Experience Builder


Terraform

Repository
antonputra / tutorials
Description

DevOps Tutorials

Stars

 1629

Failed Checks

  •  Security Scanning
  •  Linting

Scan Date

 2023-10-30 17:57:40

    Security Scanning

    This repository failed the Experience Builder Terraform Module's Security Scanning validation. This means that no security scanning tool was found in any of the CI/CD tool configuration files in the repository.

    There is an opportunity to:

    Checkov Output
                    
    2023-10-05 14:39:34,859 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/eks/aws//modules/karpenter:19.10.0 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:39:34,859 [MainThread  ] [WARNI]  Failed to download module github.com/aws-ia/terraform-aws-eks-blueprints?ref=v4.25.0:None (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:39:34,859 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws:3.19.0 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:39:34,860 [MainThread  ] [WARNI]  Failed to download module github.com/aws-ia/terraform-aws-eks-blueprints//modules/kubernetes-addons?ref=v4.25.0:2.4.0 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:39:34,860 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws:4.0.2 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:39:34,860 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/eks/aws:19.15.1 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:39:34,860 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws:4.0.1 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:39:34,860 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/eks/aws:None (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:39:34,863 [MainThread  ] [WARNI]  Failed to download module [email protected]:antonputra/terraform-aws-prometheus.git//?ref=v0.0.1:None (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:39:34,864 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws:5.0.0 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:39:34,864 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-policy:5.3.1 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:39:34,865 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-assumable-role:5.3.1 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:39:34,865 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-user:5.3.1 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:39:34,865 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-group-with-policies:5.3.1 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:39:34,866 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks:5.3.1 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:39:34,866 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws:3.14.3 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:39:34,866 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/eks/aws:18.29.0 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:39:34,866 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/eks/aws:19.15.3 (for external modules, the --download-external-modules flag is required)
    terraform scan results:
    
    Passed checks: 2617, Failed checks: 1131, Skipped checks: 0, Parsing errors: 1
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group.nginx
    	File: /lessons/014/main.tf:13-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		13 | resource "aws_security_group" "nginx" {
    		14 |   name   = "nginx_access"
    		15 |   vpc_id = local.vpc_id
    		16 | 
    		17 |   ingress {
    		18 |     from_port   = 22
    		19 |     to_port     = 22
    		20 |     protocol    = "tcp"
    		21 |     cidr_blocks = ["0.0.0.0/0"]
    		22 |   }
    		23 | 
    		24 |   ingress {
    		25 |     from_port   = 80
    		26 |     to_port     = 80
    		27 |     protocol    = "tcp"
    		28 |     cidr_blocks = ["0.0.0.0/0"]
    		29 |   }
    		30 | 
    		31 |   egress {
    		32 |     from_port   = 0
    		33 |     to_port     = 0
    		34 |     protocol    = "-1"
    		35 |     cidr_blocks = ["0.0.0.0/0"]
    		36 |   }
    		37 | }
    
    Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
    	FAILED for resource: aws_security_group.nginx
    	File: /lessons/014/main.tf:13-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
    
    		13 | resource "aws_security_group" "nginx" {
    		14 |   name   = "nginx_access"
    		15 |   vpc_id = local.vpc_id
    		16 | 
    		17 |   ingress {
    		18 |     from_port   = 22
    		19 |     to_port     = 22
    		20 |     protocol    = "tcp"
    		21 |     cidr_blocks = ["0.0.0.0/0"]
    		22 |   }
    		23 | 
    		24 |   ingress {
    		25 |     from_port   = 80
    		26 |     to_port     = 80
    		27 |     protocol    = "tcp"
    		28 |     cidr_blocks = ["0.0.0.0/0"]
    		29 |   }
    		30 | 
    		31 |   egress {
    		32 |     from_port   = 0
    		33 |     to_port     = 0
    		34 |     protocol    = "-1"
    		35 |     cidr_blocks = ["0.0.0.0/0"]
    		36 |   }
    		37 | }
    
    Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
    	FAILED for resource: aws_security_group.nginx
    	File: /lessons/014/main.tf:13-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-1-port-security.html
    
    		13 | resource "aws_security_group" "nginx" {
    		14 |   name   = "nginx_access"
    		15 |   vpc_id = local.vpc_id
    		16 | 
    		17 |   ingress {
    		18 |     from_port   = 22
    		19 |     to_port     = 22
    		20 |     protocol    = "tcp"
    		21 |     cidr_blocks = ["0.0.0.0/0"]
    		22 |   }
    		23 | 
    		24 |   ingress {
    		25 |     from_port   = 80
    		26 |     to_port     = 80
    		27 |     protocol    = "tcp"
    		28 |     cidr_blocks = ["0.0.0.0/0"]
    		29 |   }
    		30 | 
    		31 |   egress {
    		32 |     from_port   = 0
    		33 |     to_port     = 0
    		34 |     protocol    = "-1"
    		35 |     cidr_blocks = ["0.0.0.0/0"]
    		36 |   }
    		37 | }
    
    Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
    	FAILED for resource: aws_instance.nginx
    	File: /lessons/014/main.tf:39-60
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
    
    		39 | resource "aws_instance" "nginx" {
    		40 |   ami                         = "ami-0dba2cb6798deb6d8"
    		41 |   subnet_id                   = "subnet-060a1ae52cf0a73d6"
    		42 |   instance_type               = "t2.micro"
    		43 |   associate_public_ip_address = true
    		44 |   security_groups             = [aws_security_group.nginx.id]
    		45 |   key_name                    = local.key_name
    		46 | 
    		47 |   provisioner "remote-exec" {
    		48 |     inline = ["echo 'Wait until SSH is ready'"]
    		49 | 
    		50 |     connection {
    		51 |       type        = "ssh"
    		52 |       user        = local.ssh_user
    		53 |       private_key = file(local.private_key_path)
    		54 |       host        = aws_instance.nginx.public_ip
    		55 |     }
    		56 |   }
    		57 |   provisioner "local-exec" {
    		58 |     command = "ansible-playbook  -i ${aws_instance.nginx.public_ip}, --private-key ${local.private_key_path} nginx.yaml"
    		59 |   }
    		60 | }
    
    Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
    	FAILED for resource: aws_instance.nginx
    	File: /lessons/014/main.tf:39-60
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
    
    		39 | resource "aws_instance" "nginx" {
    		40 |   ami                         = "ami-0dba2cb6798deb6d8"
    		41 |   subnet_id                   = "subnet-060a1ae52cf0a73d6"
    		42 |   instance_type               = "t2.micro"
    		43 |   associate_public_ip_address = true
    		44 |   security_groups             = [aws_security_group.nginx.id]
    		45 |   key_name                    = local.key_name
    		46 | 
    		47 |   provisioner "remote-exec" {
    		48 |     inline = ["echo 'Wait until SSH is ready'"]
    		49 | 
    		50 |     connection {
    		51 |       type        = "ssh"
    		52 |       user        = local.ssh_user
    		53 |       private_key = file(local.private_key_path)
    		54 |       host        = aws_instance.nginx.public_ip
    		55 |     }
    		56 |   }
    		57 |   provisioner "local-exec" {
    		58 |     command = "ansible-playbook  -i ${aws_instance.nginx.public_ip}, --private-key ${local.private_key_path} nginx.yaml"
    		59 |   }
    		60 | }
    
    Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
    	FAILED for resource: aws_instance.nginx
    	File: /lessons/014/main.tf:39-60
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
    
    		39 | resource "aws_instance" "nginx" {
    		40 |   ami                         = "ami-0dba2cb6798deb6d8"
    		41 |   subnet_id                   = "subnet-060a1ae52cf0a73d6"
    		42 |   instance_type               = "t2.micro"
    		43 |   associate_public_ip_address = true
    		44 |   security_groups             = [aws_security_group.nginx.id]
    		45 |   key_name                    = local.key_name
    		46 | 
    		47 |   provisioner "remote-exec" {
    		48 |     inline = ["echo 'Wait until SSH is ready'"]
    		49 | 
    		50 |     connection {
    		51 |       type        = "ssh"
    		52 |       user        = local.ssh_user
    		53 |       private_key = file(local.private_key_path)
    		54 |       host        = aws_instance.nginx.public_ip
    		55 |     }
    		56 |   }
    		57 |   provisioner "local-exec" {
    		58 |     command = "ansible-playbook  -i ${aws_instance.nginx.public_ip}, --private-key ${local.private_key_path} nginx.yaml"
    		59 |   }
    		60 | }
    
    Check: CKV_AWS_88: "EC2 instance should not have public IP."
    	FAILED for resource: aws_instance.nginx
    	File: /lessons/014/main.tf:39-60
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/public-policies/public-12.html
    
    		39 | resource "aws_instance" "nginx" {
    		40 |   ami                         = "ami-0dba2cb6798deb6d8"
    		41 |   subnet_id                   = "subnet-060a1ae52cf0a73d6"
    		42 |   instance_type               = "t2.micro"
    		43 |   associate_public_ip_address = true
    		44 |   security_groups             = [aws_security_group.nginx.id]
    		45 |   key_name                    = local.key_name
    		46 | 
    		47 |   provisioner "remote-exec" {
    		48 |     inline = ["echo 'Wait until SSH is ready'"]
    		49 | 
    		50 |     connection {
    		51 |       type        = "ssh"
    		52 |       user        = local.ssh_user
    		53 |       private_key = file(local.private_key_path)
    		54 |       host        = aws_instance.nginx.public_ip
    		55 |     }
    		56 |   }
    		57 |   provisioner "local-exec" {
    		58 |     command = "ansible-playbook  -i ${aws_instance.nginx.public_ip}, --private-key ${local.private_key_path} nginx.yaml"
    		59 |   }
    		60 | }
    
    Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
    	FAILED for resource: aws_instance.nginx
    	File: /lessons/014/main.tf:39-60
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
    
    		39 | resource "aws_instance" "nginx" {
    		40 |   ami                         = "ami-0dba2cb6798deb6d8"
    		41 |   subnet_id                   = "subnet-060a1ae52cf0a73d6"
    		42 |   instance_type               = "t2.micro"
    		43 |   associate_public_ip_address = true
    		44 |   security_groups             = [aws_security_group.nginx.id]
    		45 |   key_name                    = local.key_name
    		46 | 
    		47 |   provisioner "remote-exec" {
    		48 |     inline = ["echo 'Wait until SSH is ready'"]
    		49 | 
    		50 |     connection {
    		51 |       type        = "ssh"
    		52 |       user        = local.ssh_user
    		53 |       private_key = file(local.private_key_path)
    		54 |       host        = aws_instance.nginx.public_ip
    		55 |     }
    		56 |   }
    		57 |   provisioner "local-exec" {
    		58 |     command = "ansible-playbook  -i ${aws_instance.nginx.public_ip}, --private-key ${local.private_key_path} nginx.yaml"
    		59 |   }
    		60 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group.nginx
    	File: /lessons/020/main.tf:118-145
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		118 | resource "aws_security_group" "nginx" {
    		119 |   name        = "nginx"
    		120 |   description = "Access for Nginx"
    		121 |   vpc_id      = aws_vpc.main.id
    		122 | 
    		123 |   ingress {
    		124 |     description = "Web Access"
    		125 |     from_port   = 80
    		126 |     to_port     = 80
    		127 |     protocol    = "tcp"
    		128 |     cidr_blocks = ["0.0.0.0/0"]
    		129 |   }
    		130 | 
    		131 |   ingress {
    		132 |     description = "SSH Access"
    		133 |     from_port   = 22
    		134 |     to_port     = 22
    		135 |     protocol    = "tcp"
    		136 |     cidr_blocks = ["0.0.0.0/0"]
    		137 |   }
    		138 | 
    		139 |   egress {
    		140 |     from_port   = 0
    		141 |     to_port     = 0
    		142 |     protocol    = "-1"
    		143 |     cidr_blocks = ["0.0.0.0/0"]
    		144 |   }
    		145 | }
    
    Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
    	FAILED for resource: aws_security_group.nginx
    	File: /lessons/020/main.tf:118-145
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
    
    		118 | resource "aws_security_group" "nginx" {
    		119 |   name        = "nginx"
    		120 |   description = "Access for Nginx"
    		121 |   vpc_id      = aws_vpc.main.id
    		122 | 
    		123 |   ingress {
    		124 |     description = "Web Access"
    		125 |     from_port   = 80
    		126 |     to_port     = 80
    		127 |     protocol    = "tcp"
    		128 |     cidr_blocks = ["0.0.0.0/0"]
    		129 |   }
    		130 | 
    		131 |   ingress {
    		132 |     description = "SSH Access"
    		133 |     from_port   = 22
    		134 |     to_port     = 22
    		135 |     protocol    = "tcp"
    		136 |     cidr_blocks = ["0.0.0.0/0"]
    		137 |   }
    		138 | 
    		139 |   egress {
    		140 |     from_port   = 0
    		141 |     to_port     = 0
    		142 |     protocol    = "-1"
    		143 |     cidr_blocks = ["0.0.0.0/0"]
    		144 |   }
    		145 | }
    
    Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
    	FAILED for resource: aws_security_group.nginx
    	File: /lessons/020/main.tf:118-145
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-1-port-security.html
    
    		118 | resource "aws_security_group" "nginx" {
    		119 |   name        = "nginx"
    		120 |   description = "Access for Nginx"
    		121 |   vpc_id      = aws_vpc.main.id
    		122 | 
    		123 |   ingress {
    		124 |     description = "Web Access"
    		125 |     from_port   = 80
    		126 |     to_port     = 80
    		127 |     protocol    = "tcp"
    		128 |     cidr_blocks = ["0.0.0.0/0"]
    		129 |   }
    		130 | 
    		131 |   ingress {
    		132 |     description = "SSH Access"
    		133 |     from_port   = 22
    		134 |     to_port     = 22
    		135 |     protocol    = "tcp"
    		136 |     cidr_blocks = ["0.0.0.0/0"]
    		137 |   }
    		138 | 
    		139 |   egress {
    		140 |     from_port   = 0
    		141 |     to_port     = 0
    		142 |     protocol    = "-1"
    		143 |     cidr_blocks = ["0.0.0.0/0"]
    		144 |   }
    		145 | }
    
    Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
    	FAILED for resource: aws_instance.nginx
    	File: /lessons/020/main.tf:149-158
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
    
    		149 | resource "aws_instance" "nginx" {
    		150 |   ami                    = "ami-0dba2cb6798deb6d8"
    		151 |   instance_type          = "t2.micro"
    		152 |   vpc_security_group_ids = [aws_security_group.nginx.id]
    		153 |   key_name               = "devops"
    		154 | 
    		155 |   tags = {
    		156 |     Name = "Nginx"
    		157 |   }
    		158 | }
    
    Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
    	FAILED for resource: aws_instance.nginx
    	File: /lessons/020/main.tf:149-158
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
    
    		149 | resource "aws_instance" "nginx" {
    		150 |   ami                    = "ami-0dba2cb6798deb6d8"
    		151 |   instance_type          = "t2.micro"
    		152 |   vpc_security_group_ids = [aws_security_group.nginx.id]
    		153 |   key_name               = "devops"
    		154 | 
    		155 |   tags = {
    		156 |     Name = "Nginx"
    		157 |   }
    		158 | }
    
    Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
    	FAILED for resource: aws_instance.nginx
    	File: /lessons/020/main.tf:149-158
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
    
    		149 | resource "aws_instance" "nginx" {
    		150 |   ami                    = "ami-0dba2cb6798deb6d8"
    		151 |   instance_type          = "t2.micro"
    		152 |   vpc_security_group_ids = [aws_security_group.nginx.id]
    		153 |   key_name               = "devops"
    		154 | 
    		155 |   tags = {
    		156 |     Name = "Nginx"
    		157 |   }
    		158 | }
    
    Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
    	FAILED for resource: aws_instance.nginx
    	File: /lessons/020/main.tf:149-158
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
    
    		149 | resource "aws_instance" "nginx" {
    		150 |   ami                    = "ami-0dba2cb6798deb6d8"
    		151 |   instance_type          = "t2.micro"
    		152 |   vpc_security_group_ids = [aws_security_group.nginx.id]
    		153 |   key_name               = "devops"
    		154 | 
    		155 |   tags = {
    		156 |     Name = "Nginx"
    		157 |   }
    		158 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks
    	File: /lessons/038/terraform/eks.tf:42-74
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		42 | resource "aws_eks_cluster" "eks" {
    		43 |   # Name of the cluster.
    		44 |   name = "eks"
    		45 | 
    		46 |   # The Amazon Resource Name (ARN) of the IAM role that provides permissions for 
    		47 |   # the Kubernetes control plane to make calls to AWS API operations on your behalf
    		48 |   role_arn = aws_iam_role.eks_cluster.arn
    		49 | 
    		50 |   # Desired Kubernetes master version
    		51 |   version = "1.18"
    		52 | 
    		53 |   vpc_config {
    		54 |     # Indicates whether or not the Amazon EKS private API server endpoint is enabled
    		55 |     endpoint_private_access = false
    		56 | 
    		57 |     # Indicates whether or not the Amazon EKS public API server endpoint is enabled
    		58 |     endpoint_public_access = true
    		59 | 
    		60 |     # Must be in at least two different availability zones
    		61 |     subnet_ids = [
    		62 |       aws_subnet.public_1.id,
    		63 |       aws_subnet.public_2.id,
    		64 |       aws_subnet.private_1.id,
    		65 |       aws_subnet.private_2.id
    		66 |     ]
    		67 |   }
    		68 | 
    		69 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		70 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		71 |   depends_on = [
    		72 |     aws_iam_role_policy_attachment.amazon_eks_cluster_policy
    		73 |   ]
    		74 | }
    
    Check: CKV_AWS_37: "Ensure Amazon EKS control plane logging enabled for all log types"
    	FAILED for resource: aws_eks_cluster.eks
    	File: /lessons/038/terraform/eks.tf:42-74
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-4.html
    
    		42 | resource "aws_eks_cluster" "eks" {
    		43 |   # Name of the cluster.
    		44 |   name = "eks"
    		45 | 
    		46 |   # The Amazon Resource Name (ARN) of the IAM role that provides permissions for 
    		47 |   # the Kubernetes control plane to make calls to AWS API operations on your behalf
    		48 |   role_arn = aws_iam_role.eks_cluster.arn
    		49 | 
    		50 |   # Desired Kubernetes master version
    		51 |   version = "1.18"
    		52 | 
    		53 |   vpc_config {
    		54 |     # Indicates whether or not the Amazon EKS private API server endpoint is enabled
    		55 |     endpoint_private_access = false
    		56 | 
    		57 |     # Indicates whether or not the Amazon EKS public API server endpoint is enabled
    		58 |     endpoint_public_access = true
    		59 | 
    		60 |     # Must be in at least two different availability zones
    		61 |     subnet_ids = [
    		62 |       aws_subnet.public_1.id,
    		63 |       aws_subnet.public_2.id,
    		64 |       aws_subnet.private_1.id,
    		65 |       aws_subnet.private_2.id
    		66 |     ]
    		67 |   }
    		68 | 
    		69 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		70 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		71 |   depends_on = [
    		72 |     aws_iam_role_policy_attachment.amazon_eks_cluster_policy
    		73 |   ]
    		74 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks
    	File: /lessons/038/terraform/eks.tf:42-74
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		42 | resource "aws_eks_cluster" "eks" {
    		43 |   # Name of the cluster.
    		44 |   name = "eks"
    		45 | 
    		46 |   # The Amazon Resource Name (ARN) of the IAM role that provides permissions for 
    		47 |   # the Kubernetes control plane to make calls to AWS API operations on your behalf
    		48 |   role_arn = aws_iam_role.eks_cluster.arn
    		49 | 
    		50 |   # Desired Kubernetes master version
    		51 |   version = "1.18"
    		52 | 
    		53 |   vpc_config {
    		54 |     # Indicates whether or not the Amazon EKS private API server endpoint is enabled
    		55 |     endpoint_private_access = false
    		56 | 
    		57 |     # Indicates whether or not the Amazon EKS public API server endpoint is enabled
    		58 |     endpoint_public_access = true
    		59 | 
    		60 |     # Must be in at least two different availability zones
    		61 |     subnet_ids = [
    		62 |       aws_subnet.public_1.id,
    		63 |       aws_subnet.public_2.id,
    		64 |       aws_subnet.private_1.id,
    		65 |       aws_subnet.private_2.id
    		66 |     ]
    		67 |   }
    		68 | 
    		69 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		70 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		71 |   depends_on = [
    		72 |     aws_iam_role_policy_attachment.amazon_eks_cluster_policy
    		73 |   ]
    		74 | }
    
    Check: CKV_AWS_339: "Ensure EKS clusters run on a supported Kubernetes version"
    	FAILED for resource: aws_eks_cluster.eks
    	File: /lessons/038/terraform/eks.tf:42-74
    
    		42 | resource "aws_eks_cluster" "eks" {
    		43 |   # Name of the cluster.
    		44 |   name = "eks"
    		45 | 
    		46 |   # The Amazon Resource Name (ARN) of the IAM role that provides permissions for 
    		47 |   # the Kubernetes control plane to make calls to AWS API operations on your behalf
    		48 |   role_arn = aws_iam_role.eks_cluster.arn
    		49 | 
    		50 |   # Desired Kubernetes master version
    		51 |   version = "1.18"
    		52 | 
    		53 |   vpc_config {
    		54 |     # Indicates whether or not the Amazon EKS private API server endpoint is enabled
    		55 |     endpoint_private_access = false
    		56 | 
    		57 |     # Indicates whether or not the Amazon EKS public API server endpoint is enabled
    		58 |     endpoint_public_access = true
    		59 | 
    		60 |     # Must be in at least two different availability zones
    		61 |     subnet_ids = [
    		62 |       aws_subnet.public_1.id,
    		63 |       aws_subnet.public_2.id,
    		64 |       aws_subnet.private_1.id,
    		65 |       aws_subnet.private_2.id
    		66 |     ]
    		67 |   }
    		68 | 
    		69 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		70 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		71 |   depends_on = [
    		72 |     aws_iam_role_policy_attachment.amazon_eks_cluster_policy
    		73 |   ]
    		74 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks
    	File: /lessons/038/terraform/eks.tf:42-74
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		42 | resource "aws_eks_cluster" "eks" {
    		43 |   # Name of the cluster.
    		44 |   name = "eks"
    		45 | 
    		46 |   # The Amazon Resource Name (ARN) of the IAM role that provides permissions for 
    		47 |   # the Kubernetes control plane to make calls to AWS API operations on your behalf
    		48 |   role_arn = aws_iam_role.eks_cluster.arn
    		49 | 
    		50 |   # Desired Kubernetes master version
    		51 |   version = "1.18"
    		52 | 
    		53 |   vpc_config {
    		54 |     # Indicates whether or not the Amazon EKS private API server endpoint is enabled
    		55 |     endpoint_private_access = false
    		56 | 
    		57 |     # Indicates whether or not the Amazon EKS public API server endpoint is enabled
    		58 |     endpoint_public_access = true
    		59 | 
    		60 |     # Must be in at least two different availability zones
    		61 |     subnet_ids = [
    		62 |       aws_subnet.public_1.id,
    		63 |       aws_subnet.public_2.id,
    		64 |       aws_subnet.private_1.id,
    		65 |       aws_subnet.private_2.id
    		66 |     ]
    		67 |   }
    		68 | 
    		69 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		70 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		71 |   depends_on = [
    		72 |     aws_iam_role_policy_attachment.amazon_eks_cluster_policy
    		73 |   ]
    		74 | }
    
    Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
    	FAILED for resource: aws_subnet.public_1
    	File: /lessons/038/terraform/subnets.tf:4-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
    
    		4  | resource "aws_subnet" "public_1" {
    		5  |   # The VPC ID.
    		6  |   vpc_id = aws_vpc.main.id
    		7  | 
    		8  |   # The CIDR block for the subnet.
    		9  |   cidr_block = "192.168.0.0/18"
    		10 | 
    		11 |   # The AZ for the subnet.
    		12 |   availability_zone = "us-east-1a"
    		13 | 
    		14 |   # Required for EKS. Instances launched into the subnet should be assigned a public IP address.
    		15 |   map_public_ip_on_launch = true
    		16 | 
    		17 |   # A map of tags to assign to the resource.
    		18 |   tags = {
    		19 |     Name                        = "public-us-east-1a"
    		20 |     "kubernetes.io/cluster/eks" = "shared"
    		21 |     "kubernetes.io/role/elb"    = 1
    		22 |   }
    		23 | }
    
    Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
    	FAILED for resource: aws_subnet.public_2
    	File: /lessons/038/terraform/subnets.tf:25-44
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
    
    		25 | resource "aws_subnet" "public_2" {
    		26 |   # The VPC ID
    		27 |   vpc_id = aws_vpc.main.id
    		28 | 
    		29 |   # The CIDR block for the subnet.
    		30 |   cidr_block = "192.168.64.0/18"
    		31 | 
    		32 |   # The AZ for the subnet.
    		33 |   availability_zone = "us-east-1b"
    		34 | 
    		35 |   # Required for EKS. Instances launched into the subnet should be assigned a public IP address.
    		36 |   map_public_ip_on_launch = true
    		37 | 
    		38 |   # A map of tags to assign to the resource.
    		39 |   tags = {
    		40 |     Name                        = "public-us-east-1b"
    		41 |     "kubernetes.io/cluster/eks" = "shared"
    		42 |     "kubernetes.io/role/elb"    = 1
    		43 |   }
    		44 | }
    
    Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
    	FAILED for resource: aws_instance.server
    	File: /lessons/040/main.tf:4-15
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
    
    		4  | resource "aws_instance" "server" {
    		5  |   # The AMI to use for the instance.
    		6  |   ami = var.ami
    		7  | 
    		8  |   # The type of instance to start.
    		9  |   instance_type = "t2.micro"
    		10 | 
    		11 |   lifecycle {
    		12 |     create_before_destroy = true
    		13 |     ignore_changes        = [tags]
    		14 |   }
    		15 | }
    
    Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
    	FAILED for resource: aws_instance.server
    	File: /lessons/040/main.tf:4-15
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
    
    		4  | resource "aws_instance" "server" {
    		5  |   # The AMI to use for the instance.
    		6  |   ami = var.ami
    		7  | 
    		8  |   # The type of instance to start.
    		9  |   instance_type = "t2.micro"
    		10 | 
    		11 |   lifecycle {
    		12 |     create_before_destroy = true
    		13 |     ignore_changes        = [tags]
    		14 |   }
    		15 | }
    
    Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
    	FAILED for resource: aws_instance.server
    	File: /lessons/040/main.tf:4-15
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
    
    		4  | resource "aws_instance" "server" {
    		5  |   # The AMI to use for the instance.
    		6  |   ami = var.ami
    		7  | 
    		8  |   # The type of instance to start.
    		9  |   instance_type = "t2.micro"
    		10 | 
    		11 |   lifecycle {
    		12 |     create_before_destroy = true
    		13 |     ignore_changes        = [tags]
    		14 |   }
    		15 | }
    
    Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
    	FAILED for resource: aws_instance.server
    	File: /lessons/040/main.tf:4-15
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
    
    		4  | resource "aws_instance" "server" {
    		5  |   # The AMI to use for the instance.
    		6  |   ami = var.ami
    		7  | 
    		8  |   # The type of instance to start.
    		9  |   instance_type = "t2.micro"
    		10 | 
    		11 |   lifecycle {
    		12 |     create_before_destroy = true
    		13 |     ignore_changes        = [tags]
    		14 |   }
    		15 | }
    
    Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
    	FAILED for resource: aws_instance.ubuntu
    	File: /lessons/053/infra-2/main.tf:20-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
    
    		20 | resource "aws_instance" "ubuntu" {
    		21 |   ami           = "ami-013f17f36f8b1fefb"
    		22 |   instance_type = "t3.micro"
    		23 |   subnet_id     = "subnet-07fc2d0816e1f6100"
    		24 | }
    
    Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
    	FAILED for resource: aws_instance.ubuntu
    	File: /lessons/053/infra-2/main.tf:20-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
    
    		20 | resource "aws_instance" "ubuntu" {
    		21 |   ami           = "ami-013f17f36f8b1fefb"
    		22 |   instance_type = "t3.micro"
    		23 |   subnet_id     = "subnet-07fc2d0816e1f6100"
    		24 | }
    
    Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
    	FAILED for resource: aws_instance.ubuntu
    	File: /lessons/053/infra-2/main.tf:20-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
    
    		20 | resource "aws_instance" "ubuntu" {
    		21 |   ami           = "ami-013f17f36f8b1fefb"
    		22 |   instance_type = "t3.micro"
    		23 |   subnet_id     = "subnet-07fc2d0816e1f6100"
    		24 | }
    
    Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
    	FAILED for resource: aws_instance.ubuntu
    	File: /lessons/053/infra-2/main.tf:20-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
    
    		20 | resource "aws_instance" "ubuntu" {
    		21 |   ami           = "ami-013f17f36f8b1fefb"
    		22 |   instance_type = "t3.micro"
    		23 |   subnet_id     = "subnet-07fc2d0816e1f6100"
    		24 | }
    
    Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
    	FAILED for resource: aws_instance.blue[0]
    	File: /lessons/063/blue.tf:3-18
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
    
    		3  | resource "aws_instance" "blue" {
    		4  |   count = var.enable_blue_env ? var.blue_instance_count : 0
    		5  | 
    		6  |   ami                    = local.ubuntu_ami
    		7  |   instance_type          = "t2.micro"
    		8  |   subnet_id              = local.private_a_subnet_id
    		9  |   vpc_security_group_ids = [aws_security_group.web.id]
    		10 | 
    		11 |   user_data = templatefile("./init-script.sh", {
    		12 |     file_content = "blue version 1.2 - ${count.index}"
    		13 |   })
    		14 | 
    		15 |   tags = {
    		16 |     Name = "blue version 1.2 - ${count.index}"
    		17 |   }
    		18 | }
    
    Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
    	FAILED for resource: aws_instance.blue[0]
    	File: /lessons/063/blue.tf:3-18
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
    
    		3  | resource "aws_instance" "blue" {
    		4  |   count = var.enable_blue_env ? var.blue_instance_count : 0
    		5  | 
    		6  |   ami                    = local.ubuntu_ami
    		7  |   instance_type          = "t2.micro"
    		8  |   subnet_id              = local.private_a_subnet_id
    		9  |   vpc_security_group_ids = [aws_security_group.web.id]
    		10 | 
    		11 |   user_data = templatefile("./init-script.sh", {
    		12 |     file_content = "blue version 1.2 - ${count.index}"
    		13 |   })
    		14 | 
    		15 |   tags = {
    		16 |     Name = "blue version 1.2 - ${count.index}"
    		17 |   }
    		18 | }
    
    Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
    	FAILED for resource: aws_instance.blue[0]
    	File: /lessons/063/blue.tf:3-18
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
    
    		3  | resource "aws_instance" "blue" {
    		4  |   count = var.enable_blue_env ? var.blue_instance_count : 0
    		5  | 
    		6  |   ami                    = local.ubuntu_ami
    		7  |   instance_type          = "t2.micro"
    		8  |   subnet_id              = local.private_a_subnet_id
    		9  |   vpc_security_group_ids = [aws_security_group.web.id]
    		10 | 
    		11 |   user_data = templatefile("./init-script.sh", {
    		12 |     file_content = "blue version 1.2 - ${count.index}"
    		13 |   })
    		14 | 
    		15 |   tags = {
    		16 |     Name = "blue version 1.2 - ${count.index}"
    		17 |   }
    		18 | }
    
    Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
    	FAILED for resource: aws_instance.blue[0]
    	File: /lessons/063/blue.tf:3-18
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
    
    		3  | resource "aws_instance" "blue" {
    		4  |   count = var.enable_blue_env ? var.blue_instance_count : 0
    		5  | 
    		6  |   ami                    = local.ubuntu_ami
    		7  |   instance_type          = "t2.micro"
    		8  |   subnet_id              = local.private_a_subnet_id
    		9  |   vpc_security_group_ids = [aws_security_group.web.id]
    		10 | 
    		11 |   user_data = templatefile("./init-script.sh", {
    		12 |     file_content = "blue version 1.2 - ${count.index}"
    		13 |   })
    		14 | 
    		15 |   tags = {
    		16 |     Name = "blue version 1.2 - ${count.index}"
    		17 |   }
    		18 | }
    
    Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
    	FAILED for resource: aws_lb_target_group.blue
    	File: /lessons/063/blue.tf:22-34
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks.html
    
    		22 | resource "aws_lb_target_group" "blue" {
    		23 |   name     = "blue-tg-blue-lb"
    		24 |   port     = 80
    		25 |   protocol = "HTTP"
    		26 |   vpc_id   = local.vpc_id
    		27 | 
    		28 |   health_check {
    		29 |     port     = 80
    		30 |     protocol = "HTTP"
    		31 |     timeout  = 5
    		32 |     interval = 10
    		33 |   }
    		34 | }
    
    Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
    	FAILED for resource: aws_instance.blue[1]
    	File: /lessons/063/blue.tf:3-18
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
    
    		3  | resource "aws_instance" "blue" {
    		4  |   count = var.enable_blue_env ? var.blue_instance_count : 0
    		5  | 
    		6  |   ami                    = local.ubuntu_ami
    		7  |   instance_type          = "t2.micro"
    		8  |   subnet_id              = local.private_a_subnet_id
    		9  |   vpc_security_group_ids = [aws_security_group.web.id]
    		10 | 
    		11 |   user_data = templatefile("./init-script.sh", {
    		12 |     file_content = "blue version 1.2 - ${count.index}"
    		13 |   })
    		14 | 
    		15 |   tags = {
    		16 |     Name = "blue version 1.2 - ${count.index}"
    		17 |   }
    		18 | }
    
    Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
    	FAILED for resource: aws_instance.blue[1]
    	File: /lessons/063/blue.tf:3-18
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
    
    		3  | resource "aws_instance" "blue" {
    		4  |   count = var.enable_blue_env ? var.blue_instance_count : 0
    		5  | 
    		6  |   ami                    = local.ubuntu_ami
    		7  |   instance_type          = "t2.micro"
    		8  |   subnet_id              = local.private_a_subnet_id
    		9  |   vpc_security_group_ids = [aws_security_group.web.id]
    		10 | 
    		11 |   user_data = templatefile("./init-script.sh", {
    		12 |     file_content = "blue version 1.2 - ${count.index}"
    		13 |   })
    		14 | 
    		15 |   tags = {
    		16 |     Name = "blue version 1.2 - ${count.index}"
    		17 |   }
    		18 | }
    
    Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
    	FAILED for resource: aws_instance.blue[1]
    	File: /lessons/063/blue.tf:3-18
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
    
    		3  | resource "aws_instance" "blue" {
    		4  |   count = var.enable_blue_env ? var.blue_instance_count : 0
    		5  | 
    		6  |   ami                    = local.ubuntu_ami
    		7  |   instance_type          = "t2.micro"
    		8  |   subnet_id              = local.private_a_subnet_id
    		9  |   vpc_security_group_ids = [aws_security_group.web.id]
    		10 | 
    		11 |   user_data = templatefile("./init-script.sh", {
    		12 |     file_content = "blue version 1.2 - ${count.index}"
    		13 |   })
    		14 | 
    		15 |   tags = {
    		16 |     Name = "blue version 1.2 - ${count.index}"
    		17 |   }
    		18 | }
    
    Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
    	FAILED for resource: aws_instance.blue[1]
    	File: /lessons/063/blue.tf:3-18
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
    
    		3  | resource "aws_instance" "blue" {
    		4  |   count = var.enable_blue_env ? var.blue_instance_count : 0
    		5  | 
    		6  |   ami                    = local.ubuntu_ami
    		7  |   instance_type          = "t2.micro"
    		8  |   subnet_id              = local.private_a_subnet_id
    		9  |   vpc_security_group_ids = [aws_security_group.web.id]
    		10 | 
    		11 |   user_data = templatefile("./init-script.sh", {
    		12 |     file_content = "blue version 1.2 - ${count.index}"
    		13 |   })
    		14 | 
    		15 |   tags = {
    		16 |     Name = "blue version 1.2 - ${count.index}"
    		17 |   }
    		18 | }
    
    Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
    	FAILED for resource: aws_lb_target_group.green
    	File: /lessons/063/green.tf:22-34
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks.html
    
    		22 | resource "aws_lb_target_group" "green" {
    		23 |   name     = "green-tg-green-lb"
    		24 |   port     = 80
    		25 |   protocol = "HTTP"
    		26 |   vpc_id   = local.vpc_id
    		27 | 
    		28 |   health_check {
    		29 |     port     = 80
    		30 |     protocol = "HTTP"
    		31 |     timeout  = 5
    		32 |     interval = 10
    		33 |   }
    		34 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group.web
    	File: /lessons/063/main.tf:40-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		40 | resource "aws_security_group" "web" {
    		41 |   name        = "web-sg"
    		42 |   description = "Security group for web-servers with HTTP ports open within VPC"
    		43 |   vpc_id      = local.vpc_id
    		44 | 
    		45 |   ingress {
    		46 |     from_port   = 80
    		47 |     to_port     = 80
    		48 |     protocol    = "tcp"
    		49 |     cidr_blocks = ["0.0.0.0/0"]
    		50 |   }
    		51 | 
    		52 |   egress {
    		53 |     from_port        = 0
    		54 |     to_port          = 0
    		55 |     protocol         = "-1"
    		56 |     cidr_blocks      = ["0.0.0.0/0"]
    		57 |     ipv6_cidr_blocks = ["::/0"]
    		58 |   }
    		59 | }
    
    Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
    	FAILED for resource: aws_security_group.web
    	File: /lessons/063/main.tf:40-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
    
    		40 | resource "aws_security_group" "web" {
    		41 |   name        = "web-sg"
    		42 |   description = "Security group for web-servers with HTTP ports open within VPC"
    		43 |   vpc_id      = local.vpc_id
    		44 | 
    		45 |   ingress {
    		46 |     from_port   = 80
    		47 |     to_port     = 80
    		48 |     protocol    = "tcp"
    		49 |     cidr_blocks = ["0.0.0.0/0"]
    		50 |   }
    		51 | 
    		52 |   egress {
    		53 |     from_port        = 0
    		54 |     to_port          = 0
    		55 |     protocol         = "-1"
    		56 |     cidr_blocks      = ["0.0.0.0/0"]
    		57 |     ipv6_cidr_blocks = ["::/0"]
    		58 |   }
    		59 | }
    
    Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
    	FAILED for resource: aws_lb.app
    	File: /lessons/063/main.tf:64-73
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers.html
    
    		64 | resource "aws_lb" "app" {
    		65 |   name               = "app-lb"
    		66 |   internal           = false
    		67 |   load_balancer_type = "application"
    		68 |   subnets = [
    		69 |     local.public_a_subnet_id,
    		70 |     local.public_b_subnet_id
    		71 |   ]
    		72 |   security_groups = [aws_security_group.web.id]
    		73 | }
    
    Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
    	FAILED for resource: aws_lb.app
    	File: /lessons/063/main.tf:64-73
    	Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62
    
    		64 | resource "aws_lb" "app" {
    		65 |   name               = "app-lb"
    		66 |   internal           = false
    		67 |   load_balancer_type = "application"
    		68 |   subnets = [
    		69 |     local.public_a_subnet_id,
    		70 |     local.public_b_subnet_id
    		71 |   ]
    		72 |   security_groups = [aws_security_group.web.id]
    		73 | }
    
    Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
    	FAILED for resource: aws_lb.app
    	File: /lessons/063/main.tf:64-73
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22.html
    
    		64 | resource "aws_lb" "app" {
    		65 |   name               = "app-lb"
    		66 |   internal           = false
    		67 |   load_balancer_type = "application"
    		68 |   subnets = [
    		69 |     local.public_a_subnet_id,
    		70 |     local.public_b_subnet_id
    		71 |   ]
    		72 |   security_groups = [aws_security_group.web.id]
    		73 | }
    
    Check: CKV_AWS_2: "Ensure ALB protocol is HTTPS"
    	FAILED for resource: aws_lb_listener.app
    	File: /lessons/063/main.tf:77-102
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-29.html
    
    		77  | resource "aws_lb_listener" "app" {
    		78  |   load_balancer_arn = aws_lb.app.arn
    		79  |   port              = "80"
    		80  |   protocol          = "HTTP"
    		81  | 
    		82  |   default_action {
    		83  |     type = "forward"
    		84  |     # target_group_arn = aws_lb_target_group.blue.arn
    		85  |     forward {
    		86  |       target_group {
    		87  |         arn    = aws_lb_target_group.blue.arn
    		88  |         weight = lookup(local.traffic_dist_map[var.traffic_distribution], "blue", 100)
    		89  |       }
    		90  | 
    		91  |       target_group {
    		92  |         arn    = aws_lb_target_group.green.arn
    		93  |         weight = lookup(local.traffic_dist_map[var.traffic_distribution], "green", 0)
    		94  |       }
    		95  | 
    		96  |       stickiness {
    		97  |         enabled  = false
    		98  |         duration = 1
    		99  |       }
    		100 |     }
    		101 |   }
    		102 | }
    
    Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
    	FAILED for resource: google_compute_subnetwork.private
    	File: /lessons/069/terraform/3-vpc.tf:11-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
    
    		11 | resource "google_compute_subnetwork" "private" {
    		12 |   name                     = "private"
    		13 |   project                  = google_compute_shared_vpc_host_project.host.project
    		14 |   ip_cidr_range            = "10.5.0.0/20"
    		15 |   region                   = local.region
    		16 |   network                  = google_compute_network.main.self_link
    		17 |   private_ip_google_access = true
    		18 | 
    		19 |   # secondary_ip_range {
    		20 |   #   range_name    = "pod-ip-range"
    		21 |   #   ip_cidr_range = "10.0.0.0/14"
    		22 |   # }
    		23 | 
    		24 |   # secondary_ip_range {
    		25 |   #   range_name    = "services-ip-range"
    		26 |   #   ip_cidr_range = "10.4.0.0/19"
    		27 |   # }
    		28 | 
    		29 |   dynamic "secondary_ip_range" {
    		30 |     for_each = local.secondary_ip_ranges
    		31 | 
    		32 |     content {
    		33 |       range_name    = secondary_ip_range.key
    		34 |       ip_cidr_range = secondary_ip_range.value
    		35 |     }
    		36 |   }
    		37 | }
    Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
    	FAILED for resource: google_compute_subnetwork.private
    	File: /lessons/069/terraform/3-vpc.tf:11-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
    
    		11 | resource "google_compute_subnetwork" "private" {
    		12 |   name                     = "private"
    		13 |   project                  = google_compute_shared_vpc_host_project.host.project
    		14 |   ip_cidr_range            = "10.5.0.0/20"
    		15 |   region                   = local.region
    		16 |   network                  = google_compute_network.main.self_link
    		17 |   private_ip_google_access = true
    		18 | 
    		19 |   # secondary_ip_range {
    		20 |   #   range_name    = "pod-ip-range"
    		21 |   #   ip_cidr_range = "10.0.0.0/14"
    		22 |   # }
    		23 | 
    		24 |   # secondary_ip_range {
    		25 |   #   range_name    = "services-ip-range"
    		26 |   #   ip_cidr_range = "10.4.0.0/19"
    		27 |   # }
    		28 | 
    		29 |   dynamic "secondary_ip_range" {
    		30 |     for_each = local.secondary_ip_ranges
    		31 | 
    		32 |     content {
    		33 |       range_name    = secondary_ip_range.key
    		34 |       ip_cidr_range = secondary_ip_range.value
    		35 |     }
    		36 |   }
    		37 | }
    Check: CKV_GCP_66: "Ensure use of Binary Authorization"
    	FAILED for resource: google_container_cluster.gke
    	File: /lessons/069/terraform/7-kubernetes.tf:9-45
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/ensure-use-of-binary-authorization.html
    
    		9  | resource "google_container_cluster" "gke" {
    		10 |   name     = "gke"
    		11 |   location = local.region
    		12 |   project  = local.service_project_id
    		13 | 
    		14 |   networking_mode = "VPC_NATIVE"
    		15 |   network         = google_compute_network.main.self_link
    		16 |   subnetwork      = google_compute_subnetwork.private.self_link
    		17 | 
    		18 |   remove_default_node_pool = true
    		19 |   initial_node_count       = 1
    		20 | 
    		21 |   release_channel {
    		22 |     channel = "REGULAR"
    		23 |   }
    		24 | 
    		25 |   ip_allocation_policy {
    		26 |     cluster_secondary_range_name  = "pod-ip-range"
    		27 |     services_secondary_range_name = "services-ip-range"
    		28 |   }
    		29 | 
    		30 |   network_policy {
    		31 |     provider = "PROVIDER_UNSPECIFIED"
    		32 |     enabled  = true
    		33 |   }
    		34 | 
    		35 |   private_cluster_config {
    		36 |     enable_private_endpoint = false
    		37 |     enable_private_nodes    = true
    		38 |     master_ipv4_cidr_block  = "172.16.0.0/28"
    		39 |   }
    		40 | 
    		41 |   workload_identity_config {
    		42 |     identity_namespace = "${google_project.k8s-staging.project_id}.svc.id.goog"
    		43 |   }
    		44 | 
    		45 | }
    
    Check: CKV_GCP_24: "Ensure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters"
    	FAILED for resource: google_container_cluster.gke
    	File: /lessons/069/terraform/7-kubernetes.tf:9-45
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/bc-gcp-kubernetes-9.html
    
    		9  | resource "google_container_cluster" "gke" {
    		10 |   name     = "gke"
    		11 |   location = local.region
    		12 |   project  = local.service_project_id
    		13 | 
    		14 |   networking_mode = "VPC_NATIVE"
    		15 |   network         = google_compute_network.main.self_link
    		16 |   subnetwork      = google_compute_subnetwork.private.self_link
    		17 | 
    		18 |   remove_default_node_pool = true
    		19 |   initial_node_count       = 1
    		20 | 
    		21 |   release_channel {
    		22 |     channel = "REGULAR"
    		23 |   }
    		24 | 
    		25 |   ip_allocation_policy {
    		26 |     cluster_secondary_range_name  = "pod-ip-range"
    		27 |     services_secondary_range_name = "services-ip-range"
    		28 |   }
    		29 | 
    		30 |   network_policy {
    		31 |     provider = "PROVIDER_UNSPECIFIED"
    		32 |     enabled  = true
    		33 |   }
    		34 | 
    		35 |   private_cluster_config {
    		36 |     enable_private_endpoint = false
    		37 |     enable_private_nodes    = true
    		38 |     master_ipv4_cidr_block  = "172.16.0.0/28"
    		39 |   }
    		40 | 
    		41 |   workload_identity_config {
    		42 |     identity_namespace = "${google_project.k8s-staging.project_id}.svc.id.goog"
    		43 |   }
    		44 | 
    		45 | }
    
    Check: CKV_GCP_65: "Manage Kubernetes RBAC users with Google Groups for GKE"
    	FAILED for resource: google_container_cluster.gke
    	File: /lessons/069/terraform/7-kubernetes.tf:9-45
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/manage-kubernetes-rbac-users-with-google-groups-for-gke.html
    
    		9  | resource "google_container_cluster" "gke" {
    		10 |   name     = "gke"
    		11 |   location = local.region
    		12 |   project  = local.service_project_id
    		13 | 
    		14 |   networking_mode = "VPC_NATIVE"
    		15 |   network         = google_compute_network.main.self_link
    		16 |   subnetwork      = google_compute_subnetwork.private.self_link
    		17 | 
    		18 |   remove_default_node_pool = true
    		19 |   initial_node_count       = 1
    		20 | 
    		21 |   release_channel {
    		22 |     channel = "REGULAR"
    		23 |   }
    		24 | 
    		25 |   ip_allocation_policy {
    		26 |     cluster_secondary_range_name  = "pod-ip-range"
    		27 |     services_secondary_range_name = "services-ip-range"
    		28 |   }
    		29 | 
    		30 |   network_policy {
    		31 |     provider = "PROVIDER_UNSPECIFIED"
    		32 |     enabled  = true
    		33 |   }
    		34 | 
    		35 |   private_cluster_config {
    		36 |     enable_private_endpoint = false
    		37 |     enable_private_nodes    = true
    		38 |     master_ipv4_cidr_block  = "172.16.0.0/28"
    		39 |   }
    		40 | 
    		41 |   workload_identity_config {
    		42 |     identity_namespace = "${google_project.k8s-staging.project_id}.svc.id.goog"
    		43 |   }
    		44 | 
    		45 | }
    
    Check: CKV_GCP_20: "Ensure master authorized networks is set to enabled in GKE clusters"
    	FAILED for resource: google_container_cluster.gke
    	File: /lessons/069/terraform/7-kubernetes.tf:9-45
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/bc-gcp-kubernetes-12.html
    
    		9  | resource "google_container_cluster" "gke" {
    		10 |   name     = "gke"
    		11 |   location = local.region
    		12 |   project  = local.service_project_id
    		13 | 
    		14 |   networking_mode = "VPC_NATIVE"
    		15 |   network         = google_compute_network.main.self_link
    		16 |   subnetwork      = google_compute_subnetwork.private.self_link
    		17 | 
    		18 |   remove_default_node_pool = true
    		19 |   initial_node_count       = 1
    		20 | 
    		21 |   release_channel {
    		22 |     channel = "REGULAR"
    		23 |   }
    		24 | 
    		25 |   ip_allocation_policy {
    		26 |     cluster_secondary_range_name  = "pod-ip-range"
    		27 |     services_secondary_range_name = "services-ip-range"
    		28 |   }
    		29 | 
    		30 |   network_policy {
    		31 |     provider = "PROVIDER_UNSPECIFIED"
    		32 |     enabled  = true
    		33 |   }
    		34 | 
    		35 |   private_cluster_config {
    		36 |     enable_private_endpoint = false
    		37 |     enable_private_nodes    = true
    		38 |     master_ipv4_cidr_block  = "172.16.0.0/28"
    		39 |   }
    		40 | 
    		41 |   workload_identity_config {
    		42 |     identity_namespace = "${google_project.k8s-staging.project_id}.svc.id.goog"
    		43 |   }
    		44 | 
    		45 | }
    
    Check: CKV_GCP_21: "Ensure Kubernetes Clusters are configured with Labels"
    	FAILED for resource: google_container_cluster.gke
    	File: /lessons/069/terraform/7-kubernetes.tf:9-45
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/bc-gcp-kubernetes-13.html
    
    		9  | resource "google_container_cluster" "gke" {
    		10 |   name     = "gke"
    		11 |   location = local.region
    		12 |   project  = local.service_project_id
    		13 | 
    		14 |   networking_mode = "VPC_NATIVE"
    		15 |   network         = google_compute_network.main.self_link
    		16 |   subnetwork      = google_compute_subnetwork.private.self_link
    		17 | 
    		18 |   remove_default_node_pool = true
    		19 |   initial_node_count       = 1
    		20 | 
    		21 |   release_channel {
    		22 |     channel = "REGULAR"
    		23 |   }
    		24 | 
    		25 |   ip_allocation_policy {
    		26 |     cluster_secondary_range_name  = "pod-ip-range"
    		27 |     services_secondary_range_name = "services-ip-range"
    		28 |   }
    		29 | 
    		30 |   network_policy {
    		31 |     provider = "PROVIDER_UNSPECIFIED"
    		32 |     enabled  = true
    		33 |   }
    		34 | 
    		35 |   private_cluster_config {
    		36 |     enable_private_endpoint = false
    		37 |     enable_private_nodes    = true
    		38 |     master_ipv4_cidr_block  = "172.16.0.0/28"
    		39 |   }
    		40 | 
    		41 |   workload_identity_config {
    		42 |     identity_namespace = "${google_project.k8s-staging.project_id}.svc.id.goog"
    		43 |   }
    		44 | 
    		45 | }
    
    Check: CKV_GCP_69: "Ensure the GKE Metadata Server is Enabled"
    	FAILED for resource: google_container_cluster.gke
    	File: /lessons/069/terraform/7-kubernetes.tf:9-45
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/ensure-the-gke-metadata-server-is-enabled.html
    
    		9  | resource "google_container_cluster" "gke" {
    		10 |   name     = "gke"
    		11 |   location = local.region
    		12 |   project  = local.service_project_id
    		13 | 
    		14 |   networking_mode = "VPC_NATIVE"
    		15 |   network         = google_compute_network.main.self_link
    		16 |   subnetwork      = google_compute_subnetwork.private.self_link
    		17 | 
    		18 |   remove_default_node_pool = true
    		19 |   initial_node_count       = 1
    		20 | 
    		21 |   release_channel {
    		22 |     channel = "REGULAR"
    		23 |   }
    		24 | 
    		25 |   ip_allocation_policy {
    		26 |     cluster_secondary_range_name  = "pod-ip-range"
    		27 |     services_secondary_range_name = "services-ip-range"
    		28 |   }
    		29 | 
    		30 |   network_policy {
    		31 |     provider = "PROVIDER_UNSPECIFIED"
    		32 |     enabled  = true
    		33 |   }
    		34 | 
    		35 |   private_cluster_config {
    		36 |     enable_private_endpoint = false
    		37 |     enable_private_nodes    = true
    		38 |     master_ipv4_cidr_block  = "172.16.0.0/28"
    		39 |   }
    		40 | 
    		41 |   workload_identity_config {
    		42 |     identity_namespace = "${google_project.k8s-staging.project_id}.svc.id.goog"
    		43 |   }
    		44 | 
    		45 | }
    
    Check: CKV_GCP_13: "Ensure client certificate authentication to Kubernetes Engine Clusters is disabled"
    	FAILED for resource: google_container_cluster.gke
    	File: /lessons/069/terraform/7-kubernetes.tf:9-45
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/bc-gcp-kubernetes-8.html
    
    		9  | resource "google_container_cluster" "gke" {
    		10 |   name     = "gke"
    		11 |   location = local.region
    		12 |   project  = local.service_project_id
    		13 | 
    		14 |   networking_mode = "VPC_NATIVE"
    		15 |   network         = google_compute_network.main.self_link
    		16 |   subnetwork      = google_compute_subnetwork.private.self_link
    		17 | 
    		18 |   remove_default_node_pool = true
    		19 |   initial_node_count       = 1
    		20 | 
    		21 |   release_channel {
    		22 |     channel = "REGULAR"
    		23 |   }
    		24 | 
    		25 |   ip_allocation_policy {
    		26 |     cluster_secondary_range_name  = "pod-ip-range"
    		27 |     services_secondary_range_name = "services-ip-range"
    		28 |   }
    		29 | 
    		30 |   network_policy {
    		31 |     provider = "PROVIDER_UNSPECIFIED"
    		32 |     enabled  = true
    		33 |   }
    		34 | 
    		35 |   private_cluster_config {
    		36 |     enable_private_endpoint = false
    		37 |     enable_private_nodes    = true
    		38 |     master_ipv4_cidr_block  = "172.16.0.0/28"
    		39 |   }
    		40 | 
    		41 |   workload_identity_config {
    		42 |     identity_namespace = "${google_project.k8s-staging.project_id}.svc.id.goog"
    		43 |   }
    		44 | 
    		45 | }
    
    Check: CKV_GCP_61: "Enable VPC Flow Logs and Intranode Visibility"
    	FAILED for resource: google_container_cluster.gke
    	File: /lessons/069/terraform/7-kubernetes.tf:9-45
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/enable-vpc-flow-logs-and-intranode-visibility.html
    
    		9  | resource "google_container_cluster" "gke" {
    		10 |   name     = "gke"
    		11 |   location = local.region
    		12 |   project  = local.service_project_id
    		13 | 
    		14 |   networking_mode = "VPC_NATIVE"
    		15 |   network         = google_compute_network.main.self_link
    		16 |   subnetwork      = google_compute_subnetwork.private.self_link
    		17 | 
    		18 |   remove_default_node_pool = true
    		19 |   initial_node_count       = 1
    		20 | 
    		21 |   release_channel {
    		22 |     channel = "REGULAR"
    		23 |   }
    		24 | 
    		25 |   ip_allocation_policy {
    		26 |     cluster_secondary_range_name  = "pod-ip-range"
    		27 |     services_secondary_range_name = "services-ip-range"
    		28 |   }
    		29 | 
    		30 |   network_policy {
    		31 |     provider = "PROVIDER_UNSPECIFIED"
    		32 |     enabled  = true
    		33 |   }
    		34 | 
    		35 |   private_cluster_config {
    		36 |     enable_private_endpoint = false
    		37 |     enable_private_nodes    = true
    		38 |     master_ipv4_cidr_block  = "172.16.0.0/28"
    		39 |   }
    		40 | 
    		41 |   workload_identity_config {
    		42 |     identity_namespace = "${google_project.k8s-staging.project_id}.svc.id.goog"
    		43 |   }
    		44 | 
    		45 | }
    
    Check: CKV_GCP_68: "Ensure Secure Boot for Shielded GKE Nodes is Enabled"
    	FAILED for resource: google_container_node_pool.general
    	File: /lessons/069/terraform/7-kubernetes.tf:47-70
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/ensure-secure-boot-for-shielded-gke-nodes-is-enabled.html
    
    		47 | resource "google_container_node_pool" "general" {
    		48 |   name       = "general"
    		49 |   location   = local.region
    		50 |   cluster    = google_container_cluster.gke.name
    		51 |   project    = local.service_project_id
    		52 |   node_count = 1
    		53 | 
    		54 |   management {
    		55 |     auto_repair  = true
    		56 |     auto_upgrade = true
    		57 |   }
    		58 | 
    		59 |   node_config {
    		60 |     labels = {
    		61 |       role = "general"
    		62 |     }
    		63 |     machine_type = "e2-medium"
    		64 | 
    		65 |     service_account = google_service_account.k8s-staging.email
    		66 |     oauth_scopes = [
    		67 |       "https://www.googleapis.com/auth/cloud-platform"
    		68 |     ]
    		69 |   }
    		70 | }
    
    Check: CKV_GCP_69: "Ensure the GKE Metadata Server is Enabled"
    	FAILED for resource: google_container_node_pool.general
    	File: /lessons/069/terraform/7-kubernetes.tf:47-70
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/ensure-the-gke-metadata-server-is-enabled.html
    
    		47 | resource "google_container_node_pool" "general" {
    		48 |   name       = "general"
    		49 |   location   = local.region
    		50 |   cluster    = google_container_cluster.gke.name
    		51 |   project    = local.service_project_id
    		52 |   node_count = 1
    		53 | 
    		54 |   management {
    		55 |     auto_repair  = true
    		56 |     auto_upgrade = true
    		57 |   }
    		58 | 
    		59 |   node_config {
    		60 |     labels = {
    		61 |       role = "general"
    		62 |     }
    		63 |     machine_type = "e2-medium"
    		64 | 
    		65 |     service_account = google_service_account.k8s-staging.email
    		66 |     oauth_scopes = [
    		67 |       "https://www.googleapis.com/auth/cloud-platform"
    		68 |     ]
    		69 |   }
    		70 | }
    
    Check: CKV_GCP_22: "Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image"
    	FAILED for resource: google_container_node_pool.general
    	File: /lessons/069/terraform/7-kubernetes.tf:47-70
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/bc-gcp-kubernetes-14.html
    
    		47 | resource "google_container_node_pool" "general" {
    		48 |   name       = "general"
    		49 |   location   = local.region
    		50 |   cluster    = google_container_cluster.gke.name
    		51 |   project    = local.service_project_id
    		52 |   node_count = 1
    		53 | 
    		54 |   management {
    		55 |     auto_repair  = true
    		56 |     auto_upgrade = true
    		57 |   }
    		58 | 
    		59 |   node_config {
    		60 |     labels = {
    		61 |       role = "general"
    		62 |     }
    		63 |     machine_type = "e2-medium"
    		64 | 
    		65 |     service_account = google_service_account.k8s-staging.email
    		66 |     oauth_scopes = [
    		67 |       "https://www.googleapis.com/auth/cloud-platform"
    		68 |     ]
    		69 |   }
    		70 | }
    
    Check: CKV_GCP_106: "Ensure Google compute firewall ingress does not allow unrestricted http port 80 access"
    	FAILED for resource: google_compute_firewall.lb
    	File: /lessons/069/terraform/8-firewall.tf:1-14
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-google-compute-firewall-ingress-does-not-allow-unrestricted-http-port-80-access.html
    
    		1  | resource "google_compute_firewall" "lb" {
    		2  |   name        = "k8s-fw-abdca8a7bd83f4a84a8fb7a869242967"
    		3  |   network     = google_compute_network.main.name
    		4  |   project     = local.host_project_id
    		5  |   description = "{\"kubernetes.io/service-name\":\"default/nginx\", \"kubernetes.io/service-ip\":\"35.235.121.183\"}"
    		6  | 
    		7  |   allow {
    		8  |     protocol = "tcp"
    		9  |     ports    = ["80"]
    		10 |   }
    		11 | 
    		12 |   source_ranges = ["0.0.0.0/0"]
    		13 |   target_tags   = ["gke-gke-08c5d5fb-node"]
    		14 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.demo
    	File: /lessons/089/terraform/6-eks.tf:31-47
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		31 | resource "aws_eks_cluster" "demo" {
    		32 |   name     = "demo"
    		33 |   role_arn = aws_iam_role.demo.arn
    		34 | 
    		35 |   vpc_config {
    		36 |     subnet_ids = [
    		37 |       aws_subnet.private-us-east-1a.id,
    		38 |       aws_subnet.private-us-east-1b.id,
    		39 |       aws_subnet.public-us-east-1a.id,
    		40 |       aws_subnet.public-us-east-1b.id
    		41 |     ]
    		42 |   }
    		43 | 
    		44 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		45 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		46 |   depends_on = [aws_iam_role_policy_attachment.demo-AmazonEKSClusterPolicy]
    		47 | }
    
    Check: CKV_AWS_37: "Ensure Amazon EKS control plane logging enabled for all log types"
    	FAILED for resource: aws_eks_cluster.demo
    	File: /lessons/089/terraform/6-eks.tf:31-47
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-4.html
    
    		31 | resource "aws_eks_cluster" "demo" {
    		32 |   name     = "demo"
    		33 |   role_arn = aws_iam_role.demo.arn
    		34 | 
    		35 |   vpc_config {
    		36 |     subnet_ids = [
    		37 |       aws_subnet.private-us-east-1a.id,
    		38 |       aws_subnet.private-us-east-1b.id,
    		39 |       aws_subnet.public-us-east-1a.id,
    		40 |       aws_subnet.public-us-east-1b.id
    		41 |     ]
    		42 |   }
    		43 | 
    		44 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		45 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		46 |   depends_on = [aws_iam_role_policy_attachment.demo-AmazonEKSClusterPolicy]
    		47 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.demo
    	File: /lessons/089/terraform/6-eks.tf:31-47
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		31 | resource "aws_eks_cluster" "demo" {
    		32 |   name     = "demo"
    		33 |   role_arn = aws_iam_role.demo.arn
    		34 | 
    		35 |   vpc_config {
    		36 |     subnet_ids = [
    		37 |       aws_subnet.private-us-east-1a.id,
    		38 |       aws_subnet.private-us-east-1b.id,
    		39 |       aws_subnet.public-us-east-1a.id,
    		40 |       aws_subnet.public-us-east-1b.id
    		41 |     ]
    		42 |   }
    		43 | 
    		44 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		45 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		46 |   depends_on = [aws_iam_role_policy_attachment.demo-AmazonEKSClusterPolicy]
    		47 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.demo
    	File: /lessons/089/terraform/6-eks.tf:31-47
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		31 | resource "aws_eks_cluster" "demo" {
    		32 |   name     = "demo"
    		33 |   role_arn = aws_iam_role.demo.arn
    		34 | 
    		35 |   vpc_config {
    		36 |     subnet_ids = [
    		37 |       aws_subnet.private-us-east-1a.id,
    		38 |       aws_subnet.private-us-east-1b.id,
    		39 |       aws_subnet.public-us-east-1a.id,
    		40 |       aws_subnet.public-us-east-1b.id
    		41 |     ]
    		42 |   }
    		43 | 
    		44 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		45 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		46 |   depends_on = [aws_iam_role_policy_attachment.demo-AmazonEKSClusterPolicy]
    		47 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.demo
    	File: /lessons/090/terraform/6-eks.tf:31-47
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		31 | resource "aws_eks_cluster" "demo" {
    		32 |   name     = "demo"
    		33 |   role_arn = aws_iam_role.demo.arn
    		34 | 
    		35 |   vpc_config {
    		36 |     subnet_ids = [
    		37 |       aws_subnet.private-us-east-1a.id,
    		38 |       aws_subnet.private-us-east-1b.id,
    		39 |       aws_subnet.public-us-east-1a.id,
    		40 |       aws_subnet.public-us-east-1b.id
    		41 |     ]
    		42 |   }
    		43 | 
    		44 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		45 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		46 |   depends_on = [aws_iam_role_policy_attachment.demo-AmazonEKSClusterPolicy]
    		47 | }
    
    Check: CKV_AWS_37: "Ensure Amazon EKS control plane logging enabled for all log types"
    	FAILED for resource: aws_eks_cluster.demo
    	File: /lessons/090/terraform/6-eks.tf:31-47
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-4.html
    
    		31 | resource "aws_eks_cluster" "demo" {
    		32 |   name     = "demo"
    		33 |   role_arn = aws_iam_role.demo.arn
    		34 | 
    		35 |   vpc_config {
    		36 |     subnet_ids = [
    		37 |       aws_subnet.private-us-east-1a.id,
    		38 |       aws_subnet.private-us-east-1b.id,
    		39 |       aws_subnet.public-us-east-1a.id,
    		40 |       aws_subnet.public-us-east-1b.id
    		41 |     ]
    		42 |   }
    		43 | 
    		44 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		45 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		46 |   depends_on = [aws_iam_role_policy_attachment.demo-AmazonEKSClusterPolicy]
    		47 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.demo
    	File: /lessons/090/terraform/6-eks.tf:31-47
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		31 | resource "aws_eks_cluster" "demo" {
    		32 |   name     = "demo"
    		33 |   role_arn = aws_iam_role.demo.arn
    		34 | 
    		35 |   vpc_config {
    		36 |     subnet_ids = [
    		37 |       aws_subnet.private-us-east-1a.id,
    		38 |       aws_subnet.private-us-east-1b.id,
    		39 |       aws_subnet.public-us-east-1a.id,
    		40 |       aws_subnet.public-us-east-1b.id
    		41 |     ]
    		42 |   }
    		43 | 
    		44 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		45 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		46 |   depends_on = [aws_iam_role_policy_attachment.demo-AmazonEKSClusterPolicy]
    		47 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.demo
    	File: /lessons/090/terraform/6-eks.tf:31-47
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		31 | resource "aws_eks_cluster" "demo" {
    		32 |   name     = "demo"
    		33 |   role_arn = aws_iam_role.demo.arn
    		34 | 
    		35 |   vpc_config {
    		36 |     subnet_ids = [
    		37 |       aws_subnet.private-us-east-1a.id,
    		38 |       aws_subnet.private-us-east-1b.id,
    		39 |       aws_subnet.public-us-east-1a.id,
    		40 |       aws_subnet.public-us-east-1b.id
    		41 |     ]
    		42 |   }
    		43 | 
    		44 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		45 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		46 |   depends_on = [aws_iam_role_policy_attachment.demo-AmazonEKSClusterPolicy]
    		47 | }
    
    Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
    	FAILED for resource: aws_subnet.public-us-east-1a
    	File: /lessons/091/terraform/3-subnets.tf:27-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
    
    		27 | resource "aws_subnet" "public-us-east-1a" {
    		28 |   vpc_id                  = aws_vpc.main.id
    		29 |   cidr_block              = "10.0.64.0/19"
    		30 |   availability_zone       = "us-east-1a"
    		31 |   map_public_ip_on_launch = true
    		32 | 
    		33 |   tags = {
    		34 |     "Name"                       = "public-us-east-1a"
    		35 |     "kubernetes.io/role/elb"     = "1"
    		36 |     "kubernetes.io/cluster/demo" = "owned"
    		37 |   }
    		38 | }
    
    Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
    	FAILED for resource: aws_subnet.public-us-east-1b
    	File: /lessons/091/terraform/3-subnets.tf:40-51
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
    
    		40 | resource "aws_subnet" "public-us-east-1b" {
    		41 |   vpc_id                  = aws_vpc.main.id
    		42 |   cidr_block              = "10.0.96.0/19"
    		43 |   availability_zone       = "us-east-1b"
    		44 |   map_public_ip_on_launch = true
    		45 | 
    		46 |   tags = {
    		47 |     "Name"                       = "public-us-east-1b"
    		48 |     "kubernetes.io/role/elb"     = "1"
    		49 |     "kubernetes.io/cluster/demo" = "owned"
    		50 |   }
    		51 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.demo
    	File: /lessons/091/terraform/6-eks.tf:31-47
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		31 | resource "aws_eks_cluster" "demo" {
    		32 |   name     = "demo"
    		33 |   role_arn = aws_iam_role.demo.arn
    		34 | 
    		35 |   vpc_config {
    		36 |     subnet_ids = [
    		37 |       aws_subnet.private-us-east-1a.id,
    		38 |       aws_subnet.private-us-east-1b.id,
    		39 |       aws_subnet.public-us-east-1a.id,
    		40 |       aws_subnet.public-us-east-1b.id
    		41 |     ]
    		42 |   }
    		43 | 
    		44 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		45 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		46 |   depends_on = [aws_iam_role_policy_attachment.demo-AmazonEKSClusterPolicy]
    		47 | }
    
    Check: CKV_AWS_37: "Ensure Amazon EKS control plane logging enabled for all log types"
    	FAILED for resource: aws_eks_cluster.demo
    	File: /lessons/091/terraform/6-eks.tf:31-47
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-4.html
    
    		31 | resource "aws_eks_cluster" "demo" {
    		32 |   name     = "demo"
    		33 |   role_arn = aws_iam_role.demo.arn
    		34 | 
    		35 |   vpc_config {
    		36 |     subnet_ids = [
    		37 |       aws_subnet.private-us-east-1a.id,
    		38 |       aws_subnet.private-us-east-1b.id,
    		39 |       aws_subnet.public-us-east-1a.id,
    		40 |       aws_subnet.public-us-east-1b.id
    		41 |     ]
    		42 |   }
    		43 | 
    		44 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		45 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		46 |   depends_on = [aws_iam_role_policy_attachment.demo-AmazonEKSClusterPolicy]
    		47 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.demo
    	File: /lessons/091/terraform/6-eks.tf:31-47
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		31 | resource "aws_eks_cluster" "demo" {
    		32 |   name     = "demo"
    		33 |   role_arn = aws_iam_role.demo.arn
    		34 | 
    		35 |   vpc_config {
    		36 |     subnet_ids = [
    		37 |       aws_subnet.private-us-east-1a.id,
    		38 |       aws_subnet.private-us-east-1b.id,
    		39 |       aws_subnet.public-us-east-1a.id,
    		40 |       aws_subnet.public-us-east-1b.id
    		41 |     ]
    		42 |   }
    		43 | 
    		44 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		45 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		46 |   depends_on = [aws_iam_role_policy_attachment.demo-AmazonEKSClusterPolicy]
    		47 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.demo
    	File: /lessons/091/terraform/6-eks.tf:31-47
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		31 | resource "aws_eks_cluster" "demo" {
    		32 |   name     = "demo"
    		33 |   role_arn = aws_iam_role.demo.arn
    		34 | 
    		35 |   vpc_config {
    		36 |     subnet_ids = [
    		37 |       aws_subnet.private-us-east-1a.id,
    		38 |       aws_subnet.private-us-east-1b.id,
    		39 |       aws_subnet.public-us-east-1a.id,
    		40 |       aws_subnet.public-us-east-1b.id
    		41 |     ]
    		42 |   }
    		43 | 
    		44 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		45 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		46 |   depends_on = [aws_iam_role_policy_attachment.demo-AmazonEKSClusterPolicy]
    		47 | }
    
    Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
    	FAILED for resource: aws_subnet.public-us-east-1a
    	File: /lessons/099/terraform/3-subnets.tf:27-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
    
    		27 | resource "aws_subnet" "public-us-east-1a" {
    		28 |   vpc_id                  = aws_vpc.main.id
    		29 |   cidr_block              = "10.0.64.0/19"
    		30 |   availability_zone       = "us-east-1a"
    		31 |   map_public_ip_on_launch = true
    		32 | 
    		33 |   tags = {
    		34 |     "Name"                       = "public-us-east-1a"
    		35 |     "kubernetes.io/role/elb"     = "1"
    		36 |     "kubernetes.io/cluster/demo" = "owned"
    		37 |   }
    		38 | }
    
    Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
    	FAILED for resource: aws_subnet.public-us-east-1b
    	File: /lessons/099/terraform/3-subnets.tf:40-51
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
    
    		40 | resource "aws_subnet" "public-us-east-1b" {
    		41 |   vpc_id                  = aws_vpc.main.id
    		42 |   cidr_block              = "10.0.96.0/19"
    		43 |   availability_zone       = "us-east-1b"
    		44 |   map_public_ip_on_launch = true
    		45 | 
    		46 |   tags = {
    		47 |     "Name"                       = "public-us-east-1b"
    		48 |     "kubernetes.io/role/elb"     = "1"
    		49 |     "kubernetes.io/cluster/demo" = "owned"
    		50 |   }
    		51 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.demo
    	File: /lessons/099/terraform/6-eks.tf:31-47
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		31 | resource "aws_eks_cluster" "demo" {
    		32 |   name     = "demo"
    		33 |   role_arn = aws_iam_role.demo.arn
    		34 | 
    		35 |   vpc_config {
    		36 |     subnet_ids = [
    		37 |       aws_subnet.private-us-east-1a.id,
    		38 |       aws_subnet.private-us-east-1b.id,
    		39 |       aws_subnet.public-us-east-1a.id,
    		40 |       aws_subnet.public-us-east-1b.id
    		41 |     ]
    		42 |   }
    		43 | 
    		44 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		45 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		46 |   depends_on = [aws_iam_role_policy_attachment.demo-AmazonEKSClusterPolicy]
    		47 | }
    
    Check: CKV_AWS_37: "Ensure Amazon EKS control plane logging enabled for all log types"
    	FAILED for resource: aws_eks_cluster.demo
    	File: /lessons/099/terraform/6-eks.tf:31-47
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-4.html
    
    		31 | resource "aws_eks_cluster" "demo" {
    		32 |   name     = "demo"
    		33 |   role_arn = aws_iam_role.demo.arn
    		34 | 
    		35 |   vpc_config {
    		36 |     subnet_ids = [
    		37 |       aws_subnet.private-us-east-1a.id,
    		38 |       aws_subnet.private-us-east-1b.id,
    		39 |       aws_subnet.public-us-east-1a.id,
    		40 |       aws_subnet.public-us-east-1b.id
    		41 |     ]
    		42 |   }
    		43 | 
    		44 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		45 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		46 |   depends_on = [aws_iam_role_policy_attachment.demo-AmazonEKSClusterPolicy]
    		47 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.demo
    	File: /lessons/099/terraform/6-eks.tf:31-47
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		31 | resource "aws_eks_cluster" "demo" {
    		32 |   name     = "demo"
    		33 |   role_arn = aws_iam_role.demo.arn
    		34 | 
    		35 |   vpc_config {
    		36 |     subnet_ids = [
    		37 |       aws_subnet.private-us-east-1a.id,
    		38 |       aws_subnet.private-us-east-1b.id,
    		39 |       aws_subnet.public-us-east-1a.id,
    		40 |       aws_subnet.public-us-east-1b.id
    		41 |     ]
    		42 |   }
    		43 | 
    		44 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		45 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		46 |   depends_on = [aws_iam_role_policy_attachment.demo-AmazonEKSClusterPolicy]
    		47 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.demo
    	File: /lessons/099/terraform/6-eks.tf:31-47
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		31 | resource "aws_eks_cluster" "demo" {
    		32 |   name     = "demo"
    		33 |   role_arn = aws_iam_role.demo.arn
    		34 | 
    		35 |   vpc_config {
    		36 |     subnet_ids = [
    		37 |       aws_subnet.private-us-east-1a.id,
    		38 |       aws_subnet.private-us-east-1b.id,
    		39 |       aws_subnet.public-us-east-1a.id,
    		40 |       aws_subnet.public-us-east-1b.id
    		41 |     ]
    		42 |   }
    		43 | 
    		44 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
    		45 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
    		46 |   depends_on = [aws_iam_role_policy_attachment.demo-AmazonEKSClusterPolicy]
    		47 | }
    
    Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
    	FAILED for resource: aws_launch_template.eks-with-disks
    	File: /lessons/099/terraform/7-nodes.tf:70-83
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
    
    		70 | resource "aws_launch_template" "eks-with-disks" {
    		71 |   name = "eks-with-disks"
    		72 | 
    		73 |   key_name = "local-provisioner"
    		74 | 
    		75 |   block_device_mappings {
    		76 |     device_name = "/dev/xvdb"
    		77 | 
    		78 |     ebs {
    		79 |       volume_size = 50
    		80 |       volume_type = "gp2"
    		81 |     }
    		82 |   }
    		83 | }
    
    Check: CKV_GCP_106: "Ensure Google compute firewall ingress does not allow unrestricted http port 80 access"
    	FAILED for resource: google_compute_firewall.web
    	File: /lessons/101/2-example.tf:29-40
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-google-compute-firewall-ingress-does-not-allow-unrestricted-http-port-80-access.html
    
    		29 | resource "google_compute_firewall" "web" {
    		30 |   name    = "web-access"
    		31 |   network = local.network
    		32 | 
    		33 |   allow {
    		34 |     protocol = "tcp"
    		35 |     ports    = ["80"]
    		36 |   }
    		37 | 
    		38 |   source_ranges           = ["0.0.0.0/0"]
    		39 |   target_service_accounts = [google_service_account.nginx.email]
    		40 | }
    
    Check: CKV_GCP_39: "Ensure Compute instances are launched with Shielded VM enabled"
    	FAILED for resource: google_compute_instance.nginx["nginx-000-staging"]
    	File: /lessons/101/2-example.tf:42-79
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/bc-gcp-general-y.html
    
    		42 | resource "google_compute_instance" "nginx" {
    		43 |   for_each = local.web_servers
    		44 | 
    		45 |   name         = each.key
    		46 |   machine_type = each.value.machine_type
    		47 |   zone         = each.value.zone
    		48 | 
    		49 |   boot_disk {
    		50 |     initialize_params {
    		51 |       image = local.image
    		52 |     }
    		53 |   }
    		54 | 
    		55 |   network_interface {
    		56 |     network = local.network
    		57 |     access_config {}
    		58 |   }
    		59 | 
    		60 |   service_account {
    		61 |     email  = google_service_account.nginx.email
    		62 |     scopes = ["cloud-platform"]
    		63 |   }
    		64 | 
    		65 |   provisioner "remote-exec" {
    		66 |     inline = ["echo 'Wait until SSH is ready'"]
    		67 | 
    		68 |     connection {
    		69 |       type        = "ssh"
    		70 |       user        = local.ssh_user
    		71 |       private_key = file(local.private_key_path)
    		72 |       host        = self.network_interface.0.access_config.0.nat_ip
    		73 |     }
    		74 |   }
    		75 | 
    		76 |   provisioner "local-exec" {
    		77 |     command = "ansible-playbook  -i ${self.network_interface.0.access_config.0.nat_ip}, --private-key ${local.private_key_path} nginx.yaml"
    		78 |   }
    		79 | }
    
    Check: CKV_GCP_40: "Ensure that Compute instances do not have public IP addresses"
    	FAILED for resource: google_compute_instance.nginx["nginx-000-staging"]
    	File: /lessons/101/2-example.tf:42-79
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-public-policies/bc-gcp-public-2.html
    
    		42 | resource "google_compute_instance" "nginx" {
    		43 |   for_each = local.web_servers
    		44 | 
    		45 |   name         = each.key
    		46 |   machine_type = each.value.machine_type
    		47 |   zone         = each.value.zone
    		48 | 
    		49 |   boot_disk {
    		50 |     initialize_params {
    		51 |       image = local.image
    		52 |     }
    		53 |   }
    		54 | 
    		55 |   network_interface {
    		56 |     network = local.network
    		57 |     access_config {}
    		58 |   }
    		59 | 
    		60 |   service_account {
    		61 |     email  = google_service_account.nginx.email
    		62 |     scopes = ["cloud-platform"]
    		63 |   }
    		64 | 
    		65 |   provisioner "remote-exec" {
    		66 |     inline = ["echo 'Wait until SSH is ready'"]
    		67 | 
    		68 |     connection {
    		69 |       type        = "ssh"
    		70 |       user        = local.ssh_user
    		71 |       private_key = file(local.private_key_path)
    		72 |       host        = self.network_interface.0.access_config.0.nat_ip
    		73 |     }
    		74 |   }
    		75 | 
    		76 |   provisioner "local-exec" {
    		77 |     command = "ansible-playbook  -i ${self.network_interface.0.access_config.0.nat_ip}, --private-key ${local.private_key_path} nginx.yaml"
    		78 |   }
    		79 | }
    
    Check: CKV_GCP_32: "Ensure 'Block Project-wide SSH keys' is enabled for VM instances"
    	FAILED for resource: google_compute_instance.nginx["nginx-000-staging"]
    	File: /lessons/101/2-example.tf:42-79
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/bc-gcp-networking-8.html
    
    		42 | resource "google_compute_instance" "nginx" {
    		43 |   for_each = local.web_servers
    		44 | 
    		45 |   name         = each.key
    		46 |   machine_type = each.value.machine_type
    		47 |   zone         = each.value.zone
    		48 | 
    		49 |   boot_disk {
    		50 |     initialize_params {
    		51 |       image = local.image
    		52 |     }
    		53 |   }
    		54 | 
    		55 |   network_interface {
    		56 |     network = local.network
    		57 |     access_config {}
    		58 |   }
    		59 | 
    		60 |   service_account {
    		61 |     email  = google_service_account.nginx.email
    		62 |     scopes = ["cloud-platform"]
    		63 |   }
    		64 | 
    		65 |   provisioner "remote-exec" {
    		66 |     inline = ["echo 'Wait until SSH is ready'"]
    		67 | 
    		68 |     connection {
    		69 |       type        = "ssh"
    		70 |       user        = local.ssh_user
    		71 |       private_key = file(local.private_key_path)
    		72 |       host        = self.network_interface.0.access_config.0.nat_ip
    		73 |     }
    		74 |   }
    		75 | 
    		76 |   provisioner "local-exec" {
    		77 |     command = "ansible-playbook  -i ${self.network_interface.0.access_config.0.nat_ip}, --private-key ${local.private_key_path} nginx.yaml"
    		78 |   }
    		79 | }
    
    Check: CKV_GCP_38: "Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK)"
    	FAILED for resource: google_compute_instance.nginx["nginx-000-staging"]
    	File: /lessons/101/2-example.tf:42-79
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/encrypt-boot-disks-for-instances-with-cseks.html
    
    		42 | resource "google_compute_instance" "nginx" {
    		43 |   for_each = local.web_servers
    		44 | 
    		45 |   name         = each.key
    		46 |   machine_type = each.value.machine_type
    		47 |   zone         = each.value.zone
    		48 | 
    		49 |   boot_disk {
    		50 |     initialize_params {
    		51 |       image = local.image
    		52 |     }
    		53 |   }
    		54 | 
    		55 |   network_interface {
    		56 |     network = local.network
    		57 |     access_config {}
    		58 |   }
    		59 | 
    		60 |   service_account {
    		61 |     email  = google_service_account.nginx.email
    		62 |     scopes = ["cloud-platform"]
    		63 |   }
    		64 | 
    		65 |   provisioner "remote-exec" {
    		66 |     inline = ["echo 'Wait until SSH is ready'"]
    		67 | 
    		68 |     connection {
    		69 |       type        = "ssh"
    		70 |       user        = local.ssh_user
    		71 |       private_key = file(local.private_key_path)
    		72 |       host        = self.network_interface.0.access_config.0.nat_ip
    		73 |     }
    		74 |   }
    		75 | 
    		76 |   provisioner "local-exec" {
    		77 |     command = "ansible-playbook  -i ${self.network_interface.0.access_config.0.nat_ip}, --private-key ${local.private_key_path} nginx.yaml"
    		78 |   }
    		79 | }
    
    Check: CKV_GCP_39: "Ensure Compute instances are launched with Shielded VM enabled"
    	FAILED for resource: google_compute_instance.nginx["nginx-001-staging"]
    	File: /lessons/101/2-example.tf:42-79
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/bc-gcp-general-y.html
    
    		42 | resource "google_compute_instance" "nginx" {
    		43 |   for_each = local.web_servers
    		44 | 
    		45 |   name         = each.key
    		46 |   machine_type = each.value.machine_type
    		47 |   zone         = each.value.zone
    		48 | 
    		49 |   boot_disk {
    		50 |     initialize_params {
    		51 |       image = local.image
    		52 |     }
    		53 |   }
    		54 | 
    		55 |   network_interface {
    		56 |     network = local.network
    		57 |     access_config {}
    		58 |   }
    		59 | 
    		60 |   service_account {
    		61 |     email  = google_service_account.nginx.email
    		62 |     scopes = ["cloud-platform"]
    		63 |   }
    		64 | 
    		65 |   provisioner "remote-exec" {
    		66 |     inline = ["echo 'Wait until SSH is ready'"]
    		67 | 
    		68 |     connection {
    		69 |       type        = "ssh"
    		70 |       user        = local.ssh_user
    		71 |       private_key = file(local.private_key_path)
    		72 |       host        = self.network_interface.0.access_config.0.nat_ip
    		73 |     }
    		74 |   }
    		75 | 
    		76 |   provisioner "local-exec" {
    		77 |     command = "ansible-playbook  -i ${self.network_interface.0.access_config.0.nat_ip}, --private-key ${local.private_key_path} nginx.yaml"
    		78 |   }
    		79 | }
    
    Check: CKV_GCP_40: "Ensure that Compute instances do not have public IP addresses"
    	FAILED for resource: google_compute_instance.nginx["nginx-001-staging"]
    	File: /lessons/101/2-example.tf:42-79
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-public-policies/bc-gcp-public-2.html
    
    		42 | resource "google_compute_instance" "nginx" {
    		43 |   for_each = local.web_servers
    		44 | 
    		45 |   name         = each.key
    		46 |   machine_type = each.value.machine_type
    		47 |   zone         = each.value.zone
    		48 | 
    		49 |   boot_disk {
    		50 |     initialize_params {
    		51 |       image = local.image
    		52 |     }
    		53 |   }
    		54 | 
    		55 |   network_interface {
    		56 |     network = local.network
    		57 |     access_config {}
    		58 |   }
    		59 | 
    		60 |   service_account {
    		61 |     email  = google_service_account.nginx.email
    		62 |     scopes = ["cloud-platform"]
    		63 |   }
    		64 | 
    		65 |   provisioner "remote-exec" {
    		66 |     inline = ["echo 'Wait until SSH is ready'"]
    		67 | 
    		68 |     connection {
    		69 |       type        = "ssh"
    		70 |       user        = local.ssh_user
    		71 |       private_key = file(local.private_key_path)
    		72 |       host        = self.network_interface.0.access_config.0.nat_ip
    		73 |     }
    		74 |   }
    		75 | 
    		76 |   provisioner "local-exec" {
    		77 |     command = "ansible-playbook  -i ${self.network_interface.0.access_config.0.nat_ip}, --private-key ${local.private_key_path} nginx.yaml"
    		78 |   }
    		79 | }
    
    Check: CKV_GCP_32: "Ensure 'Block Project-wide SSH keys' is enabled for VM instances"
    	FAILED for resource: google_compute_instance.nginx["nginx-001-staging"]
    	File: /lessons/101/2-example.tf:42-79
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/bc-gcp-networking-8.html
    
    		42 | resource "google_compute_instance" "nginx" {
    		43 |   for_each = local.web_servers
    		44 | 
    		45 |   name         = each.key
    		46 |   machine_type = each.value.machine_type
    		47 |   zone         = each.value.zone
    		48 | 
    		49 |   boot_disk {
    		50 |     initialize_params {
    		51 |       image = local.image
    		52 |     }
    		53 |   }
    		54 | 
    		55 |   network_interface {
    		56 |     network = local.network
    		57 |     access_config {}
    		58 |   }
    		59 | 
    		60 |   service_account {
    		61 |     email  = google_service_account.nginx.email
    		62 |     scopes = ["cloud-platform"]
    		63 |   }
    		64 | 
    		65 |   provisioner "remote-exec" {
    		66 |     inline = ["echo 'Wait until SSH is ready'"]
    		67 | 
    		68 |     connection {
    		69 |       type        = "ssh"
    		70 |       user        = local.ssh_user
    		71 |       private_key = file(local.private_key_path)
    		72 |       host        = self.network_interface.0.access_config.0.nat_ip
    		73 |     }
    		74 |   }
    		75 | 
    		76 |   provisioner "local-exec" {
    		77 |     command = "ansible-playbook  -i ${self.network_interface.0.access_config.0.nat_ip}, --private-key ${local.private_key_path} nginx.yaml"
    		78 |   }
    		79 | }
    
    Check: CKV_GCP_38: "Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK)"
    	FAILED for resource: google_compute_instance.nginx["nginx-001-staging"]
    	File: /lessons/101/2-example.tf:42-79
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/encrypt-boot-disks-for-instances-with-cseks.html
    
    		42 | resource "google_compute_instance" "nginx" {
    		43 |   for_each = local.web_servers
    		44 | 
    		45 |   name         = each.key
    		46 |   machine_type = each.value.machine_type
    		47 |   zone         = each.value.zone
    		48 | 
    		49 |   boot_disk {
    		50 |     initialize_params {
    		51 |       image = local.image
    		52 |     }
    		53 |   }
    		54 | 
    		55 |   network_interface {
    		56 |     network = local.network
    		57 |     access_config {}
    		58 |   }
    		59 | 
    		60 |   service_account {
    		61 |     email  = google_service_account.nginx.email
    		62 |     scopes = ["cloud-platform"]
    		63 |   }
    		64 | 
    		65 |   provisioner "remote-exec" {
    		66 |     inline = ["echo 'Wait until SSH is ready'"]
    		67 | 
    		68 |     connection {
    		69 |       type        = "ssh"
    		70 |       user        = local.ssh_user
    		71 |       private_key = file(local.private_key_path)
    		72 |       host        = self.network_interface.0.access_config.0.nat_ip
    		73 |     }
    		74 |   }
    		75 | 
    		76 |   provisioner "local-exec" {
    		77 |     command = "ansible-playbook  -i ${self.network_interface.0.access_config.0.nat_ip}, --private-key ${local.private_key_path} nginx.yaml"
    		78 |   }
    		79 | }
    
    Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
    	FAILED for resource: aws_subnet.public-us-east-1a
    	File: /lessons/102/terraform/3-subnets.tf:25-36
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
    
    		25 | resource "aws_subnet" "public-us-east-1a" {
    		26 |   vpc_id                  = aws_vpc.main.id
    		27 |   cidr_block              = "10.0.64.0/19"
    		28 |   availability_zone       = "us-east-1a"
    		29 |   map_public_ip_on_launch = true
    		30 | 
    		31 |   tags = {
    		32 |     "Name"                       = "public-us-east-1a"
    		33 |     "kubernetes.io/role/elb"     = "1"
    		34 |     "kubernetes.io/cluster/demo" = "owned"
    		35 |   }
    		36 | }
    
    Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
    	FAILED for resource: aws_subnet.public-us-east-1b
    	File: /lessons/102/terraform/3-subnets.tf:38-49
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
    
    		38 | resource "aws_subnet" "public-us-east-1b" {
    		39 |   vpc_id                  = aws_vpc.main.id
    		40 |   cidr_block              = "10.0.96.0/19"
    		41 |   availability_zone       = "us-east-1b"
    		42 |   map_public_ip_on_launch = true
    		43 | 
    		44 |   tags = {
    		45 |     "Name"                       = "public-us-east-1b"
    		46 |     "kubernetes.io/role/elb"     = "1"
    		47 |     "kubernetes.io/cluster/demo" = "owned"
    		48 |   }
    		49 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.demo
    	File: /lessons/102/terraform/6-eks.tf:32-46
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		32 | resource "aws_eks_cluster" "demo" {
    		33 |   name     = var.cluster_name
    		34 |   role_arn = aws_iam_role.demo.arn
    		35 | 
    		36 |   vpc_config {
    		37 |     subnet_ids = [
    		38 |       aws_subnet.private-us-east-1a.id,
    		39 |       aws_subnet.private-us-east-1b.id,
    		40 |       aws_subnet.public-us-east-1a.id,
    		41 |       aws_subnet.public-us-east-1b.id
    		42 |     ]
    		43 |   }
    		44 | 
    		45 |   depends_on = [aws_iam_role_policy_attachment.demo-AmazonEKSClusterPolicy]
    		46 | }
    
    Check: CKV_AWS_37: "Ensure Amazon EKS control plane logging enabled for all log types"
    	FAILED for resource: aws_eks_cluster.demo
    	File: /lessons/102/terraform/6-eks.tf:32-46
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-4.html
    
    		32 | resource "aws_eks_cluster" "demo" {
    		33 |   name     = var.cluster_name
    		34 |   role_arn = aws_iam_role.demo.arn
    		35 | 
    		36 |   vpc_config {
    		37 |     subnet_ids = [
    		38 |       aws_subnet.private-us-east-1a.id,
    		39 |       aws_subnet.private-us-east-1b.id,
    		40 |       aws_subnet.public-us-east-1a.id,
    		41 |       aws_subnet.public-us-east-1b.id
    		42 |     ]
    		43 |   }
    		44 | 
    		45 |   depends_on = [aws_iam_role_policy_attachment.demo-AmazonEKSClusterPolicy]
    		46 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.demo
    	File: /lessons/102/terraform/6-eks.tf:32-46
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		32 | resource "aws_eks_cluster" "demo" {
    		33 |   name     = var.cluster_name
    		34 |   role_arn = aws_iam_role.demo.arn
    		35 | 
    		36 |   vpc_config {
    		37 |     subnet_ids = [
    		38 |       aws_subnet.private-us-east-1a.id,
    		39 |       aws_subnet.private-us-east-1b.id,
    		40 |       aws_subnet.public-us-east-1a.id,
    		41 |       aws_subnet.public-us-east-1b.id
    		42 |     ]
    		43 |   }
    		44 | 
    		45 |   depends_on = [aws_iam_role_policy_attachment.demo-AmazonEKSClusterPolicy]
    		46 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.demo
    	File: /lessons/102/terraform/6-eks.tf:32-46
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		32 | resource "aws_eks_cluster" "demo" {
    		33 |   name     = var.cluster_name
    		34 |   role_arn = aws_iam_role.demo.arn
    		35 | 
    		36 |   vpc_config {
    		37 |     subnet_ids = [
    		38 |       aws_subnet.private-us-east-1a.id,
    		39 |       aws_subnet.private-us-east-1b.id,
    		40 |       aws_subnet.public-us-east-1a.id,
    		41 |       aws_subnet.public-us-east-1b.id
    		42 |     ]
    		43 |   }
    		44 | 
    		45 |   depends_on = [aws_iam_role_policy_attachment.demo-AmazonEKSClusterPolicy]
    		46 | }
    
    Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
    	FAILED for resource: aws_subnet.public-us-east-1a
    	File: /lessons/104/terraform/3-subnets.tf:1-6
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
    
    		1 | resource "aws_subnet" "public-us-east-1a" {
    		2 |   vpc_id                  = aws_vpc.main.id
    		3 |   cidr_block              = "10.0.64.0/19"
    		4 |   availability_zone       = "us-east-1a"
    		5 |   map_public_ip_on_launch = true
    		6 | }
    
    Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
    	FAILED for resource: aws_instance.web
    	File: /lessons/104/terraform/5-ec2.tf:28-42
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
    
    		28 | resource "aws_instance" "web" {
    		29 |   ami           = data.aws_ami.ubuntu.id
    		30 |   instance_type = "t3.small"
    		31 | 
    		32 |   key_name = local.key_name
    		33 | 
    		34 |   network_interface {
    		35 |     network_interface_id = aws_network_interface.monitoring.id
    		36 |     device_index         = 0
    		37 |   }
    		38 | 
    		39 |   tags = {
    		40 |     Name = "monitoring"
    		41 |   }
    		42 | }
    
    Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
    	FAILED for resource: aws_instance.web
    	File: /lessons/104/terraform/5-ec2.tf:28-42
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
    
    		28 | resource "aws_instance" "web" {
    		29 |   ami           = data.aws_ami.ubuntu.id
    		30 |   instance_type = "t3.small"
    		31 | 
    		32 |   key_name = local.key_name
    		33 | 
    		34 |   network_interface {
    		35 |     network_interface_id = aws_network_interface.monitoring.id
    		36 |     device_index         = 0
    		37 |   }
    		38 | 
    		39 |   tags = {
    		40 |     Name = "monitoring"
    		41 |   }
    		42 | }
    
    Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
    	FAILED for resource: aws_instance.web
    	File: /lessons/104/terraform/5-ec2.tf:28-42
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
    
    		28 | resource "aws_instance" "web" {
    		29 |   ami           = data.aws_ami.ubuntu.id
    		30 |   instance_type = "t3.small"
    		31 | 
    		32 |   key_name = local.key_name
    		33 | 
    		34 |   network_interface {
    		35 |     network_interface_id = aws_network_interface.monitoring.id
    		36 |     device_index         = 0
    		37 |   }
    		38 | 
    		39 |   tags = {
    		40 |     Name = "monitoring"
    		41 |   }
    		42 | }
    
    Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
    	FAILED for resource: aws_instance.web
    	File: /lessons/104/terraform/5-ec2.tf:28-42
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
    
    		28 | resource "aws_instance" "web" {
    		29 |   ami           = data.aws_ami.ubuntu.id
    		30 |   instance_type = "t3.small"
    		31 | 
    		32 |   key_name = local.key_name
    		33 | 
    		34 |   network_interface {
    		35 |     network_interface_id = aws_network_interface.monitoring.id
    		36 |     device_index         = 0
    		37 |   }
    		38 | 
    		39 |   tags = {
    		40 |     Name = "monitoring"
    		41 |   }
    		42 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group.monitoring
    	File: /lessons/104/terraform/6-sg.tf:1-60
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
    	FAILED for resource: aws_security_group.monitoring
    	File: /lessons/104/terraform/6-sg.tf:1-60
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-1-port-security.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
    	FAILED for resource: aws_subnet.public-us-east-1a
    	File: /lessons/105/aws-terraform/3-subnets.tf:25-36
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
    
    		25 | resource "aws_subnet" "public-us-east-1a" {
    		26 |   vpc_id                  = aws_vpc.main.id
    		27 |   cidr_block              = "10.0.64.0/19"
    		28 |   availability_zone       = "us-east-1a"
    		29 |   map_public_ip_on_launch = true
    		30 | 
    		31 |   tags = {
    		32 |     "Name"                       = "public-us-east-1a"
    		33 |     "kubernetes.io/role/elb"     = "1"
    		34 |     "kubernetes.io/cluster/demo" = "owned"
    		35 |   }
    		36 | }
    
    Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
    	FAILED for resource: aws_subnet.public-us-east-1b
    	File: /lessons/105/aws-terraform/3-subnets.tf:38-49
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
    
    		38 | resource "aws_subnet" "public-us-east-1b" {
    		39 |   vpc_id                  = aws_vpc.main.id
    		40 |   cidr_block              = "10.0.96.0/19"
    		41 |   availability_zone       = "us-east-1b"
    		42 |   map_public_ip_on_launch = true
    		43 | 
    		44 |   tags = {
    		45 |     "Name"                       = "public-us-east-1b"
    		46 |     "kubernetes.io/role/elb"     = "1"
    		47 |     "kubernetes.io/cluster/demo" = "owned"
    		48 |   }
    		49 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.demo
    	File: /lessons/105/aws-terraform/6-eks.tf:25-39
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		25 | resource "aws_eks_cluster" "demo" {
    		26 |   name     = "demo"
    		27 |   role_arn = aws_iam_role.demo.arn
    		28 | 
    		29 |   vpc_config {
    		30 |     subnet_ids = [
    		31 |       aws_subnet.private-us-east-1a.id,
    		32 |       aws_subnet.private-us-east-1b.id,
    		33 |       aws_subnet.public-us-east-1a.id,
    		34 |       aws_subnet.public-us-east-1b.id
    		35 |     ]
    		36 |   }
    		37 | 
    		38 |   depends_on = [aws_iam_role_policy_attachment.demo-AmazonEKSClusterPolicy]
    		39 | }
    
    Check: CKV_AWS_37: "Ensure Amazon EKS control plane logging enabled for all log types"
    	FAILED for resource: aws_eks_cluster.demo
    	File: /lessons/105/aws-terraform/6-eks.tf:25-39
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-4.html
    
    		25 | resource "aws_eks_cluster" "demo" {
    		26 |   name     = "demo"
    		27 |   role_arn = aws_iam_role.demo.arn
    		28 | 
    		29 |   vpc_config {
    		30 |     subnet_ids = [
    		31 |       aws_subnet.private-us-east-1a.id,
    		32 |       aws_subnet.private-us-east-1b.id,
    		33 |       aws_subnet.public-us-east-1a.id,
    		34 |       aws_subnet.public-us-east-1b.id
    		35 |     ]
    		36 |   }
    		37 | 
    		38 |   depends_on = [aws_iam_role_policy_attachment.demo-AmazonEKSClusterPolicy]
    		39 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.demo
    	File: /lessons/105/aws-terraform/6-eks.tf:25-39
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		25 | resource "aws_eks_cluster" "demo" {
    		26 |   name     = "demo"
    		27 |   role_arn = aws_iam_role.demo.arn
    		28 | 
    		29 |   vpc_config {
    		30 |     subnet_ids = [
    		31 |       aws_subnet.private-us-east-1a.id,
    		32 |       aws_subnet.private-us-east-1b.id,
    		33 |       aws_subnet.public-us-east-1a.id,
    		34 |       aws_subnet.public-us-east-1b.id
    		35 |     ]
    		36 |   }
    		37 | 
    		38 |   depends_on = [aws_iam_role_policy_attachment.demo-AmazonEKSClusterPolicy]
    		39 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.demo
    	File: /lessons/105/aws-terraform/6-eks.tf:25-39
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		25 | resource "aws_eks_cluster" "demo" {
    		26 |   name     = "demo"
    		27 |   role_arn = aws_iam_role.demo.arn
    		28 | 
    		29 |   vpc_config {
    		30 |     subnet_ids = [
    		31 |       aws_subnet.private-us-east-1a.id,
    		32 |       aws_subnet.private-us-east-1b.id,
    		33 |       aws_subnet.public-us-east-1a.id,
    		34 |       aws_subnet.public-us-east-1b.id
    		35 |     ]
    		36 |   }
    		37 | 
    		38 |   depends_on = [aws_iam_role_policy_attachment.demo-AmazonEKSClusterPolicy]
    		39 | }
    
    Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
    	FAILED for resource: google_compute_subnetwork.private
    	File: /lessons/108/terraform/3-subnets.tf:2-17
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
    
    		2  | resource "google_compute_subnetwork" "private" {
    		3  |   name                     = "private"
    		4  |   ip_cidr_range            = "10.0.0.0/18"
    		5  |   region                   = "us-central1"
    		6  |   network                  = google_compute_network.main.id
    		7  |   private_ip_google_access = true
    		8  | 
    		9  |   secondary_ip_range {
    		10 |     range_name    = "k8s-pod-range"
    		11 |     ip_cidr_range = "10.48.0.0/14"
    		12 |   }
    		13 |   secondary_ip_range {
    		14 |     range_name    = "k8s-service-range"
    		15 |     ip_cidr_range = "10.52.0.0/20"
    		16 |   }
    		17 | }
    
    Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
    	FAILED for resource: google_compute_subnetwork.private
    	File: /lessons/108/terraform/3-subnets.tf:2-17
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
    
    		2  | resource "google_compute_subnetwork" "private" {
    		3  |   name                     = "private"
    		4  |   ip_cidr_range            = "10.0.0.0/18"
    		5  |   region                   = "us-central1"
    		6  |   network                  = google_compute_network.main.id
    		7  |   private_ip_google_access = true
    		8  | 
    		9  |   secondary_ip_range {
    		10 |     range_name    = "k8s-pod-range"
    		11 |     ip_cidr_range = "10.48.0.0/14"
    		12 |   }
    		13 |   secondary_ip_range {
    		14 |     range_name    = "k8s-service-range"
    		15 |     ip_cidr_range = "10.52.0.0/20"
    		16 |   }
    		17 | }
    
    Check: CKV_GCP_2: "Ensure Google compute firewall ingress does not allow unrestricted ssh access"
    	FAILED for resource: google_compute_firewall.allow-ssh
    	File: /lessons/108/terraform/6-firewalls.tf:2-12
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/bc-gcp-networking-1.html
    
    		2  | resource "google_compute_firewall" "allow-ssh" {
    		3  |   name    = "allow-ssh"
    		4  |   network = google_compute_network.main.name
    		5  | 
    		6  |   allow {
    		7  |     protocol = "tcp"
    		8  |     ports    = ["22"]
    		9  |   }
    		10 | 
    		11 |   source_ranges = ["0.0.0.0/0"]
    		12 | }
    
    Check: CKV_GCP_66: "Ensure use of Binary Authorization"
    	FAILED for resource: google_container_cluster.primary
    	File: /lessons/108/terraform/7-kubernetes.tf:2-53
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/ensure-use-of-binary-authorization.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_24: "Ensure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters"
    	FAILED for resource: google_container_cluster.primary
    	File: /lessons/108/terraform/7-kubernetes.tf:2-53
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/bc-gcp-kubernetes-9.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_65: "Manage Kubernetes RBAC users with Google Groups for GKE"
    	FAILED for resource: google_container_cluster.primary
    	File: /lessons/108/terraform/7-kubernetes.tf:2-53
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/manage-kubernetes-rbac-users-with-google-groups-for-gke.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_20: "Ensure master authorized networks is set to enabled in GKE clusters"
    	FAILED for resource: google_container_cluster.primary
    	File: /lessons/108/terraform/7-kubernetes.tf:2-53
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/bc-gcp-kubernetes-12.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_12: "Ensure Network Policy is enabled on Kubernetes Engine Clusters"
    	FAILED for resource: google_container_cluster.primary
    	File: /lessons/108/terraform/7-kubernetes.tf:2-53
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/bc-gcp-kubernetes-7.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_21: "Ensure Kubernetes Clusters are configured with Labels"
    	FAILED for resource: google_container_cluster.primary
    	File: /lessons/108/terraform/7-kubernetes.tf:2-53
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/bc-gcp-kubernetes-13.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_69: "Ensure the GKE Metadata Server is Enabled"
    	FAILED for resource: google_container_cluster.primary
    	File: /lessons/108/terraform/7-kubernetes.tf:2-53
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/ensure-the-gke-metadata-server-is-enabled.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_13: "Ensure client certificate authentication to Kubernetes Engine Clusters is disabled"
    	FAILED for resource: google_container_cluster.primary
    	File: /lessons/108/terraform/7-kubernetes.tf:2-53
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/bc-gcp-kubernetes-8.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_61: "Enable VPC Flow Logs and Intranode Visibility"
    	FAILED for resource: google_container_cluster.primary
    	File: /lessons/108/terraform/7-kubernetes.tf:2-53
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/enable-vpc-flow-logs-and-intranode-visibility.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_GCP_68: "Ensure Secure Boot for Shielded GKE Nodes is Enabled"
    	FAILED for resource: google_container_node_pool.general
    	File: /lessons/108/terraform/8-node-pools.tf:7-30
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/ensure-secure-boot-for-shielded-gke-nodes-is-enabled.html
    
    		7  | resource "google_container_node_pool" "general" {
    		8  |   name       = "general"
    		9  |   cluster    = google_container_cluster.primary.id
    		10 |   node_count = 1
    		11 | 
    		12 |   management {
    		13 |     auto_repair  = true
    		14 |     auto_upgrade = true
    		15 |   }
    		16 | 
    		17 |   node_config {
    		18 |     preemptible  = false
    		19 |     machine_type = "e2-small"
    		20 | 
    		21 |     labels = {
    		22 |       role = "general"
    		23 |     }
    		24 | 
    		25 |     service_account = google_service_account.kubernetes.email
    		26 |     oauth_scopes = [
    		27 |       "https://www.googleapis.com/auth/cloud-platform"
    		28 |     ]
    		29 |   }
    		30 | }
    
    Check: CKV_GCP_69: "Ensure the GKE Metadata Server is Enabled"
    	FAILED for resource: google_container_node_pool.general
    	File: /lessons/108/terraform/8-node-pools.tf:7-30
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/ensure-the-gke-metadata-server-is-enabled.html
    
    		7  | resource "google_container_node_pool" "general" {
    		8  |   name       = "general"
    		9  |   cluster    = google_container_cluster.primary.id
    		10 |   node_count = 1
    		11 | 
    		12 |   management {
    		13 |     auto_repair  = true
    		14 |     auto_upgrade = true
    		15 |   }
    		16 | 
    		17 |   node_config {
    		18 |     preemptible  = false
    		19 |     machine_type = "e2-small"
    		20 | 
    		21 |     labels = {
    		22 |       role = "general"
    		23 |     }
    		24 | 
    		25 |     service_account = google_service_account.kubernetes.email
    		26 |     oauth_scopes = [
    		27 |       "https://www.googleapis.com/auth/cloud-platform"
    		28 |     ]
    		29 |   }
    		30 | }
    
    Check: CKV_GCP_22: "Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image"
    	FAILED for resource: google_container_node_pool.general
    	File: /lessons/108/terraform/8-node-pools.tf:7-30
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/bc-gcp-kubernetes-14.html
    
    		7  | resource "google_container_node_pool" "general" {
    		8  |   name       = "general"
    		9  |   cluster    = google_container_cluster.primary.id
    		10 |   node_count = 1
    		11 | 
    		12 |   management {
    		13 |     auto_repair  = true
    		14 |     auto_upgrade = true
    		15 |   }
    		16 | 
    		17 |   node_config {
    		18 |     preemptible  = false
    		19 |     machine_type = "e2-small"
    		20 | 
    		21 |     labels = {
    		22 |       role = "general"
    		23 |     }
    		24 | 
    		25 |     service_account = google_service_account.kubernetes.email
    		26 |     oauth_scopes = [
    		27 |       "https://www.googleapis.com/auth/cloud-platform"
    		28 |     ]
    		29 |   }
    		30 | }
    
    Check: CKV_GCP_68: "Ensure Secure Boot for Shielded GKE Nodes is Enabled"
    	FAILED for resource: google_container_node_pool.spot
    	File: /lessons/108/terraform/8-node-pools.tf:32-65
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/ensure-secure-boot-for-shielded-gke-nodes-is-enabled.html
    
    		32 | resource "google_container_node_pool" "spot" {
    		33 |   name    = "spot"
    		34 |   cluster = google_container_cluster.primary.id
    		35 | 
    		36 |   management {
    		37 |     auto_repair  = true
    		38 |     auto_upgrade = true
    		39 |   }
    		40 | 
    		41 |   autoscaling {
    		42 |     min_node_count = 0
    		43 |     max_node_count = 10
    		44 |   }
    		45 | 
    		46 |   node_config {
    		47 |     preemptible  = true
    		48 |     machine_type = "e2-small"
    		49 | 
    		50 |     labels = {
    		51 |       team = "devops"
    		52 |     }
    		53 | 
    		54 |     taint {
    		55 |       key    = "instance_type"
    		56 |       value  = "spot"
    		57 |       effect = "NO_SCHEDULE"
    		58 |     }
    		59 | 
    		60 |     service_account = google_service_account.kubernetes.email
    		61 |     oauth_scopes = [
    		62 |       "https://www.googleapis.com/auth/cloud-platform"
    		63 |     ]
    		64 |   }
    		65 | }
    
    Check: CKV_GCP_69: "Ensure the GKE Metadata Server is Enabled"
    	FAILED for resource: google_container_node_pool.spot
    	File: /lessons/108/terraform/8-node-pools.tf:32-65
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/ensure-the-gke-metadata-server-is-enabled.html
    
    		32 | resource "google_container_node_pool" "spot" {
    		33 |   name    = "spot"
    		34 |   cluster = google_container_cluster.primary.id
    		35 | 
    		36 |   management {
    		37 |     auto_repair  = true
    		38 |     auto_upgrade = true
    		39 |   }
    		40 | 
    		41 |   autoscaling {
    		42 |     min_node_count = 0
    		43 |     max_node_count = 10
    		44 |   }
    		45 | 
    		46 |   node_config {
    		47 |     preemptible  = true
    		48 |     machine_type = "e2-small"
    		49 | 
    		50 |     labels = {
    		51 |       team = "devops"
    		52 |     }
    		53 | 
    		54 |     taint {
    		55 |       key    = "instance_type"
    		56 |       value  = "spot"
    		57 |       effect = "NO_SCHEDULE"
    		58 |     }
    		59 | 
    		60 |     service_account = google_service_account.kubernetes.email
    		61 |     oauth_scopes = [
    		62 |       "https://www.googleapis.com/auth/cloud-platform"
    		63 |     ]
    		64 |   }
    		65 | }
    
    Check: CKV_GCP_22: "Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image"
    	FAILED for resource: google_container_node_pool.spot
    	File: /lessons/108/terraform/8-node-pools.tf:32-65
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/bc-gcp-kubernetes-14.html
    
    		32 | resource "google_container_node_pool" "spot" {
    		33 |   name    = "spot"
    		34 |   cluster = google_container_cluster.primary.id
    		35 | 
    		36 |   management {
    		37 |     auto_repair  = true
    		38 |     auto_upgrade = true
    		39 |   }
    		40 | 
    		41 |   autoscaling {
    		42 |     min_node_count = 0
    		43 |     max_node_count = 10
    		44 |   }
    		45 | 
    		46 |   node_config {
    		47 |     preemptible  = true
    		48 |     machine_type = "e2-small"
    		49 | 
    		50 |     labels = {
    		51 |       team = "devops"
    		52 |     }
    		53 | 
    		54 |     taint {
    		55 |       key    = "instance_type"
    		56 |       value  = "spot"
    		57 |       effect = "NO_SCHEDULE"
    		58 |     }
    		59 | 
    		60 |     service_account = google_service_account.kubernetes.email
    		61 |     oauth_scopes = [
    		62 |       "https://www.googleapis.com/auth/cloud-platform"
    		63 |     ]
    		64 |   }
    		65 | }
    
    Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
    	FAILED for resource: aws_subnet.public-us-east-1a
    	File: /lessons/112/terraform/3-subnets.tf:25-36
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
    
    		25 | resource "aws_subnet" "public-us-east-1a" {
    		26 |   vpc_id                  = aws_vpc.main.id
    		27 |   cidr_block              = "10.0.64.0/19"
    		28 |   availability_zone       = "us-east-1a"
    		29 |   map_public_ip_on_launch = true
    		30 | 
    		31 |   tags = {
    		32 |     "Name"                                      = "public-us-east-1a"
    		33 |     "kubernetes.io/role/elb"                    = "1"
    		34 |     "kubernetes.io/cluster/${var.cluster_name}" = "owned"
    		35 |   }
    		36 | }
    
    Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
    	FAILED for resource: aws_subnet.public-us-east-1b
    	File: /lessons/112/terraform/3-subnets.tf:38-49
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
    
    		38 | resource "aws_subnet" "public-us-east-1b" {
    		39 |   vpc_id                  = aws_vpc.main.id
    		40 |   cidr_block              = "10.0.96.0/19"
    		41 |   availability_zone       = "us-east-1b"
    		42 |   map_public_ip_on_launch = true
    		43 | 
    		44 |   tags = {
    		45 |     "Name"                                      = "public-us-east-1b"
    		46 |     "kubernetes.io/role/elb"                    = "1"
    		47 |     "kubernetes.io/cluster/${var.cluster_name}" = "owned"
    		48 |   }
    		49 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.cluster
    	File: /lessons/112/terraform/6-eks.tf:25-40
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		25 | resource "aws_eks_cluster" "cluster" {
    		26 |   name     = var.cluster_name
    		27 |   version  = var.cluster_version
    		28 |   role_arn = aws_iam_role.eks-cluster.arn
    		29 | 
    		30 |   vpc_config {
    		31 |     subnet_ids = [
    		32 |       aws_subnet.private-us-east-1a.id,
    		33 |       aws_subnet.private-us-east-1b.id,
    		34 |       aws_subnet.public-us-east-1a.id,
    		35 |       aws_subnet.public-us-east-1b.id
    		36 |     ]
    		37 |   }
    		38 | 
    		39 |   depends_on = [aws_iam_role_policy_attachment.amazon-eks-cluster-policy]
    		40 | }
    
    Check: CKV_AWS_37: "Ensure Amazon EKS control plane logging enabled for all log types"
    	FAILED for resource: aws_eks_cluster.cluster
    	File: /lessons/112/terraform/6-eks.tf:25-40
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-4.html
    
    		25 | resource "aws_eks_cluster" "cluster" {
    		26 |   name     = var.cluster_name
    		27 |   version  = var.cluster_version
    		28 |   role_arn = aws_iam_role.eks-cluster.arn
    		29 | 
    		30 |   vpc_config {
    		31 |     subnet_ids = [
    		32 |       aws_subnet.private-us-east-1a.id,
    		33 |       aws_subnet.private-us-east-1b.id,
    		34 |       aws_subnet.public-us-east-1a.id,
    		35 |       aws_subnet.public-us-east-1b.id
    		36 |     ]
    		37 |   }
    		38 | 
    		39 |   depends_on = [aws_iam_role_policy_attachment.amazon-eks-cluster-policy]
    		40 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.cluster
    	File: /lessons/112/terraform/6-eks.tf:25-40
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		25 | resource "aws_eks_cluster" "cluster" {
    		26 |   name     = var.cluster_name
    		27 |   version  = var.cluster_version
    		28 |   role_arn = aws_iam_role.eks-cluster.arn
    		29 | 
    		30 |   vpc_config {
    		31 |     subnet_ids = [
    		32 |       aws_subnet.private-us-east-1a.id,
    		33 |       aws_subnet.private-us-east-1b.id,
    		34 |       aws_subnet.public-us-east-1a.id,
    		35 |       aws_subnet.public-us-east-1b.id
    		36 |     ]
    		37 |   }
    		38 | 
    		39 |   depends_on = [aws_iam_role_policy_attachment.amazon-eks-cluster-policy]
    		40 | }
    
    Check: CKV_AWS_339: "Ensure EKS clusters run on a supported Kubernetes version"
    	FAILED for resource: aws_eks_cluster.cluster
    	File: /lessons/112/terraform/6-eks.tf:25-40
    
    		25 | resource "aws_eks_cluster" "cluster" {
    		26 |   name     = var.cluster_name
    		27 |   version  = var.cluster_version
    		28 |   role_arn = aws_iam_role.eks-cluster.arn
    		29 | 
    		30 |   vpc_config {
    		31 |     subnet_ids = [
    		32 |       aws_subnet.private-us-east-1a.id,
    		33 |       aws_subnet.private-us-east-1b.id,
    		34 |       aws_subnet.public-us-east-1a.id,
    		35 |       aws_subnet.public-us-east-1b.id
    		36 |     ]
    		37 |   }
    		38 | 
    		39 |   depends_on = [aws_iam_role_policy_attachment.amazon-eks-cluster-policy]
    		40 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.cluster
    	File: /lessons/112/terraform/6-eks.tf:25-40
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		25 | resource "aws_eks_cluster" "cluster" {
    		26 |   name     = var.cluster_name
    		27 |   version  = var.cluster_version
    		28 |   role_arn = aws_iam_role.eks-cluster.arn
    		29 | 
    		30 |   vpc_config {
    		31 |     subnet_ids = [
    		32 |       aws_subnet.private-us-east-1a.id,
    		33 |       aws_subnet.private-us-east-1b.id,
    		34 |       aws_subnet.public-us-east-1a.id,
    		35 |       aws_subnet.public-us-east-1b.id
    		36 |     ]
    		37 |   }
    		38 | 
    		39 |   depends_on = [aws_iam_role_policy_attachment.amazon-eks-cluster-policy]
    		40 | }
    
    Check: CKV_AWS_184: "Ensure resource is encrypted by KMS using a customer managed Key (CMK)"
    	FAILED for resource: aws_efs_file_system.eks
    	File: /lessons/113/terraform/13-efs.tf:1-15
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-104.html
    
    		1  | resource "aws_efs_file_system" "eks" {
    		2  |   creation_token = "eks"
    		3  | 
    		4  |   performance_mode = "generalPurpose"
    		5  |   throughput_mode  = "bursting"
    		6  |   encrypted        = true
    		7  | 
    		8  |   # lifecycle_policy {
    		9  |   #   transition_to_ia = "AFTER_30_DAYS"
    		10 |   # }
    		11 | 
    		12 |   tags = {
    		13 |     Name = "eks"
    		14 |   }
    		15 | }
    
    Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
    	FAILED for resource: aws_subnet.public-us-east-1a
    	File: /lessons/113/terraform/3-subnets.tf:25-36
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
    
    		25 | resource "aws_subnet" "public-us-east-1a" {
    		26 |   vpc_id                  = aws_vpc.main.id
    		27 |   cidr_block              = "10.0.64.0/19"
    		28 |   availability_zone       = "us-east-1a"
    		29 |   map_public_ip_on_launch = true
    		30 | 
    		31 |   tags = {
    		32 |     "Name"                                      = "public-us-east-1a"
    		33 |     "kubernetes.io/role/elb"                    = "1"
    		34 |     "kubernetes.io/cluster/${var.cluster_name}" = "owned"
    		35 |   }
    		36 | }
    
    Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
    	FAILED for resource: aws_subnet.public-us-east-1b
    	File: /lessons/113/terraform/3-subnets.tf:38-49
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
    
    		38 | resource "aws_subnet" "public-us-east-1b" {
    		39 |   vpc_id                  = aws_vpc.main.id
    		40 |   cidr_block              = "10.0.96.0/19"
    		41 |   availability_zone       = "us-east-1b"
    		42 |   map_public_ip_on_launch = true
    		43 | 
    		44 |   tags = {
    		45 |     "Name"                                      = "public-us-east-1b"
    		46 |     "kubernetes.io/role/elb"                    = "1"
    		47 |     "kubernetes.io/cluster/${var.cluster_name}" = "owned"
    		48 |   }
    		49 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.cluster
    	File: /lessons/113/terraform/6-eks.tf:25-45
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		25 | resource "aws_eks_cluster" "cluster" {
    		26 |   name     = var.cluster_name
    		27 |   version  = var.cluster_version
    		28 |   role_arn = aws_iam_role.eks-cluster.arn
    		29 | 
    		30 |   vpc_config {
    		31 | 
    		32 |     endpoint_private_access = false
    		33 |     endpoint_public_access  = true
    		34 |     public_access_cidrs     = ["0.0.0.0/0"]
    		35 | 
    		36 |     subnet_ids = [
    		37 |       aws_subnet.private-us-east-1a.id,
    		38 |       aws_subnet.private-us-east-1b.id,
    		39 |       aws_subnet.public-us-east-1a.id,
    		40 |       aws_subnet.public-us-east-1b.id
    		41 |     ]
    		42 |   }
    		43 | 
    		44 |   depends_on = [aws_iam_role_policy_attachment.amazon-eks-cluster-policy]
    		45 | }
    
    Check: CKV_AWS_37: "Ensure Amazon EKS control plane logging enabled for all log types"
    	FAILED for resource: aws_eks_cluster.cluster
    	File: /lessons/113/terraform/6-eks.tf:25-45
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-4.html
    
    		25 | resource "aws_eks_cluster" "cluster" {
    		26 |   name     = var.cluster_name
    		27 |   version  = var.cluster_version
    		28 |   role_arn = aws_iam_role.eks-cluster.arn
    		29 | 
    		30 |   vpc_config {
    		31 | 
    		32 |     endpoint_private_access = false
    		33 |     endpoint_public_access  = true
    		34 |     public_access_cidrs     = ["0.0.0.0/0"]
    		35 | 
    		36 |     subnet_ids = [
    		37 |       aws_subnet.private-us-east-1a.id,
    		38 |       aws_subnet.private-us-east-1b.id,
    		39 |       aws_subnet.public-us-east-1a.id,
    		40 |       aws_subnet.public-us-east-1b.id
    		41 |     ]
    		42 |   }
    		43 | 
    		44 |   depends_on = [aws_iam_role_policy_attachment.amazon-eks-cluster-policy]
    		45 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.cluster
    	File: /lessons/113/terraform/6-eks.tf:25-45
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		25 | resource "aws_eks_cluster" "cluster" {
    		26 |   name     = var.cluster_name
    		27 |   version  = var.cluster_version
    		28 |   role_arn = aws_iam_role.eks-cluster.arn
    		29 | 
    		30 |   vpc_config {
    		31 | 
    		32 |     endpoint_private_access = false
    		33 |     endpoint_public_access  = true
    		34 |     public_access_cidrs     = ["0.0.0.0/0"]
    		35 | 
    		36 |     subnet_ids = [
    		37 |       aws_subnet.private-us-east-1a.id,
    		38 |       aws_subnet.private-us-east-1b.id,
    		39 |       aws_subnet.public-us-east-1a.id,
    		40 |       aws_subnet.public-us-east-1b.id
    		41 |     ]
    		42 |   }
    		43 | 
    		44 |   depends_on = [aws_iam_role_policy_attachment.amazon-eks-cluster-policy]
    		45 | }
    
    Check: CKV_AWS_339: "Ensure EKS clusters run on a supported Kubernetes version"
    	FAILED for resource: aws_eks_cluster.cluster
    	File: /lessons/113/terraform/6-eks.tf:25-45
    
    		25 | resource "aws_eks_cluster" "cluster" {
    		26 |   name     = var.cluster_name
    		27 |   version  = var.cluster_version
    		28 |   role_arn = aws_iam_role.eks-cluster.arn
    		29 | 
    		30 |   vpc_config {
    		31 | 
    		32 |     endpoint_private_access = false
    		33 |     endpoint_public_access  = true
    		34 |     public_access_cidrs     = ["0.0.0.0/0"]
    		35 | 
    		36 |     subnet_ids = [
    		37 |       aws_subnet.private-us-east-1a.id,
    		38 |       aws_subnet.private-us-east-1b.id,
    		39 |       aws_subnet.public-us-east-1a.id,
    		40 |       aws_subnet.public-us-east-1b.id
    		41 |     ]
    		42 |   }
    		43 | 
    		44 |   depends_on = [aws_iam_role_policy_attachment.amazon-eks-cluster-policy]
    		45 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.cluster
    	File: /lessons/113/terraform/6-eks.tf:25-45
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		25 | resource "aws_eks_cluster" "cluster" {
    		26 |   name     = var.cluster_name
    		27 |   version  = var.cluster_version
    		28 |   role_arn = aws_iam_role.eks-cluster.arn
    		29 | 
    		30 |   vpc_config {
    		31 | 
    		32 |     endpoint_private_access = false
    		33 |     endpoint_public_access  = true
    		34 |     public_access_cidrs     = ["0.0.0.0/0"]
    		35 | 
    		36 |     subnet_ids = [
    		37 |       aws_subnet.private-us-east-1a.id,
    		38 |       aws_subnet.private-us-east-1b.id,
    		39 |       aws_subnet.public-us-east-1a.id,
    		40 |       aws_subnet.public-us-east-1b.id
    		41 |     ]
    		42 |   }
    		43 | 
    		44 |   depends_on = [aws_iam_role_policy_attachment.amazon-eks-cluster-policy]
    		45 | }
    
    Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
    	FAILED for resource: aws_subnet.public-us-east-1a
    	File: /lessons/114/terraform/3-subnets.tf:25-36
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
    
    		25 | resource "aws_subnet" "public-us-east-1a" {
    		26 |   vpc_id                  = aws_vpc.main.id
    		27 |   cidr_block              = "10.0.64.0/19"
    		28 |   availability_zone       = "us-east-1a"
    		29 |   map_public_ip_on_launch = true
    		30 | 
    		31 |   tags = {
    		32 |     "Name"                                      = "public-us-east-1a"
    		33 |     "kubernetes.io/role/elb"                    = "1"
    		34 |     "kubernetes.io/cluster/${var.cluster_name}" = "owned"
    		35 |   }
    		36 | }
    
    Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
    	FAILED for resource: aws_subnet.public-us-east-1b
    	File: /lessons/114/terraform/3-subnets.tf:38-49
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
    
    		38 | resource "aws_subnet" "public-us-east-1b" {
    		39 |   vpc_id                  = aws_vpc.main.id
    		40 |   cidr_block              = "10.0.96.0/19"
    		41 |   availability_zone       = "us-east-1b"
    		42 |   map_public_ip_on_launch = true
    		43 | 
    		44 |   tags = {
    		45 |     "Name"                                      = "public-us-east-1b"
    		46 |     "kubernetes.io/role/elb"                    = "1"
    		47 |     "kubernetes.io/cluster/${var.cluster_name}" = "owned"
    		48 |   }
    		49 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.cluster
    	File: /lessons/114/terraform/6-eks.tf:25-45
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		25 | resource "aws_eks_cluster" "cluster" {
    		26 |   name     = var.cluster_name
    		27 |   version  = "1.22"
    		28 |   role_arn = aws_iam_role.eks-cluster.arn
    		29 | 
    		30 |   vpc_config {
    		31 | 
    		32 |     endpoint_private_access = false
    		33 |     endpoint_public_access  = true
    		34 |     public_access_cidrs     = ["0.0.0.0/0"]
    		35 | 
    		36 |     subnet_ids = [
    		37 |       aws_subnet.private-us-east-1a.id,
    		38 |       aws_subnet.private-us-east-1b.id,
    		39 |       aws_subnet.public-us-east-1a.id,
    		40 |       aws_subnet.public-us-east-1b.id
    		41 |     ]
    		42 |   }
    		43 | 
    		44 |   depends_on = [aws_iam_role_policy_attachment.amazon-eks-cluster-policy]
    		45 | }
    
    Check: CKV_AWS_37: "Ensure Amazon EKS control plane logging enabled for all log types"
    	FAILED for resource: aws_eks_cluster.cluster
    	File: /lessons/114/terraform/6-eks.tf:25-45
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-4.html
    
    		25 | resource "aws_eks_cluster" "cluster" {
    		26 |   name     = var.cluster_name
    		27 |   version  = "1.22"
    		28 |   role_arn = aws_iam_role.eks-cluster.arn
    		29 | 
    		30 |   vpc_config {
    		31 | 
    		32 |     endpoint_private_access = false
    		33 |     endpoint_public_access  = true
    		34 |     public_access_cidrs     = ["0.0.0.0/0"]
    		35 | 
    		36 |     subnet_ids = [
    		37 |       aws_subnet.private-us-east-1a.id,
    		38 |       aws_subnet.private-us-east-1b.id,
    		39 |       aws_subnet.public-us-east-1a.id,
    		40 |       aws_subnet.public-us-east-1b.id
    		41 |     ]
    		42 |   }
    		43 | 
    		44 |   depends_on = [aws_iam_role_policy_attachment.amazon-eks-cluster-policy]
    		45 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.cluster
    	File: /lessons/114/terraform/6-eks.tf:25-45
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		25 | resource "aws_eks_cluster" "cluster" {
    		26 |   name     = var.cluster_name
    		27 |   version  = "1.22"
    		28 |   role_arn = aws_iam_role.eks-cluster.arn
    		29 | 
    		30 |   vpc_config {
    		31 | 
    		32 |     endpoint_private_access = false
    		33 |     endpoint_public_access  = true
    		34 |     public_access_cidrs     = ["0.0.0.0/0"]
    		35 | 
    		36 |     subnet_ids = [
    		37 |       aws_subnet.private-us-east-1a.id,
    		38 |       aws_subnet.private-us-east-1b.id,
    		39 |       aws_subnet.public-us-east-1a.id,
    		40 |       aws_subnet.public-us-east-1b.id
    		41 |     ]
    		42 |   }
    		43 | 
    		44 |   depends_on = [aws_iam_role_policy_attachment.amazon-eks-cluster-policy]
    		45 | }
    
    Check: CKV_AWS_339: "Ensure EKS clusters run on a supported Kubernetes version"
    	FAILED for resource: aws_eks_cluster.cluster
    	File: /lessons/114/terraform/6-eks.tf:25-45
    
    		25 | resource "aws_eks_cluster" "cluster" {
    		26 |   name     = var.cluster_name
    		27 |   version  = "1.22"
    		28 |   role_arn = aws_iam_role.eks-cluster.arn
    		29 | 
    		30 |   vpc_config {
    		31 | 
    		32 |     endpoint_private_access = false
    		33 |     endpoint_public_access  = true
    		34 |     public_access_cidrs     = ["0.0.0.0/0"]
    		35 | 
    		36 |     subnet_ids = [
    		37 |       aws_subnet.private-us-east-1a.id,
    		38 |       aws_subnet.private-us-east-1b.id,
    		39 |       aws_subnet.public-us-east-1a.id,
    		40 |       aws_subnet.public-us-east-1b.id
    		41 |     ]
    		42 |   }
    		43 | 
    		44 |   depends_on = [aws_iam_role_policy_attachment.amazon-eks-cluster-policy]
    		45 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.cluster
    	File: /lessons/114/terraform/6-eks.tf:25-45
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		25 | resource "aws_eks_cluster" "cluster" {
    		26 |   name     = var.cluster_name
    		27 |   version  = "1.22"
    		28 |   role_arn = aws_iam_role.eks-cluster.arn
    		29 | 
    		30 |   vpc_config {
    		31 | 
    		32 |     endpoint_private_access = false
    		33 |     endpoint_public_access  = true
    		34 |     public_access_cidrs     = ["0.0.0.0/0"]
    		35 | 
    		36 |     subnet_ids = [
    		37 |       aws_subnet.private-us-east-1a.id,
    		38 |       aws_subnet.private-us-east-1b.id,
    		39 |       aws_subnet.public-us-east-1a.id,
    		40 |       aws_subnet.public-us-east-1b.id
    		41 |     ]
    		42 |   }
    		43 | 
    		44 |   depends_on = [aws_iam_role_policy_attachment.amazon-eks-cluster-policy]
    		45 | }
    
    Check: CKV_AWS_50: "X-ray tracing is enabled for Lambda"
    	FAILED for resource: aws_lambda_function.hello
    	File: /lessons/115/terraform/2-hello-lambda.tf:25-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4.html
    
    		25 | resource "aws_lambda_function" "hello" {
    		26 |   function_name = "hello"
    		27 | 
    		28 |   s3_bucket = aws_s3_bucket.lambda_bucket.id
    		29 |   s3_key    = aws_s3_object.lambda_hello.key
    		30 | 
    		31 |   runtime = "nodejs16.x"
    		32 |   handler = "function.handler"
    		33 | 
    		34 |   source_code_hash = data.archive_file.lambda_hello.output_base64sha256
    		35 | 
    		36 |   role = aws_iam_role.hello_lambda_exec.arn
    		37 | }
    
    Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
    	FAILED for resource: aws_lambda_function.hello
    	File: /lessons/115/terraform/2-hello-lambda.tf:25-37
    
    		25 | resource "aws_lambda_function" "hello" {
    		26 |   function_name = "hello"
    		27 | 
    		28 |   s3_bucket = aws_s3_bucket.lambda_bucket.id
    		29 |   s3_key    = aws_s3_object.lambda_hello.key
    		30 | 
    		31 |   runtime = "nodejs16.x"
    		32 |   handler = "function.handler"
    		33 | 
    		34 |   source_code_hash = data.archive_file.lambda_hello.output_base64sha256
    		35 | 
    		36 |   role = aws_iam_role.hello_lambda_exec.arn
    		37 | }
    
    Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
    	FAILED for resource: aws_lambda_function.hello
    	File: /lessons/115/terraform/2-hello-lambda.tf:25-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit.html
    
    		25 | resource "aws_lambda_function" "hello" {
    		26 |   function_name = "hello"
    		27 | 
    		28 |   s3_bucket = aws_s3_bucket.lambda_bucket.id
    		29 |   s3_key    = aws_s3_object.lambda_hello.key
    		30 | 
    		31 |   runtime = "nodejs16.x"
    		32 |   handler = "function.handler"
    		33 | 
    		34 |   source_code_hash = data.archive_file.lambda_hello.output_base64sha256
    		35 | 
    		36 |   role = aws_iam_role.hello_lambda_exec.arn
    		37 | }
    
    Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
    	FAILED for resource: aws_lambda_function.hello
    	File: /lessons/115/terraform/2-hello-lambda.tf:25-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq.html
    
    		25 | resource "aws_lambda_function" "hello" {
    		26 |   function_name = "hello"
    		27 | 
    		28 |   s3_bucket = aws_s3_bucket.lambda_bucket.id
    		29 |   s3_key    = aws_s3_object.lambda_hello.key
    		30 | 
    		31 |   runtime = "nodejs16.x"
    		32 |   handler = "function.handler"
    		33 | 
    		34 |   source_code_hash = data.archive_file.lambda_hello.output_base64sha256
    		35 | 
    		36 |   role = aws_iam_role.hello_lambda_exec.arn
    		37 | }
    
    Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
    	FAILED for resource: aws_lambda_function.hello
    	File: /lessons/115/terraform/2-hello-lambda.tf:25-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1.html
    
    		25 | resource "aws_lambda_function" "hello" {
    		26 |   function_name = "hello"
    		27 | 
    		28 |   s3_bucket = aws_s3_bucket.lambda_bucket.id
    		29 |   s3_key    = aws_s3_object.lambda_hello.key
    		30 | 
    		31 |   runtime = "nodejs16.x"
    		32 |   handler = "function.handler"
    		33 | 
    		34 |   source_code_hash = data.archive_file.lambda_hello.output_base64sha256
    		35 | 
    		36 |   role = aws_iam_role.hello_lambda_exec.arn
    		37 | }
    
    Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
    	FAILED for resource: aws_cloudwatch_log_group.hello
    	File: /lessons/115/terraform/2-hello-lambda.tf:39-43
    
    		39 | resource "aws_cloudwatch_log_group" "hello" {
    		40 |   name = "/aws/lambda/${aws_lambda_function.hello.function_name}"
    		41 | 
    		42 |   retention_in_days = 14
    		43 | }
    
    Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
    	FAILED for resource: aws_cloudwatch_log_group.hello
    	File: /lessons/115/terraform/2-hello-lambda.tf:39-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html
    
    		39 | resource "aws_cloudwatch_log_group" "hello" {
    		40 |   name = "/aws/lambda/${aws_lambda_function.hello.function_name}"
    		41 | 
    		42 |   retention_in_days = 14
    		43 | }
    
    Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
    	FAILED for resource: aws_cloudwatch_log_group.main_api_gw
    	File: /lessons/115/terraform/3-api-gateway.tf:31-35
    
    		31 | resource "aws_cloudwatch_log_group" "main_api_gw" {
    		32 |   name = "/aws/api-gw/${aws_apigatewayv2_api.main.name}"
    		33 | 
    		34 |   retention_in_days = 14
    		35 | }
    
    Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
    	FAILED for resource: aws_cloudwatch_log_group.main_api_gw
    	File: /lessons/115/terraform/3-api-gateway.tf:31-35
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html
    
    		31 | resource "aws_cloudwatch_log_group" "main_api_gw" {
    		32 |   name = "/aws/api-gw/${aws_apigatewayv2_api.main.name}"
    		33 | 
    		34 |   retention_in_days = 14
    		35 | }
    
    Check: CKV_AWS_309: "Ensure API GatewayV2 routes specify an authorization type"
    	FAILED for resource: aws_apigatewayv2_route.get_hello
    	File: /lessons/115/terraform/4-hello-api-gateway.tf:9-14
    
    		9  | resource "aws_apigatewayv2_route" "get_hello" {
    		10 |   api_id = aws_apigatewayv2_api.main.id
    		11 | 
    		12 |   route_key = "GET /hello"
    		13 |   target    = "integrations/${aws_apigatewayv2_integration.lambda_hello.id}"
    		14 | }
    
    Check: CKV_AWS_309: "Ensure API GatewayV2 routes specify an authorization type"
    	FAILED for resource: aws_apigatewayv2_route.post_hello
    	File: /lessons/115/terraform/4-hello-api-gateway.tf:16-21
    
    		16 | resource "aws_apigatewayv2_route" "post_hello" {
    		17 |   api_id = aws_apigatewayv2_api.main.id
    		18 | 
    		19 |   route_key = "POST /hello"
    		20 |   target    = "integrations/${aws_apigatewayv2_integration.lambda_hello.id}"
    		21 | }
    
    Check: CKV_AWS_50: "X-ray tracing is enabled for Lambda"
    	FAILED for resource: aws_lambda_function.s3
    	File: /lessons/115/terraform/6-s3-lambda.tf:47-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4.html
    
    		47 | resource "aws_lambda_function" "s3" {
    		48 |   function_name = "s3"
    		49 | 
    		50 |   s3_bucket = aws_s3_bucket.lambda_bucket.id
    		51 |   s3_key    = aws_s3_object.lambda_s3.key
    		52 | 
    		53 |   runtime = "nodejs16.x"
    		54 |   handler = "function.handler"
    		55 | 
    		56 |   source_code_hash = data.archive_file.lambda_s3.output_base64sha256
    		57 | 
    		58 |   role = aws_iam_role.s3_lambda_exec.arn
    		59 | }
    
    Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
    	FAILED for resource: aws_lambda_function.s3
    	File: /lessons/115/terraform/6-s3-lambda.tf:47-59
    
    		47 | resource "aws_lambda_function" "s3" {
    		48 |   function_name = "s3"
    		49 | 
    		50 |   s3_bucket = aws_s3_bucket.lambda_bucket.id
    		51 |   s3_key    = aws_s3_object.lambda_s3.key
    		52 | 
    		53 |   runtime = "nodejs16.x"
    		54 |   handler = "function.handler"
    		55 | 
    		56 |   source_code_hash = data.archive_file.lambda_s3.output_base64sha256
    		57 | 
    		58 |   role = aws_iam_role.s3_lambda_exec.arn
    		59 | }
    
    Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
    	FAILED for resource: aws_lambda_function.s3
    	File: /lessons/115/terraform/6-s3-lambda.tf:47-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit.html
    
    		47 | resource "aws_lambda_function" "s3" {
    		48 |   function_name = "s3"
    		49 | 
    		50 |   s3_bucket = aws_s3_bucket.lambda_bucket.id
    		51 |   s3_key    = aws_s3_object.lambda_s3.key
    		52 | 
    		53 |   runtime = "nodejs16.x"
    		54 |   handler = "function.handler"
    		55 | 
    		56 |   source_code_hash = data.archive_file.lambda_s3.output_base64sha256
    		57 | 
    		58 |   role = aws_iam_role.s3_lambda_exec.arn
    		59 | }
    
    Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
    	FAILED for resource: aws_lambda_function.s3
    	File: /lessons/115/terraform/6-s3-lambda.tf:47-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq.html
    
    		47 | resource "aws_lambda_function" "s3" {
    		48 |   function_name = "s3"
    		49 | 
    		50 |   s3_bucket = aws_s3_bucket.lambda_bucket.id
    		51 |   s3_key    = aws_s3_object.lambda_s3.key
    		52 | 
    		53 |   runtime = "nodejs16.x"
    		54 |   handler = "function.handler"
    		55 | 
    		56 |   source_code_hash = data.archive_file.lambda_s3.output_base64sha256
    		57 | 
    		58 |   role = aws_iam_role.s3_lambda_exec.arn
    		59 | }
    
    Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
    	FAILED for resource: aws_lambda_function.s3
    	File: /lessons/115/terraform/6-s3-lambda.tf:47-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1.html
    
    		47 | resource "aws_lambda_function" "s3" {
    		48 |   function_name = "s3"
    		49 | 
    		50 |   s3_bucket = aws_s3_bucket.lambda_bucket.id
    		51 |   s3_key    = aws_s3_object.lambda_s3.key
    		52 | 
    		53 |   runtime = "nodejs16.x"
    		54 |   handler = "function.handler"
    		55 | 
    		56 |   source_code_hash = data.archive_file.lambda_s3.output_base64sha256
    		57 | 
    		58 |   role = aws_iam_role.s3_lambda_exec.arn
    		59 | }
    
    Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
    	FAILED for resource: aws_cloudwatch_log_group.s3
    	File: /lessons/115/terraform/6-s3-lambda.tf:61-65
    
    		61 | resource "aws_cloudwatch_log_group" "s3" {
    		62 |   name = "/aws/lambda/${aws_lambda_function.s3.function_name}"
    		63 | 
    		64 |   retention_in_days = 14
    		65 | }
    
    Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
    	FAILED for resource: aws_cloudwatch_log_group.s3
    	File: /lessons/115/terraform/6-s3-lambda.tf:61-65
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html
    
    		61 | resource "aws_cloudwatch_log_group" "s3" {
    		62 |   name = "/aws/lambda/${aws_lambda_function.s3.function_name}"
    		63 | 
    		64 |   retention_in_days = 14
    		65 | }
    
    Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
    	FAILED for resource: aws_subnet.public-us-east-1a
    	File: /lessons/116/terraform/3-subnets.tf:25-36
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
    
    		25 | resource "aws_subnet" "public-us-east-1a" {
    		26 |   vpc_id                  = aws_vpc.main.id
    		27 |   cidr_block              = "10.0.64.0/19"
    		28 |   availability_zone       = "us-east-1a"
    		29 |   map_public_ip_on_launch = true
    		30 | 
    		31 |   tags = {
    		32 |     "Name"                                      = "public-us-east-1a"
    		33 |     "kubernetes.io/role/elb"                    = "1"
    		34 |     "kubernetes.io/cluster/${var.cluster_name}" = "owned"
    		35 |   }
    		36 | }
    
    Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
    	FAILED for resource: aws_subnet.public-us-east-1b
    	File: /lessons/116/terraform/3-subnets.tf:38-49
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
    
    		38 | resource "aws_subnet" "public-us-east-1b" {
    		39 |   vpc_id                  = aws_vpc.main.id
    		40 |   cidr_block              = "10.0.96.0/19"
    		41 |   availability_zone       = "us-east-1b"
    		42 |   map_public_ip_on_launch = true
    		43 | 
    		44 |   tags = {
    		45 |     "Name"                                      = "public-us-east-1b"
    		46 |     "kubernetes.io/role/elb"                    = "1"
    		47 |     "kubernetes.io/cluster/${var.cluster_name}" = "owned"
    		48 |   }
    		49 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.cluster
    	File: /lessons/116/terraform/6-eks.tf:25-40
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		25 | resource "aws_eks_cluster" "cluster" {
    		26 |   name     = var.cluster_name
    		27 |   version  = var.cluster_version
    		28 |   role_arn = aws_iam_role.eks-cluster.arn
    		29 | 
    		30 |   vpc_config {
    		31 |     subnet_ids = [
    		32 |       aws_subnet.private-us-east-1a.id,
    		33 |       aws_subnet.private-us-east-1b.id,
    		34 |       aws_subnet.public-us-east-1a.id,
    		35 |       aws_subnet.public-us-east-1b.id
    		36 |     ]
    		37 |   }
    		38 | 
    		39 |   depends_on = [aws_iam_role_policy_attachment.amazon-eks-cluster-policy]
    		40 | }
    
    Check: CKV_AWS_37: "Ensure Amazon EKS control plane logging enabled for all log types"
    	FAILED for resource: aws_eks_cluster.cluster
    	File: /lessons/116/terraform/6-eks.tf:25-40
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-4.html
    
    		25 | resource "aws_eks_cluster" "cluster" {
    		26 |   name     = var.cluster_name
    		27 |   version  = var.cluster_version
    		28 |   role_arn = aws_iam_role.eks-cluster.arn
    		29 | 
    		30 |   vpc_config {
    		31 |     subnet_ids = [
    		32 |       aws_subnet.private-us-east-1a.id,
    		33 |       aws_subnet.private-us-east-1b.id,
    		34 |       aws_subnet.public-us-east-1a.id,
    		35 |       aws_subnet.public-us-east-1b.id
    		36 |     ]
    		37 |   }
    		38 | 
    		39 |   depends_on = [aws_iam_role_policy_attachment.amazon-eks-cluster-policy]
    		40 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.cluster
    	File: /lessons/116/terraform/6-eks.tf:25-40
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		25 | resource "aws_eks_cluster" "cluster" {
    		26 |   name     = var.cluster_name
    		27 |   version  = var.cluster_version
    		28 |   role_arn = aws_iam_role.eks-cluster.arn
    		29 | 
    		30 |   vpc_config {
    		31 |     subnet_ids = [
    		32 |       aws_subnet.private-us-east-1a.id,
    		33 |       aws_subnet.private-us-east-1b.id,
    		34 |       aws_subnet.public-us-east-1a.id,
    		35 |       aws_subnet.public-us-east-1b.id
    		36 |     ]
    		37 |   }
    		38 | 
    		39 |   depends_on = [aws_iam_role_policy_attachment.amazon-eks-cluster-policy]
    		40 | }
    
    Check: CKV_AWS_339: "Ensure EKS clusters run on a supported Kubernetes version"
    	FAILED for resource: aws_eks_cluster.cluster
    	File: /lessons/116/terraform/6-eks.tf:25-40
    
    		25 | resource "aws_eks_cluster" "cluster" {
    		26 |   name     = var.cluster_name
    		27 |   version  = var.cluster_version
    		28 |   role_arn = aws_iam_role.eks-cluster.arn
    		29 | 
    		30 |   vpc_config {
    		31 |     subnet_ids = [
    		32 |       aws_subnet.private-us-east-1a.id,
    		33 |       aws_subnet.private-us-east-1b.id,
    		34 |       aws_subnet.public-us-east-1a.id,
    		35 |       aws_subnet.public-us-east-1b.id
    		36 |     ]
    		37 |   }
    		38 | 
    		39 |   depends_on = [aws_iam_role_policy_attachment.amazon-eks-cluster-policy]
    		40 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.cluster
    	File: /lessons/116/terraform/6-eks.tf:25-40
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		25 | resource "aws_eks_cluster" "cluster" {
    		26 |   name     = var.cluster_name
    		27 |   version  = var.cluster_version
    		28 |   role_arn = aws_iam_role.eks-cluster.arn
    		29 | 
    		30 |   vpc_config {
    		31 |     subnet_ids = [
    		32 |       aws_subnet.private-us-east-1a.id,
    		33 |       aws_subnet.private-us-east-1b.id,
    		34 |       aws_subnet.public-us-east-1a.id,
    		35 |       aws_subnet.public-us-east-1b.id
    		36 |     ]
    		37 |   }
    		38 | 
    		39 |   depends_on = [aws_iam_role_policy_attachment.amazon-eks-cluster-policy]
    		40 | }
    
    Check: CKV_AWS_76: "Ensure API Gateway has Access Logging enabled"
    	FAILED for resource: aws_apigatewayv2_stage.dev
    	File: /lessons/116/terraform/8-api-gateway.tf:6-11
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-17.html
    
    		6  | resource "aws_apigatewayv2_stage" "dev" {
    		7  |   api_id = aws_apigatewayv2_api.main.id
    		8  | 
    		9  |   name        = "dev"
    		10 |   auto_deploy = true
    		11 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group.vpc_link
    	File: /lessons/116/terraform/9-integration.tf:1-11
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		1  | resource "aws_security_group" "vpc_link" {
    		2  |   name   = "vpc-link"
    		3  |   vpc_id = aws_vpc.main.id
    		4  | 
    		5  |   egress {
    		6  |     from_port        = 0
    		7  |     to_port          = 0
    		8  |     protocol         = "-1"
    		9  |     cidr_blocks      = ["0.0.0.0/0"]
    		10 |   }
    		11 | }
    
    Check: CKV_AWS_309: "Ensure API GatewayV2 routes specify an authorization type"
    	FAILED for resource: aws_apigatewayv2_route.get_echo
    	File: /lessons/116/terraform/9-integration.tf:32-37
    
    		32 | resource "aws_apigatewayv2_route" "get_echo" {
    		33 |   api_id = aws_apigatewayv2_api.main.id
    		34 | 
    		35 |   route_key = "GET /echo"
    		36 |   target    = "integrations/${aws_apigatewayv2_integration.eks.id}"
    		37 | }
    
    Check: CKV_AWS_76: "Ensure API Gateway has Access Logging enabled"
    	FAILED for resource: aws_apigatewayv2_stage.staging
    	File: /lessons/117/terraform/1-api-gateway.tf:6-10
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-17.html
    
    		6  | resource "aws_apigatewayv2_stage" "staging" {
    		7  |   name        = "staging"
    		8  |   api_id      = aws_apigatewayv2_api.main.id
    		9  |   auto_deploy = true
    		10 | }
    
    Check: CKV_AWS_50: "X-ray tracing is enabled for Lambda"
    	FAILED for resource: aws_lambda_function.hello
    	File: /lessons/117/terraform/3-hello-lambda.tf:25-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4.html
    
    		25 | resource "aws_lambda_function" "hello" {
    		26 |   function_name = "hello"
    		27 | 
    		28 |   s3_bucket = aws_s3_bucket.lambda_bucket.id
    		29 |   s3_key    = aws_s3_object.lambda_hello.key
    		30 | 
    		31 |   runtime = "nodejs16.x"
    		32 |   handler = "function.handler"
    		33 | 
    		34 |   source_code_hash = data.archive_file.lambda_hello.output_base64sha256
    		35 | 
    		36 |   role = aws_iam_role.hello_lambda_exec.arn
    		37 | }
    
    Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
    	FAILED for resource: aws_lambda_function.hello
    	File: /lessons/117/terraform/3-hello-lambda.tf:25-37
    
    		25 | resource "aws_lambda_function" "hello" {
    		26 |   function_name = "hello"
    		27 | 
    		28 |   s3_bucket = aws_s3_bucket.lambda_bucket.id
    		29 |   s3_key    = aws_s3_object.lambda_hello.key
    		30 | 
    		31 |   runtime = "nodejs16.x"
    		32 |   handler = "function.handler"
    		33 | 
    		34 |   source_code_hash = data.archive_file.lambda_hello.output_base64sha256
    		35 | 
    		36 |   role = aws_iam_role.hello_lambda_exec.arn
    		37 | }
    
    Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
    	FAILED for resource: aws_lambda_function.hello
    	File: /lessons/117/terraform/3-hello-lambda.tf:25-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit.html
    
    		25 | resource "aws_lambda_function" "hello" {
    		26 |   function_name = "hello"
    		27 | 
    		28 |   s3_bucket = aws_s3_bucket.lambda_bucket.id
    		29 |   s3_key    = aws_s3_object.lambda_hello.key
    		30 | 
    		31 |   runtime = "nodejs16.x"
    		32 |   handler = "function.handler"
    		33 | 
    		34 |   source_code_hash = data.archive_file.lambda_hello.output_base64sha256
    		35 | 
    		36 |   role = aws_iam_role.hello_lambda_exec.arn
    		37 | }
    
    Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
    	FAILED for resource: aws_lambda_function.hello
    	File: /lessons/117/terraform/3-hello-lambda.tf:25-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq.html
    
    		25 | resource "aws_lambda_function" "hello" {
    		26 |   function_name = "hello"
    		27 | 
    		28 |   s3_bucket = aws_s3_bucket.lambda_bucket.id
    		29 |   s3_key    = aws_s3_object.lambda_hello.key
    		30 | 
    		31 |   runtime = "nodejs16.x"
    		32 |   handler = "function.handler"
    		33 | 
    		34 |   source_code_hash = data.archive_file.lambda_hello.output_base64sha256
    		35 | 
    		36 |   role = aws_iam_role.hello_lambda_exec.arn
    		37 | }
    
    Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
    	FAILED for resource: aws_lambda_function.hello
    	File: /lessons/117/terraform/3-hello-lambda.tf:25-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1.html
    
    		25 | resource "aws_lambda_function" "hello" {
    		26 |   function_name = "hello"
    		27 | 
    		28 |   s3_bucket = aws_s3_bucket.lambda_bucket.id
    		29 |   s3_key    = aws_s3_object.lambda_hello.key
    		30 | 
    		31 |   runtime = "nodejs16.x"
    		32 |   handler = "function.handler"
    		33 | 
    		34 |   source_code_hash = data.archive_file.lambda_hello.output_base64sha256
    		35 | 
    		36 |   role = aws_iam_role.hello_lambda_exec.arn
    		37 | }
    
    Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
    	FAILED for resource: aws_cloudwatch_log_group.hello
    	File: /lessons/117/terraform/3-hello-lambda.tf:39-43
    
    		39 | resource "aws_cloudwatch_log_group" "hello" {
    		40 |   name = "/aws/lambda/${aws_lambda_function.hello.function_name}"
    		41 | 
    		42 |   retention_in_days = 14
    		43 | }
    
    Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
    	FAILED for resource: aws_cloudwatch_log_group.hello
    	File: /lessons/117/terraform/3-hello-lambda.tf:39-43
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html
    
    		39 | resource "aws_cloudwatch_log_group" "hello" {
    		40 |   name = "/aws/lambda/${aws_lambda_function.hello.function_name}"
    		41 | 
    		42 |   retention_in_days = 14
    		43 | }
    
    Check: CKV_AWS_309: "Ensure API GatewayV2 routes specify an authorization type"
    	FAILED for resource: aws_apigatewayv2_route.get_hello
    	File: /lessons/117/terraform/4-hello-api-gateway.tf:9-14
    
    		9  | resource "aws_apigatewayv2_route" "get_hello" {
    		10 |   api_id = aws_apigatewayv2_api.main.id
    		11 | 
    		12 |   route_key = "GET /hello"
    		13 |   target    = "integrations/${aws_apigatewayv2_integration.lambda_hello.id}"
    		14 | }
    
    Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
    	FAILED for resource: aws_acm_certificate.api
    	File: /lessons/117/terraform/5-certificate.tf:1-4
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy.html
    
    		1 | resource "aws_acm_certificate" "api" {
    		2 |   domain_name       = "api.antonputra.com"
    		3 |   validation_method = "DNS"
    		4 | }
    
    Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
    	FAILED for resource: aws_instance.my-app-example-2
    	File: /lessons/118/terraform/10-ec2-example-2.tf:1-12
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
    
    		1  | resource "aws_instance" "my-app-example-2" {
    		2  |   ami           = "ami-0d5482f3cb962780f"
    		3  |   instance_type = "t3.micro"
    		4  |   key_name      = "devops"
    		5  |   subnet_id     = aws_subnet.private-us-east-1a.id
    		6  | 
    		7  |   vpc_security_group_ids = [aws_security_group.my-app-example-2.id]
    		8  | 
    		9  |   tags = {
    		10 |     Name = "my-app-example-2"
    		11 |   }
    		12 | }
    
    Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
    	FAILED for resource: aws_instance.my-app-example-2
    	File: /lessons/118/terraform/10-ec2-example-2.tf:1-12
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
    
    		1  | resource "aws_instance" "my-app-example-2" {
    		2  |   ami           = "ami-0d5482f3cb962780f"
    		3  |   instance_type = "t3.micro"
    		4  |   key_name      = "devops"
    		5  |   subnet_id     = aws_subnet.private-us-east-1a.id
    		6  | 
    		7  |   vpc_security_group_ids = [aws_security_group.my-app-example-2.id]
    		8  | 
    		9  |   tags = {
    		10 |     Name = "my-app-example-2"
    		11 |   }
    		12 | }
    
    Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
    	FAILED for resource: aws_instance.my-app-example-2
    	File: /lessons/118/terraform/10-ec2-example-2.tf:1-12
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
    
    		1  | resource "aws_instance" "my-app-example-2" {
    		2  |   ami           = "ami-0d5482f3cb962780f"
    		3  |   instance_type = "t3.micro"
    		4  |   key_name      = "devops"
    		5  |   subnet_id     = aws_subnet.private-us-east-1a.id
    		6  | 
    		7  |   vpc_security_group_ids = [aws_security_group.my-app-example-2.id]
    		8  | 
    		9  |   tags = {
    		10 |     Name = "my-app-example-2"
    		11 |   }
    		12 | }
    
    Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
    	FAILED for resource: aws_instance.my-app-example-2
    	File: /lessons/118/terraform/10-ec2-example-2.tf:1-12
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
    
    		1  | resource "aws_instance" "my-app-example-2" {
    		2  |   ami           = "ami-0d5482f3cb962780f"
    		3  |   instance_type = "t3.micro"
    		4  |   key_name      = "devops"
    		5  |   subnet_id     = aws_subnet.private-us-east-1a.id
    		6  | 
    		7  |   vpc_security_group_ids = [aws_security_group.my-app-example-2.id]
    		8  | 
    		9  |   tags = {
    		10 |     Name = "my-app-example-2"
    		11 |   }
    		12 | }
    
    Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
    	FAILED for resource: aws_lb.my-app-example-2
    	File: /lessons/118/terraform/11-nlb-example-2.tf:20-29
    	Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62
    
    		20 | resource "aws_lb" "my-app-example-2" {
    		21 |   name               = "my-app-example-2"
    		22 |   internal           = true
    		23 |   load_balancer_type = "network"
    		24 | 
    		25 |   subnets = [
    		26 |     aws_subnet.private-us-east-1a.id,
    		27 |     aws_subnet.private-us-east-1b.id
    		28 |   ]
    		29 | }
    
    Check: CKV_AWS_152: "Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled"
    	FAILED for resource: aws_lb.my-app-example-2
    	File: /lessons/118/terraform/11-nlb-example-2.tf:20-29
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-load-balancer-networkgateway-has-cross-zone-load-balancing-enabled.html
    
    		20 | resource "aws_lb" "my-app-example-2" {
    		21 |   name               = "my-app-example-2"
    		22 |   internal           = true
    		23 |   load_balancer_type = "network"
    		24 | 
    		25 |   subnets = [
    		26 |     aws_subnet.private-us-east-1a.id,
    		27 |     aws_subnet.private-us-east-1b.id
    		28 |   ]
    		29 | }
    
    Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
    	FAILED for resource: aws_lb.my-app-example-2
    	File: /lessons/118/terraform/11-nlb-example-2.tf:20-29
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22.html
    
    		20 | resource "aws_lb" "my-app-example-2" {
    		21 |   name               = "my-app-example-2"
    		22 |   internal           = true
    		23 |   load_balancer_type = "network"
    		24 | 
    		25 |   subnets = [
    		26 |     aws_subnet.private-us-east-1a.id,
    		27 |     aws_subnet.private-us-east-1b.id
    		28 |   ]
    		29 | }
    
    Check: CKV_AWS_76: "Ensure API Gateway has Access Logging enabled"
    	FAILED for resource: aws_apigatewayv2_stage.staging
    	File: /lessons/118/terraform/12-api-gw-example-2.tf:6-11
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-17.html
    
    		6  | resource "aws_apigatewayv2_stage" "staging" {
    		7  |   api_id = aws_apigatewayv2_api.api-gw-example-2.id
    		8  | 
    		9  |   name        = "staging"
    		10 |   auto_deploy = true
    		11 | }
    
    Check: CKV_AWS_309: "Ensure API GatewayV2 routes specify an authorization type"
    	FAILED for resource: aws_apigatewayv2_route.api-gw-example-2
    	File: /lessons/118/terraform/12-api-gw-example-2.tf:32-37
    
    		32 | resource "aws_apigatewayv2_route" "api-gw-example-2" {
    		33 |   api_id = aws_apigatewayv2_api.api-gw-example-2.id
    		34 | 
    		35 |   route_key = "ANY /{proxy+}"
    		36 |   target    = "integrations/${aws_apigatewayv2_integration.api-gw-example-2.id}"
    		37 | }
    
    Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
    	FAILED for resource: aws_acm_certificate.api
    	File: /lessons/118/terraform/13-certificate-example-2.tf:1-4
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy.html
    
    		1 | resource "aws_acm_certificate" "api" {
    		2 |   domain_name       = "api.antonputra.com"
    		3 |   validation_method = "DNS"
    		4 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group.my-app-example-3
    	File: /lessons/118/terraform/15-sg-example-3.tf:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		1  | resource "aws_security_group" "my-app-example-3" {
    		2  |   name        = "my-app-example-3"
    		3  |   description = "Allow API Access"
    		4  |   vpc_id      = aws_vpc.main.id
    		5  | 
    		6  |   ingress {
    		7  |     description = "Allow Health Checks"
    		8  |     from_port   = 8080
    		9  |     to_port     = 8080
    		10 |     protocol    = "tcp"
    		11 |     cidr_blocks = [aws_vpc.main.cidr_block]
    		12 |   }
    		13 | 
    		14 |   egress {
    		15 |     from_port   = 0
    		16 |     to_port     = 0
    		17 |     protocol    = "-1"
    		18 |     cidr_blocks = ["0.0.0.0/0"]
    		19 |   }
    		20 | }
    
    Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
    	FAILED for resource: aws_launch_template.my-app-example-3
    	File: /lessons/118/terraform/16-launch-template-example-3.tf:1-6
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
    
    		1 | resource "aws_launch_template" "my-app-example-3" {
    		2 |   name                   = "my-app-example-3"
    		3 |   image_id               = "ami-0d5482f3cb962780f"
    		4 |   key_name               = "devops"
    		5 |   vpc_security_group_ids = [aws_security_group.my-app-example-3.id]
    		6 | }
    
    Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
    	FAILED for resource: aws_lb.my-app-example-3
    	File: /lessons/118/terraform/17-nlb-example-3.tf:13-22
    	Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62
    
    		13 | resource "aws_lb" "my-app-example-3" {
    		14 |   name               = "my-app-example-3"
    		15 |   internal           = true
    		16 |   load_balancer_type = "network"
    		17 | 
    		18 |   subnets = [
    		19 |     aws_subnet.private-us-east-1a.id,
    		20 |     aws_subnet.private-us-east-1b.id
    		21 |   ]
    		22 | }
    
    Check: CKV_AWS_152: "Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled"
    	FAILED for resource: aws_lb.my-app-example-3
    	File: /lessons/118/terraform/17-nlb-example-3.tf:13-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-load-balancer-networkgateway-has-cross-zone-load-balancing-enabled.html
    
    		13 | resource "aws_lb" "my-app-example-3" {
    		14 |   name               = "my-app-example-3"
    		15 |   internal           = true
    		16 |   load_balancer_type = "network"
    		17 | 
    		18 |   subnets = [
    		19 |     aws_subnet.private-us-east-1a.id,
    		20 |     aws_subnet.private-us-east-1b.id
    		21 |   ]
    		22 | }
    
    Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
    	FAILED for resource: aws_lb.my-app-example-3
    	File: /lessons/118/terraform/17-nlb-example-3.tf:13-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22.html
    
    		13 | resource "aws_lb" "my-app-example-3" {
    		14 |   name               = "my-app-example-3"
    		15 |   internal           = true
    		16 |   load_balancer_type = "network"
    		17 | 
    		18 |   subnets = [
    		19 |     aws_subnet.private-us-east-1a.id,
    		20 |     aws_subnet.private-us-east-1b.id
    		21 |   ]
    		22 | }
    
    Check: CKV_AWS_153: "Autoscaling groups should supply tags to launch configurations"
    	FAILED for resource: aws_autoscaling_group.my-app-example-3
    	File: /lessons/118/terraform/18-ag-example-3.tf:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/autoscaling-groups-should-supply-tags-to-launch-configurations.html
    
    		1  | resource "aws_autoscaling_group" "my-app-example-3" {
    		2  |   name     = "my-app-example-3"
    		3  |   min_size = 1
    		4  |   max_size = 3
    		5  | 
    		6  |   health_check_type   = "EC2"
    		7  |   vpc_zone_identifier = [aws_subnet.private-us-east-1a.id, aws_subnet.private-us-east-1b.id]
    		8  |   target_group_arns   = [aws_lb_target_group.my-app-example-3.arn]
    		9  | 
    		10 |   mixed_instances_policy {
    		11 |     launch_template {
    		12 |       launch_template_specification {
    		13 |         launch_template_id = aws_launch_template.my-app-example-3.id
    		14 |       }
    		15 |       override {
    		16 |         instance_type = "t3.micro"
    		17 |       }
    		18 |     }
    		19 |   }
    		20 | }
    
    Check: CKV_AWS_315: "Ensure EC2 Auto Scaling groups use EC2 launch templates"
    	FAILED for resource: aws_autoscaling_group.my-app-example-3
    	File: /lessons/118/terraform/18-ag-example-3.tf:1-20
    
    		1  | resource "aws_autoscaling_group" "my-app-example-3" {
    		2  |   name     = "my-app-example-3"
    		3  |   min_size = 1
    		4  |   max_size = 3
    		5  | 
    		6  |   health_check_type   = "EC2"
    		7  |   vpc_zone_identifier = [aws_subnet.private-us-east-1a.id, aws_subnet.private-us-east-1b.id]
    		8  |   target_group_arns   = [aws_lb_target_group.my-app-example-3.arn]
    		9  | 
    		10 |   mixed_instances_policy {
    		11 |     launch_template {
    		12 |       launch_template_specification {
    		13 |         launch_template_id = aws_launch_template.my-app-example-3.id
    		14 |       }
    		15 |       override {
    		16 |         instance_type = "t3.micro"
    		17 |       }
    		18 |     }
    		19 |   }
    		20 | }
    
    Check: CKV_AWS_76: "Ensure API Gateway has Access Logging enabled"
    	FAILED for resource: aws_apigatewayv2_stage.dev
    	File: /lessons/118/terraform/19-api-gw-example-3.tf:6-11
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-17.html
    
    		6  | resource "aws_apigatewayv2_stage" "dev" {
    		7  |   api_id = aws_apigatewayv2_api.api-gw-example-3.id
    		8  | 
    		9  |   name        = "dev"
    		10 |   auto_deploy = true
    		11 | }
    
    Check: CKV_AWS_309: "Ensure API GatewayV2 routes specify an authorization type"
    	FAILED for resource: aws_apigatewayv2_route.api-gw-example-3
    	File: /lessons/118/terraform/19-api-gw-example-3.tf:32-37
    
    		32 | resource "aws_apigatewayv2_route" "api-gw-example-3" {
    		33 |   api_id = aws_apigatewayv2_api.api-gw-example-3.id
    		34 | 
    		35 |   route_key = "ANY /{proxy+}"
    		36 |   target    = "integrations/${aws_apigatewayv2_integration.api-gw-example-3.id}"
    		37 | }
    
    Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
    	FAILED for resource: aws_acm_certificate.api-v2
    	File: /lessons/118/terraform/20-certificate-example-3.tf:1-4
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy.html
    
    		1 | resource "aws_acm_certificate" "api-v2" {
    		2 |   domain_name       = "api-v2.antonputra.com"
    		3 |   validation_method = "DNS"
    		4 | }
    
    Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
    	FAILED for resource: aws_subnet.public-us-east-1a
    	File: /lessons/118/terraform/3-subnets.tf:21-30
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
    
    		21 | resource "aws_subnet" "public-us-east-1a" {
    		22 |   vpc_id                  = aws_vpc.main.id
    		23 |   cidr_block              = "10.0.64.0/19"
    		24 |   availability_zone       = "us-east-1a"
    		25 |   map_public_ip_on_launch = true
    		26 | 
    		27 |   tags = {
    		28 |     "Name" = "public-us-east-1a"
    		29 |   }
    		30 | }
    
    Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
    	FAILED for resource: aws_subnet.public-us-east-1b
    	File: /lessons/118/terraform/3-subnets.tf:32-41
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
    
    		32 | resource "aws_subnet" "public-us-east-1b" {
    		33 |   vpc_id                  = aws_vpc.main.id
    		34 |   cidr_block              = "10.0.96.0/19"
    		35 |   availability_zone       = "us-east-1b"
    		36 |   map_public_ip_on_launch = true
    		37 | 
    		38 |   tags = {
    		39 |     "Name" = "public-us-east-1b"
    		40 |   }
    		41 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group.my-app-example-1
    	File: /lessons/118/terraform/6-sg-example-1.tf:1-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		1  | resource "aws_security_group" "my-app-example-1" {
    		2  |   name        = "my-app-example-1"
    		3  |   description = "Allow API Access"
    		4  |   vpc_id      = aws_vpc.main.id
    		5  | 
    		6  |   ingress {
    		7  |     from_port   = 22
    		8  |     to_port     = 22
    		9  |     protocol    = "tcp"
    		10 |     cidr_blocks = ["0.0.0.0/0"]
    		11 |   }
    		12 | 
    		13 |   ingress {
    		14 |     from_port   = 8080
    		15 |     to_port     = 8080
    		16 |     protocol    = "tcp"
    		17 |     cidr_blocks = ["0.0.0.0/0"]
    		18 |   }
    		19 | 
    		20 |   egress {
    		21 |     from_port   = 0
    		22 |     to_port     = 0
    		23 |     protocol    = "-1"
    		24 |     cidr_blocks = ["0.0.0.0/0"]
    		25 |   }
    		26 | }
    
    Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
    	FAILED for resource: aws_security_group.my-app-example-1
    	File: /lessons/118/terraform/6-sg-example-1.tf:1-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-1-port-security.html
    
    		1  | resource "aws_security_group" "my-app-example-1" {
    		2  |   name        = "my-app-example-1"
    		3  |   description = "Allow API Access"
    		4  |   vpc_id      = aws_vpc.main.id
    		5  | 
    		6  |   ingress {
    		7  |     from_port   = 22
    		8  |     to_port     = 22
    		9  |     protocol    = "tcp"
    		10 |     cidr_blocks = ["0.0.0.0/0"]
    		11 |   }
    		12 | 
    		13 |   ingress {
    		14 |     from_port   = 8080
    		15 |     to_port     = 8080
    		16 |     protocol    = "tcp"
    		17 |     cidr_blocks = ["0.0.0.0/0"]
    		18 |   }
    		19 | 
    		20 |   egress {
    		21 |     from_port   = 0
    		22 |     to_port     = 0
    		23 |     protocol    = "-1"
    		24 |     cidr_blocks = ["0.0.0.0/0"]
    		25 |   }
    		26 | }
    
    Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
    	FAILED for resource: aws_instance.my-app-example-1
    	File: /lessons/118/terraform/7-ec2-example-1.tf:1-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
    
    		1  | resource "aws_instance" "my-app-example-1" {
    		2  |   ami           = "ami-0d5482f3cb962780f"
    		3  |   instance_type = "t3.micro"
    		4  |   key_name      = "devops"
    		5  |   subnet_id     = aws_subnet.public-us-east-1a.id
    		6  | 
    		7  |   associate_public_ip_address = true
    		8  |   vpc_security_group_ids      = [aws_security_group.my-app-example-1.id]
    		9  | 
    		10 |   tags = {
    		11 |     Name = "my-app-example-1"
    		12 |   }
    		13 | }
    
    Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
    	FAILED for resource: aws_instance.my-app-example-1
    	File: /lessons/118/terraform/7-ec2-example-1.tf:1-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
    
    		1  | resource "aws_instance" "my-app-example-1" {
    		2  |   ami           = "ami-0d5482f3cb962780f"
    		3  |   instance_type = "t3.micro"
    		4  |   key_name      = "devops"
    		5  |   subnet_id     = aws_subnet.public-us-east-1a.id
    		6  | 
    		7  |   associate_public_ip_address = true
    		8  |   vpc_security_group_ids      = [aws_security_group.my-app-example-1.id]
    		9  | 
    		10 |   tags = {
    		11 |     Name = "my-app-example-1"
    		12 |   }
    		13 | }
    
    Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
    	FAILED for resource: aws_instance.my-app-example-1
    	File: /lessons/118/terraform/7-ec2-example-1.tf:1-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
    
    		1  | resource "aws_instance" "my-app-example-1" {
    		2  |   ami           = "ami-0d5482f3cb962780f"
    		3  |   instance_type = "t3.micro"
    		4  |   key_name      = "devops"
    		5  |   subnet_id     = aws_subnet.public-us-east-1a.id
    		6  | 
    		7  |   associate_public_ip_address = true
    		8  |   vpc_security_group_ids      = [aws_security_group.my-app-example-1.id]
    		9  | 
    		10 |   tags = {
    		11 |     Name = "my-app-example-1"
    		12 |   }
    		13 | }
    
    Check: CKV_AWS_88: "EC2 instance should not have public IP."
    	FAILED for resource: aws_instance.my-app-example-1
    	File: /lessons/118/terraform/7-ec2-example-1.tf:1-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/public-policies/public-12.html
    
    		1  | resource "aws_instance" "my-app-example-1" {
    		2  |   ami           = "ami-0d5482f3cb962780f"
    		3  |   instance_type = "t3.micro"
    		4  |   key_name      = "devops"
    		5  |   subnet_id     = aws_subnet.public-us-east-1a.id
    		6  | 
    		7  |   associate_public_ip_address = true
    		8  |   vpc_security_group_ids      = [aws_security_group.my-app-example-1.id]
    		9  | 
    		10 |   tags = {
    		11 |     Name = "my-app-example-1"
    		12 |   }
    		13 | }
    
    Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
    	FAILED for resource: aws_instance.my-app-example-1
    	File: /lessons/118/terraform/7-ec2-example-1.tf:1-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
    
    		1  | resource "aws_instance" "my-app-example-1" {
    		2  |   ami           = "ami-0d5482f3cb962780f"
    		3  |   instance_type = "t3.micro"
    		4  |   key_name      = "devops"
    		5  |   subnet_id     = aws_subnet.public-us-east-1a.id
    		6  | 
    		7  |   associate_public_ip_address = true
    		8  |   vpc_security_group_ids      = [aws_security_group.my-app-example-1.id]
    		9  | 
    		10 |   tags = {
    		11 |     Name = "my-app-example-1"
    		12 |   }
    		13 | }
    
    Check: CKV_AWS_76: "Ensure API Gateway has Access Logging enabled"
    	FAILED for resource: aws_apigatewayv2_stage.prod
    	File: /lessons/118/terraform/8-api-gw-example-1.tf:6-11
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-17.html
    
    		6  | resource "aws_apigatewayv2_stage" "prod" {
    		7  |   api_id = aws_apigatewayv2_api.api-gw-example-1.id
    		8  | 
    		9  |   name        = "prod"
    		10 |   auto_deploy = true
    		11 | }
    
    Check: CKV_AWS_309: "Ensure API GatewayV2 routes specify an authorization type"
    	FAILED for resource: aws_apigatewayv2_route.api-gw-example-1
    	File: /lessons/118/terraform/8-api-gw-example-1.tf:22-27
    
    		22 | resource "aws_apigatewayv2_route" "api-gw-example-1" {
    		23 |   api_id = aws_apigatewayv2_api.api-gw-example-1.id
    		24 | 
    		25 |   route_key = "ANY /{proxy+}"
    		26 |   target    = "integrations/${aws_apigatewayv2_integration.api-gw-example-1.id}"
    		27 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group.my-app-example-2
    	File: /lessons/118/terraform/9-sg-example-2.tf:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		1  | resource "aws_security_group" "my-app-example-2" {
    		2  |   name        = "my-app-example-2"
    		3  |   description = "Allow API Access"
    		4  |   vpc_id      = aws_vpc.main.id
    		5  | 
    		6  |   ingress {
    		7  |     description = "Allow Health Checks"
    		8  |     from_port   = 8080
    		9  |     to_port     = 8080
    		10 |     protocol    = "tcp"
    		11 |     cidr_blocks = [aws_vpc.main.cidr_block]
    		12 |   }
    		13 | 
    		14 |   egress {
    		15 |     from_port   = 0
    		16 |     to_port     = 0
    		17 |     protocol    = "-1"
    		18 |     cidr_blocks = ["0.0.0.0/0"]
    		19 |   }
    		20 | }
    
    Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
    	FAILED for resource: aws_subnet.public-us-east-1a
    	File: /lessons/119/terraform/3-subnets.tf:21-30
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
    
    		21 | resource "aws_subnet" "public-us-east-1a" {
    		22 |   vpc_id                  = aws_vpc.main.id
    		23 |   cidr_block              = "10.0.64.0/19"
    		24 |   availability_zone       = "us-east-1a"
    		25 |   map_public_ip_on_launch = true
    		26 | 
    		27 |   tags = {
    		28 |     "Name" = "public-us-east-1a"
    		29 |   }
    		30 | }
    
    Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
    	FAILED for resource: aws_subnet.public-us-east-1b
    	File: /lessons/119/terraform/3-subnets.tf:32-41
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
    
    		32 | resource "aws_subnet" "public-us-east-1b" {
    		33 |   vpc_id                  = aws_vpc.main.id
    		34 |   cidr_block              = "10.0.96.0/19"
    		35 |   availability_zone       = "us-east-1b"
    		36 |   map_public_ip_on_launch = true
    		37 | 
    		38 |   tags = {
    		39 |     "Name" = "public-us-east-1b"
    		40 |   }
    		41 | }
    
    Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
    	FAILED for resource: google_compute_subnetwork.private
    	File: /lessons/120/terraform/3-subnets.tf:2-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
    
    		2 | resource "google_compute_subnetwork" "private" {
    		3 |   name                     = "private"
    		4 |   region                   = local.region
    		5 |   ip_cidr_range            = "10.0.0.0/18"
    		6 |   stack_type               = "IPV4_ONLY"
    		7 |   network                  = google_compute_network.main.id
    		8 |   private_ip_google_access = true
    		9 | }
    
    Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
    	FAILED for resource: google_compute_subnetwork.public
    	File: /lessons/120/terraform/3-subnets.tf:11-17
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
    
    		11 | resource "google_compute_subnetwork" "public" {
    		12 |   name          = "public"
    		13 |   region        = local.region
    		14 |   ip_cidr_range = "10.0.64.0/18"
    		15 |   stack_type    = "IPV4_ONLY"
    		16 |   network       = google_compute_network.main.id
    		17 | }
    
    Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
    	FAILED for resource: google_compute_subnetwork.public
    	File: /lessons/120/terraform/3-subnets.tf:11-17
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
    
    		11 | resource "google_compute_subnetwork" "public" {
    		12 |   name          = "public"
    		13 |   region        = local.region
    		14 |   ip_cidr_range = "10.0.64.0/18"
    		15 |   stack_type    = "IPV4_ONLY"
    		16 |   network       = google_compute_network.main.id
    		17 | }
    
    Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
    	FAILED for resource: aws_subnet.public-us-east-1a
    	File: /lessons/121/terraform/3-subnets.tf:21-30
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
    
    		21 | resource "aws_subnet" "public-us-east-1a" {
    		22 |   vpc_id                  = aws_vpc.main.id
    		23 |   cidr_block              = "10.0.64.0/19"
    		24 |   availability_zone       = "us-east-1a"
    		25 |   map_public_ip_on_launch = true
    		26 | 
    		27 |   tags = {
    		28 |     "Name" = "public-us-east-1a"
    		29 |   }
    		30 | }
    
    Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
    	FAILED for resource: aws_subnet.public-us-east-1b
    	File: /lessons/121/terraform/3-subnets.tf:32-41
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
    
    		32 | resource "aws_subnet" "public-us-east-1b" {
    		33 |   vpc_id                  = aws_vpc.main.id
    		34 |   cidr_block              = "10.0.96.0/19"
    		35 |   availability_zone       = "us-east-1b"
    		36 |   map_public_ip_on_launch = true
    		37 | 
    		38 |   tags = {
    		39 |     "Name" = "public-us-east-1b"
    		40 |   }
    		41 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group.my_server_ssh_access
    	File: /lessons/121/terraform/6-ec2.tf:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		1  | resource "aws_security_group" "my_server_ssh_access" {
    		2  |   name        = "my-server-ssh-access"
    		3  |   description = "Allow My Server SSH Accesss"
    		4  |   vpc_id      = aws_vpc.main.id
    		5  | 
    		6  |   ingress {
    		7  |     description = "Allow SSH from Anywhere"
    		8  |     from_port   = 22
    		9  |     to_port     = 22
    		10 |     protocol    = "tcp"
    		11 |     cidr_blocks = ["0.0.0.0/0"]
    		12 |   }
    		13 | 
    		14 |   egress {
    		15 |     from_port   = 0
    		16 |     to_port     = 0
    		17 |     protocol    = "-1"
    		18 |     cidr_blocks = ["0.0.0.0/0"]
    		19 |   }
    		20 | }
    
    Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
    	FAILED for resource: aws_security_group.my_server_ssh_access
    	File: /lessons/121/terraform/6-ec2.tf:1-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-1-port-security.html
    
    		1  | resource "aws_security_group" "my_server_ssh_access" {
    		2  |   name        = "my-server-ssh-access"
    		3  |   description = "Allow My Server SSH Accesss"
    		4  |   vpc_id      = aws_vpc.main.id
    		5  | 
    		6  |   ingress {
    		7  |     description = "Allow SSH from Anywhere"
    		8  |     from_port   = 22
    		9  |     to_port     = 22
    		10 |     protocol    = "tcp"
    		11 |     cidr_blocks = ["0.0.0.0/0"]
    		12 |   }
    		13 | 
    		14 |   egress {
    		15 |     from_port   = 0
    		16 |     to_port     = 0
    		17 |     protocol    = "-1"
    		18 |     cidr_blocks = ["0.0.0.0/0"]
    		19 |   }
    		20 | }
    
    Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
    	FAILED for resource: aws_instance.my_server
    	File: /lessons/121/terraform/6-ec2.tf:38-51
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
    
    		38 | resource "aws_instance" "my_server" {
    		39 |   ami           = data.aws_ami.ubuntu.id
    		40 |   instance_type = "t3.micro"
    		41 | 
    		42 |   key_name               = "old-key"
    		43 |   subnet_id              = aws_subnet.public-us-east-1a.id
    		44 |   vpc_security_group_ids = [aws_security_group.my_server_ssh_access.id]
    		45 | 
    		46 |   associate_public_ip_address = true
    		47 | 
    		48 |   tags = {
    		49 |     Name = "My Server"
    		50 |   }
    		51 | }
    
    Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
    	FAILED for resource: aws_instance.my_server
    	File: /lessons/121/terraform/6-ec2.tf:38-51
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
    
    		38 | resource "aws_instance" "my_server" {
    		39 |   ami           = data.aws_ami.ubuntu.id
    		40 |   instance_type = "t3.micro"
    		41 | 
    		42 |   key_name               = "old-key"
    		43 |   subnet_id              = aws_subnet.public-us-east-1a.id
    		44 |   vpc_security_group_ids = [aws_security_group.my_server_ssh_access.id]
    		45 | 
    		46 |   associate_public_ip_address = true
    		47 | 
    		48 |   tags = {
    		49 |     Name = "My Server"
    		50 |   }
    		51 | }
    
    Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
    	FAILED for resource: aws_instance.my_server
    	File: /lessons/121/terraform/6-ec2.tf:38-51
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
    
    		38 | resource "aws_instance" "my_server" {
    		39 |   ami           = data.aws_ami.ubuntu.id
    		40 |   instance_type = "t3.micro"
    		41 | 
    		42 |   key_name               = "old-key"
    		43 |   subnet_id              = aws_subnet.public-us-east-1a.id
    		44 |   vpc_security_group_ids = [aws_security_group.my_server_ssh_access.id]
    		45 | 
    		46 |   associate_public_ip_address = true
    		47 | 
    		48 |   tags = {
    		49 |     Name = "My Server"
    		50 |   }
    		51 | }
    
    Check: CKV_AWS_88: "EC2 instance should not have public IP."
    	FAILED for resource: aws_instance.my_server
    	File: /lessons/121/terraform/6-ec2.tf:38-51
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/public-policies/public-12.html
    
    		38 | resource "aws_instance" "my_server" {
    		39 |   ami           = data.aws_ami.ubuntu.id
    		40 |   instance_type = "t3.micro"
    		41 | 
    		42 |   key_name               = "old-key"
    		43 |   subnet_id              = aws_subnet.public-us-east-1a.id
    		44 |   vpc_security_group_ids = [aws_security_group.my_server_ssh_access.id]
    		45 | 
    		46 |   associate_public_ip_address = true
    		47 | 
    		48 |   tags = {
    		49 |     Name = "My Server"
    		50 |   }
    		51 | }
    
    Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
    	FAILED for resource: aws_instance.my_server
    	File: /lessons/121/terraform/6-ec2.tf:38-51
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
    
    		38 | resource "aws_instance" "my_server" {
    		39 |   ami           = data.aws_ami.ubuntu.id
    		40 |   instance_type = "t3.micro"
    		41 | 
    		42 |   key_name               = "old-key"
    		43 |   subnet_id              = aws_subnet.public-us-east-1a.id
    		44 |   vpc_security_group_ids = [aws_security_group.my_server_ssh_access.id]
    		45 | 
    		46 |   associate_public_ip_address = true
    		47 | 
    		48 |   tags = {
    		49 |     Name = "My Server"
    		50 |   }
    		51 | }
    
    Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
    	FAILED for resource: aws_subnet.public_us_east_1a
    	File: /lessons/122/terraform/3-subnets.tf:24-33
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
    
    		24 | resource "aws_subnet" "public_us_east_1a" {
    		25 |   vpc_id                  = aws_vpc.main.id
    		26 |   cidr_block              = "10.0.64.0/19"
    		27 |   availability_zone       = "us-east-1a"
    		28 |   map_public_ip_on_launch = true
    		29 | 
    		30 |   tags = {
    		31 |     "Name" = "public-us-east-1a"
    		32 |   }
    		33 | }
    
    Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
    	FAILED for resource: aws_subnet.public_us_east_1b
    	File: /lessons/122/terraform/3-subnets.tf:36-45
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
    
    		36 | resource "aws_subnet" "public_us_east_1b" {
    		37 |   vpc_id                  = aws_vpc.main.id
    		38 |   cidr_block              = "10.0.96.0/19"
    		39 |   availability_zone       = "us-east-1b"
    		40 |   map_public_ip_on_launch = true
    		41 | 
    		42 |   tags = {
    		43 |     "Name" = "public-us-east-1b"
    		44 |   }
    		45 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group.my_server_ssh_access
    	File: /lessons/122/terraform/6-ec2.tf:2-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		2  | resource "aws_security_group" "my_server_ssh_access" {
    		3  |   name        = "my-server-ssh-access"
    		4  |   description = "Allow My Server SSH Accesss"
    		5  |   vpc_id      = aws_vpc.main.id
    		6  | 
    		7  |   ingress {
    		8  |     description = "Allow SSH from Anywhere"
    		9  |     from_port   = 22
    		10 |     to_port     = 22
    		11 |     protocol    = "tcp"
    		12 |     cidr_blocks = ["0.0.0.0/0"]
    		13 |   }
    		14 | 
    		15 |   egress {
    		16 |     from_port   = 0
    		17 |     to_port     = 0
    		18 |     protocol    = "-1"
    		19 |     cidr_blocks = ["0.0.0.0/0"]
    		20 |   }
    		21 | }
    
    Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
    	FAILED for resource: aws_security_group.my_server_ssh_access
    	File: /lessons/122/terraform/6-ec2.tf:2-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-1-port-security.html
    
    		2  | resource "aws_security_group" "my_server_ssh_access" {
    		3  |   name        = "my-server-ssh-access"
    		4  |   description = "Allow My Server SSH Accesss"
    		5  |   vpc_id      = aws_vpc.main.id
    		6  | 
    		7  |   ingress {
    		8  |     description = "Allow SSH from Anywhere"
    		9  |     from_port   = 22
    		10 |     to_port     = 22
    		11 |     protocol    = "tcp"
    		12 |     cidr_blocks = ["0.0.0.0/0"]
    		13 |   }
    		14 | 
    		15 |   egress {
    		16 |     from_port   = 0
    		17 |     to_port     = 0
    		18 |     protocol    = "-1"
    		19 |     cidr_blocks = ["0.0.0.0/0"]
    		20 |   }
    		21 | }
    
    Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
    	FAILED for resource: aws_instance.my_server
    	File: /lessons/122/terraform/6-ec2.tf:41-56
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
    
    		41 | resource "aws_instance" "my_server" {
    		42 |   ami           = data.aws_ami.ubuntu.id
    		43 |   instance_type = "t3.micro"
    		44 | 
    		45 |   # create devops key pair manually before you run terraform
    		46 |   key_name = "devops"
    		47 | 
    		48 |   subnet_id              = aws_subnet.public_us_east_1a.id
    		49 |   vpc_security_group_ids = [aws_security_group.my_server_ssh_access.id]
    		50 | 
    		51 |   associate_public_ip_address = true
    		52 | 
    		53 |   tags = {
    		54 |     Name = "my-server"
    		55 |   }
    		56 | }
    
    Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
    	FAILED for resource: aws_instance.my_server
    	File: /lessons/122/terraform/6-ec2.tf:41-56
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
    
    		41 | resource "aws_instance" "my_server" {
    		42 |   ami           = data.aws_ami.ubuntu.id
    		43 |   instance_type = "t3.micro"
    		44 | 
    		45 |   # create devops key pair manually before you run terraform
    		46 |   key_name = "devops"
    		47 | 
    		48 |   subnet_id              = aws_subnet.public_us_east_1a.id
    		49 |   vpc_security_group_ids = [aws_security_group.my_server_ssh_access.id]
    		50 | 
    		51 |   associate_public_ip_address = true
    		52 | 
    		53 |   tags = {
    		54 |     Name = "my-server"
    		55 |   }
    		56 | }
    
    Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
    	FAILED for resource: aws_instance.my_server
    	File: /lessons/122/terraform/6-ec2.tf:41-56
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
    
    		41 | resource "aws_instance" "my_server" {
    		42 |   ami           = data.aws_ami.ubuntu.id
    		43 |   instance_type = "t3.micro"
    		44 | 
    		45 |   # create devops key pair manually before you run terraform
    		46 |   key_name = "devops"
    		47 | 
    		48 |   subnet_id              = aws_subnet.public_us_east_1a.id
    		49 |   vpc_security_group_ids = [aws_security_group.my_server_ssh_access.id]
    		50 | 
    		51 |   associate_public_ip_address = true
    		52 | 
    		53 |   tags = {
    		54 |     Name = "my-server"
    		55 |   }
    		56 | }
    
    Check: CKV_AWS_88: "EC2 instance should not have public IP."
    	FAILED for resource: aws_instance.my_server
    	File: /lessons/122/terraform/6-ec2.tf:41-56
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/public-policies/public-12.html
    
    		41 | resource "aws_instance" "my_server" {
    		42 |   ami           = data.aws_ami.ubuntu.id
    		43 |   instance_type = "t3.micro"
    		44 | 
    		45 |   # create devops key pair manually before you run terraform
    		46 |   key_name = "devops"
    		47 | 
    		48 |   subnet_id              = aws_subnet.public_us_east_1a.id
    		49 |   vpc_security_group_ids = [aws_security_group.my_server_ssh_access.id]
    		50 | 
    		51 |   associate_public_ip_address = true
    		52 | 
    		53 |   tags = {
    		54 |     Name = "my-server"
    		55 |   }
    		56 | }
    
    Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
    	FAILED for resource: aws_instance.my_server
    	File: /lessons/122/terraform/6-ec2.tf:41-56
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
    
    		41 | resource "aws_instance" "my_server" {
    		42 |   ami           = data.aws_ami.ubuntu.id
    		43 |   instance_type = "t3.micro"
    		44 | 
    		45 |   # create devops key pair manually before you run terraform
    		46 |   key_name = "devops"
    		47 | 
    		48 |   subnet_id              = aws_subnet.public_us_east_1a.id
    		49 |   vpc_security_group_ids = [aws_security_group.my_server_ssh_access.id]
    		50 | 
    		51 |   associate_public_ip_address = true
    		52 | 
    		53 |   tags = {
    		54 |     Name = "my-server"
    		55 |   }
    		56 | }
    
    Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
    	FAILED for resource: aws_sns_topic.alarms
    	File: /lessons/122/terraform/7-sns-topic.tf:28-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-15.html
    
    		28 | resource "aws_sns_topic" "alarms" {
    		29 |   name = "alarms"
    		30 | 
    		31 |   # Important! Only for testing, set to log every single message 
    		32 |   # For production, set it to 0 or close
    		33 |   lambda_success_feedback_sample_rate = 100
    		34 | 
    		35 |   lambda_failure_feedback_role_arn = aws_iam_role.sns_logs.arn
    		36 |   lambda_success_feedback_role_arn = aws_iam_role.sns_logs.arn
    		37 | }
    
    Check: CKV_AWS_50: "X-ray tracing is enabled for Lambda"
    	FAILED for resource: aws_lambda_function.send_cloudwatch_alarms_to_slack
    	File: /lessons/122/terraform/9-lambda.tf:46-58
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4.html
    
    		46 | resource "aws_lambda_function" "send_cloudwatch_alarms_to_slack" {
    		47 |   function_name = "send-cloudwatch-alarms-to-slack"
    		48 | 
    		49 |   s3_bucket = aws_s3_bucket.lambda_bucket.id
    		50 |   s3_key    = aws_s3_object.send_cloudwatch_alarms_to_slack.key
    		51 | 
    		52 |   runtime = "python3.9"
    		53 |   handler = "function.lambda_handler"
    		54 | 
    		55 |   source_code_hash = data.archive_file.send_cloudwatch_alarms_to_slack.output_base64sha256
    		56 | 
    		57 |   role = aws_iam_role.send_cloudwatch_alarms_to_slack.arn
    		58 | }
    
    Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
    	FAILED for resource: aws_lambda_function.send_cloudwatch_alarms_to_slack
    	File: /lessons/122/terraform/9-lambda.tf:46-58
    
    		46 | resource "aws_lambda_function" "send_cloudwatch_alarms_to_slack" {
    		47 |   function_name = "send-cloudwatch-alarms-to-slack"
    		48 | 
    		49 |   s3_bucket = aws_s3_bucket.lambda_bucket.id
    		50 |   s3_key    = aws_s3_object.send_cloudwatch_alarms_to_slack.key
    		51 | 
    		52 |   runtime = "python3.9"
    		53 |   handler = "function.lambda_handler"
    		54 | 
    		55 |   source_code_hash = data.archive_file.send_cloudwatch_alarms_to_slack.output_base64sha256
    		56 | 
    		57 |   role = aws_iam_role.send_cloudwatch_alarms_to_slack.arn
    		58 | }
    
    Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
    	FAILED for resource: aws_lambda_function.send_cloudwatch_alarms_to_slack
    	File: /lessons/122/terraform/9-lambda.tf:46-58
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit.html
    
    		46 | resource "aws_lambda_function" "send_cloudwatch_alarms_to_slack" {
    		47 |   function_name = "send-cloudwatch-alarms-to-slack"
    		48 | 
    		49 |   s3_bucket = aws_s3_bucket.lambda_bucket.id
    		50 |   s3_key    = aws_s3_object.send_cloudwatch_alarms_to_slack.key
    		51 | 
    		52 |   runtime = "python3.9"
    		53 |   handler = "function.lambda_handler"
    		54 | 
    		55 |   source_code_hash = data.archive_file.send_cloudwatch_alarms_to_slack.output_base64sha256
    		56 | 
    		57 |   role = aws_iam_role.send_cloudwatch_alarms_to_slack.arn
    		58 | }
    
    Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
    	FAILED for resource: aws_lambda_function.send_cloudwatch_alarms_to_slack
    	File: /lessons/122/terraform/9-lambda.tf:46-58
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq.html
    
    		46 | resource "aws_lambda_function" "send_cloudwatch_alarms_to_slack" {
    		47 |   function_name = "send-cloudwatch-alarms-to-slack"
    		48 | 
    		49 |   s3_bucket = aws_s3_bucket.lambda_bucket.id
    		50 |   s3_key    = aws_s3_object.send_cloudwatch_alarms_to_slack.key
    		51 | 
    		52 |   runtime = "python3.9"
    		53 |   handler = "function.lambda_handler"
    		54 | 
    		55 |   source_code_hash = data.archive_file.send_cloudwatch_alarms_to_slack.output_base64sha256
    		56 | 
    		57 |   role = aws_iam_role.send_cloudwatch_alarms_to_slack.arn
    		58 | }
    
    Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
    	FAILED for resource: aws_lambda_function.send_cloudwatch_alarms_to_slack
    	File: /lessons/122/terraform/9-lambda.tf:46-58
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1.html
    
    		46 | resource "aws_lambda_function" "send_cloudwatch_alarms_to_slack" {
    		47 |   function_name = "send-cloudwatch-alarms-to-slack"
    		48 | 
    		49 |   s3_bucket = aws_s3_bucket.lambda_bucket.id
    		50 |   s3_key    = aws_s3_object.send_cloudwatch_alarms_to_slack.key
    		51 | 
    		52 |   runtime = "python3.9"
    		53 |   handler = "function.lambda_handler"
    		54 | 
    		55 |   source_code_hash = data.archive_file.send_cloudwatch_alarms_to_slack.output_base64sha256
    		56 | 
    		57 |   role = aws_iam_role.send_cloudwatch_alarms_to_slack.arn
    		58 | }
    
    Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
    	FAILED for resource: aws_cloudwatch_log_group.send_cloudwatch_alarms_to_slack
    	File: /lessons/122/terraform/9-lambda.tf:61-65
    
    		61 | resource "aws_cloudwatch_log_group" "send_cloudwatch_alarms_to_slack" {
    		62 |   name = "/aws/lambda/${aws_lambda_function.send_cloudwatch_alarms_to_slack.function_name}"
    		63 | 
    		64 |   retention_in_days = 14
    		65 | }
    
    Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
    	FAILED for resource: aws_cloudwatch_log_group.send_cloudwatch_alarms_to_slack
    	File: /lessons/122/terraform/9-lambda.tf:61-65
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html
    
    		61 | resource "aws_cloudwatch_log_group" "send_cloudwatch_alarms_to_slack" {
    		62 |   name = "/aws/lambda/${aws_lambda_function.send_cloudwatch_alarms_to_slack.function_name}"
    		63 | 
    		64 |   retention_in_days = 14
    		65 | }
    
    Check: CKV_AWS_119: "Ensure DynamoDB Tables are encrypted using a KMS Customer Managed CMK"
    	FAILED for resource: aws_dynamodb_table.meta
    	File: /lessons/124/terraform/3-dynamodb.tf:1-12
    	Guide: https://docs.bridgecrew.io/docs/ensure-that-dynamodb-tables-are-encrypted
    
    		1  | resource "aws_dynamodb_table" "meta" {
    		2  |   name           = "Meta"
    		3  |   billing_mode   = "PROVISIONED"
    		4  |   read_capacity  = 5
    		5  |   write_capacity = 5
    		6  |   hash_key       = "LastModified"
    		7  | 
    		8  |   attribute {
    		9  |     name = "LastModified"
    		10 |     type = "S"
    		11 |   }
    		12 | }
    
    Check: CKV_AWS_28: "Ensure Dynamodb point in time recovery (backup) is enabled"
    	FAILED for resource: aws_dynamodb_table.meta
    	File: /lessons/124/terraform/3-dynamodb.tf:1-12
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-6.html
    
    		1  | resource "aws_dynamodb_table" "meta" {
    		2  |   name           = "Meta"
    		3  |   billing_mode   = "PROVISIONED"
    		4  |   read_capacity  = 5
    		5  |   write_capacity = 5
    		6  |   hash_key       = "LastModified"
    		7  | 
    		8  |   attribute {
    		9  |     name = "LastModified"
    		10 |     type = "S"
    		11 |   }
    		12 | }
    
    Check: CKV_AWS_50: "X-ray tracing is enabled for Lambda"
    	FAILED for resource: aws_lambda_function.nodejs
    	File: /lessons/124/terraform/4-nodejs-lambda.tf:78-96
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4.html
    
    		78 | resource "aws_lambda_function" "nodejs" {
    		79 |   function_name = "nodejs"
    		80 | 
    		81 |   s3_bucket = aws_s3_bucket.lambda_bucket.id
    		82 |   s3_key    = aws_s3_object.lambda_nodejs.key
    		83 | 
    		84 |   environment {
    		85 |     variables = {
    		86 |       BUCKET_NAME = aws_s3_bucket.images_bucket.id
    		87 |     }
    		88 |   }
    		89 | 
    		90 |   runtime = "nodejs16.x"
    		91 |   handler = "function.handler"
    		92 | 
    		93 |   source_code_hash = data.archive_file.lambda_nodejs.output_base64sha256
    		94 | 
    		95 |   role = aws_iam_role.nodejs_lambda_exec.arn
    		96 | }
    
    Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
    	FAILED for resource: aws_lambda_function.nodejs
    	File: /lessons/124/terraform/4-nodejs-lambda.tf:78-96
    
    		78 | resource "aws_lambda_function" "nodejs" {
    		79 |   function_name = "nodejs"
    		80 | 
    		81 |   s3_bucket = aws_s3_bucket.lambda_bucket.id
    		82 |   s3_key    = aws_s3_object.lambda_nodejs.key
    		83 | 
    		84 |   environment {
    		85 |     variables = {
    		86 |       BUCKET_NAME = aws_s3_bucket.images_bucket.id
    		87 |     }
    		88 |   }
    		89 | 
    		90 |   runtime = "nodejs16.x"
    		91 |   handler = "function.handler"
    		92 | 
    		93 |   source_code_hash = data.archive_file.lambda_nodejs.output_base64sha256
    		94 | 
    		95 |   role = aws_iam_role.nodejs_lambda_exec.arn
    		96 | }
    
    Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
    	FAILED for resource: aws_lambda_function.nodejs
    	File: /lessons/124/terraform/4-nodejs-lambda.tf:78-96
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5.html
    
    		78 | resource "aws_lambda_function" "nodejs" {
    		79 |   function_name = "nodejs"
    		80 | 
    		81 |   s3_bucket = aws_s3_bucket.lambda_bucket.id
    		82 |   s3_key    = aws_s3_object.lambda_nodejs.key
    		83 | 
    		84 |   environment {
    		85 |     variables = {
    		86 |       BUCKET_NAME = aws_s3_bucket.images_bucket.id
    		87 |     }
    		88 |   }
    		89 | 
    		90 |   runtime = "nodejs16.x"
    		91 |   handler = "function.handler"
    		92 | 
    		93 |   source_code_hash = data.archive_file.lambda_nodejs.output_base64sha256
    		94 | 
    		95 |   role = aws_iam_role.nodejs_lambda_exec.arn
    		96 | }
    
    Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
    	FAILED for resource: aws_lambda_function.nodejs
    	File: /lessons/124/terraform/4-nodejs-lambda.tf:78-96
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit.html
    
    		78 | resource "aws_lambda_function" "nodejs" {
    		79 |   function_name = "nodejs"
    		80 | 
    		81 |   s3_bucket = aws_s3_bucket.lambda_bucket.id
    		82 |   s3_key    = aws_s3_object.lambda_nodejs.key
    		83 | 
    		84 |   environment {
    		85 |     variables = {
    		86 |       BUCKET_NAME = aws_s3_bucket.images_bucket.id
    		87 |     }
    		88 |   }
    		89 | 
    		90 |   runtime = "nodejs16.x"
    		91 |   handler = "function.handler"
    		92 | 
    		93 |   source_code_hash = data.archive_file.lambda_nodejs.output_base64sha256
    		94 | 
    		95 |   role = aws_iam_role.nodejs_lambda_exec.arn
    		96 | }
    
    Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
    	FAILED for resource: aws_lambda_function.nodejs
    	File: /lessons/124/terraform/4-nodejs-lambda.tf:78-96
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq.html
    
    		78 | resource "aws_lambda_function" "nodejs" {
    		79 |   function_name = "nodejs"
    		80 | 
    		81 |   s3_bucket = aws_s3_bucket.lambda_bucket.id
    		82 |   s3_key    = aws_s3_object.lambda_nodejs.key
    		83 | 
    		84 |   environment {
    		85 |     variables = {
    		86 |       BUCKET_NAME = aws_s3_bucket.images_bucket.id
    		87 |     }
    		88 |   }
    		89 | 
    		90 |   runtime = "nodejs16.x"
    		91 |   handler = "function.handler"
    		92 | 
    		93 |   source_code_hash = data.archive_file.lambda_nodejs.output_base64sha256
    		94 | 
    		95 |   role = aws_iam_role.nodejs_lambda_exec.arn
    		96 | }
    
    Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
    	FAILED for resource: aws_lambda_function.nodejs
    	File: /lessons/124/terraform/4-nodejs-lambda.tf:78-96
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1.html
    
    		78 | resource "aws_lambda_function" "nodejs" {
    		79 |   function_name = "nodejs"
    		80 | 
    		81 |   s3_bucket = aws_s3_bucket.lambda_bucket.id
    		82 |   s3_key    = aws_s3_object.lambda_nodejs.key
    		83 | 
    		84 |   environment {
    		85 |     variables = {
    		86 |       BUCKET_NAME = aws_s3_bucket.images_bucket.id
    		87 |     }
    		88 |   }
    		89 | 
    		90 |   runtime = "nodejs16.x"
    		91 |   handler = "function.handler"
    		92 | 
    		93 |   source_code_hash = data.archive_file.lambda_nodejs.output_base64sha256
    		94 | 
    		95 |   role = aws_iam_role.nodejs_lambda_exec.arn
    		96 | }
    
    Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
    	FAILED for resource: aws_cloudwatch_log_group.nodejs
    	File: /lessons/124/terraform/4-nodejs-lambda.tf:98-102
    
    		98  | resource "aws_cloudwatch_log_group" "nodejs" {
    		99  |   name = "/aws/lambda/${aws_lambda_function.nodejs.function_name}"
    		100 | 
    		101 |   retention_in_days = 14
    		102 | }
    
    Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
    	FAILED for resource: aws_cloudwatch_log_group.nodejs
    	File: /lessons/124/terraform/4-nodejs-lambda.tf:98-102
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html
    
    		98  | resource "aws_cloudwatch_log_group" "nodejs" {
    		99  |   name = "/aws/lambda/${aws_lambda_function.nodejs.function_name}"
    		100 | 
    		101 |   retention_in_days = 14
    		102 | }
    
    Check: CKV_AWS_258: "Ensure that Lambda function URLs AuthType is not None"
    	FAILED for resource: aws_lambda_function_url.lambda_nodejs
    	File: /lessons/124/terraform/4-nodejs-lambda.tf:120-123
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-authtype-for-your-lambda-function-urls-is-defined.html
    
    		120 | resource "aws_lambda_function_url" "lambda_nodejs" {
    		121 |   function_name      = aws_lambda_function.nodejs.function_name
    		122 |   authorization_type = "NONE"
    		123 | }
    
    Check: CKV_AWS_50: "X-ray tracing is enabled for Lambda"
    	FAILED for resource: aws_lambda_function.go
    	File: /lessons/124/terraform/5-go-lambda.tf:78-96
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4.html
    
    		78 | resource "aws_lambda_function" "go" {
    		79 |   function_name = "go"
    		80 | 
    		81 |   s3_bucket = aws_s3_bucket.lambda_bucket.id
    		82 |   s3_key    = aws_s3_object.lambda_go.key
    		83 | 
    		84 |   environment {
    		85 |     variables = {
    		86 |       BUCKET_NAME = aws_s3_bucket.images_bucket.id
    		87 |     }
    		88 |   }
    		89 | 
    		90 |   runtime = "go1.x"
    		91 |   handler = "main"
    		92 | 
    		93 |   source_code_hash = data.archive_file.lambda_go.output_base64sha256
    		94 | 
    		95 |   role = aws_iam_role.go_lambda_exec.arn
    		96 | }
    
    Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
    	FAILED for resource: aws_lambda_function.go
    	File: /lessons/124/terraform/5-go-lambda.tf:78-96
    
    		78 | resource "aws_lambda_function" "go" {
    		79 |   function_name = "go"
    		80 | 
    		81 |   s3_bucket = aws_s3_bucket.lambda_bucket.id
    		82 |   s3_key    = aws_s3_object.lambda_go.key
    		83 | 
    		84 |   environment {
    		85 |     variables = {
    		86 |       BUCKET_NAME = aws_s3_bucket.images_bucket.id
    		87 |     }
    		88 |   }
    		89 | 
    		90 |   runtime = "go1.x"
    		91 |   handler = "main"
    		92 | 
    		93 |   source_code_hash = data.archive_file.lambda_go.output_base64sha256
    		94 | 
    		95 |   role = aws_iam_role.go_lambda_exec.arn
    		96 | }
    
    Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
    	FAILED for resource: aws_lambda_function.go
    	File: /lessons/124/terraform/5-go-lambda.tf:78-96
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5.html
    
    		78 | resource "aws_lambda_function" "go" {
    		79 |   function_name = "go"
    		80 | 
    		81 |   s3_bucket = aws_s3_bucket.lambda_bucket.id
    		82 |   s3_key    = aws_s3_object.lambda_go.key
    		83 | 
    		84 |   environment {
    		85 |     variables = {
    		86 |       BUCKET_NAME = aws_s3_bucket.images_bucket.id
    		87 |     }
    		88 |   }
    		89 | 
    		90 |   runtime = "go1.x"
    		91 |   handler = "main"
    		92 | 
    		93 |   source_code_hash = data.archive_file.lambda_go.output_base64sha256
    		94 | 
    		95 |   role = aws_iam_role.go_lambda_exec.arn
    		96 | }
    
    Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
    	FAILED for resource: aws_lambda_function.go
    	File: /lessons/124/terraform/5-go-lambda.tf:78-96
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit.html
    
    		78 | resource "aws_lambda_function" "go" {
    		79 |   function_name = "go"
    		80 | 
    		81 |   s3_bucket = aws_s3_bucket.lambda_bucket.id
    		82 |   s3_key    = aws_s3_object.lambda_go.key
    		83 | 
    		84 |   environment {
    		85 |     variables = {
    		86 |       BUCKET_NAME = aws_s3_bucket.images_bucket.id
    		87 |     }
    		88 |   }
    		89 | 
    		90 |   runtime = "go1.x"
    		91 |   handler = "main"
    		92 | 
    		93 |   source_code_hash = data.archive_file.lambda_go.output_base64sha256
    		94 | 
    		95 |   role = aws_iam_role.go_lambda_exec.arn
    		96 | }
    
    Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
    	FAILED for resource: aws_lambda_function.go
    	File: /lessons/124/terraform/5-go-lambda.tf:78-96
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq.html
    
    		78 | resource "aws_lambda_function" "go" {
    		79 |   function_name = "go"
    		80 | 
    		81 |   s3_bucket = aws_s3_bucket.lambda_bucket.id
    		82 |   s3_key    = aws_s3_object.lambda_go.key
    		83 | 
    		84 |   environment {
    		85 |     variables = {
    		86 |       BUCKET_NAME = aws_s3_bucket.images_bucket.id
    		87 |     }
    		88 |   }
    		89 | 
    		90 |   runtime = "go1.x"
    		91 |   handler = "main"
    		92 | 
    		93 |   source_code_hash = data.archive_file.lambda_go.output_base64sha256
    		94 | 
    		95 |   role = aws_iam_role.go_lambda_exec.arn
    		96 | }
    
    Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
    	FAILED for resource: aws_lambda_function.go
    	File: /lessons/124/terraform/5-go-lambda.tf:78-96
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1.html
    
    		78 | resource "aws_lambda_function" "go" {
    		79 |   function_name = "go"
    		80 | 
    		81 |   s3_bucket = aws_s3_bucket.lambda_bucket.id
    		82 |   s3_key    = aws_s3_object.lambda_go.key
    		83 | 
    		84 |   environment {
    		85 |     variables = {
    		86 |       BUCKET_NAME = aws_s3_bucket.images_bucket.id
    		87 |     }
    		88 |   }
    		89 | 
    		90 |   runtime = "go1.x"
    		91 |   handler = "main"
    		92 | 
    		93 |   source_code_hash = data.archive_file.lambda_go.output_base64sha256
    		94 | 
    		95 |   role = aws_iam_role.go_lambda_exec.arn
    		96 | }
    
    Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
    	FAILED for resource: aws_cloudwatch_log_group.go
    	File: /lessons/124/terraform/5-go-lambda.tf:98-102
    
    		98  | resource "aws_cloudwatch_log_group" "go" {
    		99  |   name = "/aws/lambda/${aws_lambda_function.go.function_name}"
    		100 | 
    		101 |   retention_in_days = 14
    		102 | }
    
    Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
    	FAILED for resource: aws_cloudwatch_log_group.go
    	File: /lessons/124/terraform/5-go-lambda.tf:98-102
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html
    
    		98  | resource "aws_cloudwatch_log_group" "go" {
    		99  |   name = "/aws/lambda/${aws_lambda_function.go.function_name}"
    		100 | 
    		101 |   retention_in_days = 14
    		102 | }
    
    Check: CKV_AWS_258: "Ensure that Lambda function URLs AuthType is not None"
    	FAILED for resource: aws_lambda_function_url.lambda_go
    	File: /lessons/124/terraform/5-go-lambda.tf:120-123
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-authtype-for-your-lambda-function-urls-is-defined.html
    
    		120 | resource "aws_lambda_function_url" "lambda_go" {
    		121 |   function_name      = aws_lambda_function.go.function_name
    		122 |   authorization_type = "NONE"
    		123 | }
    
    Check: CKV_AWS_119: "Ensure DynamoDB Tables are encrypted using a KMS Customer Managed CMK"
    	FAILED for resource: aws_dynamodb_table.meta
    	File: /lessons/126/terraform/3-dynamodb.tf:2-13
    	Guide: https://docs.bridgecrew.io/docs/ensure-that-dynamodb-tables-are-encrypted
    
    		2  | resource "aws_dynamodb_table" "meta" {
    		3  |   name           = "Meta"
    		4  |   billing_mode   = "PROVISIONED"
    		5  |   read_capacity  = 5
    		6  |   write_capacity = 1000
    		7  |   hash_key       = "LastModified"
    		8  | 
    		9  |   attribute {
    		10 |     name = "LastModified"
    		11 |     type = "S"
    		12 |   }
    		13 | }
    
    Check: CKV_AWS_28: "Ensure Dynamodb point in time recovery (backup) is enabled"
    	FAILED for resource: aws_dynamodb_table.meta
    	File: /lessons/126/terraform/3-dynamodb.tf:2-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-6.html
    
    		2  | resource "aws_dynamodb_table" "meta" {
    		3  |   name           = "Meta"
    		4  |   billing_mode   = "PROVISIONED"
    		5  |   read_capacity  = 5
    		6  |   write_capacity = 1000
    		7  |   hash_key       = "LastModified"
    		8  | 
    		9  |   attribute {
    		10 |     name = "LastModified"
    		11 |     type = "S"
    		12 |   }
    		13 | }
    
    Check: CKV_AWS_50: "X-ray tracing is enabled for Lambda"
    	FAILED for resource: aws_lambda_function.nodejs
    	File: /lessons/126/terraform/4-nodejs-lambda.tf:78-96
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4.html
    
    		78 | resource "aws_lambda_function" "nodejs" {
    		79 |   function_name = "nodejs"
    		80 | 
    		81 |   s3_bucket = aws_s3_bucket.lambda_bucket.id
    		82 |   s3_key    = aws_s3_object.lambda_nodejs.key
    		83 | 
    		84 |   environment {
    		85 |     variables = {
    		86 |       BUCKET_NAME = aws_s3_bucket.images_bucket.id
    		87 |     }
    		88 |   }
    		89 | 
    		90 |   runtime = "nodejs16.x"
    		91 |   handler = "function.lambda_handler"
    		92 | 
    		93 |   source_code_hash = data.archive_file.lambda_nodejs.output_base64sha256
    		94 | 
    		95 |   role = aws_iam_role.nodejs_lambda_exec.arn
    		96 | }
    
    Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
    	FAILED for resource: aws_lambda_function.nodejs
    	File: /lessons/126/terraform/4-nodejs-lambda.tf:78-96
    
    		78 | resource "aws_lambda_function" "nodejs" {
    		79 |   function_name = "nodejs"
    		80 | 
    		81 |   s3_bucket = aws_s3_bucket.lambda_bucket.id
    		82 |   s3_key    = aws_s3_object.lambda_nodejs.key
    		83 | 
    		84 |   environment {
    		85 |     variables = {
    		86 |       BUCKET_NAME = aws_s3_bucket.images_bucket.id
    		87 |     }
    		88 |   }
    		89 | 
    		90 |   runtime = "nodejs16.x"
    		91 |   handler = "function.lambda_handler"
    		92 | 
    		93 |   source_code_hash = data.archive_file.lambda_nodejs.output_base64sha256
    		94 | 
    		95 |   role = aws_iam_role.nodejs_lambda_exec.arn
    		96 | }
    
    Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
    	FAILED for resource: aws_lambda_function.nodejs
    	File: /lessons/126/terraform/4-nodejs-lambda.tf:78-96
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5.html
    
    		78 | resource "aws_lambda_function" "nodejs" {
    		79 |   function_name = "nodejs"
    		80 | 
    		81 |   s3_bucket = aws_s3_bucket.lambda_bucket.id
    		82 |   s3_key    = aws_s3_object.lambda_nodejs.key
    		83 | 
    		84 |   environment {
    		85 |     variables = {
    		86 |       BUCKET_NAME = aws_s3_bucket.images_bucket.id
    		87 |     }
    		88 |   }
    		89 | 
    		90 |   runtime = "nodejs16.x"
    		91 |   handler = "function.lambda_handler"
    		92 | 
    		93 |   source_code_hash = data.archive_file.lambda_nodejs.output_base64sha256
    		94 | 
    		95 |   role = aws_iam_role.nodejs_lambda_exec.arn
    		96 | }
    
    Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
    	FAILED for resource: aws_lambda_function.nodejs
    	File: /lessons/126/terraform/4-nodejs-lambda.tf:78-96
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit.html
    
    		78 | resource "aws_lambda_function" "nodejs" {
    		79 |   function_name = "nodejs"
    		80 | 
    		81 |   s3_bucket = aws_s3_bucket.lambda_bucket.id
    		82 |   s3_key    = aws_s3_object.lambda_nodejs.key
    		83 | 
    		84 |   environment {
    		85 |     variables = {
    		86 |       BUCKET_NAME = aws_s3_bucket.images_bucket.id
    		87 |     }
    		88 |   }
    		89 | 
    		90 |   runtime = "nodejs16.x"
    		91 |   handler = "function.lambda_handler"
    		92 | 
    		93 |   source_code_hash = data.archive_file.lambda_nodejs.output_base64sha256
    		94 | 
    		95 |   role = aws_iam_role.nodejs_lambda_exec.arn
    		96 | }
    
    Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
    	FAILED for resource: aws_lambda_function.nodejs
    	File: /lessons/126/terraform/4-nodejs-lambda.tf:78-96
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq.html
    
    		78 | resource "aws_lambda_function" "nodejs" {
    		79 |   function_name = "nodejs"
    		80 | 
    		81 |   s3_bucket = aws_s3_bucket.lambda_bucket.id
    		82 |   s3_key    = aws_s3_object.lambda_nodejs.key
    		83 | 
    		84 |   environment {
    		85 |     variables = {
    		86 |       BUCKET_NAME = aws_s3_bucket.images_bucket.id
    		87 |     }
    		88 |   }
    		89 | 
    		90 |   runtime = "nodejs16.x"
    		91 |   handler = "function.lambda_handler"
    		92 | 
    		93 |   source_code_hash = data.archive_file.lambda_nodejs.output_base64sha256
    		94 | 
    		95 |   role = aws_iam_role.nodejs_lambda_exec.arn
    		96 | }
    
    Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
    	FAILED for resource: aws_lambda_function.nodejs
    	File: /lessons/126/terraform/4-nodejs-lambda.tf:78-96
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1.html
    
    		78 | resource "aws_lambda_function" "nodejs" {
    		79 |   function_name = "nodejs"
    		80 | 
    		81 |   s3_bucket = aws_s3_bucket.lambda_bucket.id
    		82 |   s3_key    = aws_s3_object.lambda_nodejs.key
    		83 | 
    		84 |   environment {
    		85 |     variables = {
    		86 |       BUCKET_NAME = aws_s3_bucket.images_bucket.id
    		87 |     }
    		88 |   }
    		89 | 
    		90 |   runtime = "nodejs16.x"
    		91 |   handler = "function.lambda_handler"
    		92 | 
    		93 |   source_code_hash = data.archive_file.lambda_nodejs.output_base64sha256
    		94 | 
    		95 |   role = aws_iam_role.nodejs_lambda_exec.arn
    		96 | }
    
    Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
    	FAILED for resource: aws_cloudwatch_log_group.nodejs
    	File: /lessons/126/terraform/4-nodejs-lambda.tf:98-102
    
    		98  | resource "aws_cloudwatch_log_group" "nodejs" {
    		99  |   name = "/aws/lambda/${aws_lambda_function.nodejs.function_name}"
    		100 | 
    		101 |   retention_in_days = 14
    		102 | }
    
    Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
    	FAILED for resource: aws_cloudwatch_log_group.nodejs
    	File: /lessons/126/terraform/4-nodejs-lambda.tf:98-102
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html
    
    		98  | resource "aws_cloudwatch_log_group" "nodejs" {
    		99  |   name = "/aws/lambda/${aws_lambda_function.nodejs.function_name}"
    		100 | 
    		101 |   retention_in_days = 14
    		102 | }
    
    Check: CKV_AWS_258: "Ensure that Lambda function URLs AuthType is not None"
    	FAILED for resource: aws_lambda_function_url.lambda_nodejs
    	File: /lessons/126/terraform/4-nodejs-lambda.tf:120-123
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-authtype-for-your-lambda-function-urls-is-defined.html
    
    		120 | resource "aws_lambda_function_url" "lambda_nodejs" {
    		121 |   function_name      = aws_lambda_function.nodejs.function_name
    		122 |   authorization_type = "NONE"
    		123 | }
    
    Check: CKV_AWS_50: "X-ray tracing is enabled for Lambda"
    	FAILED for resource: aws_lambda_function.python
    	File: /lessons/126/terraform/4-python-lambda.tf:78-96
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4.html
    
    		78 | resource "aws_lambda_function" "python" {
    		79 |   function_name = "python"
    		80 | 
    		81 |   s3_bucket = aws_s3_bucket.lambda_bucket.id
    		82 |   s3_key    = aws_s3_object.lambda_python.key
    		83 | 
    		84 |   environment {
    		85 |     variables = {
    		86 |       BUCKET_NAME = aws_s3_bucket.images_bucket.id
    		87 |     }
    		88 |   }
    		89 | 
    		90 |   runtime = "python3.9"
    		91 |   handler = "function.lambda_handler"
    		92 | 
    		93 |   source_code_hash = data.archive_file.lambda_python.output_base64sha256
    		94 | 
    		95 |   role = aws_iam_role.python_lambda_exec.arn
    		96 | }
    
    Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
    	FAILED for resource: aws_lambda_function.python
    	File: /lessons/126/terraform/4-python-lambda.tf:78-96
    
    		78 | resource "aws_lambda_function" "python" {
    		79 |   function_name = "python"
    		80 | 
    		81 |   s3_bucket = aws_s3_bucket.lambda_bucket.id
    		82 |   s3_key    = aws_s3_object.lambda_python.key
    		83 | 
    		84 |   environment {
    		85 |     variables = {
    		86 |       BUCKET_NAME = aws_s3_bucket.images_bucket.id
    		87 |     }
    		88 |   }
    		89 | 
    		90 |   runtime = "python3.9"
    		91 |   handler = "function.lambda_handler"
    		92 | 
    		93 |   source_code_hash = data.archive_file.lambda_python.output_base64sha256
    		94 | 
    		95 |   role = aws_iam_role.python_lambda_exec.arn
    		96 | }
    
    Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
    	FAILED for resource: aws_lambda_function.python
    	File: /lessons/126/terraform/4-python-lambda.tf:78-96
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5.html
    
    		78 | resource "aws_lambda_function" "python" {
    		79 |   function_name = "python"
    		80 | 
    		81 |   s3_bucket = aws_s3_bucket.lambda_bucket.id
    		82 |   s3_key    = aws_s3_object.lambda_python.key
    		83 | 
    		84 |   environment {
    		85 |     variables = {
    		86 |       BUCKET_NAME = aws_s3_bucket.images_bucket.id
    		87 |     }
    		88 |   }
    		89 | 
    		90 |   runtime = "python3.9"
    		91 |   handler = "function.lambda_handler"
    		92 | 
    		93 |   source_code_hash = data.archive_file.lambda_python.output_base64sha256
    		94 | 
    		95 |   role = aws_iam_role.python_lambda_exec.arn
    		96 | }
    
    Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
    	FAILED for resource: aws_lambda_function.python
    	File: /lessons/126/terraform/4-python-lambda.tf:78-96
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit.html
    
    		78 | resource "aws_lambda_function" "python" {
    		79 |   function_name = "python"
    		80 | 
    		81 |   s3_bucket = aws_s3_bucket.lambda_bucket.id
    		82 |   s3_key    = aws_s3_object.lambda_python.key
    		83 | 
    		84 |   environment {
    		85 |     variables = {
    		86 |       BUCKET_NAME = aws_s3_bucket.images_bucket.id
    		87 |     }
    		88 |   }
    		89 | 
    		90 |   runtime = "python3.9"
    		91 |   handler = "function.lambda_handler"
    		92 | 
    		93 |   source_code_hash = data.archive_file.lambda_python.output_base64sha256
    		94 | 
    		95 |   role = aws_iam_role.python_lambda_exec.arn
    		96 | }
    
    Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
    	FAILED for resource: aws_lambda_function.python
    	File: /lessons/126/terraform/4-python-lambda.tf:78-96
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq.html
    
    		78 | resource "aws_lambda_function" "python" {
    		79 |   function_name = "python"
    		80 | 
    		81 |   s3_bucket = aws_s3_bucket.lambda_bucket.id
    		82 |   s3_key    = aws_s3_object.lambda_python.key
    		83 | 
    		84 |   environment {
    		85 |     variables = {
    		86 |       BUCKET_NAME = aws_s3_bucket.images_bucket.id
    		87 |     }
    		88 |   }
    		89 | 
    		90 |   runtime = "python3.9"
    		91 |   handler = "function.lambda_handler"
    		92 | 
    		93 |   source_code_hash = data.archive_file.lambda_python.output_base64sha256
    		94 | 
    		95 |   role = aws_iam_role.python_lambda_exec.arn
    		96 | }
    
    Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
    	FAILED for resource: aws_lambda_function.python
    	File: /lessons/126/terraform/4-python-lambda.tf:78-96
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1.html
    
    		78 | resource "aws_lambda_function" "python" {
    		79 |   function_name = "python"
    		80 | 
    		81 |   s3_bucket = aws_s3_bucket.lambda_bucket.id
    		82 |   s3_key    = aws_s3_object.lambda_python.key
    		83 | 
    		84 |   environment {
    		85 |     variables = {
    		86 |       BUCKET_NAME = aws_s3_bucket.images_bucket.id
    		87 |     }
    		88 |   }
    		89 | 
    		90 |   runtime = "python3.9"
    		91 |   handler = "function.lambda_handler"
    		92 | 
    		93 |   source_code_hash = data.archive_file.lambda_python.output_base64sha256
    		94 | 
    		95 |   role = aws_iam_role.python_lambda_exec.arn
    		96 | }
    
    Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
    	FAILED for resource: aws_cloudwatch_log_group.python
    	File: /lessons/126/terraform/4-python-lambda.tf:98-102
    
    		98  | resource "aws_cloudwatch_log_group" "python" {
    		99  |   name = "/aws/lambda/${aws_lambda_function.python.function_name}"
    		100 | 
    		101 |   retention_in_days = 14
    		102 | }
    
    Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
    	FAILED for resource: aws_cloudwatch_log_group.python
    	File: /lessons/126/terraform/4-python-lambda.tf:98-102
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html
    
    		98  | resource "aws_cloudwatch_log_group" "python" {
    		99  |   name = "/aws/lambda/${aws_lambda_function.python.function_name}"
    		100 | 
    		101 |   retention_in_days = 14
    		102 | }
    
    Check: CKV_AWS_258: "Ensure that Lambda function URLs AuthType is not None"
    	FAILED for resource: aws_lambda_function_url.lambda_python
    	File: /lessons/126/terraform/4-python-lambda.tf:120-123
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-authtype-for-your-lambda-function-urls-is-defined.html
    
    		120 | resource "aws_lambda_function_url" "lambda_python" {
    		121 |   function_name      = aws_lambda_function.python.function_name
    		122 |   authorization_type = "NONE"
    		123 | }
    
    Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
    	FAILED for resource: aws_subnet.public_us_east_1a
    	File: /lessons/127/terraform/3-subnets.tf:21-30
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
    
    		21 | resource "aws_subnet" "public_us_east_1a" {
    		22 |   vpc_id                  = aws_vpc.main.id
    		23 |   cidr_block              = "10.0.64.0/19"
    		24 |   availability_zone       = "us-east-1a"
    		25 |   map_public_ip_on_launch = true
    		26 | 
    		27 |   tags = {
    		28 |     "Name" = "public-us-east-1a"
    		29 |   }
    		30 | }
    
    Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
    	FAILED for resource: aws_subnet.public_us_east_1b
    	File: /lessons/127/terraform/3-subnets.tf:32-41
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
    
    		32 | resource "aws_subnet" "public_us_east_1b" {
    		33 |   vpc_id                  = aws_vpc.main.id
    		34 |   cidr_block              = "10.0.96.0/19"
    		35 |   availability_zone       = "us-east-1b"
    		36 |   map_public_ip_on_launch = true
    		37 | 
    		38 |   tags = {
    		39 |     "Name" = "public-us-east-1b"
    		40 |   }
    		41 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group.ec2_eg1
    	File: /lessons/127/terraform/6-example-1.tf:14-17
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		14 | resource "aws_security_group" "ec2_eg1" {
    		15 |   name   = "ec2-eg1"
    		16 |   vpc_id = aws_vpc.main.id
    		17 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group.alb_eg1
    	File: /lessons/127/terraform/6-example-1.tf:19-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		19 | resource "aws_security_group" "alb_eg1" {
    		20 |   name   = "alb-eg1"
    		21 |   vpc_id = aws_vpc.main.id
    		22 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.ingress_ec2_traffic
    	File: /lessons/127/terraform/6-example-1.tf:24-31
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		24 | resource "aws_security_group_rule" "ingress_ec2_traffic" {
    		25 |   type                     = "ingress"
    		26 |   from_port                = 8080
    		27 |   to_port                  = 8080
    		28 |   protocol                 = "tcp"
    		29 |   security_group_id        = aws_security_group.ec2_eg1.id
    		30 |   source_security_group_id = aws_security_group.alb_eg1.id
    		31 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.ingress_ec2_health_check
    	File: /lessons/127/terraform/6-example-1.tf:33-40
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		33 | resource "aws_security_group_rule" "ingress_ec2_health_check" {
    		34 |   type                     = "ingress"
    		35 |   from_port                = 8081
    		36 |   to_port                  = 8081
    		37 |   protocol                 = "tcp"
    		38 |   security_group_id        = aws_security_group.ec2_eg1.id
    		39 |   source_security_group_id = aws_security_group.alb_eg1.id
    		40 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.ingress_alb_traffic
    	File: /lessons/127/terraform/6-example-1.tf:51-58
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		51 | resource "aws_security_group_rule" "ingress_alb_traffic" {
    		52 |   type              = "ingress"
    		53 |   from_port         = 80
    		54 |   to_port           = 80
    		55 |   protocol          = "tcp"
    		56 |   security_group_id = aws_security_group.alb_eg1.id
    		57 |   cidr_blocks       = ["0.0.0.0/0"]
    		58 | }
    
    Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
    	FAILED for resource: aws_security_group_rule.ingress_alb_traffic
    	File: /lessons/127/terraform/6-example-1.tf:51-58
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
    
    		51 | resource "aws_security_group_rule" "ingress_alb_traffic" {
    		52 |   type              = "ingress"
    		53 |   from_port         = 80
    		54 |   to_port           = 80
    		55 |   protocol          = "tcp"
    		56 |   security_group_id = aws_security_group.alb_eg1.id
    		57 |   cidr_blocks       = ["0.0.0.0/0"]
    		58 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.egress_alb_traffic
    	File: /lessons/127/terraform/6-example-1.tf:60-67
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		60 | resource "aws_security_group_rule" "egress_alb_traffic" {
    		61 |   type                     = "egress"
    		62 |   from_port                = 8080
    		63 |   to_port                  = 8080
    		64 |   protocol                 = "tcp"
    		65 |   security_group_id        = aws_security_group.alb_eg1.id
    		66 |   source_security_group_id = aws_security_group.ec2_eg1.id
    		67 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.egress_alb_health_check
    	File: /lessons/127/terraform/6-example-1.tf:69-76
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		69 | resource "aws_security_group_rule" "egress_alb_health_check" {
    		70 |   type                     = "egress"
    		71 |   from_port                = 8081
    		72 |   to_port                  = 8081
    		73 |   protocol                 = "tcp"
    		74 |   security_group_id        = aws_security_group.alb_eg1.id
    		75 |   source_security_group_id = aws_security_group.ec2_eg1.id
    		76 | }
    
    Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
    	FAILED for resource: aws_instance.my_app_eg1["my-app-00"]
    	File: /lessons/127/terraform/6-example-1.tf:78-91
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
    
    		78 | resource "aws_instance" "my_app_eg1" {
    		79 |   for_each = local.web_servers
    		80 | 
    		81 |   ami           = "ami-07309549f34230bcd"
    		82 |   instance_type = each.value.machine_type
    		83 |   key_name      = "devops"
    		84 |   subnet_id     = each.value.subnet_id
    		85 | 
    		86 |   vpc_security_group_ids = [aws_security_group.ec2_eg1.id]
    		87 | 
    		88 |   tags = {
    		89 |     Name = each.key
    		90 |   }
    		91 | }
    
    Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
    	FAILED for resource: aws_instance.my_app_eg1["my-app-00"]
    	File: /lessons/127/terraform/6-example-1.tf:78-91
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
    
    		78 | resource "aws_instance" "my_app_eg1" {
    		79 |   for_each = local.web_servers
    		80 | 
    		81 |   ami           = "ami-07309549f34230bcd"
    		82 |   instance_type = each.value.machine_type
    		83 |   key_name      = "devops"
    		84 |   subnet_id     = each.value.subnet_id
    		85 | 
    		86 |   vpc_security_group_ids = [aws_security_group.ec2_eg1.id]
    		87 | 
    		88 |   tags = {
    		89 |     Name = each.key
    		90 |   }
    		91 | }
    
    Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
    	FAILED for resource: aws_instance.my_app_eg1["my-app-00"]
    	File: /lessons/127/terraform/6-example-1.tf:78-91
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
    
    		78 | resource "aws_instance" "my_app_eg1" {
    		79 |   for_each = local.web_servers
    		80 | 
    		81 |   ami           = "ami-07309549f34230bcd"
    		82 |   instance_type = each.value.machine_type
    		83 |   key_name      = "devops"
    		84 |   subnet_id     = each.value.subnet_id
    		85 | 
    		86 |   vpc_security_group_ids = [aws_security_group.ec2_eg1.id]
    		87 | 
    		88 |   tags = {
    		89 |     Name = each.key
    		90 |   }
    		91 | }
    
    Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
    	FAILED for resource: aws_instance.my_app_eg1["my-app-00"]
    	File: /lessons/127/terraform/6-example-1.tf:78-91
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
    
    		78 | resource "aws_instance" "my_app_eg1" {
    		79 |   for_each = local.web_servers
    		80 | 
    		81 |   ami           = "ami-07309549f34230bcd"
    		82 |   instance_type = each.value.machine_type
    		83 |   key_name      = "devops"
    		84 |   subnet_id     = each.value.subnet_id
    		85 | 
    		86 |   vpc_security_group_ids = [aws_security_group.ec2_eg1.id]
    		87 | 
    		88 |   tags = {
    		89 |     Name = each.key
    		90 |   }
    		91 | }
    
    Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
    	FAILED for resource: aws_lb.my_app_eg1
    	File: /lessons/127/terraform/6-example-1.tf:127-143
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers.html
    
    		127 | resource "aws_lb" "my_app_eg1" {
    		128 |   name               = "my-app-eg1"
    		129 |   internal           = false
    		130 |   load_balancer_type = "application"
    		131 |   security_groups    = [aws_security_group.alb_eg1.id]
    		132 | 
    		133 |   # access_logs {
    		134 |   #   bucket  = "my-logs"
    		135 |   #   prefix  = "my-app-lb"
    		136 |   #   enabled = true
    		137 |   # }
    		138 | 
    		139 |   subnets = [
    		140 |     aws_subnet.public_us_east_1a.id,
    		141 |     aws_subnet.public_us_east_1b.id
    		142 |   ]
    		143 | }
    
    Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
    	FAILED for resource: aws_lb.my_app_eg1
    	File: /lessons/127/terraform/6-example-1.tf:127-143
    	Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62
    
    		127 | resource "aws_lb" "my_app_eg1" {
    		128 |   name               = "my-app-eg1"
    		129 |   internal           = false
    		130 |   load_balancer_type = "application"
    		131 |   security_groups    = [aws_security_group.alb_eg1.id]
    		132 | 
    		133 |   # access_logs {
    		134 |   #   bucket  = "my-logs"
    		135 |   #   prefix  = "my-app-lb"
    		136 |   #   enabled = true
    		137 |   # }
    		138 | 
    		139 |   subnets = [
    		140 |     aws_subnet.public_us_east_1a.id,
    		141 |     aws_subnet.public_us_east_1b.id
    		142 |   ]
    		143 | }
    
    Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
    	FAILED for resource: aws_lb.my_app_eg1
    	File: /lessons/127/terraform/6-example-1.tf:127-143
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22.html
    
    		127 | resource "aws_lb" "my_app_eg1" {
    		128 |   name               = "my-app-eg1"
    		129 |   internal           = false
    		130 |   load_balancer_type = "application"
    		131 |   security_groups    = [aws_security_group.alb_eg1.id]
    		132 | 
    		133 |   # access_logs {
    		134 |   #   bucket  = "my-logs"
    		135 |   #   prefix  = "my-app-lb"
    		136 |   #   enabled = true
    		137 |   # }
    		138 | 
    		139 |   subnets = [
    		140 |     aws_subnet.public_us_east_1a.id,
    		141 |     aws_subnet.public_us_east_1b.id
    		142 |   ]
    		143 | }
    
    Check: CKV_AWS_2: "Ensure ALB protocol is HTTPS"
    	FAILED for resource: aws_lb_listener.http_eg1
    	File: /lessons/127/terraform/6-example-1.tf:145-154
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-29.html
    
    		145 | resource "aws_lb_listener" "http_eg1" {
    		146 |   load_balancer_arn = aws_lb.my_app_eg1.arn
    		147 |   port              = "80"
    		148 |   protocol          = "HTTP"
    		149 | 
    		150 |   default_action {
    		151 |     type             = "forward"
    		152 |     target_group_arn = aws_lb_target_group.my_app_eg1.arn
    		153 |   }
    		154 | }
    
    Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
    	FAILED for resource: aws_instance.my_app_eg1["my-app-01"]
    	File: /lessons/127/terraform/6-example-1.tf:78-91
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
    
    		78 | resource "aws_instance" "my_app_eg1" {
    		79 |   for_each = local.web_servers
    		80 | 
    		81 |   ami           = "ami-07309549f34230bcd"
    		82 |   instance_type = each.value.machine_type
    		83 |   key_name      = "devops"
    		84 |   subnet_id     = each.value.subnet_id
    		85 | 
    		86 |   vpc_security_group_ids = [aws_security_group.ec2_eg1.id]
    		87 | 
    		88 |   tags = {
    		89 |     Name = each.key
    		90 |   }
    		91 | }
    
    Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
    	FAILED for resource: aws_instance.my_app_eg1["my-app-01"]
    	File: /lessons/127/terraform/6-example-1.tf:78-91
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
    
    		78 | resource "aws_instance" "my_app_eg1" {
    		79 |   for_each = local.web_servers
    		80 | 
    		81 |   ami           = "ami-07309549f34230bcd"
    		82 |   instance_type = each.value.machine_type
    		83 |   key_name      = "devops"
    		84 |   subnet_id     = each.value.subnet_id
    		85 | 
    		86 |   vpc_security_group_ids = [aws_security_group.ec2_eg1.id]
    		87 | 
    		88 |   tags = {
    		89 |     Name = each.key
    		90 |   }
    		91 | }
    
    Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
    	FAILED for resource: aws_instance.my_app_eg1["my-app-01"]
    	File: /lessons/127/terraform/6-example-1.tf:78-91
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
    
    		78 | resource "aws_instance" "my_app_eg1" {
    		79 |   for_each = local.web_servers
    		80 | 
    		81 |   ami           = "ami-07309549f34230bcd"
    		82 |   instance_type = each.value.machine_type
    		83 |   key_name      = "devops"
    		84 |   subnet_id     = each.value.subnet_id
    		85 | 
    		86 |   vpc_security_group_ids = [aws_security_group.ec2_eg1.id]
    		87 | 
    		88 |   tags = {
    		89 |     Name = each.key
    		90 |   }
    		91 | }
    
    Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
    	FAILED for resource: aws_instance.my_app_eg1["my-app-01"]
    	File: /lessons/127/terraform/6-example-1.tf:78-91
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
    
    		78 | resource "aws_instance" "my_app_eg1" {
    		79 |   for_each = local.web_servers
    		80 | 
    		81 |   ami           = "ami-07309549f34230bcd"
    		82 |   instance_type = each.value.machine_type
    		83 |   key_name      = "devops"
    		84 |   subnet_id     = each.value.subnet_id
    		85 | 
    		86 |   vpc_security_group_ids = [aws_security_group.ec2_eg1.id]
    		87 | 
    		88 |   tags = {
    		89 |     Name = each.key
    		90 |   }
    		91 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group.ec2_eg2
    	File: /lessons/127/terraform/7-example-2.tf:1-4
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		1 | resource "aws_security_group" "ec2_eg2" {
    		2 |   name   = "ec2-eg2"
    		3 |   vpc_id = aws_vpc.main.id
    		4 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group.alb_eg2
    	File: /lessons/127/terraform/7-example-2.tf:6-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		6 | resource "aws_security_group" "alb_eg2" {
    		7 |   name   = "alb-eg2"
    		8 |   vpc_id = aws_vpc.main.id
    		9 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.ingress_ec2_eg2_traffic
    	File: /lessons/127/terraform/7-example-2.tf:11-18
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		11 | resource "aws_security_group_rule" "ingress_ec2_eg2_traffic" {
    		12 |   type                     = "ingress"
    		13 |   from_port                = 8080
    		14 |   to_port                  = 8080
    		15 |   protocol                 = "tcp"
    		16 |   security_group_id        = aws_security_group.ec2_eg2.id
    		17 |   source_security_group_id = aws_security_group.alb_eg2.id
    		18 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.ingress_ec2_eg2_health_check
    	File: /lessons/127/terraform/7-example-2.tf:20-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		20 | resource "aws_security_group_rule" "ingress_ec2_eg2_health_check" {
    		21 |   type                     = "ingress"
    		22 |   from_port                = 8081
    		23 |   to_port                  = 8081
    		24 |   protocol                 = "tcp"
    		25 |   security_group_id        = aws_security_group.ec2_eg2.id
    		26 |   source_security_group_id = aws_security_group.alb_eg2.id
    		27 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.ingress_alb_eg2_http_traffic
    	File: /lessons/127/terraform/7-example-2.tf:38-45
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		38 | resource "aws_security_group_rule" "ingress_alb_eg2_http_traffic" {
    		39 |   type              = "ingress"
    		40 |   from_port         = 80
    		41 |   to_port           = 80
    		42 |   protocol          = "tcp"
    		43 |   security_group_id = aws_security_group.alb_eg2.id
    		44 |   cidr_blocks       = ["0.0.0.0/0"]
    		45 | }
    
    Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
    	FAILED for resource: aws_security_group_rule.ingress_alb_eg2_http_traffic
    	File: /lessons/127/terraform/7-example-2.tf:38-45
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
    
    		38 | resource "aws_security_group_rule" "ingress_alb_eg2_http_traffic" {
    		39 |   type              = "ingress"
    		40 |   from_port         = 80
    		41 |   to_port           = 80
    		42 |   protocol          = "tcp"
    		43 |   security_group_id = aws_security_group.alb_eg2.id
    		44 |   cidr_blocks       = ["0.0.0.0/0"]
    		45 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.ingress_alb_eg2_https_traffic
    	File: /lessons/127/terraform/7-example-2.tf:47-54
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		47 | resource "aws_security_group_rule" "ingress_alb_eg2_https_traffic" {
    		48 |   type              = "ingress"
    		49 |   from_port         = 443
    		50 |   to_port           = 443
    		51 |   protocol          = "tcp"
    		52 |   security_group_id = aws_security_group.alb_eg2.id
    		53 |   cidr_blocks       = ["0.0.0.0/0"]
    		54 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.egress_alb_eg2_traffic
    	File: /lessons/127/terraform/7-example-2.tf:56-63
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		56 | resource "aws_security_group_rule" "egress_alb_eg2_traffic" {
    		57 |   type                     = "egress"
    		58 |   from_port                = 8080
    		59 |   to_port                  = 8080
    		60 |   protocol                 = "tcp"
    		61 |   security_group_id        = aws_security_group.alb_eg2.id
    		62 |   source_security_group_id = aws_security_group.ec2_eg2.id
    		63 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.egress_alb_eg2_health_check
    	File: /lessons/127/terraform/7-example-2.tf:65-72
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		65 | resource "aws_security_group_rule" "egress_alb_eg2_health_check" {
    		66 |   type                     = "egress"
    		67 |   from_port                = 8081
    		68 |   to_port                  = 8081
    		69 |   protocol                 = "tcp"
    		70 |   security_group_id        = aws_security_group.alb_eg2.id
    		71 |   source_security_group_id = aws_security_group.ec2_eg2.id
    		72 | }
    
    Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
    	FAILED for resource: aws_launch_template.my_app_eg2
    	File: /lessons/127/terraform/7-example-2.tf:74-79
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
    
    		74 | resource "aws_launch_template" "my_app_eg2" {
    		75 |   name                   = "my-app-eg2"
    		76 |   image_id               = "ami-07309549f34230bcd"
    		77 |   key_name               = "devops"
    		78 |   vpc_security_group_ids = [aws_security_group.ec2_eg2.id]
    		79 | }
    
    Check: CKV_AWS_153: "Autoscaling groups should supply tags to launch configurations"
    	FAILED for resource: aws_autoscaling_group.my_app_eg2
    	File: /lessons/127/terraform/7-example-2.tf:99-123
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/autoscaling-groups-should-supply-tags-to-launch-configurations.html
    
    		99  | resource "aws_autoscaling_group" "my_app_eg2" {
    		100 |   name     = "my-app-eg2"
    		101 |   min_size = 1
    		102 |   max_size = 3
    		103 | 
    		104 |   health_check_type = "EC2"
    		105 | 
    		106 |   vpc_zone_identifier = [
    		107 |     aws_subnet.private_us_east_1a.id,
    		108 |     aws_subnet.private_us_east_1b.id
    		109 |   ]
    		110 | 
    		111 |   target_group_arns = [aws_lb_target_group.my_app_eg2.arn]
    		112 | 
    		113 |   mixed_instances_policy {
    		114 |     launch_template {
    		115 |       launch_template_specification {
    		116 |         launch_template_id = aws_launch_template.my_app_eg2.id
    		117 |       }
    		118 |       override {
    		119 |         instance_type = "t3.micro"
    		120 |       }
    		121 |     }
    		122 |   }
    		123 | }
    
    Check: CKV_AWS_315: "Ensure EC2 Auto Scaling groups use EC2 launch templates"
    	FAILED for resource: aws_autoscaling_group.my_app_eg2
    	File: /lessons/127/terraform/7-example-2.tf:99-123
    
    		99  | resource "aws_autoscaling_group" "my_app_eg2" {
    		100 |   name     = "my-app-eg2"
    		101 |   min_size = 1
    		102 |   max_size = 3
    		103 | 
    		104 |   health_check_type = "EC2"
    		105 | 
    		106 |   vpc_zone_identifier = [
    		107 |     aws_subnet.private_us_east_1a.id,
    		108 |     aws_subnet.private_us_east_1b.id
    		109 |   ]
    		110 | 
    		111 |   target_group_arns = [aws_lb_target_group.my_app_eg2.arn]
    		112 | 
    		113 |   mixed_instances_policy {
    		114 |     launch_template {
    		115 |       launch_template_specification {
    		116 |         launch_template_id = aws_launch_template.my_app_eg2.id
    		117 |       }
    		118 |       override {
    		119 |         instance_type = "t3.micro"
    		120 |       }
    		121 |     }
    		122 |   }
    		123 | }
    
    Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
    	FAILED for resource: aws_lb.my_app_eg2
    	File: /lessons/127/terraform/7-example-2.tf:141-151
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers.html
    
    		141 | resource "aws_lb" "my_app_eg2" {
    		142 |   name               = "my-app-eg2"
    		143 |   internal           = false
    		144 |   load_balancer_type = "application"
    		145 |   security_groups    = [aws_security_group.alb_eg2.id]
    		146 | 
    		147 |   subnets = [
    		148 |     aws_subnet.public_us_east_1a.id,
    		149 |     aws_subnet.public_us_east_1b.id
    		150 |   ]
    		151 | }
    
    Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
    	FAILED for resource: aws_lb.my_app_eg2
    	File: /lessons/127/terraform/7-example-2.tf:141-151
    	Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62
    
    		141 | resource "aws_lb" "my_app_eg2" {
    		142 |   name               = "my-app-eg2"
    		143 |   internal           = false
    		144 |   load_balancer_type = "application"
    		145 |   security_groups    = [aws_security_group.alb_eg2.id]
    		146 | 
    		147 |   subnets = [
    		148 |     aws_subnet.public_us_east_1a.id,
    		149 |     aws_subnet.public_us_east_1b.id
    		150 |   ]
    		151 | }
    
    Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
    	FAILED for resource: aws_lb.my_app_eg2
    	File: /lessons/127/terraform/7-example-2.tf:141-151
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22.html
    
    		141 | resource "aws_lb" "my_app_eg2" {
    		142 |   name               = "my-app-eg2"
    		143 |   internal           = false
    		144 |   load_balancer_type = "application"
    		145 |   security_groups    = [aws_security_group.alb_eg2.id]
    		146 | 
    		147 |   subnets = [
    		148 |     aws_subnet.public_us_east_1a.id,
    		149 |     aws_subnet.public_us_east_1b.id
    		150 |   ]
    		151 | }
    
    Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
    	FAILED for resource: aws_acm_certificate.api
    	File: /lessons/127/terraform/7-example-2.tf:179-182
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy.html
    
    		179 | resource "aws_acm_certificate" "api" {
    		180 |   domain_name       = "api.antonputra.com"
    		181 |   validation_method = "DNS"
    		182 | }
    
    Check: CKV_AWS_119: "Ensure DynamoDB Tables are encrypted using a KMS Customer Managed CMK"
    	FAILED for resource: aws_dynamodb_table.images
    	File: /lessons/128/terraform/3-dynamodb.tf:1-12
    	Guide: https://docs.bridgecrew.io/docs/ensure-that-dynamodb-tables-are-encrypted
    
    		1  | resource "aws_dynamodb_table" "images" {
    		2  |   name           = "images"
    		3  |   billing_mode   = "PROVISIONED"
    		4  |   read_capacity  = 5
    		5  |   write_capacity = 100
    		6  |   hash_key       = "last_modified_date"
    		7  | 
    		8  |   attribute {
    		9  |     name = "last_modified_date"
    		10 |     type = "S"
    		11 |   }
    		12 | }
    
    Check: CKV_AWS_28: "Ensure Dynamodb point in time recovery (backup) is enabled"
    	FAILED for resource: aws_dynamodb_table.images
    	File: /lessons/128/terraform/3-dynamodb.tf:1-12
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-6.html
    
    		1  | resource "aws_dynamodb_table" "images" {
    		2  |   name           = "images"
    		3  |   billing_mode   = "PROVISIONED"
    		4  |   read_capacity  = 5
    		5  |   write_capacity = 100
    		6  |   hash_key       = "last_modified_date"
    		7  | 
    		8  |   attribute {
    		9  |     name = "last_modified_date"
    		10 |     type = "S"
    		11 |   }
    		12 | }
    
    Check: CKV_AWS_50: "X-ray tracing is enabled for Lambda"
    	FAILED for resource: aws_lambda_function.rust
    	File: /lessons/128/terraform/4-rust-lambda.tf:78-96
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4.html
    
    		78 | resource "aws_lambda_function" "rust" {
    		79 |   function_name = "rust"
    		80 | 
    		81 |   s3_bucket = aws_s3_bucket.lambda_bucket.id
    		82 |   s3_key    = aws_s3_object.lambda_rust.key
    		83 | 
    		84 |   environment {
    		85 |     variables = {
    		86 |       BUCKET_NAME = aws_s3_bucket.images_bucket.id
    		87 |     }
    		88 |   }
    		89 | 
    		90 |   runtime = "provided.al2"
    		91 |   handler = "bootstrap"
    		92 | 
    		93 |   source_code_hash = data.archive_file.lambda_rust.output_base64sha256
    		94 | 
    		95 |   role = aws_iam_role.rust_lambda_exec.arn
    		96 | }
    
    Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
    	FAILED for resource: aws_lambda_function.rust
    	File: /lessons/128/terraform/4-rust-lambda.tf:78-96
    
    		78 | resource "aws_lambda_function" "rust" {
    		79 |   function_name = "rust"
    		80 | 
    		81 |   s3_bucket = aws_s3_bucket.lambda_bucket.id
    		82 |   s3_key    = aws_s3_object.lambda_rust.key
    		83 | 
    		84 |   environment {
    		85 |     variables = {
    		86 |       BUCKET_NAME = aws_s3_bucket.images_bucket.id
    		87 |     }
    		88 |   }
    		89 | 
    		90 |   runtime = "provided.al2"
    		91 |   handler = "bootstrap"
    		92 | 
    		93 |   source_code_hash = data.archive_file.lambda_rust.output_base64sha256
    		94 | 
    		95 |   role = aws_iam_role.rust_lambda_exec.arn
    		96 | }
    
    Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
    	FAILED for resource: aws_lambda_function.rust
    	File: /lessons/128/terraform/4-rust-lambda.tf:78-96
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5.html
    
    		78 | resource "aws_lambda_function" "rust" {
    		79 |   function_name = "rust"
    		80 | 
    		81 |   s3_bucket = aws_s3_bucket.lambda_bucket.id
    		82 |   s3_key    = aws_s3_object.lambda_rust.key
    		83 | 
    		84 |   environment {
    		85 |     variables = {
    		86 |       BUCKET_NAME = aws_s3_bucket.images_bucket.id
    		87 |     }
    		88 |   }
    		89 | 
    		90 |   runtime = "provided.al2"
    		91 |   handler = "bootstrap"
    		92 | 
    		93 |   source_code_hash = data.archive_file.lambda_rust.output_base64sha256
    		94 | 
    		95 |   role = aws_iam_role.rust_lambda_exec.arn
    		96 | }
    
    Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
    	FAILED for resource: aws_lambda_function.rust
    	File: /lessons/128/terraform/4-rust-lambda.tf:78-96
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit.html
    
    		78 | resource "aws_lambda_function" "rust" {
    		79 |   function_name = "rust"
    		80 | 
    		81 |   s3_bucket = aws_s3_bucket.lambda_bucket.id
    		82 |   s3_key    = aws_s3_object.lambda_rust.key
    		83 | 
    		84 |   environment {
    		85 |     variables = {
    		86 |       BUCKET_NAME = aws_s3_bucket.images_bucket.id
    		87 |     }
    		88 |   }
    		89 | 
    		90 |   runtime = "provided.al2"
    		91 |   handler = "bootstrap"
    		92 | 
    		93 |   source_code_hash = data.archive_file.lambda_rust.output_base64sha256
    		94 | 
    		95 |   role = aws_iam_role.rust_lambda_exec.arn
    		96 | }
    
    Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
    	FAILED for resource: aws_lambda_function.rust
    	File: /lessons/128/terraform/4-rust-lambda.tf:78-96
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq.html
    
    		78 | resource "aws_lambda_function" "rust" {
    		79 |   function_name = "rust"
    		80 | 
    		81 |   s3_bucket = aws_s3_bucket.lambda_bucket.id
    		82 |   s3_key    = aws_s3_object.lambda_rust.key
    		83 | 
    		84 |   environment {
    		85 |     variables = {
    		86 |       BUCKET_NAME = aws_s3_bucket.images_bucket.id
    		87 |     }
    		88 |   }
    		89 | 
    		90 |   runtime = "provided.al2"
    		91 |   handler = "bootstrap"
    		92 | 
    		93 |   source_code_hash = data.archive_file.lambda_rust.output_base64sha256
    		94 | 
    		95 |   role = aws_iam_role.rust_lambda_exec.arn
    		96 | }
    
    Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
    	FAILED for resource: aws_lambda_function.rust
    	File: /lessons/128/terraform/4-rust-lambda.tf:78-96
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1.html
    
    		78 | resource "aws_lambda_function" "rust" {
    		79 |   function_name = "rust"
    		80 | 
    		81 |   s3_bucket = aws_s3_bucket.lambda_bucket.id
    		82 |   s3_key    = aws_s3_object.lambda_rust.key
    		83 | 
    		84 |   environment {
    		85 |     variables = {
    		86 |       BUCKET_NAME = aws_s3_bucket.images_bucket.id
    		87 |     }
    		88 |   }
    		89 | 
    		90 |   runtime = "provided.al2"
    		91 |   handler = "bootstrap"
    		92 | 
    		93 |   source_code_hash = data.archive_file.lambda_rust.output_base64sha256
    		94 | 
    		95 |   role = aws_iam_role.rust_lambda_exec.arn
    		96 | }
    
    Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
    	FAILED for resource: aws_cloudwatch_log_group.rust
    	File: /lessons/128/terraform/4-rust-lambda.tf:98-102
    
    		98  | resource "aws_cloudwatch_log_group" "rust" {
    		99  |   name = "/aws/lambda/${aws_lambda_function.rust.function_name}"
    		100 | 
    		101 |   retention_in_days = 14
    		102 | }
    
    Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
    	FAILED for resource: aws_cloudwatch_log_group.rust
    	File: /lessons/128/terraform/4-rust-lambda.tf:98-102
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html
    
    		98  | resource "aws_cloudwatch_log_group" "rust" {
    		99  |   name = "/aws/lambda/${aws_lambda_function.rust.function_name}"
    		100 | 
    		101 |   retention_in_days = 14
    		102 | }
    
    Check: CKV_AWS_258: "Ensure that Lambda function URLs AuthType is not None"
    	FAILED for resource: aws_lambda_function_url.lambda_rust
    	File: /lessons/128/terraform/4-rust-lambda.tf:120-123
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-authtype-for-your-lambda-function-urls-is-defined.html
    
    		120 | resource "aws_lambda_function_url" "lambda_rust" {
    		121 |   function_name      = aws_lambda_function.rust.function_name
    		122 |   authorization_type = "NONE"
    		123 | }
    
    Check: CKV_AWS_50: "X-ray tracing is enabled for Lambda"
    	FAILED for resource: aws_lambda_function.go
    	File: /lessons/128/terraform/5-go-lambda.tf:78-96
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4.html
    
    		78 | resource "aws_lambda_function" "go" {
    		79 |   function_name = "go"
    		80 | 
    		81 |   s3_bucket = aws_s3_bucket.lambda_bucket.id
    		82 |   s3_key    = aws_s3_object.lambda_go.key
    		83 | 
    		84 |   environment {
    		85 |     variables = {
    		86 |       BUCKET_NAME = aws_s3_bucket.images_bucket.id
    		87 |     }
    		88 |   }
    		89 | 
    		90 |   runtime = "go1.x"
    		91 |   handler = "main"
    		92 | 
    		93 |   source_code_hash = data.archive_file.lambda_go.output_base64sha256
    		94 | 
    		95 |   role = aws_iam_role.go_lambda_exec.arn
    		96 | }
    
    Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
    	FAILED for resource: aws_lambda_function.go
    	File: /lessons/128/terraform/5-go-lambda.tf:78-96
    
    		78 | resource "aws_lambda_function" "go" {
    		79 |   function_name = "go"
    		80 | 
    		81 |   s3_bucket = aws_s3_bucket.lambda_bucket.id
    		82 |   s3_key    = aws_s3_object.lambda_go.key
    		83 | 
    		84 |   environment {
    		85 |     variables = {
    		86 |       BUCKET_NAME = aws_s3_bucket.images_bucket.id
    		87 |     }
    		88 |   }
    		89 | 
    		90 |   runtime = "go1.x"
    		91 |   handler = "main"
    		92 | 
    		93 |   source_code_hash = data.archive_file.lambda_go.output_base64sha256
    		94 | 
    		95 |   role = aws_iam_role.go_lambda_exec.arn
    		96 | }
    
    Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
    	FAILED for resource: aws_lambda_function.go
    	File: /lessons/128/terraform/5-go-lambda.tf:78-96
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5.html
    
    		78 | resource "aws_lambda_function" "go" {
    		79 |   function_name = "go"
    		80 | 
    		81 |   s3_bucket = aws_s3_bucket.lambda_bucket.id
    		82 |   s3_key    = aws_s3_object.lambda_go.key
    		83 | 
    		84 |   environment {
    		85 |     variables = {
    		86 |       BUCKET_NAME = aws_s3_bucket.images_bucket.id
    		87 |     }
    		88 |   }
    		89 | 
    		90 |   runtime = "go1.x"
    		91 |   handler = "main"
    		92 | 
    		93 |   source_code_hash = data.archive_file.lambda_go.output_base64sha256
    		94 | 
    		95 |   role = aws_iam_role.go_lambda_exec.arn
    		96 | }
    
    Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
    	FAILED for resource: aws_lambda_function.go
    	File: /lessons/128/terraform/5-go-lambda.tf:78-96
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit.html
    
    		78 | resource "aws_lambda_function" "go" {
    		79 |   function_name = "go"
    		80 | 
    		81 |   s3_bucket = aws_s3_bucket.lambda_bucket.id
    		82 |   s3_key    = aws_s3_object.lambda_go.key
    		83 | 
    		84 |   environment {
    		85 |     variables = {
    		86 |       BUCKET_NAME = aws_s3_bucket.images_bucket.id
    		87 |     }
    		88 |   }
    		89 | 
    		90 |   runtime = "go1.x"
    		91 |   handler = "main"
    		92 | 
    		93 |   source_code_hash = data.archive_file.lambda_go.output_base64sha256
    		94 | 
    		95 |   role = aws_iam_role.go_lambda_exec.arn
    		96 | }
    
    Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
    	FAILED for resource: aws_lambda_function.go
    	File: /lessons/128/terraform/5-go-lambda.tf:78-96
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq.html
    
    		78 | resource "aws_lambda_function" "go" {
    		79 |   function_name = "go"
    		80 | 
    		81 |   s3_bucket = aws_s3_bucket.lambda_bucket.id
    		82 |   s3_key    = aws_s3_object.lambda_go.key
    		83 | 
    		84 |   environment {
    		85 |     variables = {
    		86 |       BUCKET_NAME = aws_s3_bucket.images_bucket.id
    		87 |     }
    		88 |   }
    		89 | 
    		90 |   runtime = "go1.x"
    		91 |   handler = "main"
    		92 | 
    		93 |   source_code_hash = data.archive_file.lambda_go.output_base64sha256
    		94 | 
    		95 |   role = aws_iam_role.go_lambda_exec.arn
    		96 | }
    
    Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
    	FAILED for resource: aws_lambda_function.go
    	File: /lessons/128/terraform/5-go-lambda.tf:78-96
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1.html
    
    		78 | resource "aws_lambda_function" "go" {
    		79 |   function_name = "go"
    		80 | 
    		81 |   s3_bucket = aws_s3_bucket.lambda_bucket.id
    		82 |   s3_key    = aws_s3_object.lambda_go.key
    		83 | 
    		84 |   environment {
    		85 |     variables = {
    		86 |       BUCKET_NAME = aws_s3_bucket.images_bucket.id
    		87 |     }
    		88 |   }
    		89 | 
    		90 |   runtime = "go1.x"
    		91 |   handler = "main"
    		92 | 
    		93 |   source_code_hash = data.archive_file.lambda_go.output_base64sha256
    		94 | 
    		95 |   role = aws_iam_role.go_lambda_exec.arn
    		96 | }
    
    Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
    	FAILED for resource: aws_cloudwatch_log_group.go
    	File: /lessons/128/terraform/5-go-lambda.tf:98-102
    
    		98  | resource "aws_cloudwatch_log_group" "go" {
    		99  |   name = "/aws/lambda/${aws_lambda_function.go.function_name}"
    		100 | 
    		101 |   retention_in_days = 14
    		102 | }
    
    Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
    	FAILED for resource: aws_cloudwatch_log_group.go
    	File: /lessons/128/terraform/5-go-lambda.tf:98-102
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html
    
    		98  | resource "aws_cloudwatch_log_group" "go" {
    		99  |   name = "/aws/lambda/${aws_lambda_function.go.function_name}"
    		100 | 
    		101 |   retention_in_days = 14
    		102 | }
    
    Check: CKV_AWS_258: "Ensure that Lambda function URLs AuthType is not None"
    	FAILED for resource: aws_lambda_function_url.lambda_go
    	File: /lessons/128/terraform/5-go-lambda.tf:120-123
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-authtype-for-your-lambda-function-urls-is-defined.html
    
    		120 | resource "aws_lambda_function_url" "lambda_go" {
    		121 |   function_name      = aws_lambda_function.go.function_name
    		122 |   authorization_type = "NONE"
    		123 | }
    
    Check: CKV_AWS_50: "X-ray tracing is enabled for Lambda"
    	FAILED for resource: aws_lambda_function.go_custom
    	File: /lessons/128/terraform/6-go-custom-lambda.tf:78-96
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4.html
    
    		78 | resource "aws_lambda_function" "go_custom" {
    		79 |   function_name = "go-custom"
    		80 | 
    		81 |   s3_bucket = aws_s3_bucket.lambda_bucket.id
    		82 |   s3_key    = aws_s3_object.lambda_go_custom.key
    		83 | 
    		84 |   environment {
    		85 |     variables = {
    		86 |       BUCKET_NAME = aws_s3_bucket.images_bucket.id
    		87 |     }
    		88 |   }
    		89 | 
    		90 |   runtime = "provided.al2"
    		91 |   handler = "bootstrap"
    		92 | 
    		93 |   source_code_hash = data.archive_file.lambda_go_custom.output_base64sha256
    		94 | 
    		95 |   role = aws_iam_role.go_custom_lambda_exec.arn
    		96 | }
    
    Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
    	FAILED for resource: aws_lambda_function.go_custom
    	File: /lessons/128/terraform/6-go-custom-lambda.tf:78-96
    
    		78 | resource "aws_lambda_function" "go_custom" {
    		79 |   function_name = "go-custom"
    		80 | 
    		81 |   s3_bucket = aws_s3_bucket.lambda_bucket.id
    		82 |   s3_key    = aws_s3_object.lambda_go_custom.key
    		83 | 
    		84 |   environment {
    		85 |     variables = {
    		86 |       BUCKET_NAME = aws_s3_bucket.images_bucket.id
    		87 |     }
    		88 |   }
    		89 | 
    		90 |   runtime = "provided.al2"
    		91 |   handler = "bootstrap"
    		92 | 
    		93 |   source_code_hash = data.archive_file.lambda_go_custom.output_base64sha256
    		94 | 
    		95 |   role = aws_iam_role.go_custom_lambda_exec.arn
    		96 | }
    
    Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
    	FAILED for resource: aws_lambda_function.go_custom
    	File: /lessons/128/terraform/6-go-custom-lambda.tf:78-96
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5.html
    
    		78 | resource "aws_lambda_function" "go_custom" {
    		79 |   function_name = "go-custom"
    		80 | 
    		81 |   s3_bucket = aws_s3_bucket.lambda_bucket.id
    		82 |   s3_key    = aws_s3_object.lambda_go_custom.key
    		83 | 
    		84 |   environment {
    		85 |     variables = {
    		86 |       BUCKET_NAME = aws_s3_bucket.images_bucket.id
    		87 |     }
    		88 |   }
    		89 | 
    		90 |   runtime = "provided.al2"
    		91 |   handler = "bootstrap"
    		92 | 
    		93 |   source_code_hash = data.archive_file.lambda_go_custom.output_base64sha256
    		94 | 
    		95 |   role = aws_iam_role.go_custom_lambda_exec.arn
    		96 | }
    
    Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
    	FAILED for resource: aws_lambda_function.go_custom
    	File: /lessons/128/terraform/6-go-custom-lambda.tf:78-96
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit.html
    
    		78 | resource "aws_lambda_function" "go_custom" {
    		79 |   function_name = "go-custom"
    		80 | 
    		81 |   s3_bucket = aws_s3_bucket.lambda_bucket.id
    		82 |   s3_key    = aws_s3_object.lambda_go_custom.key
    		83 | 
    		84 |   environment {
    		85 |     variables = {
    		86 |       BUCKET_NAME = aws_s3_bucket.images_bucket.id
    		87 |     }
    		88 |   }
    		89 | 
    		90 |   runtime = "provided.al2"
    		91 |   handler = "bootstrap"
    		92 | 
    		93 |   source_code_hash = data.archive_file.lambda_go_custom.output_base64sha256
    		94 | 
    		95 |   role = aws_iam_role.go_custom_lambda_exec.arn
    		96 | }
    
    Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
    	FAILED for resource: aws_lambda_function.go_custom
    	File: /lessons/128/terraform/6-go-custom-lambda.tf:78-96
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq.html
    
    		78 | resource "aws_lambda_function" "go_custom" {
    		79 |   function_name = "go-custom"
    		80 | 
    		81 |   s3_bucket = aws_s3_bucket.lambda_bucket.id
    		82 |   s3_key    = aws_s3_object.lambda_go_custom.key
    		83 | 
    		84 |   environment {
    		85 |     variables = {
    		86 |       BUCKET_NAME = aws_s3_bucket.images_bucket.id
    		87 |     }
    		88 |   }
    		89 | 
    		90 |   runtime = "provided.al2"
    		91 |   handler = "bootstrap"
    		92 | 
    		93 |   source_code_hash = data.archive_file.lambda_go_custom.output_base64sha256
    		94 | 
    		95 |   role = aws_iam_role.go_custom_lambda_exec.arn
    		96 | }
    
    Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
    	FAILED for resource: aws_lambda_function.go_custom
    	File: /lessons/128/terraform/6-go-custom-lambda.tf:78-96
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1.html
    
    		78 | resource "aws_lambda_function" "go_custom" {
    		79 |   function_name = "go-custom"
    		80 | 
    		81 |   s3_bucket = aws_s3_bucket.lambda_bucket.id
    		82 |   s3_key    = aws_s3_object.lambda_go_custom.key
    		83 | 
    		84 |   environment {
    		85 |     variables = {
    		86 |       BUCKET_NAME = aws_s3_bucket.images_bucket.id
    		87 |     }
    		88 |   }
    		89 | 
    		90 |   runtime = "provided.al2"
    		91 |   handler = "bootstrap"
    		92 | 
    		93 |   source_code_hash = data.archive_file.lambda_go_custom.output_base64sha256
    		94 | 
    		95 |   role = aws_iam_role.go_custom_lambda_exec.arn
    		96 | }
    
    Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
    	FAILED for resource: aws_cloudwatch_log_group.go_custom
    	File: /lessons/128/terraform/6-go-custom-lambda.tf:98-102
    
    		98  | resource "aws_cloudwatch_log_group" "go_custom" {
    		99  |   name = "/aws/lambda/${aws_lambda_function.go_custom.function_name}"
    		100 | 
    		101 |   retention_in_days = 14
    		102 | }
    
    Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
    	FAILED for resource: aws_cloudwatch_log_group.go_custom
    	File: /lessons/128/terraform/6-go-custom-lambda.tf:98-102
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html
    
    		98  | resource "aws_cloudwatch_log_group" "go_custom" {
    		99  |   name = "/aws/lambda/${aws_lambda_function.go_custom.function_name}"
    		100 | 
    		101 |   retention_in_days = 14
    		102 | }
    
    Check: CKV_AWS_258: "Ensure that Lambda function URLs AuthType is not None"
    	FAILED for resource: aws_lambda_function_url.lambda_go_custom
    	File: /lessons/128/terraform/6-go-custom-lambda.tf:120-123
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-authtype-for-your-lambda-function-urls-is-defined.html
    
    		120 | resource "aws_lambda_function_url" "lambda_go_custom" {
    		121 |   function_name      = aws_lambda_function.go_custom.function_name
    		122 |   authorization_type = "NONE"
    		123 | }
    
    Check: CKV_AWS_50: "X-ray tracing is enabled for Lambda"
    	FAILED for resource: aws_lambda_function.go_hello
    	File: /lessons/129/terraform/2-aws-hello-world-function.tf:25-46
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4.html
    
    		25 | resource "aws_lambda_function" "go_hello" {
    		26 |   function_name = "hello-world"
    		27 | 
    		28 |   memory_size = 1024
    		29 |   timeout     = 60
    		30 | 
    		31 |   s3_bucket = aws_s3_bucket.functions.id
    		32 |   s3_key    = aws_s3_object.lambda_go_hello.key
    		33 | 
    		34 |   environment {
    		35 |     variables = {
    		36 |       BUCKET_NAME = aws_s3_bucket.images.id
    		37 |     }
    		38 |   }
    		39 | 
    		40 |   runtime = "go1.x"
    		41 |   handler = "main"
    		42 | 
    		43 |   source_code_hash = data.archive_file.lambda_go_hello.output_base64sha256
    		44 | 
    		45 |   role = aws_iam_role.go_hello_lambda_exec.arn
    		46 | }
    
    Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
    	FAILED for resource: aws_lambda_function.go_hello
    	File: /lessons/129/terraform/2-aws-hello-world-function.tf:25-46
    
    		25 | resource "aws_lambda_function" "go_hello" {
    		26 |   function_name = "hello-world"
    		27 | 
    		28 |   memory_size = 1024
    		29 |   timeout     = 60
    		30 | 
    		31 |   s3_bucket = aws_s3_bucket.functions.id
    		32 |   s3_key    = aws_s3_object.lambda_go_hello.key
    		33 | 
    		34 |   environment {
    		35 |     variables = {
    		36 |       BUCKET_NAME = aws_s3_bucket.images.id
    		37 |     }
    		38 |   }
    		39 | 
    		40 |   runtime = "go1.x"
    		41 |   handler = "main"
    		42 | 
    		43 |   source_code_hash = data.archive_file.lambda_go_hello.output_base64sha256
    		44 | 
    		45 |   role = aws_iam_role.go_hello_lambda_exec.arn
    		46 | }
    
    Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
    	FAILED for resource: aws_lambda_function.go_hello
    	File: /lessons/129/terraform/2-aws-hello-world-function.tf:25-46
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5.html
    
    		25 | resource "aws_lambda_function" "go_hello" {
    		26 |   function_name = "hello-world"
    		27 | 
    		28 |   memory_size = 1024
    		29 |   timeout     = 60
    		30 | 
    		31 |   s3_bucket = aws_s3_bucket.functions.id
    		32 |   s3_key    = aws_s3_object.lambda_go_hello.key
    		33 | 
    		34 |   environment {
    		35 |     variables = {
    		36 |       BUCKET_NAME = aws_s3_bucket.images.id
    		37 |     }
    		38 |   }
    		39 | 
    		40 |   runtime = "go1.x"
    		41 |   handler = "main"
    		42 | 
    		43 |   source_code_hash = data.archive_file.lambda_go_hello.output_base64sha256
    		44 | 
    		45 |   role = aws_iam_role.go_hello_lambda_exec.arn
    		46 | }
    
    Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
    	FAILED for resource: aws_lambda_function.go_hello
    	File: /lessons/129/terraform/2-aws-hello-world-function.tf:25-46
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit.html
    
    		25 | resource "aws_lambda_function" "go_hello" {
    		26 |   function_name = "hello-world"
    		27 | 
    		28 |   memory_size = 1024
    		29 |   timeout     = 60
    		30 | 
    		31 |   s3_bucket = aws_s3_bucket.functions.id
    		32 |   s3_key    = aws_s3_object.lambda_go_hello.key
    		33 | 
    		34 |   environment {
    		35 |     variables = {
    		36 |       BUCKET_NAME = aws_s3_bucket.images.id
    		37 |     }
    		38 |   }
    		39 | 
    		40 |   runtime = "go1.x"
    		41 |   handler = "main"
    		42 | 
    		43 |   source_code_hash = data.archive_file.lambda_go_hello.output_base64sha256
    		44 | 
    		45 |   role = aws_iam_role.go_hello_lambda_exec.arn
    		46 | }
    
    Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
    	FAILED for resource: aws_lambda_function.go_hello
    	File: /lessons/129/terraform/2-aws-hello-world-function.tf:25-46
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq.html
    
    		25 | resource "aws_lambda_function" "go_hello" {
    		26 |   function_name = "hello-world"
    		27 | 
    		28 |   memory_size = 1024
    		29 |   timeout     = 60
    		30 | 
    		31 |   s3_bucket = aws_s3_bucket.functions.id
    		32 |   s3_key    = aws_s3_object.lambda_go_hello.key
    		33 | 
    		34 |   environment {
    		35 |     variables = {
    		36 |       BUCKET_NAME = aws_s3_bucket.images.id
    		37 |     }
    		38 |   }
    		39 | 
    		40 |   runtime = "go1.x"
    		41 |   handler = "main"
    		42 | 
    		43 |   source_code_hash = data.archive_file.lambda_go_hello.output_base64sha256
    		44 | 
    		45 |   role = aws_iam_role.go_hello_lambda_exec.arn
    		46 | }
    
    Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
    	FAILED for resource: aws_lambda_function.go_hello
    	File: /lessons/129/terraform/2-aws-hello-world-function.tf:25-46
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1.html
    
    		25 | resource "aws_lambda_function" "go_hello" {
    		26 |   function_name = "hello-world"
    		27 | 
    		28 |   memory_size = 1024
    		29 |   timeout     = 60
    		30 | 
    		31 |   s3_bucket = aws_s3_bucket.functions.id
    		32 |   s3_key    = aws_s3_object.lambda_go_hello.key
    		33 | 
    		34 |   environment {
    		35 |     variables = {
    		36 |       BUCKET_NAME = aws_s3_bucket.images.id
    		37 |     }
    		38 |   }
    		39 | 
    		40 |   runtime = "go1.x"
    		41 |   handler = "main"
    		42 | 
    		43 |   source_code_hash = data.archive_file.lambda_go_hello.output_base64sha256
    		44 | 
    		45 |   role = aws_iam_role.go_hello_lambda_exec.arn
    		46 | }
    
    Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
    	FAILED for resource: aws_cloudwatch_log_group.go_hello
    	File: /lessons/129/terraform/2-aws-hello-world-function.tf:48-52
    
    		48 | resource "aws_cloudwatch_log_group" "go_hello" {
    		49 |   name = "/aws/lambda/${aws_lambda_function.go_hello.function_name}"
    		50 | 
    		51 |   retention_in_days = 14
    		52 | }
    
    Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
    	FAILED for resource: aws_cloudwatch_log_group.go_hello
    	File: /lessons/129/terraform/2-aws-hello-world-function.tf:48-52
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html
    
    		48 | resource "aws_cloudwatch_log_group" "go_hello" {
    		49 |   name = "/aws/lambda/${aws_lambda_function.go_hello.function_name}"
    		50 | 
    		51 |   retention_in_days = 14
    		52 | }
    
    Check: CKV_AWS_258: "Ensure that Lambda function URLs AuthType is not None"
    	FAILED for resource: aws_lambda_function_url.lambda_go_hello
    	File: /lessons/129/terraform/2-aws-hello-world-function.tf:70-73
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-authtype-for-your-lambda-function-urls-is-defined.html
    
    		70 | resource "aws_lambda_function_url" "lambda_go_hello" {
    		71 |   function_name      = aws_lambda_function.go_hello.function_name
    		72 |   authorization_type = "NONE"
    		73 | }
    
    Check: CKV_AWS_50: "X-ray tracing is enabled for Lambda"
    	FAILED for resource: aws_lambda_function.go
    	File: /lessons/129/terraform/3-aws-resizer-function.tf:45-66
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4.html
    
    		45 | resource "aws_lambda_function" "go" {
    		46 |   function_name = "resizer"
    		47 | 
    		48 |   memory_size = 1024
    		49 |   timeout     = 60
    		50 | 
    		51 |   s3_bucket = aws_s3_bucket.functions.id
    		52 |   s3_key    = aws_s3_object.lambda_go.key
    		53 | 
    		54 |   environment {
    		55 |     variables = {
    		56 |       BUCKET_NAME = aws_s3_bucket.images.id
    		57 |     }
    		58 |   }
    		59 | 
    		60 |   runtime = "go1.x"
    		61 |   handler = "main"
    		62 | 
    		63 |   source_code_hash = data.archive_file.lambda_go.output_base64sha256
    		64 | 
    		65 |   role = aws_iam_role.go_lambda_exec.arn
    		66 | }
    
    Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
    	FAILED for resource: aws_lambda_function.go
    	File: /lessons/129/terraform/3-aws-resizer-function.tf:45-66
    
    		45 | resource "aws_lambda_function" "go" {
    		46 |   function_name = "resizer"
    		47 | 
    		48 |   memory_size = 1024
    		49 |   timeout     = 60
    		50 | 
    		51 |   s3_bucket = aws_s3_bucket.functions.id
    		52 |   s3_key    = aws_s3_object.lambda_go.key
    		53 | 
    		54 |   environment {
    		55 |     variables = {
    		56 |       BUCKET_NAME = aws_s3_bucket.images.id
    		57 |     }
    		58 |   }
    		59 | 
    		60 |   runtime = "go1.x"
    		61 |   handler = "main"
    		62 | 
    		63 |   source_code_hash = data.archive_file.lambda_go.output_base64sha256
    		64 | 
    		65 |   role = aws_iam_role.go_lambda_exec.arn
    		66 | }
    
    Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
    	FAILED for resource: aws_lambda_function.go
    	File: /lessons/129/terraform/3-aws-resizer-function.tf:45-66
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5.html
    
    		45 | resource "aws_lambda_function" "go" {
    		46 |   function_name = "resizer"
    		47 | 
    		48 |   memory_size = 1024
    		49 |   timeout     = 60
    		50 | 
    		51 |   s3_bucket = aws_s3_bucket.functions.id
    		52 |   s3_key    = aws_s3_object.lambda_go.key
    		53 | 
    		54 |   environment {
    		55 |     variables = {
    		56 |       BUCKET_NAME = aws_s3_bucket.images.id
    		57 |     }
    		58 |   }
    		59 | 
    		60 |   runtime = "go1.x"
    		61 |   handler = "main"
    		62 | 
    		63 |   source_code_hash = data.archive_file.lambda_go.output_base64sha256
    		64 | 
    		65 |   role = aws_iam_role.go_lambda_exec.arn
    		66 | }
    
    Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
    	FAILED for resource: aws_lambda_function.go
    	File: /lessons/129/terraform/3-aws-resizer-function.tf:45-66
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit.html
    
    		45 | resource "aws_lambda_function" "go" {
    		46 |   function_name = "resizer"
    		47 | 
    		48 |   memory_size = 1024
    		49 |   timeout     = 60
    		50 | 
    		51 |   s3_bucket = aws_s3_bucket.functions.id
    		52 |   s3_key    = aws_s3_object.lambda_go.key
    		53 | 
    		54 |   environment {
    		55 |     variables = {
    		56 |       BUCKET_NAME = aws_s3_bucket.images.id
    		57 |     }
    		58 |   }
    		59 | 
    		60 |   runtime = "go1.x"
    		61 |   handler = "main"
    		62 | 
    		63 |   source_code_hash = data.archive_file.lambda_go.output_base64sha256
    		64 | 
    		65 |   role = aws_iam_role.go_lambda_exec.arn
    		66 | }
    
    Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
    	FAILED for resource: aws_lambda_function.go
    	File: /lessons/129/terraform/3-aws-resizer-function.tf:45-66
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq.html
    
    		45 | resource "aws_lambda_function" "go" {
    		46 |   function_name = "resizer"
    		47 | 
    		48 |   memory_size = 1024
    		49 |   timeout     = 60
    		50 | 
    		51 |   s3_bucket = aws_s3_bucket.functions.id
    		52 |   s3_key    = aws_s3_object.lambda_go.key
    		53 | 
    		54 |   environment {
    		55 |     variables = {
    		56 |       BUCKET_NAME = aws_s3_bucket.images.id
    		57 |     }
    		58 |   }
    		59 | 
    		60 |   runtime = "go1.x"
    		61 |   handler = "main"
    		62 | 
    		63 |   source_code_hash = data.archive_file.lambda_go.output_base64sha256
    		64 | 
    		65 |   role = aws_iam_role.go_lambda_exec.arn
    		66 | }
    
    Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
    	FAILED for resource: aws_lambda_function.go
    	File: /lessons/129/terraform/3-aws-resizer-function.tf:45-66
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1.html
    
    		45 | resource "aws_lambda_function" "go" {
    		46 |   function_name = "resizer"
    		47 | 
    		48 |   memory_size = 1024
    		49 |   timeout     = 60
    		50 | 
    		51 |   s3_bucket = aws_s3_bucket.functions.id
    		52 |   s3_key    = aws_s3_object.lambda_go.key
    		53 | 
    		54 |   environment {
    		55 |     variables = {
    		56 |       BUCKET_NAME = aws_s3_bucket.images.id
    		57 |     }
    		58 |   }
    		59 | 
    		60 |   runtime = "go1.x"
    		61 |   handler = "main"
    		62 | 
    		63 |   source_code_hash = data.archive_file.lambda_go.output_base64sha256
    		64 | 
    		65 |   role = aws_iam_role.go_lambda_exec.arn
    		66 | }
    
    Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
    	FAILED for resource: aws_cloudwatch_log_group.go
    	File: /lessons/129/terraform/3-aws-resizer-function.tf:68-72
    
    		68 | resource "aws_cloudwatch_log_group" "go" {
    		69 |   name = "/aws/lambda/${aws_lambda_function.go.function_name}"
    		70 | 
    		71 |   retention_in_days = 14
    		72 | }
    
    Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
    	FAILED for resource: aws_cloudwatch_log_group.go
    	File: /lessons/129/terraform/3-aws-resizer-function.tf:68-72
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html
    
    		68 | resource "aws_cloudwatch_log_group" "go" {
    		69 |   name = "/aws/lambda/${aws_lambda_function.go.function_name}"
    		70 | 
    		71 |   retention_in_days = 14
    		72 | }
    
    Check: CKV_AWS_258: "Ensure that Lambda function URLs AuthType is not None"
    	FAILED for resource: aws_lambda_function_url.lambda_go
    	File: /lessons/129/terraform/3-aws-resizer-function.tf:90-93
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-authtype-for-your-lambda-function-urls-is-defined.html
    
    		90 | resource "aws_lambda_function_url" "lambda_go" {
    		91 |   function_name      = aws_lambda_function.go.function_name
    		92 |   authorization_type = "NONE"
    		93 | }
    
    Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
    	FAILED for resource: google_storage_bucket.functions
    	File: /lessons/129/terraform/5-gcp-buckets.tf:2-7
    
    		2 | resource "google_storage_bucket" "functions" {
    		3 |   name                        = "functions-${random_id.lesson.hex}"
    		4 |   location                    = "US-EAST4"
    		5 |   force_destroy               = true
    		6 |   uniform_bucket_level_access = true
    		7 | }
    
    Check: CKV_GCP_78: "Ensure Cloud storage has versioning enabled"
    	FAILED for resource: google_storage_bucket.functions
    	File: /lessons/129/terraform/5-gcp-buckets.tf:2-7
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-cloud-storage-has-versioning-enabled.html
    
    		2 | resource "google_storage_bucket" "functions" {
    		3 |   name                        = "functions-${random_id.lesson.hex}"
    		4 |   location                    = "US-EAST4"
    		5 |   force_destroy               = true
    		6 |   uniform_bucket_level_access = true
    		7 | }
    
    Check: CKV_GCP_62: "Bucket should log access"
    	FAILED for resource: google_storage_bucket.functions
    	File: /lessons/129/terraform/5-gcp-buckets.tf:2-7
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-storage-gcs-policies/bc-gcp-logging-2.html
    
    		2 | resource "google_storage_bucket" "functions" {
    		3 |   name                        = "functions-${random_id.lesson.hex}"
    		4 |   location                    = "US-EAST4"
    		5 |   force_destroy               = true
    		6 |   uniform_bucket_level_access = true
    		7 | }
    
    Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
    	FAILED for resource: google_storage_bucket.images
    	File: /lessons/129/terraform/5-gcp-buckets.tf:10-15
    
    		10 | resource "google_storage_bucket" "images" {
    		11 |   name                        = "images-${random_id.lesson.hex}"
    		12 |   location                    = "US-EAST4"
    		13 |   force_destroy               = true
    		14 |   uniform_bucket_level_access = true
    		15 | }
    
    Check: CKV_GCP_78: "Ensure Cloud storage has versioning enabled"
    	FAILED for resource: google_storage_bucket.images
    	File: /lessons/129/terraform/5-gcp-buckets.tf:10-15
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-cloud-storage-has-versioning-enabled.html
    
    		10 | resource "google_storage_bucket" "images" {
    		11 |   name                        = "images-${random_id.lesson.hex}"
    		12 |   location                    = "US-EAST4"
    		13 |   force_destroy               = true
    		14 |   uniform_bucket_level_access = true
    		15 | }
    
    Check: CKV_GCP_62: "Bucket should log access"
    	FAILED for resource: google_storage_bucket.images
    	File: /lessons/129/terraform/5-gcp-buckets.tf:10-15
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-storage-gcs-policies/bc-gcp-logging-2.html
    
    		10 | resource "google_storage_bucket" "images" {
    		11 |   name                        = "images-${random_id.lesson.hex}"
    		12 |   location                    = "US-EAST4"
    		13 |   force_destroy               = true
    		14 |   uniform_bucket_level_access = true
    		15 | }
    
    Check: CKV_GCP_102: "Ensure that GCP Cloud Run services are not anonymously or publicly accessible"
    	FAILED for resource: google_cloud_run_service_iam_member.hello_world_member
    	File: /lessons/129/terraform/6-gcp-hello-world-function.tf:45-51
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-public-policies/ensure-cloud-run-service-is-not-anonymously-or-publicly-accessible.html
    
    		45 | resource "google_cloud_run_service_iam_member" "hello_world_member" {
    		46 |   project  = google_cloudfunctions2_function.hello_world.project
    		47 |   location = google_cloudfunctions2_function.hello_world.location
    		48 |   service  = google_cloudfunctions2_function.hello_world.name
    		49 |   role     = "roles/run.invoker"
    		50 |   member   = "allUsers"
    		51 | }
    
    Check: CKV_GCP_102: "Ensure that GCP Cloud Run services are not anonymously or publicly accessible"
    	FAILED for resource: google_cloud_run_service_iam_member.go_member
    	File: /lessons/129/terraform/7-gcp-resizer-function.tf:52-58
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-public-policies/ensure-cloud-run-service-is-not-anonymously-or-publicly-accessible.html
    
    		52 | resource "google_cloud_run_service_iam_member" "go_member" {
    		53 |   project  = google_cloudfunctions2_function.go.project
    		54 |   location = google_cloudfunctions2_function.go.location
    		55 |   service  = google_cloudfunctions2_function.go.name
    		56 |   role     = "roles/run.invoker"
    		57 |   member   = "allUsers"
    		58 | }
    
    Check: CKV_AWS_50: "X-ray tracing is enabled for Lambda"
    	FAILED for resource: aws_lambda_function.go_gs
    	File: /lessons/129/terraform/8-aws-gs-resizer-function.tf:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4.html
    
    		1  | resource "aws_lambda_function" "go_gs" {
    		2  |   function_name = "gs-resizer"
    		3  | 
    		4  |   memory_size = 1024
    		5  |   timeout     = 60
    		6  | 
    		7  |   s3_bucket = aws_s3_bucket.functions.id
    		8  |   s3_key    = aws_s3_object.lambda_go_gs.key
    		9  | 
    		10 |   environment {
    		11 |     variables = {
    		12 |       BUCKET_NAME = google_storage_bucket.images.id
    		13 |     }
    		14 |   }
    		15 | 
    		16 |   runtime = "go1.x"
    		17 |   handler = "main"
    		18 | 
    		19 |   source_code_hash = data.archive_file.lambda_go_gs.output_base64sha256
    		20 | 
    		21 |   role = aws_iam_role.go_lambda_exec.arn
    		22 | }
    
    Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
    	FAILED for resource: aws_lambda_function.go_gs
    	File: /lessons/129/terraform/8-aws-gs-resizer-function.tf:1-22
    
    		1  | resource "aws_lambda_function" "go_gs" {
    		2  |   function_name = "gs-resizer"
    		3  | 
    		4  |   memory_size = 1024
    		5  |   timeout     = 60
    		6  | 
    		7  |   s3_bucket = aws_s3_bucket.functions.id
    		8  |   s3_key    = aws_s3_object.lambda_go_gs.key
    		9  | 
    		10 |   environment {
    		11 |     variables = {
    		12 |       BUCKET_NAME = google_storage_bucket.images.id
    		13 |     }
    		14 |   }
    		15 | 
    		16 |   runtime = "go1.x"
    		17 |   handler = "main"
    		18 | 
    		19 |   source_code_hash = data.archive_file.lambda_go_gs.output_base64sha256
    		20 | 
    		21 |   role = aws_iam_role.go_lambda_exec.arn
    		22 | }
    
    Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
    	FAILED for resource: aws_lambda_function.go_gs
    	File: /lessons/129/terraform/8-aws-gs-resizer-function.tf:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5.html
    
    		1  | resource "aws_lambda_function" "go_gs" {
    		2  |   function_name = "gs-resizer"
    		3  | 
    		4  |   memory_size = 1024
    		5  |   timeout     = 60
    		6  | 
    		7  |   s3_bucket = aws_s3_bucket.functions.id
    		8  |   s3_key    = aws_s3_object.lambda_go_gs.key
    		9  | 
    		10 |   environment {
    		11 |     variables = {
    		12 |       BUCKET_NAME = google_storage_bucket.images.id
    		13 |     }
    		14 |   }
    		15 | 
    		16 |   runtime = "go1.x"
    		17 |   handler = "main"
    		18 | 
    		19 |   source_code_hash = data.archive_file.lambda_go_gs.output_base64sha256
    		20 | 
    		21 |   role = aws_iam_role.go_lambda_exec.arn
    		22 | }
    
    Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
    	FAILED for resource: aws_lambda_function.go_gs
    	File: /lessons/129/terraform/8-aws-gs-resizer-function.tf:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit.html
    
    		1  | resource "aws_lambda_function" "go_gs" {
    		2  |   function_name = "gs-resizer"
    		3  | 
    		4  |   memory_size = 1024
    		5  |   timeout     = 60
    		6  | 
    		7  |   s3_bucket = aws_s3_bucket.functions.id
    		8  |   s3_key    = aws_s3_object.lambda_go_gs.key
    		9  | 
    		10 |   environment {
    		11 |     variables = {
    		12 |       BUCKET_NAME = google_storage_bucket.images.id
    		13 |     }
    		14 |   }
    		15 | 
    		16 |   runtime = "go1.x"
    		17 |   handler = "main"
    		18 | 
    		19 |   source_code_hash = data.archive_file.lambda_go_gs.output_base64sha256
    		20 | 
    		21 |   role = aws_iam_role.go_lambda_exec.arn
    		22 | }
    
    Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
    	FAILED for resource: aws_lambda_function.go_gs
    	File: /lessons/129/terraform/8-aws-gs-resizer-function.tf:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq.html
    
    		1  | resource "aws_lambda_function" "go_gs" {
    		2  |   function_name = "gs-resizer"
    		3  | 
    		4  |   memory_size = 1024
    		5  |   timeout     = 60
    		6  | 
    		7  |   s3_bucket = aws_s3_bucket.functions.id
    		8  |   s3_key    = aws_s3_object.lambda_go_gs.key
    		9  | 
    		10 |   environment {
    		11 |     variables = {
    		12 |       BUCKET_NAME = google_storage_bucket.images.id
    		13 |     }
    		14 |   }
    		15 | 
    		16 |   runtime = "go1.x"
    		17 |   handler = "main"
    		18 | 
    		19 |   source_code_hash = data.archive_file.lambda_go_gs.output_base64sha256
    		20 | 
    		21 |   role = aws_iam_role.go_lambda_exec.arn
    		22 | }
    
    Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
    	FAILED for resource: aws_lambda_function.go_gs
    	File: /lessons/129/terraform/8-aws-gs-resizer-function.tf:1-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1.html
    
    		1  | resource "aws_lambda_function" "go_gs" {
    		2  |   function_name = "gs-resizer"
    		3  | 
    		4  |   memory_size = 1024
    		5  |   timeout     = 60
    		6  | 
    		7  |   s3_bucket = aws_s3_bucket.functions.id
    		8  |   s3_key    = aws_s3_object.lambda_go_gs.key
    		9  | 
    		10 |   environment {
    		11 |     variables = {
    		12 |       BUCKET_NAME = google_storage_bucket.images.id
    		13 |     }
    		14 |   }
    		15 | 
    		16 |   runtime = "go1.x"
    		17 |   handler = "main"
    		18 | 
    		19 |   source_code_hash = data.archive_file.lambda_go_gs.output_base64sha256
    		20 | 
    		21 |   role = aws_iam_role.go_lambda_exec.arn
    		22 | }
    
    Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
    	FAILED for resource: aws_cloudwatch_log_group.go_gs
    	File: /lessons/129/terraform/8-aws-gs-resizer-function.tf:24-28
    
    		24 | resource "aws_cloudwatch_log_group" "go_gs" {
    		25 |   name = "/aws/lambda/${aws_lambda_function.go_gs.function_name}"
    		26 | 
    		27 |   retention_in_days = 14
    		28 | }
    
    Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
    	FAILED for resource: aws_cloudwatch_log_group.go_gs
    	File: /lessons/129/terraform/8-aws-gs-resizer-function.tf:24-28
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html
    
    		24 | resource "aws_cloudwatch_log_group" "go_gs" {
    		25 |   name = "/aws/lambda/${aws_lambda_function.go_gs.function_name}"
    		26 | 
    		27 |   retention_in_days = 14
    		28 | }
    
    Check: CKV_AWS_258: "Ensure that Lambda function URLs AuthType is not None"
    	FAILED for resource: aws_lambda_function_url.lambda_go_gs
    	File: /lessons/129/terraform/8-aws-gs-resizer-function.tf:46-49
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-authtype-for-your-lambda-function-urls-is-defined.html
    
    		46 | resource "aws_lambda_function_url" "lambda_go_gs" {
    		47 |   function_name      = aws_lambda_function.go_gs.function_name
    		48 |   authorization_type = "NONE"
    		49 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group.my_app
    	File: /lessons/130/terraform/12-ec2.tf:1-28
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		1  | resource "aws_security_group" "my_app" {
    		2  |   name        = "my-app"
    		3  |   description = "Allow My App Access"
    		4  |   vpc_id      = aws_vpc.main.id
    		5  | 
    		6  |   ingress {
    		7  |     description     = "Allow Node Exporter Access"
    		8  |     from_port       = 9100
    		9  |     to_port         = 9100
    		10 |     protocol        = "tcp"
    		11 |     security_groups = [aws_eks_cluster.demo.vpc_config[0].cluster_security_group_id]
    		12 |   }
    		13 | 
    		14 |   ingress {
    		15 |     description = "Allow SSH Access"
    		16 |     from_port   = 22
    		17 |     to_port     = 22
    		18 |     protocol    = "tcp"
    		19 |     cidr_blocks = ["0.0.0.0/0"]
    		20 |   }
    		21 | 
    		22 |   egress {
    		23 |     from_port   = 0
    		24 |     to_port     = 0
    		25 |     protocol    = "-1"
    		26 |     cidr_blocks = ["0.0.0.0/0"]
    		27 |   }
    		28 | }
    
    Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
    	FAILED for resource: aws_security_group.my_app
    	File: /lessons/130/terraform/12-ec2.tf:1-28
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-1-port-security.html
    
    		1  | resource "aws_security_group" "my_app" {
    		2  |   name        = "my-app"
    		3  |   description = "Allow My App Access"
    		4  |   vpc_id      = aws_vpc.main.id
    		5  | 
    		6  |   ingress {
    		7  |     description     = "Allow Node Exporter Access"
    		8  |     from_port       = 9100
    		9  |     to_port         = 9100
    		10 |     protocol        = "tcp"
    		11 |     security_groups = [aws_eks_cluster.demo.vpc_config[0].cluster_security_group_id]
    		12 |   }
    		13 | 
    		14 |   ingress {
    		15 |     description = "Allow SSH Access"
    		16 |     from_port   = 22
    		17 |     to_port     = 22
    		18 |     protocol    = "tcp"
    		19 |     cidr_blocks = ["0.0.0.0/0"]
    		20 |   }
    		21 | 
    		22 |   egress {
    		23 |     from_port   = 0
    		24 |     to_port     = 0
    		25 |     protocol    = "-1"
    		26 |     cidr_blocks = ["0.0.0.0/0"]
    		27 |   }
    		28 | }
    
    Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
    	FAILED for resource: aws_instance.my_app
    	File: /lessons/130/terraform/12-ec2.tf:46-91
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
    
    		46 | resource "aws_instance" "my_app" {
    		47 |   ami                    = data.aws_ami.ubuntu.id
    		48 |   instance_type          = "t3.micro"
    		49 |   key_name               = "devops"
    		50 |   subnet_id              = aws_subnet.public_us_east_1a.id
    		51 |   vpc_security_group_ids = [aws_security_group.my_app.id]
    		52 | 
    		53 |   user_data = <> /etc/systemd/system/node_exporter.service
    		63 | [Unit]
    		64 | Description=Node Exporter
    		65 | Wants=network-online.target
    		66 | After=network-online.target
    		67 | 
    		68 | StartLimitIntervalSec=500
    		69 | StartLimitBurst=5
    		70 | 
    		71 | [Service]
    		72 | User=node_exporter
    		73 | Group=node_exporter
    		74 | Type=simple
    		75 | Restart=on-failure
    		76 | RestartSec=5s
    		77 | ExecStart=/usr/local/bin/node_exporter
    		78 | 
    		79 | [Install]
    		80 | WantedBy=multi-user.target
    		81 | EOT
    		82 | 
    		83 | systemctl enable node_exporter
    		84 | systemctl start node_exporter
    		85 | EOF
    		86 | 
    		87 |   tags = {
    		88 |     Name          = "My App"
    		89 |     node-exporter = "true"
    		90 |   }
    		91 | }
    
    Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
    	FAILED for resource: aws_instance.my_app
    	File: /lessons/130/terraform/12-ec2.tf:46-91
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
    
    		46 | resource "aws_instance" "my_app" {
    		47 |   ami                    = data.aws_ami.ubuntu.id
    		48 |   instance_type          = "t3.micro"
    		49 |   key_name               = "devops"
    		50 |   subnet_id              = aws_subnet.public_us_east_1a.id
    		51 |   vpc_security_group_ids = [aws_security_group.my_app.id]
    		52 | 
    		53 |   user_data = <> /etc/systemd/system/node_exporter.service
    		63 | [Unit]
    		64 | Description=Node Exporter
    		65 | Wants=network-online.target
    		66 | After=network-online.target
    		67 | 
    		68 | StartLimitIntervalSec=500
    		69 | StartLimitBurst=5
    		70 | 
    		71 | [Service]
    		72 | User=node_exporter
    		73 | Group=node_exporter
    		74 | Type=simple
    		75 | Restart=on-failure
    		76 | RestartSec=5s
    		77 | ExecStart=/usr/local/bin/node_exporter
    		78 | 
    		79 | [Install]
    		80 | WantedBy=multi-user.target
    		81 | EOT
    		82 | 
    		83 | systemctl enable node_exporter
    		84 | systemctl start node_exporter
    		85 | EOF
    		86 | 
    		87 |   tags = {
    		88 |     Name          = "My App"
    		89 |     node-exporter = "true"
    		90 |   }
    		91 | }
    
    Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
    	FAILED for resource: aws_instance.my_app
    	File: /lessons/130/terraform/12-ec2.tf:46-91
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
    
    		46 | resource "aws_instance" "my_app" {
    		47 |   ami                    = data.aws_ami.ubuntu.id
    		48 |   instance_type          = "t3.micro"
    		49 |   key_name               = "devops"
    		50 |   subnet_id              = aws_subnet.public_us_east_1a.id
    		51 |   vpc_security_group_ids = [aws_security_group.my_app.id]
    		52 | 
    		53 |   user_data = <> /etc/systemd/system/node_exporter.service
    		63 | [Unit]
    		64 | Description=Node Exporter
    		65 | Wants=network-online.target
    		66 | After=network-online.target
    		67 | 
    		68 | StartLimitIntervalSec=500
    		69 | StartLimitBurst=5
    		70 | 
    		71 | [Service]
    		72 | User=node_exporter
    		73 | Group=node_exporter
    		74 | Type=simple
    		75 | Restart=on-failure
    		76 | RestartSec=5s
    		77 | ExecStart=/usr/local/bin/node_exporter
    		78 | 
    		79 | [Install]
    		80 | WantedBy=multi-user.target
    		81 | EOT
    		82 | 
    		83 | systemctl enable node_exporter
    		84 | systemctl start node_exporter
    		85 | EOF
    		86 | 
    		87 |   tags = {
    		88 |     Name          = "My App"
    		89 |     node-exporter = "true"
    		90 |   }
    		91 | }
    
    Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
    	FAILED for resource: aws_instance.my_app
    	File: /lessons/130/terraform/12-ec2.tf:46-91
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
    
    		46 | resource "aws_instance" "my_app" {
    		47 |   ami                    = data.aws_ami.ubuntu.id
    		48 |   instance_type          = "t3.micro"
    		49 |   key_name               = "devops"
    		50 |   subnet_id              = aws_subnet.public_us_east_1a.id
    		51 |   vpc_security_group_ids = [aws_security_group.my_app.id]
    		52 | 
    		53 |   user_data = <> /etc/systemd/system/node_exporter.service
    		63 | [Unit]
    		64 | Description=Node Exporter
    		65 | Wants=network-online.target
    		66 | After=network-online.target
    		67 | 
    		68 | StartLimitIntervalSec=500
    		69 | StartLimitBurst=5
    		70 | 
    		71 | [Service]
    		72 | User=node_exporter
    		73 | Group=node_exporter
    		74 | Type=simple
    		75 | Restart=on-failure
    		76 | RestartSec=5s
    		77 | ExecStart=/usr/local/bin/node_exporter
    		78 | 
    		79 | [Install]
    		80 | WantedBy=multi-user.target
    		81 | EOT
    		82 | 
    		83 | systemctl enable node_exporter
    		84 | systemctl start node_exporter
    		85 | EOF
    		86 | 
    		87 |   tags = {
    		88 |     Name          = "My App"
    		89 |     node-exporter = "true"
    		90 |   }
    		91 | }
    
    Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
    	FAILED for resource: aws_subnet.public_us_east_1a
    	File: /lessons/130/terraform/3-subnets.tf:25-36
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
    
    		25 | resource "aws_subnet" "public_us_east_1a" {
    		26 |   vpc_id                  = aws_vpc.main.id
    		27 |   cidr_block              = "10.0.64.0/19"
    		28 |   availability_zone       = "us-east-1a"
    		29 |   map_public_ip_on_launch = true
    		30 | 
    		31 |   tags = {
    		32 |     "Name"                       = "public-us-east-1a"
    		33 |     "kubernetes.io/role/elb"     = "1"
    		34 |     "kubernetes.io/cluster/demo" = "owned"
    		35 |   }
    		36 | }
    
    Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
    	FAILED for resource: aws_subnet.public_us_east_1b
    	File: /lessons/130/terraform/3-subnets.tf:38-49
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
    
    		38 | resource "aws_subnet" "public_us_east_1b" {
    		39 |   vpc_id                  = aws_vpc.main.id
    		40 |   cidr_block              = "10.0.96.0/19"
    		41 |   availability_zone       = "us-east-1b"
    		42 |   map_public_ip_on_launch = true
    		43 | 
    		44 |   tags = {
    		45 |     "Name"                       = "public-us-east-1b"
    		46 |     "kubernetes.io/role/elb"     = "1"
    		47 |     "kubernetes.io/cluster/demo" = "owned"
    		48 |   }
    		49 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.demo
    	File: /lessons/130/terraform/6-eks.tf:25-39
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		25 | resource "aws_eks_cluster" "demo" {
    		26 |   name     = "demo"
    		27 |   role_arn = aws_iam_role.demo.arn
    		28 | 
    		29 |   vpc_config {
    		30 |     subnet_ids = [
    		31 |       aws_subnet.private_us_east_1a.id,
    		32 |       aws_subnet.private_us_east_1b.id,
    		33 |       aws_subnet.public_us_east_1a.id,
    		34 |       aws_subnet.public_us_east_1b.id
    		35 |     ]
    		36 |   }
    		37 | 
    		38 |   depends_on = [aws_iam_role_policy_attachment.demo_amazon_eks_cluster_policy]
    		39 | }
    
    Check: CKV_AWS_37: "Ensure Amazon EKS control plane logging enabled for all log types"
    	FAILED for resource: aws_eks_cluster.demo
    	File: /lessons/130/terraform/6-eks.tf:25-39
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-4.html
    
    		25 | resource "aws_eks_cluster" "demo" {
    		26 |   name     = "demo"
    		27 |   role_arn = aws_iam_role.demo.arn
    		28 | 
    		29 |   vpc_config {
    		30 |     subnet_ids = [
    		31 |       aws_subnet.private_us_east_1a.id,
    		32 |       aws_subnet.private_us_east_1b.id,
    		33 |       aws_subnet.public_us_east_1a.id,
    		34 |       aws_subnet.public_us_east_1b.id
    		35 |     ]
    		36 |   }
    		37 | 
    		38 |   depends_on = [aws_iam_role_policy_attachment.demo_amazon_eks_cluster_policy]
    		39 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.demo
    	File: /lessons/130/terraform/6-eks.tf:25-39
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		25 | resource "aws_eks_cluster" "demo" {
    		26 |   name     = "demo"
    		27 |   role_arn = aws_iam_role.demo.arn
    		28 | 
    		29 |   vpc_config {
    		30 |     subnet_ids = [
    		31 |       aws_subnet.private_us_east_1a.id,
    		32 |       aws_subnet.private_us_east_1b.id,
    		33 |       aws_subnet.public_us_east_1a.id,
    		34 |       aws_subnet.public_us_east_1b.id
    		35 |     ]
    		36 |   }
    		37 | 
    		38 |   depends_on = [aws_iam_role_policy_attachment.demo_amazon_eks_cluster_policy]
    		39 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.demo
    	File: /lessons/130/terraform/6-eks.tf:25-39
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		25 | resource "aws_eks_cluster" "demo" {
    		26 |   name     = "demo"
    		27 |   role_arn = aws_iam_role.demo.arn
    		28 | 
    		29 |   vpc_config {
    		30 |     subnet_ids = [
    		31 |       aws_subnet.private_us_east_1a.id,
    		32 |       aws_subnet.private_us_east_1b.id,
    		33 |       aws_subnet.public_us_east_1a.id,
    		34 |       aws_subnet.public_us_east_1b.id
    		35 |     ]
    		36 |   }
    		37 | 
    		38 |   depends_on = [aws_iam_role_policy_attachment.demo_amazon_eks_cluster_policy]
    		39 | }
    
    Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
    	FAILED for resource: aws_cloudwatch_log_group.prometheus_demo
    	File: /lessons/130/terraform/9-prometheus.tf:1-4
    
    		1 | resource "aws_cloudwatch_log_group" "prometheus_demo" {
    		2 |   name              = "/aws/prometheus/demo"
    		3 |   retention_in_days = 14
    		4 | }
    
    Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
    	FAILED for resource: aws_cloudwatch_log_group.prometheus_demo
    	File: /lessons/130/terraform/9-prometheus.tf:1-4
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html
    
    		1 | resource "aws_cloudwatch_log_group" "prometheus_demo" {
    		2 |   name              = "/aws/prometheus/demo"
    		3 |   retention_in_days = 14
    		4 | }
    
    Check: CKV_AWS_50: "X-ray tracing is enabled for Lambda"
    	FAILED for resource: aws_lambda_function.prometheus_slack
    	File: /lessons/131/terraform/12-lambda-prometheus-slack.tf:46-58
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4.html
    
    		46 | resource "aws_lambda_function" "prometheus_slack" {
    		47 |   function_name = "prometheus-slack"
    		48 | 
    		49 |   s3_bucket = aws_s3_bucket.lambda_bucket.id
    		50 |   s3_key    = aws_s3_object.prometheus_slack.key
    		51 | 
    		52 |   runtime = "python3.9"
    		53 |   handler = "function.lambda_handler"
    		54 | 
    		55 |   source_code_hash = data.archive_file.prometheus_slack.output_base64sha256
    		56 | 
    		57 |   role = aws_iam_role.prometheus_slack.arn
    		58 | }
    
    Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
    	FAILED for resource: aws_lambda_function.prometheus_slack
    	File: /lessons/131/terraform/12-lambda-prometheus-slack.tf:46-58
    
    		46 | resource "aws_lambda_function" "prometheus_slack" {
    		47 |   function_name = "prometheus-slack"
    		48 | 
    		49 |   s3_bucket = aws_s3_bucket.lambda_bucket.id
    		50 |   s3_key    = aws_s3_object.prometheus_slack.key
    		51 | 
    		52 |   runtime = "python3.9"
    		53 |   handler = "function.lambda_handler"
    		54 | 
    		55 |   source_code_hash = data.archive_file.prometheus_slack.output_base64sha256
    		56 | 
    		57 |   role = aws_iam_role.prometheus_slack.arn
    		58 | }
    
    Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
    	FAILED for resource: aws_lambda_function.prometheus_slack
    	File: /lessons/131/terraform/12-lambda-prometheus-slack.tf:46-58
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit.html
    
    		46 | resource "aws_lambda_function" "prometheus_slack" {
    		47 |   function_name = "prometheus-slack"
    		48 | 
    		49 |   s3_bucket = aws_s3_bucket.lambda_bucket.id
    		50 |   s3_key    = aws_s3_object.prometheus_slack.key
    		51 | 
    		52 |   runtime = "python3.9"
    		53 |   handler = "function.lambda_handler"
    		54 | 
    		55 |   source_code_hash = data.archive_file.prometheus_slack.output_base64sha256
    		56 | 
    		57 |   role = aws_iam_role.prometheus_slack.arn
    		58 | }
    
    Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
    	FAILED for resource: aws_lambda_function.prometheus_slack
    	File: /lessons/131/terraform/12-lambda-prometheus-slack.tf:46-58
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq.html
    
    		46 | resource "aws_lambda_function" "prometheus_slack" {
    		47 |   function_name = "prometheus-slack"
    		48 | 
    		49 |   s3_bucket = aws_s3_bucket.lambda_bucket.id
    		50 |   s3_key    = aws_s3_object.prometheus_slack.key
    		51 | 
    		52 |   runtime = "python3.9"
    		53 |   handler = "function.lambda_handler"
    		54 | 
    		55 |   source_code_hash = data.archive_file.prometheus_slack.output_base64sha256
    		56 | 
    		57 |   role = aws_iam_role.prometheus_slack.arn
    		58 | }
    
    Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
    	FAILED for resource: aws_lambda_function.prometheus_slack
    	File: /lessons/131/terraform/12-lambda-prometheus-slack.tf:46-58
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1.html
    
    		46 | resource "aws_lambda_function" "prometheus_slack" {
    		47 |   function_name = "prometheus-slack"
    		48 | 
    		49 |   s3_bucket = aws_s3_bucket.lambda_bucket.id
    		50 |   s3_key    = aws_s3_object.prometheus_slack.key
    		51 | 
    		52 |   runtime = "python3.9"
    		53 |   handler = "function.lambda_handler"
    		54 | 
    		55 |   source_code_hash = data.archive_file.prometheus_slack.output_base64sha256
    		56 | 
    		57 |   role = aws_iam_role.prometheus_slack.arn
    		58 | }
    
    Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
    	FAILED for resource: aws_cloudwatch_log_group.prometheus_slack
    	File: /lessons/131/terraform/12-lambda-prometheus-slack.tf:61-65
    
    		61 | resource "aws_cloudwatch_log_group" "prometheus_slack" {
    		62 |   name = "/aws/lambda/${aws_lambda_function.prometheus_slack.function_name}"
    		63 | 
    		64 |   retention_in_days = 14
    		65 | }
    
    Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
    	FAILED for resource: aws_cloudwatch_log_group.prometheus_slack
    	File: /lessons/131/terraform/12-lambda-prometheus-slack.tf:61-65
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html
    
    		61 | resource "aws_cloudwatch_log_group" "prometheus_slack" {
    		62 |   name = "/aws/lambda/${aws_lambda_function.prometheus_slack.function_name}"
    		63 | 
    		64 |   retention_in_days = 14
    		65 | }
    
    Check: CKV_AWS_50: "X-ray tracing is enabled for Lambda"
    	FAILED for resource: aws_lambda_function.prometheus_pagerduty
    	File: /lessons/131/terraform/13-lambda-prometheus-pagerduty.tf:46-58
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4.html
    
    		46 | resource "aws_lambda_function" "prometheus_pagerduty" {
    		47 |   function_name = "prometheus-pagerduty"
    		48 | 
    		49 |   s3_bucket = aws_s3_bucket.lambda_bucket.id
    		50 |   s3_key    = aws_s3_object.prometheus_pagerduty.key
    		51 | 
    		52 |   runtime = "python3.9"
    		53 |   handler = "function.lambda_handler"
    		54 | 
    		55 |   source_code_hash = data.archive_file.prometheus_pagerduty.output_base64sha256
    		56 | 
    		57 |   role = aws_iam_role.prometheus_pagerduty.arn
    		58 | }
    
    Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
    	FAILED for resource: aws_lambda_function.prometheus_pagerduty
    	File: /lessons/131/terraform/13-lambda-prometheus-pagerduty.tf:46-58
    
    		46 | resource "aws_lambda_function" "prometheus_pagerduty" {
    		47 |   function_name = "prometheus-pagerduty"
    		48 | 
    		49 |   s3_bucket = aws_s3_bucket.lambda_bucket.id
    		50 |   s3_key    = aws_s3_object.prometheus_pagerduty.key
    		51 | 
    		52 |   runtime = "python3.9"
    		53 |   handler = "function.lambda_handler"
    		54 | 
    		55 |   source_code_hash = data.archive_file.prometheus_pagerduty.output_base64sha256
    		56 | 
    		57 |   role = aws_iam_role.prometheus_pagerduty.arn
    		58 | }
    
    Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
    	FAILED for resource: aws_lambda_function.prometheus_pagerduty
    	File: /lessons/131/terraform/13-lambda-prometheus-pagerduty.tf:46-58
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit.html
    
    		46 | resource "aws_lambda_function" "prometheus_pagerduty" {
    		47 |   function_name = "prometheus-pagerduty"
    		48 | 
    		49 |   s3_bucket = aws_s3_bucket.lambda_bucket.id
    		50 |   s3_key    = aws_s3_object.prometheus_pagerduty.key
    		51 | 
    		52 |   runtime = "python3.9"
    		53 |   handler = "function.lambda_handler"
    		54 | 
    		55 |   source_code_hash = data.archive_file.prometheus_pagerduty.output_base64sha256
    		56 | 
    		57 |   role = aws_iam_role.prometheus_pagerduty.arn
    		58 | }
    
    Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
    	FAILED for resource: aws_lambda_function.prometheus_pagerduty
    	File: /lessons/131/terraform/13-lambda-prometheus-pagerduty.tf:46-58
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq.html
    
    		46 | resource "aws_lambda_function" "prometheus_pagerduty" {
    		47 |   function_name = "prometheus-pagerduty"
    		48 | 
    		49 |   s3_bucket = aws_s3_bucket.lambda_bucket.id
    		50 |   s3_key    = aws_s3_object.prometheus_pagerduty.key
    		51 | 
    		52 |   runtime = "python3.9"
    		53 |   handler = "function.lambda_handler"
    		54 | 
    		55 |   source_code_hash = data.archive_file.prometheus_pagerduty.output_base64sha256
    		56 | 
    		57 |   role = aws_iam_role.prometheus_pagerduty.arn
    		58 | }
    
    Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
    	FAILED for resource: aws_lambda_function.prometheus_pagerduty
    	File: /lessons/131/terraform/13-lambda-prometheus-pagerduty.tf:46-58
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1.html
    
    		46 | resource "aws_lambda_function" "prometheus_pagerduty" {
    		47 |   function_name = "prometheus-pagerduty"
    		48 | 
    		49 |   s3_bucket = aws_s3_bucket.lambda_bucket.id
    		50 |   s3_key    = aws_s3_object.prometheus_pagerduty.key
    		51 | 
    		52 |   runtime = "python3.9"
    		53 |   handler = "function.lambda_handler"
    		54 | 
    		55 |   source_code_hash = data.archive_file.prometheus_pagerduty.output_base64sha256
    		56 | 
    		57 |   role = aws_iam_role.prometheus_pagerduty.arn
    		58 | }
    
    Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
    	FAILED for resource: aws_cloudwatch_log_group.prometheus_pagerduty
    	File: /lessons/131/terraform/13-lambda-prometheus-pagerduty.tf:61-65
    
    		61 | resource "aws_cloudwatch_log_group" "prometheus_pagerduty" {
    		62 |   name = "/aws/lambda/${aws_lambda_function.prometheus_pagerduty.function_name}"
    		63 | 
    		64 |   retention_in_days = 14
    		65 | }
    
    Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
    	FAILED for resource: aws_cloudwatch_log_group.prometheus_pagerduty
    	File: /lessons/131/terraform/13-lambda-prometheus-pagerduty.tf:61-65
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html
    
    		61 | resource "aws_cloudwatch_log_group" "prometheus_pagerduty" {
    		62 |   name = "/aws/lambda/${aws_lambda_function.prometheus_pagerduty.function_name}"
    		63 | 
    		64 |   retention_in_days = 14
    		65 | }
    
    Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
    	FAILED for resource: aws_subnet.public_us_east_1a
    	File: /lessons/131/terraform/3-subnet.tf:1-10
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
    
    		1  | resource "aws_subnet" "public_us_east_1a" {
    		2  |   vpc_id                  = aws_vpc.main.id
    		3  |   cidr_block              = "10.0.0.0/19"
    		4  |   availability_zone       = "us-east-1a"
    		5  |   map_public_ip_on_launch = true
    		6  | 
    		7  |   tags = {
    		8  |     "Name" = "public-us-east-1a"
    		9  |   }
    		10 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group.my_app
    	File: /lessons/131/terraform/5-ec2.tf:36-63
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		36 | resource "aws_security_group" "my_app" {
    		37 |   name        = "my-app"
    		38 |   description = "Allow My App Access"
    		39 |   vpc_id      = aws_vpc.main.id
    		40 | 
    		41 |   ingress {
    		42 |     description = "Allow SSH Access"
    		43 |     from_port   = 22
    		44 |     to_port     = 22
    		45 |     protocol    = "tcp"
    		46 |     cidr_blocks = ["0.0.0.0/0"]
    		47 |   }
    		48 | 
    		49 |   ingress {
    		50 |     description = "Allow Prometheus UI Access (only for demo)"
    		51 |     from_port   = 9090
    		52 |     to_port     = 9090
    		53 |     protocol    = "tcp"
    		54 |     cidr_blocks = ["0.0.0.0/0"]
    		55 |   }
    		56 | 
    		57 |   egress {
    		58 |     from_port   = 0
    		59 |     to_port     = 0
    		60 |     protocol    = "-1"
    		61 |     cidr_blocks = ["0.0.0.0/0"]
    		62 |   }
    		63 | }
    
    Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
    	FAILED for resource: aws_security_group.my_app
    	File: /lessons/131/terraform/5-ec2.tf:36-63
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-1-port-security.html
    
    		36 | resource "aws_security_group" "my_app" {
    		37 |   name        = "my-app"
    		38 |   description = "Allow My App Access"
    		39 |   vpc_id      = aws_vpc.main.id
    		40 | 
    		41 |   ingress {
    		42 |     description = "Allow SSH Access"
    		43 |     from_port   = 22
    		44 |     to_port     = 22
    		45 |     protocol    = "tcp"
    		46 |     cidr_blocks = ["0.0.0.0/0"]
    		47 |   }
    		48 | 
    		49 |   ingress {
    		50 |     description = "Allow Prometheus UI Access (only for demo)"
    		51 |     from_port   = 9090
    		52 |     to_port     = 9090
    		53 |     protocol    = "tcp"
    		54 |     cidr_blocks = ["0.0.0.0/0"]
    		55 |   }
    		56 | 
    		57 |   egress {
    		58 |     from_port   = 0
    		59 |     to_port     = 0
    		60 |     protocol    = "-1"
    		61 |     cidr_blocks = ["0.0.0.0/0"]
    		62 |   }
    		63 | }
    
    Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
    	FAILED for resource: aws_instance.my_app
    	File: /lessons/131/terraform/5-ec2.tf:81-101
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
    
    		81  | resource "aws_instance" "my_app" {
    		82  |   ami                    = data.aws_ami.ubuntu.id
    		83  |   instance_type          = "t3.micro"
    		84  |   key_name               = "devops"
    		85  |   subnet_id              = aws_subnet.public_us_east_1a.id
    		86  |   vpc_security_group_ids = [aws_security_group.my_app.id]
    		87  | 
    		88  |   iam_instance_profile = aws_iam_instance_profile.prometheus_demo.name
    		89  | 
    		90  |   user_data = templatefile("bootstrap.sh.tpl",
    		91  |     {
    		92  |       prometheus_ver    = "2.39.1",
    		93  |       node_exporter_ver = "1.4.0",
    		94  |       remote_write_url  = aws_prometheus_workspace.demo.prometheus_endpoint
    		95  |   })
    		96  | 
    		97  |   tags = {
    		98  |     Name          = "my-app.example.pvt"
    		99  |     node-exporter = "true"
    		100 |   }
    		101 | }
    
    Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
    	FAILED for resource: aws_instance.my_app
    	File: /lessons/131/terraform/5-ec2.tf:81-101
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
    
    		81  | resource "aws_instance" "my_app" {
    		82  |   ami                    = data.aws_ami.ubuntu.id
    		83  |   instance_type          = "t3.micro"
    		84  |   key_name               = "devops"
    		85  |   subnet_id              = aws_subnet.public_us_east_1a.id
    		86  |   vpc_security_group_ids = [aws_security_group.my_app.id]
    		87  | 
    		88  |   iam_instance_profile = aws_iam_instance_profile.prometheus_demo.name
    		89  | 
    		90  |   user_data = templatefile("bootstrap.sh.tpl",
    		91  |     {
    		92  |       prometheus_ver    = "2.39.1",
    		93  |       node_exporter_ver = "1.4.0",
    		94  |       remote_write_url  = aws_prometheus_workspace.demo.prometheus_endpoint
    		95  |   })
    		96  | 
    		97  |   tags = {
    		98  |     Name          = "my-app.example.pvt"
    		99  |     node-exporter = "true"
    		100 |   }
    		101 | }
    
    Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
    	FAILED for resource: aws_instance.my_app
    	File: /lessons/131/terraform/5-ec2.tf:81-101
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
    
    		81  | resource "aws_instance" "my_app" {
    		82  |   ami                    = data.aws_ami.ubuntu.id
    		83  |   instance_type          = "t3.micro"
    		84  |   key_name               = "devops"
    		85  |   subnet_id              = aws_subnet.public_us_east_1a.id
    		86  |   vpc_security_group_ids = [aws_security_group.my_app.id]
    		87  | 
    		88  |   iam_instance_profile = aws_iam_instance_profile.prometheus_demo.name
    		89  | 
    		90  |   user_data = templatefile("bootstrap.sh.tpl",
    		91  |     {
    		92  |       prometheus_ver    = "2.39.1",
    		93  |       node_exporter_ver = "1.4.0",
    		94  |       remote_write_url  = aws_prometheus_workspace.demo.prometheus_endpoint
    		95  |   })
    		96  | 
    		97  |   tags = {
    		98  |     Name          = "my-app.example.pvt"
    		99  |     node-exporter = "true"
    		100 |   }
    		101 | }
    
    Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
    	FAILED for resource: aws_instance.my_app
    	File: /lessons/131/terraform/5-ec2.tf:81-101
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
    
    		81  | resource "aws_instance" "my_app" {
    		82  |   ami                    = data.aws_ami.ubuntu.id
    		83  |   instance_type          = "t3.micro"
    		84  |   key_name               = "devops"
    		85  |   subnet_id              = aws_subnet.public_us_east_1a.id
    		86  |   vpc_security_group_ids = [aws_security_group.my_app.id]
    		87  | 
    		88  |   iam_instance_profile = aws_iam_instance_profile.prometheus_demo.name
    		89  | 
    		90  |   user_data = templatefile("bootstrap.sh.tpl",
    		91  |     {
    		92  |       prometheus_ver    = "2.39.1",
    		93  |       node_exporter_ver = "1.4.0",
    		94  |       remote_write_url  = aws_prometheus_workspace.demo.prometheus_endpoint
    		95  |   })
    		96  | 
    		97  |   tags = {
    		98  |     Name          = "my-app.example.pvt"
    		99  |     node-exporter = "true"
    		100 |   }
    		101 | }
    
    Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
    	FAILED for resource: aws_cloudwatch_log_group.prometheus_demo
    	File: /lessons/131/terraform/6-prometheus.tf:1-4
    
    		1 | resource "aws_cloudwatch_log_group" "prometheus_demo" {
    		2 |   name              = "/aws/prometheus/demo"
    		3 |   retention_in_days = 14
    		4 | }
    
    Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
    	FAILED for resource: aws_cloudwatch_log_group.prometheus_demo
    	File: /lessons/131/terraform/6-prometheus.tf:1-4
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html
    
    		1 | resource "aws_cloudwatch_log_group" "prometheus_demo" {
    		2 |   name              = "/aws/prometheus/demo"
    		3 |   retention_in_days = 14
    		4 | }
    
    Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
    	FAILED for resource: aws_sns_topic.alarms
    	File: /lessons/131/terraform/7-sns-topic.tf:4-35
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-15.html
    
    		4  | resource "aws_sns_topic" "alarms" {
    		5  |   name = "alarms"
    		6  | 
    		7  |   policy = <> /etc/systemd/system/node_exporter.service
    		64 | [Unit]
    		65 | Description=Node Exporter
    		66 | Wants=network-online.target
    		67 | After=network-online.target
    		68 | StartLimitIntervalSec=500
    		69 | StartLimitBurst=5
    		70 | 
    		71 | [Service]
    		72 | User=node_exporter
    		73 | Group=node_exporter
    		74 | Type=simple
    		75 | Restart=on-failure
    		76 | RestartSec=5s
    		77 | ExecStart=/usr/local/bin/node_exporter
    		78 | 
    		79 | [Install]
    		80 | WantedBy=multi-user.target
    		81 | EOT
    		82 | 
    		83 | systemctl enable node_exporter
    		84 | systemctl start node_exporter
    		85 | EOF
    		86 | 
    		87 |   tags = {
    		88 |     Name          = "myapp"
    		89 |     service       = "myapp"
    		90 |     node-exporter = "true"
    		91 |   }
    		92 | }
    
    Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
    	FAILED for resource: aws_instance.test
    	File: /lessons/154/terraform/14-ec2.tf:44-92
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
    
    		44 | resource "aws_instance" "test" {
    		45 |   ami           = data.aws_ami.ubuntu_jammy.id
    		46 |   instance_type = "t3a.small"
    		47 |   subnet_id     = aws_subnet.public_us_east_1a.id
    		48 |   #   key_name      = "devops" # TODO: update to yours
    		49 | 
    		50 |   vpc_security_group_ids = [
    		51 |     aws_security_group.test.id
    		52 |   ]
    		53 | 
    		54 |   user_data = <> /etc/systemd/system/node_exporter.service
    		64 | [Unit]
    		65 | Description=Node Exporter
    		66 | Wants=network-online.target
    		67 | After=network-online.target
    		68 | StartLimitIntervalSec=500
    		69 | StartLimitBurst=5
    		70 | 
    		71 | [Service]
    		72 | User=node_exporter
    		73 | Group=node_exporter
    		74 | Type=simple
    		75 | Restart=on-failure
    		76 | RestartSec=5s
    		77 | ExecStart=/usr/local/bin/node_exporter
    		78 | 
    		79 | [Install]
    		80 | WantedBy=multi-user.target
    		81 | EOT
    		82 | 
    		83 | systemctl enable node_exporter
    		84 | systemctl start node_exporter
    		85 | EOF
    		86 | 
    		87 |   tags = {
    		88 |     Name          = "myapp"
    		89 |     service       = "myapp"
    		90 |     node-exporter = "true"
    		91 |   }
    		92 | }
    
    Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
    	FAILED for resource: aws_instance.test
    	File: /lessons/154/terraform/14-ec2.tf:44-92
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
    
    		44 | resource "aws_instance" "test" {
    		45 |   ami           = data.aws_ami.ubuntu_jammy.id
    		46 |   instance_type = "t3a.small"
    		47 |   subnet_id     = aws_subnet.public_us_east_1a.id
    		48 |   #   key_name      = "devops" # TODO: update to yours
    		49 | 
    		50 |   vpc_security_group_ids = [
    		51 |     aws_security_group.test.id
    		52 |   ]
    		53 | 
    		54 |   user_data = <> /etc/systemd/system/node_exporter.service
    		64 | [Unit]
    		65 | Description=Node Exporter
    		66 | Wants=network-online.target
    		67 | After=network-online.target
    		68 | StartLimitIntervalSec=500
    		69 | StartLimitBurst=5
    		70 | 
    		71 | [Service]
    		72 | User=node_exporter
    		73 | Group=node_exporter
    		74 | Type=simple
    		75 | Restart=on-failure
    		76 | RestartSec=5s
    		77 | ExecStart=/usr/local/bin/node_exporter
    		78 | 
    		79 | [Install]
    		80 | WantedBy=multi-user.target
    		81 | EOT
    		82 | 
    		83 | systemctl enable node_exporter
    		84 | systemctl start node_exporter
    		85 | EOF
    		86 | 
    		87 |   tags = {
    		88 |     Name          = "myapp"
    		89 |     service       = "myapp"
    		90 |     node-exporter = "true"
    		91 |   }
    		92 | }
    
    Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
    	FAILED for resource: aws_instance.test
    	File: /lessons/154/terraform/14-ec2.tf:44-92
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
    
    		44 | resource "aws_instance" "test" {
    		45 |   ami           = data.aws_ami.ubuntu_jammy.id
    		46 |   instance_type = "t3a.small"
    		47 |   subnet_id     = aws_subnet.public_us_east_1a.id
    		48 |   #   key_name      = "devops" # TODO: update to yours
    		49 | 
    		50 |   vpc_security_group_ids = [
    		51 |     aws_security_group.test.id
    		52 |   ]
    		53 | 
    		54 |   user_data = <> /etc/systemd/system/node_exporter.service
    		64 | [Unit]
    		65 | Description=Node Exporter
    		66 | Wants=network-online.target
    		67 | After=network-online.target
    		68 | StartLimitIntervalSec=500
    		69 | StartLimitBurst=5
    		70 | 
    		71 | [Service]
    		72 | User=node_exporter
    		73 | Group=node_exporter
    		74 | Type=simple
    		75 | Restart=on-failure
    		76 | RestartSec=5s
    		77 | ExecStart=/usr/local/bin/node_exporter
    		78 | 
    		79 | [Install]
    		80 | WantedBy=multi-user.target
    		81 | EOT
    		82 | 
    		83 | systemctl enable node_exporter
    		84 | systemctl start node_exporter
    		85 | EOF
    		86 | 
    		87 |   tags = {
    		88 |     Name          = "myapp"
    		89 |     service       = "myapp"
    		90 |     node-exporter = "true"
    		91 |   }
    		92 | }
    
    Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
    	FAILED for resource: aws_subnet.public_us_east_1a
    	File: /lessons/154/terraform/3-subnets.tf:25-36
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
    
    		25 | resource "aws_subnet" "public_us_east_1a" {
    		26 |   vpc_id                  = aws_vpc.main.id
    		27 |   cidr_block              = "10.0.64.0/19"
    		28 |   availability_zone       = "us-east-1a"
    		29 |   map_public_ip_on_launch = true
    		30 | 
    		31 |   tags = {
    		32 |     "Name"                       = "public-us-east-1a"
    		33 |     "kubernetes.io/role/elb"     = "1"
    		34 |     "kubernetes.io/cluster/demo" = "owned"
    		35 |   }
    		36 | }
    
    Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
    	FAILED for resource: aws_subnet.public_us_east_1b
    	File: /lessons/154/terraform/3-subnets.tf:38-49
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
    
    		38 | resource "aws_subnet" "public_us_east_1b" {
    		39 |   vpc_id                  = aws_vpc.main.id
    		40 |   cidr_block              = "10.0.96.0/19"
    		41 |   availability_zone       = "us-east-1b"
    		42 |   map_public_ip_on_launch = true
    		43 | 
    		44 |   tags = {
    		45 |     "Name"                       = "public-us-east-1b"
    		46 |     "kubernetes.io/role/elb"     = "1"
    		47 |     "kubernetes.io/cluster/demo" = "owned"
    		48 |   }
    		49 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.demo
    	File: /lessons/154/terraform/6-eks.tf:25-40
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		25 | resource "aws_eks_cluster" "demo" {
    		26 |   name     = "demo"
    		27 |   version  = "1.24"
    		28 |   role_arn = aws_iam_role.demo.arn
    		29 | 
    		30 |   vpc_config {
    		31 |     subnet_ids = [
    		32 |       aws_subnet.private_us_east_1a.id,
    		33 |       aws_subnet.private_us_east_1b.id,
    		34 |       aws_subnet.public_us_east_1a.id,
    		35 |       aws_subnet.public_us_east_1b.id
    		36 |     ]
    		37 |   }
    		38 | 
    		39 |   depends_on = [aws_iam_role_policy_attachment.demo_amazon_eks_cluster_policy]
    		40 | }
    
    Check: CKV_AWS_37: "Ensure Amazon EKS control plane logging enabled for all log types"
    	FAILED for resource: aws_eks_cluster.demo
    	File: /lessons/154/terraform/6-eks.tf:25-40
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-4.html
    
    		25 | resource "aws_eks_cluster" "demo" {
    		26 |   name     = "demo"
    		27 |   version  = "1.24"
    		28 |   role_arn = aws_iam_role.demo.arn
    		29 | 
    		30 |   vpc_config {
    		31 |     subnet_ids = [
    		32 |       aws_subnet.private_us_east_1a.id,
    		33 |       aws_subnet.private_us_east_1b.id,
    		34 |       aws_subnet.public_us_east_1a.id,
    		35 |       aws_subnet.public_us_east_1b.id
    		36 |     ]
    		37 |   }
    		38 | 
    		39 |   depends_on = [aws_iam_role_policy_attachment.demo_amazon_eks_cluster_policy]
    		40 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.demo
    	File: /lessons/154/terraform/6-eks.tf:25-40
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		25 | resource "aws_eks_cluster" "demo" {
    		26 |   name     = "demo"
    		27 |   version  = "1.24"
    		28 |   role_arn = aws_iam_role.demo.arn
    		29 | 
    		30 |   vpc_config {
    		31 |     subnet_ids = [
    		32 |       aws_subnet.private_us_east_1a.id,
    		33 |       aws_subnet.private_us_east_1b.id,
    		34 |       aws_subnet.public_us_east_1a.id,
    		35 |       aws_subnet.public_us_east_1b.id
    		36 |     ]
    		37 |   }
    		38 | 
    		39 |   depends_on = [aws_iam_role_policy_attachment.demo_amazon_eks_cluster_policy]
    		40 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.demo
    	File: /lessons/154/terraform/6-eks.tf:25-40
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		25 | resource "aws_eks_cluster" "demo" {
    		26 |   name     = "demo"
    		27 |   version  = "1.24"
    		28 |   role_arn = aws_iam_role.demo.arn
    		29 | 
    		30 |   vpc_config {
    		31 |     subnet_ids = [
    		32 |       aws_subnet.private_us_east_1a.id,
    		33 |       aws_subnet.private_us_east_1b.id,
    		34 |       aws_subnet.public_us_east_1a.id,
    		35 |       aws_subnet.public_us_east_1b.id
    		36 |     ]
    		37 |   }
    		38 | 
    		39 |   depends_on = [aws_iam_role_policy_attachment.demo_amazon_eks_cluster_policy]
    		40 | }
    
    Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
    	FAILED for resource: aws_subnet.public_us_east_1a
    	File: /lessons/155/eks-terraform/3-subnets.tf:25-36
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
    
    		25 | resource "aws_subnet" "public_us_east_1a" {
    		26 |   vpc_id                  = aws_vpc.main.id
    		27 |   cidr_block              = "10.0.64.0/19"
    		28 |   availability_zone       = "us-east-1a"
    		29 |   map_public_ip_on_launch = true
    		30 | 
    		31 |   tags = {
    		32 |     "Name"                       = "public-us-east-1a"
    		33 |     "kubernetes.io/role/elb"     = "1"
    		34 |     "kubernetes.io/cluster/demo" = "owned"
    		35 |   }
    		36 | }
    
    Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
    	FAILED for resource: aws_subnet.public_us_east_1b
    	File: /lessons/155/eks-terraform/3-subnets.tf:38-49
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
    
    		38 | resource "aws_subnet" "public_us_east_1b" {
    		39 |   vpc_id                  = aws_vpc.main.id
    		40 |   cidr_block              = "10.0.96.0/19"
    		41 |   availability_zone       = "us-east-1b"
    		42 |   map_public_ip_on_launch = true
    		43 | 
    		44 |   tags = {
    		45 |     "Name"                       = "public-us-east-1b"
    		46 |     "kubernetes.io/role/elb"     = "1"
    		47 |     "kubernetes.io/cluster/demo" = "owned"
    		48 |   }
    		49 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.demo
    	File: /lessons/155/eks-terraform/6-eks.tf:25-40
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		25 | resource "aws_eks_cluster" "demo" {
    		26 |   name     = "demo"
    		27 |   version  = "1.25"
    		28 |   role_arn = aws_iam_role.demo.arn
    		29 | 
    		30 |   vpc_config {
    		31 |     subnet_ids = [
    		32 |       aws_subnet.private_us_east_1a.id,
    		33 |       aws_subnet.private_us_east_1b.id,
    		34 |       aws_subnet.public_us_east_1a.id,
    		35 |       aws_subnet.public_us_east_1b.id
    		36 |     ]
    		37 |   }
    		38 | 
    		39 |   depends_on = [aws_iam_role_policy_attachment.demo_amazon_eks_cluster_policy]
    		40 | }
    
    Check: CKV_AWS_37: "Ensure Amazon EKS control plane logging enabled for all log types"
    	FAILED for resource: aws_eks_cluster.demo
    	File: /lessons/155/eks-terraform/6-eks.tf:25-40
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-4.html
    
    		25 | resource "aws_eks_cluster" "demo" {
    		26 |   name     = "demo"
    		27 |   version  = "1.25"
    		28 |   role_arn = aws_iam_role.demo.arn
    		29 | 
    		30 |   vpc_config {
    		31 |     subnet_ids = [
    		32 |       aws_subnet.private_us_east_1a.id,
    		33 |       aws_subnet.private_us_east_1b.id,
    		34 |       aws_subnet.public_us_east_1a.id,
    		35 |       aws_subnet.public_us_east_1b.id
    		36 |     ]
    		37 |   }
    		38 | 
    		39 |   depends_on = [aws_iam_role_policy_attachment.demo_amazon_eks_cluster_policy]
    		40 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.demo
    	File: /lessons/155/eks-terraform/6-eks.tf:25-40
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		25 | resource "aws_eks_cluster" "demo" {
    		26 |   name     = "demo"
    		27 |   version  = "1.25"
    		28 |   role_arn = aws_iam_role.demo.arn
    		29 | 
    		30 |   vpc_config {
    		31 |     subnet_ids = [
    		32 |       aws_subnet.private_us_east_1a.id,
    		33 |       aws_subnet.private_us_east_1b.id,
    		34 |       aws_subnet.public_us_east_1a.id,
    		35 |       aws_subnet.public_us_east_1b.id
    		36 |     ]
    		37 |   }
    		38 | 
    		39 |   depends_on = [aws_iam_role_policy_attachment.demo_amazon_eks_cluster_policy]
    		40 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.demo
    	File: /lessons/155/eks-terraform/6-eks.tf:25-40
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		25 | resource "aws_eks_cluster" "demo" {
    		26 |   name     = "demo"
    		27 |   version  = "1.25"
    		28 |   role_arn = aws_iam_role.demo.arn
    		29 | 
    		30 |   vpc_config {
    		31 |     subnet_ids = [
    		32 |       aws_subnet.private_us_east_1a.id,
    		33 |       aws_subnet.private_us_east_1b.id,
    		34 |       aws_subnet.public_us_east_1a.id,
    		35 |       aws_subnet.public_us_east_1b.id
    		36 |     ]
    		37 |   }
    		38 | 
    		39 |   depends_on = [aws_iam_role_policy_attachment.demo_amazon_eks_cluster_policy]
    		40 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_policy.eks_console_access
    	File: /lessons/156/terraform/11-developer-role.tf:40-67
    
    		40 | resource "aws_iam_policy" "eks_console_access" {
    		41 |   name = "EKSConsoleAccess"
    		42 | 
    		43 |   policy = < index.html
    		25 |               nohup busybox httpd -f -p ${var.server_port} &
    		26 |               EOF
    		27 | 
    		28 |   user_data_replace_on_change = true
    		29 | 
    		30 |   tags = {
    		31 |     Name = "my-ubuntu"
    		32 |   }
    		33 | }
    
    Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
    	FAILED for resource: aws_instance.example
    	File: /lessons/164/main.tf:16-33
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
    
    		16 | resource "aws_instance" "example" {
    		17 |   ami           = "ami-0a695f0d95cefc163"
    		18 |   instance_type = "t3.micro"
    		19 | 
    		20 |   vpc_security_group_ids = [aws_security_group.instance.id]
    		21 | 
    		22 |   user_data = <<-EOF
    		23 |               #!/bin/bash
    		24 |               echo "Hello, World" > index.html
    		25 |               nohup busybox httpd -f -p ${var.server_port} &
    		26 |               EOF
    		27 | 
    		28 |   user_data_replace_on_change = true
    		29 | 
    		30 |   tags = {
    		31 |     Name = "my-ubuntu"
    		32 |   }
    		33 | }
    
    Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
    	FAILED for resource: aws_instance.example
    	File: /lessons/164/main.tf:16-33
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
    
    		16 | resource "aws_instance" "example" {
    		17 |   ami           = "ami-0a695f0d95cefc163"
    		18 |   instance_type = "t3.micro"
    		19 | 
    		20 |   vpc_security_group_ids = [aws_security_group.instance.id]
    		21 | 
    		22 |   user_data = <<-EOF
    		23 |               #!/bin/bash
    		24 |               echo "Hello, World" > index.html
    		25 |               nohup busybox httpd -f -p ${var.server_port} &
    		26 |               EOF
    		27 | 
    		28 |   user_data_replace_on_change = true
    		29 | 
    		30 |   tags = {
    		31 |     Name = "my-ubuntu"
    		32 |   }
    		33 | }
    
    Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
    	FAILED for resource: aws_instance.example
    	File: /lessons/164/main.tf:16-33
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
    
    		16 | resource "aws_instance" "example" {
    		17 |   ami           = "ami-0a695f0d95cefc163"
    		18 |   instance_type = "t3.micro"
    		19 | 
    		20 |   vpc_security_group_ids = [aws_security_group.instance.id]
    		21 | 
    		22 |   user_data = <<-EOF
    		23 |               #!/bin/bash
    		24 |               echo "Hello, World" > index.html
    		25 |               nohup busybox httpd -f -p ${var.server_port} &
    		26 |               EOF
    		27 | 
    		28 |   user_data_replace_on_change = true
    		29 | 
    		30 |   tags = {
    		31 |     Name = "my-ubuntu"
    		32 |   }
    		33 | }
    
    Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
    	FAILED for resource: aws_launch_configuration.example
    	File: /lessons/164/main.tf:35-50
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
    
    		35 | resource "aws_launch_configuration" "example" {
    		36 |   image_id        = "ami-0a695f0d95cefc163"
    		37 |   instance_type   = "t3.micro"
    		38 |   security_groups = [aws_security_group.instance.id]
    		39 | 
    		40 |   user_data = <<-EOF
    		41 |               #!/bin/bash
    		42 |               echo "Hello, World" > index.html
    		43 |               nohup busybox httpd -f -p ${var.server_port} &
    		44 |               EOF
    		45 | 
    		46 |   # Required with an autoscaling group.
    		47 |   lifecycle {
    		48 |     create_before_destroy = true
    		49 |   }
    		50 | }
    
    Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
    	FAILED for resource: aws_launch_configuration.example
    	File: /lessons/164/main.tf:35-50
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
    
    		35 | resource "aws_launch_configuration" "example" {
    		36 |   image_id        = "ami-0a695f0d95cefc163"
    		37 |   instance_type   = "t3.micro"
    		38 |   security_groups = [aws_security_group.instance.id]
    		39 | 
    		40 |   user_data = <<-EOF
    		41 |               #!/bin/bash
    		42 |               echo "Hello, World" > index.html
    		43 |               nohup busybox httpd -f -p ${var.server_port} &
    		44 |               EOF
    		45 | 
    		46 |   # Required with an autoscaling group.
    		47 |   lifecycle {
    		48 |     create_before_destroy = true
    		49 |   }
    		50 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group.instance
    	File: /lessons/164/main.tf:52-61
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		52 | resource "aws_security_group" "instance" {
    		53 |   name = "web"
    		54 | 
    		55 |   ingress {
    		56 |     from_port   = var.server_port
    		57 |     to_port     = var.server_port
    		58 |     protocol    = "tcp"
    		59 |     cidr_blocks = ["0.0.0.0/0"]
    		60 |   }
    		61 | }
    
    Check: CKV_AWS_315: "Ensure EC2 Auto Scaling groups use EC2 launch templates"
    	FAILED for resource: aws_autoscaling_group.example
    	File: /lessons/164/main.tf:63-78
    
    		63 | resource "aws_autoscaling_group" "example" {
    		64 |   launch_configuration = aws_launch_configuration.example.name
    		65 |   vpc_zone_identifier  = data.aws_subnets.default.ids
    		66 | 
    		67 |   target_group_arns = [aws_lb_target_group.asg.arn]
    		68 |   health_check_type = "ELB"
    		69 | 
    		70 |   min_size = 2
    		71 |   max_size = 10
    		72 | 
    		73 |   tag {
    		74 |     key                 = "Name"
    		75 |     value               = "web"
    		76 |     propagate_at_launch = true
    		77 |   }
    		78 | }
    
    Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
    	FAILED for resource: aws_lb.example
    	File: /lessons/164/main.tf:80-85
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers.html
    
    		80 | resource "aws_lb" "example" {
    		81 |   name               = "web"
    		82 |   load_balancer_type = "application"
    		83 |   subnets            = data.aws_subnets.default.ids
    		84 |   security_groups    = [aws_security_group.alb.id]
    		85 | }
    
    Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
    	FAILED for resource: aws_lb.example
    	File: /lessons/164/main.tf:80-85
    	Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62
    
    		80 | resource "aws_lb" "example" {
    		81 |   name               = "web"
    		82 |   load_balancer_type = "application"
    		83 |   subnets            = data.aws_subnets.default.ids
    		84 |   security_groups    = [aws_security_group.alb.id]
    		85 | }
    
    Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
    	FAILED for resource: aws_lb.example
    	File: /lessons/164/main.tf:80-85
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22.html
    
    		80 | resource "aws_lb" "example" {
    		81 |   name               = "web"
    		82 |   load_balancer_type = "application"
    		83 |   subnets            = data.aws_subnets.default.ids
    		84 |   security_groups    = [aws_security_group.alb.id]
    		85 | }
    
    Check: CKV_AWS_2: "Ensure ALB protocol is HTTPS"
    	FAILED for resource: aws_lb_listener.http
    	File: /lessons/164/main.tf:87-102
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-29.html
    
    		87  | resource "aws_lb_listener" "http" {
    		88  |   load_balancer_arn = aws_lb.example.arn
    		89  |   port              = 80
    		90  |   protocol          = "HTTP"
    		91  | 
    		92  |   # By default, it just shows a simple 404 page
    		93  |   default_action {
    		94  |     type = "fixed-response"
    		95  | 
    		96  |     fixed_response {
    		97  |       content_type = "text/plain"
    		98  |       message_body = "404: page not found"
    		99  |       status_code  = 404
    		100 |     }
    		101 |   }
    		102 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group.alb
    	File: /lessons/164/main.tf:104-121
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		104 | resource "aws_security_group" "alb" {
    		105 |   name = "web-alb"
    		106 |   # Allow inbound HTTP requests
    		107 |   ingress {
    		108 |     from_port   = 80
    		109 |     to_port     = 80
    		110 |     protocol    = "tcp"
    		111 |     cidr_blocks = ["0.0.0.0/0"]
    		112 |   }
    		113 | 
    		114 |   # Allow all outbound requests
    		115 |   egress {
    		116 |     from_port   = 0
    		117 |     to_port     = 0
    		118 |     protocol    = "-1"
    		119 |     cidr_blocks = ["0.0.0.0/0"]
    		120 |   }
    		121 | }
    
    Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
    	FAILED for resource: aws_security_group.alb
    	File: /lessons/164/main.tf:104-121
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
    
    		104 | resource "aws_security_group" "alb" {
    		105 |   name = "web-alb"
    		106 |   # Allow inbound HTTP requests
    		107 |   ingress {
    		108 |     from_port   = 80
    		109 |     to_port     = 80
    		110 |     protocol    = "tcp"
    		111 |     cidr_blocks = ["0.0.0.0/0"]
    		112 |   }
    		113 | 
    		114 |   # Allow all outbound requests
    		115 |   egress {
    		116 |     from_port   = 0
    		117 |     to_port     = 0
    		118 |     protocol    = "-1"
    		119 |     cidr_blocks = ["0.0.0.0/0"]
    		120 |   }
    		121 | }
    
    Check: CKV_AWS_119: "Ensure DynamoDB Tables are encrypted using a KMS Customer Managed CMK"
    	FAILED for resource: aws_dynamodb_table.terraform_state
    	File: /lessons/165/1-example/main.tf:39-48
    	Guide: https://docs.bridgecrew.io/docs/ensure-that-dynamodb-tables-are-encrypted
    
    		39 | resource "aws_dynamodb_table" "terraform_state" {
    		40 |   name         = "terraform-state"
    		41 |   billing_mode = "PAY_PER_REQUEST"
    		42 |   hash_key     = "LockID"
    		43 | 
    		44 |   attribute {
    		45 |     name = "LockID"
    		46 |     type = "S"
    		47 |   }
    		48 | }
    
    Check: CKV_AWS_28: "Ensure Dynamodb point in time recovery (backup) is enabled"
    	FAILED for resource: aws_dynamodb_table.terraform_state
    	File: /lessons/165/1-example/main.tf:39-48
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-6.html
    
    		39 | resource "aws_dynamodb_table" "terraform_state" {
    		40 |   name         = "terraform-state"
    		41 |   billing_mode = "PAY_PER_REQUEST"
    		42 |   hash_key     = "LockID"
    		43 | 
    		44 |   attribute {
    		45 |     name = "LockID"
    		46 |     type = "S"
    		47 |   }
    		48 | }
    
    Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
    	FAILED for resource: aws_instance.example
    	File: /lessons/165/3-example/main.tf:5-11
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
    
    		5  | resource "aws_instance" "example" {
    		6  |   ami = "ami-0a695f0d95cefc163"
    		7  | 
    		8  |   instance_type = (
    		9  |     terraform.workspace == "default" ? "t3.medium" : "t3.micro"
    		10 |   )
    		11 | }
    
    Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
    	FAILED for resource: aws_instance.example
    	File: /lessons/165/3-example/main.tf:5-11
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
    
    		5  | resource "aws_instance" "example" {
    		6  |   ami = "ami-0a695f0d95cefc163"
    		7  | 
    		8  |   instance_type = (
    		9  |     terraform.workspace == "default" ? "t3.medium" : "t3.micro"
    		10 |   )
    		11 | }
    
    Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
    	FAILED for resource: aws_instance.example
    	File: /lessons/165/3-example/main.tf:5-11
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
    
    		5  | resource "aws_instance" "example" {
    		6  |   ami = "ami-0a695f0d95cefc163"
    		7  | 
    		8  |   instance_type = (
    		9  |     terraform.workspace == "default" ? "t3.medium" : "t3.micro"
    		10 |   )
    		11 | }
    
    Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
    	FAILED for resource: aws_instance.example
    	File: /lessons/165/3-example/main.tf:5-11
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
    
    		5  | resource "aws_instance" "example" {
    		6  |   ami = "ami-0a695f0d95cefc163"
    		7  | 
    		8  |   instance_type = (
    		9  |     terraform.workspace == "default" ? "t3.medium" : "t3.micro"
    		10 |   )
    		11 | }
    
    Check: CKV_AWS_119: "Ensure DynamoDB Tables are encrypted using a KMS Customer Managed CMK"
    	FAILED for resource: aws_dynamodb_table.terraform_state
    	File: /lessons/165/global/s3/main.tf:39-48
    	Guide: https://docs.bridgecrew.io/docs/ensure-that-dynamodb-tables-are-encrypted
    
    		39 | resource "aws_dynamodb_table" "terraform_state" {
    		40 |   name         = "terraform-state"
    		41 |   billing_mode = "PAY_PER_REQUEST"
    		42 |   hash_key     = "LockID"
    		43 | 
    		44 |   attribute {
    		45 |     name = "LockID"
    		46 |     type = "S"
    		47 |   }
    		48 | }
    
    Check: CKV_AWS_28: "Ensure Dynamodb point in time recovery (backup) is enabled"
    	FAILED for resource: aws_dynamodb_table.terraform_state
    	File: /lessons/165/global/s3/main.tf:39-48
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-6.html
    
    		39 | resource "aws_dynamodb_table" "terraform_state" {
    		40 |   name         = "terraform-state"
    		41 |   billing_mode = "PAY_PER_REQUEST"
    		42 |   hash_key     = "LockID"
    		43 | 
    		44 |   attribute {
    		45 |     name = "LockID"
    		46 |     type = "S"
    		47 |   }
    		48 | }
    
    Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
    	FAILED for resource: aws_instance.example
    	File: /lessons/165/infra/main.tf:5-8
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
    
    		5 | resource "aws_instance" "example" {
    		6 |   ami           = "ami-0a695f0d95cefc163"
    		7 |   instance_type = "t3.micro"
    		8 | }
    
    Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
    	FAILED for resource: aws_instance.example
    	File: /lessons/165/infra/main.tf:5-8
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
    
    		5 | resource "aws_instance" "example" {
    		6 |   ami           = "ami-0a695f0d95cefc163"
    		7 |   instance_type = "t3.micro"
    		8 | }
    
    Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
    	FAILED for resource: aws_instance.example
    	File: /lessons/165/infra/main.tf:5-8
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
    
    		5 | resource "aws_instance" "example" {
    		6 |   ami           = "ami-0a695f0d95cefc163"
    		7 |   instance_type = "t3.micro"
    		8 | }
    
    Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
    	FAILED for resource: aws_instance.example
    	File: /lessons/165/infra/main.tf:5-8
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
    
    		5 | resource "aws_instance" "example" {
    		6 |   ami           = "ami-0a695f0d95cefc163"
    		7 |   instance_type = "t3.micro"
    		8 | }
    
    Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
    	FAILED for resource: aws_db_instance.mydb
    	File: /lessons/165/infra/main.tf:10-22
    
    		10 | resource "aws_db_instance" "mydb" {
    		11 |   db_name           = "mydb"
    		12 |   engine            = "postgres"
    		13 |   engine_version    = "15"
    		14 |   instance_class    = "db.t4g.micro"
    		15 |   allocated_storage = 10
    		16 | 
    		17 |   publicly_accessible = true
    		18 |   skip_final_snapshot = true
    		19 | 
    		20 |   username = "root"
    		21 |   password = "devops123"
    		22 | }
    
    Check: CKV_AWS_17: "Ensure all data stored in RDS is not publicly accessible"
    	FAILED for resource: aws_db_instance.mydb
    	File: /lessons/165/infra/main.tf:10-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/public-policies/public-2.html
    
    		10 | resource "aws_db_instance" "mydb" {
    		11 |   db_name           = "mydb"
    		12 |   engine            = "postgres"
    		13 |   engine_version    = "15"
    		14 |   instance_class    = "db.t4g.micro"
    		15 |   allocated_storage = 10
    		16 | 
    		17 |   publicly_accessible = true
    		18 |   skip_final_snapshot = true
    		19 | 
    		20 |   username = "root"
    		21 |   password = "devops123"
    		22 | }
    
    Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
    	FAILED for resource: aws_db_instance.mydb
    	File: /lessons/165/infra/main.tf:10-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled.html
    
    		10 | resource "aws_db_instance" "mydb" {
    		11 |   db_name           = "mydb"
    		12 |   engine            = "postgres"
    		13 |   engine_version    = "15"
    		14 |   instance_class    = "db.t4g.micro"
    		15 |   allocated_storage = 10
    		16 | 
    		17 |   publicly_accessible = true
    		18 |   skip_final_snapshot = true
    		19 | 
    		20 |   username = "root"
    		21 |   password = "devops123"
    		22 | }
    
    Check: CKV_AWS_161: "Ensure RDS database has IAM authentication enabled"
    	FAILED for resource: aws_db_instance.mydb
    	File: /lessons/165/infra/main.tf:10-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-rds-database-has-iam-authentication-enabled.html
    
    		10 | resource "aws_db_instance" "mydb" {
    		11 |   db_name           = "mydb"
    		12 |   engine            = "postgres"
    		13 |   engine_version    = "15"
    		14 |   instance_class    = "db.t4g.micro"
    		15 |   allocated_storage = 10
    		16 | 
    		17 |   publicly_accessible = true
    		18 |   skip_final_snapshot = true
    		19 | 
    		20 |   username = "root"
    		21 |   password = "devops123"
    		22 | }
    
    Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
    	FAILED for resource: aws_db_instance.mydb
    	File: /lessons/165/infra/main.tf:10-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically.html
    
    		10 | resource "aws_db_instance" "mydb" {
    		11 |   db_name           = "mydb"
    		12 |   engine            = "postgres"
    		13 |   engine_version    = "15"
    		14 |   instance_class    = "db.t4g.micro"
    		15 |   allocated_storage = 10
    		16 | 
    		17 |   publicly_accessible = true
    		18 |   skip_final_snapshot = true
    		19 | 
    		20 |   username = "root"
    		21 |   password = "devops123"
    		22 | }
    
    Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
    	FAILED for resource: aws_db_instance.mydb
    	File: /lessons/165/infra/main.tf:10-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances.html
    
    		10 | resource "aws_db_instance" "mydb" {
    		11 |   db_name           = "mydb"
    		12 |   engine            = "postgres"
    		13 |   engine_version    = "15"
    		14 |   instance_class    = "db.t4g.micro"
    		15 |   allocated_storage = 10
    		16 | 
    		17 |   publicly_accessible = true
    		18 |   skip_final_snapshot = true
    		19 | 
    		20 |   username = "root"
    		21 |   password = "devops123"
    		22 | }
    
    Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
    	FAILED for resource: aws_db_instance.mydb
    	File: /lessons/165/infra/main.tf:10-22
    
    		10 | resource "aws_db_instance" "mydb" {
    		11 |   db_name           = "mydb"
    		12 |   engine            = "postgres"
    		13 |   engine_version    = "15"
    		14 |   instance_class    = "db.t4g.micro"
    		15 |   allocated_storage = 10
    		16 | 
    		17 |   publicly_accessible = true
    		18 |   skip_final_snapshot = true
    		19 | 
    		20 |   username = "root"
    		21 |   password = "devops123"
    		22 | }
    
    Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
    	FAILED for resource: aws_db_instance.mydb
    	File: /lessons/165/infra/main.tf:10-22
    
    		10 | resource "aws_db_instance" "mydb" {
    		11 |   db_name           = "mydb"
    		12 |   engine            = "postgres"
    		13 |   engine_version    = "15"
    		14 |   instance_class    = "db.t4g.micro"
    		15 |   allocated_storage = 10
    		16 | 
    		17 |   publicly_accessible = true
    		18 |   skip_final_snapshot = true
    		19 | 
    		20 |   username = "root"
    		21 |   password = "devops123"
    		22 | }
    
    Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
    	FAILED for resource: aws_db_instance.mydb
    	File: /lessons/165/infra/main.tf:10-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-4.html
    
    		10 | resource "aws_db_instance" "mydb" {
    		11 |   db_name           = "mydb"
    		12 |   engine            = "postgres"
    		13 |   engine_version    = "15"
    		14 |   instance_class    = "db.t4g.micro"
    		15 |   allocated_storage = 10
    		16 | 
    		17 |   publicly_accessible = true
    		18 |   skip_final_snapshot = true
    		19 | 
    		20 |   username = "root"
    		21 |   password = "devops123"
    		22 | }
    
    Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
    	FAILED for resource: aws_db_instance.mydb
    	File: /lessons/165/infra/main.tf:10-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-73.html
    
    		10 | resource "aws_db_instance" "mydb" {
    		11 |   db_name           = "mydb"
    		12 |   engine            = "postgres"
    		13 |   engine_version    = "15"
    		14 |   instance_class    = "db.t4g.micro"
    		15 |   allocated_storage = 10
    		16 | 
    		17 |   publicly_accessible = true
    		18 |   skip_final_snapshot = true
    		19 | 
    		20 |   username = "root"
    		21 |   password = "devops123"
    		22 | }
    
    Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
    	FAILED for resource: aws_db_instance.mydb
    	File: /lessons/165/staging/data-stores/postgres/main.tf:11-23
    
    		11 | resource "aws_db_instance" "mydb" {
    		12 |   db_name           = "mydb"
    		13 |   engine            = "postgres"
    		14 |   engine_version    = "15"
    		15 |   instance_class    = "db.t4g.micro"
    		16 |   allocated_storage = 10
    		17 | 
    		18 |   skip_final_snapshot = true
    		19 |   publicly_accessible = true
    		20 | 
    		21 |   username = var.username
    		22 |   password = var.password
    		23 | }
    
    Check: CKV_AWS_17: "Ensure all data stored in RDS is not publicly accessible"
    	FAILED for resource: aws_db_instance.mydb
    	File: /lessons/165/staging/data-stores/postgres/main.tf:11-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/public-policies/public-2.html
    
    		11 | resource "aws_db_instance" "mydb" {
    		12 |   db_name           = "mydb"
    		13 |   engine            = "postgres"
    		14 |   engine_version    = "15"
    		15 |   instance_class    = "db.t4g.micro"
    		16 |   allocated_storage = 10
    		17 | 
    		18 |   skip_final_snapshot = true
    		19 |   publicly_accessible = true
    		20 | 
    		21 |   username = var.username
    		22 |   password = var.password
    		23 | }
    
    Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
    	FAILED for resource: aws_db_instance.mydb
    	File: /lessons/165/staging/data-stores/postgres/main.tf:11-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled.html
    
    		11 | resource "aws_db_instance" "mydb" {
    		12 |   db_name           = "mydb"
    		13 |   engine            = "postgres"
    		14 |   engine_version    = "15"
    		15 |   instance_class    = "db.t4g.micro"
    		16 |   allocated_storage = 10
    		17 | 
    		18 |   skip_final_snapshot = true
    		19 |   publicly_accessible = true
    		20 | 
    		21 |   username = var.username
    		22 |   password = var.password
    		23 | }
    
    Check: CKV_AWS_161: "Ensure RDS database has IAM authentication enabled"
    	FAILED for resource: aws_db_instance.mydb
    	File: /lessons/165/staging/data-stores/postgres/main.tf:11-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-rds-database-has-iam-authentication-enabled.html
    
    		11 | resource "aws_db_instance" "mydb" {
    		12 |   db_name           = "mydb"
    		13 |   engine            = "postgres"
    		14 |   engine_version    = "15"
    		15 |   instance_class    = "db.t4g.micro"
    		16 |   allocated_storage = 10
    		17 | 
    		18 |   skip_final_snapshot = true
    		19 |   publicly_accessible = true
    		20 | 
    		21 |   username = var.username
    		22 |   password = var.password
    		23 | }
    
    Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
    	FAILED for resource: aws_db_instance.mydb
    	File: /lessons/165/staging/data-stores/postgres/main.tf:11-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically.html
    
    		11 | resource "aws_db_instance" "mydb" {
    		12 |   db_name           = "mydb"
    		13 |   engine            = "postgres"
    		14 |   engine_version    = "15"
    		15 |   instance_class    = "db.t4g.micro"
    		16 |   allocated_storage = 10
    		17 | 
    		18 |   skip_final_snapshot = true
    		19 |   publicly_accessible = true
    		20 | 
    		21 |   username = var.username
    		22 |   password = var.password
    		23 | }
    
    Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
    	FAILED for resource: aws_db_instance.mydb
    	File: /lessons/165/staging/data-stores/postgres/main.tf:11-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances.html
    
    		11 | resource "aws_db_instance" "mydb" {
    		12 |   db_name           = "mydb"
    		13 |   engine            = "postgres"
    		14 |   engine_version    = "15"
    		15 |   instance_class    = "db.t4g.micro"
    		16 |   allocated_storage = 10
    		17 | 
    		18 |   skip_final_snapshot = true
    		19 |   publicly_accessible = true
    		20 | 
    		21 |   username = var.username
    		22 |   password = var.password
    		23 | }
    
    Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
    	FAILED for resource: aws_db_instance.mydb
    	File: /lessons/165/staging/data-stores/postgres/main.tf:11-23
    
    		11 | resource "aws_db_instance" "mydb" {
    		12 |   db_name           = "mydb"
    		13 |   engine            = "postgres"
    		14 |   engine_version    = "15"
    		15 |   instance_class    = "db.t4g.micro"
    		16 |   allocated_storage = 10
    		17 | 
    		18 |   skip_final_snapshot = true
    		19 |   publicly_accessible = true
    		20 | 
    		21 |   username = var.username
    		22 |   password = var.password
    		23 | }
    
    Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
    	FAILED for resource: aws_db_instance.mydb
    	File: /lessons/165/staging/data-stores/postgres/main.tf:11-23
    
    		11 | resource "aws_db_instance" "mydb" {
    		12 |   db_name           = "mydb"
    		13 |   engine            = "postgres"
    		14 |   engine_version    = "15"
    		15 |   instance_class    = "db.t4g.micro"
    		16 |   allocated_storage = 10
    		17 | 
    		18 |   skip_final_snapshot = true
    		19 |   publicly_accessible = true
    		20 | 
    		21 |   username = var.username
    		22 |   password = var.password
    		23 | }
    
    Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
    	FAILED for resource: aws_db_instance.mydb
    	File: /lessons/165/staging/data-stores/postgres/main.tf:11-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-4.html
    
    		11 | resource "aws_db_instance" "mydb" {
    		12 |   db_name           = "mydb"
    		13 |   engine            = "postgres"
    		14 |   engine_version    = "15"
    		15 |   instance_class    = "db.t4g.micro"
    		16 |   allocated_storage = 10
    		17 | 
    		18 |   skip_final_snapshot = true
    		19 |   publicly_accessible = true
    		20 | 
    		21 |   username = var.username
    		22 |   password = var.password
    		23 | }
    
    Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
    	FAILED for resource: aws_db_instance.mydb
    	File: /lessons/165/staging/data-stores/postgres/main.tf:11-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-73.html
    
    		11 | resource "aws_db_instance" "mydb" {
    		12 |   db_name           = "mydb"
    		13 |   engine            = "postgres"
    		14 |   engine_version    = "15"
    		15 |   instance_class    = "db.t4g.micro"
    		16 |   allocated_storage = 10
    		17 | 
    		18 |   skip_final_snapshot = true
    		19 |   publicly_accessible = true
    		20 | 
    		21 |   username = var.username
    		22 |   password = var.password
    		23 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group.instance
    	File: /lessons/165/staging/services/web/main.tf:11-20
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		11 | resource "aws_security_group" "instance" {
    		12 |   name = "web"
    		13 | 
    		14 |   ingress {
    		15 |     from_port   = var.server_port
    		16 |     to_port     = var.server_port
    		17 |     protocol    = "tcp"
    		18 |     cidr_blocks = ["0.0.0.0/0"]
    		19 |   }
    		20 | }
    
    Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
    	FAILED for resource: aws_instance.example
    	File: /lessons/165/staging/services/web/main.tf:22-35
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
    
    		22 | resource "aws_instance" "example" {
    		23 |   ami           = "ami-0a695f0d95cefc163"
    		24 |   instance_type = "t3.micro"
    		25 | 
    		26 |   vpc_security_group_ids = [aws_security_group.instance.id]
    		27 | 
    		28 |   user_data = templatefile("user-data.sh", {
    		29 |     server_port      = var.server_port
    		30 |     postgres_address = data.terraform_remote_state.postgres.outputs.address
    		31 |     postgres_port    = data.terraform_remote_state.postgres.outputs.port
    		32 |   })
    		33 | 
    		34 |   user_data_replace_on_change = true
    		35 | }
    
    Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
    	FAILED for resource: aws_instance.example
    	File: /lessons/165/staging/services/web/main.tf:22-35
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
    
    		22 | resource "aws_instance" "example" {
    		23 |   ami           = "ami-0a695f0d95cefc163"
    		24 |   instance_type = "t3.micro"
    		25 | 
    		26 |   vpc_security_group_ids = [aws_security_group.instance.id]
    		27 | 
    		28 |   user_data = templatefile("user-data.sh", {
    		29 |     server_port      = var.server_port
    		30 |     postgres_address = data.terraform_remote_state.postgres.outputs.address
    		31 |     postgres_port    = data.terraform_remote_state.postgres.outputs.port
    		32 |   })
    		33 | 
    		34 |   user_data_replace_on_change = true
    		35 | }
    
    Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
    	FAILED for resource: aws_instance.example
    	File: /lessons/165/staging/services/web/main.tf:22-35
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
    
    		22 | resource "aws_instance" "example" {
    		23 |   ami           = "ami-0a695f0d95cefc163"
    		24 |   instance_type = "t3.micro"
    		25 | 
    		26 |   vpc_security_group_ids = [aws_security_group.instance.id]
    		27 | 
    		28 |   user_data = templatefile("user-data.sh", {
    		29 |     server_port      = var.server_port
    		30 |     postgres_address = data.terraform_remote_state.postgres.outputs.address
    		31 |     postgres_port    = data.terraform_remote_state.postgres.outputs.port
    		32 |   })
    		33 | 
    		34 |   user_data_replace_on_change = true
    		35 | }
    
    Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
    	FAILED for resource: aws_instance.example
    	File: /lessons/165/staging/services/web/main.tf:22-35
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
    
    		22 | resource "aws_instance" "example" {
    		23 |   ami           = "ami-0a695f0d95cefc163"
    		24 |   instance_type = "t3.micro"
    		25 | 
    		26 |   vpc_security_group_ids = [aws_security_group.instance.id]
    		27 | 
    		28 |   user_data = templatefile("user-data.sh", {
    		29 |     server_port      = var.server_port
    		30 |     postgres_address = data.terraform_remote_state.postgres.outputs.address
    		31 |     postgres_port    = data.terraform_remote_state.postgres.outputs.port
    		32 |   })
    		33 | 
    		34 |   user_data_replace_on_change = true
    		35 | }
    
    Check: CKV_AWS_76: "Ensure API Gateway has Access Logging enabled"
    	FAILED for resource: aws_apigatewayv2_stage.dev
    	File: /lessons/167/terraform/11-api-gateway.tf:6-11
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-17.html
    
    		6  | resource "aws_apigatewayv2_stage" "dev" {
    		7  |   api_id = aws_apigatewayv2_api.main.id
    		8  | 
    		9  |   name        = "dev"
    		10 |   auto_deploy = true
    		11 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group.vpc_link
    	File: /lessons/167/terraform/12-integration.tf:1-11
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		1  | resource "aws_security_group" "vpc_link" {
    		2  |   name   = "vpc-link"
    		3  |   vpc_id = module.vpc.vpc_id
    		4  | 
    		5  |   egress {
    		6  |     from_port   = 0
    		7  |     to_port     = 0
    		8  |     protocol    = "-1"
    		9  |     cidr_blocks = ["0.0.0.0/0"]
    		10 |   }
    		11 | }
    
    Check: CKV_AWS_309: "Ensure API GatewayV2 routes specify an authorization type"
    	FAILED for resource: aws_apigatewayv2_route.get_echo
    	File: /lessons/167/terraform/12-integration.tf:29-34
    
    		29 | resource "aws_apigatewayv2_route" "get_echo" {
    		30 |   api_id = aws_apigatewayv2_api.main.id
    		31 | 
    		32 |   route_key = "GET /echo"
    		33 |   target    = "integrations/${aws_apigatewayv2_integration.eks.id}"
    		34 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.this
    	File: /lessons/167/terraform/3-eks.tf:25-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		25 | resource "aws_eks_cluster" "this" {
    		26 |   name     = var.eks_cluster_name
    		27 |   version  = "1.27"
    		28 |   role_arn = aws_iam_role.eks.arn
    		29 | 
    		30 |   vpc_config {
    		31 |     subnet_ids = concat(
    		32 |       module.vpc.private_subnets,
    		33 |       module.vpc.public_subnets
    		34 |     )
    		35 |   }
    		36 | 
    		37 |   depends_on = [aws_iam_role_policy_attachment.eks_amazon_eks_cluster_policy]
    		38 | }
    
    Check: CKV_AWS_37: "Ensure Amazon EKS control plane logging enabled for all log types"
    	FAILED for resource: aws_eks_cluster.this
    	File: /lessons/167/terraform/3-eks.tf:25-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-4.html
    
    		25 | resource "aws_eks_cluster" "this" {
    		26 |   name     = var.eks_cluster_name
    		27 |   version  = "1.27"
    		28 |   role_arn = aws_iam_role.eks.arn
    		29 | 
    		30 |   vpc_config {
    		31 |     subnet_ids = concat(
    		32 |       module.vpc.private_subnets,
    		33 |       module.vpc.public_subnets
    		34 |     )
    		35 |   }
    		36 | 
    		37 |   depends_on = [aws_iam_role_policy_attachment.eks_amazon_eks_cluster_policy]
    		38 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.this
    	File: /lessons/167/terraform/3-eks.tf:25-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		25 | resource "aws_eks_cluster" "this" {
    		26 |   name     = var.eks_cluster_name
    		27 |   version  = "1.27"
    		28 |   role_arn = aws_iam_role.eks.arn
    		29 | 
    		30 |   vpc_config {
    		31 |     subnet_ids = concat(
    		32 |       module.vpc.private_subnets,
    		33 |       module.vpc.public_subnets
    		34 |     )
    		35 |   }
    		36 | 
    		37 |   depends_on = [aws_iam_role_policy_attachment.eks_amazon_eks_cluster_policy]
    		38 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.this
    	File: /lessons/167/terraform/3-eks.tf:25-38
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		25 | resource "aws_eks_cluster" "this" {
    		26 |   name     = var.eks_cluster_name
    		27 |   version  = "1.27"
    		28 |   role_arn = aws_iam_role.eks.arn
    		29 | 
    		30 |   vpc_config {
    		31 |     subnet_ids = concat(
    		32 |       module.vpc.private_subnets,
    		33 |       module.vpc.public_subnets
    		34 |     )
    		35 |   }
    		36 | 
    		37 |   depends_on = [aws_iam_role_policy_attachment.eks_amazon_eks_cluster_policy]
    		38 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.allow_web
    	File: /lessons/167/terraform/5-sg.tf:1-8
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		1 | resource "aws_security_group_rule" "allow_web" {
    		2 |   type              = "ingress"
    		3 |   from_port         = 80
    		4 |   to_port           = 80
    		5 |   protocol          = "tcp"
    		6 |   cidr_blocks       = ["0.0.0.0/0"]
    		7 |   security_group_id = aws_eks_cluster.this.vpc_config[0].cluster_security_group_id
    		8 | }
    
    Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
    	FAILED for resource: aws_security_group_rule.allow_web
    	File: /lessons/167/terraform/5-sg.tf:1-8
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
    
    		1 | resource "aws_security_group_rule" "allow_web" {
    		2 |   type              = "ingress"
    		3 |   from_port         = 80
    		4 |   to_port           = 80
    		5 |   protocol          = "tcp"
    		6 |   cidr_blocks       = ["0.0.0.0/0"]
    		7 |   security_group_id = aws_eks_cluster.this.vpc_config[0].cluster_security_group_id
    		8 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.allow_web_node_port
    	File: /lessons/167/terraform/5-sg.tf:10-17
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		10 | resource "aws_security_group_rule" "allow_web_node_port" {
    		11 |   type              = "ingress"
    		12 |   from_port         = 30010
    		13 |   to_port           = 30010
    		14 |   protocol          = "tcp"
    		15 |   cidr_blocks       = ["0.0.0.0/0"]
    		16 |   security_group_id = aws_eks_cluster.this.vpc_config[0].cluster_security_group_id
    		17 | }
    
    Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
    	FAILED for resource: aws_subnet.public_zone1
    	File: /lessons/175/terraform/4-subnets.tf:25-36
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
    
    		25 | resource "aws_subnet" "public_zone1" {
    		26 |   vpc_id                  = aws_vpc.main.id
    		27 |   cidr_block              = "10.0.64.0/19"
    		28 |   availability_zone       = local.zone1
    		29 |   map_public_ip_on_launch = true
    		30 | 
    		31 |   tags = {
    		32 |     "Name"                                                 = "${local.env}-public-${local.zone1}"
    		33 |     "kubernetes.io/role/elb"                               = "1"
    		34 |     "kubernetes.io/cluster/${local.env}-${local.eks_name}" = "owned"
    		35 |   }
    		36 | }
    
    Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
    	FAILED for resource: aws_subnet.public_zone2
    	File: /lessons/175/terraform/4-subnets.tf:38-49
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
    
    		38 | resource "aws_subnet" "public_zone2" {
    		39 |   vpc_id                  = aws_vpc.main.id
    		40 |   cidr_block              = "10.0.96.0/19"
    		41 |   availability_zone       = local.zone2
    		42 |   map_public_ip_on_launch = true
    		43 | 
    		44 |   tags = {
    		45 |     "Name"                                                 = "${local.env}-public-${local.zone2}"
    		46 |     "kubernetes.io/role/elb"                               = "1"
    		47 |     "kubernetes.io/cluster/${local.env}-${local.eks_name}" = "owned"
    		48 |   }
    		49 | }
    
    Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
    	FAILED for resource: aws_eks_cluster.eks
    	File: /lessons/175/terraform/7-eks.tf:25-41
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
    
    		25 | resource "aws_eks_cluster" "eks" {
    		26 |   name     = "${local.env}-${local.eks_name}"
    		27 |   version  = local.eks_version
    		28 |   role_arn = aws_iam_role.eks.arn
    		29 | 
    		30 |   vpc_config {
    		31 |     endpoint_private_access = false
    		32 |     endpoint_public_access  = true
    		33 | 
    		34 |     subnet_ids = [
    		35 |       aws_subnet.private_zone1.id,
    		36 |       aws_subnet.private_zone2.id
    		37 |     ]
    		38 |   }
    		39 | 
    		40 |   depends_on = [aws_iam_role_policy_attachment.eks]
    		41 | }
    
    Check: CKV_AWS_37: "Ensure Amazon EKS control plane logging enabled for all log types"
    	FAILED for resource: aws_eks_cluster.eks
    	File: /lessons/175/terraform/7-eks.tf:25-41
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-4.html
    
    		25 | resource "aws_eks_cluster" "eks" {
    		26 |   name     = "${local.env}-${local.eks_name}"
    		27 |   version  = local.eks_version
    		28 |   role_arn = aws_iam_role.eks.arn
    		29 | 
    		30 |   vpc_config {
    		31 |     endpoint_private_access = false
    		32 |     endpoint_public_access  = true
    		33 | 
    		34 |     subnet_ids = [
    		35 |       aws_subnet.private_zone1.id,
    		36 |       aws_subnet.private_zone2.id
    		37 |     ]
    		38 |   }
    		39 | 
    		40 |   depends_on = [aws_iam_role_policy_attachment.eks]
    		41 | }
    
    Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
    	FAILED for resource: aws_eks_cluster.eks
    	File: /lessons/175/terraform/7-eks.tf:25-41
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
    
    		25 | resource "aws_eks_cluster" "eks" {
    		26 |   name     = "${local.env}-${local.eks_name}"
    		27 |   version  = local.eks_version
    		28 |   role_arn = aws_iam_role.eks.arn
    		29 | 
    		30 |   vpc_config {
    		31 |     endpoint_private_access = false
    		32 |     endpoint_public_access  = true
    		33 | 
    		34 |     subnet_ids = [
    		35 |       aws_subnet.private_zone1.id,
    		36 |       aws_subnet.private_zone2.id
    		37 |     ]
    		38 |   }
    		39 | 
    		40 |   depends_on = [aws_iam_role_policy_attachment.eks]
    		41 | }
    
    Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
    	FAILED for resource: aws_eks_cluster.eks
    	File: /lessons/175/terraform/7-eks.tf:25-41
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
    
    		25 | resource "aws_eks_cluster" "eks" {
    		26 |   name     = "${local.env}-${local.eks_name}"
    		27 |   version  = local.eks_version
    		28 |   role_arn = aws_iam_role.eks.arn
    		29 | 
    		30 |   vpc_config {
    		31 |     endpoint_private_access = false
    		32 |     endpoint_public_access  = true
    		33 | 
    		34 |     subnet_ids = [
    		35 |       aws_subnet.private_zone1.id,
    		36 |       aws_subnet.private_zone2.id
    		37 |     ]
    		38 |   }
    		39 | 
    		40 |   depends_on = [aws_iam_role_policy_attachment.eks]
    		41 | }
    
    Check: CKV2_GCP_18: "Ensure GCP network defines a firewall and does not use the default firewall"
    	FAILED for resource: google_compute_network.main
    	File: /lessons/120/terraform/2-vpc.tf:9-16
    
    		9  | resource "google_compute_network" "main" {
    		10 |   name                            = "main"
    		11 |   routing_mode                    = "REGIONAL"
    		12 |   auto_create_subnetworks         = false
    		13 |   delete_default_routes_on_create = true
    		14 | 
    		15 |   depends_on = [google_project_service.compute]
    		16 | }
    
    Check: CKV2_GCP_18: "Ensure GCP network defines a firewall and does not use the default firewall"
    	FAILED for resource: google_compute_network.main
    	File: /lessons/132/terraform/2-vpc.tf:1-10
    
    		1  | resource "google_compute_network" "main" {
    		2  |   name                            = "main"
    		3  |   routing_mode                    = "REGIONAL"
    		4  |   auto_create_subnetworks         = false
    		5  |   delete_default_routes_on_create = true
    		6  | 
    		7  |   depends_on = [
    		8  |     google_project_service.api
    		9  |   ]
    		10 | }
    
    Check: CKV2_GCP_5: "Ensure that Cloud Audit Logging is configured properly across all services and all users from a project"
    	FAILED for resource: google_project.host-staging
    	File: /lessons/069/terraform/2-projects.tf:2-8
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/ensure-that-cloud-audit-logging-is-configured-properly-across-all-services-and-all-users-from-a-project.html
    
    		2 | resource "google_project" "host-staging" {
    		3 |   name                = local.host_project_name
    		4 |   project_id          = local.host_project_id
    		5 |   billing_account     = local.billing_account
    		6 |   org_id              = local.org_id
    		7 |   auto_create_network = false
    		8 | }
    
    Check: CKV2_GCP_5: "Ensure that Cloud Audit Logging is configured properly across all services and all users from a project"
    	FAILED for resource: google_project.k8s-staging
    	File: /lessons/069/terraform/2-projects.tf:11-17
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/ensure-that-cloud-audit-logging-is-configured-properly-across-all-services-and-all-users-from-a-project.html
    
    		11 | resource "google_project" "k8s-staging" {
    		12 |   name                = local.service_project_name
    		13 |   project_id          = local.service_project_id
    		14 |   billing_account     = local.billing_account
    		15 |   org_id              = local.org_id
    		16 |   auto_create_network = false
    		17 | }
    
    Check: CKV2_GCP_5: "Ensure that Cloud Audit Logging is configured properly across all services and all users from a project"
    	FAILED for resource: google_project.antonputra_host
    	File: /lessons/148/terraform/1-projects.tf:5-11
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/ensure-that-cloud-audit-logging-is-configured-properly-across-all-services-and-all-users-from-a-project.html
    
    		5  | resource "google_project" "antonputra_host" {
    		6  |   name                = "antonputra-host"
    		7  |   project_id          = "antonputra-host-${random_id.lesson_id.dec}"
    		8  |   billing_account     = "01FDA3-9697F3-6F05B8"
    		9  |   org_id              = "206720471760"
    		10 |   auto_create_network = false
    		11 | }
    
    Check: CKV2_GCP_5: "Ensure that Cloud Audit Logging is configured properly across all services and all users from a project"
    	FAILED for resource: google_project.antonputra_service
    	File: /lessons/148/terraform/1-projects.tf:13-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/ensure-that-cloud-audit-logging-is-configured-properly-across-all-services-and-all-users-from-a-project.html
    
    		13 | resource "google_project" "antonputra_service" {
    		14 |   name                = "antonputra-service"
    		15 |   project_id          = "antonputra-service-${random_id.lesson_id.dec}"
    		16 |   billing_account     = "01FDA3-9697F3-6F05B8"
    		17 |   org_id              = "206720471760"
    		18 |   auto_create_network = false
    		19 | }
    
    Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
    	FAILED for resource: aws_s3_bucket.lambda_bucket
    	File: /lessons/115/terraform/1-lambda-bucket.tf:6-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
    
    		6 | resource "aws_s3_bucket" "lambda_bucket" {
    		7 |   bucket        = random_pet.lambda_bucket_name.id
    		8 |   force_destroy = true
    		9 | }
    
    Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
    	FAILED for resource: aws_s3_bucket.test
    	File: /lessons/115/terraform/5-test-bucket.tf:6-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
    
    		6 | resource "aws_s3_bucket" "test" {
    		7 |   bucket        = random_pet.test_bucket_name.id
    		8 |   force_destroy = true
    		9 | }
    
    Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
    	FAILED for resource: aws_s3_bucket.lambda_bucket
    	File: /lessons/117/terraform/2-lambda-bucket.tf:6-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
    
    		6 | resource "aws_s3_bucket" "lambda_bucket" {
    		7 |   bucket        = random_pet.lambda_bucket_name.id
    		8 |   force_destroy = true
    		9 | }
    
    Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
    	FAILED for resource: aws_s3_bucket.lambda_bucket
    	File: /lessons/122/terraform/8-lambda-bucket.tf:8-11
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
    
    		8  | resource "aws_s3_bucket" "lambda_bucket" {
    		9  |   bucket        = random_pet.lambda_bucket_name.id
    		10 |   force_destroy = true
    		11 | }
    
    Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
    	FAILED for resource: aws_s3_bucket.lambda_bucket
    	File: /lessons/124/terraform/1-lambda-bucket.tf:8-11
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
    
    		8  | resource "aws_s3_bucket" "lambda_bucket" {
    		9  |   bucket        = random_pet.lambda_bucket_name.id
    		10 |   force_destroy = true
    		11 | }
    
    Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
    	FAILED for resource: aws_s3_bucket.images_bucket
    	File: /lessons/124/terraform/2-images-bucket.tf:8-11
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
    
    		8  | resource "aws_s3_bucket" "images_bucket" {
    		9  |   bucket        = random_pet.images_bucket_name.id
    		10 |   force_destroy = true
    		11 | }
    
    Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
    	FAILED for resource: aws_s3_bucket.lambda_bucket
    	File: /lessons/126/terraform/1-lambda-bucket.tf:8-11
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
    
    		8  | resource "aws_s3_bucket" "lambda_bucket" {
    		9  |   bucket        = random_pet.lambda_bucket_name.id
    		10 |   force_destroy = true
    		11 | }
    
    Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
    	FAILED for resource: aws_s3_bucket.images_bucket
    	File: /lessons/126/terraform/2-images-bucket.tf:8-11
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
    
    		8  | resource "aws_s3_bucket" "images_bucket" {
    		9  |   bucket        = random_pet.images_bucket_name.id
    		10 |   force_destroy = true
    		11 | }
    
    Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
    	FAILED for resource: aws_s3_bucket.lambda_bucket
    	File: /lessons/128/terraform/1-lambda-bucket.tf:8-11
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
    
    		8  | resource "aws_s3_bucket" "lambda_bucket" {
    		9  |   bucket        = random_pet.lambda_bucket_name.id
    		10 |   force_destroy = true
    		11 | }
    
    Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
    	FAILED for resource: aws_s3_bucket.images_bucket
    	File: /lessons/128/terraform/2-images-bucket.tf:7-10
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
    
    		7  | resource "aws_s3_bucket" "images_bucket" {
    		8  |   bucket        = "images-${random_id.server.hex}"
    		9  |   force_destroy = true
    		10 | }
    
    Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
    	FAILED for resource: aws_s3_bucket.functions
    	File: /lessons/129/terraform/1-aws-buckets.tf:2-5
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
    
    		2 | resource "aws_s3_bucket" "functions" {
    		3 |   bucket        = "functions-${random_id.lesson.hex}"
    		4 |   force_destroy = true
    		5 | }
    
    Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
    	FAILED for resource: aws_s3_bucket.images
    	File: /lessons/129/terraform/1-aws-buckets.tf:18-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
    
    		18 | resource "aws_s3_bucket" "images" {
    		19 |   bucket        = "images-${random_id.lesson.hex}"
    		20 |   force_destroy = true
    		21 | }
    
    Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
    	FAILED for resource: aws_s3_bucket.lambda_bucket
    	File: /lessons/131/terraform/11-lambda-bucket.tf:8-11
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
    
    		8  | resource "aws_s3_bucket" "lambda_bucket" {
    		9  |   bucket        = random_pet.lambda_bucket_name.id
    		10 |   force_destroy = true
    		11 | }
    
    Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
    	FAILED for resource: aws_s3_bucket.terraform_state
    	File: /lessons/165/1-example/main.tf:5-11
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
    
    		5  | resource "aws_s3_bucket" "terraform_state" {
    		6  |   bucket = "antonputra-terraform-state"
    		7  | 
    		8  |   lifecycle {
    		9  |     prevent_destroy = true
    		10 |   }
    		11 | }
    
    Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
    	FAILED for resource: aws_s3_bucket.terraform_state
    	File: /lessons/165/global/s3/main.tf:5-11
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
    
    		5  | resource "aws_s3_bucket" "terraform_state" {
    		6  |   bucket = "antonputra-terraform-state"
    		7  | 
    		8  |   lifecycle {
    		9  |     prevent_destroy = true
    		10 |   }
    		11 | }
    
    Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
    	FAILED for resource: aws_s3_bucket.lambda_bucket
    	File: /lessons/115/terraform/1-lambda-bucket.tf:6-9
    
    		6 | resource "aws_s3_bucket" "lambda_bucket" {
    		7 |   bucket        = random_pet.lambda_bucket_name.id
    		8 |   force_destroy = true
    		9 | }
    
    Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
    	FAILED for resource: aws_s3_bucket.test
    	File: /lessons/115/terraform/5-test-bucket.tf:6-9
    
    		6 | resource "aws_s3_bucket" "test" {
    		7 |   bucket        = random_pet.test_bucket_name.id
    		8 |   force_destroy = true
    		9 | }
    
    Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
    	FAILED for resource: aws_s3_bucket.lambda_bucket
    	File: /lessons/117/terraform/2-lambda-bucket.tf:6-9
    
    		6 | resource "aws_s3_bucket" "lambda_bucket" {
    		7 |   bucket        = random_pet.lambda_bucket_name.id
    		8 |   force_destroy = true
    		9 | }
    
    Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
    	FAILED for resource: aws_s3_bucket.lambda_bucket
    	File: /lessons/122/terraform/8-lambda-bucket.tf:8-11
    
    		8  | resource "aws_s3_bucket" "lambda_bucket" {
    		9  |   bucket        = random_pet.lambda_bucket_name.id
    		10 |   force_destroy = true
    		11 | }
    
    Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
    	FAILED for resource: aws_s3_bucket.lambda_bucket
    	File: /lessons/124/terraform/1-lambda-bucket.tf:8-11
    
    		8  | resource "aws_s3_bucket" "lambda_bucket" {
    		9  |   bucket        = random_pet.lambda_bucket_name.id
    		10 |   force_destroy = true
    		11 | }
    
    Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
    	FAILED for resource: aws_s3_bucket.images_bucket
    	File: /lessons/124/terraform/2-images-bucket.tf:8-11
    
    		8  | resource "aws_s3_bucket" "images_bucket" {
    		9  |   bucket        = random_pet.images_bucket_name.id
    		10 |   force_destroy = true
    		11 | }
    
    Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
    	FAILED for resource: aws_s3_bucket.lambda_bucket
    	File: /lessons/126/terraform/1-lambda-bucket.tf:8-11
    
    		8  | resource "aws_s3_bucket" "lambda_bucket" {
    		9  |   bucket        = random_pet.lambda_bucket_name.id
    		10 |   force_destroy = true
    		11 | }
    
    Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
    	FAILED for resource: aws_s3_bucket.images_bucket
    	File: /lessons/126/terraform/2-images-bucket.tf:8-11
    
    		8  | resource "aws_s3_bucket" "images_bucket" {
    		9  |   bucket        = random_pet.images_bucket_name.id
    		10 |   force_destroy = true
    		11 | }
    
    Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
    	FAILED for resource: aws_s3_bucket.lambda_bucket
    	File: /lessons/128/terraform/1-lambda-bucket.tf:8-11
    
    		8  | resource "aws_s3_bucket" "lambda_bucket" {
    		9  |   bucket        = random_pet.lambda_bucket_name.id
    		10 |   force_destroy = true
    		11 | }
    
    Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
    	FAILED for resource: aws_s3_bucket.images_bucket
    	File: /lessons/128/terraform/2-images-bucket.tf:7-10
    
    		7  | resource "aws_s3_bucket" "images_bucket" {
    		8  |   bucket        = "images-${random_id.server.hex}"
    		9  |   force_destroy = true
    		10 | }
    
    Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
    	FAILED for resource: aws_s3_bucket.functions
    	File: /lessons/129/terraform/1-aws-buckets.tf:2-5
    
    		2 | resource "aws_s3_bucket" "functions" {
    		3 |   bucket        = "functions-${random_id.lesson.hex}"
    		4 |   force_destroy = true
    		5 | }
    
    Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
    	FAILED for resource: aws_s3_bucket.images
    	File: /lessons/129/terraform/1-aws-buckets.tf:18-21
    
    		18 | resource "aws_s3_bucket" "images" {
    		19 |   bucket        = "images-${random_id.lesson.hex}"
    		20 |   force_destroy = true
    		21 | }
    
    Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
    	FAILED for resource: aws_s3_bucket.lambda_bucket
    	File: /lessons/131/terraform/11-lambda-bucket.tf:8-11
    
    		8  | resource "aws_s3_bucket" "lambda_bucket" {
    		9  |   bucket        = random_pet.lambda_bucket_name.id
    		10 |   force_destroy = true
    		11 | }
    
    Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
    	FAILED for resource: aws_s3_bucket.terraform_state
    	File: /lessons/165/1-example/main.tf:5-11
    
    		5  | resource "aws_s3_bucket" "terraform_state" {
    		6  |   bucket = "antonputra-terraform-state"
    		7  | 
    		8  |   lifecycle {
    		9  |     prevent_destroy = true
    		10 |   }
    		11 | }
    
    Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
    	FAILED for resource: aws_s3_bucket.terraform_state
    	File: /lessons/165/global/s3/main.tf:5-11
    
    		5  | resource "aws_s3_bucket" "terraform_state" {
    		6  |   bucket = "antonputra-terraform-state"
    		7  | 
    		8  |   lifecycle {
    		9  |     prevent_destroy = true
    		10 |   }
    		11 | }
    
    Check: CKV2_AWS_16: "Ensure that Auto Scaling is enabled on your DynamoDB tables"
    	FAILED for resource: aws_dynamodb_table.meta
    	File: /lessons/124/terraform/3-dynamodb.tf:1-12
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-auto-scaling-is-enabled-on-your-dynamodb-tables.html
    
    		1  | resource "aws_dynamodb_table" "meta" {
    		2  |   name           = "Meta"
    		3  |   billing_mode   = "PROVISIONED"
    		4  |   read_capacity  = 5
    		5  |   write_capacity = 5
    		6  |   hash_key       = "LastModified"
    		7  | 
    		8  |   attribute {
    		9  |     name = "LastModified"
    		10 |     type = "S"
    		11 |   }
    		12 | }
    
    Check: CKV2_AWS_16: "Ensure that Auto Scaling is enabled on your DynamoDB tables"
    	FAILED for resource: aws_dynamodb_table.meta
    	File: /lessons/126/terraform/3-dynamodb.tf:2-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-auto-scaling-is-enabled-on-your-dynamodb-tables.html
    
    		2  | resource "aws_dynamodb_table" "meta" {
    		3  |   name           = "Meta"
    		4  |   billing_mode   = "PROVISIONED"
    		5  |   read_capacity  = 5
    		6  |   write_capacity = 1000
    		7  |   hash_key       = "LastModified"
    		8  | 
    		9  |   attribute {
    		10 |     name = "LastModified"
    		11 |     type = "S"
    		12 |   }
    		13 | }
    
    Check: CKV2_AWS_16: "Ensure that Auto Scaling is enabled on your DynamoDB tables"
    	FAILED for resource: aws_dynamodb_table.images
    	File: /lessons/128/terraform/3-dynamodb.tf:1-12
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-auto-scaling-is-enabled-on-your-dynamodb-tables.html
    
    		1  | resource "aws_dynamodb_table" "images" {
    		2  |   name           = "images"
    		3  |   billing_mode   = "PROVISIONED"
    		4  |   read_capacity  = 5
    		5  |   write_capacity = 100
    		6  |   hash_key       = "last_modified_date"
    		7  | 
    		8  |   attribute {
    		9  |     name = "last_modified_date"
    		10 |     type = "S"
    		11 |   }
    		12 | }
    
    Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
    	FAILED for resource: aws_db_instance.mydb
    	File: /lessons/162/1-part/3-rds.tf:1-14
    
    		1  | resource "aws_db_instance" "mydb" {
    		2  |   db_name           = "mydb"
    		3  |   engine            = "postgres"
    		4  |   engine_version    = "15"
    		5  |   instance_class    = "db.t4g.micro"
    		6  |   allocated_storage = 10
    		7  | 
    		8  |   publicly_accessible  = true
    		9  |   skip_final_snapshot  = true
    		10 |   db_subnet_group_name = aws_db_subnet_group.public.name
    		11 | 
    		12 |   username = "root"
    		13 |   password = "devops123"
    		14 | }
    
    Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
    	FAILED for resource: aws_db_instance.mydb
    	File: /lessons/162/2-part/3-rds.tf:1-14
    
    		1  | resource "aws_db_instance" "mydb" {
    		2  |   db_name           = "mydb"
    		3  |   engine            = "postgres"
    		4  |   engine_version    = "15"
    		5  |   instance_class    = "db.t4g.micro"
    		6  |   allocated_storage = 10
    		7  | 
    		8  |   publicly_accessible  = true
    		9  |   skip_final_snapshot  = true
    		10 |   db_subnet_group_name = aws_db_subnet_group.public.name
    		11 | 
    		12 |   username = var.username
    		13 |   password = var.password
    		14 | }
    
    Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
    	FAILED for resource: aws_db_instance.mydb
    	File: /lessons/162/3-part/3-rds.tf:12-25
    
    		12 | resource "aws_db_instance" "mydb" {
    		13 |   db_name           = "mydb"
    		14 |   engine            = "postgres"
    		15 |   engine_version    = "15"
    		16 |   instance_class    = "db.t4g.micro"
    		17 |   allocated_storage = 10
    		18 | 
    		19 |   publicly_accessible  = true
    		20 |   skip_final_snapshot  = true
    		21 |   db_subnet_group_name = aws_db_subnet_group.public.name
    		22 | 
    		23 |   username = local.db_creds.username
    		24 |   password = local.db_creds.password
    		25 | }
    
    Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
    	FAILED for resource: aws_db_instance.mydb
    	File: /lessons/162/5-part/3-rds.tf:11-24
    
    		11 | resource "aws_db_instance" "mydb" {
    		12 |   db_name           = "mydb"
    		13 |   engine            = "postgres"
    		14 |   engine_version    = "15"
    		15 |   instance_class    = "db.t4g.micro"
    		16 |   allocated_storage = 10
    		17 | 
    		18 |   publicly_accessible  = true
    		19 |   skip_final_snapshot  = true
    		20 |   db_subnet_group_name = aws_db_subnet_group.public.name
    		21 | 
    		22 |   username = local.db_creds.username
    		23 |   password = local.db_creds.password
    		24 | }
    
    Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
    	FAILED for resource: aws_db_instance.mydb
    	File: /lessons/165/infra/main.tf:10-22
    
    		10 | resource "aws_db_instance" "mydb" {
    		11 |   db_name           = "mydb"
    		12 |   engine            = "postgres"
    		13 |   engine_version    = "15"
    		14 |   instance_class    = "db.t4g.micro"
    		15 |   allocated_storage = 10
    		16 | 
    		17 |   publicly_accessible = true
    		18 |   skip_final_snapshot = true
    		19 | 
    		20 |   username = "root"
    		21 |   password = "devops123"
    		22 | }
    
    Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
    	FAILED for resource: aws_db_instance.mydb
    	File: /lessons/165/staging/data-stores/postgres/main.tf:11-23
    
    		11 | resource "aws_db_instance" "mydb" {
    		12 |   db_name           = "mydb"
    		13 |   engine            = "postgres"
    		14 |   engine_version    = "15"
    		15 |   instance_class    = "db.t4g.micro"
    		16 |   allocated_storage = 10
    		17 | 
    		18 |   skip_final_snapshot = true
    		19 |   publicly_accessible = true
    		20 | 
    		21 |   username = var.username
    		22 |   password = var.password
    		23 | }
    
    Check: CKV2_AWS_44: "Ensure AWS route table with VPC peering does not contain routes overly permissive to all traffic"
    	FAILED for resource: aws_route_table.private
    	File: /lessons/089/terraform/5-routes.tf:3-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-route-table-with-vpc-peering-does-not-contain-routes-overly-permissive-to-all-traffic.html
    
    		3  | resource "aws_route_table" "private" {
    		4  |   vpc_id = aws_vpc.main.id
    		5  | 
    		6  |   route = [
    		7  |     {
    		8  |       cidr_block                 = "0.0.0.0/0"
    		9  |       nat_gateway_id             = aws_nat_gateway.nat.id
    		10 |       carrier_gateway_id         = ""
    		11 |       destination_prefix_list_id = ""
    		12 |       egress_only_gateway_id     = ""
    		13 |       gateway_id                 = ""
    		14 |       instance_id                = ""
    		15 |       ipv6_cidr_block            = ""
    		16 |       local_gateway_id           = ""
    		17 |       network_interface_id       = ""
    		18 |       transit_gateway_id         = ""
    		19 |       vpc_endpoint_id            = ""
    		20 |       vpc_peering_connection_id  = ""
    		21 |     },
    		22 |   ]
    		23 | 
    		24 |   tags = {
    		25 |     Name = "private"
    		26 |   }
    		27 | }
    
    Check: CKV2_AWS_44: "Ensure AWS route table with VPC peering does not contain routes overly permissive to all traffic"
    	FAILED for resource: aws_route_table.public
    	File: /lessons/089/terraform/5-routes.tf:29-53
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-route-table-with-vpc-peering-does-not-contain-routes-overly-permissive-to-all-traffic.html
    
    		29 | resource "aws_route_table" "public" {
    		30 |   vpc_id = aws_vpc.main.id
    		31 | 
    		32 |   route = [
    		33 |     {
    		34 |       cidr_block                 = "0.0.0.0/0"
    		35 |       gateway_id                 = aws_internet_gateway.igw.id
    		36 |       nat_gateway_id             = ""
    		37 |       carrier_gateway_id         = ""
    		38 |       destination_prefix_list_id = ""
    		39 |       egress_only_gateway_id     = ""
    		40 |       instance_id                = ""
    		41 |       ipv6_cidr_block            = ""
    		42 |       local_gateway_id           = ""
    		43 |       network_interface_id       = ""
    		44 |       transit_gateway_id         = ""
    		45 |       vpc_endpoint_id            = ""
    		46 |       vpc_peering_connection_id  = ""
    		47 |     },
    		48 |   ]
    		49 | 
    		50 |   tags = {
    		51 |     Name = "public"
    		52 |   }
    		53 | }
    
    Check: CKV2_AWS_44: "Ensure AWS route table with VPC peering does not contain routes overly permissive to all traffic"
    	FAILED for resource: aws_route_table.private
    	File: /lessons/090/terraform/5-routes.tf:3-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-route-table-with-vpc-peering-does-not-contain-routes-overly-permissive-to-all-traffic.html
    
    		3  | resource "aws_route_table" "private" {
    		4  |   vpc_id = aws_vpc.main.id
    		5  | 
    		6  |   route = [
    		7  |     {
    		8  |       cidr_block                 = "0.0.0.0/0"
    		9  |       nat_gateway_id             = aws_nat_gateway.nat.id
    		10 |       carrier_gateway_id         = ""
    		11 |       destination_prefix_list_id = ""
    		12 |       egress_only_gateway_id     = ""
    		13 |       gateway_id                 = ""
    		14 |       instance_id                = ""
    		15 |       ipv6_cidr_block            = ""
    		16 |       local_gateway_id           = ""
    		17 |       network_interface_id       = ""
    		18 |       transit_gateway_id         = ""
    		19 |       vpc_endpoint_id            = ""
    		20 |       vpc_peering_connection_id  = ""
    		21 |     },
    		22 |   ]
    		23 | 
    		24 |   tags = {
    		25 |     Name = "private"
    		26 |   }
    		27 | }
    
    Check: CKV2_AWS_44: "Ensure AWS route table with VPC peering does not contain routes overly permissive to all traffic"
    	FAILED for resource: aws_route_table.public
    	File: /lessons/090/terraform/5-routes.tf:29-53
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-route-table-with-vpc-peering-does-not-contain-routes-overly-permissive-to-all-traffic.html
    
    		29 | resource "aws_route_table" "public" {
    		30 |   vpc_id = aws_vpc.main.id
    		31 | 
    		32 |   route = [
    		33 |     {
    		34 |       cidr_block                 = "0.0.0.0/0"
    		35 |       gateway_id                 = aws_internet_gateway.igw.id
    		36 |       nat_gateway_id             = ""
    		37 |       carrier_gateway_id         = ""
    		38 |       destination_prefix_list_id = ""
    		39 |       egress_only_gateway_id     = ""
    		40 |       instance_id                = ""
    		41 |       ipv6_cidr_block            = ""
    		42 |       local_gateway_id           = ""
    		43 |       network_interface_id       = ""
    		44 |       transit_gateway_id         = ""
    		45 |       vpc_endpoint_id            = ""
    		46 |       vpc_peering_connection_id  = ""
    		47 |     },
    		48 |   ]
    		49 | 
    		50 |   tags = {
    		51 |     Name = "public"
    		52 |   }
    		53 | }
    
    Check: CKV2_AWS_44: "Ensure AWS route table with VPC peering does not contain routes overly permissive to all traffic"
    	FAILED for resource: aws_route_table.private
    	File: /lessons/091/terraform/5-routes.tf:3-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-route-table-with-vpc-peering-does-not-contain-routes-overly-permissive-to-all-traffic.html
    
    		3  | resource "aws_route_table" "private" {
    		4  |   vpc_id = aws_vpc.main.id
    		5  | 
    		6  |   route = [
    		7  |     {
    		8  |       cidr_block                 = "0.0.0.0/0"
    		9  |       nat_gateway_id             = aws_nat_gateway.nat.id
    		10 |       carrier_gateway_id         = ""
    		11 |       destination_prefix_list_id = ""
    		12 |       egress_only_gateway_id     = ""
    		13 |       gateway_id                 = ""
    		14 |       instance_id                = ""
    		15 |       ipv6_cidr_block            = ""
    		16 |       local_gateway_id           = ""
    		17 |       network_interface_id       = ""
    		18 |       transit_gateway_id         = ""
    		19 |       vpc_endpoint_id            = ""
    		20 |       vpc_peering_connection_id  = ""
    		21 |     },
    		22 |   ]
    		23 | 
    		24 |   tags = {
    		25 |     Name = "private"
    		26 |   }
    		27 | }
    
    Check: CKV2_AWS_44: "Ensure AWS route table with VPC peering does not contain routes overly permissive to all traffic"
    	FAILED for resource: aws_route_table.public
    	File: /lessons/091/terraform/5-routes.tf:29-53
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-route-table-with-vpc-peering-does-not-contain-routes-overly-permissive-to-all-traffic.html
    
    		29 | resource "aws_route_table" "public" {
    		30 |   vpc_id = aws_vpc.main.id
    		31 | 
    		32 |   route = [
    		33 |     {
    		34 |       cidr_block                 = "0.0.0.0/0"
    		35 |       gateway_id                 = aws_internet_gateway.igw.id
    		36 |       nat_gateway_id             = ""
    		37 |       carrier_gateway_id         = ""
    		38 |       destination_prefix_list_id = ""
    		39 |       egress_only_gateway_id     = ""
    		40 |       instance_id                = ""
    		41 |       ipv6_cidr_block            = ""
    		42 |       local_gateway_id           = ""
    		43 |       network_interface_id       = ""
    		44 |       transit_gateway_id         = ""
    		45 |       vpc_endpoint_id            = ""
    		46 |       vpc_peering_connection_id  = ""
    		47 |     },
    		48 |   ]
    		49 | 
    		50 |   tags = {
    		51 |     Name = "public"
    		52 |   }
    		53 | }
    
    Check: CKV2_AWS_44: "Ensure AWS route table with VPC peering does not contain routes overly permissive to all traffic"
    	FAILED for resource: aws_route_table.private
    	File: /lessons/099/terraform/5-routes.tf:3-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-route-table-with-vpc-peering-does-not-contain-routes-overly-permissive-to-all-traffic.html
    
    		3  | resource "aws_route_table" "private" {
    		4  |   vpc_id = aws_vpc.main.id
    		5  | 
    		6  |   route = [
    		7  |     {
    		8  |       cidr_block                 = "0.0.0.0/0"
    		9  |       nat_gateway_id             = aws_nat_gateway.nat.id
    		10 |       carrier_gateway_id         = ""
    		11 |       destination_prefix_list_id = ""
    		12 |       egress_only_gateway_id     = ""
    		13 |       gateway_id                 = ""
    		14 |       instance_id                = ""
    		15 |       ipv6_cidr_block            = ""
    		16 |       local_gateway_id           = ""
    		17 |       network_interface_id       = ""
    		18 |       transit_gateway_id         = ""
    		19 |       vpc_endpoint_id            = ""
    		20 |       vpc_peering_connection_id  = ""
    		21 |     },
    		22 |   ]
    		23 | 
    		24 |   tags = {
    		25 |     Name = "private"
    		26 |   }
    		27 | }
    
    Check: CKV2_AWS_44: "Ensure AWS route table with VPC peering does not contain routes overly permissive to all traffic"
    	FAILED for resource: aws_route_table.public
    	File: /lessons/099/terraform/5-routes.tf:29-53
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-route-table-with-vpc-peering-does-not-contain-routes-overly-permissive-to-all-traffic.html
    
    		29 | resource "aws_route_table" "public" {
    		30 |   vpc_id = aws_vpc.main.id
    		31 | 
    		32 |   route = [
    		33 |     {
    		34 |       cidr_block                 = "0.0.0.0/0"
    		35 |       gateway_id                 = aws_internet_gateway.igw.id
    		36 |       nat_gateway_id             = ""
    		37 |       carrier_gateway_id         = ""
    		38 |       destination_prefix_list_id = ""
    		39 |       egress_only_gateway_id     = ""
    		40 |       instance_id                = ""
    		41 |       ipv6_cidr_block            = ""
    		42 |       local_gateway_id           = ""
    		43 |       network_interface_id       = ""
    		44 |       transit_gateway_id         = ""
    		45 |       vpc_endpoint_id            = ""
    		46 |       vpc_peering_connection_id  = ""
    		47 |     },
    		48 |   ]
    		49 | 
    		50 |   tags = {
    		51 |     Name = "public"
    		52 |   }
    		53 | }
    
    Check: CKV2_AWS_44: "Ensure AWS route table with VPC peering does not contain routes overly permissive to all traffic"
    	FAILED for resource: aws_route_table.private
    	File: /lessons/102/terraform/5-routes.tf:1-25
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-route-table-with-vpc-peering-does-not-contain-routes-overly-permissive-to-all-traffic.html
    
    		1  | resource "aws_route_table" "private" {
    		2  |   vpc_id = aws_vpc.main.id
    		3  | 
    		4  |   route = [
    		5  |     {
    		6  |       cidr_block                 = "0.0.0.0/0"
    		7  |       nat_gateway_id             = aws_nat_gateway.nat.id
    		8  |       carrier_gateway_id         = ""
    		9  |       destination_prefix_list_id = ""
    		10 |       egress_only_gateway_id     = ""
    		11 |       gateway_id                 = ""
    		12 |       instance_id                = ""
    		13 |       ipv6_cidr_block            = ""
    		14 |       local_gateway_id           = ""
    		15 |       network_interface_id       = ""
    		16 |       transit_gateway_id         = ""
    		17 |       vpc_endpoint_id            = ""
    		18 |       vpc_peering_connection_id  = ""
    		19 |     },
    		20 |   ]
    		21 | 
    		22 |   tags = {
    		23 |     Name = "private"
    		24 |   }
    		25 | }
    
    Check: CKV2_AWS_44: "Ensure AWS route table with VPC peering does not contain routes overly permissive to all traffic"
    	FAILED for resource: aws_route_table.public
    	File: /lessons/102/terraform/5-routes.tf:27-51
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-route-table-with-vpc-peering-does-not-contain-routes-overly-permissive-to-all-traffic.html
    
    		27 | resource "aws_route_table" "public" {
    		28 |   vpc_id = aws_vpc.main.id
    		29 | 
    		30 |   route = [
    		31 |     {
    		32 |       cidr_block                 = "0.0.0.0/0"
    		33 |       gateway_id                 = aws_internet_gateway.igw.id
    		34 |       nat_gateway_id             = ""
    		35 |       carrier_gateway_id         = ""
    		36 |       destination_prefix_list_id = ""
    		37 |       egress_only_gateway_id     = ""
    		38 |       instance_id                = ""
    		39 |       ipv6_cidr_block            = ""
    		40 |       local_gateway_id           = ""
    		41 |       network_interface_id       = ""
    		42 |       transit_gateway_id         = ""
    		43 |       vpc_endpoint_id            = ""
    		44 |       vpc_peering_connection_id  = ""
    		45 |     },
    		46 |   ]
    		47 | 
    		48 |   tags = {
    		49 |     Name = "public"
    		50 |   }
    		51 | }
    
    Check: CKV2_AWS_44: "Ensure AWS route table with VPC peering does not contain routes overly permissive to all traffic"
    	FAILED for resource: aws_route_table.public
    	File: /lessons/104/terraform/4-routes.tf:1-25
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-route-table-with-vpc-peering-does-not-contain-routes-overly-permissive-to-all-traffic.html
    
    		1  | resource "aws_route_table" "public" {
    		2  |   vpc_id = aws_vpc.main.id
    		3  | 
    		4  |   route = [
    		5  |     {
    		6  |       cidr_block                 = "0.0.0.0/0"
    		7  |       gateway_id                 = aws_internet_gateway.igw.id
    		8  |       nat_gateway_id             = ""
    		9  |       carrier_gateway_id         = ""
    		10 |       destination_prefix_list_id = ""
    		11 |       egress_only_gateway_id     = ""
    		12 |       instance_id                = ""
    		13 |       ipv6_cidr_block            = ""
    		14 |       local_gateway_id           = ""
    		15 |       network_interface_id       = ""
    		16 |       transit_gateway_id         = ""
    		17 |       vpc_endpoint_id            = ""
    		18 |       vpc_peering_connection_id  = ""
    		19 |     },
    		20 |   ]
    		21 | 
    		22 |   tags = {
    		23 |     Name = "public"
    		24 |   }
    		25 | }
    
    Check: CKV2_AWS_44: "Ensure AWS route table with VPC peering does not contain routes overly permissive to all traffic"
    	FAILED for resource: aws_route_table.private
    	File: /lessons/105/aws-terraform/5-routes.tf:1-25
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-route-table-with-vpc-peering-does-not-contain-routes-overly-permissive-to-all-traffic.html
    
    		1  | resource "aws_route_table" "private" {
    		2  |   vpc_id = aws_vpc.main.id
    		3  | 
    		4  |   route = [
    		5  |     {
    		6  |       cidr_block                 = "0.0.0.0/0"
    		7  |       nat_gateway_id             = aws_nat_gateway.nat.id
    		8  |       carrier_gateway_id         = ""
    		9  |       destination_prefix_list_id = ""
    		10 |       egress_only_gateway_id     = ""
    		11 |       gateway_id                 = ""
    		12 |       instance_id                = ""
    		13 |       ipv6_cidr_block            = ""
    		14 |       local_gateway_id           = ""
    		15 |       network_interface_id       = ""
    		16 |       transit_gateway_id         = ""
    		17 |       vpc_endpoint_id            = ""
    		18 |       vpc_peering_connection_id  = ""
    		19 |     },
    		20 |   ]
    		21 | 
    		22 |   tags = {
    		23 |     Name = "private"
    		24 |   }
    		25 | }
    
    Check: CKV2_AWS_44: "Ensure AWS route table with VPC peering does not contain routes overly permissive to all traffic"
    	FAILED for resource: aws_route_table.public
    	File: /lessons/105/aws-terraform/5-routes.tf:27-51
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-route-table-with-vpc-peering-does-not-contain-routes-overly-permissive-to-all-traffic.html
    
    		27 | resource "aws_route_table" "public" {
    		28 |   vpc_id = aws_vpc.main.id
    		29 | 
    		30 |   route = [
    		31 |     {
    		32 |       cidr_block                 = "0.0.0.0/0"
    		33 |       gateway_id                 = aws_internet_gateway.igw.id
    		34 |       nat_gateway_id             = ""
    		35 |       carrier_gateway_id         = ""
    		36 |       destination_prefix_list_id = ""
    		37 |       egress_only_gateway_id     = ""
    		38 |       instance_id                = ""
    		39 |       ipv6_cidr_block            = ""
    		40 |       local_gateway_id           = ""
    		41 |       network_interface_id       = ""
    		42 |       transit_gateway_id         = ""
    		43 |       vpc_endpoint_id            = ""
    		44 |       vpc_peering_connection_id  = ""
    		45 |     },
    		46 |   ]
    		47 | 
    		48 |   tags = {
    		49 |     Name = "public"
    		50 |   }
    		51 | }
    
    Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances"
    	FAILED for resource: aws_eip.nat1
    	File: /lessons/038/terraform/eips.tf:5-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances.html
    
    		5 | resource "aws_eip" "nat1" {
    		6 |   # EIP may require IGW to exist prior to association. 
    		7 |   # Use depends_on to set an explicit dependency on the IGW.
    		8 |   depends_on = [aws_internet_gateway.main]
    		9 | }
    
    Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances"
    	FAILED for resource: aws_eip.nat2
    	File: /lessons/038/terraform/eips.tf:11-15
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances.html
    
    		11 | resource "aws_eip" "nat2" {
    		12 |   # EIP may require IGW to exist prior to association. 
    		13 |   # Use depends_on to set an explicit dependency on the IGW.
    		14 |   depends_on = [aws_internet_gateway.main]
    		15 | }
    
    Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/020/main.tf:8-14
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
    
    		8  | resource "aws_vpc" "main" {
    		9  |   cidr_block = "10.0.0.0/18"
    		10 | 
    		11 |   tags = {
    		12 |     Name = "main"
    		13 |   }
    		14 | }
    
    Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/038/terraform/vpc.tf:4-30
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
    
    		4  | resource "aws_vpc" "main" {
    		5  |   # The CIDR block for the VPC.
    		6  |   cidr_block = "192.168.0.0/16"
    		7  | 
    		8  |   # Makes your instances shared on the host.
    		9  |   instance_tenancy = "default"
    		10 | 
    		11 |   # Required for EKS. Enable/disable DNS support in the VPC.
    		12 |   enable_dns_support = true
    		13 | 
    		14 |   # Required for EKS. Enable/disable DNS hostnames in the VPC.
    		15 |   enable_dns_hostnames = true
    		16 | 
    		17 |   # Enable/disable ClassicLink for the VPC.
    		18 |   enable_classiclink = false
    		19 | 
    		20 |   # Enable/disable ClassicLink DNS Support for the VPC.
    		21 |   enable_classiclink_dns_support = false
    		22 | 
    		23 |   # Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC.
    		24 |   assign_generated_ipv6_cidr_block = false
    		25 | 
    		26 |   # A map of tags to assign to the resource.
    		27 |   tags = {
    		28 |     Name = "main"
    		29 |   }
    		30 | }
    
    Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/089/terraform/1-vpc.tf:3-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
    
    		3 | resource "aws_vpc" "main" {
    		4 |   cidr_block = "10.0.0.0/16"
    		5 | 
    		6 |   tags = {
    		7 |     Name = "main"
    		8 |   }
    		9 | }
    
    Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/090/terraform/1-vpc.tf:3-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
    
    		3 | resource "aws_vpc" "main" {
    		4 |   cidr_block = "10.0.0.0/16"
    		5 | 
    		6 |   tags = {
    		7 |     Name = "main"
    		8 |   }
    		9 | }
    
    Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/091/terraform/1-vpc.tf:3-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
    
    		3 | resource "aws_vpc" "main" {
    		4 |   cidr_block = "10.0.0.0/16"
    		5 | 
    		6 |   tags = {
    		7 |     Name = "main"
    		8 |   }
    		9 | }
    
    Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/099/terraform/1-vpc.tf:3-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
    
    		3 | resource "aws_vpc" "main" {
    		4 |   cidr_block = "10.0.0.0/16"
    		5 | 
    		6 |   tags = {
    		7 |     Name = "main"
    		8 |   }
    		9 | }
    
    Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/102/terraform/1-vpc.tf:1-7
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
    
    		1 | resource "aws_vpc" "main" {
    		2 |   cidr_block = "10.0.0.0/16"
    		3 | 
    		4 |   tags = {
    		5 |     Name = "main"
    		6 |   }
    		7 | }
    
    Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/104/terraform/1-vpc.tf:1-7
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
    
    		1 | resource "aws_vpc" "main" {
    		2 |   cidr_block = "10.0.0.0/16"
    		3 | 
    		4 |   tags = {
    		5 |     Name = "main"
    		6 |   }
    		7 | }
    
    Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/105/aws-terraform/1-vpc.tf:1-7
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
    
    		1 | resource "aws_vpc" "main" {
    		2 |   cidr_block = "10.0.0.0/16"
    		3 | 
    		4 |   tags = {
    		5 |     Name = "main"
    		6 |   }
    		7 | }
    
    Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/112/terraform/1-vpc.tf:1-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
    
    		1 | resource "aws_vpc" "main" {
    		2 |   cidr_block = "10.0.0.0/16"
    		3 | 
    		4 |   enable_dns_hostnames = true
    		5 | 
    		6 |   tags = {
    		7 |     Name = "main"
    		8 |   }
    		9 | }
    
    Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/113/terraform/1-vpc.tf:1-11
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
    
    		1  | resource "aws_vpc" "main" {
    		2  |   cidr_block = "10.0.0.0/16"
    		3  | 
    		4  |   # Must be enabled for EFS
    		5  |   enable_dns_support   = true
    		6  |   enable_dns_hostnames = true
    		7  | 
    		8  |   tags = {
    		9  |     Name = "main"
    		10 |   }
    		11 | }
    
    Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/114/terraform/1-vpc.tf:1-11
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
    
    		1  | resource "aws_vpc" "main" {
    		2  |   cidr_block = "10.0.0.0/16"
    		3  | 
    		4  |   # Must be enabled for EFS
    		5  |   enable_dns_support   = true
    		6  |   enable_dns_hostnames = true
    		7  | 
    		8  |   tags = {
    		9  |     Name = "main"
    		10 |   }
    		11 | }
    
    Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/116/terraform/1-vpc.tf:1-7
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
    
    		1 | resource "aws_vpc" "main" {
    		2 |   cidr_block = "10.0.0.0/16"
    		3 | 
    		4 |   tags = {
    		5 |     Name = "main"
    		6 |   }
    		7 | }
    
    Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/118/terraform/1-vpc.tf:1-10
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
    
    		1  | resource "aws_vpc" "main" {
    		2  |   cidr_block = "10.0.0.0/16"
    		3  | 
    		4  |   enable_dns_support   = true
    		5  |   enable_dns_hostnames = true
    		6  | 
    		7  |   tags = {
    		8  |     Name = "main"
    		9  |   }
    		10 | }
    
    Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/119/terraform/1-vpc.tf:1-10
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
    
    		1  | resource "aws_vpc" "main" {
    		2  |   cidr_block = "10.0.0.0/16"
    		3  | 
    		4  |   enable_dns_support   = true
    		5  |   enable_dns_hostnames = true
    		6  | 
    		7  |   tags = {
    		8  |     Name = "main"
    		9  |   }
    		10 | }
    
    Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/121/terraform/1-vpc.tf:1-10
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
    
    		1  | resource "aws_vpc" "main" {
    		2  |   cidr_block = "10.0.0.0/16"
    		3  | 
    		4  |   enable_dns_support   = true
    		5  |   enable_dns_hostnames = true
    		6  | 
    		7  |   tags = {
    		8  |     Name = "main"
    		9  |   }
    		10 | }
    
    Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/122/terraform/1-vpc.tf:2-11
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
    
    		2  | resource "aws_vpc" "main" {
    		3  |   cidr_block = "10.0.0.0/16"
    		4  | 
    		5  |   enable_dns_support   = true
    		6  |   enable_dns_hostnames = true
    		7  | 
    		8  |   tags = {
    		9  |     Name = "main"
    		10 |   }
    		11 | }
    
    Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/127/terraform/1-vpc.tf:1-7
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
    
    		1 | resource "aws_vpc" "main" {
    		2 |   cidr_block = "10.0.0.0/16"
    		3 | 
    		4 |   tags = {
    		5 |     Name = "main"
    		6 |   }
    		7 | }
    
    Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/130/terraform/1-vpc.tf:1-7
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
    
    		1 | resource "aws_vpc" "main" {
    		2 |   cidr_block = "10.0.0.0/16"
    		3 | 
    		4 |   tags = {
    		5 |     Name = "main"
    		6 |   }
    		7 | }
    
    Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/131/terraform/1-vpc.tf:1-7
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
    
    		1 | resource "aws_vpc" "main" {
    		2 |   cidr_block = "10.0.0.0/16"
    		3 | 
    		4 |   tags = {
    		5 |     Name = "main"
    		6 |   }
    		7 | }
    
    Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/133/terraform/1-vpc.tf:1-7
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
    
    		1 | resource "aws_vpc" "main" {
    		2 |   cidr_block = "10.0.0.0/16"
    		3 | 
    		4 |   tags = {
    		5 |     Name = "main"
    		6 |   }
    		7 | }
    
    Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/134/terraform/1-vpc.tf:1-7
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
    
    		1 | resource "aws_vpc" "main" {
    		2 |   cidr_block = "10.0.0.0/16"
    		3 | 
    		4 |   tags = {
    		5 |     Name = "main"
    		6 |   }
    		7 | }
    
    Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/135/terraform/1-vpc.tf:1-7
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
    
    		1 | resource "aws_vpc" "main" {
    		2 |   cidr_block = "10.0.0.0/16"
    		3 | 
    		4 |   tags = {
    		5 |     Name = "main"
    		6 |   }
    		7 | }
    
    Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/136/terraform/1-vpc.tf:1-7
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
    
    		1 | resource "aws_vpc" "main" {
    		2 |   cidr_block = "10.0.0.0/16"
    		3 | 
    		4 |   tags = {
    		5 |     Name = "main"
    		6 |   }
    		7 | }
    
    Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/138/terraform/01-vpc.tf:1-7
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
    
    		1 | resource "aws_vpc" "main" {
    		2 |   cidr_block = "10.0.0.0/16"
    		3 | 
    		4 |   tags = {
    		5 |     Name = "main"
    		6 |   }
    		7 | }
    
    Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/139/0-terraform/1-vpc.tf:1-7
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
    
    		1 | resource "aws_vpc" "main" {
    		2 |   cidr_block = "10.0.0.0/16"
    		3 | 
    		4 |   tags = {
    		5 |     Name = "main"
    		6 |   }
    		7 | }
    
    Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/140/terraform/1-vpc.tf:1-7
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
    
    		1 | resource "aws_vpc" "main" {
    		2 |   cidr_block = "10.0.0.0/16"
    		3 | 
    		4 |   tags = {
    		5 |     Name = "main"
    		6 |   }
    		7 | }
    
    Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/142/terraform/1-vpc.tf:1-7
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
    
    		1 | resource "aws_vpc" "main" {
    		2 |   cidr_block = "10.0.0.0/16"
    		3 | 
    		4 |   tags = {
    		5 |     Name = "main"
    		6 |   }
    		7 | }
    
    Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/143/terraform/1-vpc.tf:1-7
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
    
    		1 | resource "aws_vpc" "main" {
    		2 |   cidr_block = "10.0.0.0/16"
    		3 | 
    		4 |   tags = {
    		5 |     Name = "main"
    		6 |   }
    		7 | }
    
    Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/144/terraform/1-vpc.tf:1-10
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
    
    		1  | resource "aws_vpc" "main" {
    		2  |   cidr_block = "10.0.0.0/16"
    		3  | 
    		4  |   enable_dns_support   = true
    		5  |   enable_dns_hostnames = true
    		6  | 
    		7  |   tags = {
    		8  |     Name = "main"
    		9  |   }
    		10 | }
    
    Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/145/terraform/1-vpc.tf:1-10
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
    
    		1  | resource "aws_vpc" "main" {
    		2  |   cidr_block = "10.0.0.0/16"
    		3  | 
    		4  |   enable_dns_support   = true
    		5  |   enable_dns_hostnames = true
    		6  | 
    		7  |   tags = {
    		8  |     Name = "main"
    		9  |   }
    		10 | }
    
    Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/146/terraform/1-vpc.tf:1-10
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
    
    		1  | resource "aws_vpc" "main" {
    		2  |   cidr_block = "10.0.0.0/16"
    		3  | 
    		4  |   enable_dns_support   = true
    		5  |   enable_dns_hostnames = true
    		6  | 
    		7  |   tags = {
    		8  |     Name = "main"
    		9  |   }
    		10 | }
    
    Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/147/terraform/1-vpc.tf:1-10
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
    
    		1  | resource "aws_vpc" "main" {
    		2  |   cidr_block = "10.0.0.0/16"
    		3  | 
    		4  |   enable_dns_support   = true
    		5  |   enable_dns_hostnames = true
    		6  | 
    		7  |   tags = {
    		8  |     Name = "main"
    		9  |   }
    		10 | }
    
    Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/149/terraform/1-vpc.tf:1-10
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
    
    		1  | resource "aws_vpc" "main" {
    		2  |   cidr_block = "10.0.0.0/16"
    		3  | 
    		4  |   enable_dns_support   = true
    		5  |   enable_dns_hostnames = true
    		6  | 
    		7  |   tags = {
    		8  |     Name = "main"
    		9  |   }
    		10 | }
    
    Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/150/terraform/1-vpc.tf:1-10
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
    
    		1  | resource "aws_vpc" "main" {
    		2  |   cidr_block = "10.0.0.0/16"
    		3  | 
    		4  |   enable_dns_support   = true
    		5  |   enable_dns_hostnames = true
    		6  | 
    		7  |   tags = {
    		8  |     Name = "main"
    		9  |   }
    		10 | }
    
    Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/151/terraform/1-vpc.tf:1-10
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
    
    		1  | resource "aws_vpc" "main" {
    		2  |   cidr_block = "10.0.0.0/16"
    		3  | 
    		4  |   enable_dns_support   = true
    		5  |   enable_dns_hostnames = true
    		6  | 
    		7  |   tags = {
    		8  |     Name = "main"
    		9  |   }
    		10 | }
    
    Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/152/terraform/1-vpc.tf:1-10
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
    
    		1  | resource "aws_vpc" "main" {
    		2  |   cidr_block = "10.0.0.0/16"
    		3  | 
    		4  |   enable_dns_support   = true
    		5  |   enable_dns_hostnames = true
    		6  | 
    		7  |   tags = {
    		8  |     Name = "main"
    		9  |   }
    		10 | }
    
    Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/153/terraform/1-vpc.tf:1-10
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
    
    		1  | resource "aws_vpc" "main" {
    		2  |   cidr_block = "10.0.0.0/16"
    		3  | 
    		4  |   enable_dns_support   = true
    		5  |   enable_dns_hostnames = true
    		6  | 
    		7  |   tags = {
    		8  |     Name = "main"
    		9  |   }
    		10 | }
    
    Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/154/terraform/1-vpc.tf:1-10
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
    
    		1  | resource "aws_vpc" "main" {
    		2  |   cidr_block = "10.0.0.0/16"
    		3  | 
    		4  |   enable_dns_support   = true
    		5  |   enable_dns_hostnames = true
    		6  | 
    		7  |   tags = {
    		8  |     Name = "main"
    		9  |   }
    		10 | }
    
    Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/155/eks-terraform/1-vpc.tf:1-10
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
    
    		1  | resource "aws_vpc" "main" {
    		2  |   cidr_block = "10.0.0.0/16"
    		3  | 
    		4  |   enable_dns_support   = true
    		5  |   enable_dns_hostnames = true
    		6  | 
    		7  |   tags = {
    		8  |     Name = "main"
    		9  |   }
    		10 | }
    
    Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/156/terraform/1-vpc.tf:1-10
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
    
    		1  | resource "aws_vpc" "main" {
    		2  |   cidr_block = "10.0.0.0/16"
    		3  | 
    		4  |   enable_dns_support   = true
    		5  |   enable_dns_hostnames = true
    		6  | 
    		7  |   tags = {
    		8  |     Name = "main"
    		9  |   }
    		10 | }
    
    Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
    	FAILED for resource: aws_vpc.this
    	File: /lessons/160/git-infrastructure-modules/vpc/1-vpc.tf:1-10
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
    
    		1  | resource "aws_vpc" "this" {
    		2  |   cidr_block = var.vpc_cidr_block
    		3  | 
    		4  |   enable_dns_support   = true
    		5  |   enable_dns_hostnames = true
    		6  | 
    		7  |   tags = {
    		8  |     Name = "${var.env}-main"
    		9  |   }
    		10 | }
    
    Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/160/infrastructure-live-v1/dev/vpc/1-vpc.tf:1-10
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
    
    		1  | resource "aws_vpc" "main" {
    		2  |   cidr_block = "10.0.0.0/16"
    		3  | 
    		4  |   enable_dns_support   = true
    		5  |   enable_dns_hostnames = true
    		6  | 
    		7  |   tags = {
    		8  |     Name = "dev-main"
    		9  |   }
    		10 | }
    
    Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/160/infrastructure-live-v1/staging/vpc/1-vpc.tf:1-10
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
    
    		1  | resource "aws_vpc" "main" {
    		2  |   cidr_block = "10.0.0.0/16"
    		3  | 
    		4  |   enable_dns_support   = true
    		5  |   enable_dns_hostnames = true
    		6  | 
    		7  |   tags = {
    		8  |     Name = "staging-main"
    		9  |   }
    		10 | }
    
    Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
    	FAILED for resource: module.vpc.aws_vpc.this
    	File: /lessons/160/infrastructure-modules/vpc/1-vpc.tf:1-10
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
    
    		1  | resource "aws_vpc" "this" {
    		2  |   cidr_block = var.vpc_cidr_block
    		3  | 
    		4  |   enable_dns_support   = true
    		5  |   enable_dns_hostnames = true
    		6  | 
    		7  |   tags = {
    		8  |     Name = "${var.env}-main"
    		9  |   }
    		10 | }
    
    Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/161/0-intro/declarative.tf:1-7
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
    
    		1 | resource "aws_vpc" "main" {
    		2 |   cidr_block = "10.0.0.0/16"
    		3 | 
    		4 |   tags = {
    		5 |     Name = "staging-main"
    		6 |   }
    		7 | }
    
    Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/161/1-loop/1-count/vpc.tf:1-3
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
    
    		1 | resource "aws_vpc" "main" {
    		2 |   cidr_block = "10.0.0.0/16"
    		3 | }
    
    Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/161/1-loop/2-for_each/vpc.tf:1-3
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
    
    		1 | resource "aws_vpc" "main" {
    		2 |   cidr_block = "10.0.0.0/16"
    		3 | }
    
    Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/161/2-conditionals/2-if-else/vpc.tf:1-3
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
    
    		1 | resource "aws_vpc" "main" {
    		2 |   cidr_block = "10.0.0.0/16"
    		3 | }
    
    Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
    	FAILED for resource: module.vpcs.aws_vpc.main
    	File: /lessons/161/modules/vpc/main.tf:1-7
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
    
    		1 | resource "aws_vpc" "main" {
    		2 |   cidr_block = "10.0.0.0/16"
    		3 | 
    		4 |   tags = {
    		5 |     Name = "main"
    		6 |   }
    		7 | }
    
    Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
    	FAILED for resource: module.vpcs.aws_vpc.database[0]
    	File: /lessons/161/modules/vpc/main.tf:9-17
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
    
    		9  | resource "aws_vpc" "database" {
    		10 |   count = var.enable_database_vpc ? 1 : 0
    		11 | 
    		12 |   cidr_block = "10.1.0.0/16"
    		13 | 
    		14 |   tags = {
    		15 |     Name = "database"
    		16 |   }
    		17 | }
    
    Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/175/terraform/2-vpc.tf:1-10
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
    
    		1  | resource "aws_vpc" "main" {
    		2  |   cidr_block = "10.0.0.0/16"
    		3  | 
    		4  |   enable_dns_support   = true
    		5  |   enable_dns_hostnames = true
    		6  | 
    		7  |   tags = {
    		8  |     Name = "${local.env}-main"
    		9  |   }
    		10 | }
    
    Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
    	FAILED for resource: aws_lb_listener.app
    	File: /lessons/063/main.tf:77-102
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-43.html
    
    		77  | resource "aws_lb_listener" "app" {
    		78  |   load_balancer_arn = aws_lb.app.arn
    		79  |   port              = "80"
    		80  |   protocol          = "HTTP"
    		81  | 
    		82  |   default_action {
    		83  |     type = "forward"
    		84  |     # target_group_arn = aws_lb_target_group.blue.arn
    		85  |     forward {
    		86  |       target_group {
    		87  |         arn    = aws_lb_target_group.blue.arn
    		88  |         weight = lookup(local.traffic_dist_map[var.traffic_distribution], "blue", 100)
    		89  |       }
    		90  | 
    		91  |       target_group {
    		92  |         arn    = aws_lb_target_group.green.arn
    		93  |         weight = lookup(local.traffic_dist_map[var.traffic_distribution], "green", 0)
    		94  |       }
    		95  | 
    		96  |       stickiness {
    		97  |         enabled  = false
    		98  |         duration = 1
    		99  |       }
    		100 |     }
    		101 |   }
    		102 | }
    
    Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
    	FAILED for resource: aws_lb_listener.http_eg1
    	File: /lessons/127/terraform/6-example-1.tf:145-154
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-43.html
    
    		145 | resource "aws_lb_listener" "http_eg1" {
    		146 |   load_balancer_arn = aws_lb.my_app_eg1.arn
    		147 |   port              = "80"
    		148 |   protocol          = "HTTP"
    		149 | 
    		150 |   default_action {
    		151 |     type             = "forward"
    		152 |     target_group_arn = aws_lb_target_group.my_app_eg1.arn
    		153 |   }
    		154 | }
    
    Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
    	FAILED for resource: aws_lb_listener.my_app_eg2_tls
    	File: /lessons/127/terraform/7-example-2.tf:218-231
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-43.html
    
    		218 | resource "aws_lb_listener" "my_app_eg2_tls" {
    		219 |   load_balancer_arn = aws_lb.my_app_eg2.arn
    		220 |   port              = "443"
    		221 |   protocol          = "HTTPS"
    		222 |   certificate_arn   = aws_acm_certificate.api.arn
    		223 |   ssl_policy        = "ELBSecurityPolicy-2016-08"
    		224 | 
    		225 |   default_action {
    		226 |     type             = "forward"
    		227 |     target_group_arn = aws_lb_target_group.my_app_eg2.arn
    		228 |   }
    		229 | 
    		230 |   depends_on = [aws_acm_certificate_validation.api]
    		231 | }
    
    Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
    	FAILED for resource: aws_lb_listener.http
    	File: /lessons/164/main.tf:87-102
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-43.html
    
    		87  | resource "aws_lb_listener" "http" {
    		88  |   load_balancer_arn = aws_lb.example.arn
    		89  |   port              = 80
    		90  |   protocol          = "HTTP"
    		91  | 
    		92  |   # By default, it just shows a simple 404 page
    		93  |   default_action {
    		94  |     type = "fixed-response"
    		95  | 
    		96  |     fixed_response {
    		97  |       content_type = "text/plain"
    		98  |       message_body = "404: page not found"
    		99  |       status_code  = 404
    		100 |     }
    		101 |   }
    		102 | }
    
    Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF"
    	FAILED for resource: aws_lb.app
    	File: /lessons/063/main.tf:64-73
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf.html
    
    		64 | resource "aws_lb" "app" {
    		65 |   name               = "app-lb"
    		66 |   internal           = false
    		67 |   load_balancer_type = "application"
    		68 |   subnets = [
    		69 |     local.public_a_subnet_id,
    		70 |     local.public_b_subnet_id
    		71 |   ]
    		72 |   security_groups = [aws_security_group.web.id]
    		73 | }
    
    Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF"
    	FAILED for resource: aws_lb.my_app_eg1
    	File: /lessons/127/terraform/6-example-1.tf:127-143
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf.html
    
    		127 | resource "aws_lb" "my_app_eg1" {
    		128 |   name               = "my-app-eg1"
    		129 |   internal           = false
    		130 |   load_balancer_type = "application"
    		131 |   security_groups    = [aws_security_group.alb_eg1.id]
    		132 | 
    		133 |   # access_logs {
    		134 |   #   bucket  = "my-logs"
    		135 |   #   prefix  = "my-app-lb"
    		136 |   #   enabled = true
    		137 |   # }
    		138 | 
    		139 |   subnets = [
    		140 |     aws_subnet.public_us_east_1a.id,
    		141 |     aws_subnet.public_us_east_1b.id
    		142 |   ]
    		143 | }
    
    Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF"
    	FAILED for resource: aws_lb.my_app_eg2
    	File: /lessons/127/terraform/7-example-2.tf:141-151
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf.html
    
    		141 | resource "aws_lb" "my_app_eg2" {
    		142 |   name               = "my-app-eg2"
    		143 |   internal           = false
    		144 |   load_balancer_type = "application"
    		145 |   security_groups    = [aws_security_group.alb_eg2.id]
    		146 | 
    		147 |   subnets = [
    		148 |     aws_subnet.public_us_east_1a.id,
    		149 |     aws_subnet.public_us_east_1b.id
    		150 |   ]
    		151 | }
    
    Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF"
    	FAILED for resource: aws_lb.example
    	File: /lessons/164/main.tf:80-85
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf.html
    
    		80 | resource "aws_lb" "example" {
    		81 |   name               = "web"
    		82 |   load_balancer_type = "application"
    		83 |   subnets            = data.aws_subnets.default.ids
    		84 |   security_groups    = [aws_security_group.alb.id]
    		85 | }
    
    Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
    	FAILED for resource: aws_s3_bucket.lambda_bucket
    	File: /lessons/115/terraform/1-lambda-bucket.tf:6-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
    
    		6 | resource "aws_s3_bucket" "lambda_bucket" {
    		7 |   bucket        = random_pet.lambda_bucket_name.id
    		8 |   force_destroy = true
    		9 | }
    
    Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
    	FAILED for resource: aws_s3_bucket.test
    	File: /lessons/115/terraform/5-test-bucket.tf:6-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
    
    		6 | resource "aws_s3_bucket" "test" {
    		7 |   bucket        = random_pet.test_bucket_name.id
    		8 |   force_destroy = true
    		9 | }
    
    Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
    	FAILED for resource: aws_s3_bucket.lambda_bucket
    	File: /lessons/117/terraform/2-lambda-bucket.tf:6-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
    
    		6 | resource "aws_s3_bucket" "lambda_bucket" {
    		7 |   bucket        = random_pet.lambda_bucket_name.id
    		8 |   force_destroy = true
    		9 | }
    
    Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
    	FAILED for resource: aws_s3_bucket.lambda_bucket
    	File: /lessons/122/terraform/8-lambda-bucket.tf:8-11
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
    
    		8  | resource "aws_s3_bucket" "lambda_bucket" {
    		9  |   bucket        = random_pet.lambda_bucket_name.id
    		10 |   force_destroy = true
    		11 | }
    
    Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
    	FAILED for resource: aws_s3_bucket.lambda_bucket
    	File: /lessons/124/terraform/1-lambda-bucket.tf:8-11
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
    
    		8  | resource "aws_s3_bucket" "lambda_bucket" {
    		9  |   bucket        = random_pet.lambda_bucket_name.id
    		10 |   force_destroy = true
    		11 | }
    
    Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
    	FAILED for resource: aws_s3_bucket.images_bucket
    	File: /lessons/124/terraform/2-images-bucket.tf:8-11
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
    
    		8  | resource "aws_s3_bucket" "images_bucket" {
    		9  |   bucket        = random_pet.images_bucket_name.id
    		10 |   force_destroy = true
    		11 | }
    
    Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
    	FAILED for resource: aws_s3_bucket.lambda_bucket
    	File: /lessons/126/terraform/1-lambda-bucket.tf:8-11
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
    
    		8  | resource "aws_s3_bucket" "lambda_bucket" {
    		9  |   bucket        = random_pet.lambda_bucket_name.id
    		10 |   force_destroy = true
    		11 | }
    
    Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
    	FAILED for resource: aws_s3_bucket.images_bucket
    	File: /lessons/126/terraform/2-images-bucket.tf:8-11
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
    
    		8  | resource "aws_s3_bucket" "images_bucket" {
    		9  |   bucket        = random_pet.images_bucket_name.id
    		10 |   force_destroy = true
    		11 | }
    
    Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
    	FAILED for resource: aws_s3_bucket.lambda_bucket
    	File: /lessons/128/terraform/1-lambda-bucket.tf:8-11
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
    
    		8  | resource "aws_s3_bucket" "lambda_bucket" {
    		9  |   bucket        = random_pet.lambda_bucket_name.id
    		10 |   force_destroy = true
    		11 | }
    
    Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
    	FAILED for resource: aws_s3_bucket.images_bucket
    	File: /lessons/128/terraform/2-images-bucket.tf:7-10
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
    
    		7  | resource "aws_s3_bucket" "images_bucket" {
    		8  |   bucket        = "images-${random_id.server.hex}"
    		9  |   force_destroy = true
    		10 | }
    
    Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
    	FAILED for resource: aws_s3_bucket.functions
    	File: /lessons/129/terraform/1-aws-buckets.tf:2-5
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
    
    		2 | resource "aws_s3_bucket" "functions" {
    		3 |   bucket        = "functions-${random_id.lesson.hex}"
    		4 |   force_destroy = true
    		5 | }
    
    Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
    	FAILED for resource: aws_s3_bucket.images
    	File: /lessons/129/terraform/1-aws-buckets.tf:18-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
    
    		18 | resource "aws_s3_bucket" "images" {
    		19 |   bucket        = "images-${random_id.lesson.hex}"
    		20 |   force_destroy = true
    		21 | }
    
    Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
    	FAILED for resource: aws_s3_bucket.lambda_bucket
    	File: /lessons/131/terraform/11-lambda-bucket.tf:8-11
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
    
    		8  | resource "aws_s3_bucket" "lambda_bucket" {
    		9  |   bucket        = random_pet.lambda_bucket_name.id
    		10 |   force_destroy = true
    		11 | }
    
    Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
    	FAILED for resource: aws_security_group.vpc_link
    	File: /lessons/116/terraform/9-integration.tf:1-11
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html
    
    		1  | resource "aws_security_group" "vpc_link" {
    		2  |   name   = "vpc-link"
    		3  |   vpc_id = aws_vpc.main.id
    		4  | 
    		5  |   egress {
    		6  |     from_port        = 0
    		7  |     to_port          = 0
    		8  |     protocol         = "-1"
    		9  |     cidr_blocks      = ["0.0.0.0/0"]
    		10 |   }
    		11 | }
    
    Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
    	FAILED for resource: aws_security_group.web
    	File: /lessons/161/1-loop/1-count/sg.tf:1-18
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html
    
    		1  | resource "aws_security_group" "web" {
    		2  |   name   = "allow-web-access"
    		3  |   vpc_id = aws_vpc.main.id
    		4  | 
    		5  |   ingress {
    		6  |     from_port   = 80
    		7  |     to_port     = 80
    		8  |     protocol    = "tcp"
    		9  |     cidr_blocks = ["0.0.0.0/0"]
    		10 |   }
    		11 | 
    		12 |   ingress {
    		13 |     from_port   = 443
    		14 |     to_port     = 443
    		15 |     protocol    = "tcp"
    		16 |     cidr_blocks = ["0.0.0.0/0"]
    		17 |   }
    		18 | }
    
    Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
    	FAILED for resource: aws_security_group.vpc_link
    	File: /lessons/167/terraform/12-integration.tf:1-11
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html
    
    		1  | resource "aws_security_group" "vpc_link" {
    		2  |   name   = "vpc-link"
    		3  |   vpc_id = module.vpc.vpc_id
    		4  | 
    		5  |   egress {
    		6  |     from_port   = 0
    		7  |     to_port     = 0
    		8  |     protocol    = "-1"
    		9  |     cidr_blocks = ["0.0.0.0/0"]
    		10 |   }
    		11 | }
    
    Check: CKV2_AWS_39: "Ensure Domain Name System (DNS) query logging is enabled for Amazon Route 53 hosted zones"
    	FAILED for resource: aws_route53_zone.devops
    	File: /lessons/020/main.tf:163-166
    
    		163 | resource "aws_route53_zone" "devops" {
    		164 |   name    = "devopsbyexample.io"
    		165 |   comment = ""
    		166 | }
    
    Check: CKV2_AWS_39: "Ensure Domain Name System (DNS) query logging is enabled for Amazon Route 53 hosted zones"
    	FAILED for resource: aws_route53_zone.antonputra
    	File: /lessons/144/terraform/14.dns.tf:6-12
    
    		6  | resource "aws_route53_zone" "antonputra" {
    		7  |   name = "antonputra.pvt"
    		8  | 
    		9  |   vpc {
    		10 |     vpc_id = aws_vpc.main.id
    		11 |   }
    		12 | }
    
    Check: CKV2_AWS_39: "Ensure Domain Name System (DNS) query logging is enabled for Amazon Route 53 hosted zones"
    	FAILED for resource: aws_route53_zone.private
    	File: /lessons/145/terraform/13-private-dns.tf:6-12
    
    		6  | resource "aws_route53_zone" "private" {
    		7  |   name = local.private_route53_zone
    		8  | 
    		9  |   vpc {
    		10 |     vpc_id = aws_vpc.main.id
    		11 |   }
    		12 | }
    
    Check: CKV2_AWS_39: "Ensure Domain Name System (DNS) query logging is enabled for Amazon Route 53 hosted zones"
    	FAILED for resource: aws_route53_zone.antonputra_pvt
    	File: /lessons/146/terraform/14.dns.tf:2-8
    
    		2 | resource "aws_route53_zone" "antonputra_pvt" {
    		3 |   name = "antonputra.pvt"
    		4 | 
    		5 |   vpc {
    		6 |     vpc_id = aws_vpc.main.id
    		7 |   }
    		8 | }
    
    Check: CKV2_AWS_39: "Ensure Domain Name System (DNS) query logging is enabled for Amazon Route 53 hosted zones"
    	FAILED for resource: aws_route53_zone.private
    	File: /lessons/147/terraform/13-private-dns.tf:8-14
    
    		8  | resource "aws_route53_zone" "private" {
    		9  |   name = local.private_route53_zone
    		10 | 
    		11 |   vpc {
    		12 |     vpc_id = aws_vpc.main.id
    		13 |   }
    		14 | }
    
    Check: CKV2_AWS_39: "Ensure Domain Name System (DNS) query logging is enabled for Amazon Route 53 hosted zones"
    	FAILED for resource: aws_route53_zone.private
    	File: /lessons/149/terraform/13-private-dns.tf:6-12
    
    		6  | resource "aws_route53_zone" "private" {
    		7  |   name = local.private_route53_zone
    		8  | 
    		9  |   vpc {
    		10 |     vpc_id = aws_vpc.main.id
    		11 |   }
    		12 | }
    
    Check: CKV2_AWS_39: "Ensure Domain Name System (DNS) query logging is enabled for Amazon Route 53 hosted zones"
    	FAILED for resource: aws_route53_zone.private
    	File: /lessons/150/terraform/13-private-dns.tf:7-13
    
    		7  | resource "aws_route53_zone" "private" {
    		8  |   name = local.private_route53_zone
    		9  | 
    		10 |   vpc {
    		11 |     vpc_id = aws_vpc.main.id
    		12 |   }
    		13 | }
    
    Check: CKV2_AWS_39: "Ensure Domain Name System (DNS) query logging is enabled for Amazon Route 53 hosted zones"
    	FAILED for resource: aws_route53_zone.antonputra
    	File: /lessons/151/terraform/13.dns.tf:6-12
    
    		6  | resource "aws_route53_zone" "antonputra" {
    		7  |   name = "antonputra.pvt"
    		8  | 
    		9  |   vpc {
    		10 |     vpc_id = aws_vpc.main.id
    		11 |   }
    		12 | }
    
    Check: CKV2_AWS_39: "Ensure Domain Name System (DNS) query logging is enabled for Amazon Route 53 hosted zones"
    	FAILED for resource: aws_route53_zone.antonputra
    	File: /lessons/153/terraform/13.dns.tf:6-12
    
    		6  | resource "aws_route53_zone" "antonputra" {
    		7  |   name = "antonputra.pvt"
    		8  | 
    		9  |   vpc {
    		10 |     vpc_id = aws_vpc.main.id
    		11 |   }
    		12 | }
    
    Check: CKV2_AWS_20: "Ensure that ALB redirects HTTP requests into HTTPS ones"
    	FAILED for resource: aws_lb.app
    	File: /lessons/063/main.tf:64-73
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-redirects-http-requests-into-https-ones.html
    
    		64 | resource "aws_lb" "app" {
    		65 |   name               = "app-lb"
    		66 |   internal           = false
    		67 |   load_balancer_type = "application"
    		68 |   subnets = [
    		69 |     local.public_a_subnet_id,
    		70 |     local.public_b_subnet_id
    		71 |   ]
    		72 |   security_groups = [aws_security_group.web.id]
    		73 | }
    
    Check: CKV2_AWS_20: "Ensure that ALB redirects HTTP requests into HTTPS ones"
    	FAILED for resource: aws_lb.my_app_eg1
    	File: /lessons/127/terraform/6-example-1.tf:127-143
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-redirects-http-requests-into-https-ones.html
    
    		127 | resource "aws_lb" "my_app_eg1" {
    		128 |   name               = "my-app-eg1"
    		129 |   internal           = false
    		130 |   load_balancer_type = "application"
    		131 |   security_groups    = [aws_security_group.alb_eg1.id]
    		132 | 
    		133 |   # access_logs {
    		134 |   #   bucket  = "my-logs"
    		135 |   #   prefix  = "my-app-lb"
    		136 |   #   enabled = true
    		137 |   # }
    		138 | 
    		139 |   subnets = [
    		140 |     aws_subnet.public_us_east_1a.id,
    		141 |     aws_subnet.public_us_east_1b.id
    		142 |   ]
    		143 | }
    
    Check: CKV2_AWS_20: "Ensure that ALB redirects HTTP requests into HTTPS ones"
    	FAILED for resource: aws_lb.example
    	File: /lessons/164/main.tf:80-85
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-redirects-http-requests-into-https-ones.html
    
    		80 | resource "aws_lb" "example" {
    		81 |   name               = "web"
    		82 |   load_balancer_type = "application"
    		83 |   subnets            = data.aws_subnets.default.ids
    		84 |   security_groups    = [aws_security_group.alb.id]
    		85 | }
    
    Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
    	FAILED for resource: aws_s3_bucket.lambda_bucket
    	File: /lessons/115/terraform/1-lambda-bucket.tf:6-9
    
    		6 | resource "aws_s3_bucket" "lambda_bucket" {
    		7 |   bucket        = random_pet.lambda_bucket_name.id
    		8 |   force_destroy = true
    		9 | }
    
    Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
    	FAILED for resource: aws_s3_bucket.test
    	File: /lessons/115/terraform/5-test-bucket.tf:6-9
    
    		6 | resource "aws_s3_bucket" "test" {
    		7 |   bucket        = random_pet.test_bucket_name.id
    		8 |   force_destroy = true
    		9 | }
    
    Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
    	FAILED for resource: aws_s3_bucket.lambda_bucket
    	File: /lessons/117/terraform/2-lambda-bucket.tf:6-9
    
    		6 | resource "aws_s3_bucket" "lambda_bucket" {
    		7 |   bucket        = random_pet.lambda_bucket_name.id
    		8 |   force_destroy = true
    		9 | }
    
    Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
    	FAILED for resource: aws_s3_bucket.lambda_bucket
    	File: /lessons/122/terraform/8-lambda-bucket.tf:8-11
    
    		8  | resource "aws_s3_bucket" "lambda_bucket" {
    		9  |   bucket        = random_pet.lambda_bucket_name.id
    		10 |   force_destroy = true
    		11 | }
    
    Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
    	FAILED for resource: aws_s3_bucket.lambda_bucket
    	File: /lessons/124/terraform/1-lambda-bucket.tf:8-11
    
    		8  | resource "aws_s3_bucket" "lambda_bucket" {
    		9  |   bucket        = random_pet.lambda_bucket_name.id
    		10 |   force_destroy = true
    		11 | }
    
    Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
    	FAILED for resource: aws_s3_bucket.images_bucket
    	File: /lessons/124/terraform/2-images-bucket.tf:8-11
    
    		8  | resource "aws_s3_bucket" "images_bucket" {
    		9  |   bucket        = random_pet.images_bucket_name.id
    		10 |   force_destroy = true
    		11 | }
    
    Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
    	FAILED for resource: aws_s3_bucket.lambda_bucket
    	File: /lessons/126/terraform/1-lambda-bucket.tf:8-11
    
    		8  | resource "aws_s3_bucket" "lambda_bucket" {
    		9  |   bucket        = random_pet.lambda_bucket_name.id
    		10 |   force_destroy = true
    		11 | }
    
    Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
    	FAILED for resource: aws_s3_bucket.images_bucket
    	File: /lessons/126/terraform/2-images-bucket.tf:8-11
    
    		8  | resource "aws_s3_bucket" "images_bucket" {
    		9  |   bucket        = random_pet.images_bucket_name.id
    		10 |   force_destroy = true
    		11 | }
    
    Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
    	FAILED for resource: aws_s3_bucket.lambda_bucket
    	File: /lessons/128/terraform/1-lambda-bucket.tf:8-11
    
    		8  | resource "aws_s3_bucket" "lambda_bucket" {
    		9  |   bucket        = random_pet.lambda_bucket_name.id
    		10 |   force_destroy = true
    		11 | }
    
    Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
    	FAILED for resource: aws_s3_bucket.images_bucket
    	File: /lessons/128/terraform/2-images-bucket.tf:7-10
    
    		7  | resource "aws_s3_bucket" "images_bucket" {
    		8  |   bucket        = "images-${random_id.server.hex}"
    		9  |   force_destroy = true
    		10 | }
    
    Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
    	FAILED for resource: aws_s3_bucket.functions
    	File: /lessons/129/terraform/1-aws-buckets.tf:2-5
    
    		2 | resource "aws_s3_bucket" "functions" {
    		3 |   bucket        = "functions-${random_id.lesson.hex}"
    		4 |   force_destroy = true
    		5 | }
    
    Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
    	FAILED for resource: aws_s3_bucket.images
    	File: /lessons/129/terraform/1-aws-buckets.tf:18-21
    
    		18 | resource "aws_s3_bucket" "images" {
    		19 |   bucket        = "images-${random_id.lesson.hex}"
    		20 |   force_destroy = true
    		21 | }
    
    Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
    	FAILED for resource: aws_s3_bucket.lambda_bucket
    	File: /lessons/131/terraform/11-lambda-bucket.tf:8-11
    
    		8  | resource "aws_s3_bucket" "lambda_bucket" {
    		9  |   bucket        = random_pet.lambda_bucket_name.id
    		10 |   force_destroy = true
    		11 | }
    
    Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
    	FAILED for resource: aws_s3_bucket.terraform_state
    	File: /lessons/165/1-example/main.tf:5-11
    
    		5  | resource "aws_s3_bucket" "terraform_state" {
    		6  |   bucket = "antonputra-terraform-state"
    		7  | 
    		8  |   lifecycle {
    		9  |     prevent_destroy = true
    		10 |   }
    		11 | }
    
    Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
    	FAILED for resource: aws_s3_bucket.terraform_state
    	File: /lessons/165/global/s3/main.tf:5-11
    
    		5  | resource "aws_s3_bucket" "terraform_state" {
    		6  |   bucket = "antonputra-terraform-state"
    		7  | 
    		8  |   lifecycle {
    		9  |     prevent_destroy = true
    		10 |   }
    		11 | }
    
    Check: CKV2_AWS_30: "Ensure Postgres RDS as aws_db_instance has Query Logging enabled"
    	FAILED for resource: aws_db_instance.mydb
    	File: /lessons/162/1-part/3-rds.tf:1-14
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-postgres-rds-has-query-logging-enabled.html
    
    		1  | resource "aws_db_instance" "mydb" {
    		2  |   db_name           = "mydb"
    		3  |   engine            = "postgres"
    		4  |   engine_version    = "15"
    		5  |   instance_class    = "db.t4g.micro"
    		6  |   allocated_storage = 10
    		7  | 
    		8  |   publicly_accessible  = true
    		9  |   skip_final_snapshot  = true
    		10 |   db_subnet_group_name = aws_db_subnet_group.public.name
    		11 | 
    		12 |   username = "root"
    		13 |   password = "devops123"
    		14 | }
    
    Check: CKV2_AWS_30: "Ensure Postgres RDS as aws_db_instance has Query Logging enabled"
    	FAILED for resource: aws_db_instance.mydb
    	File: /lessons/162/2-part/3-rds.tf:1-14
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-postgres-rds-has-query-logging-enabled.html
    
    		1  | resource "aws_db_instance" "mydb" {
    		2  |   db_name           = "mydb"
    		3  |   engine            = "postgres"
    		4  |   engine_version    = "15"
    		5  |   instance_class    = "db.t4g.micro"
    		6  |   allocated_storage = 10
    		7  | 
    		8  |   publicly_accessible  = true
    		9  |   skip_final_snapshot  = true
    		10 |   db_subnet_group_name = aws_db_subnet_group.public.name
    		11 | 
    		12 |   username = var.username
    		13 |   password = var.password
    		14 | }
    
    Check: CKV2_AWS_30: "Ensure Postgres RDS as aws_db_instance has Query Logging enabled"
    	FAILED for resource: aws_db_instance.mydb
    	File: /lessons/162/3-part/3-rds.tf:12-25
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-postgres-rds-has-query-logging-enabled.html
    
    		12 | resource "aws_db_instance" "mydb" {
    		13 |   db_name           = "mydb"
    		14 |   engine            = "postgres"
    		15 |   engine_version    = "15"
    		16 |   instance_class    = "db.t4g.micro"
    		17 |   allocated_storage = 10
    		18 | 
    		19 |   publicly_accessible  = true
    		20 |   skip_final_snapshot  = true
    		21 |   db_subnet_group_name = aws_db_subnet_group.public.name
    		22 | 
    		23 |   username = local.db_creds.username
    		24 |   password = local.db_creds.password
    		25 | }
    
    Check: CKV2_AWS_30: "Ensure Postgres RDS as aws_db_instance has Query Logging enabled"
    	FAILED for resource: aws_db_instance.mydb
    	File: /lessons/162/5-part/3-rds.tf:11-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-postgres-rds-has-query-logging-enabled.html
    
    		11 | resource "aws_db_instance" "mydb" {
    		12 |   db_name           = "mydb"
    		13 |   engine            = "postgres"
    		14 |   engine_version    = "15"
    		15 |   instance_class    = "db.t4g.micro"
    		16 |   allocated_storage = 10
    		17 | 
    		18 |   publicly_accessible  = true
    		19 |   skip_final_snapshot  = true
    		20 |   db_subnet_group_name = aws_db_subnet_group.public.name
    		21 | 
    		22 |   username = local.db_creds.username
    		23 |   password = local.db_creds.password
    		24 | }
    
    Check: CKV2_AWS_30: "Ensure Postgres RDS as aws_db_instance has Query Logging enabled"
    	FAILED for resource: aws_db_instance.mydb
    	File: /lessons/165/infra/main.tf:10-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-postgres-rds-has-query-logging-enabled.html
    
    		10 | resource "aws_db_instance" "mydb" {
    		11 |   db_name           = "mydb"
    		12 |   engine            = "postgres"
    		13 |   engine_version    = "15"
    		14 |   instance_class    = "db.t4g.micro"
    		15 |   allocated_storage = 10
    		16 | 
    		17 |   publicly_accessible = true
    		18 |   skip_final_snapshot = true
    		19 | 
    		20 |   username = "root"
    		21 |   password = "devops123"
    		22 | }
    
    Check: CKV2_AWS_30: "Ensure Postgres RDS as aws_db_instance has Query Logging enabled"
    	FAILED for resource: aws_db_instance.mydb
    	File: /lessons/165/staging/data-stores/postgres/main.tf:11-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-postgres-rds-has-query-logging-enabled.html
    
    		11 | resource "aws_db_instance" "mydb" {
    		12 |   db_name           = "mydb"
    		13 |   engine            = "postgres"
    		14 |   engine_version    = "15"
    		15 |   instance_class    = "db.t4g.micro"
    		16 |   allocated_storage = 10
    		17 | 
    		18 |   skip_final_snapshot = true
    		19 |   publicly_accessible = true
    		20 | 
    		21 |   username = var.username
    		22 |   password = var.password
    		23 | }
    
    Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
    	FAILED for resource: aws_s3_bucket.lambda_bucket
    	File: /lessons/115/terraform/1-lambda-bucket.tf:6-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
    
    		6 | resource "aws_s3_bucket" "lambda_bucket" {
    		7 |   bucket        = random_pet.lambda_bucket_name.id
    		8 |   force_destroy = true
    		9 | }
    
    Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
    	FAILED for resource: aws_s3_bucket.test
    	File: /lessons/115/terraform/5-test-bucket.tf:6-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
    
    		6 | resource "aws_s3_bucket" "test" {
    		7 |   bucket        = random_pet.test_bucket_name.id
    		8 |   force_destroy = true
    		9 | }
    
    Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
    	FAILED for resource: aws_s3_bucket.lambda_bucket
    	File: /lessons/117/terraform/2-lambda-bucket.tf:6-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
    
    		6 | resource "aws_s3_bucket" "lambda_bucket" {
    		7 |   bucket        = random_pet.lambda_bucket_name.id
    		8 |   force_destroy = true
    		9 | }
    
    Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
    	FAILED for resource: aws_s3_bucket.lambda_bucket
    	File: /lessons/122/terraform/8-lambda-bucket.tf:8-11
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
    
    		8  | resource "aws_s3_bucket" "lambda_bucket" {
    		9  |   bucket        = random_pet.lambda_bucket_name.id
    		10 |   force_destroy = true
    		11 | }
    
    Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
    	FAILED for resource: aws_s3_bucket.lambda_bucket
    	File: /lessons/124/terraform/1-lambda-bucket.tf:8-11
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
    
    		8  | resource "aws_s3_bucket" "lambda_bucket" {
    		9  |   bucket        = random_pet.lambda_bucket_name.id
    		10 |   force_destroy = true
    		11 | }
    
    Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
    	FAILED for resource: aws_s3_bucket.images_bucket
    	File: /lessons/124/terraform/2-images-bucket.tf:8-11
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
    
    		8  | resource "aws_s3_bucket" "images_bucket" {
    		9  |   bucket        = random_pet.images_bucket_name.id
    		10 |   force_destroy = true
    		11 | }
    
    Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
    	FAILED for resource: aws_s3_bucket.lambda_bucket
    	File: /lessons/126/terraform/1-lambda-bucket.tf:8-11
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
    
    		8  | resource "aws_s3_bucket" "lambda_bucket" {
    		9  |   bucket        = random_pet.lambda_bucket_name.id
    		10 |   force_destroy = true
    		11 | }
    
    Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
    	FAILED for resource: aws_s3_bucket.images_bucket
    	File: /lessons/126/terraform/2-images-bucket.tf:8-11
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
    
    		8  | resource "aws_s3_bucket" "images_bucket" {
    		9  |   bucket        = random_pet.images_bucket_name.id
    		10 |   force_destroy = true
    		11 | }
    
    Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
    	FAILED for resource: aws_s3_bucket.lambda_bucket
    	File: /lessons/128/terraform/1-lambda-bucket.tf:8-11
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
    
    		8  | resource "aws_s3_bucket" "lambda_bucket" {
    		9  |   bucket        = random_pet.lambda_bucket_name.id
    		10 |   force_destroy = true
    		11 | }
    
    Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
    	FAILED for resource: aws_s3_bucket.images_bucket
    	File: /lessons/128/terraform/2-images-bucket.tf:7-10
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
    
    		7  | resource "aws_s3_bucket" "images_bucket" {
    		8  |   bucket        = "images-${random_id.server.hex}"
    		9  |   force_destroy = true
    		10 | }
    
    Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
    	FAILED for resource: aws_s3_bucket.functions
    	File: /lessons/129/terraform/1-aws-buckets.tf:2-5
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
    
    		2 | resource "aws_s3_bucket" "functions" {
    		3 |   bucket        = "functions-${random_id.lesson.hex}"
    		4 |   force_destroy = true
    		5 | }
    
    Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
    	FAILED for resource: aws_s3_bucket.images
    	File: /lessons/129/terraform/1-aws-buckets.tf:18-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
    
    		18 | resource "aws_s3_bucket" "images" {
    		19 |   bucket        = "images-${random_id.lesson.hex}"
    		20 |   force_destroy = true
    		21 | }
    
    Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
    	FAILED for resource: aws_s3_bucket.lambda_bucket
    	File: /lessons/131/terraform/11-lambda-bucket.tf:8-11
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
    
    		8  | resource "aws_s3_bucket" "lambda_bucket" {
    		9  |   bucket        = random_pet.lambda_bucket_name.id
    		10 |   force_destroy = true
    		11 | }
    
    Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
    	FAILED for resource: aws_s3_bucket.terraform_state
    	File: /lessons/165/1-example/main.tf:5-11
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
    
    		5  | resource "aws_s3_bucket" "terraform_state" {
    		6  |   bucket = "antonputra-terraform-state"
    		7  | 
    		8  |   lifecycle {
    		9  |     prevent_destroy = true
    		10 |   }
    		11 | }
    
    Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
    	FAILED for resource: aws_s3_bucket.terraform_state
    	File: /lessons/165/global/s3/main.tf:5-11
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
    
    		5  | resource "aws_s3_bucket" "terraform_state" {
    		6  |   bucket = "antonputra-terraform-state"
    		7  | 
    		8  |   lifecycle {
    		9  |     prevent_destroy = true
    		10 |   }
    		11 | }
    
    Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
    	FAILED for resource: aws_s3_bucket.lambda_bucket
    	File: /lessons/115/terraform/1-lambda-bucket.tf:6-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
    
    		6 | resource "aws_s3_bucket" "lambda_bucket" {
    		7 |   bucket        = random_pet.lambda_bucket_name.id
    		8 |   force_destroy = true
    		9 | }
    
    Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
    	FAILED for resource: aws_s3_bucket.test
    	File: /lessons/115/terraform/5-test-bucket.tf:6-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
    
    		6 | resource "aws_s3_bucket" "test" {
    		7 |   bucket        = random_pet.test_bucket_name.id
    		8 |   force_destroy = true
    		9 | }
    
    Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
    	FAILED for resource: aws_s3_bucket.lambda_bucket
    	File: /lessons/117/terraform/2-lambda-bucket.tf:6-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
    
    		6 | resource "aws_s3_bucket" "lambda_bucket" {
    		7 |   bucket        = random_pet.lambda_bucket_name.id
    		8 |   force_destroy = true
    		9 | }
    
    Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
    	FAILED for resource: aws_s3_bucket.lambda_bucket
    	File: /lessons/122/terraform/8-lambda-bucket.tf:8-11
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
    
    		8  | resource "aws_s3_bucket" "lambda_bucket" {
    		9  |   bucket        = random_pet.lambda_bucket_name.id
    		10 |   force_destroy = true
    		11 | }
    
    Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
    	FAILED for resource: aws_s3_bucket.lambda_bucket
    	File: /lessons/124/terraform/1-lambda-bucket.tf:8-11
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
    
    		8  | resource "aws_s3_bucket" "lambda_bucket" {
    		9  |   bucket        = random_pet.lambda_bucket_name.id
    		10 |   force_destroy = true
    		11 | }
    
    Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
    	FAILED for resource: aws_s3_bucket.images_bucket
    	File: /lessons/124/terraform/2-images-bucket.tf:8-11
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
    
    		8  | resource "aws_s3_bucket" "images_bucket" {
    		9  |   bucket        = random_pet.images_bucket_name.id
    		10 |   force_destroy = true
    		11 | }
    
    Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
    	FAILED for resource: aws_s3_bucket.lambda_bucket
    	File: /lessons/126/terraform/1-lambda-bucket.tf:8-11
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
    
    		8  | resource "aws_s3_bucket" "lambda_bucket" {
    		9  |   bucket        = random_pet.lambda_bucket_name.id
    		10 |   force_destroy = true
    		11 | }
    
    Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
    	FAILED for resource: aws_s3_bucket.images_bucket
    	File: /lessons/126/terraform/2-images-bucket.tf:8-11
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
    
    		8  | resource "aws_s3_bucket" "images_bucket" {
    		9  |   bucket        = random_pet.images_bucket_name.id
    		10 |   force_destroy = true
    		11 | }
    
    Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
    	FAILED for resource: aws_s3_bucket.lambda_bucket
    	File: /lessons/128/terraform/1-lambda-bucket.tf:8-11
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
    
    		8  | resource "aws_s3_bucket" "lambda_bucket" {
    		9  |   bucket        = random_pet.lambda_bucket_name.id
    		10 |   force_destroy = true
    		11 | }
    
    Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
    	FAILED for resource: aws_s3_bucket.images_bucket
    	File: /lessons/128/terraform/2-images-bucket.tf:7-10
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
    
    		7  | resource "aws_s3_bucket" "images_bucket" {
    		8  |   bucket        = "images-${random_id.server.hex}"
    		9  |   force_destroy = true
    		10 | }
    
    Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
    	FAILED for resource: aws_s3_bucket.functions
    	File: /lessons/129/terraform/1-aws-buckets.tf:2-5
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
    
    		2 | resource "aws_s3_bucket" "functions" {
    		3 |   bucket        = "functions-${random_id.lesson.hex}"
    		4 |   force_destroy = true
    		5 | }
    
    Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
    	FAILED for resource: aws_s3_bucket.images
    	File: /lessons/129/terraform/1-aws-buckets.tf:18-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
    
    		18 | resource "aws_s3_bucket" "images" {
    		19 |   bucket        = "images-${random_id.lesson.hex}"
    		20 |   force_destroy = true
    		21 | }
    
    Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
    	FAILED for resource: aws_s3_bucket.lambda_bucket
    	File: /lessons/131/terraform/11-lambda-bucket.tf:8-11
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
    
    		8  | resource "aws_s3_bucket" "lambda_bucket" {
    		9  |   bucket        = random_pet.lambda_bucket_name.id
    		10 |   force_destroy = true
    		11 | }
    
    Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
    	FAILED for resource: aws_s3_bucket.terraform_state
    	File: /lessons/165/1-example/main.tf:5-11
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
    
    		5  | resource "aws_s3_bucket" "terraform_state" {
    		6  |   bucket = "antonputra-terraform-state"
    		7  | 
    		8  |   lifecycle {
    		9  |     prevent_destroy = true
    		10 |   }
    		11 | }
    
    Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
    	FAILED for resource: aws_s3_bucket.terraform_state
    	File: /lessons/165/global/s3/main.tf:5-11
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
    
    		5  | resource "aws_s3_bucket" "terraform_state" {
    		6  |   bucket = "antonputra-terraform-state"
    		7  | 
    		8  |   lifecycle {
    		9  |     prevent_destroy = true
    		10 |   }
    		11 | }
    
    Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
    	FAILED for resource: aws_instance.nginx
    	File: /lessons/014/main.tf:39-60
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
    
    		39 | resource "aws_instance" "nginx" {
    		40 |   ami                         = "ami-0dba2cb6798deb6d8"
    		41 |   subnet_id                   = "subnet-060a1ae52cf0a73d6"
    		42 |   instance_type               = "t2.micro"
    		43 |   associate_public_ip_address = true
    		44 |   security_groups             = [aws_security_group.nginx.id]
    		45 |   key_name                    = local.key_name
    		46 | 
    		47 |   provisioner "remote-exec" {
    		48 |     inline = ["echo 'Wait until SSH is ready'"]
    		49 | 
    		50 |     connection {
    		51 |       type        = "ssh"
    		52 |       user        = local.ssh_user
    		53 |       private_key = file(local.private_key_path)
    		54 |       host        = aws_instance.nginx.public_ip
    		55 |     }
    		56 |   }
    		57 |   provisioner "local-exec" {
    		58 |     command = "ansible-playbook  -i ${aws_instance.nginx.public_ip}, --private-key ${local.private_key_path} nginx.yaml"
    		59 |   }
    		60 | }
    
    Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
    	FAILED for resource: aws_instance.nginx
    	File: /lessons/020/main.tf:149-158
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
    
    		149 | resource "aws_instance" "nginx" {
    		150 |   ami                    = "ami-0dba2cb6798deb6d8"
    		151 |   instance_type          = "t2.micro"
    		152 |   vpc_security_group_ids = [aws_security_group.nginx.id]
    		153 |   key_name               = "devops"
    		154 | 
    		155 |   tags = {
    		156 |     Name = "Nginx"
    		157 |   }
    		158 | }
    
    Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
    	FAILED for resource: aws_instance.server
    	File: /lessons/040/main.tf:4-15
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
    
    		4  | resource "aws_instance" "server" {
    		5  |   # The AMI to use for the instance.
    		6  |   ami = var.ami
    		7  | 
    		8  |   # The type of instance to start.
    		9  |   instance_type = "t2.micro"
    		10 | 
    		11 |   lifecycle {
    		12 |     create_before_destroy = true
    		13 |     ignore_changes        = [tags]
    		14 |   }
    		15 | }
    
    Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
    	FAILED for resource: aws_instance.ubuntu
    	File: /lessons/053/infra-2/main.tf:20-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
    
    		20 | resource "aws_instance" "ubuntu" {
    		21 |   ami           = "ami-013f17f36f8b1fefb"
    		22 |   instance_type = "t3.micro"
    		23 |   subnet_id     = "subnet-07fc2d0816e1f6100"
    		24 | }
    
    Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
    	FAILED for resource: aws_instance.blue[0]
    	File: /lessons/063/blue.tf:3-18
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
    
    		3  | resource "aws_instance" "blue" {
    		4  |   count = var.enable_blue_env ? var.blue_instance_count : 0
    		5  | 
    		6  |   ami                    = local.ubuntu_ami
    		7  |   instance_type          = "t2.micro"
    		8  |   subnet_id              = local.private_a_subnet_id
    		9  |   vpc_security_group_ids = [aws_security_group.web.id]
    		10 | 
    		11 |   user_data = templatefile("./init-script.sh", {
    		12 |     file_content = "blue version 1.2 - ${count.index}"
    		13 |   })
    		14 | 
    		15 |   tags = {
    		16 |     Name = "blue version 1.2 - ${count.index}"
    		17 |   }
    		18 | }
    
    Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
    	FAILED for resource: aws_instance.green
    	File: /lessons/063/green.tf:3-18
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
    
    		3  | resource "aws_instance" "green" {
    		4  |   count = var.enable_green_env ? var.green_instance_count : 0
    		5  | 
    		6  |   ami                    = local.ubuntu_ami
    		7  |   instance_type          = "t2.micro"
    		8  |   subnet_id              = local.private_a_subnet_id
    		9  |   vpc_security_group_ids = [aws_security_group.web.id]
    		10 | 
    		11 |   user_data = templatefile("./init-script.sh", {
    		12 |     file_content = "green version 1.1 - ${count.index}"
    		13 |   })
    		14 | 
    		15 |   tags = {
    		16 |     Name = "green version 1.1 - ${count.index}"
    		17 |   }
    		18 | }
    
    Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
    	FAILED for resource: aws_instance.web
    	File: /lessons/104/terraform/5-ec2.tf:28-42
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
    
    		28 | resource "aws_instance" "web" {
    		29 |   ami           = data.aws_ami.ubuntu.id
    		30 |   instance_type = "t3.small"
    		31 | 
    		32 |   key_name = local.key_name
    		33 | 
    		34 |   network_interface {
    		35 |     network_interface_id = aws_network_interface.monitoring.id
    		36 |     device_index         = 0
    		37 |   }
    		38 | 
    		39 |   tags = {
    		40 |     Name = "monitoring"
    		41 |   }
    		42 | }
    
    Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
    	FAILED for resource: aws_instance.my-app-example-2
    	File: /lessons/118/terraform/10-ec2-example-2.tf:1-12
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
    
    		1  | resource "aws_instance" "my-app-example-2" {
    		2  |   ami           = "ami-0d5482f3cb962780f"
    		3  |   instance_type = "t3.micro"
    		4  |   key_name      = "devops"
    		5  |   subnet_id     = aws_subnet.private-us-east-1a.id
    		6  | 
    		7  |   vpc_security_group_ids = [aws_security_group.my-app-example-2.id]
    		8  | 
    		9  |   tags = {
    		10 |     Name = "my-app-example-2"
    		11 |   }
    		12 | }
    
    Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
    	FAILED for resource: aws_instance.my-app-example-1
    	File: /lessons/118/terraform/7-ec2-example-1.tf:1-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
    
    		1  | resource "aws_instance" "my-app-example-1" {
    		2  |   ami           = "ami-0d5482f3cb962780f"
    		3  |   instance_type = "t3.micro"
    		4  |   key_name      = "devops"
    		5  |   subnet_id     = aws_subnet.public-us-east-1a.id
    		6  | 
    		7  |   associate_public_ip_address = true
    		8  |   vpc_security_group_ids      = [aws_security_group.my-app-example-1.id]
    		9  | 
    		10 |   tags = {
    		11 |     Name = "my-app-example-1"
    		12 |   }
    		13 | }
    
    Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
    	FAILED for resource: aws_instance.my_server
    	File: /lessons/121/terraform/6-ec2.tf:38-51
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
    
    		38 | resource "aws_instance" "my_server" {
    		39 |   ami           = data.aws_ami.ubuntu.id
    		40 |   instance_type = "t3.micro"
    		41 | 
    		42 |   key_name               = "old-key"
    		43 |   subnet_id              = aws_subnet.public-us-east-1a.id
    		44 |   vpc_security_group_ids = [aws_security_group.my_server_ssh_access.id]
    		45 | 
    		46 |   associate_public_ip_address = true
    		47 | 
    		48 |   tags = {
    		49 |     Name = "My Server"
    		50 |   }
    		51 | }
    
    Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
    	FAILED for resource: aws_instance.my_server
    	File: /lessons/122/terraform/6-ec2.tf:41-56
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
    
    		41 | resource "aws_instance" "my_server" {
    		42 |   ami           = data.aws_ami.ubuntu.id
    		43 |   instance_type = "t3.micro"
    		44 | 
    		45 |   # create devops key pair manually before you run terraform
    		46 |   key_name = "devops"
    		47 | 
    		48 |   subnet_id              = aws_subnet.public_us_east_1a.id
    		49 |   vpc_security_group_ids = [aws_security_group.my_server_ssh_access.id]
    		50 | 
    		51 |   associate_public_ip_address = true
    		52 | 
    		53 |   tags = {
    		54 |     Name = "my-server"
    		55 |   }
    		56 | }
    
    Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
    	FAILED for resource: aws_instance.my_app_eg1["my-app-00"]
    	File: /lessons/127/terraform/6-example-1.tf:78-91
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
    
    		78 | resource "aws_instance" "my_app_eg1" {
    		79 |   for_each = local.web_servers
    		80 | 
    		81 |   ami           = "ami-07309549f34230bcd"
    		82 |   instance_type = each.value.machine_type
    		83 |   key_name      = "devops"
    		84 |   subnet_id     = each.value.subnet_id
    		85 | 
    		86 |   vpc_security_group_ids = [aws_security_group.ec2_eg1.id]
    		87 | 
    		88 |   tags = {
    		89 |     Name = each.key
    		90 |   }
    		91 | }
    
    Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
    	FAILED for resource: aws_instance.my_app
    	File: /lessons/130/terraform/12-ec2.tf:46-91
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
    
    		46 | resource "aws_instance" "my_app" {
    		47 |   ami                    = data.aws_ami.ubuntu.id
    		48 |   instance_type          = "t3.micro"
    		49 |   key_name               = "devops"
    		50 |   subnet_id              = aws_subnet.public_us_east_1a.id
    		51 |   vpc_security_group_ids = [aws_security_group.my_app.id]
    		52 | 
    		53 |   user_data = <> /etc/systemd/system/node_exporter.service
    		63 | [Unit]
    		64 | Description=Node Exporter
    		65 | Wants=network-online.target
    		66 | After=network-online.target
    		67 | 
    		68 | StartLimitIntervalSec=500
    		69 | StartLimitBurst=5
    		70 | 
    		71 | [Service]
    		72 | User=node_exporter
    		73 | Group=node_exporter
    		74 | Type=simple
    		75 | Restart=on-failure
    		76 | RestartSec=5s
    		77 | ExecStart=/usr/local/bin/node_exporter
    		78 | 
    		79 | [Install]
    		80 | WantedBy=multi-user.target
    		81 | EOT
    		82 | 
    		83 | systemctl enable node_exporter
    		84 | systemctl start node_exporter
    		85 | EOF
    		86 | 
    		87 |   tags = {
    		88 |     Name          = "My App"
    		89 |     node-exporter = "true"
    		90 |   }
    		91 | }
    
    Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
    	FAILED for resource: aws_instance.nginx
    	File: /lessons/146/terraform/10-nginx-ec2.tf:1-17
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
    
    		1  | resource "aws_instance" "nginx" {
    		2  |   ami           = data.aws_ami.ubuntu_jammy.id
    		3  |   key_name      = "devops"
    		4  |   instance_type = "t3a.small"
    		5  |   subnet_id     = aws_subnet.public_us_east_1a.id
    		6  | 
    		7  |   vpc_security_group_ids = [
    		8  |     aws_security_group.ssh.id,
    		9  |     aws_security_group.proxy.id
    		10 |   ]
    		11 | 
    		12 |   tags = {
    		13 |     Name          = "nginx.antonputra.pvt"
    		14 |     service       = "nginx"
    		15 |     node-exporter = "true"
    		16 |   }
    		17 | }
    
    Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
    	FAILED for resource: aws_instance.apache
    	File: /lessons/146/terraform/11-apache-ec2.tf:1-17
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
    
    		1  | resource "aws_instance" "apache" {
    		2  |   ami           = data.aws_ami.ubuntu_jammy.id
    		3  |   key_name      = "devops"
    		4  |   instance_type = "t3a.small"
    		5  |   subnet_id     = aws_subnet.public_us_east_1a.id
    		6  | 
    		7  |   vpc_security_group_ids = [
    		8  |     aws_security_group.ssh.id,
    		9  |     aws_security_group.proxy.id
    		10 |   ]
    		11 | 
    		12 |   tags = {
    		13 |     Name          = "apache.antonputra.pvt"
    		14 |     service       = "apache"
    		15 |     node-exporter = "true"
    		16 |   }
    		17 | }
    
    Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
    	FAILED for resource: aws_instance.client
    	File: /lessons/146/terraform/13-client.tf:1-17
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
    
    		1  | resource "aws_instance" "client" {
    		2  |   ami           = data.aws_ami.ubuntu_jammy.id
    		3  |   key_name      = "devops"
    		4  |   instance_type = "t3a.xlarge"
    		5  |   subnet_id     = aws_subnet.public_us_east_1a.id
    		6  | 
    		7  |   vpc_security_group_ids = [
    		8  |     aws_security_group.ssh.id,
    		9  |     aws_security_group.client.id
    		10 |   ]
    		11 | 
    		12 |   tags = {
    		13 |     Name          = "client.antonputra.pvt"
    		14 |     service       = "client"
    		15 |     node-exporter = "true"
    		16 |   }
    		17 | }
    
    Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
    	FAILED for resource: aws_instance.myapp
    	File: /lessons/146/terraform/9-myapp-ec2.tf:1-18
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
    
    		1  | resource "aws_instance" "myapp" {
    		2  |   ami           = data.aws_ami.ubuntu_jammy.id
    		3  |   key_name      = "devops"
    		4  |   instance_type = "t3a.large"
    		5  |   subnet_id     = aws_subnet.public_us_east_1a.id
    		6  | 
    		7  |   vpc_security_group_ids = [
    		8  |     aws_security_group.ssh.id,
    		9  |     aws_security_group.myapp.id
    		10 |   ]
    		11 | 
    		12 |   tags = {
    		13 |     Name          = "myapp-000.antonputra.pvt"
    		14 |     service       = "myapp"
    		15 |     node-exporter = "true"
    		16 |     rust-exporter = "true"
    		17 |   }
    		18 | }
    
    Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
    	FAILED for resource: aws_instance.client
    	File: /lessons/147/terraform/15-client.tf:38-53
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
    
    		38 | resource "aws_instance" "client" {
    		39 |   ami           = data.aws_ami.ubuntu_jammy.id
    		40 |   key_name      = "devops"
    		41 |   instance_type = "t3a.xlarge"
    		42 |   subnet_id     = aws_subnet.public_us_east_1a.id
    		43 | 
    		44 |   vpc_security_group_ids = [
    		45 |     aws_security_group.client.id
    		46 |   ]
    		47 | 
    		48 |   tags = {
    		49 |     Name          = "client.antonputra.pvt"
    		50 |     service       = "client"
    		51 |     node-exporter = "true"
    		52 |   }
    		53 | }
    
    Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
    	FAILED for resource: aws_instance.client
    	File: /lessons/149/terraform/15-client.tf:38-53
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
    
    		38 | resource "aws_instance" "client" {
    		39 |   ami           = data.aws_ami.ubuntu_jammy.id
    		40 |   key_name      = "devops"
    		41 |   instance_type = "t3a.xlarge"
    		42 |   subnet_id     = aws_subnet.public_us_east_1a.id
    		43 | 
    		44 |   vpc_security_group_ids = [
    		45 |     aws_security_group.client.id
    		46 |   ]
    		47 | 
    		48 |   tags = {
    		49 |     Name          = "client.antonputra.pvt"
    		50 |     service       = "client"
    		51 |     node-exporter = "true"
    		52 |   }
    		53 | }
    
    Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
    	FAILED for resource: aws_instance.client
    	File: /lessons/150/terraform/15-client.tf:38-53
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
    
    		38 | resource "aws_instance" "client" {
    		39 |   ami           = data.aws_ami.ubuntu_jammy.id
    		40 |   key_name      = "devops"
    		41 |   instance_type = "t3a.xlarge"
    		42 |   subnet_id     = aws_subnet.public_us_east_1a.id
    		43 | 
    		44 |   vpc_security_group_ids = [
    		45 |     aws_security_group.client.id
    		46 |   ]
    		47 | 
    		48 |   tags = {
    		49 |     Name          = "client.antonputra.pvt"
    		50 |     service       = "client"
    		51 |     node-exporter = "true"
    		52 |   }
    		53 | }
    
    Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
    	FAILED for resource: aws_instance.envoy
    	File: /lessons/151/terraform/10-envoy.tf:1-17
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
    
    		1  | resource "aws_instance" "envoy" {
    		2  |   ami           = data.aws_ami.ubuntu_jammy.id
    		3  |   instance_type = "m6a.large"
    		4  |   subnet_id     = aws_subnet.public_us_east_1a.id
    		5  |   key_name      = "devops" # TODO: update to yours
    		6  | 
    		7  |   vpc_security_group_ids = [
    		8  |     aws_security_group.proxy.id,
    		9  |     aws_security_group.ssh.id
    		10 |   ]
    		11 | 
    		12 |   tags = {
    		13 |     Name          = "envoy"
    		14 |     service       = "envoy"
    		15 |     node-exporter = "true"
    		16 |   }
    		17 | }
    
    Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
    	FAILED for resource: aws_instance.nginx
    	File: /lessons/151/terraform/11-nginx.tf:1-17
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
    
    		1  | resource "aws_instance" "nginx" {
    		2  |   ami           = data.aws_ami.ubuntu_jammy.id
    		3  |   instance_type = "m6a.large"
    		4  |   subnet_id     = aws_subnet.public_us_east_1a.id
    		5  |   key_name      = "devops" # TODO: update to yours
    		6  | 
    		7  |   vpc_security_group_ids = [
    		8  |     aws_security_group.proxy.id,
    		9  |     aws_security_group.ssh.id
    		10 |   ]
    		11 | 
    		12 |   tags = {
    		13 |     Name          = "nginx"
    		14 |     service       = "nginx"
    		15 |     node-exporter = "true"
    		16 |   }
    		17 | }
    
    Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
    	FAILED for resource: aws_instance.myapp
    	File: /lessons/151/terraform/8-myapp.tf:1-17
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
    
    		1  | resource "aws_instance" "myapp" {
    		2  |   ami           = data.aws_ami.ubuntu_jammy.id
    		3  |   instance_type = "m6a.xlarge"
    		4  |   subnet_id     = aws_subnet.public_us_east_1a.id
    		5  |   key_name      = "devops" # TODO: update to yours
    		6  | 
    		7  |   vpc_security_group_ids = [
    		8  |     aws_security_group.myapp.id,
    		9  |     aws_security_group.ssh.id
    		10 |   ]
    		11 | 
    		12 |   tags = {
    		13 |     Name          = "myapp"
    		14 |     service       = "myapp"
    		15 |     node-exporter = "true"
    		16 |   }
    		17 | }
    
    Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
    	FAILED for resource: aws_instance.caddy
    	File: /lessons/153/terraform/10-caddy.tf:1-17
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
    
    		1  | resource "aws_instance" "caddy" {
    		2  |   ami           = data.aws_ami.ubuntu_jammy.id
    		3  |   instance_type = "m6a.large"
    		4  |   subnet_id     = aws_subnet.public_us_east_1a.id
    		5  |   key_name      = "devops" # TODO: update to yours
    		6  | 
    		7  |   vpc_security_group_ids = [
    		8  |     aws_security_group.proxy.id,
    		9  |     aws_security_group.ssh.id
    		10 |   ]
    		11 | 
    		12 |   tags = {
    		13 |     Name          = "caddy"
    		14 |     service       = "caddy"
    		15 |     node-exporter = "true"
    		16 |   }
    		17 | }
    
    Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
    	FAILED for resource: aws_instance.traefik
    	File: /lessons/153/terraform/11-traefik.tf:1-17
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
    
    		1  | resource "aws_instance" "traefik" {
    		2  |   ami           = data.aws_ami.ubuntu_jammy.id
    		3  |   instance_type = "m6a.large"
    		4  |   subnet_id     = aws_subnet.public_us_east_1a.id
    		5  |   key_name      = "devops" # TODO: update to yours
    		6  | 
    		7  |   vpc_security_group_ids = [
    		8  |     aws_security_group.proxy.id,
    		9  |     aws_security_group.ssh.id
    		10 |   ]
    		11 | 
    		12 |   tags = {
    		13 |     Name          = "traefik"
    		14 |     service       = "traefik"
    		15 |     node-exporter = "true"
    		16 |   }
    		17 | }
    
    Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
    	FAILED for resource: aws_instance.myapp
    	File: /lessons/153/terraform/8-myapp.tf:1-17
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
    
    		1  | resource "aws_instance" "myapp" {
    		2  |   ami           = data.aws_ami.ubuntu_jammy.id
    		3  |   instance_type = "m6a.xlarge"
    		4  |   subnet_id     = aws_subnet.public_us_east_1a.id
    		5  |   key_name      = "devops" # TODO: update to yours
    		6  | 
    		7  |   vpc_security_group_ids = [
    		8  |     aws_security_group.myapp.id,
    		9  |     aws_security_group.ssh.id
    		10 |   ]
    		11 | 
    		12 |   tags = {
    		13 |     Name          = "myapp"
    		14 |     service       = "myapp"
    		15 |     node-exporter = "true"
    		16 |   }
    		17 | }
    
    Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
    	FAILED for resource: aws_instance.test
    	File: /lessons/154/terraform/14-ec2.tf:44-92
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
    
    		44 | resource "aws_instance" "test" {
    		45 |   ami           = data.aws_ami.ubuntu_jammy.id
    		46 |   instance_type = "t3a.small"
    		47 |   subnet_id     = aws_subnet.public_us_east_1a.id
    		48 |   #   key_name      = "devops" # TODO: update to yours
    		49 | 
    		50 |   vpc_security_group_ids = [
    		51 |     aws_security_group.test.id
    		52 |   ]
    		53 | 
    		54 |   user_data = <> /etc/systemd/system/node_exporter.service
    		64 | [Unit]
    		65 | Description=Node Exporter
    		66 | Wants=network-online.target
    		67 | After=network-online.target
    		68 | StartLimitIntervalSec=500
    		69 | StartLimitBurst=5
    		70 | 
    		71 | [Service]
    		72 | User=node_exporter
    		73 | Group=node_exporter
    		74 | Type=simple
    		75 | Restart=on-failure
    		76 | RestartSec=5s
    		77 | ExecStart=/usr/local/bin/node_exporter
    		78 | 
    		79 | [Install]
    		80 | WantedBy=multi-user.target
    		81 | EOT
    		82 | 
    		83 | systemctl enable node_exporter
    		84 | systemctl start node_exporter
    		85 | EOF
    		86 | 
    		87 |   tags = {
    		88 |     Name          = "myapp"
    		89 |     service       = "myapp"
    		90 |     node-exporter = "true"
    		91 |   }
    		92 | }
    
    Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
    	FAILED for resource: aws_instance.nginx
    	File: /lessons/161/0-intro/copy-paste.tf:1-8
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
    
    		1 | resource "aws_instance" "nginx" {
    		2 |   ami           = "ami-0f35953afaa5c8c60"
    		3 |   instance_type = "t3.micro"
    		4 | 
    		5 |   tags = {
    		6 |     Name = "staging-nginx"
    		7 |   }
    		8 | }
    
    Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
    	FAILED for resource: aws_instance.nginx_2
    	File: /lessons/161/0-intro/copy-paste.tf:10-17
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
    
    		10 | resource "aws_instance" "nginx_2" {
    		11 |   ami           = "ami-0f35953afaa5c8c60"
    		12 |   instance_type = "t3.micro"
    		13 | 
    		14 |   tags = {
    		15 |     Name = "staging-nginx"
    		16 |   }
    		17 | }
    
    Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
    	FAILED for resource: aws_instance.nginx
    	File: /lessons/161/0-intro/declarative.tf:9-16
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
    
    		9  | resource "aws_instance" "nginx" {
    		10 |   ami           = "ami-0f35953afaa5c8c60"
    		11 |   instance_type = "t3.micro"
    		12 | 
    		13 |   tags = {
    		14 |     Name = "staging-nginx"
    		15 |   }
    		16 | }
    
    Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
    	FAILED for resource: aws_instance.web["nginx-0"]
    	File: /lessons/161/1-loop/2-for_each/ec2.tf:14-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
    
    		14 | resource "aws_instance" "web" {
    		15 |   for_each = local.web_servers
    		16 | 
    		17 |   ami               = "ami-1234567890"
    		18 |   instance_type     = each.value.instance_type
    		19 |   availability_zone = each.value.availability_zone
    		20 | 
    		21 |   tags = {
    		22 |     Name = each.key
    		23 |   }
    		24 | }
    
    Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
    	FAILED for resource: aws_instance.example
    	File: /lessons/164/main.tf:16-33
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
    
    		16 | resource "aws_instance" "example" {
    		17 |   ami           = "ami-0a695f0d95cefc163"
    		18 |   instance_type = "t3.micro"
    		19 | 
    		20 |   vpc_security_group_ids = [aws_security_group.instance.id]
    		21 | 
    		22 |   user_data = <<-EOF
    		23 |               #!/bin/bash
    		24 |               echo "Hello, World" > index.html
    		25 |               nohup busybox httpd -f -p ${var.server_port} &
    		26 |               EOF
    		27 | 
    		28 |   user_data_replace_on_change = true
    		29 | 
    		30 |   tags = {
    		31 |     Name = "my-ubuntu"
    		32 |   }
    		33 | }
    
    Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
    	FAILED for resource: aws_instance.example
    	File: /lessons/165/3-example/main.tf:5-11
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
    
    		5  | resource "aws_instance" "example" {
    		6  |   ami = "ami-0a695f0d95cefc163"
    		7  | 
    		8  |   instance_type = (
    		9  |     terraform.workspace == "default" ? "t3.medium" : "t3.micro"
    		10 |   )
    		11 | }
    
    Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
    	FAILED for resource: aws_instance.example
    	File: /lessons/165/infra/main.tf:5-8
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
    
    		5 | resource "aws_instance" "example" {
    		6 |   ami           = "ami-0a695f0d95cefc163"
    		7 |   instance_type = "t3.micro"
    		8 | }
    
    Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
    	FAILED for resource: aws_instance.example
    	File: /lessons/165/staging/services/web/main.tf:22-35
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
    
    		22 | resource "aws_instance" "example" {
    		23 |   ami           = "ami-0a695f0d95cefc163"
    		24 |   instance_type = "t3.micro"
    		25 | 
    		26 |   vpc_security_group_ids = [aws_security_group.instance.id]
    		27 | 
    		28 |   user_data = templatefile("user-data.sh", {
    		29 |     server_port      = var.server_port
    		30 |     postgres_address = data.terraform_remote_state.postgres.outputs.address
    		31 |     postgres_port    = data.terraform_remote_state.postgres.outputs.port
    		32 |   })
    		33 | 
    		34 |   user_data_replace_on_change = true
    		35 | }
    
    Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
    	FAILED for resource: aws_instance.blue[1]
    	File: /lessons/063/blue.tf:3-18
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
    
    		3  | resource "aws_instance" "blue" {
    		4  |   count = var.enable_blue_env ? var.blue_instance_count : 0
    		5  | 
    		6  |   ami                    = local.ubuntu_ami
    		7  |   instance_type          = "t2.micro"
    		8  |   subnet_id              = local.private_a_subnet_id
    		9  |   vpc_security_group_ids = [aws_security_group.web.id]
    		10 | 
    		11 |   user_data = templatefile("./init-script.sh", {
    		12 |     file_content = "blue version 1.2 - ${count.index}"
    		13 |   })
    		14 | 
    		15 |   tags = {
    		16 |     Name = "blue version 1.2 - ${count.index}"
    		17 |   }
    		18 | }
    
    Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
    	FAILED for resource: aws_instance.my_app_eg1["my-app-01"]
    	File: /lessons/127/terraform/6-example-1.tf:78-91
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
    
    		78 | resource "aws_instance" "my_app_eg1" {
    		79 |   for_each = local.web_servers
    		80 | 
    		81 |   ami           = "ami-07309549f34230bcd"
    		82 |   instance_type = each.value.machine_type
    		83 |   key_name      = "devops"
    		84 |   subnet_id     = each.value.subnet_id
    		85 | 
    		86 |   vpc_security_group_ids = [aws_security_group.ec2_eg1.id]
    		87 | 
    		88 |   tags = {
    		89 |     Name = each.key
    		90 |   }
    		91 | }
    
    Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
    	FAILED for resource: aws_instance.web["nginx-1"]
    	File: /lessons/161/1-loop/2-for_each/ec2.tf:14-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
    
    		14 | resource "aws_instance" "web" {
    		15 |   for_each = local.web_servers
    		16 | 
    		17 |   ami               = "ami-1234567890"
    		18 |   instance_type     = each.value.instance_type
    		19 |   availability_zone = each.value.availability_zone
    		20 | 
    		21 |   tags = {
    		22 |     Name = each.key
    		23 |   }
    		24 | }
    
    Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/020/main.tf:8-14
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
    
    		8  | resource "aws_vpc" "main" {
    		9  |   cidr_block = "10.0.0.0/18"
    		10 | 
    		11 |   tags = {
    		12 |     Name = "main"
    		13 |   }
    		14 | }
    
    Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/038/terraform/vpc.tf:4-30
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
    
    		4  | resource "aws_vpc" "main" {
    		5  |   # The CIDR block for the VPC.
    		6  |   cidr_block = "192.168.0.0/16"
    		7  | 
    		8  |   # Makes your instances shared on the host.
    		9  |   instance_tenancy = "default"
    		10 | 
    		11 |   # Required for EKS. Enable/disable DNS support in the VPC.
    		12 |   enable_dns_support = true
    		13 | 
    		14 |   # Required for EKS. Enable/disable DNS hostnames in the VPC.
    		15 |   enable_dns_hostnames = true
    		16 | 
    		17 |   # Enable/disable ClassicLink for the VPC.
    		18 |   enable_classiclink = false
    		19 | 
    		20 |   # Enable/disable ClassicLink DNS Support for the VPC.
    		21 |   enable_classiclink_dns_support = false
    		22 | 
    		23 |   # Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC.
    		24 |   assign_generated_ipv6_cidr_block = false
    		25 | 
    		26 |   # A map of tags to assign to the resource.
    		27 |   tags = {
    		28 |     Name = "main"
    		29 |   }
    		30 | }
    
    Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/089/terraform/1-vpc.tf:3-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
    
    		3 | resource "aws_vpc" "main" {
    		4 |   cidr_block = "10.0.0.0/16"
    		5 | 
    		6 |   tags = {
    		7 |     Name = "main"
    		8 |   }
    		9 | }
    
    Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/090/terraform/1-vpc.tf:3-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
    
    		3 | resource "aws_vpc" "main" {
    		4 |   cidr_block = "10.0.0.0/16"
    		5 | 
    		6 |   tags = {
    		7 |     Name = "main"
    		8 |   }
    		9 | }
    
    Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/091/terraform/1-vpc.tf:3-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
    
    		3 | resource "aws_vpc" "main" {
    		4 |   cidr_block = "10.0.0.0/16"
    		5 | 
    		6 |   tags = {
    		7 |     Name = "main"
    		8 |   }
    		9 | }
    
    Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/099/terraform/1-vpc.tf:3-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
    
    		3 | resource "aws_vpc" "main" {
    		4 |   cidr_block = "10.0.0.0/16"
    		5 | 
    		6 |   tags = {
    		7 |     Name = "main"
    		8 |   }
    		9 | }
    
    Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/102/terraform/1-vpc.tf:1-7
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
    
    		1 | resource "aws_vpc" "main" {
    		2 |   cidr_block = "10.0.0.0/16"
    		3 | 
    		4 |   tags = {
    		5 |     Name = "main"
    		6 |   }
    		7 | }
    
    Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/104/terraform/1-vpc.tf:1-7
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
    
    		1 | resource "aws_vpc" "main" {
    		2 |   cidr_block = "10.0.0.0/16"
    		3 | 
    		4 |   tags = {
    		5 |     Name = "main"
    		6 |   }
    		7 | }
    
    Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/105/aws-terraform/1-vpc.tf:1-7
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
    
    		1 | resource "aws_vpc" "main" {
    		2 |   cidr_block = "10.0.0.0/16"
    		3 | 
    		4 |   tags = {
    		5 |     Name = "main"
    		6 |   }
    		7 | }
    
    Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/112/terraform/1-vpc.tf:1-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
    
    		1 | resource "aws_vpc" "main" {
    		2 |   cidr_block = "10.0.0.0/16"
    		3 | 
    		4 |   enable_dns_hostnames = true
    		5 | 
    		6 |   tags = {
    		7 |     Name = "main"
    		8 |   }
    		9 | }
    
    Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/113/terraform/1-vpc.tf:1-11
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
    
    		1  | resource "aws_vpc" "main" {
    		2  |   cidr_block = "10.0.0.0/16"
    		3  | 
    		4  |   # Must be enabled for EFS
    		5  |   enable_dns_support   = true
    		6  |   enable_dns_hostnames = true
    		7  | 
    		8  |   tags = {
    		9  |     Name = "main"
    		10 |   }
    		11 | }
    
    Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/114/terraform/1-vpc.tf:1-11
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
    
    		1  | resource "aws_vpc" "main" {
    		2  |   cidr_block = "10.0.0.0/16"
    		3  | 
    		4  |   # Must be enabled for EFS
    		5  |   enable_dns_support   = true
    		6  |   enable_dns_hostnames = true
    		7  | 
    		8  |   tags = {
    		9  |     Name = "main"
    		10 |   }
    		11 | }
    
    Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/116/terraform/1-vpc.tf:1-7
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
    
    		1 | resource "aws_vpc" "main" {
    		2 |   cidr_block = "10.0.0.0/16"
    		3 | 
    		4 |   tags = {
    		5 |     Name = "main"
    		6 |   }
    		7 | }
    
    Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/118/terraform/1-vpc.tf:1-10
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
    
    		1  | resource "aws_vpc" "main" {
    		2  |   cidr_block = "10.0.0.0/16"
    		3  | 
    		4  |   enable_dns_support   = true
    		5  |   enable_dns_hostnames = true
    		6  | 
    		7  |   tags = {
    		8  |     Name = "main"
    		9  |   }
    		10 | }
    
    Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/119/terraform/1-vpc.tf:1-10
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
    
    		1  | resource "aws_vpc" "main" {
    		2  |   cidr_block = "10.0.0.0/16"
    		3  | 
    		4  |   enable_dns_support   = true
    		5  |   enable_dns_hostnames = true
    		6  | 
    		7  |   tags = {
    		8  |     Name = "main"
    		9  |   }
    		10 | }
    
    Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/121/terraform/1-vpc.tf:1-10
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
    
    		1  | resource "aws_vpc" "main" {
    		2  |   cidr_block = "10.0.0.0/16"
    		3  | 
    		4  |   enable_dns_support   = true
    		5  |   enable_dns_hostnames = true
    		6  | 
    		7  |   tags = {
    		8  |     Name = "main"
    		9  |   }
    		10 | }
    
    Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/122/terraform/1-vpc.tf:2-11
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
    
    		2  | resource "aws_vpc" "main" {
    		3  |   cidr_block = "10.0.0.0/16"
    		4  | 
    		5  |   enable_dns_support   = true
    		6  |   enable_dns_hostnames = true
    		7  | 
    		8  |   tags = {
    		9  |     Name = "main"
    		10 |   }
    		11 | }
    
    Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/127/terraform/1-vpc.tf:1-7
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
    
    		1 | resource "aws_vpc" "main" {
    		2 |   cidr_block = "10.0.0.0/16"
    		3 | 
    		4 |   tags = {
    		5 |     Name = "main"
    		6 |   }
    		7 | }
    
    Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/130/terraform/1-vpc.tf:1-7
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
    
    		1 | resource "aws_vpc" "main" {
    		2 |   cidr_block = "10.0.0.0/16"
    		3 | 
    		4 |   tags = {
    		5 |     Name = "main"
    		6 |   }
    		7 | }
    
    Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/131/terraform/1-vpc.tf:1-7
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
    
    		1 | resource "aws_vpc" "main" {
    		2 |   cidr_block = "10.0.0.0/16"
    		3 | 
    		4 |   tags = {
    		5 |     Name = "main"
    		6 |   }
    		7 | }
    
    Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/133/terraform/1-vpc.tf:1-7
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
    
    		1 | resource "aws_vpc" "main" {
    		2 |   cidr_block = "10.0.0.0/16"
    		3 | 
    		4 |   tags = {
    		5 |     Name = "main"
    		6 |   }
    		7 | }
    
    Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/134/terraform/1-vpc.tf:1-7
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
    
    		1 | resource "aws_vpc" "main" {
    		2 |   cidr_block = "10.0.0.0/16"
    		3 | 
    		4 |   tags = {
    		5 |     Name = "main"
    		6 |   }
    		7 | }
    
    Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/135/terraform/1-vpc.tf:1-7
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
    
    		1 | resource "aws_vpc" "main" {
    		2 |   cidr_block = "10.0.0.0/16"
    		3 | 
    		4 |   tags = {
    		5 |     Name = "main"
    		6 |   }
    		7 | }
    
    Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/136/terraform/1-vpc.tf:1-7
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
    
    		1 | resource "aws_vpc" "main" {
    		2 |   cidr_block = "10.0.0.0/16"
    		3 | 
    		4 |   tags = {
    		5 |     Name = "main"
    		6 |   }
    		7 | }
    
    Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/138/terraform/01-vpc.tf:1-7
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
    
    		1 | resource "aws_vpc" "main" {
    		2 |   cidr_block = "10.0.0.0/16"
    		3 | 
    		4 |   tags = {
    		5 |     Name = "main"
    		6 |   }
    		7 | }
    
    Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/139/0-terraform/1-vpc.tf:1-7
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
    
    		1 | resource "aws_vpc" "main" {
    		2 |   cidr_block = "10.0.0.0/16"
    		3 | 
    		4 |   tags = {
    		5 |     Name = "main"
    		6 |   }
    		7 | }
    
    Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/140/terraform/1-vpc.tf:1-7
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
    
    		1 | resource "aws_vpc" "main" {
    		2 |   cidr_block = "10.0.0.0/16"
    		3 | 
    		4 |   tags = {
    		5 |     Name = "main"
    		6 |   }
    		7 | }
    
    Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/142/terraform/1-vpc.tf:1-7
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
    
    		1 | resource "aws_vpc" "main" {
    		2 |   cidr_block = "10.0.0.0/16"
    		3 | 
    		4 |   tags = {
    		5 |     Name = "main"
    		6 |   }
    		7 | }
    
    Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/143/terraform/1-vpc.tf:1-7
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
    
    		1 | resource "aws_vpc" "main" {
    		2 |   cidr_block = "10.0.0.0/16"
    		3 | 
    		4 |   tags = {
    		5 |     Name = "main"
    		6 |   }
    		7 | }
    
    Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/144/terraform/1-vpc.tf:1-10
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
    
    		1  | resource "aws_vpc" "main" {
    		2  |   cidr_block = "10.0.0.0/16"
    		3  | 
    		4  |   enable_dns_support   = true
    		5  |   enable_dns_hostnames = true
    		6  | 
    		7  |   tags = {
    		8  |     Name = "main"
    		9  |   }
    		10 | }
    
    Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/145/terraform/1-vpc.tf:1-10
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
    
    		1  | resource "aws_vpc" "main" {
    		2  |   cidr_block = "10.0.0.0/16"
    		3  | 
    		4  |   enable_dns_support   = true
    		5  |   enable_dns_hostnames = true
    		6  | 
    		7  |   tags = {
    		8  |     Name = "main"
    		9  |   }
    		10 | }
    
    Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/146/terraform/1-vpc.tf:1-10
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
    
    		1  | resource "aws_vpc" "main" {
    		2  |   cidr_block = "10.0.0.0/16"
    		3  | 
    		4  |   enable_dns_support   = true
    		5  |   enable_dns_hostnames = true
    		6  | 
    		7  |   tags = {
    		8  |     Name = "main"
    		9  |   }
    		10 | }
    
    Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/147/terraform/1-vpc.tf:1-10
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
    
    		1  | resource "aws_vpc" "main" {
    		2  |   cidr_block = "10.0.0.0/16"
    		3  | 
    		4  |   enable_dns_support   = true
    		5  |   enable_dns_hostnames = true
    		6  | 
    		7  |   tags = {
    		8  |     Name = "main"
    		9  |   }
    		10 | }
    
    Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/149/terraform/1-vpc.tf:1-10
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
    
    		1  | resource "aws_vpc" "main" {
    		2  |   cidr_block = "10.0.0.0/16"
    		3  | 
    		4  |   enable_dns_support   = true
    		5  |   enable_dns_hostnames = true
    		6  | 
    		7  |   tags = {
    		8  |     Name = "main"
    		9  |   }
    		10 | }
    
    Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/150/terraform/1-vpc.tf:1-10
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
    
    		1  | resource "aws_vpc" "main" {
    		2  |   cidr_block = "10.0.0.0/16"
    		3  | 
    		4  |   enable_dns_support   = true
    		5  |   enable_dns_hostnames = true
    		6  | 
    		7  |   tags = {
    		8  |     Name = "main"
    		9  |   }
    		10 | }
    
    Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/151/terraform/1-vpc.tf:1-10
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
    
    		1  | resource "aws_vpc" "main" {
    		2  |   cidr_block = "10.0.0.0/16"
    		3  | 
    		4  |   enable_dns_support   = true
    		5  |   enable_dns_hostnames = true
    		6  | 
    		7  |   tags = {
    		8  |     Name = "main"
    		9  |   }
    		10 | }
    
    Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/152/terraform/1-vpc.tf:1-10
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
    
    		1  | resource "aws_vpc" "main" {
    		2  |   cidr_block = "10.0.0.0/16"
    		3  | 
    		4  |   enable_dns_support   = true
    		5  |   enable_dns_hostnames = true
    		6  | 
    		7  |   tags = {
    		8  |     Name = "main"
    		9  |   }
    		10 | }
    
    Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/153/terraform/1-vpc.tf:1-10
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
    
    		1  | resource "aws_vpc" "main" {
    		2  |   cidr_block = "10.0.0.0/16"
    		3  | 
    		4  |   enable_dns_support   = true
    		5  |   enable_dns_hostnames = true
    		6  | 
    		7  |   tags = {
    		8  |     Name = "main"
    		9  |   }
    		10 | }
    
    Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/154/terraform/1-vpc.tf:1-10
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
    
    		1  | resource "aws_vpc" "main" {
    		2  |   cidr_block = "10.0.0.0/16"
    		3  | 
    		4  |   enable_dns_support   = true
    		5  |   enable_dns_hostnames = true
    		6  | 
    		7  |   tags = {
    		8  |     Name = "main"
    		9  |   }
    		10 | }
    
    Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/155/eks-terraform/1-vpc.tf:1-10
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
    
    		1  | resource "aws_vpc" "main" {
    		2  |   cidr_block = "10.0.0.0/16"
    		3  | 
    		4  |   enable_dns_support   = true
    		5  |   enable_dns_hostnames = true
    		6  | 
    		7  |   tags = {
    		8  |     Name = "main"
    		9  |   }
    		10 | }
    
    Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/156/terraform/1-vpc.tf:1-10
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
    
    		1  | resource "aws_vpc" "main" {
    		2  |   cidr_block = "10.0.0.0/16"
    		3  | 
    		4  |   enable_dns_support   = true
    		5  |   enable_dns_hostnames = true
    		6  | 
    		7  |   tags = {
    		8  |     Name = "main"
    		9  |   }
    		10 | }
    
    Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
    	FAILED for resource: aws_vpc.this
    	File: /lessons/160/git-infrastructure-modules/vpc/1-vpc.tf:1-10
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
    
    		1  | resource "aws_vpc" "this" {
    		2  |   cidr_block = var.vpc_cidr_block
    		3  | 
    		4  |   enable_dns_support   = true
    		5  |   enable_dns_hostnames = true
    		6  | 
    		7  |   tags = {
    		8  |     Name = "${var.env}-main"
    		9  |   }
    		10 | }
    
    Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/160/infrastructure-live-v1/dev/vpc/1-vpc.tf:1-10
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
    
    		1  | resource "aws_vpc" "main" {
    		2  |   cidr_block = "10.0.0.0/16"
    		3  | 
    		4  |   enable_dns_support   = true
    		5  |   enable_dns_hostnames = true
    		6  | 
    		7  |   tags = {
    		8  |     Name = "dev-main"
    		9  |   }
    		10 | }
    
    Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/160/infrastructure-live-v1/staging/vpc/1-vpc.tf:1-10
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
    
    		1  | resource "aws_vpc" "main" {
    		2  |   cidr_block = "10.0.0.0/16"
    		3  | 
    		4  |   enable_dns_support   = true
    		5  |   enable_dns_hostnames = true
    		6  | 
    		7  |   tags = {
    		8  |     Name = "staging-main"
    		9  |   }
    		10 | }
    
    Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
    	FAILED for resource: module.vpc.aws_vpc.this
    	File: /lessons/160/infrastructure-modules/vpc/1-vpc.tf:1-10
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
    
    		1  | resource "aws_vpc" "this" {
    		2  |   cidr_block = var.vpc_cidr_block
    		3  | 
    		4  |   enable_dns_support   = true
    		5  |   enable_dns_hostnames = true
    		6  | 
    		7  |   tags = {
    		8  |     Name = "${var.env}-main"
    		9  |   }
    		10 | }
    
    Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/161/0-intro/declarative.tf:1-7
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
    
    		1 | resource "aws_vpc" "main" {
    		2 |   cidr_block = "10.0.0.0/16"
    		3 | 
    		4 |   tags = {
    		5 |     Name = "staging-main"
    		6 |   }
    		7 | }
    
    Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/161/1-loop/1-count/vpc.tf:1-3
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
    
    		1 | resource "aws_vpc" "main" {
    		2 |   cidr_block = "10.0.0.0/16"
    		3 | }
    
    Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/161/1-loop/2-for_each/vpc.tf:1-3
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
    
    		1 | resource "aws_vpc" "main" {
    		2 |   cidr_block = "10.0.0.0/16"
    		3 | }
    
    Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/161/2-conditionals/2-if-else/vpc.tf:1-3
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
    
    		1 | resource "aws_vpc" "main" {
    		2 |   cidr_block = "10.0.0.0/16"
    		3 | }
    
    Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
    	FAILED for resource: module.vpcs.aws_vpc.main
    	File: /lessons/161/modules/vpc/main.tf:1-7
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
    
    		1 | resource "aws_vpc" "main" {
    		2 |   cidr_block = "10.0.0.0/16"
    		3 | 
    		4 |   tags = {
    		5 |     Name = "main"
    		6 |   }
    		7 | }
    
    Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
    	FAILED for resource: module.vpcs.aws_vpc.database[0]
    	File: /lessons/161/modules/vpc/main.tf:9-17
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
    
    		9  | resource "aws_vpc" "database" {
    		10 |   count = var.enable_database_vpc ? 1 : 0
    		11 | 
    		12 |   cidr_block = "10.1.0.0/16"
    		13 | 
    		14 |   tags = {
    		15 |     Name = "database"
    		16 |   }
    		17 | }
    
    Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
    	FAILED for resource: aws_vpc.main
    	File: /lessons/175/terraform/2-vpc.tf:1-10
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
    
    		1  | resource "aws_vpc" "main" {
    		2  |   cidr_block = "10.0.0.0/16"
    		3  | 
    		4  |   enable_dns_support   = true
    		5  |   enable_dns_hostnames = true
    		6  | 
    		7  |   tags = {
    		8  |     Name = "${local.env}-main"
    		9  |   }
    		10 | }
    
    Check: CKV2_AWS_38: "Ensure Domain Name System Security Extensions (DNSSEC) signing is enabled for Amazon Route 53 public hosted zones"
    	FAILED for resource: aws_route53_zone.devops
    	File: /lessons/020/main.tf:163-166
    
    		163 | resource "aws_route53_zone" "devops" {
    		164 |   name    = "devopsbyexample.io"
    		165 |   comment = ""
    		166 | }
    
    Check: CKV2_AWS_38: "Ensure Domain Name System Security Extensions (DNSSEC) signing is enabled for Amazon Route 53 public hosted zones"
    	FAILED for resource: aws_route53_zone.antonputra
    	File: /lessons/144/terraform/14.dns.tf:6-12
    
    		6  | resource "aws_route53_zone" "antonputra" {
    		7  |   name = "antonputra.pvt"
    		8  | 
    		9  |   vpc {
    		10 |     vpc_id = aws_vpc.main.id
    		11 |   }
    		12 | }
    
    Check: CKV2_AWS_38: "Ensure Domain Name System Security Extensions (DNSSEC) signing is enabled for Amazon Route 53 public hosted zones"
    	FAILED for resource: aws_route53_zone.private
    	File: /lessons/145/terraform/13-private-dns.tf:6-12
    
    		6  | resource "aws_route53_zone" "private" {
    		7  |   name = local.private_route53_zone
    		8  | 
    		9  |   vpc {
    		10 |     vpc_id = aws_vpc.main.id
    		11 |   }
    		12 | }
    
    Check: CKV2_AWS_38: "Ensure Domain Name System Security Extensions (DNSSEC) signing is enabled for Amazon Route 53 public hosted zones"
    	FAILED for resource: aws_route53_zone.antonputra_pvt
    	File: /lessons/146/terraform/14.dns.tf:2-8
    
    		2 | resource "aws_route53_zone" "antonputra_pvt" {
    		3 |   name = "antonputra.pvt"
    		4 | 
    		5 |   vpc {
    		6 |     vpc_id = aws_vpc.main.id
    		7 |   }
    		8 | }
    
    Check: CKV2_AWS_38: "Ensure Domain Name System Security Extensions (DNSSEC) signing is enabled for Amazon Route 53 public hosted zones"
    	FAILED for resource: aws_route53_zone.private
    	File: /lessons/147/terraform/13-private-dns.tf:8-14
    
    		8  | resource "aws_route53_zone" "private" {
    		9  |   name = local.private_route53_zone
    		10 | 
    		11 |   vpc {
    		12 |     vpc_id = aws_vpc.main.id
    		13 |   }
    		14 | }
    
    Check: CKV2_AWS_38: "Ensure Domain Name System Security Extensions (DNSSEC) signing is enabled for Amazon Route 53 public hosted zones"
    	FAILED for resource: aws_route53_zone.private
    	File: /lessons/149/terraform/13-private-dns.tf:6-12
    
    		6  | resource "aws_route53_zone" "private" {
    		7  |   name = local.private_route53_zone
    		8  | 
    		9  |   vpc {
    		10 |     vpc_id = aws_vpc.main.id
    		11 |   }
    		12 | }
    
    Check: CKV2_AWS_38: "Ensure Domain Name System Security Extensions (DNSSEC) signing is enabled for Amazon Route 53 public hosted zones"
    	FAILED for resource: aws_route53_zone.private
    	File: /lessons/150/terraform/13-private-dns.tf:7-13
    
    		7  | resource "aws_route53_zone" "private" {
    		8  |   name = local.private_route53_zone
    		9  | 
    		10 |   vpc {
    		11 |     vpc_id = aws_vpc.main.id
    		12 |   }
    		13 | }
    
    Check: CKV2_AWS_38: "Ensure Domain Name System Security Extensions (DNSSEC) signing is enabled for Amazon Route 53 public hosted zones"
    	FAILED for resource: aws_route53_zone.antonputra
    	File: /lessons/151/terraform/13.dns.tf:6-12
    
    		6  | resource "aws_route53_zone" "antonputra" {
    		7  |   name = "antonputra.pvt"
    		8  | 
    		9  |   vpc {
    		10 |     vpc_id = aws_vpc.main.id
    		11 |   }
    		12 | }
    
    Check: CKV2_AWS_38: "Ensure Domain Name System Security Extensions (DNSSEC) signing is enabled for Amazon Route 53 public hosted zones"
    	FAILED for resource: aws_route53_zone.antonputra
    	File: /lessons/153/terraform/13.dns.tf:6-12
    
    		6  | resource "aws_route53_zone" "antonputra" {
    		7  |   name = "antonputra.pvt"
    		8  | 
    		9  |   vpc {
    		10 |     vpc_id = aws_vpc.main.id
    		11 |   }
    		12 | }
    
    cloudformation scan results:
    
    Passed checks: 12, Failed checks: 18, Skipped checks: 0, Parsing errors: 2
    
    Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
    	FAILED for resource: AWS::Serverless::Function.APIFunction
    	File: /lessons/075/sam/template.yaml:10-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit.html
    
    		10 |   APIFunction:
    		11 |     Type: AWS::Serverless::Function
    		12 |     Properties:
    		13 |       Runtime: nodejs14.x
    		14 |       Handler: function.lambdaHandler
    		15 |       CodeUri: api/
    		16 |       Timeout: 3
    		17 |       Events:
    		18 |         Hello:
    		19 |           Type: Api
    		20 |           Properties:
    		21 |             Path: /hello
    		22 |             Method: POST
    		23 |             RestApiId: 
    		24 |               Ref: HelloAPI
    
    Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
    	FAILED for resource: AWS::Serverless::Function.APIFunction
    	File: /lessons/075/sam/template.yaml:10-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq.html
    
    		10 |   APIFunction:
    		11 |     Type: AWS::Serverless::Function
    		12 |     Properties:
    		13 |       Runtime: nodejs14.x
    		14 |       Handler: function.lambdaHandler
    		15 |       CodeUri: api/
    		16 |       Timeout: 3
    		17 |       Events:
    		18 |         Hello:
    		19 |           Type: Api
    		20 |           Properties:
    		21 |             Path: /hello
    		22 |             Method: POST
    		23 |             RestApiId: 
    		24 |               Ref: HelloAPI
    
    Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
    	FAILED for resource: AWS::Serverless::Function.APIFunction
    	File: /lessons/075/sam/template.yaml:10-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1.html
    
    		10 |   APIFunction:
    		11 |     Type: AWS::Serverless::Function
    		12 |     Properties:
    		13 |       Runtime: nodejs14.x
    		14 |       Handler: function.lambdaHandler
    		15 |       CodeUri: api/
    		16 |       Timeout: 3
    		17 |       Events:
    		18 |         Hello:
    		19 |           Type: Api
    		20 |           Properties:
    		21 |             Path: /hello
    		22 |             Method: POST
    		23 |             RestApiId: 
    		24 |               Ref: HelloAPI
    
    Check: CKV_AWS_120: "Ensure API Gateway caching is enabled"
    	FAILED for resource: AWS::Serverless::Api.HelloAPI
    	File: /lessons/075/sam/template.yaml:26-30
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-api-gateway-caching-is-enabled.html
    
    		26 |   HelloAPI:
    		27 |     Type: AWS::Serverless::Api
    		28 |     Properties:
    		29 |       StageName: staging
    		30 |       OpenApiVersion: 3.0.3
    
    Check: CKV_AWS_73: "Ensure API Gateway has X-Ray Tracing enabled"
    	FAILED for resource: AWS::Serverless::Api.HelloAPI
    	File: /lessons/075/sam/template.yaml:26-30
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-15.html
    
    		26 |   HelloAPI:
    		27 |     Type: AWS::Serverless::Api
    		28 |     Properties:
    		29 |       StageName: staging
    		30 |       OpenApiVersion: 3.0.3
    
    Check: CKV_AWS_76: "Ensure API Gateway has Access Logging enabled"
    	FAILED for resource: AWS::Serverless::Api.HelloAPI
    	File: /lessons/075/sam/template.yaml:26-30
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-17.html
    
    		26 |   HelloAPI:
    		27 |     Type: AWS::Serverless::Api
    		28 |     Properties:
    		29 |       StageName: staging
    		30 |       OpenApiVersion: 3.0.3
    
    Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
    	FAILED for resource: AWS::Serverless::Function.S3Function
    	File: /lessons/075/sam/template.yaml:32-45
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit.html
    
    		32 |   S3Function:
    		33 |     Type: AWS::Serverless::Function
    		34 |     Properties:
    		35 |       Runtime: nodejs14.x
    		36 |       Handler: function.lambdaHandler
    		37 |       CodeUri: s3/
    		38 |       Timeout: 60
    		39 |       Policies: AWSLambdaExecute
    		40 |       Events:
    		41 |         PrintEvent:
    		42 |           Type: S3
    		43 |           Properties:
    		44 |             Bucket: !Ref ExampleBucket
    		45 |             Events: s3:ObjectCreated:*
    
    Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
    	FAILED for resource: AWS::Serverless::Function.S3Function
    	File: /lessons/075/sam/template.yaml:32-45
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq.html
    
    		32 |   S3Function:
    		33 |     Type: AWS::Serverless::Function
    		34 |     Properties:
    		35 |       Runtime: nodejs14.x
    		36 |       Handler: function.lambdaHandler
    		37 |       CodeUri: s3/
    		38 |       Timeout: 60
    		39 |       Policies: AWSLambdaExecute
    		40 |       Events:
    		41 |         PrintEvent:
    		42 |           Type: S3
    		43 |           Properties:
    		44 |             Bucket: !Ref ExampleBucket
    		45 |             Events: s3:ObjectCreated:*
    
    Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
    	FAILED for resource: AWS::Serverless::Function.S3Function
    	File: /lessons/075/sam/template.yaml:32-45
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1.html
    
    		32 |   S3Function:
    		33 |     Type: AWS::Serverless::Function
    		34 |     Properties:
    		35 |       Runtime: nodejs14.x
    		36 |       Handler: function.lambdaHandler
    		37 |       CodeUri: s3/
    		38 |       Timeout: 60
    		39 |       Policies: AWSLambdaExecute
    		40 |       Events:
    		41 |         PrintEvent:
    		42 |           Type: S3
    		43 |           Properties:
    		44 |             Bucket: !Ref ExampleBucket
    		45 |             Events: s3:ObjectCreated:*
    
    Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
    	FAILED for resource: AWS::S3::Bucket.ExampleBucket
    	File: /lessons/075/sam/template.yaml:47-50
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
    
    		47 |   ExampleBucket:
    		48 |     Type: AWS::S3::Bucket
    		49 |     Properties:
    		50 |       BucketName: test-antonputra
    
    Check: CKV_AWS_53: "Ensure S3 bucket has block public ACLS enabled"
    	FAILED for resource: AWS::S3::Bucket.ExampleBucket
    	File: /lessons/075/sam/template.yaml:47-50
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/bc-aws-s3-19.html
    
    		47 |   ExampleBucket:
    		48 |     Type: AWS::S3::Bucket
    		49 |     Properties:
    		50 |       BucketName: test-antonputra
    
    Check: CKV_AWS_56: "Ensure S3 bucket has 'restrict_public_bucket' enabled"
    	FAILED for resource: AWS::S3::Bucket.ExampleBucket
    	File: /lessons/075/sam/template.yaml:47-50
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/bc-aws-s3-22.html
    
    		47 |   ExampleBucket:
    		48 |     Type: AWS::S3::Bucket
    		49 |     Properties:
    		50 |       BucketName: test-antonputra
    
    Check: CKV_AWS_55: "Ensure S3 bucket has ignore public ACLs enabled"
    	FAILED for resource: AWS::S3::Bucket.ExampleBucket
    	File: /lessons/075/sam/template.yaml:47-50
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/bc-aws-s3-21.html
    
    		47 |   ExampleBucket:
    		48 |     Type: AWS::S3::Bucket
    		49 |     Properties:
    		50 |       BucketName: test-antonputra
    
    Check: CKV_AWS_21: "Ensure the S3 bucket has versioning enabled"
    	FAILED for resource: AWS::S3::Bucket.ExampleBucket
    	File: /lessons/075/sam/template.yaml:47-50
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
    
    		47 |   ExampleBucket:
    		48 |     Type: AWS::S3::Bucket
    		49 |     Properties:
    		50 |       BucketName: test-antonputra
    
    Check: CKV_AWS_54: "Ensure S3 bucket has block public policy enabled"
    	FAILED for resource: AWS::S3::Bucket.ExampleBucket
    	File: /lessons/075/sam/template.yaml:47-50
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/bc-aws-s3-20.html
    
    		47 |   ExampleBucket:
    		48 |     Type: AWS::S3::Bucket
    		49 |     Properties:
    		50 |       BucketName: test-antonputra
    
    Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
    	FAILED for resource: AWS::Serverless::Function.SNSFunction
    	File: /lessons/075/sam/template.yaml:52-65
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit.html
    
    		52 |   SNSFunction:
    		53 |     Type: AWS::Serverless::Function
    		54 |     Properties:
    		55 |       PackageType: Image
    		56 |       CodeUri: sns/
    		57 |       Events:
    		58 |         HelloWorld:
    		59 |           Type: SNS
    		60 |           Properties:
    		61 |             Topic: arn:aws:sns:us-east-1:424432388155:sns-topic-for-lambda
    		62 |     Metadata:
    		63 |       Dockerfile: Dockerfile
    		64 |       DockerContext: ./sns
    		65 |       DockerTag: python3.8-v1
    
    Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
    	FAILED for resource: AWS::Serverless::Function.SNSFunction
    	File: /lessons/075/sam/template.yaml:52-65
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq.html
    
    		52 |   SNSFunction:
    		53 |     Type: AWS::Serverless::Function
    		54 |     Properties:
    		55 |       PackageType: Image
    		56 |       CodeUri: sns/
    		57 |       Events:
    		58 |         HelloWorld:
    		59 |           Type: SNS
    		60 |           Properties:
    		61 |             Topic: arn:aws:sns:us-east-1:424432388155:sns-topic-for-lambda
    		62 |     Metadata:
    		63 |       Dockerfile: Dockerfile
    		64 |       DockerContext: ./sns
    		65 |       DockerTag: python3.8-v1
    
    Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
    	FAILED for resource: AWS::Serverless::Function.SNSFunction
    	File: /lessons/075/sam/template.yaml:52-65
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1.html
    
    		52 |   SNSFunction:
    		53 |     Type: AWS::Serverless::Function
    		54 |     Properties:
    		55 |       PackageType: Image
    		56 |       CodeUri: sns/
    		57 |       Events:
    		58 |         HelloWorld:
    		59 |           Type: SNS
    		60 |           Properties:
    		61 |             Topic: arn:aws:sns:us-east-1:424432388155:sns-topic-for-lambda
    		62 |     Metadata:
    		63 |       Dockerfile: Dockerfile
    		64 |       DockerContext: ./sns
    		65 |       DockerTag: python3.8-v1
    
    kubernetes scan results:
    
    Passed checks: 26184, Failed checks: 4597, Skipped checks: 0
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: DaemonSet.default.local-volume-provisioner
    	File: /lessons/099/provisioner/daemonset.yaml:2-40
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | apiVersion: apps/v1
    		3  | kind: DaemonSet
    		4  | metadata:
    		5  |   name: local-volume-provisioner
    		6  |   namespace: default
    		7  | spec:
    		8  |   selector:
    		9  |     matchLabels:
    		10 |       app: local-volume-provisioner 
    		11 |   template:
    		12 |     metadata:
    		13 |       labels:
    		14 |         app: local-volume-provisioner
    		15 |     spec:
    		16 |       serviceAccountName: local-storage-admin
    		17 |       containers:
    		18 |       - image: "k8s.gcr.io/sig-storage/local-volume-provisioner:v2.4.0"
    		19 |         name: provisioner 
    		20 |         securityContext:
    		21 |           privileged: true
    		22 |         env:
    		23 |         - name: MY_NODE_NAME
    		24 |           valueFrom:
    		25 |             fieldRef:
    		26 |               fieldPath: spec.nodeName
    		27 |         volumeMounts:
    		28 |         - mountPath: /etc/provisioner/config
    		29 |           name: provisioner-config
    		30 |           readOnly: true
    		31 |         - mountPath:  /mnt/ssd-disks
    		32 |           name: ssd-disks
    		33 |           mountPropagation: HostToContainer
    		34 |       volumes:
    		35 |       - name: provisioner-config
    		36 |         configMap:
    		37 |           name: local-provisioner-config         
    		38 |       - name: ssd-disks
    		39 |         hostPath:
    		40 |           path: /mnt/ssd-disks 
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: DaemonSet.default.local-volume-provisioner
    	File: /lessons/099/provisioner/daemonset.yaml:2-40
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		2  | apiVersion: apps/v1
    		3  | kind: DaemonSet
    		4  | metadata:
    		5  |   name: local-volume-provisioner
    		6  |   namespace: default
    		7  | spec:
    		8  |   selector:
    		9  |     matchLabels:
    		10 |       app: local-volume-provisioner 
    		11 |   template:
    		12 |     metadata:
    		13 |       labels:
    		14 |         app: local-volume-provisioner
    		15 |     spec:
    		16 |       serviceAccountName: local-storage-admin
    		17 |       containers:
    		18 |       - image: "k8s.gcr.io/sig-storage/local-volume-provisioner:v2.4.0"
    		19 |         name: provisioner 
    		20 |         securityContext:
    		21 |           privileged: true
    		22 |         env:
    		23 |         - name: MY_NODE_NAME
    		24 |           valueFrom:
    		25 |             fieldRef:
    		26 |               fieldPath: spec.nodeName
    		27 |         volumeMounts:
    		28 |         - mountPath: /etc/provisioner/config
    		29 |           name: provisioner-config
    		30 |           readOnly: true
    		31 |         - mountPath:  /mnt/ssd-disks
    		32 |           name: ssd-disks
    		33 |           mountPropagation: HostToContainer
    		34 |       volumes:
    		35 |       - name: provisioner-config
    		36 |         configMap:
    		37 |           name: local-provisioner-config         
    		38 |       - name: ssd-disks
    		39 |         hostPath:
    		40 |           path: /mnt/ssd-disks 
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: DaemonSet.default.local-volume-provisioner
    	File: /lessons/099/provisioner/daemonset.yaml:2-40
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | apiVersion: apps/v1
    		3  | kind: DaemonSet
    		4  | metadata:
    		5  |   name: local-volume-provisioner
    		6  |   namespace: default
    		7  | spec:
    		8  |   selector:
    		9  |     matchLabels:
    		10 |       app: local-volume-provisioner 
    		11 |   template:
    		12 |     metadata:
    		13 |       labels:
    		14 |         app: local-volume-provisioner
    		15 |     spec:
    		16 |       serviceAccountName: local-storage-admin
    		17 |       containers:
    		18 |       - image: "k8s.gcr.io/sig-storage/local-volume-provisioner:v2.4.0"
    		19 |         name: provisioner 
    		20 |         securityContext:
    		21 |           privileged: true
    		22 |         env:
    		23 |         - name: MY_NODE_NAME
    		24 |           valueFrom:
    		25 |             fieldRef:
    		26 |               fieldPath: spec.nodeName
    		27 |         volumeMounts:
    		28 |         - mountPath: /etc/provisioner/config
    		29 |           name: provisioner-config
    		30 |           readOnly: true
    		31 |         - mountPath:  /mnt/ssd-disks
    		32 |           name: ssd-disks
    		33 |           mountPropagation: HostToContainer
    		34 |       volumes:
    		35 |       - name: provisioner-config
    		36 |         configMap:
    		37 |           name: local-provisioner-config         
    		38 |       - name: ssd-disks
    		39 |         hostPath:
    		40 |           path: /mnt/ssd-disks 
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: DaemonSet.default.local-volume-provisioner
    	File: /lessons/099/provisioner/daemonset.yaml:2-40
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | apiVersion: apps/v1
    		3  | kind: DaemonSet
    		4  | metadata:
    		5  |   name: local-volume-provisioner
    		6  |   namespace: default
    		7  | spec:
    		8  |   selector:
    		9  |     matchLabels:
    		10 |       app: local-volume-provisioner 
    		11 |   template:
    		12 |     metadata:
    		13 |       labels:
    		14 |         app: local-volume-provisioner
    		15 |     spec:
    		16 |       serviceAccountName: local-storage-admin
    		17 |       containers:
    		18 |       - image: "k8s.gcr.io/sig-storage/local-volume-provisioner:v2.4.0"
    		19 |         name: provisioner 
    		20 |         securityContext:
    		21 |           privileged: true
    		22 |         env:
    		23 |         - name: MY_NODE_NAME
    		24 |           valueFrom:
    		25 |             fieldRef:
    		26 |               fieldPath: spec.nodeName
    		27 |         volumeMounts:
    		28 |         - mountPath: /etc/provisioner/config
    		29 |           name: provisioner-config
    		30 |           readOnly: true
    		31 |         - mountPath:  /mnt/ssd-disks
    		32 |           name: ssd-disks
    		33 |           mountPropagation: HostToContainer
    		34 |       volumes:
    		35 |       - name: provisioner-config
    		36 |         configMap:
    		37 |           name: local-provisioner-config         
    		38 |       - name: ssd-disks
    		39 |         hostPath:
    		40 |           path: /mnt/ssd-disks 
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: DaemonSet.default.local-volume-provisioner
    	File: /lessons/099/provisioner/daemonset.yaml:2-40
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | apiVersion: apps/v1
    		3  | kind: DaemonSet
    		4  | metadata:
    		5  |   name: local-volume-provisioner
    		6  |   namespace: default
    		7  | spec:
    		8  |   selector:
    		9  |     matchLabels:
    		10 |       app: local-volume-provisioner 
    		11 |   template:
    		12 |     metadata:
    		13 |       labels:
    		14 |         app: local-volume-provisioner
    		15 |     spec:
    		16 |       serviceAccountName: local-storage-admin
    		17 |       containers:
    		18 |       - image: "k8s.gcr.io/sig-storage/local-volume-provisioner:v2.4.0"
    		19 |         name: provisioner 
    		20 |         securityContext:
    		21 |           privileged: true
    		22 |         env:
    		23 |         - name: MY_NODE_NAME
    		24 |           valueFrom:
    		25 |             fieldRef:
    		26 |               fieldPath: spec.nodeName
    		27 |         volumeMounts:
    		28 |         - mountPath: /etc/provisioner/config
    		29 |           name: provisioner-config
    		30 |           readOnly: true
    		31 |         - mountPath:  /mnt/ssd-disks
    		32 |           name: ssd-disks
    		33 |           mountPropagation: HostToContainer
    		34 |       volumes:
    		35 |       - name: provisioner-config
    		36 |         configMap:
    		37 |           name: local-provisioner-config         
    		38 |       - name: ssd-disks
    		39 |         hostPath:
    		40 |           path: /mnt/ssd-disks 
    
    Check: CKV_K8S_16: "Container should not be privileged"
    	FAILED for resource: DaemonSet.default.local-volume-provisioner
    	File: /lessons/099/provisioner/daemonset.yaml:2-40
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-15.html
    
    		2  | apiVersion: apps/v1
    		3  | kind: DaemonSet
    		4  | metadata:
    		5  |   name: local-volume-provisioner
    		6  |   namespace: default
    		7  | spec:
    		8  |   selector:
    		9  |     matchLabels:
    		10 |       app: local-volume-provisioner 
    		11 |   template:
    		12 |     metadata:
    		13 |       labels:
    		14 |         app: local-volume-provisioner
    		15 |     spec:
    		16 |       serviceAccountName: local-storage-admin
    		17 |       containers:
    		18 |       - image: "k8s.gcr.io/sig-storage/local-volume-provisioner:v2.4.0"
    		19 |         name: provisioner 
    		20 |         securityContext:
    		21 |           privileged: true
    		22 |         env:
    		23 |         - name: MY_NODE_NAME
    		24 |           valueFrom:
    		25 |             fieldRef:
    		26 |               fieldPath: spec.nodeName
    		27 |         volumeMounts:
    		28 |         - mountPath: /etc/provisioner/config
    		29 |           name: provisioner-config
    		30 |           readOnly: true
    		31 |         - mountPath:  /mnt/ssd-disks
    		32 |           name: ssd-disks
    		33 |           mountPropagation: HostToContainer
    		34 |       volumes:
    		35 |       - name: provisioner-config
    		36 |         configMap:
    		37 |           name: local-provisioner-config         
    		38 |       - name: ssd-disks
    		39 |         hostPath:
    		40 |           path: /mnt/ssd-disks 
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: DaemonSet.default.local-volume-provisioner
    	File: /lessons/099/provisioner/daemonset.yaml:2-40
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | apiVersion: apps/v1
    		3  | kind: DaemonSet
    		4  | metadata:
    		5  |   name: local-volume-provisioner
    		6  |   namespace: default
    		7  | spec:
    		8  |   selector:
    		9  |     matchLabels:
    		10 |       app: local-volume-provisioner 
    		11 |   template:
    		12 |     metadata:
    		13 |       labels:
    		14 |         app: local-volume-provisioner
    		15 |     spec:
    		16 |       serviceAccountName: local-storage-admin
    		17 |       containers:
    		18 |       - image: "k8s.gcr.io/sig-storage/local-volume-provisioner:v2.4.0"
    		19 |         name: provisioner 
    		20 |         securityContext:
    		21 |           privileged: true
    		22 |         env:
    		23 |         - name: MY_NODE_NAME
    		24 |           valueFrom:
    		25 |             fieldRef:
    		26 |               fieldPath: spec.nodeName
    		27 |         volumeMounts:
    		28 |         - mountPath: /etc/provisioner/config
    		29 |           name: provisioner-config
    		30 |           readOnly: true
    		31 |         - mountPath:  /mnt/ssd-disks
    		32 |           name: ssd-disks
    		33 |           mountPropagation: HostToContainer
    		34 |       volumes:
    		35 |       - name: provisioner-config
    		36 |         configMap:
    		37 |           name: local-provisioner-config         
    		38 |       - name: ssd-disks
    		39 |         hostPath:
    		40 |           path: /mnt/ssd-disks 
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: DaemonSet.default.local-volume-provisioner
    	File: /lessons/099/provisioner/daemonset.yaml:2-40
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		2  | apiVersion: apps/v1
    		3  | kind: DaemonSet
    		4  | metadata:
    		5  |   name: local-volume-provisioner
    		6  |   namespace: default
    		7  | spec:
    		8  |   selector:
    		9  |     matchLabels:
    		10 |       app: local-volume-provisioner 
    		11 |   template:
    		12 |     metadata:
    		13 |       labels:
    		14 |         app: local-volume-provisioner
    		15 |     spec:
    		16 |       serviceAccountName: local-storage-admin
    		17 |       containers:
    		18 |       - image: "k8s.gcr.io/sig-storage/local-volume-provisioner:v2.4.0"
    		19 |         name: provisioner 
    		20 |         securityContext:
    		21 |           privileged: true
    		22 |         env:
    		23 |         - name: MY_NODE_NAME
    		24 |           valueFrom:
    		25 |             fieldRef:
    		26 |               fieldPath: spec.nodeName
    		27 |         volumeMounts:
    		28 |         - mountPath: /etc/provisioner/config
    		29 |           name: provisioner-config
    		30 |           readOnly: true
    		31 |         - mountPath:  /mnt/ssd-disks
    		32 |           name: ssd-disks
    		33 |           mountPropagation: HostToContainer
    		34 |       volumes:
    		35 |       - name: provisioner-config
    		36 |         configMap:
    		37 |           name: local-provisioner-config         
    		38 |       - name: ssd-disks
    		39 |         hostPath:
    		40 |           path: /mnt/ssd-disks 
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: DaemonSet.default.local-volume-provisioner
    	File: /lessons/099/provisioner/daemonset.yaml:2-40
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | apiVersion: apps/v1
    		3  | kind: DaemonSet
    		4  | metadata:
    		5  |   name: local-volume-provisioner
    		6  |   namespace: default
    		7  | spec:
    		8  |   selector:
    		9  |     matchLabels:
    		10 |       app: local-volume-provisioner 
    		11 |   template:
    		12 |     metadata:
    		13 |       labels:
    		14 |         app: local-volume-provisioner
    		15 |     spec:
    		16 |       serviceAccountName: local-storage-admin
    		17 |       containers:
    		18 |       - image: "k8s.gcr.io/sig-storage/local-volume-provisioner:v2.4.0"
    		19 |         name: provisioner 
    		20 |         securityContext:
    		21 |           privileged: true
    		22 |         env:
    		23 |         - name: MY_NODE_NAME
    		24 |           valueFrom:
    		25 |             fieldRef:
    		26 |               fieldPath: spec.nodeName
    		27 |         volumeMounts:
    		28 |         - mountPath: /etc/provisioner/config
    		29 |           name: provisioner-config
    		30 |           readOnly: true
    		31 |         - mountPath:  /mnt/ssd-disks
    		32 |           name: ssd-disks
    		33 |           mountPropagation: HostToContainer
    		34 |       volumes:
    		35 |       - name: provisioner-config
    		36 |         configMap:
    		37 |           name: local-provisioner-config         
    		38 |       - name: ssd-disks
    		39 |         hostPath:
    		40 |           path: /mnt/ssd-disks 
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: DaemonSet.default.local-volume-provisioner
    	File: /lessons/099/provisioner/daemonset.yaml:2-40
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		2  | apiVersion: apps/v1
    		3  | kind: DaemonSet
    		4  | metadata:
    		5  |   name: local-volume-provisioner
    		6  |   namespace: default
    		7  | spec:
    		8  |   selector:
    		9  |     matchLabels:
    		10 |       app: local-volume-provisioner 
    		11 |   template:
    		12 |     metadata:
    		13 |       labels:
    		14 |         app: local-volume-provisioner
    		15 |     spec:
    		16 |       serviceAccountName: local-storage-admin
    		17 |       containers:
    		18 |       - image: "k8s.gcr.io/sig-storage/local-volume-provisioner:v2.4.0"
    		19 |         name: provisioner 
    		20 |         securityContext:
    		21 |           privileged: true
    		22 |         env:
    		23 |         - name: MY_NODE_NAME
    		24 |           valueFrom:
    		25 |             fieldRef:
    		26 |               fieldPath: spec.nodeName
    		27 |         volumeMounts:
    		28 |         - mountPath: /etc/provisioner/config
    		29 |           name: provisioner-config
    		30 |           readOnly: true
    		31 |         - mountPath:  /mnt/ssd-disks
    		32 |           name: ssd-disks
    		33 |           mountPropagation: HostToContainer
    		34 |       volumes:
    		35 |       - name: provisioner-config
    		36 |         configMap:
    		37 |           name: local-provisioner-config         
    		38 |       - name: ssd-disks
    		39 |         hostPath:
    		40 |           path: /mnt/ssd-disks 
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: DaemonSet.default.local-volume-provisioner
    	File: /lessons/099/provisioner/daemonset.yaml:2-40
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | apiVersion: apps/v1
    		3  | kind: DaemonSet
    		4  | metadata:
    		5  |   name: local-volume-provisioner
    		6  |   namespace: default
    		7  | spec:
    		8  |   selector:
    		9  |     matchLabels:
    		10 |       app: local-volume-provisioner 
    		11 |   template:
    		12 |     metadata:
    		13 |       labels:
    		14 |         app: local-volume-provisioner
    		15 |     spec:
    		16 |       serviceAccountName: local-storage-admin
    		17 |       containers:
    		18 |       - image: "k8s.gcr.io/sig-storage/local-volume-provisioner:v2.4.0"
    		19 |         name: provisioner 
    		20 |         securityContext:
    		21 |           privileged: true
    		22 |         env:
    		23 |         - name: MY_NODE_NAME
    		24 |           valueFrom:
    		25 |             fieldRef:
    		26 |               fieldPath: spec.nodeName
    		27 |         volumeMounts:
    		28 |         - mountPath: /etc/provisioner/config
    		29 |           name: provisioner-config
    		30 |           readOnly: true
    		31 |         - mountPath:  /mnt/ssd-disks
    		32 |           name: ssd-disks
    		33 |           mountPropagation: HostToContainer
    		34 |       volumes:
    		35 |       - name: provisioner-config
    		36 |         configMap:
    		37 |           name: local-provisioner-config         
    		38 |       - name: ssd-disks
    		39 |         hostPath:
    		40 |           path: /mnt/ssd-disks 
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: DaemonSet.default.local-volume-provisioner
    	File: /lessons/099/provisioner/daemonset.yaml:2-40
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		2  | apiVersion: apps/v1
    		3  | kind: DaemonSet
    		4  | metadata:
    		5  |   name: local-volume-provisioner
    		6  |   namespace: default
    		7  | spec:
    		8  |   selector:
    		9  |     matchLabels:
    		10 |       app: local-volume-provisioner 
    		11 |   template:
    		12 |     metadata:
    		13 |       labels:
    		14 |         app: local-volume-provisioner
    		15 |     spec:
    		16 |       serviceAccountName: local-storage-admin
    		17 |       containers:
    		18 |       - image: "k8s.gcr.io/sig-storage/local-volume-provisioner:v2.4.0"
    		19 |         name: provisioner 
    		20 |         securityContext:
    		21 |           privileged: true
    		22 |         env:
    		23 |         - name: MY_NODE_NAME
    		24 |           valueFrom:
    		25 |             fieldRef:
    		26 |               fieldPath: spec.nodeName
    		27 |         volumeMounts:
    		28 |         - mountPath: /etc/provisioner/config
    		29 |           name: provisioner-config
    		30 |           readOnly: true
    		31 |         - mountPath:  /mnt/ssd-disks
    		32 |           name: ssd-disks
    		33 |           mountPropagation: HostToContainer
    		34 |       volumes:
    		35 |       - name: provisioner-config
    		36 |         configMap:
    		37 |           name: local-provisioner-config         
    		38 |       - name: ssd-disks
    		39 |         hostPath:
    		40 |           path: /mnt/ssd-disks 
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: DaemonSet.default.local-volume-provisioner
    	File: /lessons/099/provisioner/daemonset.yaml:2-40
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | apiVersion: apps/v1
    		3  | kind: DaemonSet
    		4  | metadata:
    		5  |   name: local-volume-provisioner
    		6  |   namespace: default
    		7  | spec:
    		8  |   selector:
    		9  |     matchLabels:
    		10 |       app: local-volume-provisioner 
    		11 |   template:
    		12 |     metadata:
    		13 |       labels:
    		14 |         app: local-volume-provisioner
    		15 |     spec:
    		16 |       serviceAccountName: local-storage-admin
    		17 |       containers:
    		18 |       - image: "k8s.gcr.io/sig-storage/local-volume-provisioner:v2.4.0"
    		19 |         name: provisioner 
    		20 |         securityContext:
    		21 |           privileged: true
    		22 |         env:
    		23 |         - name: MY_NODE_NAME
    		24 |           valueFrom:
    		25 |             fieldRef:
    		26 |               fieldPath: spec.nodeName
    		27 |         volumeMounts:
    		28 |         - mountPath: /etc/provisioner/config
    		29 |           name: provisioner-config
    		30 |           readOnly: true
    		31 |         - mountPath:  /mnt/ssd-disks
    		32 |           name: ssd-disks
    		33 |           mountPropagation: HostToContainer
    		34 |       volumes:
    		35 |       - name: provisioner-config
    		36 |         configMap:
    		37 |           name: local-provisioner-config         
    		38 |       - name: ssd-disks
    		39 |         hostPath:
    		40 |           path: /mnt/ssd-disks 
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: DaemonSet.default.local-volume-provisioner
    	File: /lessons/099/provisioner/daemonset.yaml:2-40
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		2  | apiVersion: apps/v1
    		3  | kind: DaemonSet
    		4  | metadata:
    		5  |   name: local-volume-provisioner
    		6  |   namespace: default
    		7  | spec:
    		8  |   selector:
    		9  |     matchLabels:
    		10 |       app: local-volume-provisioner 
    		11 |   template:
    		12 |     metadata:
    		13 |       labels:
    		14 |         app: local-volume-provisioner
    		15 |     spec:
    		16 |       serviceAccountName: local-storage-admin
    		17 |       containers:
    		18 |       - image: "k8s.gcr.io/sig-storage/local-volume-provisioner:v2.4.0"
    		19 |         name: provisioner 
    		20 |         securityContext:
    		21 |           privileged: true
    		22 |         env:
    		23 |         - name: MY_NODE_NAME
    		24 |           valueFrom:
    		25 |             fieldRef:
    		26 |               fieldPath: spec.nodeName
    		27 |         volumeMounts:
    		28 |         - mountPath: /etc/provisioner/config
    		29 |           name: provisioner-config
    		30 |           readOnly: true
    		31 |         - mountPath:  /mnt/ssd-disks
    		32 |           name: ssd-disks
    		33 |           mountPropagation: HostToContainer
    		34 |       volumes:
    		35 |       - name: provisioner-config
    		36 |         configMap:
    		37 |           name: local-provisioner-config         
    		38 |       - name: ssd-disks
    		39 |         hostPath:
    		40 |           path: /mnt/ssd-disks 
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: DaemonSet.default.local-volume-provisioner
    	File: /lessons/099/provisioner/daemonset.yaml:2-40
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | apiVersion: apps/v1
    		3  | kind: DaemonSet
    		4  | metadata:
    		5  |   name: local-volume-provisioner
    		6  |   namespace: default
    		7  | spec:
    		8  |   selector:
    		9  |     matchLabels:
    		10 |       app: local-volume-provisioner 
    		11 |   template:
    		12 |     metadata:
    		13 |       labels:
    		14 |         app: local-volume-provisioner
    		15 |     spec:
    		16 |       serviceAccountName: local-storage-admin
    		17 |       containers:
    		18 |       - image: "k8s.gcr.io/sig-storage/local-volume-provisioner:v2.4.0"
    		19 |         name: provisioner 
    		20 |         securityContext:
    		21 |           privileged: true
    		22 |         env:
    		23 |         - name: MY_NODE_NAME
    		24 |           valueFrom:
    		25 |             fieldRef:
    		26 |               fieldPath: spec.nodeName
    		27 |         volumeMounts:
    		28 |         - mountPath: /etc/provisioner/config
    		29 |           name: provisioner-config
    		30 |           readOnly: true
    		31 |         - mountPath:  /mnt/ssd-disks
    		32 |           name: ssd-disks
    		33 |           mountPropagation: HostToContainer
    		34 |       volumes:
    		35 |       - name: provisioner-config
    		36 |         configMap:
    		37 |           name: local-provisioner-config         
    		38 |       - name: ssd-disks
    		39 |         hostPath:
    		40 |           path: /mnt/ssd-disks 
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: DaemonSet.default.local-volume-provisioner
    	File: /lessons/099/provisioner/daemonset.yaml:2-40
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		2  | apiVersion: apps/v1
    		3  | kind: DaemonSet
    		4  | metadata:
    		5  |   name: local-volume-provisioner
    		6  |   namespace: default
    		7  | spec:
    		8  |   selector:
    		9  |     matchLabels:
    		10 |       app: local-volume-provisioner 
    		11 |   template:
    		12 |     metadata:
    		13 |       labels:
    		14 |         app: local-volume-provisioner
    		15 |     spec:
    		16 |       serviceAccountName: local-storage-admin
    		17 |       containers:
    		18 |       - image: "k8s.gcr.io/sig-storage/local-volume-provisioner:v2.4.0"
    		19 |         name: provisioner 
    		20 |         securityContext:
    		21 |           privileged: true
    		22 |         env:
    		23 |         - name: MY_NODE_NAME
    		24 |           valueFrom:
    		25 |             fieldRef:
    		26 |               fieldPath: spec.nodeName
    		27 |         volumeMounts:
    		28 |         - mountPath: /etc/provisioner/config
    		29 |           name: provisioner-config
    		30 |           readOnly: true
    		31 |         - mountPath:  /mnt/ssd-disks
    		32 |           name: ssd-disks
    		33 |           mountPropagation: HostToContainer
    		34 |       volumes:
    		35 |       - name: provisioner-config
    		36 |         configMap:
    		37 |           name: local-provisioner-config         
    		38 |       - name: ssd-disks
    		39 |         hostPath:
    		40 |           path: /mnt/ssd-disks 
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: DaemonSet.default.local-volume-provisioner
    	File: /lessons/099/provisioner/daemonset.yaml:2-40
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | apiVersion: apps/v1
    		3  | kind: DaemonSet
    		4  | metadata:
    		5  |   name: local-volume-provisioner
    		6  |   namespace: default
    		7  | spec:
    		8  |   selector:
    		9  |     matchLabels:
    		10 |       app: local-volume-provisioner 
    		11 |   template:
    		12 |     metadata:
    		13 |       labels:
    		14 |         app: local-volume-provisioner
    		15 |     spec:
    		16 |       serviceAccountName: local-storage-admin
    		17 |       containers:
    		18 |       - image: "k8s.gcr.io/sig-storage/local-volume-provisioner:v2.4.0"
    		19 |         name: provisioner 
    		20 |         securityContext:
    		21 |           privileged: true
    		22 |         env:
    		23 |         - name: MY_NODE_NAME
    		24 |           valueFrom:
    		25 |             fieldRef:
    		26 |               fieldPath: spec.nodeName
    		27 |         volumeMounts:
    		28 |         - mountPath: /etc/provisioner/config
    		29 |           name: provisioner-config
    		30 |           readOnly: true
    		31 |         - mountPath:  /mnt/ssd-disks
    		32 |           name: ssd-disks
    		33 |           mountPropagation: HostToContainer
    		34 |       volumes:
    		35 |       - name: provisioner-config
    		36 |         configMap:
    		37 |           name: local-provisioner-config         
    		38 |       - name: ssd-disks
    		39 |         hostPath:
    		40 |           path: /mnt/ssd-disks 
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: DaemonSet.default.local-volume-provisioner
    	File: /lessons/099/provisioner/daemonset.yaml:2-40
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | apiVersion: apps/v1
    		3  | kind: DaemonSet
    		4  | metadata:
    		5  |   name: local-volume-provisioner
    		6  |   namespace: default
    		7  | spec:
    		8  |   selector:
    		9  |     matchLabels:
    		10 |       app: local-volume-provisioner 
    		11 |   template:
    		12 |     metadata:
    		13 |       labels:
    		14 |         app: local-volume-provisioner
    		15 |     spec:
    		16 |       serviceAccountName: local-storage-admin
    		17 |       containers:
    		18 |       - image: "k8s.gcr.io/sig-storage/local-volume-provisioner:v2.4.0"
    		19 |         name: provisioner 
    		20 |         securityContext:
    		21 |           privileged: true
    		22 |         env:
    		23 |         - name: MY_NODE_NAME
    		24 |           valueFrom:
    		25 |             fieldRef:
    		26 |               fieldPath: spec.nodeName
    		27 |         volumeMounts:
    		28 |         - mountPath: /etc/provisioner/config
    		29 |           name: provisioner-config
    		30 |           readOnly: true
    		31 |         - mountPath:  /mnt/ssd-disks
    		32 |           name: ssd-disks
    		33 |           mountPropagation: HostToContainer
    		34 |       volumes:
    		35 |       - name: provisioner-config
    		36 |         configMap:
    		37 |           name: local-provisioner-config         
    		38 |       - name: ssd-disks
    		39 |         hostPath:
    		40 |           path: /mnt/ssd-disks 
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: DaemonSet.default.local-volume-provisioner
    	File: /lessons/099/provisioner/daemonset.yaml:2-40
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		2  | apiVersion: apps/v1
    		3  | kind: DaemonSet
    		4  | metadata:
    		5  |   name: local-volume-provisioner
    		6  |   namespace: default
    		7  | spec:
    		8  |   selector:
    		9  |     matchLabels:
    		10 |       app: local-volume-provisioner 
    		11 |   template:
    		12 |     metadata:
    		13 |       labels:
    		14 |         app: local-volume-provisioner
    		15 |     spec:
    		16 |       serviceAccountName: local-storage-admin
    		17 |       containers:
    		18 |       - image: "k8s.gcr.io/sig-storage/local-volume-provisioner:v2.4.0"
    		19 |         name: provisioner 
    		20 |         securityContext:
    		21 |           privileged: true
    		22 |         env:
    		23 |         - name: MY_NODE_NAME
    		24 |           valueFrom:
    		25 |             fieldRef:
    		26 |               fieldPath: spec.nodeName
    		27 |         volumeMounts:
    		28 |         - mountPath: /etc/provisioner/config
    		29 |           name: provisioner-config
    		30 |           readOnly: true
    		31 |         - mountPath:  /mnt/ssd-disks
    		32 |           name: ssd-disks
    		33 |           mountPropagation: HostToContainer
    		34 |       volumes:
    		35 |       - name: provisioner-config
    		36 |         configMap:
    		37 |           name: local-provisioner-config         
    		38 |       - name: ssd-disks
    		39 |         hostPath:
    		40 |           path: /mnt/ssd-disks 
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: ServiceAccount.default.local-storage-admin
    	File: /lessons/099/provisioner/rbac.yaml:2-7
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2 | apiVersion: v1
    		3 | kind: ServiceAccount
    		4 | metadata:
    		5 |   name: local-storage-admin
    		6 |   namespace: default
    		7 | ---
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: ConfigMap.default.local-provisioner-config
    	File: /lessons/099/provisioner/configmap.yaml:2-17
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | apiVersion: v1
    		3  | kind: ConfigMap
    		4  | metadata:
    		5  |   name: local-provisioner-config 
    		6  |   namespace: default 
    		7  | data:
    		8  |   storageClassMap: |     
    		9  |     ssd-disks:
    		10 |        hostDir: /mnt/ssd-disks
    		11 |        mountDir: /mnt/ssd-disks 
    		12 |        blockCleanerCommand:
    		13 |          - "/scripts/shred.sh"
    		14 |          - "2"
    		15 |        volumeMode: Filesystem
    		16 |        fsType: xfs
    		17 |        namePattern: "*"
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: StatefulSet.default.database-postgresql
    	File: /lessons/099/examples/1-example.yaml:2-47
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | apiVersion: apps/v1
    		3  | kind: StatefulSet
    		4  | metadata:
    		5  |   name: database-postgresql
    		6  | spec:
    		7  |   serviceName: postgresql
    		8  |   selector:
    		9  |     matchLabels:
    		10 |       app.kubernetes.io/name: postgresql
    		11 |   template:
    		12 |     metadata:
    		13 |       name: database-postgresql
    		14 |       labels:
    		15 |         app.kubernetes.io/name: postgresql
    		16 |     spec:                
    		17 |       containers:
    		18 |       - name: database-postgresql
    		19 |         image: docker.io/bitnami/postgresql:11.14.0-debian-10-r17
    		20 |         securityContext:
    		21 |           runAsUser: 0
    		22 |         env:
    		23 |         - name: POSTGRESQL_VOLUME_DIR
    		24 |           value: /bitnami/postgresql
    		25 |         - name: PGDATA
    		26 |           value: /bitnami/postgresql/data
    		27 |         - name: POSTGRES_USER
    		28 |           value: postgres
    		29 |         - name: POSTGRES_PASSWORD
    		30 |           value: secret123
    		31 |         ports:
    		32 |         - name: tcp-postgresql
    		33 |           containerPort: 5432
    		34 |         volumeMounts:
    		35 |         - name: dshm
    		36 |           mountPath: /dev/shm
    		37 |         - name: local-disk
    		38 |           mountPath: /bitnami/postgresql
    		39 |           subPath: 
    		40 |       volumes:
    		41 |       - name: dshm
    		42 |         emptyDir:
    		43 |           medium: Memory
    		44 |       - name: local-disk
    		45 |         hostPath:
    		46 |           path: /opt/postgresql-data
    		47 |           type: DirectoryOrCreate
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: StatefulSet.default.database-postgresql
    	File: /lessons/099/examples/1-example.yaml:2-47
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		2  | apiVersion: apps/v1
    		3  | kind: StatefulSet
    		4  | metadata:
    		5  |   name: database-postgresql
    		6  | spec:
    		7  |   serviceName: postgresql
    		8  |   selector:
    		9  |     matchLabels:
    		10 |       app.kubernetes.io/name: postgresql
    		11 |   template:
    		12 |     metadata:
    		13 |       name: database-postgresql
    		14 |       labels:
    		15 |         app.kubernetes.io/name: postgresql
    		16 |     spec:                
    		17 |       containers:
    		18 |       - name: database-postgresql
    		19 |         image: docker.io/bitnami/postgresql:11.14.0-debian-10-r17
    		20 |         securityContext:
    		21 |           runAsUser: 0
    		22 |         env:
    		23 |         - name: POSTGRESQL_VOLUME_DIR
    		24 |           value: /bitnami/postgresql
    		25 |         - name: PGDATA
    		26 |           value: /bitnami/postgresql/data
    		27 |         - name: POSTGRES_USER
    		28 |           value: postgres
    		29 |         - name: POSTGRES_PASSWORD
    		30 |           value: secret123
    		31 |         ports:
    		32 |         - name: tcp-postgresql
    		33 |           containerPort: 5432
    		34 |         volumeMounts:
    		35 |         - name: dshm
    		36 |           mountPath: /dev/shm
    		37 |         - name: local-disk
    		38 |           mountPath: /bitnami/postgresql
    		39 |           subPath: 
    		40 |       volumes:
    		41 |       - name: dshm
    		42 |         emptyDir:
    		43 |           medium: Memory
    		44 |       - name: local-disk
    		45 |         hostPath:
    		46 |           path: /opt/postgresql-data
    		47 |           type: DirectoryOrCreate
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: StatefulSet.default.database-postgresql
    	File: /lessons/099/examples/1-example.yaml:2-47
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | apiVersion: apps/v1
    		3  | kind: StatefulSet
    		4  | metadata:
    		5  |   name: database-postgresql
    		6  | spec:
    		7  |   serviceName: postgresql
    		8  |   selector:
    		9  |     matchLabels:
    		10 |       app.kubernetes.io/name: postgresql
    		11 |   template:
    		12 |     metadata:
    		13 |       name: database-postgresql
    		14 |       labels:
    		15 |         app.kubernetes.io/name: postgresql
    		16 |     spec:                
    		17 |       containers:
    		18 |       - name: database-postgresql
    		19 |         image: docker.io/bitnami/postgresql:11.14.0-debian-10-r17
    		20 |         securityContext:
    		21 |           runAsUser: 0
    		22 |         env:
    		23 |         - name: POSTGRESQL_VOLUME_DIR
    		24 |           value: /bitnami/postgresql
    		25 |         - name: PGDATA
    		26 |           value: /bitnami/postgresql/data
    		27 |         - name: POSTGRES_USER
    		28 |           value: postgres
    		29 |         - name: POSTGRES_PASSWORD
    		30 |           value: secret123
    		31 |         ports:
    		32 |         - name: tcp-postgresql
    		33 |           containerPort: 5432
    		34 |         volumeMounts:
    		35 |         - name: dshm
    		36 |           mountPath: /dev/shm
    		37 |         - name: local-disk
    		38 |           mountPath: /bitnami/postgresql
    		39 |           subPath: 
    		40 |       volumes:
    		41 |       - name: dshm
    		42 |         emptyDir:
    		43 |           medium: Memory
    		44 |       - name: local-disk
    		45 |         hostPath:
    		46 |           path: /opt/postgresql-data
    		47 |           type: DirectoryOrCreate
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: StatefulSet.default.database-postgresql
    	File: /lessons/099/examples/1-example.yaml:2-47
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | apiVersion: apps/v1
    		3  | kind: StatefulSet
    		4  | metadata:
    		5  |   name: database-postgresql
    		6  | spec:
    		7  |   serviceName: postgresql
    		8  |   selector:
    		9  |     matchLabels:
    		10 |       app.kubernetes.io/name: postgresql
    		11 |   template:
    		12 |     metadata:
    		13 |       name: database-postgresql
    		14 |       labels:
    		15 |         app.kubernetes.io/name: postgresql
    		16 |     spec:                
    		17 |       containers:
    		18 |       - name: database-postgresql
    		19 |         image: docker.io/bitnami/postgresql:11.14.0-debian-10-r17
    		20 |         securityContext:
    		21 |           runAsUser: 0
    		22 |         env:
    		23 |         - name: POSTGRESQL_VOLUME_DIR
    		24 |           value: /bitnami/postgresql
    		25 |         - name: PGDATA
    		26 |           value: /bitnami/postgresql/data
    		27 |         - name: POSTGRES_USER
    		28 |           value: postgres
    		29 |         - name: POSTGRES_PASSWORD
    		30 |           value: secret123
    		31 |         ports:
    		32 |         - name: tcp-postgresql
    		33 |           containerPort: 5432
    		34 |         volumeMounts:
    		35 |         - name: dshm
    		36 |           mountPath: /dev/shm
    		37 |         - name: local-disk
    		38 |           mountPath: /bitnami/postgresql
    		39 |           subPath: 
    		40 |       volumes:
    		41 |       - name: dshm
    		42 |         emptyDir:
    		43 |           medium: Memory
    		44 |       - name: local-disk
    		45 |         hostPath:
    		46 |           path: /opt/postgresql-data
    		47 |           type: DirectoryOrCreate
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: StatefulSet.default.database-postgresql
    	File: /lessons/099/examples/1-example.yaml:2-47
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | apiVersion: apps/v1
    		3  | kind: StatefulSet
    		4  | metadata:
    		5  |   name: database-postgresql
    		6  | spec:
    		7  |   serviceName: postgresql
    		8  |   selector:
    		9  |     matchLabels:
    		10 |       app.kubernetes.io/name: postgresql
    		11 |   template:
    		12 |     metadata:
    		13 |       name: database-postgresql
    		14 |       labels:
    		15 |         app.kubernetes.io/name: postgresql
    		16 |     spec:                
    		17 |       containers:
    		18 |       - name: database-postgresql
    		19 |         image: docker.io/bitnami/postgresql:11.14.0-debian-10-r17
    		20 |         securityContext:
    		21 |           runAsUser: 0
    		22 |         env:
    		23 |         - name: POSTGRESQL_VOLUME_DIR
    		24 |           value: /bitnami/postgresql
    		25 |         - name: PGDATA
    		26 |           value: /bitnami/postgresql/data
    		27 |         - name: POSTGRES_USER
    		28 |           value: postgres
    		29 |         - name: POSTGRES_PASSWORD
    		30 |           value: secret123
    		31 |         ports:
    		32 |         - name: tcp-postgresql
    		33 |           containerPort: 5432
    		34 |         volumeMounts:
    		35 |         - name: dshm
    		36 |           mountPath: /dev/shm
    		37 |         - name: local-disk
    		38 |           mountPath: /bitnami/postgresql
    		39 |           subPath: 
    		40 |       volumes:
    		41 |       - name: dshm
    		42 |         emptyDir:
    		43 |           medium: Memory
    		44 |       - name: local-disk
    		45 |         hostPath:
    		46 |           path: /opt/postgresql-data
    		47 |           type: DirectoryOrCreate
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: StatefulSet.default.database-postgresql
    	File: /lessons/099/examples/1-example.yaml:2-47
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | apiVersion: apps/v1
    		3  | kind: StatefulSet
    		4  | metadata:
    		5  |   name: database-postgresql
    		6  | spec:
    		7  |   serviceName: postgresql
    		8  |   selector:
    		9  |     matchLabels:
    		10 |       app.kubernetes.io/name: postgresql
    		11 |   template:
    		12 |     metadata:
    		13 |       name: database-postgresql
    		14 |       labels:
    		15 |         app.kubernetes.io/name: postgresql
    		16 |     spec:                
    		17 |       containers:
    		18 |       - name: database-postgresql
    		19 |         image: docker.io/bitnami/postgresql:11.14.0-debian-10-r17
    		20 |         securityContext:
    		21 |           runAsUser: 0
    		22 |         env:
    		23 |         - name: POSTGRESQL_VOLUME_DIR
    		24 |           value: /bitnami/postgresql
    		25 |         - name: PGDATA
    		26 |           value: /bitnami/postgresql/data
    		27 |         - name: POSTGRES_USER
    		28 |           value: postgres
    		29 |         - name: POSTGRES_PASSWORD
    		30 |           value: secret123
    		31 |         ports:
    		32 |         - name: tcp-postgresql
    		33 |           containerPort: 5432
    		34 |         volumeMounts:
    		35 |         - name: dshm
    		36 |           mountPath: /dev/shm
    		37 |         - name: local-disk
    		38 |           mountPath: /bitnami/postgresql
    		39 |           subPath: 
    		40 |       volumes:
    		41 |       - name: dshm
    		42 |         emptyDir:
    		43 |           medium: Memory
    		44 |       - name: local-disk
    		45 |         hostPath:
    		46 |           path: /opt/postgresql-data
    		47 |           type: DirectoryOrCreate
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: StatefulSet.default.database-postgresql
    	File: /lessons/099/examples/1-example.yaml:2-47
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: StatefulSet.default.database-postgresql
    	File: /lessons/099/examples/1-example.yaml:2-47
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: StatefulSet.default.database-postgresql
    	File: /lessons/099/examples/1-example.yaml:2-47
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: StatefulSet.default.database-postgresql
    	File: /lessons/099/examples/1-example.yaml:2-47
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: StatefulSet.default.database-postgresql
    	File: /lessons/099/examples/1-example.yaml:2-47
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: StatefulSet.default.database-postgresql
    	File: /lessons/099/examples/1-example.yaml:2-47
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: StatefulSet.default.database-postgresql
    	File: /lessons/099/examples/1-example.yaml:2-47
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: StatefulSet.default.database-postgresql
    	File: /lessons/099/examples/1-example.yaml:2-47
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: StatefulSet.default.database-postgresql
    	File: /lessons/099/examples/1-example.yaml:2-47
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: StatefulSet.default.database-postgresql
    	File: /lessons/099/examples/1-example.yaml:2-47
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: StatefulSet.default.database-postgresql
    	File: /lessons/099/examples/1-example.yaml:2-47
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: StatefulSet.default.database-postgresql
    	File: /lessons/099/examples/1-example.yaml:2-47
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: StatefulSet.default.database-postgresql
    	File: /lessons/099/examples/2-example.yaml:2-52
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: StatefulSet.default.database-postgresql
    	File: /lessons/099/examples/2-example.yaml:2-52
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: StatefulSet.default.database-postgresql
    	File: /lessons/099/examples/2-example.yaml:2-52
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: StatefulSet.default.database-postgresql
    	File: /lessons/099/examples/2-example.yaml:2-52
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: StatefulSet.default.database-postgresql
    	File: /lessons/099/examples/2-example.yaml:2-52
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: StatefulSet.default.database-postgresql
    	File: /lessons/099/examples/2-example.yaml:2-52
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: StatefulSet.default.database-postgresql
    	File: /lessons/099/examples/2-example.yaml:2-52
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: StatefulSet.default.database-postgresql
    	File: /lessons/099/examples/2-example.yaml:2-52
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: StatefulSet.default.database-postgresql
    	File: /lessons/099/examples/2-example.yaml:2-52
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: StatefulSet.default.database-postgresql
    	File: /lessons/099/examples/2-example.yaml:2-52
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: StatefulSet.default.database-postgresql
    	File: /lessons/099/examples/2-example.yaml:2-52
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: StatefulSet.default.database-postgresql
    	File: /lessons/099/examples/2-example.yaml:2-52
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: StatefulSet.default.database-postgresql
    	File: /lessons/099/examples/2-example.yaml:2-52
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: StatefulSet.default.database-postgresql
    	File: /lessons/099/examples/2-example.yaml:2-52
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: StatefulSet.default.database-postgresql
    	File: /lessons/099/examples/2-example.yaml:2-52
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: StatefulSet.default.database-postgresql
    	File: /lessons/099/examples/2-example.yaml:2-52
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: StatefulSet.default.database-postgresql
    	File: /lessons/099/examples/2-example.yaml:2-52
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: StatefulSet.default.database-postgresql
    	File: /lessons/099/examples/2-example.yaml:2-52
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.staging.first-app-v1
    	File: /lessons/156/fargate-example/1-deployment.yaml:2-31
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | apiVersion: apps/v1
    		3  | kind: Deployment
    		4  | metadata:
    		5  |   name: first-app-v1
    		6  |   namespace: staging
    		7  | spec:
    		8  |   replicas: 3
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: first-app
    		12 |       version: v1
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: first-app
    		17 |         version: v1
    		18 |         istio: monitor
    		19 |     spec:
    		20 |       containers:
    		21 |         - image: aputra/myapp-lesson155:latest
    		22 |           imagePullPolicy: Always
    		23 |           name: first-app
    		24 |           env:
    		25 |             - name: SERVICE
    		26 |               value: first-app
    		27 |             - name: VERSION
    		28 |               value: v1
    		29 |           ports:
    		30 |             - name: http
    		31 |               containerPort: 8080
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.staging.first-app-v1
    	File: /lessons/156/fargate-example/1-deployment.yaml:2-31
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		2  | apiVersion: apps/v1
    		3  | kind: Deployment
    		4  | metadata:
    		5  |   name: first-app-v1
    		6  |   namespace: staging
    		7  | spec:
    		8  |   replicas: 3
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: first-app
    		12 |       version: v1
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: first-app
    		17 |         version: v1
    		18 |         istio: monitor
    		19 |     spec:
    		20 |       containers:
    		21 |         - image: aputra/myapp-lesson155:latest
    		22 |           imagePullPolicy: Always
    		23 |           name: first-app
    		24 |           env:
    		25 |             - name: SERVICE
    		26 |               value: first-app
    		27 |             - name: VERSION
    		28 |               value: v1
    		29 |           ports:
    		30 |             - name: http
    		31 |               containerPort: 8080
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Deployment.staging.first-app-v1
    	File: /lessons/156/fargate-example/1-deployment.yaml:2-31
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | apiVersion: apps/v1
    		3  | kind: Deployment
    		4  | metadata:
    		5  |   name: first-app-v1
    		6  |   namespace: staging
    		7  | spec:
    		8  |   replicas: 3
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: first-app
    		12 |       version: v1
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: first-app
    		17 |         version: v1
    		18 |         istio: monitor
    		19 |     spec:
    		20 |       containers:
    		21 |         - image: aputra/myapp-lesson155:latest
    		22 |           imagePullPolicy: Always
    		23 |           name: first-app
    		24 |           env:
    		25 |             - name: SERVICE
    		26 |               value: first-app
    		27 |             - name: VERSION
    		28 |               value: v1
    		29 |           ports:
    		30 |             - name: http
    		31 |               containerPort: 8080
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.staging.first-app-v1
    	File: /lessons/156/fargate-example/1-deployment.yaml:2-31
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | apiVersion: apps/v1
    		3  | kind: Deployment
    		4  | metadata:
    		5  |   name: first-app-v1
    		6  |   namespace: staging
    		7  | spec:
    		8  |   replicas: 3
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: first-app
    		12 |       version: v1
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: first-app
    		17 |         version: v1
    		18 |         istio: monitor
    		19 |     spec:
    		20 |       containers:
    		21 |         - image: aputra/myapp-lesson155:latest
    		22 |           imagePullPolicy: Always
    		23 |           name: first-app
    		24 |           env:
    		25 |             - name: SERVICE
    		26 |               value: first-app
    		27 |             - name: VERSION
    		28 |               value: v1
    		29 |           ports:
    		30 |             - name: http
    		31 |               containerPort: 8080
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Deployment.staging.first-app-v1
    	File: /lessons/156/fargate-example/1-deployment.yaml:2-31
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | apiVersion: apps/v1
    		3  | kind: Deployment
    		4  | metadata:
    		5  |   name: first-app-v1
    		6  |   namespace: staging
    		7  | spec:
    		8  |   replicas: 3
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: first-app
    		12 |       version: v1
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: first-app
    		17 |         version: v1
    		18 |         istio: monitor
    		19 |     spec:
    		20 |       containers:
    		21 |         - image: aputra/myapp-lesson155:latest
    		22 |           imagePullPolicy: Always
    		23 |           name: first-app
    		24 |           env:
    		25 |             - name: SERVICE
    		26 |               value: first-app
    		27 |             - name: VERSION
    		28 |               value: v1
    		29 |           ports:
    		30 |             - name: http
    		31 |               containerPort: 8080
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Deployment.staging.first-app-v1
    	File: /lessons/156/fargate-example/1-deployment.yaml:2-31
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | apiVersion: apps/v1
    		3  | kind: Deployment
    		4  | metadata:
    		5  |   name: first-app-v1
    		6  |   namespace: staging
    		7  | spec:
    		8  |   replicas: 3
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: first-app
    		12 |       version: v1
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: first-app
    		17 |         version: v1
    		18 |         istio: monitor
    		19 |     spec:
    		20 |       containers:
    		21 |         - image: aputra/myapp-lesson155:latest
    		22 |           imagePullPolicy: Always
    		23 |           name: first-app
    		24 |           env:
    		25 |             - name: SERVICE
    		26 |               value: first-app
    		27 |             - name: VERSION
    		28 |               value: v1
    		29 |           ports:
    		30 |             - name: http
    		31 |               containerPort: 8080
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Deployment.staging.first-app-v1
    	File: /lessons/156/fargate-example/1-deployment.yaml:2-31
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		2  | apiVersion: apps/v1
    		3  | kind: Deployment
    		4  | metadata:
    		5  |   name: first-app-v1
    		6  |   namespace: staging
    		7  | spec:
    		8  |   replicas: 3
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: first-app
    		12 |       version: v1
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: first-app
    		17 |         version: v1
    		18 |         istio: monitor
    		19 |     spec:
    		20 |       containers:
    		21 |         - image: aputra/myapp-lesson155:latest
    		22 |           imagePullPolicy: Always
    		23 |           name: first-app
    		24 |           env:
    		25 |             - name: SERVICE
    		26 |               value: first-app
    		27 |             - name: VERSION
    		28 |               value: v1
    		29 |           ports:
    		30 |             - name: http
    		31 |               containerPort: 8080
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Deployment.staging.first-app-v1
    	File: /lessons/156/fargate-example/1-deployment.yaml:2-31
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | apiVersion: apps/v1
    		3  | kind: Deployment
    		4  | metadata:
    		5  |   name: first-app-v1
    		6  |   namespace: staging
    		7  | spec:
    		8  |   replicas: 3
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: first-app
    		12 |       version: v1
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: first-app
    		17 |         version: v1
    		18 |         istio: monitor
    		19 |     spec:
    		20 |       containers:
    		21 |         - image: aputra/myapp-lesson155:latest
    		22 |           imagePullPolicy: Always
    		23 |           name: first-app
    		24 |           env:
    		25 |             - name: SERVICE
    		26 |               value: first-app
    		27 |             - name: VERSION
    		28 |               value: v1
    		29 |           ports:
    		30 |             - name: http
    		31 |               containerPort: 8080
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Deployment.staging.first-app-v1
    	File: /lessons/156/fargate-example/1-deployment.yaml:2-31
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		2  | apiVersion: apps/v1
    		3  | kind: Deployment
    		4  | metadata:
    		5  |   name: first-app-v1
    		6  |   namespace: staging
    		7  | spec:
    		8  |   replicas: 3
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: first-app
    		12 |       version: v1
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: first-app
    		17 |         version: v1
    		18 |         istio: monitor
    		19 |     spec:
    		20 |       containers:
    		21 |         - image: aputra/myapp-lesson155:latest
    		22 |           imagePullPolicy: Always
    		23 |           name: first-app
    		24 |           env:
    		25 |             - name: SERVICE
    		26 |               value: first-app
    		27 |             - name: VERSION
    		28 |               value: v1
    		29 |           ports:
    		30 |             - name: http
    		31 |               containerPort: 8080
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Deployment.staging.first-app-v1
    	File: /lessons/156/fargate-example/1-deployment.yaml:2-31
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | apiVersion: apps/v1
    		3  | kind: Deployment
    		4  | metadata:
    		5  |   name: first-app-v1
    		6  |   namespace: staging
    		7  | spec:
    		8  |   replicas: 3
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: first-app
    		12 |       version: v1
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: first-app
    		17 |         version: v1
    		18 |         istio: monitor
    		19 |     spec:
    		20 |       containers:
    		21 |         - image: aputra/myapp-lesson155:latest
    		22 |           imagePullPolicy: Always
    		23 |           name: first-app
    		24 |           env:
    		25 |             - name: SERVICE
    		26 |               value: first-app
    		27 |             - name: VERSION
    		28 |               value: v1
    		29 |           ports:
    		30 |             - name: http
    		31 |               containerPort: 8080
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Deployment.staging.first-app-v1
    	File: /lessons/156/fargate-example/1-deployment.yaml:2-31
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		2  | apiVersion: apps/v1
    		3  | kind: Deployment
    		4  | metadata:
    		5  |   name: first-app-v1
    		6  |   namespace: staging
    		7  | spec:
    		8  |   replicas: 3
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: first-app
    		12 |       version: v1
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: first-app
    		17 |         version: v1
    		18 |         istio: monitor
    		19 |     spec:
    		20 |       containers:
    		21 |         - image: aputra/myapp-lesson155:latest
    		22 |           imagePullPolicy: Always
    		23 |           name: first-app
    		24 |           env:
    		25 |             - name: SERVICE
    		26 |               value: first-app
    		27 |             - name: VERSION
    		28 |               value: v1
    		29 |           ports:
    		30 |             - name: http
    		31 |               containerPort: 8080
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Deployment.staging.first-app-v1
    	File: /lessons/156/fargate-example/1-deployment.yaml:2-31
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | apiVersion: apps/v1
    		3  | kind: Deployment
    		4  | metadata:
    		5  |   name: first-app-v1
    		6  |   namespace: staging
    		7  | spec:
    		8  |   replicas: 3
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: first-app
    		12 |       version: v1
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: first-app
    		17 |         version: v1
    		18 |         istio: monitor
    		19 |     spec:
    		20 |       containers:
    		21 |         - image: aputra/myapp-lesson155:latest
    		22 |           imagePullPolicy: Always
    		23 |           name: first-app
    		24 |           env:
    		25 |             - name: SERVICE
    		26 |               value: first-app
    		27 |             - name: VERSION
    		28 |               value: v1
    		29 |           ports:
    		30 |             - name: http
    		31 |               containerPort: 8080
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Deployment.staging.first-app-v1
    	File: /lessons/156/fargate-example/1-deployment.yaml:2-31
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		2  | apiVersion: apps/v1
    		3  | kind: Deployment
    		4  | metadata:
    		5  |   name: first-app-v1
    		6  |   namespace: staging
    		7  | spec:
    		8  |   replicas: 3
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: first-app
    		12 |       version: v1
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: first-app
    		17 |         version: v1
    		18 |         istio: monitor
    		19 |     spec:
    		20 |       containers:
    		21 |         - image: aputra/myapp-lesson155:latest
    		22 |           imagePullPolicy: Always
    		23 |           name: first-app
    		24 |           env:
    		25 |             - name: SERVICE
    		26 |               value: first-app
    		27 |             - name: VERSION
    		28 |               value: v1
    		29 |           ports:
    		30 |             - name: http
    		31 |               containerPort: 8080
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Deployment.staging.first-app-v1
    	File: /lessons/156/fargate-example/1-deployment.yaml:2-31
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | apiVersion: apps/v1
    		3  | kind: Deployment
    		4  | metadata:
    		5  |   name: first-app-v1
    		6  |   namespace: staging
    		7  | spec:
    		8  |   replicas: 3
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: first-app
    		12 |       version: v1
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: first-app
    		17 |         version: v1
    		18 |         istio: monitor
    		19 |     spec:
    		20 |       containers:
    		21 |         - image: aputra/myapp-lesson155:latest
    		22 |           imagePullPolicy: Always
    		23 |           name: first-app
    		24 |           env:
    		25 |             - name: SERVICE
    		26 |               value: first-app
    		27 |             - name: VERSION
    		28 |               value: v1
    		29 |           ports:
    		30 |             - name: http
    		31 |               containerPort: 8080
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Deployment.staging.first-app-v1
    	File: /lessons/156/fargate-example/1-deployment.yaml:2-31
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		2  | apiVersion: apps/v1
    		3  | kind: Deployment
    		4  | metadata:
    		5  |   name: first-app-v1
    		6  |   namespace: staging
    		7  | spec:
    		8  |   replicas: 3
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: first-app
    		12 |       version: v1
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: first-app
    		17 |         version: v1
    		18 |         istio: monitor
    		19 |     spec:
    		20 |       containers:
    		21 |         - image: aputra/myapp-lesson155:latest
    		22 |           imagePullPolicy: Always
    		23 |           name: first-app
    		24 |           env:
    		25 |             - name: SERVICE
    		26 |               value: first-app
    		27 |             - name: VERSION
    		28 |               value: v1
    		29 |           ports:
    		30 |             - name: http
    		31 |               containerPort: 8080
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Deployment.staging.first-app-v1
    	File: /lessons/156/fargate-example/1-deployment.yaml:2-31
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | apiVersion: apps/v1
    		3  | kind: Deployment
    		4  | metadata:
    		5  |   name: first-app-v1
    		6  |   namespace: staging
    		7  | spec:
    		8  |   replicas: 3
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: first-app
    		12 |       version: v1
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: first-app
    		17 |         version: v1
    		18 |         istio: monitor
    		19 |     spec:
    		20 |       containers:
    		21 |         - image: aputra/myapp-lesson155:latest
    		22 |           imagePullPolicy: Always
    		23 |           name: first-app
    		24 |           env:
    		25 |             - name: SERVICE
    		26 |               value: first-app
    		27 |             - name: VERSION
    		28 |               value: v1
    		29 |           ports:
    		30 |             - name: http
    		31 |               containerPort: 8080
    
    Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
    	FAILED for resource: Deployment.staging.first-app-v1
    	File: /lessons/156/fargate-example/1-deployment.yaml:2-31
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
    
    		2  | apiVersion: apps/v1
    		3  | kind: Deployment
    		4  | metadata:
    		5  |   name: first-app-v1
    		6  |   namespace: staging
    		7  | spec:
    		8  |   replicas: 3
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: first-app
    		12 |       version: v1
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: first-app
    		17 |         version: v1
    		18 |         istio: monitor
    		19 |     spec:
    		20 |       containers:
    		21 |         - image: aputra/myapp-lesson155:latest
    		22 |           imagePullPolicy: Always
    		23 |           name: first-app
    		24 |           env:
    		25 |             - name: SERVICE
    		26 |               value: first-app
    		27 |             - name: VERSION
    		28 |               value: v1
    		29 |           ports:
    		30 |             - name: http
    		31 |               containerPort: 8080
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Deployment.staging.first-app-v1
    	File: /lessons/156/fargate-example/1-deployment.yaml:2-31
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		2  | apiVersion: apps/v1
    		3  | kind: Deployment
    		4  | metadata:
    		5  |   name: first-app-v1
    		6  |   namespace: staging
    		7  | spec:
    		8  |   replicas: 3
    		9  |   selector:
    		10 |     matchLabels:
    		11 |       app: first-app
    		12 |       version: v1
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: first-app
    		17 |         version: v1
    		18 |         istio: monitor
    		19 |     spec:
    		20 |       containers:
    		21 |         - image: aputra/myapp-lesson155:latest
    		22 |           imagePullPolicy: Always
    		23 |           name: first-app
    		24 |           env:
    		25 |             - name: SERVICE
    		26 |               value: first-app
    		27 |             - name: VERSION
    		28 |               value: v1
    		29 |           ports:
    		30 |             - name: http
    		31 |               containerPort: 8080
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Pod.default.app-2
    	File: /lessons/156/efs-example/2-pod-2.yaml:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | apiVersion: v1
    		3  | kind: Pod
    		4  | metadata:
    		5  |   name: app-2
    		6  |   namespace: default
    		7  | spec:
    		8  |   containers:
    		9  |     - name: app-2
    		10 |       image: busybox
    		11 |       command: ["/bin/sh"]
    		12 |       args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
    		13 |       volumeMounts:
    		14 |         - name: persistent-storage
    		15 |           mountPath: /data
    		16 |   volumes:
    		17 |     - name: persistent-storage
    		18 |       persistentVolumeClaim:
    		19 |         claimName: app
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Pod.default.app-2
    	File: /lessons/156/efs-example/2-pod-2.yaml:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		2  | apiVersion: v1
    		3  | kind: Pod
    		4  | metadata:
    		5  |   name: app-2
    		6  |   namespace: default
    		7  | spec:
    		8  |   containers:
    		9  |     - name: app-2
    		10 |       image: busybox
    		11 |       command: ["/bin/sh"]
    		12 |       args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
    		13 |       volumeMounts:
    		14 |         - name: persistent-storage
    		15 |           mountPath: /data
    		16 |   volumes:
    		17 |     - name: persistent-storage
    		18 |       persistentVolumeClaim:
    		19 |         claimName: app
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Pod.default.app-2
    	File: /lessons/156/efs-example/2-pod-2.yaml:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | apiVersion: v1
    		3  | kind: Pod
    		4  | metadata:
    		5  |   name: app-2
    		6  |   namespace: default
    		7  | spec:
    		8  |   containers:
    		9  |     - name: app-2
    		10 |       image: busybox
    		11 |       command: ["/bin/sh"]
    		12 |       args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
    		13 |       volumeMounts:
    		14 |         - name: persistent-storage
    		15 |           mountPath: /data
    		16 |   volumes:
    		17 |     - name: persistent-storage
    		18 |       persistentVolumeClaim:
    		19 |         claimName: app
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Pod.default.app-2
    	File: /lessons/156/efs-example/2-pod-2.yaml:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | apiVersion: v1
    		3  | kind: Pod
    		4  | metadata:
    		5  |   name: app-2
    		6  |   namespace: default
    		7  | spec:
    		8  |   containers:
    		9  |     - name: app-2
    		10 |       image: busybox
    		11 |       command: ["/bin/sh"]
    		12 |       args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
    		13 |       volumeMounts:
    		14 |         - name: persistent-storage
    		15 |           mountPath: /data
    		16 |   volumes:
    		17 |     - name: persistent-storage
    		18 |       persistentVolumeClaim:
    		19 |         claimName: app
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Pod.default.app-2
    	File: /lessons/156/efs-example/2-pod-2.yaml:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | apiVersion: v1
    		3  | kind: Pod
    		4  | metadata:
    		5  |   name: app-2
    		6  |   namespace: default
    		7  | spec:
    		8  |   containers:
    		9  |     - name: app-2
    		10 |       image: busybox
    		11 |       command: ["/bin/sh"]
    		12 |       args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
    		13 |       volumeMounts:
    		14 |         - name: persistent-storage
    		15 |           mountPath: /data
    		16 |   volumes:
    		17 |     - name: persistent-storage
    		18 |       persistentVolumeClaim:
    		19 |         claimName: app
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Pod.default.app-2
    	File: /lessons/156/efs-example/2-pod-2.yaml:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | apiVersion: v1
    		3  | kind: Pod
    		4  | metadata:
    		5  |   name: app-2
    		6  |   namespace: default
    		7  | spec:
    		8  |   containers:
    		9  |     - name: app-2
    		10 |       image: busybox
    		11 |       command: ["/bin/sh"]
    		12 |       args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
    		13 |       volumeMounts:
    		14 |         - name: persistent-storage
    		15 |           mountPath: /data
    		16 |   volumes:
    		17 |     - name: persistent-storage
    		18 |       persistentVolumeClaim:
    		19 |         claimName: app
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Pod.default.app-2
    	File: /lessons/156/efs-example/2-pod-2.yaml:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | apiVersion: v1
    		3  | kind: Pod
    		4  | metadata:
    		5  |   name: app-2
    		6  |   namespace: default
    		7  | spec:
    		8  |   containers:
    		9  |     - name: app-2
    		10 |       image: busybox
    		11 |       command: ["/bin/sh"]
    		12 |       args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
    		13 |       volumeMounts:
    		14 |         - name: persistent-storage
    		15 |           mountPath: /data
    		16 |   volumes:
    		17 |     - name: persistent-storage
    		18 |       persistentVolumeClaim:
    		19 |         claimName: app
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Pod.default.app-2
    	File: /lessons/156/efs-example/2-pod-2.yaml:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		2  | apiVersion: v1
    		3  | kind: Pod
    		4  | metadata:
    		5  |   name: app-2
    		6  |   namespace: default
    		7  | spec:
    		8  |   containers:
    		9  |     - name: app-2
    		10 |       image: busybox
    		11 |       command: ["/bin/sh"]
    		12 |       args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
    		13 |       volumeMounts:
    		14 |         - name: persistent-storage
    		15 |           mountPath: /data
    		16 |   volumes:
    		17 |     - name: persistent-storage
    		18 |       persistentVolumeClaim:
    		19 |         claimName: app
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Pod.default.app-2
    	File: /lessons/156/efs-example/2-pod-2.yaml:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | apiVersion: v1
    		3  | kind: Pod
    		4  | metadata:
    		5  |   name: app-2
    		6  |   namespace: default
    		7  | spec:
    		8  |   containers:
    		9  |     - name: app-2
    		10 |       image: busybox
    		11 |       command: ["/bin/sh"]
    		12 |       args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
    		13 |       volumeMounts:
    		14 |         - name: persistent-storage
    		15 |           mountPath: /data
    		16 |   volumes:
    		17 |     - name: persistent-storage
    		18 |       persistentVolumeClaim:
    		19 |         claimName: app
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Pod.default.app-2
    	File: /lessons/156/efs-example/2-pod-2.yaml:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		2  | apiVersion: v1
    		3  | kind: Pod
    		4  | metadata:
    		5  |   name: app-2
    		6  |   namespace: default
    		7  | spec:
    		8  |   containers:
    		9  |     - name: app-2
    		10 |       image: busybox
    		11 |       command: ["/bin/sh"]
    		12 |       args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
    		13 |       volumeMounts:
    		14 |         - name: persistent-storage
    		15 |           mountPath: /data
    		16 |   volumes:
    		17 |     - name: persistent-storage
    		18 |       persistentVolumeClaim:
    		19 |         claimName: app
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Pod.default.app-2
    	File: /lessons/156/efs-example/2-pod-2.yaml:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | apiVersion: v1
    		3  | kind: Pod
    		4  | metadata:
    		5  |   name: app-2
    		6  |   namespace: default
    		7  | spec:
    		8  |   containers:
    		9  |     - name: app-2
    		10 |       image: busybox
    		11 |       command: ["/bin/sh"]
    		12 |       args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
    		13 |       volumeMounts:
    		14 |         - name: persistent-storage
    		15 |           mountPath: /data
    		16 |   volumes:
    		17 |     - name: persistent-storage
    		18 |       persistentVolumeClaim:
    		19 |         claimName: app
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Pod.default.app-2
    	File: /lessons/156/efs-example/2-pod-2.yaml:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		2  | apiVersion: v1
    		3  | kind: Pod
    		4  | metadata:
    		5  |   name: app-2
    		6  |   namespace: default
    		7  | spec:
    		8  |   containers:
    		9  |     - name: app-2
    		10 |       image: busybox
    		11 |       command: ["/bin/sh"]
    		12 |       args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
    		13 |       volumeMounts:
    		14 |         - name: persistent-storage
    		15 |           mountPath: /data
    		16 |   volumes:
    		17 |     - name: persistent-storage
    		18 |       persistentVolumeClaim:
    		19 |         claimName: app
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Pod.default.app-2
    	File: /lessons/156/efs-example/2-pod-2.yaml:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | apiVersion: v1
    		3  | kind: Pod
    		4  | metadata:
    		5  |   name: app-2
    		6  |   namespace: default
    		7  | spec:
    		8  |   containers:
    		9  |     - name: app-2
    		10 |       image: busybox
    		11 |       command: ["/bin/sh"]
    		12 |       args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
    		13 |       volumeMounts:
    		14 |         - name: persistent-storage
    		15 |           mountPath: /data
    		16 |   volumes:
    		17 |     - name: persistent-storage
    		18 |       persistentVolumeClaim:
    		19 |         claimName: app
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Pod.default.app-2
    	File: /lessons/156/efs-example/2-pod-2.yaml:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		2  | apiVersion: v1
    		3  | kind: Pod
    		4  | metadata:
    		5  |   name: app-2
    		6  |   namespace: default
    		7  | spec:
    		8  |   containers:
    		9  |     - name: app-2
    		10 |       image: busybox
    		11 |       command: ["/bin/sh"]
    		12 |       args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
    		13 |       volumeMounts:
    		14 |         - name: persistent-storage
    		15 |           mountPath: /data
    		16 |   volumes:
    		17 |     - name: persistent-storage
    		18 |       persistentVolumeClaim:
    		19 |         claimName: app
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Pod.default.app-2
    	File: /lessons/156/efs-example/2-pod-2.yaml:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | apiVersion: v1
    		3  | kind: Pod
    		4  | metadata:
    		5  |   name: app-2
    		6  |   namespace: default
    		7  | spec:
    		8  |   containers:
    		9  |     - name: app-2
    		10 |       image: busybox
    		11 |       command: ["/bin/sh"]
    		12 |       args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
    		13 |       volumeMounts:
    		14 |         - name: persistent-storage
    		15 |           mountPath: /data
    		16 |   volumes:
    		17 |     - name: persistent-storage
    		18 |       persistentVolumeClaim:
    		19 |         claimName: app
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Pod.default.app-2
    	File: /lessons/156/efs-example/2-pod-2.yaml:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		2  | apiVersion: v1
    		3  | kind: Pod
    		4  | metadata:
    		5  |   name: app-2
    		6  |   namespace: default
    		7  | spec:
    		8  |   containers:
    		9  |     - name: app-2
    		10 |       image: busybox
    		11 |       command: ["/bin/sh"]
    		12 |       args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
    		13 |       volumeMounts:
    		14 |         - name: persistent-storage
    		15 |           mountPath: /data
    		16 |   volumes:
    		17 |     - name: persistent-storage
    		18 |       persistentVolumeClaim:
    		19 |         claimName: app
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Pod.default.app-2
    	File: /lessons/156/efs-example/2-pod-2.yaml:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | apiVersion: v1
    		3  | kind: Pod
    		4  | metadata:
    		5  |   name: app-2
    		6  |   namespace: default
    		7  | spec:
    		8  |   containers:
    		9  |     - name: app-2
    		10 |       image: busybox
    		11 |       command: ["/bin/sh"]
    		12 |       args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
    		13 |       volumeMounts:
    		14 |         - name: persistent-storage
    		15 |           mountPath: /data
    		16 |   volumes:
    		17 |     - name: persistent-storage
    		18 |       persistentVolumeClaim:
    		19 |         claimName: app
    
    Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
    	FAILED for resource: Pod.default.app-2
    	File: /lessons/156/efs-example/2-pod-2.yaml:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
    
    		2  | apiVersion: v1
    		3  | kind: Pod
    		4  | metadata:
    		5  |   name: app-2
    		6  |   namespace: default
    		7  | spec:
    		8  |   containers:
    		9  |     - name: app-2
    		10 |       image: busybox
    		11 |       command: ["/bin/sh"]
    		12 |       args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
    		13 |       volumeMounts:
    		14 |         - name: persistent-storage
    		15 |           mountPath: /data
    		16 |   volumes:
    		17 |     - name: persistent-storage
    		18 |       persistentVolumeClaim:
    		19 |         claimName: app
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Pod.default.app-2
    	File: /lessons/156/efs-example/2-pod-2.yaml:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		2  | apiVersion: v1
    		3  | kind: Pod
    		4  | metadata:
    		5  |   name: app-2
    		6  |   namespace: default
    		7  | spec:
    		8  |   containers:
    		9  |     - name: app-2
    		10 |       image: busybox
    		11 |       command: ["/bin/sh"]
    		12 |       args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
    		13 |       volumeMounts:
    		14 |         - name: persistent-storage
    		15 |           mountPath: /data
    		16 |   volumes:
    		17 |     - name: persistent-storage
    		18 |       persistentVolumeClaim:
    		19 |         claimName: app
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Pod.default.app-1
    	File: /lessons/156/efs-example/1-pod-1.yaml:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | apiVersion: v1
    		3  | kind: Pod
    		4  | metadata:
    		5  |   name: app-1
    		6  |   namespace: default
    		7  | spec:
    		8  |   containers:
    		9  |     - name: app-1
    		10 |       image: busybox
    		11 |       command: ["/bin/sh"]
    		12 |       args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
    		13 |       volumeMounts:
    		14 |         - name: persistent-storage
    		15 |           mountPath: /data
    		16 |   volumes:
    		17 |     - name: persistent-storage
    		18 |       persistentVolumeClaim:
    		19 |         claimName: app
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Pod.default.app-1
    	File: /lessons/156/efs-example/1-pod-1.yaml:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		2  | apiVersion: v1
    		3  | kind: Pod
    		4  | metadata:
    		5  |   name: app-1
    		6  |   namespace: default
    		7  | spec:
    		8  |   containers:
    		9  |     - name: app-1
    		10 |       image: busybox
    		11 |       command: ["/bin/sh"]
    		12 |       args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
    		13 |       volumeMounts:
    		14 |         - name: persistent-storage
    		15 |           mountPath: /data
    		16 |   volumes:
    		17 |     - name: persistent-storage
    		18 |       persistentVolumeClaim:
    		19 |         claimName: app
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: Pod.default.app-1
    	File: /lessons/156/efs-example/1-pod-1.yaml:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | apiVersion: v1
    		3  | kind: Pod
    		4  | metadata:
    		5  |   name: app-1
    		6  |   namespace: default
    		7  | spec:
    		8  |   containers:
    		9  |     - name: app-1
    		10 |       image: busybox
    		11 |       command: ["/bin/sh"]
    		12 |       args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
    		13 |       volumeMounts:
    		14 |         - name: persistent-storage
    		15 |           mountPath: /data
    		16 |   volumes:
    		17 |     - name: persistent-storage
    		18 |       persistentVolumeClaim:
    		19 |         claimName: app
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Pod.default.app-1
    	File: /lessons/156/efs-example/1-pod-1.yaml:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | apiVersion: v1
    		3  | kind: Pod
    		4  | metadata:
    		5  |   name: app-1
    		6  |   namespace: default
    		7  | spec:
    		8  |   containers:
    		9  |     - name: app-1
    		10 |       image: busybox
    		11 |       command: ["/bin/sh"]
    		12 |       args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
    		13 |       volumeMounts:
    		14 |         - name: persistent-storage
    		15 |           mountPath: /data
    		16 |   volumes:
    		17 |     - name: persistent-storage
    		18 |       persistentVolumeClaim:
    		19 |         claimName: app
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Pod.default.app-1
    	File: /lessons/156/efs-example/1-pod-1.yaml:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | apiVersion: v1
    		3  | kind: Pod
    		4  | metadata:
    		5  |   name: app-1
    		6  |   namespace: default
    		7  | spec:
    		8  |   containers:
    		9  |     - name: app-1
    		10 |       image: busybox
    		11 |       command: ["/bin/sh"]
    		12 |       args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
    		13 |       volumeMounts:
    		14 |         - name: persistent-storage
    		15 |           mountPath: /data
    		16 |   volumes:
    		17 |     - name: persistent-storage
    		18 |       persistentVolumeClaim:
    		19 |         claimName: app
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: Pod.default.app-1
    	File: /lessons/156/efs-example/1-pod-1.yaml:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | apiVersion: v1
    		3  | kind: Pod
    		4  | metadata:
    		5  |   name: app-1
    		6  |   namespace: default
    		7  | spec:
    		8  |   containers:
    		9  |     - name: app-1
    		10 |       image: busybox
    		11 |       command: ["/bin/sh"]
    		12 |       args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
    		13 |       volumeMounts:
    		14 |         - name: persistent-storage
    		15 |           mountPath: /data
    		16 |   volumes:
    		17 |     - name: persistent-storage
    		18 |       persistentVolumeClaim:
    		19 |         claimName: app
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: Pod.default.app-1
    	File: /lessons/156/efs-example/1-pod-1.yaml:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | apiVersion: v1
    		3  | kind: Pod
    		4  | metadata:
    		5  |   name: app-1
    		6  |   namespace: default
    		7  | spec:
    		8  |   containers:
    		9  |     - name: app-1
    		10 |       image: busybox
    		11 |       command: ["/bin/sh"]
    		12 |       args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
    		13 |       volumeMounts:
    		14 |         - name: persistent-storage
    		15 |           mountPath: /data
    		16 |   volumes:
    		17 |     - name: persistent-storage
    		18 |       persistentVolumeClaim:
    		19 |         claimName: app
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: Pod.default.app-1
    	File: /lessons/156/efs-example/1-pod-1.yaml:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		2  | apiVersion: v1
    		3  | kind: Pod
    		4  | metadata:
    		5  |   name: app-1
    		6  |   namespace: default
    		7  | spec:
    		8  |   containers:
    		9  |     - name: app-1
    		10 |       image: busybox
    		11 |       command: ["/bin/sh"]
    		12 |       args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
    		13 |       volumeMounts:
    		14 |         - name: persistent-storage
    		15 |           mountPath: /data
    		16 |   volumes:
    		17 |     - name: persistent-storage
    		18 |       persistentVolumeClaim:
    		19 |         claimName: app
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: Pod.default.app-1
    	File: /lessons/156/efs-example/1-pod-1.yaml:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | apiVersion: v1
    		3  | kind: Pod
    		4  | metadata:
    		5  |   name: app-1
    		6  |   namespace: default
    		7  | spec:
    		8  |   containers:
    		9  |     - name: app-1
    		10 |       image: busybox
    		11 |       command: ["/bin/sh"]
    		12 |       args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
    		13 |       volumeMounts:
    		14 |         - name: persistent-storage
    		15 |           mountPath: /data
    		16 |   volumes:
    		17 |     - name: persistent-storage
    		18 |       persistentVolumeClaim:
    		19 |         claimName: app
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: Pod.default.app-1
    	File: /lessons/156/efs-example/1-pod-1.yaml:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		2  | apiVersion: v1
    		3  | kind: Pod
    		4  | metadata:
    		5  |   name: app-1
    		6  |   namespace: default
    		7  | spec:
    		8  |   containers:
    		9  |     - name: app-1
    		10 |       image: busybox
    		11 |       command: ["/bin/sh"]
    		12 |       args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
    		13 |       volumeMounts:
    		14 |         - name: persistent-storage
    		15 |           mountPath: /data
    		16 |   volumes:
    		17 |     - name: persistent-storage
    		18 |       persistentVolumeClaim:
    		19 |         claimName: app
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: Pod.default.app-1
    	File: /lessons/156/efs-example/1-pod-1.yaml:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | apiVersion: v1
    		3  | kind: Pod
    		4  | metadata:
    		5  |   name: app-1
    		6  |   namespace: default
    		7  | spec:
    		8  |   containers:
    		9  |     - name: app-1
    		10 |       image: busybox
    		11 |       command: ["/bin/sh"]
    		12 |       args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
    		13 |       volumeMounts:
    		14 |         - name: persistent-storage
    		15 |           mountPath: /data
    		16 |   volumes:
    		17 |     - name: persistent-storage
    		18 |       persistentVolumeClaim:
    		19 |         claimName: app
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: Pod.default.app-1
    	File: /lessons/156/efs-example/1-pod-1.yaml:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		2  | apiVersion: v1
    		3  | kind: Pod
    		4  | metadata:
    		5  |   name: app-1
    		6  |   namespace: default
    		7  | spec:
    		8  |   containers:
    		9  |     - name: app-1
    		10 |       image: busybox
    		11 |       command: ["/bin/sh"]
    		12 |       args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
    		13 |       volumeMounts:
    		14 |         - name: persistent-storage
    		15 |           mountPath: /data
    		16 |   volumes:
    		17 |     - name: persistent-storage
    		18 |       persistentVolumeClaim:
    		19 |         claimName: app
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: Pod.default.app-1
    	File: /lessons/156/efs-example/1-pod-1.yaml:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | apiVersion: v1
    		3  | kind: Pod
    		4  | metadata:
    		5  |   name: app-1
    		6  |   namespace: default
    		7  | spec:
    		8  |   containers:
    		9  |     - name: app-1
    		10 |       image: busybox
    		11 |       command: ["/bin/sh"]
    		12 |       args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
    		13 |       volumeMounts:
    		14 |         - name: persistent-storage
    		15 |           mountPath: /data
    		16 |   volumes:
    		17 |     - name: persistent-storage
    		18 |       persistentVolumeClaim:
    		19 |         claimName: app
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: Pod.default.app-1
    	File: /lessons/156/efs-example/1-pod-1.yaml:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		2  | apiVersion: v1
    		3  | kind: Pod
    		4  | metadata:
    		5  |   name: app-1
    		6  |   namespace: default
    		7  | spec:
    		8  |   containers:
    		9  |     - name: app-1
    		10 |       image: busybox
    		11 |       command: ["/bin/sh"]
    		12 |       args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
    		13 |       volumeMounts:
    		14 |         - name: persistent-storage
    		15 |           mountPath: /data
    		16 |   volumes:
    		17 |     - name: persistent-storage
    		18 |       persistentVolumeClaim:
    		19 |         claimName: app
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: Pod.default.app-1
    	File: /lessons/156/efs-example/1-pod-1.yaml:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | apiVersion: v1
    		3  | kind: Pod
    		4  | metadata:
    		5  |   name: app-1
    		6  |   namespace: default
    		7  | spec:
    		8  |   containers:
    		9  |     - name: app-1
    		10 |       image: busybox
    		11 |       command: ["/bin/sh"]
    		12 |       args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
    		13 |       volumeMounts:
    		14 |         - name: persistent-storage
    		15 |           mountPath: /data
    		16 |   volumes:
    		17 |     - name: persistent-storage
    		18 |       persistentVolumeClaim:
    		19 |         claimName: app
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: Pod.default.app-1
    	File: /lessons/156/efs-example/1-pod-1.yaml:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		2  | apiVersion: v1
    		3  | kind: Pod
    		4  | metadata:
    		5  |   name: app-1
    		6  |   namespace: default
    		7  | spec:
    		8  |   containers:
    		9  |     - name: app-1
    		10 |       image: busybox
    		11 |       command: ["/bin/sh"]
    		12 |       args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
    		13 |       volumeMounts:
    		14 |         - name: persistent-storage
    		15 |           mountPath: /data
    		16 |   volumes:
    		17 |     - name: persistent-storage
    		18 |       persistentVolumeClaim:
    		19 |         claimName: app
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: Pod.default.app-1
    	File: /lessons/156/efs-example/1-pod-1.yaml:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | apiVersion: v1
    		3  | kind: Pod
    		4  | metadata:
    		5  |   name: app-1
    		6  |   namespace: default
    		7  | spec:
    		8  |   containers:
    		9  |     - name: app-1
    		10 |       image: busybox
    		11 |       command: ["/bin/sh"]
    		12 |       args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
    		13 |       volumeMounts:
    		14 |         - name: persistent-storage
    		15 |           mountPath: /data
    		16 |   volumes:
    		17 |     - name: persistent-storage
    		18 |       persistentVolumeClaim:
    		19 |         claimName: app
    
    Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
    	FAILED for resource: Pod.default.app-1
    	File: /lessons/156/efs-example/1-pod-1.yaml:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
    
    		2  | apiVersion: v1
    		3  | kind: Pod
    		4  | metadata:
    		5  |   name: app-1
    		6  |   namespace: default
    		7  | spec:
    		8  |   containers:
    		9  |     - name: app-1
    		10 |       image: busybox
    		11 |       command: ["/bin/sh"]
    		12 |       args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
    		13 |       volumeMounts:
    		14 |         - name: persistent-storage
    		15 |           mountPath: /data
    		16 |   volumes:
    		17 |     - name: persistent-storage
    		18 |       persistentVolumeClaim:
    		19 |         claimName: app
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: Pod.default.app-1
    	File: /lessons/156/efs-example/1-pod-1.yaml:2-19
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		2  | apiVersion: v1
    		3  | kind: Pod
    		4  | metadata:
    		5  |   name: app-1
    		6  |   namespace: default
    		7  | spec:
    		8  |   containers:
    		9  |     - name: app-1
    		10 |       image: busybox
    		11 |       command: ["/bin/sh"]
    		12 |       args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
    		13 |       volumeMounts:
    		14 |         - name: persistent-storage
    		15 |           mountPath: /data
    		16 |   volumes:
    		17 |     - name: persistent-storage
    		18 |       persistentVolumeClaim:
    		19 |         claimName: app
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: StatefulSet.default.web
    	File: /lessons/156/ebs-example/0-statefulset.yaml:2-36
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | apiVersion: apps/v1
    		3  | kind: StatefulSet
    		4  | metadata:
    		5  |   name: web
    		6  |   namespace: default
    		7  | spec:
    		8  |   selector:
    		9  |     matchLabels:
    		10 |       app: nginx
    		11 |   serviceName: nginx
    		12 |   replicas: 1
    		13 |   minReadySeconds: 10
    		14 |   template:
    		15 |     metadata:
    		16 |       labels:
    		17 |         app: nginx
    		18 |     spec:
    		19 |       containers:
    		20 |         - name: nginx
    		21 |           image: registry.k8s.io/nginx-slim:0.8
    		22 |           ports:
    		23 |             - containerPort: 80
    		24 |               name: web
    		25 |           volumeMounts:
    		26 |             - name: www
    		27 |               mountPath: /usr/share/nginx/html
    		28 |   volumeClaimTemplates:
    		29 |     - metadata:
    		30 |         name: www
    		31 |       spec:
    		32 |         accessModes: ["ReadWriteOnce"]
    		33 |         storageClassName: "gp2"
    		34 |         resources:
    		35 |           requests:
    		36 |             storage: 10Gi
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: StatefulSet.default.web
    	File: /lessons/156/ebs-example/0-statefulset.yaml:2-36
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		2  | apiVersion: apps/v1
    		3  | kind: StatefulSet
    		4  | metadata:
    		5  |   name: web
    		6  |   namespace: default
    		7  | spec:
    		8  |   selector:
    		9  |     matchLabels:
    		10 |       app: nginx
    		11 |   serviceName: nginx
    		12 |   replicas: 1
    		13 |   minReadySeconds: 10
    		14 |   template:
    		15 |     metadata:
    		16 |       labels:
    		17 |         app: nginx
    		18 |     spec:
    		19 |       containers:
    		20 |         - name: nginx
    		21 |           image: registry.k8s.io/nginx-slim:0.8
    		22 |           ports:
    		23 |             - containerPort: 80
    		24 |               name: web
    		25 |           volumeMounts:
    		26 |             - name: www
    		27 |               mountPath: /usr/share/nginx/html
    		28 |   volumeClaimTemplates:
    		29 |     - metadata:
    		30 |         name: www
    		31 |       spec:
    		32 |         accessModes: ["ReadWriteOnce"]
    		33 |         storageClassName: "gp2"
    		34 |         resources:
    		35 |           requests:
    		36 |             storage: 10Gi
    
    Check: CKV_K8S_10: "CPU requests should be set"
    	FAILED for resource: StatefulSet.default.web
    	File: /lessons/156/ebs-example/0-statefulset.yaml:2-36
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
    
    		2  | apiVersion: apps/v1
    		3  | kind: StatefulSet
    		4  | metadata:
    		5  |   name: web
    		6  |   namespace: default
    		7  | spec:
    		8  |   selector:
    		9  |     matchLabels:
    		10 |       app: nginx
    		11 |   serviceName: nginx
    		12 |   replicas: 1
    		13 |   minReadySeconds: 10
    		14 |   template:
    		15 |     metadata:
    		16 |       labels:
    		17 |         app: nginx
    		18 |     spec:
    		19 |       containers:
    		20 |         - name: nginx
    		21 |           image: registry.k8s.io/nginx-slim:0.8
    		22 |           ports:
    		23 |             - containerPort: 80
    		24 |               name: web
    		25 |           volumeMounts:
    		26 |             - name: www
    		27 |               mountPath: /usr/share/nginx/html
    		28 |   volumeClaimTemplates:
    		29 |     - metadata:
    		30 |         name: www
    		31 |       spec:
    		32 |         accessModes: ["ReadWriteOnce"]
    		33 |         storageClassName: "gp2"
    		34 |         resources:
    		35 |           requests:
    		36 |             storage: 10Gi
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: StatefulSet.default.web
    	File: /lessons/156/ebs-example/0-statefulset.yaml:2-36
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | apiVersion: apps/v1
    		3  | kind: StatefulSet
    		4  | metadata:
    		5  |   name: web
    		6  |   namespace: default
    		7  | spec:
    		8  |   selector:
    		9  |     matchLabels:
    		10 |       app: nginx
    		11 |   serviceName: nginx
    		12 |   replicas: 1
    		13 |   minReadySeconds: 10
    		14 |   template:
    		15 |     metadata:
    		16 |       labels:
    		17 |         app: nginx
    		18 |     spec:
    		19 |       containers:
    		20 |         - name: nginx
    		21 |           image: registry.k8s.io/nginx-slim:0.8
    		22 |           ports:
    		23 |             - containerPort: 80
    		24 |               name: web
    		25 |           volumeMounts:
    		26 |             - name: www
    		27 |               mountPath: /usr/share/nginx/html
    		28 |   volumeClaimTemplates:
    		29 |     - metadata:
    		30 |         name: www
    		31 |       spec:
    		32 |         accessModes: ["ReadWriteOnce"]
    		33 |         storageClassName: "gp2"
    		34 |         resources:
    		35 |           requests:
    		36 |             storage: 10Gi
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: StatefulSet.default.web
    	File: /lessons/156/ebs-example/0-statefulset.yaml:2-36
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | apiVersion: apps/v1
    		3  | kind: StatefulSet
    		4  | metadata:
    		5  |   name: web
    		6  |   namespace: default
    		7  | spec:
    		8  |   selector:
    		9  |     matchLabels:
    		10 |       app: nginx
    		11 |   serviceName: nginx
    		12 |   replicas: 1
    		13 |   minReadySeconds: 10
    		14 |   template:
    		15 |     metadata:
    		16 |       labels:
    		17 |         app: nginx
    		18 |     spec:
    		19 |       containers:
    		20 |         - name: nginx
    		21 |           image: registry.k8s.io/nginx-slim:0.8
    		22 |           ports:
    		23 |             - containerPort: 80
    		24 |               name: web
    		25 |           volumeMounts:
    		26 |             - name: www
    		27 |               mountPath: /usr/share/nginx/html
    		28 |   volumeClaimTemplates:
    		29 |     - metadata:
    		30 |         name: www
    		31 |       spec:
    		32 |         accessModes: ["ReadWriteOnce"]
    		33 |         storageClassName: "gp2"
    		34 |         resources:
    		35 |           requests:
    		36 |             storage: 10Gi
    
    Check: CKV_K8S_29: "Apply security context to your pods and containers"
    	FAILED for resource: StatefulSet.default.web
    	File: /lessons/156/ebs-example/0-statefulset.yaml:2-36
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
    
    		2  | apiVersion: apps/v1
    		3  | kind: StatefulSet
    		4  | metadata:
    		5  |   name: web
    		6  |   namespace: default
    		7  | spec:
    		8  |   selector:
    		9  |     matchLabels:
    		10 |       app: nginx
    		11 |   serviceName: nginx
    		12 |   replicas: 1
    		13 |   minReadySeconds: 10
    		14 |   template:
    		15 |     metadata:
    		16 |       labels:
    		17 |         app: nginx
    		18 |     spec:
    		19 |       containers:
    		20 |         - name: nginx
    		21 |           image: registry.k8s.io/nginx-slim:0.8
    		22 |           ports:
    		23 |             - containerPort: 80
    		24 |               name: web
    		25 |           volumeMounts:
    		26 |             - name: www
    		27 |               mountPath: /usr/share/nginx/html
    		28 |   volumeClaimTemplates:
    		29 |     - metadata:
    		30 |         name: www
    		31 |       spec:
    		32 |         accessModes: ["ReadWriteOnce"]
    		33 |         storageClassName: "gp2"
    		34 |         resources:
    		35 |           requests:
    		36 |             storage: 10Gi
    
    Check: CKV_K8S_9: "Readiness Probe Should be Configured"
    	FAILED for resource: StatefulSet.default.web
    	File: /lessons/156/ebs-example/0-statefulset.yaml:2-36
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
    
    		2  | apiVersion: apps/v1
    		3  | kind: StatefulSet
    		4  | metadata:
    		5  |   name: web
    		6  |   namespace: default
    		7  | spec:
    		8  |   selector:
    		9  |     matchLabels:
    		10 |       app: nginx
    		11 |   serviceName: nginx
    		12 |   replicas: 1
    		13 |   minReadySeconds: 10
    		14 |   template:
    		15 |     metadata:
    		16 |       labels:
    		17 |         app: nginx
    		18 |     spec:
    		19 |       containers:
    		20 |         - name: nginx
    		21 |           image: registry.k8s.io/nginx-slim:0.8
    		22 |           ports:
    		23 |             - containerPort: 80
    		24 |               name: web
    		25 |           volumeMounts:
    		26 |             - name: www
    		27 |               mountPath: /usr/share/nginx/html
    		28 |   volumeClaimTemplates:
    		29 |     - metadata:
    		30 |         name: www
    		31 |       spec:
    		32 |         accessModes: ["ReadWriteOnce"]
    		33 |         storageClassName: "gp2"
    		34 |         resources:
    		35 |           requests:
    		36 |             storage: 10Gi
    
    Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
    	FAILED for resource: StatefulSet.default.web
    	File: /lessons/156/ebs-example/0-statefulset.yaml:2-36
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
    
    		2  | apiVersion: apps/v1
    		3  | kind: StatefulSet
    		4  | metadata:
    		5  |   name: web
    		6  |   namespace: default
    		7  | spec:
    		8  |   selector:
    		9  |     matchLabels:
    		10 |       app: nginx
    		11 |   serviceName: nginx
    		12 |   replicas: 1
    		13 |   minReadySeconds: 10
    		14 |   template:
    		15 |     metadata:
    		16 |       labels:
    		17 |         app: nginx
    		18 |     spec:
    		19 |       containers:
    		20 |         - name: nginx
    		21 |           image: registry.k8s.io/nginx-slim:0.8
    		22 |           ports:
    		23 |             - containerPort: 80
    		24 |               name: web
    		25 |           volumeMounts:
    		26 |             - name: www
    		27 |               mountPath: /usr/share/nginx/html
    		28 |   volumeClaimTemplates:
    		29 |     - metadata:
    		30 |         name: www
    		31 |       spec:
    		32 |         accessModes: ["ReadWriteOnce"]
    		33 |         storageClassName: "gp2"
    		34 |         resources:
    		35 |           requests:
    		36 |             storage: 10Gi
    
    Check: CKV_K8S_43: "Image should use digest"
    	FAILED for resource: StatefulSet.default.web
    	File: /lessons/156/ebs-example/0-statefulset.yaml:2-36
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
    
    		2  | apiVersion: apps/v1
    		3  | kind: StatefulSet
    		4  | metadata:
    		5  |   name: web
    		6  |   namespace: default
    		7  | spec:
    		8  |   selector:
    		9  |     matchLabels:
    		10 |       app: nginx
    		11 |   serviceName: nginx
    		12 |   replicas: 1
    		13 |   minReadySeconds: 10
    		14 |   template:
    		15 |     metadata:
    		16 |       labels:
    		17 |         app: nginx
    		18 |     spec:
    		19 |       containers:
    		20 |         - name: nginx
    		21 |           image: registry.k8s.io/nginx-slim:0.8
    		22 |           ports:
    		23 |             - containerPort: 80
    		24 |               name: web
    		25 |           volumeMounts:
    		26 |             - name: www
    		27 |               mountPath: /usr/share/nginx/html
    		28 |   volumeClaimTemplates:
    		29 |     - metadata:
    		30 |         name: www
    		31 |       spec:
    		32 |         accessModes: ["ReadWriteOnce"]
    		33 |         storageClassName: "gp2"
    		34 |         resources:
    		35 |           requests:
    		36 |             storage: 10Gi
    
    Check: CKV_K8S_23: "Minimize the admission of root containers"
    	FAILED for resource: StatefulSet.default.web
    	File: /lessons/156/ebs-example/0-statefulset.yaml:2-36
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
    
    		2  | apiVersion: apps/v1
    		3  | kind: StatefulSet
    		4  | metadata:
    		5  |   name: web
    		6  |   namespace: default
    		7  | spec:
    		8  |   selector:
    		9  |     matchLabels:
    		10 |       app: nginx
    		11 |   serviceName: nginx
    		12 |   replicas: 1
    		13 |   minReadySeconds: 10
    		14 |   template:
    		15 |     metadata:
    		16 |       labels:
    		17 |         app: nginx
    		18 |     spec:
    		19 |       containers:
    		20 |         - name: nginx
    		21 |           image: registry.k8s.io/nginx-slim:0.8
    		22 |           ports:
    		23 |             - containerPort: 80
    		24 |               name: web
    		25 |           volumeMounts:
    		26 |             - name: www
    		27 |               mountPath: /usr/share/nginx/html
    		28 |   volumeClaimTemplates:
    		29 |     - metadata:
    		30 |         name: www
    		31 |       spec:
    		32 |         accessModes: ["ReadWriteOnce"]
    		33 |         storageClassName: "gp2"
    		34 |         resources:
    		35 |           requests:
    		36 |             storage: 10Gi
    
    Check: CKV_K8S_8: "Liveness Probe Should be Configured"
    	FAILED for resource: StatefulSet.default.web
    	File: /lessons/156/ebs-example/0-statefulset.yaml:2-36
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
    
    		2  | apiVersion: apps/v1
    		3  | kind: StatefulSet
    		4  | metadata:
    		5  |   name: web
    		6  |   namespace: default
    		7  | spec:
    		8  |   selector:
    		9  |     matchLabels:
    		10 |       app: nginx
    		11 |   serviceName: nginx
    		12 |   replicas: 1
    		13 |   minReadySeconds: 10
    		14 |   template:
    		15 |     metadata:
    		16 |       labels:
    		17 |         app: nginx
    		18 |     spec:
    		19 |       containers:
    		20 |         - name: nginx
    		21 |           image: registry.k8s.io/nginx-slim:0.8
    		22 |           ports:
    		23 |             - containerPort: 80
    		24 |               name: web
    		25 |           volumeMounts:
    		26 |             - name: www
    		27 |               mountPath: /usr/share/nginx/html
    		28 |   volumeClaimTemplates:
    		29 |     - metadata:
    		30 |         name: www
    		31 |       spec:
    		32 |         accessModes: ["ReadWriteOnce"]
    		33 |         storageClassName: "gp2"
    		34 |         resources:
    		35 |           requests:
    		36 |             storage: 10Gi
    
    Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
    	FAILED for resource: StatefulSet.default.web
    	File: /lessons/156/ebs-example/0-statefulset.yaml:2-36
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
    
    		2  | apiVersion: apps/v1
    		3  | kind: StatefulSet
    		4  | metadata:
    		5  |   name: web
    		6  |   namespace: default
    		7  | spec:
    		8  |   selector:
    		9  |     matchLabels:
    		10 |       app: nginx
    		11 |   serviceName: nginx
    		12 |   replicas: 1
    		13 |   minReadySeconds: 10
    		14 |   template:
    		15 |     metadata:
    		16 |       labels:
    		17 |         app: nginx
    		18 |     spec:
    		19 |       containers:
    		20 |         - name: nginx
    		21 |           image: registry.k8s.io/nginx-slim:0.8
    		22 |           ports:
    		23 |             - containerPort: 80
    		24 |               name: web
    		25 |           volumeMounts:
    		26 |             - name: www
    		27 |               mountPath: /usr/share/nginx/html
    		28 |   volumeClaimTemplates:
    		29 |     - metadata:
    		30 |         name: www
    		31 |       spec:
    		32 |         accessModes: ["ReadWriteOnce"]
    		33 |         storageClassName: "gp2"
    		34 |         resources:
    		35 |           requests:
    		36 |             storage: 10Gi
    
    Check: CKV_K8S_13: "Memory limits should be set"
    	FAILED for resource: StatefulSet.default.web
    	File: /lessons/156/ebs-example/0-statefulset.yaml:2-36
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
    
    		2  | apiVersion: apps/v1
    		3  | kind: StatefulSet
    		4  | metadata:
    		5  |   name: web
    		6  |   namespace: default
    		7  | spec:
    		8  |   selector:
    		9  |     matchLabels:
    		10 |       app: nginx
    		11 |   serviceName: nginx
    		12 |   replicas: 1
    		13 |   minReadySeconds: 10
    		14 |   template:
    		15 |     metadata:
    		16 |       labels:
    		17 |         app: nginx
    		18 |     spec:
    		19 |       containers:
    		20 |         - name: nginx
    		21 |           image: registry.k8s.io/nginx-slim:0.8
    		22 |           ports:
    		23 |             - containerPort: 80
    		24 |               name: web
    		25 |           volumeMounts:
    		26 |             - name: www
    		27 |               mountPath: /usr/share/nginx/html
    		28 |   volumeClaimTemplates:
    		29 |     - metadata:
    		30 |         name: www
    		31 |       spec:
    		32 |         accessModes: ["ReadWriteOnce"]
    		33 |         storageClassName: "gp2"
    		34 |         resources:
    		35 |           requests:
    		36 |             storage: 10Gi
    
    Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
    	FAILED for resource: StatefulSet.default.web
    	File: /lessons/156/ebs-example/0-statefulset.yaml:2-36
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
    
    		2  | apiVersion: apps/v1
    		3  | kind: StatefulSet
    		4  | metadata:
    		5  |   name: web
    		6  |   namespace: default
    		7  | spec:
    		8  |   selector:
    		9  |     matchLabels:
    		10 |       app: nginx
    		11 |   serviceName: nginx
    		12 |   replicas: 1
    		13 |   minReadySeconds: 10
    		14 |   template:
    		15 |     metadata:
    		16 |       labels:
    		17 |         app: nginx
    		18 |     spec:
    		19 |       containers:
    		20 |         - name: nginx
    		21 |           image: registry.k8s.io/nginx-slim:0.8
    		22 |           ports:
    		23 |             - containerPort: 80
    		24 |               name: web
    		25 |           volumeMounts:
    		26 |             - name: www
    		27 |               mountPath: /usr/share/nginx/html
    		28 |   volumeClaimTemplates:
    		29 |     - metadata:
    		30 |         name: www
    		31 |       spec:
    		32 |         accessModes: ["ReadWriteOnce"]
    		33 |         storageClassName: "gp2"
    		34 |         resources:
    		35 |           requests:
    		36 |             storage: 10Gi
    
    Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
    	FAILED for resource: StatefulSet.default.web
    	File: /lessons/156/ebs-example/0-statefulset.yaml:2-36
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
    
    		2  | apiVersion: apps/v1
    		3  | kind: StatefulSet
    		4  | metadata:
    		5  |   name: web
    		6  |   namespace: default
    		7  | spec:
    		8  |   selector:
    		9  |     matchLabels:
    		10 |       app: nginx
    		11 |   serviceName: nginx
    		12 |   replicas: 1
    		13 |   minReadySeconds: 10
    		14 |   template:
    		15 |     metadata:
    		16 |       labels:
    		17 |         app: nginx
    		18 |     spec:
    		19 |       containers:
    		20 |         - name: nginx
    		21 |           image: registry.k8s.io/nginx-slim:0.8
    		22 |           ports:
    		23 |             - containerPort: 80
    		24 |               name: web
    		25 |           volumeMounts:
    		26 |             - name: www
    		27 |               mountPath: /usr/share/nginx/html
    		28 |   volumeClaimTemplates:
    		29 |     - metadata:
    		30 |         name: www
    		31 |       spec:
    		32 |         accessModes: ["ReadWriteOnce"]
    		33 |         storageClassName: "gp2"
    		34 |         resources:
    		35 |           requests:
    		36 |             storage: 10Gi
    
    Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
    	FAILED for resource: StatefulSet.default.web
    	File: /lessons/156/ebs-example/0-statefulset.yaml:2-36
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
    
    		2  | apiVersion: apps/v1
    		3  | kind: StatefulSet
    		4  | metadata:
    		5  |   name: web
    		6  |   namespace: default
    		7  | spec:
    		8  |   selector:
    		9  |     matchLabels:
    		10 |       app: nginx
    		11 |   serviceName: nginx
    		12 |   replicas: 1
    		13 |   minReadySeconds: 10
    		14 |   template:
    		15 |     metadata:
    		16 |       labels:
    		17 |         app: nginx
    		18 |     spec:
    		19 |       containers:
    		20 |         - name: nginx
    		21 |           image: registry.k8s.io/nginx-slim:0.8
    		22 |           ports:
    		23 |             - containerPort: 80
    		24 |               name: web
    		25 |           volumeMounts:
    		26 |             - name: www
    		27 |               mountPath: /usr/share/nginx/html
    		28 |   volumeClaimTemplates:
    		29 |     - metadata:
    		30 |         name: www
    		31 |       spec:
    		32 |         accessModes: ["ReadWriteOnce"]
    		33 |         storageClassName: "gp2"
    		34 |         resources:
    		35 |           requests:
    		36 |             storage: 10Gi
    
    Check: CKV_K8S_12: "Memory requests should be set"
    	FAILED for resource: StatefulSet.default.web
    	File: /lessons/156/ebs-example/0-statefulset.yaml:2-36
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
    
    		2  | apiVersion: apps/v1
    		3  | kind: StatefulSet
    		4  | metadata:
    		5  |   name: web
    		6  |   namespace: default
    		7  | spec:
    		8  |   selector:
    		9  |     matchLabels:
    		10 |       app: nginx
    		11 |   serviceName: nginx
    		12 |   replicas: 1
    		13 |   minReadySeconds: 10
    		14 |   template:
    		15 |     metadata:
    		16 |       labels:
    		17 |         app: nginx
    		18 |     spec:
    		19 |       containers:
    		20 |         - name: nginx
    		21 |           image: registry.k8s.io/nginx-slim:0.8
    		22 |           ports:
    		23 |             - containerPort: 80
    		24 |               name: web
    		25 |           volumeMounts:
    		26 |             - name: www
    		27 |               mountPath: /usr/share/nginx/html
    		28 |   volumeClaimTemplates:
    		29 |     - metadata:
    		30 |         name: www
    		31 |       spec:
    		32 |         accessModes: ["ReadWriteOnce"]
    		33 |         storageClassName: "gp2"
    		34 |         resources:
    		35 |           requests:
    		36 |             storage: 10Gi
    
    Check: CKV_K8S_15: "Image Pull Policy should be Always"
    	FAILED for resource: StatefulSet.default.web
    	File: /lessons/156/ebs-example/0-statefulset.yaml:2-36
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
    
    		2  | apiVersion: apps/v1
    		3  | kind: StatefulSet
    		4  | metadata:
    		5  |   name: web
    		6  |   namespace: default
    		7  | spec:
    		8  |   selector:
    		9  |     matchLabels:
    		10 |       app: nginx
    		11 |   serviceName: nginx
    		12 |   replicas: 1
    		13 |   minReadySeconds: 10
    		14 |   template:
    		15 |     metadata:
    		16 |       labels:
    		17 |         app: nginx
    		18 |     spec:
    		19 |       containers:
    		20 |         - name: nginx
    		21 |           image: registry.k8s.io/nginx-slim:0.8
    		22 |           ports:
    		23 |             - containerPort: 80
    		24 |               name: web
    		25 |           volumeMounts:
    		26 |             - name: www
    		27 |               mountPath: /usr/share/nginx/html
    		28 |   volumeClaimTemplates:
    		29 |     - metadata:
    		30 |         name: www
    		31 |       spec:
    		32 |         accessModes: ["ReadWriteOnce"]
    		33 |         storageClassName: "gp2"
    		34 |         resources:
    		35 |           requests:
    		36 |             storage: 10Gi
    
    Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
    	FAILED for resource: StatefulSet.default.web
    	File: /lessons/156/ebs-example/0-statefulset.yaml:2-36
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
    
    		2  | apiVersion: apps/v1
    		3  | kind: StatefulSet
    		4  | metadata:
    		5  |   name: web
    		6  |   namespace: default
    		7  | spec:
    		8  |   selector:
    		9  |     matchLabels:
    		10 |       app: nginx
    		11 |   serviceName: nginx
    		12 |   replicas: 1
    		13 |   minReadySeconds: 10
    		14 |   template:
    		15 |     metadata:
    		16 |       labels:
    		17 |         app: nginx
    		18 |     spec:
    		19 |       containers:
    		20 |         - name: nginx
    		21 |           image: registry.k8s.io/nginx-slim:0.8
    		22 |           ports:
    		23 |             - containerPort: 80
    		24 |               name: web
    		25 |           volumeMounts:
    		26 |             - name: www
    		27 |               mountPath: /usr/share/nginx/html
    		28 |   volumeClaimTemplates:
    		29 |     - metadata:
    		30 |         name: www
    		31 |       spec:
    		32 |         accessModes: ["ReadWriteOnce"]
    		33 |         storageClassName: "gp2"
    		34 |         resources:
    		35 |           requests:
    		36 |             storage: 10Gi
    
    Check: CKV_K8S_11: "CPU limits should be set"
    	FAILED for resource: Deployment.default.nginx-deployment
    	File: /lessons/156/autoscale-example/0-deployment.yaml:2-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
    
    		2  | apiVersion: apps/v1
    		3  | kind: Deployment
    		4  | metadata:
    		5  |   name: nginx-deployment
    		6  |   labels:
    		7  |     app: nginx
    		8  | spec:
    		9  |   replicas: 5
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: nginx
    		20 |           image: nginx:1.14.2
    		21 |           resources:
    		22 |             requests:
    		23 |               cpu: "2"
    		24 |               memory: 4Gi
    		25 |           ports:
    		26 |             - containerPort: 80
    
    Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
    	FAILED for resource: Deployment.default.nginx-deployment
    	File: /lessons/156/autoscale-example/0-deployment.yaml:2-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
    
    		2  | apiVersion: apps/v1
    		3  | kind: Deployment
    		4  | metadata:
    		5  |   name: nginx-deployment
    		6  |   labels:
    		7  |     app: nginx
    		8  | spec:
    		9  |   replicas: 5
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: nginx
    		20 |           image: nginx:1.14.2
    		21 |           resources:
    		22 |             requests:
    		23 |               cpu: "2"
    		24 |               memory: 4Gi
    		25 |           ports:
    		26 |             - containerPort: 80
    
    Check: CKV_K8S_21: "The default namespace should not be used"
    	FAILED for resource: Deployment.default.nginx-deployment
    	File: /lessons/156/autoscale-example/0-deployment.yaml:2-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
    
    		2  | apiVersion: apps/v1
    		3  | kind: Deployment
    		4  | metadata:
    		5  |   name: nginx-deployment
    		6  |   labels:
    		7  |     app: nginx
    		8  | spec:
    		9  |   replicas: 5
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: nginx
    		20 |           image: nginx:1.14.2
    		21 |           resources:
    		22 |             requests:
    		23 |               cpu: "2"
    		24 |               memory: 4Gi
    		25 |           ports:
    		26 |             - containerPort: 80
    
    Check: CKV_K8S_30: "Apply security context to your containers"
    	FAILED for resource: Deployment.default.nginx-deployment
    	File: /lessons/156/autoscale-example/0-deployment.yaml:2-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
    
    		2  | apiVersion: apps/v1
    		3  | kind: Deployment
    		4  | metadata:
    		5  |   name: nginx-deployment
    		6  |   labels:
    		7  |     app: nginx
    		8  | spec:
    		9  |   replicas: 5
    		10 |   selector:
    		11 |     matchLabels:
    		12 |       app: nginx
    		13 |   template:
    		14 |     metadata:
    		15 |       labels:
    		16 |         app: nginx
    		17 |     spec:
    		18 |       containers:
    		19 |         - name: nginx
    		20 |