-stores/postgres/main.tf:11-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically.html
11 | resource "aws_db_instance" "mydb" {
12 | db_name = "mydb"
13 | engine = "postgres"
14 | engine_version = "15"
15 | instance_class = "db.t4g.micro"
16 | allocated_storage = 10
17 |
18 | skip_final_snapshot = true
19 | publicly_accessible = true
20 |
21 | username = var.username
22 | password = var.password
23 | }
Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
FAILED for resource: aws_db_instance.mydb
File: /lessons/165/staging/data-stores/postgres/main.tf:11-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances.html
11 | resource "aws_db_instance" "mydb" {
12 | db_name = "mydb"
13 | engine = "postgres"
14 | engine_version = "15"
15 | instance_class = "db.t4g.micro"
16 | allocated_storage = 10
17 |
18 | skip_final_snapshot = true
19 | publicly_accessible = true
20 |
21 | username = var.username
22 | password = var.password
23 | }
Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
FAILED for resource: aws_db_instance.mydb
File: /lessons/165/staging/data-stores/postgres/main.tf:11-23
11 | resource "aws_db_instance" "mydb" {
12 | db_name = "mydb"
13 | engine = "postgres"
14 | engine_version = "15"
15 | instance_class = "db.t4g.micro"
16 | allocated_storage = 10
17 |
18 | skip_final_snapshot = true
19 | publicly_accessible = true
20 |
21 | username = var.username
22 | password = var.password
23 | }
Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
FAILED for resource: aws_db_instance.mydb
File: /lessons/165/staging/data-stores/postgres/main.tf:11-23
11 | resource "aws_db_instance" "mydb" {
12 | db_name = "mydb"
13 | engine = "postgres"
14 | engine_version = "15"
15 | instance_class = "db.t4g.micro"
16 | allocated_storage = 10
17 |
18 | skip_final_snapshot = true
19 | publicly_accessible = true
20 |
21 | username = var.username
22 | password = var.password
23 | }
Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
FAILED for resource: aws_db_instance.mydb
File: /lessons/165/staging/data-stores/postgres/main.tf:11-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-4.html
11 | resource "aws_db_instance" "mydb" {
12 | db_name = "mydb"
13 | engine = "postgres"
14 | engine_version = "15"
15 | instance_class = "db.t4g.micro"
16 | allocated_storage = 10
17 |
18 | skip_final_snapshot = true
19 | publicly_accessible = true
20 |
21 | username = var.username
22 | password = var.password
23 | }
Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
FAILED for resource: aws_db_instance.mydb
File: /lessons/165/staging/data-stores/postgres/main.tf:11-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-73.html
11 | resource "aws_db_instance" "mydb" {
12 | db_name = "mydb"
13 | engine = "postgres"
14 | engine_version = "15"
15 | instance_class = "db.t4g.micro"
16 | allocated_storage = 10
17 |
18 | skip_final_snapshot = true
19 | publicly_accessible = true
20 |
21 | username = var.username
22 | password = var.password
23 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.instance
File: /lessons/165/staging/services/web/main.tf:11-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
11 | resource "aws_security_group" "instance" {
12 | name = "web"
13 |
14 | ingress {
15 | from_port = var.server_port
16 | to_port = var.server_port
17 | protocol = "tcp"
18 | cidr_blocks = ["0.0.0.0/0"]
19 | }
20 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.example
File: /lessons/165/staging/services/web/main.tf:22-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
22 | resource "aws_instance" "example" {
23 | ami = "ami-0a695f0d95cefc163"
24 | instance_type = "t3.micro"
25 |
26 | vpc_security_group_ids = [aws_security_group.instance.id]
27 |
28 | user_data = templatefile("user-data.sh", {
29 | server_port = var.server_port
30 | postgres_address = data.terraform_remote_state.postgres.outputs.address
31 | postgres_port = data.terraform_remote_state.postgres.outputs.port
32 | })
33 |
34 | user_data_replace_on_change = true
35 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.example
File: /lessons/165/staging/services/web/main.tf:22-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
22 | resource "aws_instance" "example" {
23 | ami = "ami-0a695f0d95cefc163"
24 | instance_type = "t3.micro"
25 |
26 | vpc_security_group_ids = [aws_security_group.instance.id]
27 |
28 | user_data = templatefile("user-data.sh", {
29 | server_port = var.server_port
30 | postgres_address = data.terraform_remote_state.postgres.outputs.address
31 | postgres_port = data.terraform_remote_state.postgres.outputs.port
32 | })
33 |
34 | user_data_replace_on_change = true
35 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.example
File: /lessons/165/staging/services/web/main.tf:22-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
22 | resource "aws_instance" "example" {
23 | ami = "ami-0a695f0d95cefc163"
24 | instance_type = "t3.micro"
25 |
26 | vpc_security_group_ids = [aws_security_group.instance.id]
27 |
28 | user_data = templatefile("user-data.sh", {
29 | server_port = var.server_port
30 | postgres_address = data.terraform_remote_state.postgres.outputs.address
31 | postgres_port = data.terraform_remote_state.postgres.outputs.port
32 | })
33 |
34 | user_data_replace_on_change = true
35 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.example
File: /lessons/165/staging/services/web/main.tf:22-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
22 | resource "aws_instance" "example" {
23 | ami = "ami-0a695f0d95cefc163"
24 | instance_type = "t3.micro"
25 |
26 | vpc_security_group_ids = [aws_security_group.instance.id]
27 |
28 | user_data = templatefile("user-data.sh", {
29 | server_port = var.server_port
30 | postgres_address = data.terraform_remote_state.postgres.outputs.address
31 | postgres_port = data.terraform_remote_state.postgres.outputs.port
32 | })
33 |
34 | user_data_replace_on_change = true
35 | }
Check: CKV_AWS_76: "Ensure API Gateway has Access Logging enabled"
FAILED for resource: aws_apigatewayv2_stage.dev
File: /lessons/167/terraform/11-api-gateway.tf:6-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-17.html
6 | resource "aws_apigatewayv2_stage" "dev" {
7 | api_id = aws_apigatewayv2_api.main.id
8 |
9 | name = "dev"
10 | auto_deploy = true
11 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.vpc_link
File: /lessons/167/terraform/12-integration.tf:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
1 | resource "aws_security_group" "vpc_link" {
2 | name = "vpc-link"
3 | vpc_id = module.vpc.vpc_id
4 |
5 | egress {
6 | from_port = 0
7 | to_port = 0
8 | protocol = "-1"
9 | cidr_blocks = ["0.0.0.0/0"]
10 | }
11 | }
Check: CKV_AWS_309: "Ensure API GatewayV2 routes specify an authorization type"
FAILED for resource: aws_apigatewayv2_route.get_echo
File: /lessons/167/terraform/12-integration.tf:29-34
29 | resource "aws_apigatewayv2_route" "get_echo" {
30 | api_id = aws_apigatewayv2_api.main.id
31 |
32 | route_key = "GET /echo"
33 | target = "integrations/${aws_apigatewayv2_integration.eks.id}"
34 | }
Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
FAILED for resource: aws_eks_cluster.this
File: /lessons/167/terraform/3-eks.tf:25-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
25 | resource "aws_eks_cluster" "this" {
26 | name = var.eks_cluster_name
27 | version = "1.27"
28 | role_arn = aws_iam_role.eks.arn
29 |
30 | vpc_config {
31 | subnet_ids = concat(
32 | module.vpc.private_subnets,
33 | module.vpc.public_subnets
34 | )
35 | }
36 |
37 | depends_on = [aws_iam_role_policy_attachment.eks_amazon_eks_cluster_policy]
38 | }
Check: CKV_AWS_37: "Ensure Amazon EKS control plane logging enabled for all log types"
FAILED for resource: aws_eks_cluster.this
File: /lessons/167/terraform/3-eks.tf:25-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-4.html
25 | resource "aws_eks_cluster" "this" {
26 | name = var.eks_cluster_name
27 | version = "1.27"
28 | role_arn = aws_iam_role.eks.arn
29 |
30 | vpc_config {
31 | subnet_ids = concat(
32 | module.vpc.private_subnets,
33 | module.vpc.public_subnets
34 | )
35 | }
36 |
37 | depends_on = [aws_iam_role_policy_attachment.eks_amazon_eks_cluster_policy]
38 | }
Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
FAILED for resource: aws_eks_cluster.this
File: /lessons/167/terraform/3-eks.tf:25-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
25 | resource "aws_eks_cluster" "this" {
26 | name = var.eks_cluster_name
27 | version = "1.27"
28 | role_arn = aws_iam_role.eks.arn
29 |
30 | vpc_config {
31 | subnet_ids = concat(
32 | module.vpc.private_subnets,
33 | module.vpc.public_subnets
34 | )
35 | }
36 |
37 | depends_on = [aws_iam_role_policy_attachment.eks_amazon_eks_cluster_policy]
38 | }
Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
FAILED for resource: aws_eks_cluster.this
File: /lessons/167/terraform/3-eks.tf:25-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
25 | resource "aws_eks_cluster" "this" {
26 | name = var.eks_cluster_name
27 | version = "1.27"
28 | role_arn = aws_iam_role.eks.arn
29 |
30 | vpc_config {
31 | subnet_ids = concat(
32 | module.vpc.private_subnets,
33 | module.vpc.public_subnets
34 | )
35 | }
36 |
37 | depends_on = [aws_iam_role_policy_attachment.eks_amazon_eks_cluster_policy]
38 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group_rule.allow_web
File: /lessons/167/terraform/5-sg.tf:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
1 | resource "aws_security_group_rule" "allow_web" {
2 | type = "ingress"
3 | from_port = 80
4 | to_port = 80
5 | protocol = "tcp"
6 | cidr_blocks = ["0.0.0.0/0"]
7 | security_group_id = aws_eks_cluster.this.vpc_config[0].cluster_security_group_id
8 | }
Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
FAILED for resource: aws_security_group_rule.allow_web
File: /lessons/167/terraform/5-sg.tf:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
1 | resource "aws_security_group_rule" "allow_web" {
2 | type = "ingress"
3 | from_port = 80
4 | to_port = 80
5 | protocol = "tcp"
6 | cidr_blocks = ["0.0.0.0/0"]
7 | security_group_id = aws_eks_cluster.this.vpc_config[0].cluster_security_group_id
8 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group_rule.allow_web_node_port
File: /lessons/167/terraform/5-sg.tf:10-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
10 | resource "aws_security_group_rule" "allow_web_node_port" {
11 | type = "ingress"
12 | from_port = 30010
13 | to_port = 30010
14 | protocol = "tcp"
15 | cidr_blocks = ["0.0.0.0/0"]
16 | security_group_id = aws_eks_cluster.this.vpc_config[0].cluster_security_group_id
17 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.public_zone1
File: /lessons/175/terraform/4-subnets.tf:25-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
25 | resource "aws_subnet" "public_zone1" {
26 | vpc_id = aws_vpc.main.id
27 | cidr_block = "10.0.64.0/19"
28 | availability_zone = local.zone1
29 | map_public_ip_on_launch = true
30 |
31 | tags = {
32 | "Name" = "${local.env}-public-${local.zone1}"
33 | "kubernetes.io/role/elb" = "1"
34 | "kubernetes.io/cluster/${local.env}-${local.eks_name}" = "owned"
35 | }
36 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.public_zone2
File: /lessons/175/terraform/4-subnets.tf:38-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
38 | resource "aws_subnet" "public_zone2" {
39 | vpc_id = aws_vpc.main.id
40 | cidr_block = "10.0.96.0/19"
41 | availability_zone = local.zone2
42 | map_public_ip_on_launch = true
43 |
44 | tags = {
45 | "Name" = "${local.env}-public-${local.zone2}"
46 | "kubernetes.io/role/elb" = "1"
47 | "kubernetes.io/cluster/${local.env}-${local.eks_name}" = "owned"
48 | }
49 | }
Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
FAILED for resource: aws_eks_cluster.eks
File: /lessons/175/terraform/7-eks.tf:25-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
25 | resource "aws_eks_cluster" "eks" {
26 | name = "${local.env}-${local.eks_name}"
27 | version = local.eks_version
28 | role_arn = aws_iam_role.eks.arn
29 |
30 | vpc_config {
31 | endpoint_private_access = false
32 | endpoint_public_access = true
33 |
34 | subnet_ids = [
35 | aws_subnet.private_zone1.id,
36 | aws_subnet.private_zone2.id
37 | ]
38 | }
39 |
40 | depends_on = [aws_iam_role_policy_attachment.eks]
41 | }
Check: CKV_AWS_37: "Ensure Amazon EKS control plane logging enabled for all log types"
FAILED for resource: aws_eks_cluster.eks
File: /lessons/175/terraform/7-eks.tf:25-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-4.html
25 | resource "aws_eks_cluster" "eks" {
26 | name = "${local.env}-${local.eks_name}"
27 | version = local.eks_version
28 | role_arn = aws_iam_role.eks.arn
29 |
30 | vpc_config {
31 | endpoint_private_access = false
32 | endpoint_public_access = true
33 |
34 | subnet_ids = [
35 | aws_subnet.private_zone1.id,
36 | aws_subnet.private_zone2.id
37 | ]
38 | }
39 |
40 | depends_on = [aws_iam_role_policy_attachment.eks]
41 | }
Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
FAILED for resource: aws_eks_cluster.eks
File: /lessons/175/terraform/7-eks.tf:25-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
25 | resource "aws_eks_cluster" "eks" {
26 | name = "${local.env}-${local.eks_name}"
27 | version = local.eks_version
28 | role_arn = aws_iam_role.eks.arn
29 |
30 | vpc_config {
31 | endpoint_private_access = false
32 | endpoint_public_access = true
33 |
34 | subnet_ids = [
35 | aws_subnet.private_zone1.id,
36 | aws_subnet.private_zone2.id
37 | ]
38 | }
39 |
40 | depends_on = [aws_iam_role_policy_attachment.eks]
41 | }
Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
FAILED for resource: aws_eks_cluster.eks
File: /lessons/175/terraform/7-eks.tf:25-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
25 | resource "aws_eks_cluster" "eks" {
26 | name = "${local.env}-${local.eks_name}"
27 | version = local.eks_version
28 | role_arn = aws_iam_role.eks.arn
29 |
30 | vpc_config {
31 | endpoint_private_access = false
32 | endpoint_public_access = true
33 |
34 | subnet_ids = [
35 | aws_subnet.private_zone1.id,
36 | aws_subnet.private_zone2.id
37 | ]
38 | }
39 |
40 | depends_on = [aws_iam_role_policy_attachment.eks]
41 | }
Check: CKV2_GCP_18: "Ensure GCP network defines a firewall and does not use the default firewall"
FAILED for resource: google_compute_network.main
File: /lessons/120/terraform/2-vpc.tf:9-16
9 | resource "google_compute_network" "main" {
10 | name = "main"
11 | routing_mode = "REGIONAL"
12 | auto_create_subnetworks = false
13 | delete_default_routes_on_create = true
14 |
15 | depends_on = [google_project_service.compute]
16 | }
Check: CKV2_GCP_18: "Ensure GCP network defines a firewall and does not use the default firewall"
FAILED for resource: google_compute_network.main
File: /lessons/132/terraform/2-vpc.tf:1-10
1 | resource "google_compute_network" "main" {
2 | name = "main"
3 | routing_mode = "REGIONAL"
4 | auto_create_subnetworks = false
5 | delete_default_routes_on_create = true
6 |
7 | depends_on = [
8 | google_project_service.api
9 | ]
10 | }
Check: CKV2_GCP_5: "Ensure that Cloud Audit Logging is configured properly across all services and all users from a project"
FAILED for resource: google_project.host-staging
File: /lessons/069/terraform/2-projects.tf:2-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/ensure-that-cloud-audit-logging-is-configured-properly-across-all-services-and-all-users-from-a-project.html
2 | resource "google_project" "host-staging" {
3 | name = local.host_project_name
4 | project_id = local.host_project_id
5 | billing_account = local.billing_account
6 | org_id = local.org_id
7 | auto_create_network = false
8 | }
Check: CKV2_GCP_5: "Ensure that Cloud Audit Logging is configured properly across all services and all users from a project"
FAILED for resource: google_project.k8s-staging
File: /lessons/069/terraform/2-projects.tf:11-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/ensure-that-cloud-audit-logging-is-configured-properly-across-all-services-and-all-users-from-a-project.html
11 | resource "google_project" "k8s-staging" {
12 | name = local.service_project_name
13 | project_id = local.service_project_id
14 | billing_account = local.billing_account
15 | org_id = local.org_id
16 | auto_create_network = false
17 | }
Check: CKV2_GCP_5: "Ensure that Cloud Audit Logging is configured properly across all services and all users from a project"
FAILED for resource: google_project.antonputra_host
File: /lessons/148/terraform/1-projects.tf:5-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/ensure-that-cloud-audit-logging-is-configured-properly-across-all-services-and-all-users-from-a-project.html
5 | resource "google_project" "antonputra_host" {
6 | name = "antonputra-host"
7 | project_id = "antonputra-host-${random_id.lesson_id.dec}"
8 | billing_account = "01FDA3-9697F3-6F05B8"
9 | org_id = "206720471760"
10 | auto_create_network = false
11 | }
Check: CKV2_GCP_5: "Ensure that Cloud Audit Logging is configured properly across all services and all users from a project"
FAILED for resource: google_project.antonputra_service
File: /lessons/148/terraform/1-projects.tf:13-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/ensure-that-cloud-audit-logging-is-configured-properly-across-all-services-and-all-users-from-a-project.html
13 | resource "google_project" "antonputra_service" {
14 | name = "antonputra-service"
15 | project_id = "antonputra-service-${random_id.lesson_id.dec}"
16 | billing_account = "01FDA3-9697F3-6F05B8"
17 | org_id = "206720471760"
18 | auto_create_network = false
19 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.lambda_bucket
File: /lessons/115/terraform/1-lambda-bucket.tf:6-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
6 | resource "aws_s3_bucket" "lambda_bucket" {
7 | bucket = random_pet.lambda_bucket_name.id
8 | force_destroy = true
9 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.test
File: /lessons/115/terraform/5-test-bucket.tf:6-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
6 | resource "aws_s3_bucket" "test" {
7 | bucket = random_pet.test_bucket_name.id
8 | force_destroy = true
9 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.lambda_bucket
File: /lessons/117/terraform/2-lambda-bucket.tf:6-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
6 | resource "aws_s3_bucket" "lambda_bucket" {
7 | bucket = random_pet.lambda_bucket_name.id
8 | force_destroy = true
9 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.lambda_bucket
File: /lessons/122/terraform/8-lambda-bucket.tf:8-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
8 | resource "aws_s3_bucket" "lambda_bucket" {
9 | bucket = random_pet.lambda_bucket_name.id
10 | force_destroy = true
11 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.lambda_bucket
File: /lessons/124/terraform/1-lambda-bucket.tf:8-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
8 | resource "aws_s3_bucket" "lambda_bucket" {
9 | bucket = random_pet.lambda_bucket_name.id
10 | force_destroy = true
11 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.images_bucket
File: /lessons/124/terraform/2-images-bucket.tf:8-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
8 | resource "aws_s3_bucket" "images_bucket" {
9 | bucket = random_pet.images_bucket_name.id
10 | force_destroy = true
11 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.lambda_bucket
File: /lessons/126/terraform/1-lambda-bucket.tf:8-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
8 | resource "aws_s3_bucket" "lambda_bucket" {
9 | bucket = random_pet.lambda_bucket_name.id
10 | force_destroy = true
11 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.images_bucket
File: /lessons/126/terraform/2-images-bucket.tf:8-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
8 | resource "aws_s3_bucket" "images_bucket" {
9 | bucket = random_pet.images_bucket_name.id
10 | force_destroy = true
11 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.lambda_bucket
File: /lessons/128/terraform/1-lambda-bucket.tf:8-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
8 | resource "aws_s3_bucket" "lambda_bucket" {
9 | bucket = random_pet.lambda_bucket_name.id
10 | force_destroy = true
11 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.images_bucket
File: /lessons/128/terraform/2-images-bucket.tf:7-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
7 | resource "aws_s3_bucket" "images_bucket" {
8 | bucket = "images-${random_id.server.hex}"
9 | force_destroy = true
10 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.functions
File: /lessons/129/terraform/1-aws-buckets.tf:2-5
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
2 | resource "aws_s3_bucket" "functions" {
3 | bucket = "functions-${random_id.lesson.hex}"
4 | force_destroy = true
5 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.images
File: /lessons/129/terraform/1-aws-buckets.tf:18-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
18 | resource "aws_s3_bucket" "images" {
19 | bucket = "images-${random_id.lesson.hex}"
20 | force_destroy = true
21 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.lambda_bucket
File: /lessons/131/terraform/11-lambda-bucket.tf:8-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
8 | resource "aws_s3_bucket" "lambda_bucket" {
9 | bucket = random_pet.lambda_bucket_name.id
10 | force_destroy = true
11 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.terraform_state
File: /lessons/165/1-example/main.tf:5-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
5 | resource "aws_s3_bucket" "terraform_state" {
6 | bucket = "antonputra-terraform-state"
7 |
8 | lifecycle {
9 | prevent_destroy = true
10 | }
11 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.terraform_state
File: /lessons/165/global/s3/main.tf:5-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
5 | resource "aws_s3_bucket" "terraform_state" {
6 | bucket = "antonputra-terraform-state"
7 |
8 | lifecycle {
9 | prevent_destroy = true
10 | }
11 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.lambda_bucket
File: /lessons/115/terraform/1-lambda-bucket.tf:6-9
6 | resource "aws_s3_bucket" "lambda_bucket" {
7 | bucket = random_pet.lambda_bucket_name.id
8 | force_destroy = true
9 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.test
File: /lessons/115/terraform/5-test-bucket.tf:6-9
6 | resource "aws_s3_bucket" "test" {
7 | bucket = random_pet.test_bucket_name.id
8 | force_destroy = true
9 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.lambda_bucket
File: /lessons/117/terraform/2-lambda-bucket.tf:6-9
6 | resource "aws_s3_bucket" "lambda_bucket" {
7 | bucket = random_pet.lambda_bucket_name.id
8 | force_destroy = true
9 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.lambda_bucket
File: /lessons/122/terraform/8-lambda-bucket.tf:8-11
8 | resource "aws_s3_bucket" "lambda_bucket" {
9 | bucket = random_pet.lambda_bucket_name.id
10 | force_destroy = true
11 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.lambda_bucket
File: /lessons/124/terraform/1-lambda-bucket.tf:8-11
8 | resource "aws_s3_bucket" "lambda_bucket" {
9 | bucket = random_pet.lambda_bucket_name.id
10 | force_destroy = true
11 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.images_bucket
File: /lessons/124/terraform/2-images-bucket.tf:8-11
8 | resource "aws_s3_bucket" "images_bucket" {
9 | bucket = random_pet.images_bucket_name.id
10 | force_destroy = true
11 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.lambda_bucket
File: /lessons/126/terraform/1-lambda-bucket.tf:8-11
8 | resource "aws_s3_bucket" "lambda_bucket" {
9 | bucket = random_pet.lambda_bucket_name.id
10 | force_destroy = true
11 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.images_bucket
File: /lessons/126/terraform/2-images-bucket.tf:8-11
8 | resource "aws_s3_bucket" "images_bucket" {
9 | bucket = random_pet.images_bucket_name.id
10 | force_destroy = true
11 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.lambda_bucket
File: /lessons/128/terraform/1-lambda-bucket.tf:8-11
8 | resource "aws_s3_bucket" "lambda_bucket" {
9 | bucket = random_pet.lambda_bucket_name.id
10 | force_destroy = true
11 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.images_bucket
File: /lessons/128/terraform/2-images-bucket.tf:7-10
7 | resource "aws_s3_bucket" "images_bucket" {
8 | bucket = "images-${random_id.server.hex}"
9 | force_destroy = true
10 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.functions
File: /lessons/129/terraform/1-aws-buckets.tf:2-5
2 | resource "aws_s3_bucket" "functions" {
3 | bucket = "functions-${random_id.lesson.hex}"
4 | force_destroy = true
5 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.images
File: /lessons/129/terraform/1-aws-buckets.tf:18-21
18 | resource "aws_s3_bucket" "images" {
19 | bucket = "images-${random_id.lesson.hex}"
20 | force_destroy = true
21 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.lambda_bucket
File: /lessons/131/terraform/11-lambda-bucket.tf:8-11
8 | resource "aws_s3_bucket" "lambda_bucket" {
9 | bucket = random_pet.lambda_bucket_name.id
10 | force_destroy = true
11 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.terraform_state
File: /lessons/165/1-example/main.tf:5-11
5 | resource "aws_s3_bucket" "terraform_state" {
6 | bucket = "antonputra-terraform-state"
7 |
8 | lifecycle {
9 | prevent_destroy = true
10 | }
11 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.terraform_state
File: /lessons/165/global/s3/main.tf:5-11
5 | resource "aws_s3_bucket" "terraform_state" {
6 | bucket = "antonputra-terraform-state"
7 |
8 | lifecycle {
9 | prevent_destroy = true
10 | }
11 | }
Check: CKV2_AWS_16: "Ensure that Auto Scaling is enabled on your DynamoDB tables"
FAILED for resource: aws_dynamodb_table.meta
File: /lessons/124/terraform/3-dynamodb.tf:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-auto-scaling-is-enabled-on-your-dynamodb-tables.html
1 | resource "aws_dynamodb_table" "meta" {
2 | name = "Meta"
3 | billing_mode = "PROVISIONED"
4 | read_capacity = 5
5 | write_capacity = 5
6 | hash_key = "LastModified"
7 |
8 | attribute {
9 | name = "LastModified"
10 | type = "S"
11 | }
12 | }
Check: CKV2_AWS_16: "Ensure that Auto Scaling is enabled on your DynamoDB tables"
FAILED for resource: aws_dynamodb_table.meta
File: /lessons/126/terraform/3-dynamodb.tf:2-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-auto-scaling-is-enabled-on-your-dynamodb-tables.html
2 | resource "aws_dynamodb_table" "meta" {
3 | name = "Meta"
4 | billing_mode = "PROVISIONED"
5 | read_capacity = 5
6 | write_capacity = 1000
7 | hash_key = "LastModified"
8 |
9 | attribute {
10 | name = "LastModified"
11 | type = "S"
12 | }
13 | }
Check: CKV2_AWS_16: "Ensure that Auto Scaling is enabled on your DynamoDB tables"
FAILED for resource: aws_dynamodb_table.images
File: /lessons/128/terraform/3-dynamodb.tf:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-auto-scaling-is-enabled-on-your-dynamodb-tables.html
1 | resource "aws_dynamodb_table" "images" {
2 | name = "images"
3 | billing_mode = "PROVISIONED"
4 | read_capacity = 5
5 | write_capacity = 100
6 | hash_key = "last_modified_date"
7 |
8 | attribute {
9 | name = "last_modified_date"
10 | type = "S"
11 | }
12 | }
Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
FAILED for resource: aws_db_instance.mydb
File: /lessons/162/1-part/3-rds.tf:1-14
1 | resource "aws_db_instance" "mydb" {
2 | db_name = "mydb"
3 | engine = "postgres"
4 | engine_version = "15"
5 | instance_class = "db.t4g.micro"
6 | allocated_storage = 10
7 |
8 | publicly_accessible = true
9 | skip_final_snapshot = true
10 | db_subnet_group_name = aws_db_subnet_group.public.name
11 |
12 | username = "root"
13 | password = "devops123"
14 | }
Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
FAILED for resource: aws_db_instance.mydb
File: /lessons/162/2-part/3-rds.tf:1-14
1 | resource "aws_db_instance" "mydb" {
2 | db_name = "mydb"
3 | engine = "postgres"
4 | engine_version = "15"
5 | instance_class = "db.t4g.micro"
6 | allocated_storage = 10
7 |
8 | publicly_accessible = true
9 | skip_final_snapshot = true
10 | db_subnet_group_name = aws_db_subnet_group.public.name
11 |
12 | username = var.username
13 | password = var.password
14 | }
Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
FAILED for resource: aws_db_instance.mydb
File: /lessons/162/3-part/3-rds.tf:12-25
12 | resource "aws_db_instance" "mydb" {
13 | db_name = "mydb"
14 | engine = "postgres"
15 | engine_version = "15"
16 | instance_class = "db.t4g.micro"
17 | allocated_storage = 10
18 |
19 | publicly_accessible = true
20 | skip_final_snapshot = true
21 | db_subnet_group_name = aws_db_subnet_group.public.name
22 |
23 | username = local.db_creds.username
24 | password = local.db_creds.password
25 | }
Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
FAILED for resource: aws_db_instance.mydb
File: /lessons/162/5-part/3-rds.tf:11-24
11 | resource "aws_db_instance" "mydb" {
12 | db_name = "mydb"
13 | engine = "postgres"
14 | engine_version = "15"
15 | instance_class = "db.t4g.micro"
16 | allocated_storage = 10
17 |
18 | publicly_accessible = true
19 | skip_final_snapshot = true
20 | db_subnet_group_name = aws_db_subnet_group.public.name
21 |
22 | username = local.db_creds.username
23 | password = local.db_creds.password
24 | }
Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
FAILED for resource: aws_db_instance.mydb
File: /lessons/165/infra/main.tf:10-22
10 | resource "aws_db_instance" "mydb" {
11 | db_name = "mydb"
12 | engine = "postgres"
13 | engine_version = "15"
14 | instance_class = "db.t4g.micro"
15 | allocated_storage = 10
16 |
17 | publicly_accessible = true
18 | skip_final_snapshot = true
19 |
20 | username = "root"
21 | password = "devops123"
22 | }
Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
FAILED for resource: aws_db_instance.mydb
File: /lessons/165/staging/data-stores/postgres/main.tf:11-23
11 | resource "aws_db_instance" "mydb" {
12 | db_name = "mydb"
13 | engine = "postgres"
14 | engine_version = "15"
15 | instance_class = "db.t4g.micro"
16 | allocated_storage = 10
17 |
18 | skip_final_snapshot = true
19 | publicly_accessible = true
20 |
21 | username = var.username
22 | password = var.password
23 | }
Check: CKV2_AWS_44: "Ensure AWS route table with VPC peering does not contain routes overly permissive to all traffic"
FAILED for resource: aws_route_table.private
File: /lessons/089/terraform/5-routes.tf:3-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-route-table-with-vpc-peering-does-not-contain-routes-overly-permissive-to-all-traffic.html
3 | resource "aws_route_table" "private" {
4 | vpc_id = aws_vpc.main.id
5 |
6 | route = [
7 | {
8 | cidr_block = "0.0.0.0/0"
9 | nat_gateway_id = aws_nat_gateway.nat.id
10 | carrier_gateway_id = ""
11 | destination_prefix_list_id = ""
12 | egress_only_gateway_id = ""
13 | gateway_id = ""
14 | instance_id = ""
15 | ipv6_cidr_block = ""
16 | local_gateway_id = ""
17 | network_interface_id = ""
18 | transit_gateway_id = ""
19 | vpc_endpoint_id = ""
20 | vpc_peering_connection_id = ""
21 | },
22 | ]
23 |
24 | tags = {
25 | Name = "private"
26 | }
27 | }
Check: CKV2_AWS_44: "Ensure AWS route table with VPC peering does not contain routes overly permissive to all traffic"
FAILED for resource: aws_route_table.public
File: /lessons/089/terraform/5-routes.tf:29-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-route-table-with-vpc-peering-does-not-contain-routes-overly-permissive-to-all-traffic.html
29 | resource "aws_route_table" "public" {
30 | vpc_id = aws_vpc.main.id
31 |
32 | route = [
33 | {
34 | cidr_block = "0.0.0.0/0"
35 | gateway_id = aws_internet_gateway.igw.id
36 | nat_gateway_id = ""
37 | carrier_gateway_id = ""
38 | destination_prefix_list_id = ""
39 | egress_only_gateway_id = ""
40 | instance_id = ""
41 | ipv6_cidr_block = ""
42 | local_gateway_id = ""
43 | network_interface_id = ""
44 | transit_gateway_id = ""
45 | vpc_endpoint_id = ""
46 | vpc_peering_connection_id = ""
47 | },
48 | ]
49 |
50 | tags = {
51 | Name = "public"
52 | }
53 | }
Check: CKV2_AWS_44: "Ensure AWS route table with VPC peering does not contain routes overly permissive to all traffic"
FAILED for resource: aws_route_table.private
File: /lessons/090/terraform/5-routes.tf:3-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-route-table-with-vpc-peering-does-not-contain-routes-overly-permissive-to-all-traffic.html
3 | resource "aws_route_table" "private" {
4 | vpc_id = aws_vpc.main.id
5 |
6 | route = [
7 | {
8 | cidr_block = "0.0.0.0/0"
9 | nat_gateway_id = aws_nat_gateway.nat.id
10 | carrier_gateway_id = ""
11 | destination_prefix_list_id = ""
12 | egress_only_gateway_id = ""
13 | gateway_id = ""
14 | instance_id = ""
15 | ipv6_cidr_block = ""
16 | local_gateway_id = ""
17 | network_interface_id = ""
18 | transit_gateway_id = ""
19 | vpc_endpoint_id = ""
20 | vpc_peering_connection_id = ""
21 | },
22 | ]
23 |
24 | tags = {
25 | Name = "private"
26 | }
27 | }
Check: CKV2_AWS_44: "Ensure AWS route table with VPC peering does not contain routes overly permissive to all traffic"
FAILED for resource: aws_route_table.public
File: /lessons/090/terraform/5-routes.tf:29-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-route-table-with-vpc-peering-does-not-contain-routes-overly-permissive-to-all-traffic.html
29 | resource "aws_route_table" "public" {
30 | vpc_id = aws_vpc.main.id
31 |
32 | route = [
33 | {
34 | cidr_block = "0.0.0.0/0"
35 | gateway_id = aws_internet_gateway.igw.id
36 | nat_gateway_id = ""
37 | carrier_gateway_id = ""
38 | destination_prefix_list_id = ""
39 | egress_only_gateway_id = ""
40 | instance_id = ""
41 | ipv6_cidr_block = ""
42 | local_gateway_id = ""
43 | network_interface_id = ""
44 | transit_gateway_id = ""
45 | vpc_endpoint_id = ""
46 | vpc_peering_connection_id = ""
47 | },
48 | ]
49 |
50 | tags = {
51 | Name = "public"
52 | }
53 | }
Check: CKV2_AWS_44: "Ensure AWS route table with VPC peering does not contain routes overly permissive to all traffic"
FAILED for resource: aws_route_table.private
File: /lessons/091/terraform/5-routes.tf:3-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-route-table-with-vpc-peering-does-not-contain-routes-overly-permissive-to-all-traffic.html
3 | resource "aws_route_table" "private" {
4 | vpc_id = aws_vpc.main.id
5 |
6 | route = [
7 | {
8 | cidr_block = "0.0.0.0/0"
9 | nat_gateway_id = aws_nat_gateway.nat.id
10 | carrier_gateway_id = ""
11 | destination_prefix_list_id = ""
12 | egress_only_gateway_id = ""
13 | gateway_id = ""
14 | instance_id = ""
15 | ipv6_cidr_block = ""
16 | local_gateway_id = ""
17 | network_interface_id = ""
18 | transit_gateway_id = ""
19 | vpc_endpoint_id = ""
20 | vpc_peering_connection_id = ""
21 | },
22 | ]
23 |
24 | tags = {
25 | Name = "private"
26 | }
27 | }
Check: CKV2_AWS_44: "Ensure AWS route table with VPC peering does not contain routes overly permissive to all traffic"
FAILED for resource: aws_route_table.public
File: /lessons/091/terraform/5-routes.tf:29-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-route-table-with-vpc-peering-does-not-contain-routes-overly-permissive-to-all-traffic.html
29 | resource "aws_route_table" "public" {
30 | vpc_id = aws_vpc.main.id
31 |
32 | route = [
33 | {
34 | cidr_block = "0.0.0.0/0"
35 | gateway_id = aws_internet_gateway.igw.id
36 | nat_gateway_id = ""
37 | carrier_gateway_id = ""
38 | destination_prefix_list_id = ""
39 | egress_only_gateway_id = ""
40 | instance_id = ""
41 | ipv6_cidr_block = ""
42 | local_gateway_id = ""
43 | network_interface_id = ""
44 | transit_gateway_id = ""
45 | vpc_endpoint_id = ""
46 | vpc_peering_connection_id = ""
47 | },
48 | ]
49 |
50 | tags = {
51 | Name = "public"
52 | }
53 | }
Check: CKV2_AWS_44: "Ensure AWS route table with VPC peering does not contain routes overly permissive to all traffic"
FAILED for resource: aws_route_table.private
File: /lessons/099/terraform/5-routes.tf:3-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-route-table-with-vpc-peering-does-not-contain-routes-overly-permissive-to-all-traffic.html
3 | resource "aws_route_table" "private" {
4 | vpc_id = aws_vpc.main.id
5 |
6 | route = [
7 | {
8 | cidr_block = "0.0.0.0/0"
9 | nat_gateway_id = aws_nat_gateway.nat.id
10 | carrier_gateway_id = ""
11 | destination_prefix_list_id = ""
12 | egress_only_gateway_id = ""
13 | gateway_id = ""
14 | instance_id = ""
15 | ipv6_cidr_block = ""
16 | local_gateway_id = ""
17 | network_interface_id = ""
18 | transit_gateway_id = ""
19 | vpc_endpoint_id = ""
20 | vpc_peering_connection_id = ""
21 | },
22 | ]
23 |
24 | tags = {
25 | Name = "private"
26 | }
27 | }
Check: CKV2_AWS_44: "Ensure AWS route table with VPC peering does not contain routes overly permissive to all traffic"
FAILED for resource: aws_route_table.public
File: /lessons/099/terraform/5-routes.tf:29-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-route-table-with-vpc-peering-does-not-contain-routes-overly-permissive-to-all-traffic.html
29 | resource "aws_route_table" "public" {
30 | vpc_id = aws_vpc.main.id
31 |
32 | route = [
33 | {
34 | cidr_block = "0.0.0.0/0"
35 | gateway_id = aws_internet_gateway.igw.id
36 | nat_gateway_id = ""
37 | carrier_gateway_id = ""
38 | destination_prefix_list_id = ""
39 | egress_only_gateway_id = ""
40 | instance_id = ""
41 | ipv6_cidr_block = ""
42 | local_gateway_id = ""
43 | network_interface_id = ""
44 | transit_gateway_id = ""
45 | vpc_endpoint_id = ""
46 | vpc_peering_connection_id = ""
47 | },
48 | ]
49 |
50 | tags = {
51 | Name = "public"
52 | }
53 | }
Check: CKV2_AWS_44: "Ensure AWS route table with VPC peering does not contain routes overly permissive to all traffic"
FAILED for resource: aws_route_table.private
File: /lessons/102/terraform/5-routes.tf:1-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-route-table-with-vpc-peering-does-not-contain-routes-overly-permissive-to-all-traffic.html
1 | resource "aws_route_table" "private" {
2 | vpc_id = aws_vpc.main.id
3 |
4 | route = [
5 | {
6 | cidr_block = "0.0.0.0/0"
7 | nat_gateway_id = aws_nat_gateway.nat.id
8 | carrier_gateway_id = ""
9 | destination_prefix_list_id = ""
10 | egress_only_gateway_id = ""
11 | gateway_id = ""
12 | instance_id = ""
13 | ipv6_cidr_block = ""
14 | local_gateway_id = ""
15 | network_interface_id = ""
16 | transit_gateway_id = ""
17 | vpc_endpoint_id = ""
18 | vpc_peering_connection_id = ""
19 | },
20 | ]
21 |
22 | tags = {
23 | Name = "private"
24 | }
25 | }
Check: CKV2_AWS_44: "Ensure AWS route table with VPC peering does not contain routes overly permissive to all traffic"
FAILED for resource: aws_route_table.public
File: /lessons/102/terraform/5-routes.tf:27-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-route-table-with-vpc-peering-does-not-contain-routes-overly-permissive-to-all-traffic.html
27 | resource "aws_route_table" "public" {
28 | vpc_id = aws_vpc.main.id
29 |
30 | route = [
31 | {
32 | cidr_block = "0.0.0.0/0"
33 | gateway_id = aws_internet_gateway.igw.id
34 | nat_gateway_id = ""
35 | carrier_gateway_id = ""
36 | destination_prefix_list_id = ""
37 | egress_only_gateway_id = ""
38 | instance_id = ""
39 | ipv6_cidr_block = ""
40 | local_gateway_id = ""
41 | network_interface_id = ""
42 | transit_gateway_id = ""
43 | vpc_endpoint_id = ""
44 | vpc_peering_connection_id = ""
45 | },
46 | ]
47 |
48 | tags = {
49 | Name = "public"
50 | }
51 | }
Check: CKV2_AWS_44: "Ensure AWS route table with VPC peering does not contain routes overly permissive to all traffic"
FAILED for resource: aws_route_table.public
File: /lessons/104/terraform/4-routes.tf:1-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-route-table-with-vpc-peering-does-not-contain-routes-overly-permissive-to-all-traffic.html
1 | resource "aws_route_table" "public" {
2 | vpc_id = aws_vpc.main.id
3 |
4 | route = [
5 | {
6 | cidr_block = "0.0.0.0/0"
7 | gateway_id = aws_internet_gateway.igw.id
8 | nat_gateway_id = ""
9 | carrier_gateway_id = ""
10 | destination_prefix_list_id = ""
11 | egress_only_gateway_id = ""
12 | instance_id = ""
13 | ipv6_cidr_block = ""
14 | local_gateway_id = ""
15 | network_interface_id = ""
16 | transit_gateway_id = ""
17 | vpc_endpoint_id = ""
18 | vpc_peering_connection_id = ""
19 | },
20 | ]
21 |
22 | tags = {
23 | Name = "public"
24 | }
25 | }
Check: CKV2_AWS_44: "Ensure AWS route table with VPC peering does not contain routes overly permissive to all traffic"
FAILED for resource: aws_route_table.private
File: /lessons/105/aws-terraform/5-routes.tf:1-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-route-table-with-vpc-peering-does-not-contain-routes-overly-permissive-to-all-traffic.html
1 | resource "aws_route_table" "private" {
2 | vpc_id = aws_vpc.main.id
3 |
4 | route = [
5 | {
6 | cidr_block = "0.0.0.0/0"
7 | nat_gateway_id = aws_nat_gateway.nat.id
8 | carrier_gateway_id = ""
9 | destination_prefix_list_id = ""
10 | egress_only_gateway_id = ""
11 | gateway_id = ""
12 | instance_id = ""
13 | ipv6_cidr_block = ""
14 | local_gateway_id = ""
15 | network_interface_id = ""
16 | transit_gateway_id = ""
17 | vpc_endpoint_id = ""
18 | vpc_peering_connection_id = ""
19 | },
20 | ]
21 |
22 | tags = {
23 | Name = "private"
24 | }
25 | }
Check: CKV2_AWS_44: "Ensure AWS route table with VPC peering does not contain routes overly permissive to all traffic"
FAILED for resource: aws_route_table.public
File: /lessons/105/aws-terraform/5-routes.tf:27-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-route-table-with-vpc-peering-does-not-contain-routes-overly-permissive-to-all-traffic.html
27 | resource "aws_route_table" "public" {
28 | vpc_id = aws_vpc.main.id
29 |
30 | route = [
31 | {
32 | cidr_block = "0.0.0.0/0"
33 | gateway_id = aws_internet_gateway.igw.id
34 | nat_gateway_id = ""
35 | carrier_gateway_id = ""
36 | destination_prefix_list_id = ""
37 | egress_only_gateway_id = ""
38 | instance_id = ""
39 | ipv6_cidr_block = ""
40 | local_gateway_id = ""
41 | network_interface_id = ""
42 | transit_gateway_id = ""
43 | vpc_endpoint_id = ""
44 | vpc_peering_connection_id = ""
45 | },
46 | ]
47 |
48 | tags = {
49 | Name = "public"
50 | }
51 | }
Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances"
FAILED for resource: aws_eip.nat1
File: /lessons/038/terraform/eips.tf:5-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances.html
5 | resource "aws_eip" "nat1" {
6 | # EIP may require IGW to exist prior to association.
7 | # Use depends_on to set an explicit dependency on the IGW.
8 | depends_on = [aws_internet_gateway.main]
9 | }
Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances"
FAILED for resource: aws_eip.nat2
File: /lessons/038/terraform/eips.tf:11-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances.html
11 | resource "aws_eip" "nat2" {
12 | # EIP may require IGW to exist prior to association.
13 | # Use depends_on to set an explicit dependency on the IGW.
14 | depends_on = [aws_internet_gateway.main]
15 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/020/main.tf:8-14
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
8 | resource "aws_vpc" "main" {
9 | cidr_block = "10.0.0.0/18"
10 |
11 | tags = {
12 | Name = "main"
13 | }
14 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/038/terraform/vpc.tf:4-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
4 | resource "aws_vpc" "main" {
5 | # The CIDR block for the VPC.
6 | cidr_block = "192.168.0.0/16"
7 |
8 | # Makes your instances shared on the host.
9 | instance_tenancy = "default"
10 |
11 | # Required for EKS. Enable/disable DNS support in the VPC.
12 | enable_dns_support = true
13 |
14 | # Required for EKS. Enable/disable DNS hostnames in the VPC.
15 | enable_dns_hostnames = true
16 |
17 | # Enable/disable ClassicLink for the VPC.
18 | enable_classiclink = false
19 |
20 | # Enable/disable ClassicLink DNS Support for the VPC.
21 | enable_classiclink_dns_support = false
22 |
23 | # Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC.
24 | assign_generated_ipv6_cidr_block = false
25 |
26 | # A map of tags to assign to the resource.
27 | tags = {
28 | Name = "main"
29 | }
30 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/089/terraform/1-vpc.tf:3-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
3 | resource "aws_vpc" "main" {
4 | cidr_block = "10.0.0.0/16"
5 |
6 | tags = {
7 | Name = "main"
8 | }
9 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/090/terraform/1-vpc.tf:3-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
3 | resource "aws_vpc" "main" {
4 | cidr_block = "10.0.0.0/16"
5 |
6 | tags = {
7 | Name = "main"
8 | }
9 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/091/terraform/1-vpc.tf:3-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
3 | resource "aws_vpc" "main" {
4 | cidr_block = "10.0.0.0/16"
5 |
6 | tags = {
7 | Name = "main"
8 | }
9 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/099/terraform/1-vpc.tf:3-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
3 | resource "aws_vpc" "main" {
4 | cidr_block = "10.0.0.0/16"
5 |
6 | tags = {
7 | Name = "main"
8 | }
9 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/102/terraform/1-vpc.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | tags = {
5 | Name = "main"
6 | }
7 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/104/terraform/1-vpc.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | tags = {
5 | Name = "main"
6 | }
7 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/105/aws-terraform/1-vpc.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | tags = {
5 | Name = "main"
6 | }
7 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/112/terraform/1-vpc.tf:1-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | enable_dns_hostnames = true
5 |
6 | tags = {
7 | Name = "main"
8 | }
9 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/113/terraform/1-vpc.tf:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | # Must be enabled for EFS
5 | enable_dns_support = true
6 | enable_dns_hostnames = true
7 |
8 | tags = {
9 | Name = "main"
10 | }
11 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/114/terraform/1-vpc.tf:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | # Must be enabled for EFS
5 | enable_dns_support = true
6 | enable_dns_hostnames = true
7 |
8 | tags = {
9 | Name = "main"
10 | }
11 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/116/terraform/1-vpc.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | tags = {
5 | Name = "main"
6 | }
7 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/118/terraform/1-vpc.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | enable_dns_support = true
5 | enable_dns_hostnames = true
6 |
7 | tags = {
8 | Name = "main"
9 | }
10 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/119/terraform/1-vpc.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | enable_dns_support = true
5 | enable_dns_hostnames = true
6 |
7 | tags = {
8 | Name = "main"
9 | }
10 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/121/terraform/1-vpc.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | enable_dns_support = true
5 | enable_dns_hostnames = true
6 |
7 | tags = {
8 | Name = "main"
9 | }
10 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/122/terraform/1-vpc.tf:2-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
2 | resource "aws_vpc" "main" {
3 | cidr_block = "10.0.0.0/16"
4 |
5 | enable_dns_support = true
6 | enable_dns_hostnames = true
7 |
8 | tags = {
9 | Name = "main"
10 | }
11 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/127/terraform/1-vpc.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | tags = {
5 | Name = "main"
6 | }
7 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/130/terraform/1-vpc.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | tags = {
5 | Name = "main"
6 | }
7 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/131/terraform/1-vpc.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | tags = {
5 | Name = "main"
6 | }
7 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/133/terraform/1-vpc.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | tags = {
5 | Name = "main"
6 | }
7 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/134/terraform/1-vpc.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | tags = {
5 | Name = "main"
6 | }
7 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/135/terraform/1-vpc.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | tags = {
5 | Name = "main"
6 | }
7 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/136/terraform/1-vpc.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | tags = {
5 | Name = "main"
6 | }
7 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/138/terraform/01-vpc.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | tags = {
5 | Name = "main"
6 | }
7 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/139/0-terraform/1-vpc.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | tags = {
5 | Name = "main"
6 | }
7 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/140/terraform/1-vpc.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | tags = {
5 | Name = "main"
6 | }
7 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/142/terraform/1-vpc.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | tags = {
5 | Name = "main"
6 | }
7 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/143/terraform/1-vpc.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | tags = {
5 | Name = "main"
6 | }
7 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/144/terraform/1-vpc.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | enable_dns_support = true
5 | enable_dns_hostnames = true
6 |
7 | tags = {
8 | Name = "main"
9 | }
10 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/145/terraform/1-vpc.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | enable_dns_support = true
5 | enable_dns_hostnames = true
6 |
7 | tags = {
8 | Name = "main"
9 | }
10 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/146/terraform/1-vpc.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | enable_dns_support = true
5 | enable_dns_hostnames = true
6 |
7 | tags = {
8 | Name = "main"
9 | }
10 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/147/terraform/1-vpc.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | enable_dns_support = true
5 | enable_dns_hostnames = true
6 |
7 | tags = {
8 | Name = "main"
9 | }
10 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/149/terraform/1-vpc.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | enable_dns_support = true
5 | enable_dns_hostnames = true
6 |
7 | tags = {
8 | Name = "main"
9 | }
10 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/150/terraform/1-vpc.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | enable_dns_support = true
5 | enable_dns_hostnames = true
6 |
7 | tags = {
8 | Name = "main"
9 | }
10 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/151/terraform/1-vpc.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | enable_dns_support = true
5 | enable_dns_hostnames = true
6 |
7 | tags = {
8 | Name = "main"
9 | }
10 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/152/terraform/1-vpc.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | enable_dns_support = true
5 | enable_dns_hostnames = true
6 |
7 | tags = {
8 | Name = "main"
9 | }
10 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/153/terraform/1-vpc.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | enable_dns_support = true
5 | enable_dns_hostnames = true
6 |
7 | tags = {
8 | Name = "main"
9 | }
10 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/154/terraform/1-vpc.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | enable_dns_support = true
5 | enable_dns_hostnames = true
6 |
7 | tags = {
8 | Name = "main"
9 | }
10 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/155/eks-terraform/1-vpc.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | enable_dns_support = true
5 | enable_dns_hostnames = true
6 |
7 | tags = {
8 | Name = "main"
9 | }
10 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/156/terraform/1-vpc.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | enable_dns_support = true
5 | enable_dns_hostnames = true
6 |
7 | tags = {
8 | Name = "main"
9 | }
10 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.this
File: /lessons/160/git-infrastructure-modules/vpc/1-vpc.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "this" {
2 | cidr_block = var.vpc_cidr_block
3 |
4 | enable_dns_support = true
5 | enable_dns_hostnames = true
6 |
7 | tags = {
8 | Name = "${var.env}-main"
9 | }
10 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/160/infrastructure-live-v1/dev/vpc/1-vpc.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | enable_dns_support = true
5 | enable_dns_hostnames = true
6 |
7 | tags = {
8 | Name = "dev-main"
9 | }
10 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/160/infrastructure-live-v1/staging/vpc/1-vpc.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | enable_dns_support = true
5 | enable_dns_hostnames = true
6 |
7 | tags = {
8 | Name = "staging-main"
9 | }
10 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: module.vpc.aws_vpc.this
File: /lessons/160/infrastructure-modules/vpc/1-vpc.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "this" {
2 | cidr_block = var.vpc_cidr_block
3 |
4 | enable_dns_support = true
5 | enable_dns_hostnames = true
6 |
7 | tags = {
8 | Name = "${var.env}-main"
9 | }
10 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/161/0-intro/declarative.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | tags = {
5 | Name = "staging-main"
6 | }
7 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/161/1-loop/1-count/vpc.tf:1-3
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/161/1-loop/2-for_each/vpc.tf:1-3
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/161/2-conditionals/2-if-else/vpc.tf:1-3
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: module.vpcs.aws_vpc.main
File: /lessons/161/modules/vpc/main.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | tags = {
5 | Name = "main"
6 | }
7 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: module.vpcs.aws_vpc.database[0]
File: /lessons/161/modules/vpc/main.tf:9-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
9 | resource "aws_vpc" "database" {
10 | count = var.enable_database_vpc ? 1 : 0
11 |
12 | cidr_block = "10.1.0.0/16"
13 |
14 | tags = {
15 | Name = "database"
16 | }
17 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/175/terraform/2-vpc.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | enable_dns_support = true
5 | enable_dns_hostnames = true
6 |
7 | tags = {
8 | Name = "${local.env}-main"
9 | }
10 | }
Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
FAILED for resource: aws_lb_listener.app
File: /lessons/063/main.tf:77-102
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-43.html
77 | resource "aws_lb_listener" "app" {
78 | load_balancer_arn = aws_lb.app.arn
79 | port = "80"
80 | protocol = "HTTP"
81 |
82 | default_action {
83 | type = "forward"
84 | # target_group_arn = aws_lb_target_group.blue.arn
85 | forward {
86 | target_group {
87 | arn = aws_lb_target_group.blue.arn
88 | weight = lookup(local.traffic_dist_map[var.traffic_distribution], "blue", 100)
89 | }
90 |
91 | target_group {
92 | arn = aws_lb_target_group.green.arn
93 | weight = lookup(local.traffic_dist_map[var.traffic_distribution], "green", 0)
94 | }
95 |
96 | stickiness {
97 | enabled = false
98 | duration = 1
99 | }
100 | }
101 | }
102 | }
Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
FAILED for resource: aws_lb_listener.http_eg1
File: /lessons/127/terraform/6-example-1.tf:145-154
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-43.html
145 | resource "aws_lb_listener" "http_eg1" {
146 | load_balancer_arn = aws_lb.my_app_eg1.arn
147 | port = "80"
148 | protocol = "HTTP"
149 |
150 | default_action {
151 | type = "forward"
152 | target_group_arn = aws_lb_target_group.my_app_eg1.arn
153 | }
154 | }
Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
FAILED for resource: aws_lb_listener.my_app_eg2_tls
File: /lessons/127/terraform/7-example-2.tf:218-231
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-43.html
218 | resource "aws_lb_listener" "my_app_eg2_tls" {
219 | load_balancer_arn = aws_lb.my_app_eg2.arn
220 | port = "443"
221 | protocol = "HTTPS"
222 | certificate_arn = aws_acm_certificate.api.arn
223 | ssl_policy = "ELBSecurityPolicy-2016-08"
224 |
225 | default_action {
226 | type = "forward"
227 | target_group_arn = aws_lb_target_group.my_app_eg2.arn
228 | }
229 |
230 | depends_on = [aws_acm_certificate_validation.api]
231 | }
Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
FAILED for resource: aws_lb_listener.http
File: /lessons/164/main.tf:87-102
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-43.html
87 | resource "aws_lb_listener" "http" {
88 | load_balancer_arn = aws_lb.example.arn
89 | port = 80
90 | protocol = "HTTP"
91 |
92 | # By default, it just shows a simple 404 page
93 | default_action {
94 | type = "fixed-response"
95 |
96 | fixed_response {
97 | content_type = "text/plain"
98 | message_body = "404: page not found"
99 | status_code = 404
100 | }
101 | }
102 | }
Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF"
FAILED for resource: aws_lb.app
File: /lessons/063/main.tf:64-73
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf.html
64 | resource "aws_lb" "app" {
65 | name = "app-lb"
66 | internal = false
67 | load_balancer_type = "application"
68 | subnets = [
69 | local.public_a_subnet_id,
70 | local.public_b_subnet_id
71 | ]
72 | security_groups = [aws_security_group.web.id]
73 | }
Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF"
FAILED for resource: aws_lb.my_app_eg1
File: /lessons/127/terraform/6-example-1.tf:127-143
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf.html
127 | resource "aws_lb" "my_app_eg1" {
128 | name = "my-app-eg1"
129 | internal = false
130 | load_balancer_type = "application"
131 | security_groups = [aws_security_group.alb_eg1.id]
132 |
133 | # access_logs {
134 | # bucket = "my-logs"
135 | # prefix = "my-app-lb"
136 | # enabled = true
137 | # }
138 |
139 | subnets = [
140 | aws_subnet.public_us_east_1a.id,
141 | aws_subnet.public_us_east_1b.id
142 | ]
143 | }
Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF"
FAILED for resource: aws_lb.my_app_eg2
File: /lessons/127/terraform/7-example-2.tf:141-151
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf.html
141 | resource "aws_lb" "my_app_eg2" {
142 | name = "my-app-eg2"
143 | internal = false
144 | load_balancer_type = "application"
145 | security_groups = [aws_security_group.alb_eg2.id]
146 |
147 | subnets = [
148 | aws_subnet.public_us_east_1a.id,
149 | aws_subnet.public_us_east_1b.id
150 | ]
151 | }
Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF"
FAILED for resource: aws_lb.example
File: /lessons/164/main.tf:80-85
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf.html
80 | resource "aws_lb" "example" {
81 | name = "web"
82 | load_balancer_type = "application"
83 | subnets = data.aws_subnets.default.ids
84 | security_groups = [aws_security_group.alb.id]
85 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: aws_s3_bucket.lambda_bucket
File: /lessons/115/terraform/1-lambda-bucket.tf:6-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
6 | resource "aws_s3_bucket" "lambda_bucket" {
7 | bucket = random_pet.lambda_bucket_name.id
8 | force_destroy = true
9 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: aws_s3_bucket.test
File: /lessons/115/terraform/5-test-bucket.tf:6-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
6 | resource "aws_s3_bucket" "test" {
7 | bucket = random_pet.test_bucket_name.id
8 | force_destroy = true
9 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: aws_s3_bucket.lambda_bucket
File: /lessons/117/terraform/2-lambda-bucket.tf:6-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
6 | resource "aws_s3_bucket" "lambda_bucket" {
7 | bucket = random_pet.lambda_bucket_name.id
8 | force_destroy = true
9 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: aws_s3_bucket.lambda_bucket
File: /lessons/122/terraform/8-lambda-bucket.tf:8-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
8 | resource "aws_s3_bucket" "lambda_bucket" {
9 | bucket = random_pet.lambda_bucket_name.id
10 | force_destroy = true
11 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: aws_s3_bucket.lambda_bucket
File: /lessons/124/terraform/1-lambda-bucket.tf:8-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
8 | resource "aws_s3_bucket" "lambda_bucket" {
9 | bucket = random_pet.lambda_bucket_name.id
10 | force_destroy = true
11 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: aws_s3_bucket.images_bucket
File: /lessons/124/terraform/2-images-bucket.tf:8-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
8 | resource "aws_s3_bucket" "images_bucket" {
9 | bucket = random_pet.images_bucket_name.id
10 | force_destroy = true
11 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: aws_s3_bucket.lambda_bucket
File: /lessons/126/terraform/1-lambda-bucket.tf:8-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
8 | resource "aws_s3_bucket" "lambda_bucket" {
9 | bucket = random_pet.lambda_bucket_name.id
10 | force_destroy = true
11 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: aws_s3_bucket.images_bucket
File: /lessons/126/terraform/2-images-bucket.tf:8-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
8 | resource "aws_s3_bucket" "images_bucket" {
9 | bucket = random_pet.images_bucket_name.id
10 | force_destroy = true
11 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: aws_s3_bucket.lambda_bucket
File: /lessons/128/terraform/1-lambda-bucket.tf:8-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
8 | resource "aws_s3_bucket" "lambda_bucket" {
9 | bucket = random_pet.lambda_bucket_name.id
10 | force_destroy = true
11 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: aws_s3_bucket.images_bucket
File: /lessons/128/terraform/2-images-bucket.tf:7-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
7 | resource "aws_s3_bucket" "images_bucket" {
8 | bucket = "images-${random_id.server.hex}"
9 | force_destroy = true
10 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: aws_s3_bucket.functions
File: /lessons/129/terraform/1-aws-buckets.tf:2-5
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
2 | resource "aws_s3_bucket" "functions" {
3 | bucket = "functions-${random_id.lesson.hex}"
4 | force_destroy = true
5 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: aws_s3_bucket.images
File: /lessons/129/terraform/1-aws-buckets.tf:18-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
18 | resource "aws_s3_bucket" "images" {
19 | bucket = "images-${random_id.lesson.hex}"
20 | force_destroy = true
21 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: aws_s3_bucket.lambda_bucket
File: /lessons/131/terraform/11-lambda-bucket.tf:8-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
8 | resource "aws_s3_bucket" "lambda_bucket" {
9 | bucket = random_pet.lambda_bucket_name.id
10 | force_destroy = true
11 | }
Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
FAILED for resource: aws_security_group.vpc_link
File: /lessons/116/terraform/9-integration.tf:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html
1 | resource "aws_security_group" "vpc_link" {
2 | name = "vpc-link"
3 | vpc_id = aws_vpc.main.id
4 |
5 | egress {
6 | from_port = 0
7 | to_port = 0
8 | protocol = "-1"
9 | cidr_blocks = ["0.0.0.0/0"]
10 | }
11 | }
Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
FAILED for resource: aws_security_group.web
File: /lessons/161/1-loop/1-count/sg.tf:1-18
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html
1 | resource "aws_security_group" "web" {
2 | name = "allow-web-access"
3 | vpc_id = aws_vpc.main.id
4 |
5 | ingress {
6 | from_port = 80
7 | to_port = 80
8 | protocol = "tcp"
9 | cidr_blocks = ["0.0.0.0/0"]
10 | }
11 |
12 | ingress {
13 | from_port = 443
14 | to_port = 443
15 | protocol = "tcp"
16 | cidr_blocks = ["0.0.0.0/0"]
17 | }
18 | }
Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
FAILED for resource: aws_security_group.vpc_link
File: /lessons/167/terraform/12-integration.tf:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html
1 | resource "aws_security_group" "vpc_link" {
2 | name = "vpc-link"
3 | vpc_id = module.vpc.vpc_id
4 |
5 | egress {
6 | from_port = 0
7 | to_port = 0
8 | protocol = "-1"
9 | cidr_blocks = ["0.0.0.0/0"]
10 | }
11 | }
Check: CKV2_AWS_39: "Ensure Domain Name System (DNS) query logging is enabled for Amazon Route 53 hosted zones"
FAILED for resource: aws_route53_zone.devops
File: /lessons/020/main.tf:163-166
163 | resource "aws_route53_zone" "devops" {
164 | name = "devopsbyexample.io"
165 | comment = ""
166 | }
Check: CKV2_AWS_39: "Ensure Domain Name System (DNS) query logging is enabled for Amazon Route 53 hosted zones"
FAILED for resource: aws_route53_zone.antonputra
File: /lessons/144/terraform/14.dns.tf:6-12
6 | resource "aws_route53_zone" "antonputra" {
7 | name = "antonputra.pvt"
8 |
9 | vpc {
10 | vpc_id = aws_vpc.main.id
11 | }
12 | }
Check: CKV2_AWS_39: "Ensure Domain Name System (DNS) query logging is enabled for Amazon Route 53 hosted zones"
FAILED for resource: aws_route53_zone.private
File: /lessons/145/terraform/13-private-dns.tf:6-12
6 | resource "aws_route53_zone" "private" {
7 | name = local.private_route53_zone
8 |
9 | vpc {
10 | vpc_id = aws_vpc.main.id
11 | }
12 | }
Check: CKV2_AWS_39: "Ensure Domain Name System (DNS) query logging is enabled for Amazon Route 53 hosted zones"
FAILED for resource: aws_route53_zone.antonputra_pvt
File: /lessons/146/terraform/14.dns.tf:2-8
2 | resource "aws_route53_zone" "antonputra_pvt" {
3 | name = "antonputra.pvt"
4 |
5 | vpc {
6 | vpc_id = aws_vpc.main.id
7 | }
8 | }
Check: CKV2_AWS_39: "Ensure Domain Name System (DNS) query logging is enabled for Amazon Route 53 hosted zones"
FAILED for resource: aws_route53_zone.private
File: /lessons/147/terraform/13-private-dns.tf:8-14
8 | resource "aws_route53_zone" "private" {
9 | name = local.private_route53_zone
10 |
11 | vpc {
12 | vpc_id = aws_vpc.main.id
13 | }
14 | }
Check: CKV2_AWS_39: "Ensure Domain Name System (DNS) query logging is enabled for Amazon Route 53 hosted zones"
FAILED for resource: aws_route53_zone.private
File: /lessons/149/terraform/13-private-dns.tf:6-12
6 | resource "aws_route53_zone" "private" {
7 | name = local.private_route53_zone
8 |
9 | vpc {
10 | vpc_id = aws_vpc.main.id
11 | }
12 | }
Check: CKV2_AWS_39: "Ensure Domain Name System (DNS) query logging is enabled for Amazon Route 53 hosted zones"
FAILED for resource: aws_route53_zone.private
File: /lessons/150/terraform/13-private-dns.tf:7-13
7 | resource "aws_route53_zone" "private" {
8 | name = local.private_route53_zone
9 |
10 | vpc {
11 | vpc_id = aws_vpc.main.id
12 | }
13 | }
Check: CKV2_AWS_39: "Ensure Domain Name System (DNS) query logging is enabled for Amazon Route 53 hosted zones"
FAILED for resource: aws_route53_zone.antonputra
File: /lessons/151/terraform/13.dns.tf:6-12
6 | resource "aws_route53_zone" "antonputra" {
7 | name = "antonputra.pvt"
8 |
9 | vpc {
10 | vpc_id = aws_vpc.main.id
11 | }
12 | }
Check: CKV2_AWS_39: "Ensure Domain Name System (DNS) query logging is enabled for Amazon Route 53 hosted zones"
FAILED for resource: aws_route53_zone.antonputra
File: /lessons/153/terraform/13.dns.tf:6-12
6 | resource "aws_route53_zone" "antonputra" {
7 | name = "antonputra.pvt"
8 |
9 | vpc {
10 | vpc_id = aws_vpc.main.id
11 | }
12 | }
Check: CKV2_AWS_20: "Ensure that ALB redirects HTTP requests into HTTPS ones"
FAILED for resource: aws_lb.app
File: /lessons/063/main.tf:64-73
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-redirects-http-requests-into-https-ones.html
64 | resource "aws_lb" "app" {
65 | name = "app-lb"
66 | internal = false
67 | load_balancer_type = "application"
68 | subnets = [
69 | local.public_a_subnet_id,
70 | local.public_b_subnet_id
71 | ]
72 | security_groups = [aws_security_group.web.id]
73 | }
Check: CKV2_AWS_20: "Ensure that ALB redirects HTTP requests into HTTPS ones"
FAILED for resource: aws_lb.my_app_eg1
File: /lessons/127/terraform/6-example-1.tf:127-143
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-redirects-http-requests-into-https-ones.html
127 | resource "aws_lb" "my_app_eg1" {
128 | name = "my-app-eg1"
129 | internal = false
130 | load_balancer_type = "application"
131 | security_groups = [aws_security_group.alb_eg1.id]
132 |
133 | # access_logs {
134 | # bucket = "my-logs"
135 | # prefix = "my-app-lb"
136 | # enabled = true
137 | # }
138 |
139 | subnets = [
140 | aws_subnet.public_us_east_1a.id,
141 | aws_subnet.public_us_east_1b.id
142 | ]
143 | }
Check: CKV2_AWS_20: "Ensure that ALB redirects HTTP requests into HTTPS ones"
FAILED for resource: aws_lb.example
File: /lessons/164/main.tf:80-85
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-redirects-http-requests-into-https-ones.html
80 | resource "aws_lb" "example" {
81 | name = "web"
82 | load_balancer_type = "application"
83 | subnets = data.aws_subnets.default.ids
84 | security_groups = [aws_security_group.alb.id]
85 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.lambda_bucket
File: /lessons/115/terraform/1-lambda-bucket.tf:6-9
6 | resource "aws_s3_bucket" "lambda_bucket" {
7 | bucket = random_pet.lambda_bucket_name.id
8 | force_destroy = true
9 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.test
File: /lessons/115/terraform/5-test-bucket.tf:6-9
6 | resource "aws_s3_bucket" "test" {
7 | bucket = random_pet.test_bucket_name.id
8 | force_destroy = true
9 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.lambda_bucket
File: /lessons/117/terraform/2-lambda-bucket.tf:6-9
6 | resource "aws_s3_bucket" "lambda_bucket" {
7 | bucket = random_pet.lambda_bucket_name.id
8 | force_destroy = true
9 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.lambda_bucket
File: /lessons/122/terraform/8-lambda-bucket.tf:8-11
8 | resource "aws_s3_bucket" "lambda_bucket" {
9 | bucket = random_pet.lambda_bucket_name.id
10 | force_destroy = true
11 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.lambda_bucket
File: /lessons/124/terraform/1-lambda-bucket.tf:8-11
8 | resource "aws_s3_bucket" "lambda_bucket" {
9 | bucket = random_pet.lambda_bucket_name.id
10 | force_destroy = true
11 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.images_bucket
File: /lessons/124/terraform/2-images-bucket.tf:8-11
8 | resource "aws_s3_bucket" "images_bucket" {
9 | bucket = random_pet.images_bucket_name.id
10 | force_destroy = true
11 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.lambda_bucket
File: /lessons/126/terraform/1-lambda-bucket.tf:8-11
8 | resource "aws_s3_bucket" "lambda_bucket" {
9 | bucket = random_pet.lambda_bucket_name.id
10 | force_destroy = true
11 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.images_bucket
File: /lessons/126/terraform/2-images-bucket.tf:8-11
8 | resource "aws_s3_bucket" "images_bucket" {
9 | bucket = random_pet.images_bucket_name.id
10 | force_destroy = true
11 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.lambda_bucket
File: /lessons/128/terraform/1-lambda-bucket.tf:8-11
8 | resource "aws_s3_bucket" "lambda_bucket" {
9 | bucket = random_pet.lambda_bucket_name.id
10 | force_destroy = true
11 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.images_bucket
File: /lessons/128/terraform/2-images-bucket.tf:7-10
7 | resource "aws_s3_bucket" "images_bucket" {
8 | bucket = "images-${random_id.server.hex}"
9 | force_destroy = true
10 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.functions
File: /lessons/129/terraform/1-aws-buckets.tf:2-5
2 | resource "aws_s3_bucket" "functions" {
3 | bucket = "functions-${random_id.lesson.hex}"
4 | force_destroy = true
5 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.images
File: /lessons/129/terraform/1-aws-buckets.tf:18-21
18 | resource "aws_s3_bucket" "images" {
19 | bucket = "images-${random_id.lesson.hex}"
20 | force_destroy = true
21 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.lambda_bucket
File: /lessons/131/terraform/11-lambda-bucket.tf:8-11
8 | resource "aws_s3_bucket" "lambda_bucket" {
9 | bucket = random_pet.lambda_bucket_name.id
10 | force_destroy = true
11 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.terraform_state
File: /lessons/165/1-example/main.tf:5-11
5 | resource "aws_s3_bucket" "terraform_state" {
6 | bucket = "antonputra-terraform-state"
7 |
8 | lifecycle {
9 | prevent_destroy = true
10 | }
11 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.terraform_state
File: /lessons/165/global/s3/main.tf:5-11
5 | resource "aws_s3_bucket" "terraform_state" {
6 | bucket = "antonputra-terraform-state"
7 |
8 | lifecycle {
9 | prevent_destroy = true
10 | }
11 | }
Check: CKV2_AWS_30: "Ensure Postgres RDS as aws_db_instance has Query Logging enabled"
FAILED for resource: aws_db_instance.mydb
File: /lessons/162/1-part/3-rds.tf:1-14
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-postgres-rds-has-query-logging-enabled.html
1 | resource "aws_db_instance" "mydb" {
2 | db_name = "mydb"
3 | engine = "postgres"
4 | engine_version = "15"
5 | instance_class = "db.t4g.micro"
6 | allocated_storage = 10
7 |
8 | publicly_accessible = true
9 | skip_final_snapshot = true
10 | db_subnet_group_name = aws_db_subnet_group.public.name
11 |
12 | username = "root"
13 | password = "devops123"
14 | }
Check: CKV2_AWS_30: "Ensure Postgres RDS as aws_db_instance has Query Logging enabled"
FAILED for resource: aws_db_instance.mydb
File: /lessons/162/2-part/3-rds.tf:1-14
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-postgres-rds-has-query-logging-enabled.html
1 | resource "aws_db_instance" "mydb" {
2 | db_name = "mydb"
3 | engine = "postgres"
4 | engine_version = "15"
5 | instance_class = "db.t4g.micro"
6 | allocated_storage = 10
7 |
8 | publicly_accessible = true
9 | skip_final_snapshot = true
10 | db_subnet_group_name = aws_db_subnet_group.public.name
11 |
12 | username = var.username
13 | password = var.password
14 | }
Check: CKV2_AWS_30: "Ensure Postgres RDS as aws_db_instance has Query Logging enabled"
FAILED for resource: aws_db_instance.mydb
File: /lessons/162/3-part/3-rds.tf:12-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-postgres-rds-has-query-logging-enabled.html
12 | resource "aws_db_instance" "mydb" {
13 | db_name = "mydb"
14 | engine = "postgres"
15 | engine_version = "15"
16 | instance_class = "db.t4g.micro"
17 | allocated_storage = 10
18 |
19 | publicly_accessible = true
20 | skip_final_snapshot = true
21 | db_subnet_group_name = aws_db_subnet_group.public.name
22 |
23 | username = local.db_creds.username
24 | password = local.db_creds.password
25 | }
Check: CKV2_AWS_30: "Ensure Postgres RDS as aws_db_instance has Query Logging enabled"
FAILED for resource: aws_db_instance.mydb
File: /lessons/162/5-part/3-rds.tf:11-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-postgres-rds-has-query-logging-enabled.html
11 | resource "aws_db_instance" "mydb" {
12 | db_name = "mydb"
13 | engine = "postgres"
14 | engine_version = "15"
15 | instance_class = "db.t4g.micro"
16 | allocated_storage = 10
17 |
18 | publicly_accessible = true
19 | skip_final_snapshot = true
20 | db_subnet_group_name = aws_db_subnet_group.public.name
21 |
22 | username = local.db_creds.username
23 | password = local.db_creds.password
24 | }
Check: CKV2_AWS_30: "Ensure Postgres RDS as aws_db_instance has Query Logging enabled"
FAILED for resource: aws_db_instance.mydb
File: /lessons/165/infra/main.tf:10-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-postgres-rds-has-query-logging-enabled.html
10 | resource "aws_db_instance" "mydb" {
11 | db_name = "mydb"
12 | engine = "postgres"
13 | engine_version = "15"
14 | instance_class = "db.t4g.micro"
15 | allocated_storage = 10
16 |
17 | publicly_accessible = true
18 | skip_final_snapshot = true
19 |
20 | username = "root"
21 | password = "devops123"
22 | }
Check: CKV2_AWS_30: "Ensure Postgres RDS as aws_db_instance has Query Logging enabled"
FAILED for resource: aws_db_instance.mydb
File: /lessons/165/staging/data-stores/postgres/main.tf:11-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-postgres-rds-has-query-logging-enabled.html
11 | resource "aws_db_instance" "mydb" {
12 | db_name = "mydb"
13 | engine = "postgres"
14 | engine_version = "15"
15 | instance_class = "db.t4g.micro"
16 | allocated_storage = 10
17 |
18 | skip_final_snapshot = true
19 | publicly_accessible = true
20 |
21 | username = var.username
22 | password = var.password
23 | }
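The three CKV2_AWS_30 findings above all describe the same resource shape: a PostgreSQL 15 `aws_db_instance` with no `parameter_group_name`, so nothing turns on statement logging. Two other things visible in the same snippets deserve attention while remediating: every instance sets `publicly_accessible = true`, and `/lessons/165/infra/main.tf` carries the master password as a literal (`password = "devops123"`). The block below is an added remediation example written for this report, not code from the antonputra/tutorials repository; the parameter-group name and the `var.username` input are assumptions (the latter mirrors the `/lessons/165/staging/...` variant). It attaches a parameter group setting the two PostgreSQL parameters this policy keys on (`log_statement = all`, `log_min_duration_statement = 0`), ships the log to CloudWatch, takes the instance off the public internet, and lets RDS generate and store the master password in Secrets Manager instead of Terraform state (`manage_master_user_password` needs a recent AWS provider, v5 or later to be safe).

```hcl
# Parameter group that turns on statement logging for PostgreSQL 15
# (added example; "mydb-postgres15-logging" is an assumed name).
resource "aws_db_parameter_group" "postgres_logging" {
  name   = "mydb-postgres15-logging"
  family = "postgres15"

  # Log every statement, not just DDL. Both parameters are dynamic,
  # so no reboot is required for them to take effect.
  parameter {
    name  = "log_statement"
    value = "all"
  }

  # 0 = log the duration of every statement, regardless of how long it took.
  parameter {
    name  = "log_min_duration_statement"
    value = "0"
  }
}

resource "aws_db_instance" "mydb" {
  db_name           = "mydb"
  engine            = "postgres"
  engine_version    = "15"
  instance_class    = "db.t4g.micro"
  allocated_storage = 10

  # Links the instance to the logging parameter group; checkov follows this
  # reference when evaluating CKV2_AWS_30.
  parameter_group_name = aws_db_parameter_group.postgres_logging.name

  # Without an export the statements only live on the RDS host; this makes
  # them searchable (and retainable) in CloudWatch Logs.
  enabled_cloudwatch_logs_exports = ["postgresql"]

  # Reachable only from inside the VPC; clients in the lesson run there anyway.
  publicly_accessible = false
  skip_final_snapshot = true

  # RDS generates the password and stores it in Secrets Manager, so no
  # credential is written into the .tf file or the Terraform state.
  username                    = var.username
  manage_master_user_password = true
}
```

Caveat before copying this into a production module: `log_statement = all` writes every statement, including literal parameter values, into the log stream, so anything sensitive that applications send in SQL (tokens, personal data) ends up in CloudWatch; pair it with an appropriate log retention and access policy, or narrow it to `ddl`/`mod` if full query capture is not the goal. Re-run `checkov -d . --framework terraform --check CKV2_AWS_30` after the change to confirm the finding clears.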
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.lambda_bucket
File: /lessons/115/terraform/1-lambda-bucket.tf:6-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
6 | resource "aws_s3_bucket" "lambda_bucket" {
7 | bucket = random_pet.lambda_bucket_name.id
8 | force_destroy = true
9 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.test
File: /lessons/115/terraform/5-test-bucket.tf:6-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
6 | resource "aws_s3_bucket" "test" {
7 | bucket = random_pet.test_bucket_name.id
8 | force_destroy = true
9 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.lambda_bucket
File: /lessons/117/terraform/2-lambda-bucket.tf:6-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
6 | resource "aws_s3_bucket" "lambda_bucket" {
7 | bucket = random_pet.lambda_bucket_name.id
8 | force_destroy = true
9 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.lambda_bucket
File: /lessons/122/terraform/8-lambda-bucket.tf:8-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
8 | resource "aws_s3_bucket" "lambda_bucket" {
9 | bucket = random_pet.lambda_bucket_name.id
10 | force_destroy = true
11 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.lambda_bucket
File: /lessons/124/terraform/1-lambda-bucket.tf:8-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
8 | resource "aws_s3_bucket" "lambda_bucket" {
9 | bucket = random_pet.lambda_bucket_name.id
10 | force_destroy = true
11 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.images_bucket
File: /lessons/124/terraform/2-images-bucket.tf:8-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
8 | resource "aws_s3_bucket" "images_bucket" {
9 | bucket = random_pet.images_bucket_name.id
10 | force_destroy = true
11 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.lambda_bucket
File: /lessons/126/terraform/1-lambda-bucket.tf:8-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
8 | resource "aws_s3_bucket" "lambda_bucket" {
9 | bucket = random_pet.lambda_bucket_name.id
10 | force_destroy = true
11 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.images_bucket
File: /lessons/126/terraform/2-images-bucket.tf:8-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
8 | resource "aws_s3_bucket" "images_bucket" {
9 | bucket = random_pet.images_bucket_name.id
10 | force_destroy = true
11 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.lambda_bucket
File: /lessons/128/terraform/1-lambda-bucket.tf:8-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
8 | resource "aws_s3_bucket" "lambda_bucket" {
9 | bucket = random_pet.lambda_bucket_name.id
10 | force_destroy = true
11 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.images_bucket
File: /lessons/128/terraform/2-images-bucket.tf:7-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
7 | resource "aws_s3_bucket" "images_bucket" {
8 | bucket = "images-${random_id.server.hex}"
9 | force_destroy = true
10 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.functions
File: /lessons/129/terraform/1-aws-buckets.tf:2-5
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
2 | resource "aws_s3_bucket" "functions" {
3 | bucket = "functions-${random_id.lesson.hex}"
4 | force_destroy = true
5 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.images
File: /lessons/129/terraform/1-aws-buckets.tf:18-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
18 | resource "aws_s3_bucket" "images" {
19 | bucket = "images-${random_id.lesson.hex}"
20 | force_destroy = true
21 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.lambda_bucket
File: /lessons/131/terraform/11-lambda-bucket.tf:8-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
8 | resource "aws_s3_bucket" "lambda_bucket" {
9 | bucket = random_pet.lambda_bucket_name.id
10 | force_destroy = true
11 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.terraform_state
File: /lessons/165/1-example/main.tf:5-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
5 | resource "aws_s3_bucket" "terraform_state" {
6 | bucket = "antonputra-terraform-state"
7 |
8 | lifecycle {
9 | prevent_destroy = true
10 | }
11 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.terraform_state
File: /lessons/165/global/s3/main.tf:5-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
5 | resource "aws_s3_bucket" "terraform_state" {
6 | bucket = "antonputra-terraform-state"
7 |
8 | lifecycle {
9 | prevent_destroy = true
10 | }
11 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.lambda_bucket
File: /lessons/115/terraform/1-lambda-bucket.tf:6-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
6 | resource "aws_s3_bucket" "lambda_bucket" {
7 | bucket = random_pet.lambda_bucket_name.id
8 | force_destroy = true
9 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.test
File: /lessons/115/terraform/5-test-bucket.tf:6-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
6 | resource "aws_s3_bucket" "test" {
7 | bucket = random_pet.test_bucket_name.id
8 | force_destroy = true
9 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.lambda_bucket
File: /lessons/117/terraform/2-lambda-bucket.tf:6-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
6 | resource "aws_s3_bucket" "lambda_bucket" {
7 | bucket = random_pet.lambda_bucket_name.id
8 | force_destroy = true
9 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.lambda_bucket
File: /lessons/122/terraform/8-lambda-bucket.tf:8-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
8 | resource "aws_s3_bucket" "lambda_bucket" {
9 | bucket = random_pet.lambda_bucket_name.id
10 | force_destroy = true
11 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.lambda_bucket
File: /lessons/124/terraform/1-lambda-bucket.tf:8-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
8 | resource "aws_s3_bucket" "lambda_bucket" {
9 | bucket = random_pet.lambda_bucket_name.id
10 | force_destroy = true
11 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.images_bucket
File: /lessons/124/terraform/2-images-bucket.tf:8-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
8 | resource "aws_s3_bucket" "images_bucket" {
9 | bucket = random_pet.images_bucket_name.id
10 | force_destroy = true
11 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.lambda_bucket
File: /lessons/126/terraform/1-lambda-bucket.tf:8-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
8 | resource "aws_s3_bucket" "lambda_bucket" {
9 | bucket = random_pet.lambda_bucket_name.id
10 | force_destroy = true
11 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.images_bucket
File: /lessons/126/terraform/2-images-bucket.tf:8-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
8 | resource "aws_s3_bucket" "images_bucket" {
9 | bucket = random_pet.images_bucket_name.id
10 | force_destroy = true
11 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.lambda_bucket
File: /lessons/128/terraform/1-lambda-bucket.tf:8-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
8 | resource "aws_s3_bucket" "lambda_bucket" {
9 | bucket = random_pet.lambda_bucket_name.id
10 | force_destroy = true
11 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.images_bucket
File: /lessons/128/terraform/2-images-bucket.tf:7-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
7 | resource "aws_s3_bucket" "images_bucket" {
8 | bucket = "images-${random_id.server.hex}"
9 | force_destroy = true
10 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.functions
File: /lessons/129/terraform/1-aws-buckets.tf:2-5
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
2 | resource "aws_s3_bucket" "functions" {
3 | bucket = "functions-${random_id.lesson.hex}"
4 | force_destroy = true
5 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.images
File: /lessons/129/terraform/1-aws-buckets.tf:18-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
18 | resource "aws_s3_bucket" "images" {
19 | bucket = "images-${random_id.lesson.hex}"
20 | force_destroy = true
21 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.lambda_bucket
File: /lessons/131/terraform/11-lambda-bucket.tf:8-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
8 | resource "aws_s3_bucket" "lambda_bucket" {
9 | bucket = random_pet.lambda_bucket_name.id
10 | force_destroy = true
11 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.terraform_state
File: /lessons/165/1-example/main.tf:5-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
5 | resource "aws_s3_bucket" "terraform_state" {
6 | bucket = "antonputra-terraform-state"
7 |
8 | lifecycle {
9 | prevent_destroy = true
10 | }
11 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.terraform_state
File: /lessons/165/global/s3/main.tf:5-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
5 | resource "aws_s3_bucket" "terraform_state" {
6 | bucket = "antonputra-terraform-state"
7 |
8 | lifecycle {
9 | prevent_destroy = true
10 | }
11 | }
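Every bucket listed under CKV_AWS_18 and CKV_AWS_145 is a bare `aws_s3_bucket` with only `bucket` and `force_destroy` (or a `prevent_destroy` lifecycle block for the state buckets), so neither server access logging nor a KMS default-encryption rule is configured. The following block is an added example for this report, not code from the repository, and fixes both checks for one representative bucket, `aws_s3_bucket.lambda_bucket` from lesson 115, using the provider v4-style split resources; the KMS key, the `access_logs` bucket and its naming are assumptions. The same pattern applies to the `images`, `functions`, `test` and `terraform_state` buckets. One wrinkle a practitioner should expect: S3 server access log delivery does not write into a target bucket whose default encryption is SSE-KMS, so the log bucket itself stays on SSE-S3 and carries an explicit, justified `checkov:skip` for CKV_AWS_145 (and for CKV_AWS_18, since a bucket cannot log to itself) rather than a silent exception.

```hcl
# Customer-managed key used as the bucket's default encryption key
# (added example; resource names are assumed).
resource "aws_kms_key" "s3" {
  description         = "Default key for lesson buckets"
  enable_key_rotation = true
}

resource "aws_s3_bucket" "lambda_bucket" {
  bucket        = random_pet.lambda_bucket_name.id
  force_destroy = true
}

# Default encryption with the customer-managed key (CKV_AWS_145).
resource "aws_s3_bucket_server_side_encryption_configuration" "lambda_bucket" {
  bucket = aws_s3_bucket.lambda_bucket.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.s3.arn
    }
    # Reduces KMS request volume (and cost) for high-traffic buckets.
    bucket_key_enabled = true
  }
}

# Separate bucket that receives the server access logs.
resource "aws_s3_bucket" "access_logs" {
  #checkov:skip=CKV_AWS_145:S3 server access log delivery does not support an SSE-KMS target bucket
  #checkov:skip=CKV_AWS_18:Log target bucket; a bucket cannot deliver access logs to itself
  bucket        = "${random_pet.lambda_bucket_name.id}-logs"
  force_destroy = true
}

resource "aws_s3_bucket_server_side_encryption_configuration" "access_logs" {
  bucket = aws_s3_bucket.access_logs.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}

# The S3 logging service principal needs PutObject on the target bucket.
# With the current default object ownership (BucketOwnerEnforced) ACL-based
# grants to the log delivery group no longer work, so a bucket policy is used.
data "aws_iam_policy_document" "access_logs" {
  statement {
    sid       = "S3ServerAccessLogsPolicy"
    effect    = "Allow"
    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.access_logs.arn}/*"]

    principals {
      type        = "Service"
      identifiers = ["logging.s3.amazonaws.com"]
    }

    # Confused-deputy guard: only logs originating from our source bucket.
    condition {
      test     = "ArnLike"
      variable = "aws:SourceArn"
      values   = [aws_s3_bucket.lambda_bucket.arn]
    }
  }
}

resource "aws_s3_bucket_policy" "access_logs" {
  bucket = aws_s3_bucket.access_logs.id
  policy = data.aws_iam_policy_document.access_logs.json
}

# Server access logging for the source bucket (CKV_AWS_18).
resource "aws_s3_bucket_logging" "lambda_bucket" {
  bucket        = aws_s3_bucket.lambda_bucket.id
  target_bucket = aws_s3_bucket.access_logs.id
  target_prefix = "lambda-bucket/"

  # Delivery is rejected until the target policy exists.
  depends_on = [aws_s3_bucket_policy.access_logs]
}
```

The target bucket must be in the same region as the source bucket. For the two `antonputra-terraform-state` buckets, KMS encryption matters more than for the lesson artifact buckets, because Terraform state routinely contains secrets such as the RDS password shown earlier on this page; give the state bucket its own key with a key policy limited to the CI role that runs `terraform apply`. Confirm the result with `checkov -d . --framework terraform --check CKV_AWS_18,CKV_AWS_145`; checkov reports the skipped log-bucket checks separately, with the justification text, so they remain visible in review.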
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.nginx
File: /lessons/014/main.tf:39-60
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
39 | resource "aws_instance" "nginx" {
40 | ami = "ami-0dba2cb6798deb6d8"
41 | subnet_id = "subnet-060a1ae52cf0a73d6"
42 | instance_type = "t2.micro"
43 | associate_public_ip_address = true
44 | security_groups = [aws_security_group.nginx.id]
45 | key_name = local.key_name
46 |
47 | provisioner "remote-exec" {
48 | inline = ["echo 'Wait until SSH is ready'"]
49 |
50 | connection {
51 | type = "ssh"
52 | user = local.ssh_user
53 | private_key = file(local.private_key_path)
54 | host = aws_instance.nginx.public_ip
55 | }
56 | }
57 | provisioner "local-exec" {
58 | command = "ansible-playbook -i ${aws_instance.nginx.public_ip}, --private-key ${local.private_key_path} nginx.yaml"
59 | }
60 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.nginx
File: /lessons/020/main.tf:149-158
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
149 | resource "aws_instance" "nginx" {
150 | ami = "ami-0dba2cb6798deb6d8"
151 | instance_type = "t2.micro"
152 | vpc_security_group_ids = [aws_security_group.nginx.id]
153 | key_name = "devops"
154 |
155 | tags = {
156 | Name = "Nginx"
157 | }
158 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.server
File: /lessons/040/main.tf:4-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
4 | resource "aws_instance" "server" {
5 | # The AMI to use for the instance.
6 | ami = var.ami
7 |
8 | # The type of instance to start.
9 | instance_type = "t2.micro"
10 |
11 | lifecycle {
12 | create_before_destroy = true
13 | ignore_changes = [tags]
14 | }
15 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.ubuntu
File: /lessons/053/infra-2/main.tf:20-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
20 | resource "aws_instance" "ubuntu" {
21 | ami = "ami-013f17f36f8b1fefb"
22 | instance_type = "t3.micro"
23 | subnet_id = "subnet-07fc2d0816e1f6100"
24 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.blue[0]
File: /lessons/063/blue.tf:3-18
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
3 | resource "aws_instance" "blue" {
4 | count = var.enable_blue_env ? var.blue_instance_count : 0
5 |
6 | ami = local.ubuntu_ami
7 | instance_type = "t2.micro"
8 | subnet_id = local.private_a_subnet_id
9 | vpc_security_group_ids = [aws_security_group.web.id]
10 |
11 | user_data = templatefile("./init-script.sh", {
12 | file_content = "blue version 1.2 - ${count.index}"
13 | })
14 |
15 | tags = {
16 | Name = "blue version 1.2 - ${count.index}"
17 | }
18 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.green
File: /lessons/063/green.tf:3-18
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
3 | resource "aws_instance" "green" {
4 | count = var.enable_green_env ? var.green_instance_count : 0
5 |
6 | ami = local.ubuntu_ami
7 | instance_type = "t2.micro"
8 | subnet_id = local.private_a_subnet_id
9 | vpc_security_group_ids = [aws_security_group.web.id]
10 |
11 | user_data = templatefile("./init-script.sh", {
12 | file_content = "green version 1.1 - ${count.index}"
13 | })
14 |
15 | tags = {
16 | Name = "green version 1.1 - ${count.index}"
17 | }
18 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.web
File: /lessons/104/terraform/5-ec2.tf:28-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
28 | resource "aws_instance" "web" {
29 | ami = data.aws_ami.ubuntu.id
30 | instance_type = "t3.small"
31 |
32 | key_name = local.key_name
33 |
34 | network_interface {
35 | network_interface_id = aws_network_interface.monitoring.id
36 | device_index = 0
37 | }
38 |
39 | tags = {
40 | Name = "monitoring"
41 | }
42 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.my-app-example-2
File: /lessons/118/terraform/10-ec2-example-2.tf:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
1 | resource "aws_instance" "my-app-example-2" {
2 | ami = "ami-0d5482f3cb962780f"
3 | instance_type = "t3.micro"
4 | key_name = "devops"
5 | subnet_id = aws_subnet.private-us-east-1a.id
6 |
7 | vpc_security_group_ids = [aws_security_group.my-app-example-2.id]
8 |
9 | tags = {
10 | Name = "my-app-example-2"
11 | }
12 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.my-app-example-1
File: /lessons/118/terraform/7-ec2-example-1.tf:1-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
1 | resource "aws_instance" "my-app-example-1" {
2 | ami = "ami-0d5482f3cb962780f"
3 | instance_type = "t3.micro"
4 | key_name = "devops"
5 | subnet_id = aws_subnet.public-us-east-1a.id
6 |
7 | associate_public_ip_address = true
8 | vpc_security_group_ids = [aws_security_group.my-app-example-1.id]
9 |
10 | tags = {
11 | Name = "my-app-example-1"
12 | }
13 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.my_server
File: /lessons/121/terraform/6-ec2.tf:38-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
38 | resource "aws_instance" "my_server" {
39 | ami = data.aws_ami.ubuntu.id
40 | instance_type = "t3.micro"
41 |
42 | key_name = "old-key"
43 | subnet_id = aws_subnet.public-us-east-1a.id
44 | vpc_security_group_ids = [aws_security_group.my_server_ssh_access.id]
45 |
46 | associate_public_ip_address = true
47 |
48 | tags = {
49 | Name = "My Server"
50 | }
51 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.my_server
File: /lessons/122/terraform/6-ec2.tf:41-56
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
41 | resource "aws_instance" "my_server" {
42 | ami = data.aws_ami.ubuntu.id
43 | instance_type = "t3.micro"
44 |
45 | # create devops key pair manually before you run terraform
46 | key_name = "devops"
47 |
48 | subnet_id = aws_subnet.public_us_east_1a.id
49 | vpc_security_group_ids = [aws_security_group.my_server_ssh_access.id]
50 |
51 | associate_public_ip_address = true
52 |
53 | tags = {
54 | Name = "my-server"
55 | }
56 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.my_app_eg1["my-app-00"]
File: /lessons/127/terraform/6-example-1.tf:78-91
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
78 | resource "aws_instance" "my_app_eg1" {
79 | for_each = local.web_servers
80 |
81 | ami = "ami-07309549f34230bcd"
82 | instance_type = each.value.machine_type
83 | key_name = "devops"
84 | subnet_id = each.value.subnet_id
85 |
86 | vpc_security_group_ids = [aws_security_group.ec2_eg1.id]
87 |
88 | tags = {
89 | Name = each.key
90 | }
91 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.my_app
File: /lessons/130/terraform/12-ec2.tf:46-91
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
46 | resource "aws_instance" "my_app" {
47 | ami = data.aws_ami.ubuntu.id
48 | instance_type = "t3.micro"
49 | key_name = "devops"
50 | subnet_id = aws_subnet.public_us_east_1a.id
51 | vpc_security_group_ids = [aws_security_group.my_app.id]
52 |
53 | user_data = <> /etc/systemd/system/node_exporter.service
63 | [Unit]
64 | Description=Node Exporter
65 | Wants=network-online.target
66 | After=network-online.target
67 |
68 | StartLimitIntervalSec=500
69 | StartLimitBurst=5
70 |
71 | [Service]
72 | User=node_exporter
73 | Group=node_exporter
74 | Type=simple
75 | Restart=on-failure
76 | RestartSec=5s
77 | ExecStart=/usr/local/bin/node_exporter
78 |
79 | [Install]
80 | WantedBy=multi-user.target
81 | EOT
82 |
83 | systemctl enable node_exporter
84 | systemctl start node_exporter
85 | EOF
86 |
87 | tags = {
88 | Name = "My App"
89 | node-exporter = "true"
90 | }
91 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.nginx
File: /lessons/146/terraform/10-nginx-ec2.tf:1-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
1 | resource "aws_instance" "nginx" {
2 | ami = data.aws_ami.ubuntu_jammy.id
3 | key_name = "devops"
4 | instance_type = "t3a.small"
5 | subnet_id = aws_subnet.public_us_east_1a.id
6 |
7 | vpc_security_group_ids = [
8 | aws_security_group.ssh.id,
9 | aws_security_group.proxy.id
10 | ]
11 |
12 | tags = {
13 | Name = "nginx.antonputra.pvt"
14 | service = "nginx"
15 | node-exporter = "true"
16 | }
17 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.apache
File: /lessons/146/terraform/11-apache-ec2.tf:1-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
1 | resource "aws_instance" "apache" {
2 | ami = data.aws_ami.ubuntu_jammy.id
3 | key_name = "devops"
4 | instance_type = "t3a.small"
5 | subnet_id = aws_subnet.public_us_east_1a.id
6 |
7 | vpc_security_group_ids = [
8 | aws_security_group.ssh.id,
9 | aws_security_group.proxy.id
10 | ]
11 |
12 | tags = {
13 | Name = "apache.antonputra.pvt"
14 | service = "apache"
15 | node-exporter = "true"
16 | }
17 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.client
File: /lessons/146/terraform/13-client.tf:1-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
1 | resource "aws_instance" "client" {
2 | ami = data.aws_ami.ubuntu_jammy.id
3 | key_name = "devops"
4 | instance_type = "t3a.xlarge"
5 | subnet_id = aws_subnet.public_us_east_1a.id
6 |
7 | vpc_security_group_ids = [
8 | aws_security_group.ssh.id,
9 | aws_security_group.client.id
10 | ]
11 |
12 | tags = {
13 | Name = "client.antonputra.pvt"
14 | service = "client"
15 | node-exporter = "true"
16 | }
17 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.myapp
File: /lessons/146/terraform/9-myapp-ec2.tf:1-18
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
1 | resource "aws_instance" "myapp" {
2 | ami = data.aws_ami.ubuntu_jammy.id
3 | key_name = "devops"
4 | instance_type = "t3a.large"
5 | subnet_id = aws_subnet.public_us_east_1a.id
6 |
7 | vpc_security_group_ids = [
8 | aws_security_group.ssh.id,
9 | aws_security_group.myapp.id
10 | ]
11 |
12 | tags = {
13 | Name = "myapp-000.antonputra.pvt"
14 | service = "myapp"
15 | node-exporter = "true"
16 | rust-exporter = "true"
17 | }
18 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.client
File: /lessons/147/terraform/15-client.tf:38-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
38 | resource "aws_instance" "client" {
39 | ami = data.aws_ami.ubuntu_jammy.id
40 | key_name = "devops"
41 | instance_type = "t3a.xlarge"
42 | subnet_id = aws_subnet.public_us_east_1a.id
43 |
44 | vpc_security_group_ids = [
45 | aws_security_group.client.id
46 | ]
47 |
48 | tags = {
49 | Name = "client.antonputra.pvt"
50 | service = "client"
51 | node-exporter = "true"
52 | }
53 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.client
File: /lessons/149/terraform/15-client.tf:38-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
38 | resource "aws_instance" "client" {
39 | ami = data.aws_ami.ubuntu_jammy.id
40 | key_name = "devops"
41 | instance_type = "t3a.xlarge"
42 | subnet_id = aws_subnet.public_us_east_1a.id
43 |
44 | vpc_security_group_ids = [
45 | aws_security_group.client.id
46 | ]
47 |
48 | tags = {
49 | Name = "client.antonputra.pvt"
50 | service = "client"
51 | node-exporter = "true"
52 | }
53 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.client
File: /lessons/150/terraform/15-client.tf:38-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
38 | resource "aws_instance" "client" {
39 | ami = data.aws_ami.ubuntu_jammy.id
40 | key_name = "devops"
41 | instance_type = "t3a.xlarge"
42 | subnet_id = aws_subnet.public_us_east_1a.id
43 |
44 | vpc_security_group_ids = [
45 | aws_security_group.client.id
46 | ]
47 |
48 | tags = {
49 | Name = "client.antonputra.pvt"
50 | service = "client"
51 | node-exporter = "true"
52 | }
53 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.envoy
File: /lessons/151/terraform/10-envoy.tf:1-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
1 | resource "aws_instance" "envoy" {
2 | ami = data.aws_ami.ubuntu_jammy.id
3 | instance_type = "m6a.large"
4 | subnet_id = aws_subnet.public_us_east_1a.id
5 | key_name = "devops" # TODO: update to yours
6 |
7 | vpc_security_group_ids = [
8 | aws_security_group.proxy.id,
9 | aws_security_group.ssh.id
10 | ]
11 |
12 | tags = {
13 | Name = "envoy"
14 | service = "envoy"
15 | node-exporter = "true"
16 | }
17 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.nginx
File: /lessons/151/terraform/11-nginx.tf:1-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
1 | resource "aws_instance" "nginx" {
2 | ami = data.aws_ami.ubuntu_jammy.id
3 | instance_type = "m6a.large"
4 | subnet_id = aws_subnet.public_us_east_1a.id
5 | key_name = "devops" # TODO: update to yours
6 |
7 | vpc_security_group_ids = [
8 | aws_security_group.proxy.id,
9 | aws_security_group.ssh.id
10 | ]
11 |
12 | tags = {
13 | Name = "nginx"
14 | service = "nginx"
15 | node-exporter = "true"
16 | }
17 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.myapp
File: /lessons/151/terraform/8-myapp.tf:1-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
1 | resource "aws_instance" "myapp" {
2 | ami = data.aws_ami.ubuntu_jammy.id
3 | instance_type = "m6a.xlarge"
4 | subnet_id = aws_subnet.public_us_east_1a.id
5 | key_name = "devops" # TODO: update to yours
6 |
7 | vpc_security_group_ids = [
8 | aws_security_group.myapp.id,
9 | aws_security_group.ssh.id
10 | ]
11 |
12 | tags = {
13 | Name = "myapp"
14 | service = "myapp"
15 | node-exporter = "true"
16 | }
17 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.caddy
File: /lessons/153/terraform/10-caddy.tf:1-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
1 | resource "aws_instance" "caddy" {
2 | ami = data.aws_ami.ubuntu_jammy.id
3 | instance_type = "m6a.large"
4 | subnet_id = aws_subnet.public_us_east_1a.id
5 | key_name = "devops" # TODO: update to yours
6 |
7 | vpc_security_group_ids = [
8 | aws_security_group.proxy.id,
9 | aws_security_group.ssh.id
10 | ]
11 |
12 | tags = {
13 | Name = "caddy"
14 | service = "caddy"
15 | node-exporter = "true"
16 | }
17 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.traefik
File: /lessons/153/terraform/11-traefik.tf:1-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
1 | resource "aws_instance" "traefik" {
2 | ami = data.aws_ami.ubuntu_jammy.id
3 | instance_type = "m6a.large"
4 | subnet_id = aws_subnet.public_us_east_1a.id
5 | key_name = "devops" # TODO: update to yours
6 |
7 | vpc_security_group_ids = [
8 | aws_security_group.proxy.id,
9 | aws_security_group.ssh.id
10 | ]
11 |
12 | tags = {
13 | Name = "traefik"
14 | service = "traefik"
15 | node-exporter = "true"
16 | }
17 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.myapp
File: /lessons/153/terraform/8-myapp.tf:1-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
1 | resource "aws_instance" "myapp" {
2 | ami = data.aws_ami.ubuntu_jammy.id
3 | instance_type = "m6a.xlarge"
4 | subnet_id = aws_subnet.public_us_east_1a.id
5 | key_name = "devops" # TODO: update to yours
6 |
7 | vpc_security_group_ids = [
8 | aws_security_group.myapp.id,
9 | aws_security_group.ssh.id
10 | ]
11 |
12 | tags = {
13 | Name = "myapp"
14 | service = "myapp"
15 | node-exporter = "true"
16 | }
17 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.test
File: /lessons/154/terraform/14-ec2.tf:44-92
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
44 | resource "aws_instance" "test" {
45 | ami = data.aws_ami.ubuntu_jammy.id
46 | instance_type = "t3a.small"
47 | subnet_id = aws_subnet.public_us_east_1a.id
48 | # key_name = "devops" # TODO: update to yours
49 |
50 | vpc_security_group_ids = [
51 | aws_security_group.test.id
52 | ]
53 |
54 | user_data = <> /etc/systemd/system/node_exporter.service
64 | [Unit]
65 | Description=Node Exporter
66 | Wants=network-online.target
67 | After=network-online.target
68 | StartLimitIntervalSec=500
69 | StartLimitBurst=5
70 |
71 | [Service]
72 | User=node_exporter
73 | Group=node_exporter
74 | Type=simple
75 | Restart=on-failure
76 | RestartSec=5s
77 | ExecStart=/usr/local/bin/node_exporter
78 |
79 | [Install]
80 | WantedBy=multi-user.target
81 | EOT
82 |
83 | systemctl enable node_exporter
84 | systemctl start node_exporter
85 | EOF
86 |
87 | tags = {
88 | Name = "myapp"
89 | service = "myapp"
90 | node-exporter = "true"
91 | }
92 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.nginx
File: /lessons/161/0-intro/copy-paste.tf:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
1 | resource "aws_instance" "nginx" {
2 | ami = "ami-0f35953afaa5c8c60"
3 | instance_type = "t3.micro"
4 |
5 | tags = {
6 | Name = "staging-nginx"
7 | }
8 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.nginx_2
File: /lessons/161/0-intro/copy-paste.tf:10-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
10 | resource "aws_instance" "nginx_2" {
11 | ami = "ami-0f35953afaa5c8c60"
12 | instance_type = "t3.micro"
13 |
14 | tags = {
15 | Name = "staging-nginx"
16 | }
17 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.nginx
File: /lessons/161/0-intro/declarative.tf:9-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
9 | resource "aws_instance" "nginx" {
10 | ami = "ami-0f35953afaa5c8c60"
11 | instance_type = "t3.micro"
12 |
13 | tags = {
14 | Name = "staging-nginx"
15 | }
16 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.web["nginx-0"]
File: /lessons/161/1-loop/2-for_each/ec2.tf:14-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
14 | resource "aws_instance" "web" {
15 | for_each = local.web_servers
16 |
17 | ami = "ami-1234567890"
18 | instance_type = each.value.instance_type
19 | availability_zone = each.value.availability_zone
20 |
21 | tags = {
22 | Name = each.key
23 | }
24 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.example
File: /lessons/164/main.tf:16-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
16 | resource "aws_instance" "example" {
17 | ami = "ami-0a695f0d95cefc163"
18 | instance_type = "t3.micro"
19 |
20 | vpc_security_group_ids = [aws_security_group.instance.id]
21 |
22 | user_data = <<-EOF
23 | #!/bin/bash
24 | echo "Hello, World" > index.html
25 | nohup busybox httpd -f -p ${var.server_port} &
26 | EOF
27 |
28 | user_data_replace_on_change = true
29 |
30 | tags = {
31 | Name = "my-ubuntu"
32 | }
33 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.example
File: /lessons/165/3-example/main.tf:5-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
5 | resource "aws_instance" "example" {
6 | ami = "ami-0a695f0d95cefc163"
7 |
8 | instance_type = (
9 | terraform.workspace == "default" ? "t3.medium" : "t3.micro"
10 | )
11 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.example
File: /lessons/165/infra/main.tf:5-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
5 | resource "aws_instance" "example" {
6 | ami = "ami-0a695f0d95cefc163"
7 | instance_type = "t3.micro"
8 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.example
File: /lessons/165/staging/services/web/main.tf:22-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
22 | resource "aws_instance" "example" {
23 | ami = "ami-0a695f0d95cefc163"
24 | instance_type = "t3.micro"
25 |
26 | vpc_security_group_ids = [aws_security_group.instance.id]
27 |
28 | user_data = templatefile("user-data.sh", {
29 | server_port = var.server_port
30 | postgres_address = data.terraform_remote_state.postgres.outputs.address
31 | postgres_port = data.terraform_remote_state.postgres.outputs.port
32 | })
33 |
34 | user_data_replace_on_change = true
35 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.blue[1]
File: /lessons/063/blue.tf:3-18
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
3 | resource "aws_instance" "blue" {
4 | count = var.enable_blue_env ? var.blue_instance_count : 0
5 |
6 | ami = local.ubuntu_ami
7 | instance_type = "t2.micro"
8 | subnet_id = local.private_a_subnet_id
9 | vpc_security_group_ids = [aws_security_group.web.id]
10 |
11 | user_data = templatefile("./init-script.sh", {
12 | file_content = "blue version 1.2 - ${count.index}"
13 | })
14 |
15 | tags = {
16 | Name = "blue version 1.2 - ${count.index}"
17 | }
18 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.my_app_eg1["my-app-01"]
File: /lessons/127/terraform/6-example-1.tf:78-91
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
78 | resource "aws_instance" "my_app_eg1" {
79 | for_each = local.web_servers
80 |
81 | ami = "ami-07309549f34230bcd"
82 | instance_type = each.value.machine_type
83 | key_name = "devops"
84 | subnet_id = each.value.subnet_id
85 |
86 | vpc_security_group_ids = [aws_security_group.ec2_eg1.id]
87 |
88 | tags = {
89 | Name = each.key
90 | }
91 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.web["nginx-1"]
File: /lessons/161/1-loop/2-for_each/ec2.tf:14-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
14 | resource "aws_instance" "web" {
15 | for_each = local.web_servers
16 |
17 | ami = "ami-1234567890"
18 | instance_type = each.value.instance_type
19 | availability_zone = each.value.availability_zone
20 |
21 | tags = {
22 | Name = each.key
23 | }
24 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/020/main.tf:8-14
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
8 | resource "aws_vpc" "main" {
9 | cidr_block = "10.0.0.0/18"
10 |
11 | tags = {
12 | Name = "main"
13 | }
14 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/038/terraform/vpc.tf:4-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
4 | resource "aws_vpc" "main" {
5 | # The CIDR block for the VPC.
6 | cidr_block = "192.168.0.0/16"
7 |
8 | # Makes your instances shared on the host.
9 | instance_tenancy = "default"
10 |
11 | # Required for EKS. Enable/disable DNS support in the VPC.
12 | enable_dns_support = true
13 |
14 | # Required for EKS. Enable/disable DNS hostnames in the VPC.
15 | enable_dns_hostnames = true
16 |
17 | # Enable/disable ClassicLink for the VPC.
18 | enable_classiclink = false
19 |
20 | # Enable/disable ClassicLink DNS Support for the VPC.
21 | enable_classiclink_dns_support = false
22 |
23 | # Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC.
24 | assign_generated_ipv6_cidr_block = false
25 |
26 | # A map of tags to assign to the resource.
27 | tags = {
28 | Name = "main"
29 | }
30 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/089/terraform/1-vpc.tf:3-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
3 | resource "aws_vpc" "main" {
4 | cidr_block = "10.0.0.0/16"
5 |
6 | tags = {
7 | Name = "main"
8 | }
9 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/090/terraform/1-vpc.tf:3-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
3 | resource "aws_vpc" "main" {
4 | cidr_block = "10.0.0.0/16"
5 |
6 | tags = {
7 | Name = "main"
8 | }
9 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/091/terraform/1-vpc.tf:3-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
3 | resource "aws_vpc" "main" {
4 | cidr_block = "10.0.0.0/16"
5 |
6 | tags = {
7 | Name = "main"
8 | }
9 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/099/terraform/1-vpc.tf:3-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
3 | resource "aws_vpc" "main" {
4 | cidr_block = "10.0.0.0/16"
5 |
6 | tags = {
7 | Name = "main"
8 | }
9 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/102/terraform/1-vpc.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | tags = {
5 | Name = "main"
6 | }
7 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/104/terraform/1-vpc.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | tags = {
5 | Name = "main"
6 | }
7 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/105/aws-terraform/1-vpc.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | tags = {
5 | Name = "main"
6 | }
7 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/112/terraform/1-vpc.tf:1-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | enable_dns_hostnames = true
5 |
6 | tags = {
7 | Name = "main"
8 | }
9 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/113/terraform/1-vpc.tf:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | # Must be enabled for EFS
5 | enable_dns_support = true
6 | enable_dns_hostnames = true
7 |
8 | tags = {
9 | Name = "main"
10 | }
11 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/114/terraform/1-vpc.tf:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | # Must be enabled for EFS
5 | enable_dns_support = true
6 | enable_dns_hostnames = true
7 |
8 | tags = {
9 | Name = "main"
10 | }
11 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/116/terraform/1-vpc.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | tags = {
5 | Name = "main"
6 | }
7 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/118/terraform/1-vpc.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | enable_dns_support = true
5 | enable_dns_hostnames = true
6 |
7 | tags = {
8 | Name = "main"
9 | }
10 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/119/terraform/1-vpc.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | enable_dns_support = true
5 | enable_dns_hostnames = true
6 |
7 | tags = {
8 | Name = "main"
9 | }
10 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/121/terraform/1-vpc.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | enable_dns_support = true
5 | enable_dns_hostnames = true
6 |
7 | tags = {
8 | Name = "main"
9 | }
10 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/122/terraform/1-vpc.tf:2-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
2 | resource "aws_vpc" "main" {
3 | cidr_block = "10.0.0.0/16"
4 |
5 | enable_dns_support = true
6 | enable_dns_hostnames = true
7 |
8 | tags = {
9 | Name = "main"
10 | }
11 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/127/terraform/1-vpc.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | tags = {
5 | Name = "main"
6 | }
7 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/130/terraform/1-vpc.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | tags = {
5 | Name = "main"
6 | }
7 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/131/terraform/1-vpc.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | tags = {
5 | Name = "main"
6 | }
7 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/133/terraform/1-vpc.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | tags = {
5 | Name = "main"
6 | }
7 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/134/terraform/1-vpc.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | tags = {
5 | Name = "main"
6 | }
7 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/135/terraform/1-vpc.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | tags = {
5 | Name = "main"
6 | }
7 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/136/terraform/1-vpc.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | tags = {
5 | Name = "main"
6 | }
7 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/138/terraform/01-vpc.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | tags = {
5 | Name = "main"
6 | }
7 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/139/0-terraform/1-vpc.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | tags = {
5 | Name = "main"
6 | }
7 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/140/terraform/1-vpc.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | tags = {
5 | Name = "main"
6 | }
7 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/142/terraform/1-vpc.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | tags = {
5 | Name = "main"
6 | }
7 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/143/terraform/1-vpc.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | tags = {
5 | Name = "main"
6 | }
7 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/144/terraform/1-vpc.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | enable_dns_support = true
5 | enable_dns_hostnames = true
6 |
7 | tags = {
8 | Name = "main"
9 | }
10 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/145/terraform/1-vpc.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | enable_dns_support = true
5 | enable_dns_hostnames = true
6 |
7 | tags = {
8 | Name = "main"
9 | }
10 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/146/terraform/1-vpc.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | enable_dns_support = true
5 | enable_dns_hostnames = true
6 |
7 | tags = {
8 | Name = "main"
9 | }
10 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/147/terraform/1-vpc.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | enable_dns_support = true
5 | enable_dns_hostnames = true
6 |
7 | tags = {
8 | Name = "main"
9 | }
10 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/149/terraform/1-vpc.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | enable_dns_support = true
5 | enable_dns_hostnames = true
6 |
7 | tags = {
8 | Name = "main"
9 | }
10 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/150/terraform/1-vpc.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | enable_dns_support = true
5 | enable_dns_hostnames = true
6 |
7 | tags = {
8 | Name = "main"
9 | }
10 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/151/terraform/1-vpc.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | enable_dns_support = true
5 | enable_dns_hostnames = true
6 |
7 | tags = {
8 | Name = "main"
9 | }
10 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/152/terraform/1-vpc.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | enable_dns_support = true
5 | enable_dns_hostnames = true
6 |
7 | tags = {
8 | Name = "main"
9 | }
10 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/153/terraform/1-vpc.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | enable_dns_support = true
5 | enable_dns_hostnames = true
6 |
7 | tags = {
8 | Name = "main"
9 | }
10 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/154/terraform/1-vpc.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | enable_dns_support = true
5 | enable_dns_hostnames = true
6 |
7 | tags = {
8 | Name = "main"
9 | }
10 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/155/eks-terraform/1-vpc.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | enable_dns_support = true
5 | enable_dns_hostnames = true
6 |
7 | tags = {
8 | Name = "main"
9 | }
10 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/156/terraform/1-vpc.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | enable_dns_support = true
5 | enable_dns_hostnames = true
6 |
7 | tags = {
8 | Name = "main"
9 | }
10 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.this
File: /lessons/160/git-infrastructure-modules/vpc/1-vpc.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "this" {
2 | cidr_block = var.vpc_cidr_block
3 |
4 | enable_dns_support = true
5 | enable_dns_hostnames = true
6 |
7 | tags = {
8 | Name = "${var.env}-main"
9 | }
10 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/160/infrastructure-live-v1/dev/vpc/1-vpc.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | enable_dns_support = true
5 | enable_dns_hostnames = true
6 |
7 | tags = {
8 | Name = "dev-main"
9 | }
10 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/160/infrastructure-live-v1/staging/vpc/1-vpc.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | enable_dns_support = true
5 | enable_dns_hostnames = true
6 |
7 | tags = {
8 | Name = "staging-main"
9 | }
10 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: module.vpc.aws_vpc.this
File: /lessons/160/infrastructure-modules/vpc/1-vpc.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "this" {
2 | cidr_block = var.vpc_cidr_block
3 |
4 | enable_dns_support = true
5 | enable_dns_hostnames = true
6 |
7 | tags = {
8 | Name = "${var.env}-main"
9 | }
10 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/161/0-intro/declarative.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | tags = {
5 | Name = "staging-main"
6 | }
7 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/161/1-loop/1-count/vpc.tf:1-3
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/161/1-loop/2-for_each/vpc.tf:1-3
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/161/2-conditionals/2-if-else/vpc.tf:1-3
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: module.vpcs.aws_vpc.main
File: /lessons/161/modules/vpc/main.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | tags = {
5 | Name = "main"
6 | }
7 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: module.vpcs.aws_vpc.database[0]
File: /lessons/161/modules/vpc/main.tf:9-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
9 | resource "aws_vpc" "database" {
10 | count = var.enable_database_vpc ? 1 : 0
11 |
12 | cidr_block = "10.1.0.0/16"
13 |
14 | tags = {
15 | Name = "database"
16 | }
17 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/175/terraform/2-vpc.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | enable_dns_support = true
5 | enable_dns_hostnames = true
6 |
7 | tags = {
8 | Name = "${local.env}-main"
9 | }
10 | }
Check: CKV2_AWS_38: "Ensure Domain Name System Security Extensions (DNSSEC) signing is enabled for Amazon Route 53 public hosted zones"
FAILED for resource: aws_route53_zone.devops
File: /lessons/020/main.tf:163-166
163 | resource "aws_route53_zone" "devops" {
164 | name = "devopsbyexample.io"
165 | comment = ""
166 | }
Check: CKV2_AWS_38: "Ensure Domain Name System Security Extensions (DNSSEC) signing is enabled for Amazon Route 53 public hosted zones"
FAILED for resource: aws_route53_zone.antonputra
File: /lessons/144/terraform/14.dns.tf:6-12
6 | resource "aws_route53_zone" "antonputra" {
7 | name = "antonputra.pvt"
8 |
9 | vpc {
10 | vpc_id = aws_vpc.main.id
11 | }
12 | }
Check: CKV2_AWS_38: "Ensure Domain Name System Security Extensions (DNSSEC) signing is enabled for Amazon Route 53 public hosted zones"
FAILED for resource: aws_route53_zone.private
File: /lessons/145/terraform/13-private-dns.tf:6-12
6 | resource "aws_route53_zone" "private" {
7 | name = local.private_route53_zone
8 |
9 | vpc {
10 | vpc_id = aws_vpc.main.id
11 | }
12 | }
Check: CKV2_AWS_38: "Ensure Domain Name System Security Extensions (DNSSEC) signing is enabled for Amazon Route 53 public hosted zones"
FAILED for resource: aws_route53_zone.antonputra_pvt
File: /lessons/146/terraform/14.dns.tf:2-8
2 | resource "aws_route53_zone" "antonputra_pvt" {
3 | name = "antonputra.pvt"
4 |
5 | vpc {
6 | vpc_id = aws_vpc.main.id
7 | }
8 | }
Check: CKV2_AWS_38: "Ensure Domain Name System Security Extensions (DNSSEC) signing is enabled for Amazon Route 53 public hosted zones"
FAILED for resource: aws_route53_zone.private
File: /lessons/147/terraform/13-private-dns.tf:8-14
8 | resource "aws_route53_zone" "private" {
9 | name = local.private_route53_zone
10 |
11 | vpc {
12 | vpc_id = aws_vpc.main.id
13 | }
14 | }
Check: CKV2_AWS_38: "Ensure Domain Name System Security Extensions (DNSSEC) signing is enabled for Amazon Route 53 public hosted zones"
FAILED for resource: aws_route53_zone.private
File: /lessons/149/terraform/13-private-dns.tf:6-12
6 | resource "aws_route53_zone" "private" {
7 | name = local.private_route53_zone
8 |
9 | vpc {
10 | vpc_id = aws_vpc.main.id
11 | }
12 | }
Check: CKV2_AWS_38: "Ensure Domain Name System Security Extensions (DNSSEC) signing is enabled for Amazon Route 53 public hosted zones"
FAILED for resource: aws_route53_zone.private
File: /lessons/150/terraform/13-private-dns.tf:7-13
7 | resource "aws_route53_zone" "private" {
8 | name = local.private_route53_zone
9 |
10 | vpc {
11 | vpc_id = aws_vpc.main.id
12 | }
13 | }
Check: CKV2_AWS_38: "Ensure Domain Name System Security Extensions (DNSSEC) signing is enabled for Amazon Route 53 public hosted zones"
FAILED for resource: aws_route53_zone.antonputra
File: /lessons/151/terraform/13.dns.tf:6-12
6 | resource "aws_route53_zone" "antonputra" {
7 | name = "antonputra.pvt"
8 |
9 | vpc {
10 | vpc_id = aws_vpc.main.id
11 | }
12 | }
Check: CKV2_AWS_38: "Ensure Domain Name System Security Extensions (DNSSEC) signing is enabled for Amazon Route 53 public hosted zones"
FAILED for resource: aws_route53_zone.antonputra
File: /lessons/153/terraform/13.dns.tf:6-12
6 | resource "aws_route53_zone" "antonputra" {
7 | name = "antonputra.pvt"
8 |
9 | vpc {
10 | vpc_id = aws_vpc.main.id
11 | }
12 | }
cloudformation scan results:
Passed checks: 12, Failed checks: 18, Skipped checks: 0, Parsing errors: 2
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: AWS::Serverless::Function.APIFunction
File: /lessons/075/sam/template.yaml:10-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit.html
10 | APIFunction:
11 | Type: AWS::Serverless::Function
12 | Properties:
13 | Runtime: nodejs14.x
14 | Handler: function.lambdaHandler
15 | CodeUri: api/
16 | Timeout: 3
17 | Events:
18 | Hello:
19 | Type: Api
20 | Properties:
21 | Path: /hello
22 | Method: POST
23 | RestApiId:
24 | Ref: HelloAPI
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: AWS::Serverless::Function.APIFunction
File: /lessons/075/sam/template.yaml:10-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq.html
10 | APIFunction:
11 | Type: AWS::Serverless::Function
12 | Properties:
13 | Runtime: nodejs14.x
14 | Handler: function.lambdaHandler
15 | CodeUri: api/
16 | Timeout: 3
17 | Events:
18 | Hello:
19 | Type: Api
20 | Properties:
21 | Path: /hello
22 | Method: POST
23 | RestApiId:
24 | Ref: HelloAPI
Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
FAILED for resource: AWS::Serverless::Function.APIFunction
File: /lessons/075/sam/template.yaml:10-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1.html
10 | APIFunction:
11 | Type: AWS::Serverless::Function
12 | Properties:
13 | Runtime: nodejs14.x
14 | Handler: function.lambdaHandler
15 | CodeUri: api/
16 | Timeout: 3
17 | Events:
18 | Hello:
19 | Type: Api
20 | Properties:
21 | Path: /hello
22 | Method: POST
23 | RestApiId:
24 | Ref: HelloAPI
Check: CKV_AWS_120: "Ensure API Gateway caching is enabled"
FAILED for resource: AWS::Serverless::Api.HelloAPI
File: /lessons/075/sam/template.yaml:26-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-api-gateway-caching-is-enabled.html
26 | HelloAPI:
27 | Type: AWS::Serverless::Api
28 | Properties:
29 | StageName: staging
30 | OpenApiVersion: 3.0.3
Check: CKV_AWS_73: "Ensure API Gateway has X-Ray Tracing enabled"
FAILED for resource: AWS::Serverless::Api.HelloAPI
File: /lessons/075/sam/template.yaml:26-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-15.html
26 | HelloAPI:
27 | Type: AWS::Serverless::Api
28 | Properties:
29 | StageName: staging
30 | OpenApiVersion: 3.0.3
Check: CKV_AWS_76: "Ensure API Gateway has Access Logging enabled"
FAILED for resource: AWS::Serverless::Api.HelloAPI
File: /lessons/075/sam/template.yaml:26-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-17.html
26 | HelloAPI:
27 | Type: AWS::Serverless::Api
28 | Properties:
29 | StageName: staging
30 | OpenApiVersion: 3.0.3
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: AWS::Serverless::Function.S3Function
File: /lessons/075/sam/template.yaml:32-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit.html
32 | S3Function:
33 | Type: AWS::Serverless::Function
34 | Properties:
35 | Runtime: nodejs14.x
36 | Handler: function.lambdaHandler
37 | CodeUri: s3/
38 | Timeout: 60
39 | Policies: AWSLambdaExecute
40 | Events:
41 | PrintEvent:
42 | Type: S3
43 | Properties:
44 | Bucket: !Ref ExampleBucket
45 | Events: s3:ObjectCreated:*
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: AWS::Serverless::Function.S3Function
File: /lessons/075/sam/template.yaml:32-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq.html
32 | S3Function:
33 | Type: AWS::Serverless::Function
34 | Properties:
35 | Runtime: nodejs14.x
36 | Handler: function.lambdaHandler
37 | CodeUri: s3/
38 | Timeout: 60
39 | Policies: AWSLambdaExecute
40 | Events:
41 | PrintEvent:
42 | Type: S3
43 | Properties:
44 | Bucket: !Ref ExampleBucket
45 | Events: s3:ObjectCreated:*
Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
FAILED for resource: AWS::Serverless::Function.S3Function
File: /lessons/075/sam/template.yaml:32-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1.html
32 | S3Function:
33 | Type: AWS::Serverless::Function
34 | Properties:
35 | Runtime: nodejs14.x
36 | Handler: function.lambdaHandler
37 | CodeUri: s3/
38 | Timeout: 60
39 | Policies: AWSLambdaExecute
40 | Events:
41 | PrintEvent:
42 | Type: S3
43 | Properties:
44 | Bucket: !Ref ExampleBucket
45 | Events: s3:ObjectCreated:*
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: AWS::S3::Bucket.ExampleBucket
File: /lessons/075/sam/template.yaml:47-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
47 | ExampleBucket:
48 | Type: AWS::S3::Bucket
49 | Properties:
50 | BucketName: test-antonputra
Check: CKV_AWS_53: "Ensure S3 bucket has block public ACLS enabled"
FAILED for resource: AWS::S3::Bucket.ExampleBucket
File: /lessons/075/sam/template.yaml:47-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/bc-aws-s3-19.html
47 | ExampleBucket:
48 | Type: AWS::S3::Bucket
49 | Properties:
50 | BucketName: test-antonputra
Check: CKV_AWS_56: "Ensure S3 bucket has 'restrict_public_bucket' enabled"
FAILED for resource: AWS::S3::Bucket.ExampleBucket
File: /lessons/075/sam/template.yaml:47-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/bc-aws-s3-22.html
47 | ExampleBucket:
48 | Type: AWS::S3::Bucket
49 | Properties:
50 | BucketName: test-antonputra
Check: CKV_AWS_55: "Ensure S3 bucket has ignore public ACLs enabled"
FAILED for resource: AWS::S3::Bucket.ExampleBucket
File: /lessons/075/sam/template.yaml:47-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/bc-aws-s3-21.html
47 | ExampleBucket:
48 | Type: AWS::S3::Bucket
49 | Properties:
50 | BucketName: test-antonputra
Check: CKV_AWS_21: "Ensure the S3 bucket has versioning enabled"
FAILED for resource: AWS::S3::Bucket.ExampleBucket
File: /lessons/075/sam/template.yaml:47-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
47 | ExampleBucket:
48 | Type: AWS::S3::Bucket
49 | Properties:
50 | BucketName: test-antonputra
Check: CKV_AWS_54: "Ensure S3 bucket has block public policy enabled"
FAILED for resource: AWS::S3::Bucket.ExampleBucket
File: /lessons/075/sam/template.yaml:47-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/bc-aws-s3-20.html
47 | ExampleBucket:
48 | Type: AWS::S3::Bucket
49 | Properties:
50 | BucketName: test-antonputra
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: AWS::Serverless::Function.SNSFunction
File: /lessons/075/sam/template.yaml:52-65
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit.html
52 | SNSFunction:
53 | Type: AWS::Serverless::Function
54 | Properties:
55 | PackageType: Image
56 | CodeUri: sns/
57 | Events:
58 | HelloWorld:
59 | Type: SNS
60 | Properties:
61 | Topic: arn:aws:sns:us-east-1:424432388155:sns-topic-for-lambda
62 | Metadata:
63 | Dockerfile: Dockerfile
64 | DockerContext: ./sns
65 | DockerTag: python3.8-v1
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: AWS::Serverless::Function.SNSFunction
File: /lessons/075/sam/template.yaml:52-65
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq.html
52 | SNSFunction:
53 | Type: AWS::Serverless::Function
54 | Properties:
55 | PackageType: Image
56 | CodeUri: sns/
57 | Events:
58 | HelloWorld:
59 | Type: SNS
60 | Properties:
61 | Topic: arn:aws:sns:us-east-1:424432388155:sns-topic-for-lambda
62 | Metadata:
63 | Dockerfile: Dockerfile
64 | DockerContext: ./sns
65 | DockerTag: python3.8-v1
Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
FAILED for resource: AWS::Serverless::Function.SNSFunction
File: /lessons/075/sam/template.yaml:52-65
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1.html
52 | SNSFunction:
53 | Type: AWS::Serverless::Function
54 | Properties:
55 | PackageType: Image
56 | CodeUri: sns/
57 | Events:
58 | HelloWorld:
59 | Type: SNS
60 | Properties:
61 | Topic: arn:aws:sns:us-east-1:424432388155:sns-topic-for-lambda
62 | Metadata:
63 | Dockerfile: Dockerfile
64 | DockerContext: ./sns
65 | DockerTag: python3.8-v1
kubernetes scan results:
Passed checks: 26184, Failed checks: 4597, Skipped checks: 0
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: DaemonSet.default.local-volume-provisioner
File: /lessons/099/provisioner/daemonset.yaml:2-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: DaemonSet
4 | metadata:
5 | name: local-volume-provisioner
6 | namespace: default
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: local-volume-provisioner
11 | template:
12 | metadata:
13 | labels:
14 | app: local-volume-provisioner
15 | spec:
16 | serviceAccountName: local-storage-admin
17 | containers:
18 | - image: "k8s.gcr.io/sig-storage/local-volume-provisioner:v2.4.0"
19 | name: provisioner
20 | securityContext:
21 | privileged: true
22 | env:
23 | - name: MY_NODE_NAME
24 | valueFrom:
25 | fieldRef:
26 | fieldPath: spec.nodeName
27 | volumeMounts:
28 | - mountPath: /etc/provisioner/config
29 | name: provisioner-config
30 | readOnly: true
31 | - mountPath: /mnt/ssd-disks
32 | name: ssd-disks
33 | mountPropagation: HostToContainer
34 | volumes:
35 | - name: provisioner-config
36 | configMap:
37 | name: local-provisioner-config
38 | - name: ssd-disks
39 | hostPath:
40 | path: /mnt/ssd-disks
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: DaemonSet.default.local-volume-provisioner
File: /lessons/099/provisioner/daemonset.yaml:2-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
2 | apiVersion: apps/v1
3 | kind: DaemonSet
4 | metadata:
5 | name: local-volume-provisioner
6 | namespace: default
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: local-volume-provisioner
11 | template:
12 | metadata:
13 | labels:
14 | app: local-volume-provisioner
15 | spec:
16 | serviceAccountName: local-storage-admin
17 | containers:
18 | - image: "k8s.gcr.io/sig-storage/local-volume-provisioner:v2.4.0"
19 | name: provisioner
20 | securityContext:
21 | privileged: true
22 | env:
23 | - name: MY_NODE_NAME
24 | valueFrom:
25 | fieldRef:
26 | fieldPath: spec.nodeName
27 | volumeMounts:
28 | - mountPath: /etc/provisioner/config
29 | name: provisioner-config
30 | readOnly: true
31 | - mountPath: /mnt/ssd-disks
32 | name: ssd-disks
33 | mountPropagation: HostToContainer
34 | volumes:
35 | - name: provisioner-config
36 | configMap:
37 | name: local-provisioner-config
38 | - name: ssd-disks
39 | hostPath:
40 | path: /mnt/ssd-disks
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: DaemonSet.default.local-volume-provisioner
File: /lessons/099/provisioner/daemonset.yaml:2-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
2 | apiVersion: apps/v1
3 | kind: DaemonSet
4 | metadata:
5 | name: local-volume-provisioner
6 | namespace: default
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: local-volume-provisioner
11 | template:
12 | metadata:
13 | labels:
14 | app: local-volume-provisioner
15 | spec:
16 | serviceAccountName: local-storage-admin
17 | containers:
18 | - image: "k8s.gcr.io/sig-storage/local-volume-provisioner:v2.4.0"
19 | name: provisioner
20 | securityContext:
21 | privileged: true
22 | env:
23 | - name: MY_NODE_NAME
24 | valueFrom:
25 | fieldRef:
26 | fieldPath: spec.nodeName
27 | volumeMounts:
28 | - mountPath: /etc/provisioner/config
29 | name: provisioner-config
30 | readOnly: true
31 | - mountPath: /mnt/ssd-disks
32 | name: ssd-disks
33 | mountPropagation: HostToContainer
34 | volumes:
35 | - name: provisioner-config
36 | configMap:
37 | name: local-provisioner-config
38 | - name: ssd-disks
39 | hostPath:
40 | path: /mnt/ssd-disks
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: DaemonSet.default.local-volume-provisioner
File: /lessons/099/provisioner/daemonset.yaml:2-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
2 | apiVersion: apps/v1
3 | kind: DaemonSet
4 | metadata:
5 | name: local-volume-provisioner
6 | namespace: default
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: local-volume-provisioner
11 | template:
12 | metadata:
13 | labels:
14 | app: local-volume-provisioner
15 | spec:
16 | serviceAccountName: local-storage-admin
17 | containers:
18 | - image: "k8s.gcr.io/sig-storage/local-volume-provisioner:v2.4.0"
19 | name: provisioner
20 | securityContext:
21 | privileged: true
22 | env:
23 | - name: MY_NODE_NAME
24 | valueFrom:
25 | fieldRef:
26 | fieldPath: spec.nodeName
27 | volumeMounts:
28 | - mountPath: /etc/provisioner/config
29 | name: provisioner-config
30 | readOnly: true
31 | - mountPath: /mnt/ssd-disks
32 | name: ssd-disks
33 | mountPropagation: HostToContainer
34 | volumes:
35 | - name: provisioner-config
36 | configMap:
37 | name: local-provisioner-config
38 | - name: ssd-disks
39 | hostPath:
40 | path: /mnt/ssd-disks
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: DaemonSet.default.local-volume-provisioner
File: /lessons/099/provisioner/daemonset.yaml:2-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
2 | apiVersion: apps/v1
3 | kind: DaemonSet
4 | metadata:
5 | name: local-volume-provisioner
6 | namespace: default
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: local-volume-provisioner
11 | template:
12 | metadata:
13 | labels:
14 | app: local-volume-provisioner
15 | spec:
16 | serviceAccountName: local-storage-admin
17 | containers:
18 | - image: "k8s.gcr.io/sig-storage/local-volume-provisioner:v2.4.0"
19 | name: provisioner
20 | securityContext:
21 | privileged: true
22 | env:
23 | - name: MY_NODE_NAME
24 | valueFrom:
25 | fieldRef:
26 | fieldPath: spec.nodeName
27 | volumeMounts:
28 | - mountPath: /etc/provisioner/config
29 | name: provisioner-config
30 | readOnly: true
31 | - mountPath: /mnt/ssd-disks
32 | name: ssd-disks
33 | mountPropagation: HostToContainer
34 | volumes:
35 | - name: provisioner-config
36 | configMap:
37 | name: local-provisioner-config
38 | - name: ssd-disks
39 | hostPath:
40 | path: /mnt/ssd-disks
Check: CKV_K8S_16: "Container should not be privileged"
FAILED for resource: DaemonSet.default.local-volume-provisioner
File: /lessons/099/provisioner/daemonset.yaml:2-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-15.html
2 | apiVersion: apps/v1
3 | kind: DaemonSet
4 | metadata:
5 | name: local-volume-provisioner
6 | namespace: default
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: local-volume-provisioner
11 | template:
12 | metadata:
13 | labels:
14 | app: local-volume-provisioner
15 | spec:
16 | serviceAccountName: local-storage-admin
17 | containers:
18 | - image: "k8s.gcr.io/sig-storage/local-volume-provisioner:v2.4.0"
19 | name: provisioner
20 | securityContext:
21 | privileged: true
22 | env:
23 | - name: MY_NODE_NAME
24 | valueFrom:
25 | fieldRef:
26 | fieldPath: spec.nodeName
27 | volumeMounts:
28 | - mountPath: /etc/provisioner/config
29 | name: provisioner-config
30 | readOnly: true
31 | - mountPath: /mnt/ssd-disks
32 | name: ssd-disks
33 | mountPropagation: HostToContainer
34 | volumes:
35 | - name: provisioner-config
36 | configMap:
37 | name: local-provisioner-config
38 | - name: ssd-disks
39 | hostPath:
40 | path: /mnt/ssd-disks
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: DaemonSet.default.local-volume-provisioner
File: /lessons/099/provisioner/daemonset.yaml:2-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
2 | apiVersion: apps/v1
3 | kind: DaemonSet
4 | metadata:
5 | name: local-volume-provisioner
6 | namespace: default
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: local-volume-provisioner
11 | template:
12 | metadata:
13 | labels:
14 | app: local-volume-provisioner
15 | spec:
16 | serviceAccountName: local-storage-admin
17 | containers:
18 | - image: "k8s.gcr.io/sig-storage/local-volume-provisioner:v2.4.0"
19 | name: provisioner
20 | securityContext:
21 | privileged: true
22 | env:
23 | - name: MY_NODE_NAME
24 | valueFrom:
25 | fieldRef:
26 | fieldPath: spec.nodeName
27 | volumeMounts:
28 | - mountPath: /etc/provisioner/config
29 | name: provisioner-config
30 | readOnly: true
31 | - mountPath: /mnt/ssd-disks
32 | name: ssd-disks
33 | mountPropagation: HostToContainer
34 | volumes:
35 | - name: provisioner-config
36 | configMap:
37 | name: local-provisioner-config
38 | - name: ssd-disks
39 | hostPath:
40 | path: /mnt/ssd-disks
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: DaemonSet.default.local-volume-provisioner
File: /lessons/099/provisioner/daemonset.yaml:2-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
2 | apiVersion: apps/v1
3 | kind: DaemonSet
4 | metadata:
5 | name: local-volume-provisioner
6 | namespace: default
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: local-volume-provisioner
11 | template:
12 | metadata:
13 | labels:
14 | app: local-volume-provisioner
15 | spec:
16 | serviceAccountName: local-storage-admin
17 | containers:
18 | - image: "k8s.gcr.io/sig-storage/local-volume-provisioner:v2.4.0"
19 | name: provisioner
20 | securityContext:
21 | privileged: true
22 | env:
23 | - name: MY_NODE_NAME
24 | valueFrom:
25 | fieldRef:
26 | fieldPath: spec.nodeName
27 | volumeMounts:
28 | - mountPath: /etc/provisioner/config
29 | name: provisioner-config
30 | readOnly: true
31 | - mountPath: /mnt/ssd-disks
32 | name: ssd-disks
33 | mountPropagation: HostToContainer
34 | volumes:
35 | - name: provisioner-config
36 | configMap:
37 | name: local-provisioner-config
38 | - name: ssd-disks
39 | hostPath:
40 | path: /mnt/ssd-disks
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: DaemonSet.default.local-volume-provisioner
File: /lessons/099/provisioner/daemonset.yaml:2-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
2 | apiVersion: apps/v1
3 | kind: DaemonSet
4 | metadata:
5 |   name: local-volume-provisioner
6 |   namespace: default
7 | spec:
8 |   selector:
9 |     matchLabels:
10 |       app: local-volume-provisioner
11 |   template:
12 |     metadata:
13 |       labels:
14 |         app: local-volume-provisioner
15 |     spec:
16 |       serviceAccountName: local-storage-admin
17 |       containers:
18 |         - image: "k8s.gcr.io/sig-storage/local-volume-provisioner:v2.4.0"
19 |           name: provisioner
20 |           securityContext:
21 |             privileged: true
22 |           env:
23 |             - name: MY_NODE_NAME
24 |               valueFrom:
25 |                 fieldRef:
26 |                   fieldPath: spec.nodeName
27 |           volumeMounts:
28 |             - mountPath: /etc/provisioner/config
29 |               name: provisioner-config
30 |               readOnly: true
31 |             - mountPath: /mnt/ssd-disks
32 |               name: ssd-disks
33 |               mountPropagation: HostToContainer
34 |       volumes:
35 |         - name: provisioner-config
36 |           configMap:
37 |             name: local-provisioner-config
38 |         - name: ssd-disks
39 |           hostPath:
40 |             path: /mnt/ssd-disks
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: DaemonSet.default.local-volume-provisioner
File: /lessons/099/provisioner/daemonset.yaml:2-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: DaemonSet.default.local-volume-provisioner
File: /lessons/099/provisioner/daemonset.yaml:2-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: DaemonSet.default.local-volume-provisioner
File: /lessons/099/provisioner/daemonset.yaml:2-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: DaemonSet.default.local-volume-provisioner
File: /lessons/099/provisioner/daemonset.yaml:2-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: DaemonSet.default.local-volume-provisioner
File: /lessons/099/provisioner/daemonset.yaml:2-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: DaemonSet.default.local-volume-provisioner
File: /lessons/099/provisioner/daemonset.yaml:2-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: DaemonSet.default.local-volume-provisioner
File: /lessons/099/provisioner/daemonset.yaml:2-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: DaemonSet.default.local-volume-provisioner
File: /lessons/099/provisioner/daemonset.yaml:2-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: DaemonSet.default.local-volume-provisioner
File: /lessons/099/provisioner/daemonset.yaml:2-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: DaemonSet.default.local-volume-provisioner
File: /lessons/099/provisioner/daemonset.yaml:2-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ServiceAccount.default.local-storage-admin
File: /lessons/099/provisioner/rbac.yaml:2-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
2 | apiVersion: v1
3 | kind: ServiceAccount
4 | metadata:
5 |   name: local-storage-admin
6 |   namespace: default
7 | ---
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ConfigMap.default.local-provisioner-config
File: /lessons/099/provisioner/configmap.yaml:2-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
2 | apiVersion: v1
3 | kind: ConfigMap
4 | metadata:
5 |   name: local-provisioner-config
6 |   namespace: default
7 | data:
8 |   storageClassMap: |
9 |     ssd-disks:
10 |       hostDir: /mnt/ssd-disks
11 |       mountDir: /mnt/ssd-disks
12 |       blockCleanerCommand:
13 |         - "/scripts/shred.sh"
14 |         - "2"
15 |       volumeMode: Filesystem
16 |       fsType: xfs
17 |       namePattern: "*"
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: StatefulSet.default.database-postgresql
File: /lessons/099/examples/1-example.yaml:2-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: StatefulSet
4 | metadata:
5 |   name: database-postgresql
6 | spec:
7 |   serviceName: postgresql
8 |   selector:
9 |     matchLabels:
10 |       app.kubernetes.io/name: postgresql
11 |   template:
12 |     metadata:
13 |       name: database-postgresql
14 |       labels:
15 |         app.kubernetes.io/name: postgresql
16 |     spec:
17 |       containers:
18 |         - name: database-postgresql
19 |           image: docker.io/bitnami/postgresql:11.14.0-debian-10-r17
20 |           securityContext:
21 |             runAsUser: 0
22 |           env:
23 |             - name: POSTGRESQL_VOLUME_DIR
24 |               value: /bitnami/postgresql
25 |             - name: PGDATA
26 |               value: /bitnami/postgresql/data
27 |             - name: POSTGRES_USER
28 |               value: postgres
29 |             - name: POSTGRES_PASSWORD
30 |               value: secret123
31 |           ports:
32 |             - name: tcp-postgresql
33 |               containerPort: 5432
34 |           volumeMounts:
35 |             - name: dshm
36 |               mountPath: /dev/shm
37 |             - name: local-disk
38 |               mountPath: /bitnami/postgresql
39 |               subPath:
40 |       volumes:
41 |         - name: dshm
42 |           emptyDir:
43 |             medium: Memory
44 |         - name: local-disk
45 |           hostPath:
46 |             path: /opt/postgresql-data
47 |             type: DirectoryOrCreate
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: StatefulSet.default.database-postgresql
File: /lessons/099/examples/1-example.yaml:2-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: StatefulSet.default.database-postgresql
File: /lessons/099/examples/1-example.yaml:2-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: StatefulSet.default.database-postgresql
File: /lessons/099/examples/1-example.yaml:2-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: StatefulSet.default.database-postgresql
File: /lessons/099/examples/1-example.yaml:2-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: StatefulSet.default.database-postgresql
File: /lessons/099/examples/1-example.yaml:2-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: StatefulSet.default.database-postgresql
File: /lessons/099/examples/1-example.yaml:2-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: StatefulSet.default.database-postgresql
File: /lessons/099/examples/1-example.yaml:2-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: StatefulSet.default.database-postgresql
File: /lessons/099/examples/1-example.yaml:2-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: StatefulSet.default.database-postgresql
File: /lessons/099/examples/1-example.yaml:2-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: StatefulSet.default.database-postgresql
File: /lessons/099/examples/1-example.yaml:2-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: StatefulSet.default.database-postgresql
File: /lessons/099/examples/1-example.yaml:2-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: StatefulSet.default.database-postgresql
File: /lessons/099/examples/1-example.yaml:2-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
2 | apiVersion: apps/v1
3 | kind: StatefulSet
4 | metadata:
5 | name: database-postgresql
6 | spec:
7 | serviceName: postgresql
8 | selector:
9 | matchLabels:
10 | app.kubernetes.io/name: postgresql
11 | template:
12 | metadata:
13 | name: database-postgresql
14 | labels:
15 | app.kubernetes.io/name: postgresql
16 | spec:
17 | containers:
18 | - name: database-postgresql
19 | image: docker.io/bitnami/postgresql:11.14.0-debian-10-r17
20 | securityContext:
21 | runAsUser: 0
22 | env:
23 | - name: POSTGRESQL_VOLUME_DIR
24 | value: /bitnami/postgresql
25 | - name: PGDATA
26 | value: /bitnami/postgresql/data
27 | - name: POSTGRES_USER
28 | value: postgres
29 | - name: POSTGRES_PASSWORD
30 | value: secret123
31 | ports:
32 | - name: tcp-postgresql
33 | containerPort: 5432
34 | volumeMounts:
35 | - name: dshm
36 | mountPath: /dev/shm
37 | - name: local-disk
38 | mountPath: /bitnami/postgresql
39 | subPath:
40 | volumes:
41 | - name: dshm
42 | emptyDir:
43 | medium: Memory
44 | - name: local-disk
45 | hostPath:
46 | path: /opt/postgresql-data
47 | type: DirectoryOrCreate
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: StatefulSet.default.database-postgresql
File: /lessons/099/examples/1-example.yaml:2-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
2 | apiVersion: apps/v1
3 | kind: StatefulSet
4 | metadata:
5 | name: database-postgresql
6 | spec:
7 | serviceName: postgresql
8 | selector:
9 | matchLabels:
10 | app.kubernetes.io/name: postgresql
11 | template:
12 | metadata:
13 | name: database-postgresql
14 | labels:
15 | app.kubernetes.io/name: postgresql
16 | spec:
17 | containers:
18 | - name: database-postgresql
19 | image: docker.io/bitnami/postgresql:11.14.0-debian-10-r17
20 | securityContext:
21 | runAsUser: 0
22 | env:
23 | - name: POSTGRESQL_VOLUME_DIR
24 | value: /bitnami/postgresql
25 | - name: PGDATA
26 | value: /bitnami/postgresql/data
27 | - name: POSTGRES_USER
28 | value: postgres
29 | - name: POSTGRES_PASSWORD
30 | value: secret123
31 | ports:
32 | - name: tcp-postgresql
33 | containerPort: 5432
34 | volumeMounts:
35 | - name: dshm
36 | mountPath: /dev/shm
37 | - name: local-disk
38 | mountPath: /bitnami/postgresql
39 | subPath:
40 | volumes:
41 | - name: dshm
42 | emptyDir:
43 | medium: Memory
44 | - name: local-disk
45 | hostPath:
46 | path: /opt/postgresql-data
47 | type: DirectoryOrCreate
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: StatefulSet.default.database-postgresql
File: /lessons/099/examples/1-example.yaml:2-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
2 | apiVersion: apps/v1
3 | kind: StatefulSet
4 | metadata:
5 | name: database-postgresql
6 | spec:
7 | serviceName: postgresql
8 | selector:
9 | matchLabels:
10 | app.kubernetes.io/name: postgresql
11 | template:
12 | metadata:
13 | name: database-postgresql
14 | labels:
15 | app.kubernetes.io/name: postgresql
16 | spec:
17 | containers:
18 | - name: database-postgresql
19 | image: docker.io/bitnami/postgresql:11.14.0-debian-10-r17
20 | securityContext:
21 | runAsUser: 0
22 | env:
23 | - name: POSTGRESQL_VOLUME_DIR
24 | value: /bitnami/postgresql
25 | - name: PGDATA
26 | value: /bitnami/postgresql/data
27 | - name: POSTGRES_USER
28 | value: postgres
29 | - name: POSTGRES_PASSWORD
30 | value: secret123
31 | ports:
32 | - name: tcp-postgresql
33 | containerPort: 5432
34 | volumeMounts:
35 | - name: dshm
36 | mountPath: /dev/shm
37 | - name: local-disk
38 | mountPath: /bitnami/postgresql
39 | subPath:
40 | volumes:
41 | - name: dshm
42 | emptyDir:
43 | medium: Memory
44 | - name: local-disk
45 | hostPath:
46 | path: /opt/postgresql-data
47 | type: DirectoryOrCreate
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: StatefulSet.default.database-postgresql
File: /lessons/099/examples/1-example.yaml:2-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
2 | apiVersion: apps/v1
3 | kind: StatefulSet
4 | metadata:
5 | name: database-postgresql
6 | spec:
7 | serviceName: postgresql
8 | selector:
9 | matchLabels:
10 | app.kubernetes.io/name: postgresql
11 | template:
12 | metadata:
13 | name: database-postgresql
14 | labels:
15 | app.kubernetes.io/name: postgresql
16 | spec:
17 | containers:
18 | - name: database-postgresql
19 | image: docker.io/bitnami/postgresql:11.14.0-debian-10-r17
20 | securityContext:
21 | runAsUser: 0
22 | env:
23 | - name: POSTGRESQL_VOLUME_DIR
24 | value: /bitnami/postgresql
25 | - name: PGDATA
26 | value: /bitnami/postgresql/data
27 | - name: POSTGRES_USER
28 | value: postgres
29 | - name: POSTGRES_PASSWORD
30 | value: secret123
31 | ports:
32 | - name: tcp-postgresql
33 | containerPort: 5432
34 | volumeMounts:
35 | - name: dshm
36 | mountPath: /dev/shm
37 | - name: local-disk
38 | mountPath: /bitnami/postgresql
39 | subPath:
40 | volumes:
41 | - name: dshm
42 | emptyDir:
43 | medium: Memory
44 | - name: local-disk
45 | hostPath:
46 | path: /opt/postgresql-data
47 | type: DirectoryOrCreate
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: StatefulSet.default.database-postgresql
File: /lessons/099/examples/1-example.yaml:2-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
2 | apiVersion: apps/v1
3 | kind: StatefulSet
4 | metadata:
5 | name: database-postgresql
6 | spec:
7 | serviceName: postgresql
8 | selector:
9 | matchLabels:
10 | app.kubernetes.io/name: postgresql
11 | template:
12 | metadata:
13 | name: database-postgresql
14 | labels:
15 | app.kubernetes.io/name: postgresql
16 | spec:
17 | containers:
18 | - name: database-postgresql
19 | image: docker.io/bitnami/postgresql:11.14.0-debian-10-r17
20 | securityContext:
21 | runAsUser: 0
22 | env:
23 | - name: POSTGRESQL_VOLUME_DIR
24 | value: /bitnami/postgresql
25 | - name: PGDATA
26 | value: /bitnami/postgresql/data
27 | - name: POSTGRES_USER
28 | value: postgres
29 | - name: POSTGRES_PASSWORD
30 | value: secret123
31 | ports:
32 | - name: tcp-postgresql
33 | containerPort: 5432
34 | volumeMounts:
35 | - name: dshm
36 | mountPath: /dev/shm
37 | - name: local-disk
38 | mountPath: /bitnami/postgresql
39 | subPath:
40 | volumes:
41 | - name: dshm
42 | emptyDir:
43 | medium: Memory
44 | - name: local-disk
45 | hostPath:
46 | path: /opt/postgresql-data
47 | type: DirectoryOrCreate
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: StatefulSet.default.database-postgresql
File: /lessons/099/examples/1-example.yaml:2-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
2 | apiVersion: apps/v1
3 | kind: StatefulSet
4 | metadata:
5 | name: database-postgresql
6 | spec:
7 | serviceName: postgresql
8 | selector:
9 | matchLabels:
10 | app.kubernetes.io/name: postgresql
11 | template:
12 | metadata:
13 | name: database-postgresql
14 | labels:
15 | app.kubernetes.io/name: postgresql
16 | spec:
17 | containers:
18 | - name: database-postgresql
19 | image: docker.io/bitnami/postgresql:11.14.0-debian-10-r17
20 | securityContext:
21 | runAsUser: 0
22 | env:
23 | - name: POSTGRESQL_VOLUME_DIR
24 | value: /bitnami/postgresql
25 | - name: PGDATA
26 | value: /bitnami/postgresql/data
27 | - name: POSTGRES_USER
28 | value: postgres
29 | - name: POSTGRES_PASSWORD
30 | value: secret123
31 | ports:
32 | - name: tcp-postgresql
33 | containerPort: 5432
34 | volumeMounts:
35 | - name: dshm
36 | mountPath: /dev/shm
37 | - name: local-disk
38 | mountPath: /bitnami/postgresql
39 | subPath:
40 | volumes:
41 | - name: dshm
42 | emptyDir:
43 | medium: Memory
44 | - name: local-disk
45 | hostPath:
46 | path: /opt/postgresql-data
47 | type: DirectoryOrCreate
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: StatefulSet.default.database-postgresql
File: /lessons/099/examples/2-example.yaml:2-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: StatefulSet.default.database-postgresql
File: /lessons/099/examples/2-example.yaml:2-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: StatefulSet.default.database-postgresql
File: /lessons/099/examples/2-example.yaml:2-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: StatefulSet.default.database-postgresql
File: /lessons/099/examples/2-example.yaml:2-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: StatefulSet.default.database-postgresql
File: /lessons/099/examples/2-example.yaml:2-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: StatefulSet.default.database-postgresql
File: /lessons/099/examples/2-example.yaml:2-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: StatefulSet.default.database-postgresql
File: /lessons/099/examples/2-example.yaml:2-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: StatefulSet.default.database-postgresql
File: /lessons/099/examples/2-example.yaml:2-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: StatefulSet.default.database-postgresql
File: /lessons/099/examples/2-example.yaml:2-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: StatefulSet.default.database-postgresql
File: /lessons/099/examples/2-example.yaml:2-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: StatefulSet.default.database-postgresql
File: /lessons/099/examples/2-example.yaml:2-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: StatefulSet.default.database-postgresql
File: /lessons/099/examples/2-example.yaml:2-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: StatefulSet.default.database-postgresql
File: /lessons/099/examples/2-example.yaml:2-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: StatefulSet.default.database-postgresql
File: /lessons/099/examples/2-example.yaml:2-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: StatefulSet.default.database-postgresql
File: /lessons/099/examples/2-example.yaml:2-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: StatefulSet.default.database-postgresql
File: /lessons/099/examples/2-example.yaml:2-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: StatefulSet.default.database-postgresql
File: /lessons/099/examples/2-example.yaml:2-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: StatefulSet.default.database-postgresql
File: /lessons/099/examples/2-example.yaml:2-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.staging.first-app-v1
File: /lessons/156/fargate-example/1-deployment.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: first-app-v1
6 | namespace: staging
7 | spec:
8 | replicas: 3
9 | selector:
10 | matchLabels:
11 | app: first-app
12 | version: v1
13 | template:
14 | metadata:
15 | labels:
16 | app: first-app
17 | version: v1
18 | istio: monitor
19 | spec:
20 | containers:
21 | - image: aputra/myapp-lesson155:latest
22 | imagePullPolicy: Always
23 | name: first-app
24 | env:
25 | - name: SERVICE
26 | value: first-app
27 | - name: VERSION
28 | value: v1
29 | ports:
30 | - name: http
31 | containerPort: 8080
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.staging.first-app-v1
File: /lessons/156/fargate-example/1-deployment.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: first-app-v1
6 | namespace: staging
7 | spec:
8 | replicas: 3
9 | selector:
10 | matchLabels:
11 | app: first-app
12 | version: v1
13 | template:
14 | metadata:
15 | labels:
16 | app: first-app
17 | version: v1
18 | istio: monitor
19 | spec:
20 | containers:
21 | - image: aputra/myapp-lesson155:latest
22 | imagePullPolicy: Always
23 | name: first-app
24 | env:
25 | - name: SERVICE
26 | value: first-app
27 | - name: VERSION
28 | value: v1
29 | ports:
30 | - name: http
31 | containerPort: 8080
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.staging.first-app-v1
File: /lessons/156/fargate-example/1-deployment.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: first-app-v1
6 | namespace: staging
7 | spec:
8 | replicas: 3
9 | selector:
10 | matchLabels:
11 | app: first-app
12 | version: v1
13 | template:
14 | metadata:
15 | labels:
16 | app: first-app
17 | version: v1
18 | istio: monitor
19 | spec:
20 | containers:
21 | - image: aputra/myapp-lesson155:latest
22 | imagePullPolicy: Always
23 | name: first-app
24 | env:
25 | - name: SERVICE
26 | value: first-app
27 | - name: VERSION
28 | value: v1
29 | ports:
30 | - name: http
31 | containerPort: 8080
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.staging.first-app-v1
File: /lessons/156/fargate-example/1-deployment.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: first-app-v1
6 | namespace: staging
7 | spec:
8 | replicas: 3
9 | selector:
10 | matchLabels:
11 | app: first-app
12 | version: v1
13 | template:
14 | metadata:
15 | labels:
16 | app: first-app
17 | version: v1
18 | istio: monitor
19 | spec:
20 | containers:
21 | - image: aputra/myapp-lesson155:latest
22 | imagePullPolicy: Always
23 | name: first-app
24 | env:
25 | - name: SERVICE
26 | value: first-app
27 | - name: VERSION
28 | value: v1
29 | ports:
30 | - name: http
31 | containerPort: 8080
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.staging.first-app-v1
File: /lessons/156/fargate-example/1-deployment.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: first-app-v1
6 | namespace: staging
7 | spec:
8 | replicas: 3
9 | selector:
10 | matchLabels:
11 | app: first-app
12 | version: v1
13 | template:
14 | metadata:
15 | labels:
16 | app: first-app
17 | version: v1
18 | istio: monitor
19 | spec:
20 | containers:
21 | - image: aputra/myapp-lesson155:latest
22 | imagePullPolicy: Always
23 | name: first-app
24 | env:
25 | - name: SERVICE
26 | value: first-app
27 | - name: VERSION
28 | value: v1
29 | ports:
30 | - name: http
31 | containerPort: 8080
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.staging.first-app-v1
File: /lessons/156/fargate-example/1-deployment.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: first-app-v1
6 | namespace: staging
7 | spec:
8 | replicas: 3
9 | selector:
10 | matchLabels:
11 | app: first-app
12 | version: v1
13 | template:
14 | metadata:
15 | labels:
16 | app: first-app
17 | version: v1
18 | istio: monitor
19 | spec:
20 | containers:
21 | - image: aputra/myapp-lesson155:latest
22 | imagePullPolicy: Always
23 | name: first-app
24 | env:
25 | - name: SERVICE
26 | value: first-app
27 | - name: VERSION
28 | value: v1
29 | ports:
30 | - name: http
31 | containerPort: 8080
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.staging.first-app-v1
File: /lessons/156/fargate-example/1-deployment.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: first-app-v1
6 | namespace: staging
7 | spec:
8 | replicas: 3
9 | selector:
10 | matchLabels:
11 | app: first-app
12 | version: v1
13 | template:
14 | metadata:
15 | labels:
16 | app: first-app
17 | version: v1
18 | istio: monitor
19 | spec:
20 | containers:
21 | - image: aputra/myapp-lesson155:latest
22 | imagePullPolicy: Always
23 | name: first-app
24 | env:
25 | - name: SERVICE
26 | value: first-app
27 | - name: VERSION
28 | value: v1
29 | ports:
30 | - name: http
31 | containerPort: 8080
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.staging.first-app-v1
File: /lessons/156/fargate-example/1-deployment.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: first-app-v1
6 | namespace: staging
7 | spec:
8 | replicas: 3
9 | selector:
10 | matchLabels:
11 | app: first-app
12 | version: v1
13 | template:
14 | metadata:
15 | labels:
16 | app: first-app
17 | version: v1
18 | istio: monitor
19 | spec:
20 | containers:
21 | - image: aputra/myapp-lesson155:latest
22 | imagePullPolicy: Always
23 | name: first-app
24 | env:
25 | - name: SERVICE
26 | value: first-app
27 | - name: VERSION
28 | value: v1
29 | ports:
30 | - name: http
31 | containerPort: 8080
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.staging.first-app-v1
File: /lessons/156/fargate-example/1-deployment.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: first-app-v1
6 | namespace: staging
7 | spec:
8 | replicas: 3
9 | selector:
10 | matchLabels:
11 | app: first-app
12 | version: v1
13 | template:
14 | metadata:
15 | labels:
16 | app: first-app
17 | version: v1
18 | istio: monitor
19 | spec:
20 | containers:
21 | - image: aputra/myapp-lesson155:latest
22 | imagePullPolicy: Always
23 | name: first-app
24 | env:
25 | - name: SERVICE
26 | value: first-app
27 | - name: VERSION
28 | value: v1
29 | ports:
30 | - name: http
31 | containerPort: 8080
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.staging.first-app-v1
File: /lessons/156/fargate-example/1-deployment.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: first-app-v1
6 | namespace: staging
7 | spec:
8 | replicas: 3
9 | selector:
10 | matchLabels:
11 | app: first-app
12 | version: v1
13 | template:
14 | metadata:
15 | labels:
16 | app: first-app
17 | version: v1
18 | istio: monitor
19 | spec:
20 | containers:
21 | - image: aputra/myapp-lesson155:latest
22 | imagePullPolicy: Always
23 | name: first-app
24 | env:
25 | - name: SERVICE
26 | value: first-app
27 | - name: VERSION
28 | value: v1
29 | ports:
30 | - name: http
31 | containerPort: 8080
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.staging.first-app-v1
File: /lessons/156/fargate-example/1-deployment.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: first-app-v1
6 | namespace: staging
7 | spec:
8 | replicas: 3
9 | selector:
10 | matchLabels:
11 | app: first-app
12 | version: v1
13 | template:
14 | metadata:
15 | labels:
16 | app: first-app
17 | version: v1
18 | istio: monitor
19 | spec:
20 | containers:
21 | - image: aputra/myapp-lesson155:latest
22 | imagePullPolicy: Always
23 | name: first-app
24 | env:
25 | - name: SERVICE
26 | value: first-app
27 | - name: VERSION
28 | value: v1
29 | ports:
30 | - name: http
31 | containerPort: 8080
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.staging.first-app-v1
File: /lessons/156/fargate-example/1-deployment.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: first-app-v1
6 | namespace: staging
7 | spec:
8 | replicas: 3
9 | selector:
10 | matchLabels:
11 | app: first-app
12 | version: v1
13 | template:
14 | metadata:
15 | labels:
16 | app: first-app
17 | version: v1
18 | istio: monitor
19 | spec:
20 | containers:
21 | - image: aputra/myapp-lesson155:latest
22 | imagePullPolicy: Always
23 | name: first-app
24 | env:
25 | - name: SERVICE
26 | value: first-app
27 | - name: VERSION
28 | value: v1
29 | ports:
30 | - name: http
31 | containerPort: 8080
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.staging.first-app-v1
File: /lessons/156/fargate-example/1-deployment.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: first-app-v1
6 | namespace: staging
7 | spec:
8 | replicas: 3
9 | selector:
10 | matchLabels:
11 | app: first-app
12 | version: v1
13 | template:
14 | metadata:
15 | labels:
16 | app: first-app
17 | version: v1
18 | istio: monitor
19 | spec:
20 | containers:
21 | - image: aputra/myapp-lesson155:latest
22 | imagePullPolicy: Always
23 | name: first-app
24 | env:
25 | - name: SERVICE
26 | value: first-app
27 | - name: VERSION
28 | value: v1
29 | ports:
30 | - name: http
31 | containerPort: 8080
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.staging.first-app-v1
File: /lessons/156/fargate-example/1-deployment.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: first-app-v1
6 | namespace: staging
7 | spec:
8 | replicas: 3
9 | selector:
10 | matchLabels:
11 | app: first-app
12 | version: v1
13 | template:
14 | metadata:
15 | labels:
16 | app: first-app
17 | version: v1
18 | istio: monitor
19 | spec:
20 | containers:
21 | - image: aputra/myapp-lesson155:latest
22 | imagePullPolicy: Always
23 | name: first-app
24 | env:
25 | - name: SERVICE
26 | value: first-app
27 | - name: VERSION
28 | value: v1
29 | ports:
30 | - name: http
31 | containerPort: 8080
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.staging.first-app-v1
File: /lessons/156/fargate-example/1-deployment.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: first-app-v1
6 | namespace: staging
7 | spec:
8 | replicas: 3
9 | selector:
10 | matchLabels:
11 | app: first-app
12 | version: v1
13 | template:
14 | metadata:
15 | labels:
16 | app: first-app
17 | version: v1
18 | istio: monitor
19 | spec:
20 | containers:
21 | - image: aputra/myapp-lesson155:latest
22 | imagePullPolicy: Always
23 | name: first-app
24 | env:
25 | - name: SERVICE
26 | value: first-app
27 | - name: VERSION
28 | value: v1
29 | ports:
30 | - name: http
31 | containerPort: 8080
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.staging.first-app-v1
File: /lessons/156/fargate-example/1-deployment.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: first-app-v1
6 | namespace: staging
7 | spec:
8 | replicas: 3
9 | selector:
10 | matchLabels:
11 | app: first-app
12 | version: v1
13 | template:
14 | metadata:
15 | labels:
16 | app: first-app
17 | version: v1
18 | istio: monitor
19 | spec:
20 | containers:
21 | - image: aputra/myapp-lesson155:latest
22 | imagePullPolicy: Always
23 | name: first-app
24 | env:
25 | - name: SERVICE
26 | value: first-app
27 | - name: VERSION
28 | value: v1
29 | ports:
30 | - name: http
31 | containerPort: 8080
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.staging.first-app-v1
File: /lessons/156/fargate-example/1-deployment.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.staging.first-app-v1
File: /lessons/156/fargate-example/1-deployment.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Pod.default.app-2
File: /lessons/156/efs-example/2-pod-2.yaml:2-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: app-2
6 | namespace: default
7 | spec:
8 | containers:
9 | - name: app-2
10 | image: busybox
11 | command: ["/bin/sh"]
12 | args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
13 | volumeMounts:
14 | - name: persistent-storage
15 | mountPath: /data
16 | volumes:
17 | - name: persistent-storage
18 | persistentVolumeClaim:
19 | claimName: app
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Pod.default.app-2
File: /lessons/156/efs-example/2-pod-2.yaml:2-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Pod.default.app-2
File: /lessons/156/efs-example/2-pod-2.yaml:2-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Pod.default.app-2
File: /lessons/156/efs-example/2-pod-2.yaml:2-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Pod.default.app-2
File: /lessons/156/efs-example/2-pod-2.yaml:2-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Pod.default.app-2
File: /lessons/156/efs-example/2-pod-2.yaml:2-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Pod.default.app-2
File: /lessons/156/efs-example/2-pod-2.yaml:2-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Pod.default.app-2
File: /lessons/156/efs-example/2-pod-2.yaml:2-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Pod.default.app-2
File: /lessons/156/efs-example/2-pod-2.yaml:2-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Pod.default.app-2
File: /lessons/156/efs-example/2-pod-2.yaml:2-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Pod.default.app-2
File: /lessons/156/efs-example/2-pod-2.yaml:2-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Pod.default.app-2
File: /lessons/156/efs-example/2-pod-2.yaml:2-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Pod.default.app-2
File: /lessons/156/efs-example/2-pod-2.yaml:2-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Pod.default.app-2
File: /lessons/156/efs-example/2-pod-2.yaml:2-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Pod.default.app-2
File: /lessons/156/efs-example/2-pod-2.yaml:2-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Pod.default.app-2
File: /lessons/156/efs-example/2-pod-2.yaml:2-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Pod.default.app-2
File: /lessons/156/efs-example/2-pod-2.yaml:2-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Pod.default.app-2
File: /lessons/156/efs-example/2-pod-2.yaml:2-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Pod.default.app-2
File: /lessons/156/efs-example/2-pod-2.yaml:2-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Pod.default.app-1
File: /lessons/156/efs-example/1-pod-1.yaml:2-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: app-1
6 | namespace: default
7 | spec:
8 | containers:
9 | - name: app-1
10 | image: busybox
11 | command: ["/bin/sh"]
12 | args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
13 | volumeMounts:
14 | - name: persistent-storage
15 | mountPath: /data
16 | volumes:
17 | - name: persistent-storage
18 | persistentVolumeClaim:
19 | claimName: app
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Pod.default.app-1
File: /lessons/156/efs-example/1-pod-1.yaml:2-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Pod.default.app-1
File: /lessons/156/efs-example/1-pod-1.yaml:2-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Pod.default.app-1
File: /lessons/156/efs-example/1-pod-1.yaml:2-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Pod.default.app-1
File: /lessons/156/efs-example/1-pod-1.yaml:2-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Pod.default.app-1
File: /lessons/156/efs-example/1-pod-1.yaml:2-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Pod.default.app-1
File: /lessons/156/efs-example/1-pod-1.yaml:2-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Pod.default.app-1
File: /lessons/156/efs-example/1-pod-1.yaml:2-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Pod.default.app-1
File: /lessons/156/efs-example/1-pod-1.yaml:2-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Pod.default.app-1
File: /lessons/156/efs-example/1-pod-1.yaml:2-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Pod.default.app-1
File: /lessons/156/efs-example/1-pod-1.yaml:2-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Pod.default.app-1
File: /lessons/156/efs-example/1-pod-1.yaml:2-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Pod.default.app-1
File: /lessons/156/efs-example/1-pod-1.yaml:2-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Pod.default.app-1
File: /lessons/156/efs-example/1-pod-1.yaml:2-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Pod.default.app-1
File: /lessons/156/efs-example/1-pod-1.yaml:2-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Pod.default.app-1
File: /lessons/156/efs-example/1-pod-1.yaml:2-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Pod.default.app-1
File: /lessons/156/efs-example/1-pod-1.yaml:2-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Pod.default.app-1
File: /lessons/156/efs-example/1-pod-1.yaml:2-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Pod.default.app-1
File: /lessons/156/efs-example/1-pod-1.yaml:2-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
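The findings above for Deployment.staging.first-app-v1 and for the two busybox Pods (app-1 and app-2) are all pod-spec hygiene that a single hardening pass clears. The script below is an added example, not code from the tutorials repository or from checkov: it rebuilds the app-1 Pod manifest from the report as a dict, re-states each listed CKV_K8S check in simplified form (the intent of each check, not checkov's own implementation), and produces a hardened copy: a non-default namespace, no automounted service-account token, RuntimeDefault seccomp, a non-root UID above 10000, all capabilities dropped, no privilege escalation, a read-only root filesystem, CPU/memory requests and limits, liveness and readiness probes, and an image pinned by both tag and digest. The namespace `efs-example`, UID 10001, the resource values, the `test -w /data` probe and the all-zero digest are placeholders chosen for the example; the real digest comes from the registry (for example `crane digest busybox:1.36`).

```python
"""Audit a manifest against the CKV_K8S_* findings in the report above and
build a hardened copy. Manifests are plain dicts with the same keys as the YAML."""
import copy

# Constructed from /lessons/156/efs-example/1-pod-1.yaml as shown in the report.
POD_APP_1 = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "app-1", "namespace": "default"},
    "spec": {
        "containers": [{
            "name": "app-1", "image": "busybox", "command": ["/bin/sh"],
            "args": ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"],
            "volumeMounts": [{"name": "persistent-storage", "mountPath": "/data"}]}],
        "volumes": [{"name": "persistent-storage",
                     "persistentVolumeClaim": {"claimName": "app"}}]},
}


def pod_spec(manifest):
    """PodSpec of a bare Pod, or of the pod template of a Deployment/StatefulSet."""
    return manifest["spec"] if manifest["kind"] == "Pod" else manifest["spec"]["template"]["spec"]


def image_tag(image):
    """Tag of an image reference ('' when absent), ignoring any @digest suffix."""
    last = image.split("@", 1)[0].rsplit("/", 1)[-1]
    return last.split(":", 1)[1] if ":" in last else ""


def audit(manifest):
    """Set of CKV_K8S ids the manifest fails (simplified re-statements of each check)."""
    spec, failed = pod_spec(manifest), set()
    pod_sc = spec.get("securityContext") or {}
    seccomp = lambda sc: (sc.get("seccompProfile") or {}).get("type") == "RuntimeDefault"
    if manifest["metadata"].get("namespace", "default") == "default":
        failed.add("CKV_K8S_21")
    if spec.get("automountServiceAccountToken", True):
        failed.add("CKV_K8S_38")
    for c in spec["containers"]:
        sc = c.get("securityContext") or {}
        dropped = {x.upper() for x in (sc.get("capabilities") or {}).get("drop", [])}
        res = c.get("resources") or {}
        req, lim = res.get("requests") or {}, res.get("limits") or {}
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))  # container overrides pod
        passed = {
            "CKV_K8S_8": "livenessProbe" in c, "CKV_K8S_9": "readinessProbe" in c,
            "CKV_K8S_10": "cpu" in req, "CKV_K8S_11": "cpu" in lim,
            "CKV_K8S_12": "memory" in req, "CKV_K8S_13": "memory" in lim,
            "CKV_K8S_14": image_tag(c["image"]) not in ("", "latest"),
            "CKV_K8S_43": "@sha256:" in c["image"],
            "CKV_K8S_20": sc.get("allowPrivilegeEscalation") is False,
            "CKV_K8S_22": sc.get("readOnlyRootFilesystem") is True,
            "CKV_K8S_23": sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is True,
            "CKV_K8S_28": bool(dropped & {"NET_RAW", "ALL"}),
            "CKV_K8S_37": "ALL" in dropped,
            "CKV_K8S_29": bool(pod_sc or sc), "CKV_K8S_30": bool(sc),
            "CKV_K8S_31": seccomp(pod_sc) or seccomp(sc),
            "CKV_K8S_40": uid is not None and uid >= 10000,  # checkov's high-UID threshold
        }
        failed.update(k for k, ok in passed.items() if not ok)
    return failed


def harden(manifest, *, namespace, images, probe, uid=10001):
    """Deep-copied manifest with every audit() finding fixed. images maps each image
    ref as written to a tag@digest ref; probe is reused for liveness and readiness."""
    m = copy.deepcopy(manifest)
    if m["metadata"].get("namespace", "default") == "default":
        m["metadata"]["namespace"] = namespace                      # CKV_K8S_21
    spec = pod_spec(m)
    spec["automountServiceAccountToken"] = False                    # CKV_K8S_38
    spec["securityContext"] = {                                     # 23, 29, 31, 40
        "runAsNonRoot": True, "runAsUser": uid, "runAsGroup": uid, "fsGroup": uid,
        "seccompProfile": {"type": "RuntimeDefault"}}
    for c in spec["containers"]:
        c["image"] = images[c["image"]]                             # 14, 43
        c["resources"] = {"requests": {"cpu": "50m", "memory": "64Mi"},
                          "limits": {"cpu": "250m", "memory": "128Mi"}}  # 10-13
        c["livenessProbe"] = copy.deepcopy(probe)                   # 8
        c["readinessProbe"] = copy.deepcopy(probe)                  # 9
        c["securityContext"] = {"allowPrivilegeEscalation": False,   # 20, 30
                                "readOnlyRootFilesystem": True,      # 22
                                "capabilities": {"drop": ["ALL"]}}   # 28, 37
    return m


# Placeholder digest (all zeros): replace with the real one, e.g. from
# `crane digest busybox:1.36`. The namespace, UID and probe are assumptions too.
HARDENED_POD = harden(
    POD_APP_1, namespace="efs-example",
    images={"busybox": "busybox:1.36@sha256:" + "0" * 64},
    probe={"exec": {"command": ["sh", "-c", "test -w /data"]}, "periodSeconds": 10})
```

`audit(POD_APP_1)` returns exactly the 19 ids the report lists for app-1 and app-2, and `audit(HARDENED_POD)` returns an empty set. Two caveats before applying the same pass to the other resources: the read-only root filesystem is safe here only because the busybox loop writes nothing outside the mounted /data volume, and `fsGroup` does not change ownership on an EFS (NFS) mount, so the access point or directory must already be writable by UID 10001. The first-app Deployment needs an httpGet probe on its `http` port and a pinned tag instead of `:latest`; the nginx-slim StatefulSet additionally needs writable emptyDir mounts for nginx's cache and pid paths and either a high listen port or CAP_NET_BIND_SERVICE before it can run as non-root with a read-only root. These re-statements can differ from checkov in edge cases, so re-run `checkov -d lessons/156` after editing the manifests.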
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: StatefulSet.default.web
File: /lessons/156/ebs-example/0-statefulset.yaml:2-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: StatefulSet
4 | metadata:
5 | name: web
6 | namespace: default
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | serviceName: nginx
12 | replicas: 1
13 | minReadySeconds: 10
14 | template:
15 | metadata:
16 | labels:
17 | app: nginx
18 | spec:
19 | containers:
20 | - name: nginx
21 | image: registry.k8s.io/nginx-slim:0.8
22 | ports:
23 | - containerPort: 80
24 | name: web
25 | volumeMounts:
26 | - name: www
27 | mountPath: /usr/share/nginx/html
28 | volumeClaimTemplates:
29 | - metadata:
30 | name: www
31 | spec:
32 | accessModes: ["ReadWriteOnce"]
33 | storageClassName: "gp2"
34 | resources:
35 | requests:
36 | storage: 10Gi
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: StatefulSet.default.web
File: /lessons/156/ebs-example/0-statefulset.yaml:2-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
2 | apiVersion: apps/v1
3 | kind: StatefulSet
4 | metadata:
5 | name: web
6 | namespace: default
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | serviceName: nginx
12 | replicas: 1
13 | minReadySeconds: 10
14 | template:
15 | metadata:
16 | labels:
17 | app: nginx
18 | spec:
19 | containers:
20 | - name: nginx
21 | image: registry.k8s.io/nginx-slim:0.8
22 | ports:
23 | - containerPort: 80
24 | name: web
25 | volumeMounts:
26 | - name: www
27 | mountPath: /usr/share/nginx/html
28 | volumeClaimTemplates:
29 | - metadata:
30 | name: www
31 | spec:
32 | accessModes: ["ReadWriteOnce"]
33 | storageClassName: "gp2"
34 | resources:
35 | requests:
36 | storage: 10Gi
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: StatefulSet.default.web
File: /lessons/156/ebs-example/0-statefulset.yaml:2-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
2 | apiVersion: apps/v1
3 | kind: StatefulSet
4 | metadata:
5 | name: web
6 | namespace: default
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | serviceName: nginx
12 | replicas: 1
13 | minReadySeconds: 10
14 | template:
15 | metadata:
16 | labels:
17 | app: nginx
18 | spec:
19 | containers:
20 | - name: nginx
21 | image: registry.k8s.io/nginx-slim:0.8
22 | ports:
23 | - containerPort: 80
24 | name: web
25 | volumeMounts:
26 | - name: www
27 | mountPath: /usr/share/nginx/html
28 | volumeClaimTemplates:
29 | - metadata:
30 | name: www
31 | spec:
32 | accessModes: ["ReadWriteOnce"]
33 | storageClassName: "gp2"
34 | resources:
35 | requests:
36 | storage: 10Gi
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: StatefulSet.default.web
File: /lessons/156/ebs-example/0-statefulset.yaml:2-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
2 | apiVersion: apps/v1
3 | kind: StatefulSet
4 | metadata:
5 | name: web
6 | namespace: default
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | serviceName: nginx
12 | replicas: 1
13 | minReadySeconds: 10
14 | template:
15 | metadata:
16 | labels:
17 | app: nginx
18 | spec:
19 | containers:
20 | - name: nginx
21 | image: registry.k8s.io/nginx-slim:0.8
22 | ports:
23 | - containerPort: 80
24 | name: web
25 | volumeMounts:
26 | - name: www
27 | mountPath: /usr/share/nginx/html
28 | volumeClaimTemplates:
29 | - metadata:
30 | name: www
31 | spec:
32 | accessModes: ["ReadWriteOnce"]
33 | storageClassName: "gp2"
34 | resources:
35 | requests:
36 | storage: 10Gi
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: StatefulSet.default.web
File: /lessons/156/ebs-example/0-statefulset.yaml:2-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
2 | apiVersion: apps/v1
3 | kind: StatefulSet
4 | metadata:
5 | name: web
6 | namespace: default
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | serviceName: nginx
12 | replicas: 1
13 | minReadySeconds: 10
14 | template:
15 | metadata:
16 | labels:
17 | app: nginx
18 | spec:
19 | containers:
20 | - name: nginx
21 | image: registry.k8s.io/nginx-slim:0.8
22 | ports:
23 | - containerPort: 80
24 | name: web
25 | volumeMounts:
26 | - name: www
27 | mountPath: /usr/share/nginx/html
28 | volumeClaimTemplates:
29 | - metadata:
30 | name: www
31 | spec:
32 | accessModes: ["ReadWriteOnce"]
33 | storageClassName: "gp2"
34 | resources:
35 | requests:
36 | storage: 10Gi
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: StatefulSet.default.web
File: /lessons/156/ebs-example/0-statefulset.yaml:2-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
2 | apiVersion: apps/v1
3 | kind: StatefulSet
4 | metadata:
5 | name: web
6 | namespace: default
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | serviceName: nginx
12 | replicas: 1
13 | minReadySeconds: 10
14 | template:
15 | metadata:
16 | labels:
17 | app: nginx
18 | spec:
19 | containers:
20 | - name: nginx
21 | image: registry.k8s.io/nginx-slim:0.8
22 | ports:
23 | - containerPort: 80
24 | name: web
25 | volumeMounts:
26 | - name: www
27 | mountPath: /usr/share/nginx/html
28 | volumeClaimTemplates:
29 | - metadata:
30 | name: www
31 | spec:
32 | accessModes: ["ReadWriteOnce"]
33 | storageClassName: "gp2"
34 | resources:
35 | requests:
36 | storage: 10Gi
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: StatefulSet.default.web
File: /lessons/156/ebs-example/0-statefulset.yaml:2-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
2 | apiVersion: apps/v1
3 | kind: StatefulSet
4 | metadata:
5 | name: web
6 | namespace: default
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | serviceName: nginx
12 | replicas: 1
13 | minReadySeconds: 10
14 | template:
15 | metadata:
16 | labels:
17 | app: nginx
18 | spec:
19 | containers:
20 | - name: nginx
21 | image: registry.k8s.io/nginx-slim:0.8
22 | ports:
23 | - containerPort: 80
24 | name: web
25 | volumeMounts:
26 | - name: www
27 | mountPath: /usr/share/nginx/html
28 | volumeClaimTemplates:
29 | - metadata:
30 | name: www
31 | spec:
32 | accessModes: ["ReadWriteOnce"]
33 | storageClassName: "gp2"
34 | resources:
35 | requests:
36 | storage: 10Gi
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: StatefulSet.default.web
File: /lessons/156/ebs-example/0-statefulset.yaml:2-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
2 | apiVersion: apps/v1
3 | kind: StatefulSet
4 | metadata:
5 | name: web
6 | namespace: default
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | serviceName: nginx
12 | replicas: 1
13 | minReadySeconds: 10
14 | template:
15 | metadata:
16 | labels:
17 | app: nginx
18 | spec:
19 | containers:
20 | - name: nginx
21 | image: registry.k8s.io/nginx-slim:0.8
22 | ports:
23 | - containerPort: 80
24 | name: web
25 | volumeMounts:
26 | - name: www
27 | mountPath: /usr/share/nginx/html
28 | volumeClaimTemplates:
29 | - metadata:
30 | name: www
31 | spec:
32 | accessModes: ["ReadWriteOnce"]
33 | storageClassName: "gp2"
34 | resources:
35 | requests:
36 | storage: 10Gi
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: StatefulSet.default.web
File: /lessons/156/ebs-example/0-statefulset.yaml:2-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
2 | apiVersion: apps/v1
3 | kind: StatefulSet
4 | metadata:
5 | name: web
6 | namespace: default
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | serviceName: nginx
12 | replicas: 1
13 | minReadySeconds: 10
14 | template:
15 | metadata:
16 | labels:
17 | app: nginx
18 | spec:
19 | containers:
20 | - name: nginx
21 | image: registry.k8s.io/nginx-slim:0.8
22 | ports:
23 | - containerPort: 80
24 | name: web
25 | volumeMounts:
26 | - name: www
27 | mountPath: /usr/share/nginx/html
28 | volumeClaimTemplates:
29 | - metadata:
30 | name: www
31 | spec:
32 | accessModes: ["ReadWriteOnce"]
33 | storageClassName: "gp2"
34 | resources:
35 | requests:
36 | storage: 10Gi
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: StatefulSet.default.web
File: /lessons/156/ebs-example/0-statefulset.yaml:2-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
2 | apiVersion: apps/v1
3 | kind: StatefulSet
4 | metadata:
5 | name: web
6 | namespace: default
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | serviceName: nginx
12 | replicas: 1
13 | minReadySeconds: 10
14 | template:
15 | metadata:
16 | labels:
17 | app: nginx
18 | spec:
19 | containers:
20 | - name: nginx
21 | image: registry.k8s.io/nginx-slim:0.8
22 | ports:
23 | - containerPort: 80
24 | name: web
25 | volumeMounts:
26 | - name: www
27 | mountPath: /usr/share/nginx/html
28 | volumeClaimTemplates:
29 | - metadata:
30 | name: www
31 | spec:
32 | accessModes: ["ReadWriteOnce"]
33 | storageClassName: "gp2"
34 | resources:
35 | requests:
36 | storage: 10Gi
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: StatefulSet.default.web
File: /lessons/156/ebs-example/0-statefulset.yaml:2-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
2 | apiVersion: apps/v1
3 | kind: StatefulSet
4 | metadata:
5 | name: web
6 | namespace: default
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | serviceName: nginx
12 | replicas: 1
13 | minReadySeconds: 10
14 | template:
15 | metadata:
16 | labels:
17 | app: nginx
18 | spec:
19 | containers:
20 | - name: nginx
21 | image: registry.k8s.io/nginx-slim:0.8
22 | ports:
23 | - containerPort: 80
24 | name: web
25 | volumeMounts:
26 | - name: www
27 | mountPath: /usr/share/nginx/html
28 | volumeClaimTemplates:
29 | - metadata:
30 | name: www
31 | spec:
32 | accessModes: ["ReadWriteOnce"]
33 | storageClassName: "gp2"
34 | resources:
35 | requests:
36 | storage: 10Gi
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: StatefulSet.default.web
File: /lessons/156/ebs-example/0-statefulset.yaml:2-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
2 | apiVersion: apps/v1
3 | kind: StatefulSet
4 | metadata:
5 | name: web
6 | namespace: default
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | serviceName: nginx
12 | replicas: 1
13 | minReadySeconds: 10
14 | template:
15 | metadata:
16 | labels:
17 | app: nginx
18 | spec:
19 | containers:
20 | - name: nginx
21 | image: registry.k8s.io/nginx-slim:0.8
22 | ports:
23 | - containerPort: 80
24 | name: web
25 | volumeMounts:
26 | - name: www
27 | mountPath: /usr/share/nginx/html
28 | volumeClaimTemplates:
29 | - metadata:
30 | name: www
31 | spec:
32 | accessModes: ["ReadWriteOnce"]
33 | storageClassName: "gp2"
34 | resources:
35 | requests:
36 | storage: 10Gi
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: StatefulSet.default.web
File: /lessons/156/ebs-example/0-statefulset.yaml:2-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
2 | apiVersion: apps/v1
3 | kind: StatefulSet
4 | metadata:
5 | name: web
6 | namespace: default
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | serviceName: nginx
12 | replicas: 1
13 | minReadySeconds: 10
14 | template:
15 | metadata:
16 | labels:
17 | app: nginx
18 | spec:
19 | containers:
20 | - name: nginx
21 | image: registry.k8s.io/nginx-slim:0.8
22 | ports:
23 | - containerPort: 80
24 | name: web
25 | volumeMounts:
26 | - name: www
27 | mountPath: /usr/share/nginx/html
28 | volumeClaimTemplates:
29 | - metadata:
30 | name: www
31 | spec:
32 | accessModes: ["ReadWriteOnce"]
33 | storageClassName: "gp2"
34 | resources:
35 | requests:
36 | storage: 10Gi
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: StatefulSet.default.web
File: /lessons/156/ebs-example/0-statefulset.yaml:2-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
2 | apiVersion: apps/v1
3 | kind: StatefulSet
4 | metadata:
5 | name: web
6 | namespace: default
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | serviceName: nginx
12 | replicas: 1
13 | minReadySeconds: 10
14 | template:
15 | metadata:
16 | labels:
17 | app: nginx
18 | spec:
19 | containers:
20 | - name: nginx
21 | image: registry.k8s.io/nginx-slim:0.8
22 | ports:
23 | - containerPort: 80
24 | name: web
25 | volumeMounts:
26 | - name: www
27 | mountPath: /usr/share/nginx/html
28 | volumeClaimTemplates:
29 | - metadata:
30 | name: www
31 | spec:
32 | accessModes: ["ReadWriteOnce"]
33 | storageClassName: "gp2"
34 | resources:
35 | requests:
36 | storage: 10Gi
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: StatefulSet.default.web
File: /lessons/156/ebs-example/0-statefulset.yaml:2-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
2 | apiVersion: apps/v1
3 | kind: StatefulSet
4 | metadata:
5 | name: web
6 | namespace: default
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | serviceName: nginx
12 | replicas: 1
13 | minReadySeconds: 10
14 | template:
15 | metadata:
16 | labels:
17 | app: nginx
18 | spec:
19 | containers:
20 | - name: nginx
21 | image: registry.k8s.io/nginx-slim:0.8
22 | ports:
23 | - containerPort: 80
24 | name: web
25 | volumeMounts:
26 | - name: www
27 | mountPath: /usr/share/nginx/html
28 | volumeClaimTemplates:
29 | - metadata:
30 | name: www
31 | spec:
32 | accessModes: ["ReadWriteOnce"]
33 | storageClassName: "gp2"
34 | resources:
35 | requests:
36 | storage: 10Gi
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: StatefulSet.default.web
File: /lessons/156/ebs-example/0-statefulset.yaml:2-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
2 | apiVersion: apps/v1
3 | kind: StatefulSet
4 | metadata:
5 | name: web
6 | namespace: default
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | serviceName: nginx
12 | replicas: 1
13 | minReadySeconds: 10
14 | template:
15 | metadata:
16 | labels:
17 | app: nginx
18 | spec:
19 | containers:
20 | - name: nginx
21 | image: registry.k8s.io/nginx-slim:0.8
22 | ports:
23 | - containerPort: 80
24 | name: web
25 | volumeMounts:
26 | - name: www
27 | mountPath: /usr/share/nginx/html
28 | volumeClaimTemplates:
29 | - metadata:
30 | name: www
31 | spec:
32 | accessModes: ["ReadWriteOnce"]
33 | storageClassName: "gp2"
34 | resources:
35 | requests:
36 | storage: 10Gi
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: StatefulSet.default.web
File: /lessons/156/ebs-example/0-statefulset.yaml:2-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
2 | apiVersion: apps/v1
3 | kind: StatefulSet
4 | metadata:
5 | name: web
6 | namespace: default
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | serviceName: nginx
12 | replicas: 1
13 | minReadySeconds: 10
14 | template:
15 | metadata:
16 | labels:
17 | app: nginx
18 | spec:
19 | containers:
20 | - name: nginx
21 | image: registry.k8s.io/nginx-slim:0.8
22 | ports:
23 | - containerPort: 80
24 | name: web
25 | volumeMounts:
26 | - name: www
27 | mountPath: /usr/share/nginx/html
28 | volumeClaimTemplates:
29 | - metadata:
30 | name: www
31 | spec:
32 | accessModes: ["ReadWriteOnce"]
33 | storageClassName: "gp2"
34 | resources:
35 | requests:
36 | storage: 10Gi
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: StatefulSet.default.web
File: /lessons/156/ebs-example/0-statefulset.yaml:2-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
2 | apiVersion: apps/v1
3 | kind: StatefulSet
4 | metadata:
5 | name: web
6 | namespace: default
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | serviceName: nginx
12 | replicas: 1
13 | minReadySeconds: 10
14 | template:
15 | metadata:
16 | labels:
17 | app: nginx
18 | spec:
19 | containers:
20 | - name: nginx
21 | image: registry.k8s.io/nginx-slim:0.8
22 | ports:
23 | - containerPort: 80
24 | name: web
25 | volumeMounts:
26 | - name: www
27 | mountPath: /usr/share/nginx/html
28 | volumeClaimTemplates:
29 | - metadata:
30 | name: www
31 | spec:
32 | accessModes: ["ReadWriteOnce"]
33 | storageClassName: "gp2"
34 | resources:
35 | requests:
36 | storage: 10Gi
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: StatefulSet.default.web
File: /lessons/156/ebs-example/0-statefulset.yaml:2-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
2 | apiVersion: apps/v1
3 | kind: StatefulSet
4 | metadata:
5 | name: web
6 | namespace: default
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | serviceName: nginx
12 | replicas: 1
13 | minReadySeconds: 10
14 | template:
15 | metadata:
16 | labels:
17 | app: nginx
18 | spec:
19 | containers:
20 | - name: nginx
21 | image: registry.k8s.io/nginx-slim:0.8
22 | ports:
23 | - containerPort: 80
24 | name: web
25 | volumeMounts:
26 | - name: www
27 | mountPath: /usr/share/nginx/html
28 | volumeClaimTemplates:
29 | - metadata:
30 | name: www
31 | spec:
32 | accessModes: ["ReadWriteOnce"]
33 | storageClassName: "gp2"
34 | resources:
35 | requests:
36 | storage: 10Gi
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/156/autoscale-example/0-deployment.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx-deployment
6 | labels:
7 | app: nginx
8 | spec:
9 | replicas: 5
10 | selector:
11 | matchLabels:
12 | app: nginx
13 | template:
14 | metadata:
15 | labels:
16 | app: nginx
17 | spec:
18 | containers:
19 | - name: nginx
20 | image: nginx:1.14.2
21 | resources:
22 | requests:
23 | cpu: "2"
24 | memory: 4Gi
25 | ports:
26 | - containerPort: 80
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/156/autoscale-example/0-deployment.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx-deployment
6 | labels:
7 | app: nginx
8 | spec:
9 | replicas: 5
10 | selector:
11 | matchLabels:
12 | app: nginx
13 | template:
14 | metadata:
15 | labels:
16 | app: nginx
17 | spec:
18 | containers:
19 | - name: nginx
20 | image: nginx:1.14.2
21 | resources:
22 | requests:
23 | cpu: "2"
24 | memory: 4Gi
25 | ports:
26 | - containerPort: 80
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/156/autoscale-example/0-deployment.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx-deployment
6 | labels:
7 | app: nginx
8 | spec:
9 | replicas: 5
10 | selector:
11 | matchLabels:
12 | app: nginx
13 | template:
14 | metadata:
15 | labels:
16 | app: nginx
17 | spec:
18 | containers:
19 | - name: nginx
20 | image: nginx:1.14.2
21 | resources:
22 | requests:
23 | cpu: "2"
24 | memory: 4Gi
25 | ports:
26 | - containerPort: 80
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/156/autoscale-example/0-deployment.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx-deployment
6 | labels:
7 | app: nginx
8 | spec:
9 | replicas: 5
10 | selector:
11 | matchLabels:
12 | app: nginx
13 | template:
14 | metadata:
15 | labels:
16 | app: nginx
17 | spec:
18 | containers:
19 | - name: nginx
20 |