| Repository | aws-samples / amazon-ecs-fullstack-app-terraform |
|---|---|
| Description | Fullstack app using Amazon ECS & DevOps methodologies (IaC with Terraform and CI/CD with AWS CodePipeline) |
| Stars | 114 |
| Failed Checks | Security Scanning |
| Scan Date | 2023-10-30 17:57:40 |
Security Scanning
This repository failed the Experience Builder Terraform Module's Security Scanning validation: no security scanning tool was found in any of the CI/CD tool configuration files in the repository.

There is an opportunity to:

- Remediate the findings identified by one of the recommended Terraform security scanning tools (example checkov output found below)
- Implement one of the security scanning tools within the CI/CD framework used by the repository
Checkov Output
terraform scan results:
Passed checks: 170, Failed checks: 106, Skipped checks: 0
Check: CKV_AWS_316: "Ensure CodeBuild project environments do not have privileged mode enabled"
FAILED for resource: module.codebuild_client.aws_codebuild_project.aws_codebuild
File: /Infrastructure/Modules/CodeBuild/main.tf:8-96
Calling File: /Infrastructure/main.tf:319-333
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_147: "Ensure that CodeBuild projects are encrypted using CMK"
FAILED for resource: module.codebuild_client.aws_codebuild_project.aws_codebuild
File: /Infrastructure/Modules/CodeBuild/main.tf:8-96
Calling File: /Infrastructure/main.tf:319-333
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-codebuild-projects-are-encrypted-1.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_316: "Ensure CodeBuild project environments do not have privileged mode enabled"
FAILED for resource: module.codebuild_server.aws_codebuild_project.aws_codebuild
File: /Infrastructure/Modules/CodeBuild/main.tf:8-96
Calling File: /Infrastructure/main.tf:301-316
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_147: "Ensure that CodeBuild projects are encrypted using CMK"
FAILED for resource: module.codebuild_server.aws_codebuild_project.aws_codebuild
File: /Infrastructure/Modules/CodeBuild/main.tf:8-96
Calling File: /Infrastructure/main.tf:301-316
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-codebuild-projects-are-encrypted-1.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_219: "Ensure Code Pipeline Artifact store is using a KMS CMK"
FAILED for resource: module.codepipeline.aws_codepipeline.aws_codepipeline
File: /Infrastructure/Modules/CodePipeline/main.tf:8-114
Calling File: /Infrastructure/main.tf:362-379
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-codepipeline-artifactstore-is-not-encrypted-by-key-management-service-kms-using-a-customer-managed-key-cmk.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
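The two recommendations above (fix the findings, and make the pipeline run a scanner) meet in the build stage. The following is an added example, not code from the aws-samples repository: a CodeBuild project that runs Checkov against the `Infrastructure` directory and fails the build on any failed check, wired in as a pipeline stage ahead of the deploy stages, with the settings that clear CKV_AWS_316, CKV_AWS_147 and CKV_AWS_219. `var.kms_key_arn` (a customer-managed key created elsewhere), `var.codebuild_role_arn`, `var.artifact_bucket`, `var.pipeline_role_arn`, `var.codeconnection_arn` and the branch name are assumptions for illustration.

```hcl
# Added example, not part of the aws-samples repository. Assumed inputs:
# var.kms_key_arn, var.codebuild_role_arn, var.artifact_bucket,
# var.pipeline_role_arn, var.codeconnection_arn.

resource "aws_codebuild_project" "iac_scan" {
  name           = "iac-security-scan"
  service_role   = var.codebuild_role_arn
  encryption_key = var.kms_key_arn   # CKV_AWS_147: build artifacts use the CMK, not the default aws/s3 key
  build_timeout  = 15

  artifacts {
    type = "CODEPIPELINE"
  }

  environment {
    compute_type    = "BUILD_GENERAL1_SMALL"
    image           = "aws/codebuild/amazonlinux2-x86_64-standard:5.0"
    type            = "LINUX_CONTAINER"
    privileged_mode = false          # CKV_AWS_316: no Docker daemon; a scan never needs it
  }

  source {
    type = "CODEPIPELINE"
    # Inline buildspec. Checkov exits non-zero when any check fails, so the
    # CodeBuild action fails and CodePipeline stops before the deploy stages.
    # --soft-fail is deliberately not used.
    buildspec = <<-EOT
      version: 0.2
      phases:
        install:
          commands:
            - pip3 install --quiet checkov
        build:
          commands:
            - checkov -d Infrastructure --framework terraform
    EOT
  }

  logs_config {
    cloudwatch_logs {
      group_name = "/codebuild/iac-security-scan"
    }
  }
}

resource "aws_codepipeline" "app" {
  name     = "app-pipeline"
  role_arn = var.pipeline_role_arn

  artifact_store {
    location = var.artifact_bucket
    type     = "S3"
    encryption_key {                 # CKV_AWS_219: pipeline artifacts encrypted with the CMK
      id   = var.kms_key_arn
      type = "KMS"
    }
  }

  stage {
    name = "Source"
    action {
      name             = "Source"
      category         = "Source"
      owner            = "AWS"
      provider         = "CodeStarSourceConnection"
      version          = "1"
      output_artifacts = ["source"]
      configuration = {
        ConnectionArn    = var.codeconnection_arn
        FullRepositoryId = "aws-samples/amazon-ecs-fullstack-app-terraform"
        BranchName       = "main"     # assumed branch
      }
    }
  }

  # Gate: everything after this stage only runs if Checkov reported no failures.
  stage {
    name = "IaC-Scan"
    action {
      name            = "Checkov"
      category        = "Build"
      owner           = "AWS"
      provider        = "CodeBuild"
      version         = "1"
      input_artifacts = ["source"]
      configuration = {
        ProjectName = aws_codebuild_project.iac_scan.name
      }
    }
  }
}
```

Two caveats a practitioner will hit. First, switching the artifact store and the build project to a customer-managed key is not only a Terraform change: the key policy must allow the CodeBuild and CodePipeline service roles `kms:Decrypt` and `kms:GenerateDataKey`, otherwise the failure shows up at artifact upload time rather than at `terraform plan`. Second, the repository's existing server and client CodeBuild projects build container images, which is the usual reason `privileged_mode` is on; keep it only on the project that actually runs `docker build`, and record that decision with an inline `#checkov:skip=CKV_AWS_316:<reason>` comment on that resource so the exception is visible in the scan output instead of silently failing every run.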
Check: CKV_AWS_119: "Ensure DynamoDB Tables are encrypted using a KMS Customer Managed CMK"
FAILED for resource: module.dynamodb_table.aws_dynamodb_table.dynamodb_table
File: /Infrastructure/Modules/Dynamodb/main.tf:8-22
Calling File: /Infrastructure/main.tf:388-391
Guide: https://docs.bridgecrew.io/docs/ensure-that-dynamodb-tables-are-encrypted
8 | resource "aws_dynamodb_table" "dynamodb_table" {
9 | name = var.name
10 | billing_mode = "PAY_PER_REQUEST"
11 | hash_key = var.hash_key
12 | range_key = var.range_key
13 |
14 | dynamic "attribute" {
15 | for_each = var.attributes
16 | content {
17 | name = attribute.value.name
18 | type = attribute.value.type
19 | }
20 | }
21 |
22 | }
Check: CKV_AWS_28: "Ensure Dynamodb point in time recovery (backup) is enabled"
FAILED for resource: module.dynamodb_table.aws_dynamodb_table.dynamodb_table
File: /Infrastructure/Modules/Dynamodb/main.tf:8-22
Calling File: /Infrastructure/main.tf:388-391
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-6.html
8 | resource "aws_dynamodb_table" "dynamodb_table" {
9 | name = var.name
10 | billing_mode = "PAY_PER_REQUEST"
11 | hash_key = var.hash_key
12 | range_key = var.range_key
13 |
14 | dynamic "attribute" {
15 | for_each = var.attributes
16 | content {
17 | name = attribute.value.name
18 | type = attribute.value.type
19 | }
20 | }
21 |
22 | }
Check: CKV_AWS_163: "Ensure ECR image scanning on push is enabled"
FAILED for resource: module.ecr_client.aws_ecr_repository.ecr_repository
File: /Infrastructure/Modules/ECR/main.tf:8-11
Calling File: /Infrastructure/main.tf:153-156
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-8.html
8 | resource "aws_ecr_repository" "ecr_repository" {
9 | name = var.name
10 | image_tag_mutability = "MUTABLE"
11 | }
Check: CKV_AWS_51: "Ensure ECR Image Tags are immutable"
FAILED for resource: module.ecr_client.aws_ecr_repository.ecr_repository
File: /Infrastructure/Modules/ECR/main.tf:8-11
Calling File: /Infrastructure/main.tf:153-156
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-24.html
8 | resource "aws_ecr_repository" "ecr_repository" {
9 | name = var.name
10 | image_tag_mutability = "MUTABLE"
11 | }
Check: CKV_AWS_136: "Ensure that ECR repositories are encrypted using KMS"
FAILED for resource: module.ecr_client.aws_ecr_repository.ecr_repository
File: /Infrastructure/Modules/ECR/main.tf:8-11
Calling File: /Infrastructure/main.tf:153-156
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ecr-repositories-are-encrypted.html
8 | resource "aws_ecr_repository" "ecr_repository" {
9 | name = var.name
10 | image_tag_mutability = "MUTABLE"
11 | }
Check: CKV_AWS_163: "Ensure ECR image scanning on push is enabled"
FAILED for resource: module.ecr_server.aws_ecr_repository.ecr_repository
File: /Infrastructure/Modules/ECR/main.tf:8-11
Calling File: /Infrastructure/main.tf:147-150
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-8.html
8 | resource "aws_ecr_repository" "ecr_repository" {
9 | name = var.name
10 | image_tag_mutability = "MUTABLE"
11 | }
Check: CKV_AWS_51: "Ensure ECR Image Tags are immutable"
FAILED for resource: module.ecr_server.aws_ecr_repository.ecr_repository
File: /Infrastructure/Modules/ECR/main.tf:8-11
Calling File: /Infrastructure/main.tf:147-150
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-24.html
8 | resource "aws_ecr_repository" "ecr_repository" {
9 | name = var.name
10 | image_tag_mutability = "MUTABLE"
11 | }
Check: CKV_AWS_136: "Ensure that ECR repositories are encrypted using KMS"
FAILED for resource: module.ecr_server.aws_ecr_repository.ecr_repository
File: /Infrastructure/Modules/ECR/main.tf:8-11
Calling File: /Infrastructure/main.tf:147-150
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ecr-repositories-are-encrypted.html
8 | resource "aws_ecr_repository" "ecr_repository" {
9 | name = var.name
10 | image_tag_mutability = "MUTABLE"
11 | }
Check: CKV_AWS_65: "Ensure container insights are enabled on ECS cluster"
FAILED for resource: module.ecs_cluster.aws_ecs_cluster.ecs_cluster
File: /Infrastructure/Modules/ECS/Cluster/main.tf:8-10
Calling File: /Infrastructure/main.tf:206-209
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-11.html
8 | resource "aws_ecs_cluster" "ecs_cluster" {
9 | name = "Cluster-${var.name}"
10 | }
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: module.ecs_taks_definition_client.aws_cloudwatch_log_group.TaskDF-Log_Group
File: /Infrastructure/Modules/ECS/TaskDefinition/main.tf:45-48
Calling File: /Infrastructure/main.tf:173-184
45 | resource "aws_cloudwatch_log_group" "TaskDF-Log_Group" {
46 | name = "/ecs/task-definition-${var.name}"
47 | retention_in_days = 30
48 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
FAILED for resource: module.ecs_taks_definition_client.aws_cloudwatch_log_group.TaskDF-Log_Group
File: /Infrastructure/Modules/ECS/TaskDefinition/main.tf:45-48
Calling File: /Infrastructure/main.tf:173-184
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html
45 | resource "aws_cloudwatch_log_group" "TaskDF-Log_Group" {
46 | name = "/ecs/task-definition-${var.name}"
47 | retention_in_days = 30
48 | }
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: module.ecs_taks_definition_server.aws_cloudwatch_log_group.TaskDF-Log_Group
File: /Infrastructure/Modules/ECS/TaskDefinition/main.tf:45-48
Calling File: /Infrastructure/main.tf:159-170
45 | resource "aws_cloudwatch_log_group" "TaskDF-Log_Group" {
46 | name = "/ecs/task-definition-${var.name}"
47 | retention_in_days = 30
48 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
FAILED for resource: module.ecs_taks_definition_server.aws_cloudwatch_log_group.TaskDF-Log_Group
File: /Infrastructure/Modules/ECS/TaskDefinition/main.tf:45-48
Calling File: /Infrastructure/main.tf:159-170
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html
45 | resource "aws_cloudwatch_log_group" "TaskDF-Log_Group" {
46 | name = "/ecs/task-definition-${var.name}"
47 | retention_in_days = 30
48 | }
Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
FAILED for resource: module.codedeploy_role.aws_iam_policy_document.role_policy_devops_role
File: /Infrastructure/Modules/IAM/main.tf:175-304
Calling File: /Infrastructure/main.tf:276-280
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
FAILED for resource: module.codedeploy_role.aws_iam_policy_document.role_policy_devops_role
File: /Infrastructure/Modules/IAM/main.tf:175-304
Calling File: /Infrastructure/main.tf:276-280
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: module.codedeploy_role.aws_iam_policy_document.role_policy_devops_role
File: /Infrastructure/Modules/IAM/main.tf:175-304
Calling File: /Infrastructure/main.tf:276-280
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: module.codedeploy_role.aws_iam_policy_document.role_policy_devops_role
File: /Infrastructure/Modules/IAM/main.tf:175-304
Calling File: /Infrastructure/main.tf:276-280
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
FAILED for resource: module.codedeploy_role.aws_iam_policy_document.role_policy_ecs_task_role
File: /Infrastructure/Modules/IAM/main.tf:306-337
Calling File: /Infrastructure/main.tf:276-280
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration.html
306 | data "aws_iam_policy_document" "role_policy_ecs_task_role" {
307 | statement {
308 | sid = "AllowS3Actions"
309 | effect = "Allow"
310 | actions = [
311 | "s3:GetObject",
312 | "s3:ListBucket"
313 | ]
314 | resources = var.s3_bucket_assets
315 | }
316 | statement {
317 | sid = "AllowIAMPassRole"
318 | effect = "Allow"
319 | actions = [
320 | "iam:PassRole"
321 | ]
322 | resources = ["*"]
323 | }
324 | statement {
325 | sid = "AllowDynamodbActions"
326 | effect = "Allow"
327 | actions = [
328 | "dynamodb:BatchGetItem",
329 | "dynamodb:Describe*",
330 | "dynamodb:List*",
331 | "dynamodb:GetItem",
332 | "dynamodb:Query",
333 | "dynamodb:Scan",
334 | ]
335 | resources = var.dynamodb_table
336 | }
337 | }
Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
FAILED for resource: module.codedeploy_role.aws_iam_policy_document.role_policy_ecs_task_role
File: /Infrastructure/Modules/IAM/main.tf:306-337
Calling File: /Infrastructure/main.tf:276-280
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint.html
306 | data "aws_iam_policy_document" "role_policy_ecs_task_role" {
307 | statement {
308 | sid = "AllowS3Actions"
309 | effect = "Allow"
310 | actions = [
311 | "s3:GetObject",
312 | "s3:ListBucket"
313 | ]
314 | resources = var.s3_bucket_assets
315 | }
316 | statement {
317 | sid = "AllowIAMPassRole"
318 | effect = "Allow"
319 | actions = [
320 | "iam:PassRole"
321 | ]
322 | resources = ["*"]
323 | }
324 | statement {
325 | sid = "AllowDynamodbActions"
326 | effect = "Allow"
327 | actions = [
328 | "dynamodb:BatchGetItem",
329 | "dynamodb:Describe*",
330 | "dynamodb:List*",
331 | "dynamodb:GetItem",
332 | "dynamodb:Query",
333 | "dynamodb:Scan",
334 | ]
335 | resources = var.dynamodb_table
336 | }
337 | }
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: module.codedeploy_role.aws_iam_policy_document.role_policy_ecs_task_role
File: /Infrastructure/Modules/IAM/main.tf:306-337
Calling File: /Infrastructure/main.tf:276-280
306 | data "aws_iam_policy_document" "role_policy_ecs_task_role" {
307 | statement {
308 | sid = "AllowS3Actions"
309 | effect = "Allow"
310 | actions = [
311 | "s3:GetObject",
312 | "s3:ListBucket"
313 | ]
314 | resources = var.s3_bucket_assets
315 | }
316 | statement {
317 | sid = "AllowIAMPassRole"
318 | effect = "Allow"
319 | actions = [
320 | "iam:PassRole"
321 | ]
322 | resources = ["*"]
323 | }
324 | statement {
325 | sid = "AllowDynamodbActions"
326 | effect = "Allow"
327 | actions = [
328 | "dynamodb:BatchGetItem",
329 | "dynamodb:Describe*",
330 | "dynamodb:List*",
331 | "dynamodb:GetItem",
332 | "dynamodb:Query",
333 | "dynamodb:Scan",
334 | ]
335 | resources = var.dynamodb_table
336 | }
337 | }
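The IAM findings above repeat because the same `Modules/IAM/main.tf` document is evaluated once per call of the IAM module (codedeploy_role, devops_role, ecs_role, ecs_role_policy); one change to the module clears all of them. For `role_policy_ecs_task_role`, the line that CKV_AWS_109 and CKV_AWS_356 point at is `resources = ["*"]` on `iam:PassRole`: any process running as the task role can hand any role in the account to any service that accepts one, which is a classic privilege-escalation primitive. The following is an added example, not code from the aws-samples repository, with the wildcard statement scoped to one role and one receiving service; `var.execution_role_arn` is an assumed input, while `var.s3_bucket_assets` and `var.dynamodb_table` are the ARN lists the module already takes.

```hcl
# Added example, not part of the aws-samples repository.
# Assumed input: var.execution_role_arn (the task execution role that ECS may
# be given on this task's behalf). Other variables are the module's own.

data "aws_iam_policy_document" "role_policy_ecs_task_role" {
  statement {
    sid    = "AllowS3Actions"
    effect = "Allow"
    actions = [
      "s3:GetObject",
      "s3:ListBucket",
    ]
    resources = var.s3_bucket_assets
  }

  # Scoped PassRole: only this one role may be passed, and only to ECS tasks.
  # The iam:PassedToService condition stops the same grant from being reused
  # to attach the role to a Lambda function, an EC2 instance profile, etc.
  statement {
    sid       = "AllowIAMPassRole"
    effect    = "Allow"
    actions   = ["iam:PassRole"]
    resources = [var.execution_role_arn]

    condition {
      test     = "StringEquals"
      variable = "iam:PassedToService"
      values   = ["ecs-tasks.amazonaws.com"]
    }
  }

  statement {
    sid    = "AllowDynamodbActions"
    effect = "Allow"
    actions = [
      "dynamodb:BatchGetItem",
      "dynamodb:Describe*",
      "dynamodb:List*",
      "dynamodb:GetItem",
      "dynamodb:Query",
      "dynamodb:Scan",
    ]
    resources = var.dynamodb_table
  }
}
```

Before scoping the statement, ask whether the task role needs `iam:PassRole` at all. PassRole is consumed by whoever registers task definitions or calls `RunTask`, which in this architecture is the pipeline's role, not the application container. If the application never calls an API that takes a role ARN, deleting the `AllowIAMPassRole` statement is the correct fix and removes the finding entirely. The `role_policy_devops_role` document (lines 175-304 of the same file) is not shown in the report because Checkov truncates it, so review it in the file against the same question: every `"*"` resource on a restrictable action should either become a specific ARN or carry a condition that limits what it can reach.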
Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
FAILED for resource: module.devops_role.aws_iam_policy_document.role_policy_devops_role
File: /Infrastructure/Modules/IAM/main.tf:175-304
Calling File: /Infrastructure/main.tf:270-274
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
FAILED for resource: module.devops_role.aws_iam_policy_document.role_policy_devops_role
File: /Infrastructure/Modules/IAM/main.tf:175-304
Calling File: /Infrastructure/main.tf:270-274
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: module.devops_role.aws_iam_policy_document.role_policy_devops_role
File: /Infrastructure/Modules/IAM/main.tf:175-304
Calling File: /Infrastructure/main.tf:270-274
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: module.devops_role.aws_iam_policy_document.role_policy_devops_role
File: /Infrastructure/Modules/IAM/main.tf:175-304
Calling File: /Infrastructure/main.tf:270-274
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
FAILED for resource: module.devops_role.aws_iam_policy_document.role_policy_ecs_task_role
File: /Infrastructure/Modules/IAM/main.tf:306-337
Calling File: /Infrastructure/main.tf:270-274
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration.html
306 | data "aws_iam_policy_document" "role_policy_ecs_task_role" {
307 | statement {
308 | sid = "AllowS3Actions"
309 | effect = "Allow"
310 | actions = [
311 | "s3:GetObject",
312 | "s3:ListBucket"
313 | ]
314 | resources = var.s3_bucket_assets
315 | }
316 | statement {
317 | sid = "AllowIAMPassRole"
318 | effect = "Allow"
319 | actions = [
320 | "iam:PassRole"
321 | ]
322 | resources = ["*"]
323 | }
324 | statement {
325 | sid = "AllowDynamodbActions"
326 | effect = "Allow"
327 | actions = [
328 | "dynamodb:BatchGetItem",
329 | "dynamodb:Describe*",
330 | "dynamodb:List*",
331 | "dynamodb:GetItem",
332 | "dynamodb:Query",
333 | "dynamodb:Scan",
334 | ]
335 | resources = var.dynamodb_table
336 | }
337 | }
Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
FAILED for resource: module.devops_role.aws_iam_policy_document.role_policy_ecs_task_role
File: /Infrastructure/Modules/IAM/main.tf:306-337
Calling File: /Infrastructure/main.tf:270-274
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint.html
306 | data "aws_iam_policy_document" "role_policy_ecs_task_role" {
307 | statement {
308 | sid = "AllowS3Actions"
309 | effect = "Allow"
310 | actions = [
311 | "s3:GetObject",
312 | "s3:ListBucket"
313 | ]
314 | resources = var.s3_bucket_assets
315 | }
316 | statement {
317 | sid = "AllowIAMPassRole"
318 | effect = "Allow"
319 | actions = [
320 | "iam:PassRole"
321 | ]
322 | resources = ["*"]
323 | }
324 | statement {
325 | sid = "AllowDynamodbActions"
326 | effect = "Allow"
327 | actions = [
328 | "dynamodb:BatchGetItem",
329 | "dynamodb:Describe*",
330 | "dynamodb:List*",
331 | "dynamodb:GetItem",
332 | "dynamodb:Query",
333 | "dynamodb:Scan",
334 | ]
335 | resources = var.dynamodb_table
336 | }
337 | }
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: module.devops_role.aws_iam_policy_document.role_policy_ecs_task_role
File: /Infrastructure/Modules/IAM/main.tf:306-337
Calling File: /Infrastructure/main.tf:270-274
306 | data "aws_iam_policy_document" "role_policy_ecs_task_role" {
307 | statement {
308 | sid = "AllowS3Actions"
309 | effect = "Allow"
310 | actions = [
311 | "s3:GetObject",
312 | "s3:ListBucket"
313 | ]
314 | resources = var.s3_bucket_assets
315 | }
316 | statement {
317 | sid = "AllowIAMPassRole"
318 | effect = "Allow"
319 | actions = [
320 | "iam:PassRole"
321 | ]
322 | resources = ["*"]
323 | }
324 | statement {
325 | sid = "AllowDynamodbActions"
326 | effect = "Allow"
327 | actions = [
328 | "dynamodb:BatchGetItem",
329 | "dynamodb:Describe*",
330 | "dynamodb:List*",
331 | "dynamodb:GetItem",
332 | "dynamodb:Query",
333 | "dynamodb:Scan",
334 | ]
335 | resources = var.dynamodb_table
336 | }
337 | }
Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
FAILED for resource: module.ecs_role.aws_iam_policy_document.role_policy_devops_role
File: /Infrastructure/Modules/IAM/main.tf:175-304
Calling File: /Infrastructure/main.tf:130-136
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
FAILED for resource: module.ecs_role.aws_iam_policy_document.role_policy_devops_role
File: /Infrastructure/Modules/IAM/main.tf:175-304
Calling File: /Infrastructure/main.tf:130-136
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: module.ecs_role.aws_iam_policy_document.role_policy_devops_role
File: /Infrastructure/Modules/IAM/main.tf:175-304
Calling File: /Infrastructure/main.tf:130-136
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: module.ecs_role.aws_iam_policy_document.role_policy_devops_role
File: /Infrastructure/Modules/IAM/main.tf:175-304
Calling File: /Infrastructure/main.tf:130-136
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
FAILED for resource: module.ecs_role.aws_iam_policy_document.role_policy_ecs_task_role
File: /Infrastructure/Modules/IAM/main.tf:306-337
Calling File: /Infrastructure/main.tf:130-136
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration.html
306 | data "aws_iam_policy_document" "role_policy_ecs_task_role" {
307 | statement {
308 | sid = "AllowS3Actions"
309 | effect = "Allow"
310 | actions = [
311 | "s3:GetObject",
312 | "s3:ListBucket"
313 | ]
314 | resources = var.s3_bucket_assets
315 | }
316 | statement {
317 | sid = "AllowIAMPassRole"
318 | effect = "Allow"
319 | actions = [
320 | "iam:PassRole"
321 | ]
322 | resources = ["*"]
323 | }
324 | statement {
325 | sid = "AllowDynamodbActions"
326 | effect = "Allow"
327 | actions = [
328 | "dynamodb:BatchGetItem",
329 | "dynamodb:Describe*",
330 | "dynamodb:List*",
331 | "dynamodb:GetItem",
332 | "dynamodb:Query",
333 | "dynamodb:Scan",
334 | ]
335 | resources = var.dynamodb_table
336 | }
337 | }
Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
FAILED for resource: module.ecs_role.aws_iam_policy_document.role_policy_ecs_task_role
File: /Infrastructure/Modules/IAM/main.tf:306-337
Calling File: /Infrastructure/main.tf:130-136
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint.html
306 | data "aws_iam_policy_document" "role_policy_ecs_task_role" {
307 | statement {
308 | sid = "AllowS3Actions"
309 | effect = "Allow"
310 | actions = [
311 | "s3:GetObject",
312 | "s3:ListBucket"
313 | ]
314 | resources = var.s3_bucket_assets
315 | }
316 | statement {
317 | sid = "AllowIAMPassRole"
318 | effect = "Allow"
319 | actions = [
320 | "iam:PassRole"
321 | ]
322 | resources = ["*"]
323 | }
324 | statement {
325 | sid = "AllowDynamodbActions"
326 | effect = "Allow"
327 | actions = [
328 | "dynamodb:BatchGetItem",
329 | "dynamodb:Describe*",
330 | "dynamodb:List*",
331 | "dynamodb:GetItem",
332 | "dynamodb:Query",
333 | "dynamodb:Scan",
334 | ]
335 | resources = var.dynamodb_table
336 | }
337 | }
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: module.ecs_role.aws_iam_policy_document.role_policy_ecs_task_role
File: /Infrastructure/Modules/IAM/main.tf:306-337
Calling File: /Infrastructure/main.tf:130-136
306 | data "aws_iam_policy_document" "role_policy_ecs_task_role" {
307 | statement {
308 | sid = "AllowS3Actions"
309 | effect = "Allow"
310 | actions = [
311 | "s3:GetObject",
312 | "s3:ListBucket"
313 | ]
314 | resources = var.s3_bucket_assets
315 | }
316 | statement {
317 | sid = "AllowIAMPassRole"
318 | effect = "Allow"
319 | actions = [
320 | "iam:PassRole"
321 | ]
322 | resources = ["*"]
323 | }
324 | statement {
325 | sid = "AllowDynamodbActions"
326 | effect = "Allow"
327 | actions = [
328 | "dynamodb:BatchGetItem",
329 | "dynamodb:Describe*",
330 | "dynamodb:List*",
331 | "dynamodb:GetItem",
332 | "dynamodb:Query",
333 | "dynamodb:Scan",
334 | ]
335 | resources = var.dynamodb_table
336 | }
337 | }
Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
FAILED for resource: module.ecs_role_policy.aws_iam_policy_document.role_policy_devops_role
File: /Infrastructure/Modules/IAM/main.tf:175-304
Calling File: /Infrastructure/main.tf:139-144
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
FAILED for resource: module.ecs_role_policy.aws_iam_policy_document.role_policy_devops_role
File: /Infrastructure/Modules/IAM/main.tf:175-304
Calling File: /Infrastructure/main.tf:139-144
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: module.ecs_role_policy.aws_iam_policy_document.role_policy_devops_role
File: /Infrastructure/Modules/IAM/main.tf:175-304
Calling File: /Infrastructure/main.tf:139-144
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: module.ecs_role_policy.aws_iam_policy_document.role_policy_devops_role
File: /Infrastructure/Modules/IAM/main.tf:175-304
Calling File: /Infrastructure/main.tf:139-144
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
FAILED for resource: module.ecs_role_policy.aws_iam_policy_document.role_policy_ecs_task_role
File: /Infrastructure/Modules/IAM/main.tf:306-337
Calling File: /Infrastructure/main.tf:139-144
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration.html
306 | data "aws_iam_policy_document" "role_policy_ecs_task_role" {
307 | statement {
308 | sid = "AllowS3Actions"
309 | effect = "Allow"
310 | actions = [
311 | "s3:GetObject",
312 | "s3:ListBucket"
313 | ]
314 | resources = var.s3_bucket_assets
315 | }
316 | statement {
317 | sid = "AllowIAMPassRole"
318 | effect = "Allow"
319 | actions = [
320 | "iam:PassRole"
321 | ]
322 | resources = ["*"]
323 | }
324 | statement {
325 | sid = "AllowDynamodbActions"
326 | effect = "Allow"
327 | actions = [
328 | "dynamodb:BatchGetItem",
329 | "dynamodb:Describe*",
330 | "dynamodb:List*",
331 | "dynamodb:GetItem",
332 | "dynamodb:Query",
333 | "dynamodb:Scan",
334 | ]
335 | resources = var.dynamodb_table
336 | }
337 | }
Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
FAILED for resource: module.ecs_role_policy.aws_iam_policy_document.role_policy_ecs_task_role
File: /Infrastructure/Modules/IAM/main.tf:306-337
Calling File: /Infrastructure/main.tf:139-144
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint.html
306 | data "aws_iam_policy_document" "role_policy_ecs_task_role" {
307 | statement {
308 | sid = "AllowS3Actions"
309 | effect = "Allow"
310 | actions = [
311 | "s3:GetObject",
312 | "s3:ListBucket"
313 | ]
314 | resources = var.s3_bucket_assets
315 | }
316 | statement {
317 | sid = "AllowIAMPassRole"
318 | effect = "Allow"
319 | actions = [
320 | "iam:PassRole"
321 | ]
322 | resources = ["*"]
323 | }
324 | statement {
325 | sid = "AllowDynamodbActions"
326 | effect = "Allow"
327 | actions = [
328 | "dynamodb:BatchGetItem",
329 | "dynamodb:Describe*",
330 | "dynamodb:List*",
331 | "dynamodb:GetItem",
332 | "dynamodb:Query",
333 | "dynamodb:Scan",
334 | ]
335 | resources = var.dynamodb_table
336 | }
337 | }
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: module.ecs_role_policy.aws_iam_policy_document.role_policy_ecs_task_role
File: /Infrastructure/Modules/IAM/main.tf:306-337
Calling File: /Infrastructure/main.tf:139-144
306 | data "aws_iam_policy_document" "role_policy_ecs_task_role" {
307 | statement {
308 | sid = "AllowS3Actions"
309 | effect = "Allow"
310 | actions = [
311 | "s3:GetObject",
312 | "s3:ListBucket"
313 | ]
314 | resources = var.s3_bucket_assets
315 | }
316 | statement {
317 | sid = "AllowIAMPassRole"
318 | effect = "Allow"
319 | actions = [
320 | "iam:PassRole"
321 | ]
322 | resources = ["*"]
323 | }
324 | statement {
325 | sid = "AllowDynamodbActions"
326 | effect = "Allow"
327 | actions = [
328 | "dynamodb:BatchGetItem",
329 | "dynamodb:Describe*",
330 | "dynamodb:List*",
331 | "dynamodb:GetItem",
332 | "dynamodb:Query",
333 | "dynamodb:Scan",
334 | ]
335 | resources = var.dynamodb_table
336 | }
337 | }
Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
FAILED for resource: module.policy_devops_role.aws_iam_policy_document.role_policy_devops_role
File: /Infrastructure/Modules/IAM/main.tf:175-304
Calling File: /Infrastructure/main.tf:283-292
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
FAILED for resource: module.policy_devops_role.aws_iam_policy_document.role_policy_devops_role
File: /Infrastructure/Modules/IAM/main.tf:175-304
Calling File: /Infrastructure/main.tf:283-292
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: module.policy_devops_role.aws_iam_policy_document.role_policy_devops_role
File: /Infrastructure/Modules/IAM/main.tf:175-304
Calling File: /Infrastructure/main.tf:283-292
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: module.policy_devops_role.aws_iam_policy_document.role_policy_devops_role
File: /Infrastructure/Modules/IAM/main.tf:175-304
Calling File: /Infrastructure/main.tf:283-292
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
FAILED for resource: module.policy_devops_role.aws_iam_policy_document.role_policy_ecs_task_role
File: /Infrastructure/Modules/IAM/main.tf:306-337
Calling File: /Infrastructure/main.tf:283-292
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration.html
306 | data "aws_iam_policy_document" "role_policy_ecs_task_role" {
307 | statement {
308 | sid = "AllowS3Actions"
309 | effect = "Allow"
310 | actions = [
311 | "s3:GetObject",
312 | "s3:ListBucket"
313 | ]
314 | resources = var.s3_bucket_assets
315 | }
316 | statement {
317 | sid = "AllowIAMPassRole"
318 | effect = "Allow"
319 | actions = [
320 | "iam:PassRole"
321 | ]
322 | resources = ["*"]
323 | }
324 | statement {
325 | sid = "AllowDynamodbActions"
326 | effect = "Allow"
327 | actions = [
328 | "dynamodb:BatchGetItem",
329 | "dynamodb:Describe*",
330 | "dynamodb:List*",
331 | "dynamodb:GetItem",
332 | "dynamodb:Query",
333 | "dynamodb:Scan",
334 | ]
335 | resources = var.dynamodb_table
336 | }
337 | }
Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
FAILED for resource: module.policy_devops_role.aws_iam_policy_document.role_policy_ecs_task_role
File: /Infrastructure/Modules/IAM/main.tf:306-337
Calling File: /Infrastructure/main.tf:283-292
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint.html
306 | data "aws_iam_policy_document" "role_policy_ecs_task_role" {
307 | statement {
308 | sid = "AllowS3Actions"
309 | effect = "Allow"
310 | actions = [
311 | "s3:GetObject",
312 | "s3:ListBucket"
313 | ]
314 | resources = var.s3_bucket_assets
315 | }
316 | statement {
317 | sid = "AllowIAMPassRole"
318 | effect = "Allow"
319 | actions = [
320 | "iam:PassRole"
321 | ]
322 | resources = ["*"]
323 | }
324 | statement {
325 | sid = "AllowDynamodbActions"
326 | effect = "Allow"
327 | actions = [
328 | "dynamodb:BatchGetItem",
329 | "dynamodb:Describe*",
330 | "dynamodb:List*",
331 | "dynamodb:GetItem",
332 | "dynamodb:Query",
333 | "dynamodb:Scan",
334 | ]
335 | resources = var.dynamodb_table
336 | }
337 | }
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: module.policy_devops_role.aws_iam_policy_document.role_policy_ecs_task_role
File: /Infrastructure/Modules/IAM/main.tf:306-337
Calling File: /Infrastructure/main.tf:283-292
306 | data "aws_iam_policy_document" "role_policy_ecs_task_role" {
307 | statement {
308 | sid = "AllowS3Actions"
309 | effect = "Allow"
310 | actions = [
311 | "s3:GetObject",
312 | "s3:ListBucket"
313 | ]
314 | resources = var.s3_bucket_assets
315 | }
316 | statement {
317 | sid = "AllowIAMPassRole"
318 | effect = "Allow"
319 | actions = [
320 | "iam:PassRole"
321 | ]
322 | resources = ["*"]
323 | }
324 | statement {
325 | sid = "AllowDynamodbActions"
326 | effect = "Allow"
327 | actions = [
328 | "dynamodb:BatchGetItem",
329 | "dynamodb:Describe*",
330 | "dynamodb:List*",
331 | "dynamodb:GetItem",
332 | "dynamodb:Query",
333 | "dynamodb:Scan",
334 | ]
335 | resources = var.dynamodb_table
336 | }
337 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: module.networking.aws_subnet.public_subnets[0]
File: /Infrastructure/Modules/Networking/main.tf:27-36
Calling File: /Infrastructure/main.tf:31-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
27 | resource "aws_subnet" "public_subnets" {
28 | count = 2
29 | availability_zone = data.aws_availability_zones.az_availables.names[count.index]
30 | vpc_id = aws_vpc.aws_vpc.id
31 | cidr_block = cidrsubnet(aws_vpc.aws_vpc.cidr_block, 7, count.index + 1)
32 | map_public_ip_on_launch = true
33 | tags = {
34 | Name = "public_subnet_${count.index}_${var.name}"
35 | }
36 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: module.networking.aws_subnet.public_subnets[1]
File: /Infrastructure/Modules/Networking/main.tf:27-36
Calling File: /Infrastructure/main.tf:31-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
27 | resource "aws_subnet" "public_subnets" {
28 | count = 2
29 | availability_zone = data.aws_availability_zones.az_availables.names[count.index]
30 | vpc_id = aws_vpc.aws_vpc.id
31 | cidr_block = cidrsubnet(aws_vpc.aws_vpc.cidr_block, 7, count.index + 1)
32 | map_public_ip_on_launch = true
33 | tags = {
34 | Name = "public_subnet_${count.index}_${var.name}"
35 | }
36 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
FAILED for resource: module.sns.aws_sns_topic.sns_notifications
File: /Infrastructure/Modules/SNS/main.tf:8-10
Calling File: /Infrastructure/main.tf:295-298
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-15.html
8 | resource "aws_sns_topic" "sns_notifications" {
9 | name = var.sns_name
10 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.security_group_alb_client.aws_security_group.sg
File: /Infrastructure/Modules/SecurityGroup/main.tf:8-30
Calling File: /Infrastructure/main.tf:100-107
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
8 | resource "aws_security_group" "sg" {
9 | name = var.name
10 | description = var.description
11 | vpc_id = var.vpc_id
12 |
13 | ingress {
14 | protocol = "tcp"
15 | from_port = var.ingress_port
16 | to_port = var.ingress_port
17 | cidr_blocks = var.cidr_blocks_ingress
18 | security_groups = var.security_groups
19 | }
20 | egress {
21 | from_port = var.egress_port
22 | to_port = var.egress_port
23 | protocol = "-1"
24 | cidr_blocks = var.cidr_blocks_egress
25 | }
26 |
27 | tags = {
28 | Name = var.name
29 | }
30 | }
Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
FAILED for resource: module.security_group_alb_client.aws_security_group.sg
File: /Infrastructure/Modules/SecurityGroup/main.tf:8-30
Calling File: /Infrastructure/main.tf:100-107
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
8 | resource "aws_security_group" "sg" {
9 | name = var.name
10 | description = var.description
11 | vpc_id = var.vpc_id
12 |
13 | ingress {
14 | protocol = "tcp"
15 | from_port = var.ingress_port
16 | to_port = var.ingress_port
17 | cidr_blocks = var.cidr_blocks_ingress
18 | security_groups = var.security_groups
19 | }
20 | egress {
21 | from_port = var.egress_port
22 | to_port = var.egress_port
23 | protocol = "-1"
24 | cidr_blocks = var.cidr_blocks_egress
25 | }
26 |
27 | tags = {
28 | Name = var.name
29 | }
30 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.security_group_alb_server.aws_security_group.sg
File: /Infrastructure/Modules/SecurityGroup/main.tf:8-30
Calling File: /Infrastructure/main.tf:90-97
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
8 | resource "aws_security_group" "sg" {
9 | name = var.name
10 | description = var.description
11 | vpc_id = var.vpc_id
12 |
13 | ingress {
14 | protocol = "tcp"
15 | from_port = var.ingress_port
16 | to_port = var.ingress_port
17 | cidr_blocks = var.cidr_blocks_ingress
18 | security_groups = var.security_groups
19 | }
20 | egress {
21 | from_port = var.egress_port
22 | to_port = var.egress_port
23 | protocol = "-1"
24 | cidr_blocks = var.cidr_blocks_egress
25 | }
26 |
27 | tags = {
28 | Name = var.name
29 | }
30 | }
Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
FAILED for resource: module.security_group_alb_server.aws_security_group.sg
File: /Infrastructure/Modules/SecurityGroup/main.tf:8-30
Calling File: /Infrastructure/main.tf:90-97
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
8 | resource "aws_security_group" "sg" {
9 | name = var.name
10 | description = var.description
11 | vpc_id = var.vpc_id
12 |
13 | ingress {
14 | protocol = "tcp"
15 | from_port = var.ingress_port
16 | to_port = var.ingress_port
17 | cidr_blocks = var.cidr_blocks_ingress
18 | security_groups = var.security_groups
19 | }
20 | egress {
21 | from_port = var.egress_port
22 | to_port = var.egress_port
23 | protocol = "-1"
24 | cidr_blocks = var.cidr_blocks_egress
25 | }
26 |
27 | tags = {
28 | Name = var.name
29 | }
30 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.security_group_ecs_task_client.aws_security_group.sg
File: /Infrastructure/Modules/SecurityGroup/main.tf:8-30
Calling File: /Infrastructure/main.tf:196-203
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
8 | resource "aws_security_group" "sg" {
9 | name = var.name
10 | description = var.description
11 | vpc_id = var.vpc_id
12 |
13 | ingress {
14 | protocol = "tcp"
15 | from_port = var.ingress_port
16 | to_port = var.ingress_port
17 | cidr_blocks = var.cidr_blocks_ingress
18 | security_groups = var.security_groups
19 | }
20 | egress {
21 | from_port = var.egress_port
22 | to_port = var.egress_port
23 | protocol = "-1"
24 | cidr_blocks = var.cidr_blocks_egress
25 | }
26 |
27 | tags = {
28 | Name = var.name
29 | }
30 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.security_group_ecs_task_server.aws_security_group.sg
File: /Infrastructure/Modules/SecurityGroup/main.tf:8-30
Calling File: /Infrastructure/main.tf:187-194
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
8 | resource "aws_security_group" "sg" {
9 | name = var.name
10 | description = var.description
11 | vpc_id = var.vpc_id
12 |
13 | ingress {
14 | protocol = "tcp"
15 | from_port = var.ingress_port
16 | to_port = var.ingress_port
17 | cidr_blocks = var.cidr_blocks_ingress
18 | security_groups = var.security_groups
19 | }
20 | egress {
21 | from_port = var.egress_port
22 | to_port = var.egress_port
23 | protocol = "-1"
24 | cidr_blocks = var.cidr_blocks_egress
25 | }
26 |
27 | tags = {
28 | Name = var.name
29 | }
30 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: module.s3_assets.aws_s3_bucket.s3_bucket
File: /Infrastructure/Modules/S3/main.tf:8-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
8 | resource "aws_s3_bucket" "s3_bucket" {
9 | bucket = var.bucket_name
10 | acl = "private"
11 | force_destroy = true
12 | tags = {
13 | Name = var.bucket_name
14 | }
15 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: module.s3_codepipeline.aws_s3_bucket.s3_bucket
File: /Infrastructure/Modules/S3/main.tf:8-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
8 | resource "aws_s3_bucket" "s3_bucket" {
9 | bucket = var.bucket_name
10 | acl = "private"
11 | force_destroy = true
12 | tags = {
13 | Name = var.bucket_name
14 | }
15 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: module.s3_assets.aws_s3_bucket.s3_bucket
File: /Infrastructure/Modules/S3/main.tf:8-15
8 | resource "aws_s3_bucket" "s3_bucket" {
9 | bucket = var.bucket_name
10 | acl = "private"
11 | force_destroy = true
12 | tags = {
13 | Name = var.bucket_name
14 | }
15 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: module.s3_codepipeline.aws_s3_bucket.s3_bucket
File: /Infrastructure/Modules/S3/main.tf:8-15
8 | resource "aws_s3_bucket" "s3_bucket" {
9 | bucket = var.bucket_name
10 | acl = "private"
11 | force_destroy = true
12 | tags = {
13 | Name = var.bucket_name
14 | }
15 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: module.networking.aws_vpc.aws_vpc
File: /Infrastructure/Modules/Networking/main.tf:9-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
9 | resource "aws_vpc" "aws_vpc" {
10 | cidr_block = var.cidr[0]
11 | instance_tenancy = "default"
12 | enable_dns_hostnames = true
13 | enable_dns_support = true
14 | tags = {
15 | Name = "vpc_${var.name}"
16 | }
17 | }
Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
FAILED for resource: module.alb_client.aws_alb_listener.https_listener
File: /Infrastructure/Modules/ALB/main.tf:20-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-43.html
20 | resource "aws_alb_listener" "https_listener" {
21 | count = var.create_alb == true ? (var.enable_https == true ? 1 : 0) : 0
22 | load_balancer_arn = aws_alb.alb[0].id
23 | port = "443"
24 | protocol = "HTTPS"
25 |
26 | default_action {
27 | target_group_arn = var.target_group
28 | type = "forward"
29 | }
30 |
31 | lifecycle {
32 | // to avoid changes generated by CodeDeploy changes
33 | ignore_changes = [default_action]
34 | }
35 | }
Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
FAILED for resource: module.alb_client.aws_alb_listener.http_listener
File: /Infrastructure/Modules/ALB/main.tf:38-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-43.html
38 | resource "aws_alb_listener" "http_listener" {
39 | count = var.create_alb == true ? 1 : 0
40 | load_balancer_arn = aws_alb.alb[0].id
41 | port = "80"
42 | protocol = "HTTP"
43 |
44 | default_action {
45 | target_group_arn = var.target_group
46 | type = "forward"
47 | }
48 |
49 | lifecycle {
50 | // to avoid changes generated by CodeDeploy changes
51 | ignore_changes = [default_action]
52 | }
53 | }
Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
FAILED for resource: module.alb_server.aws_alb_listener.https_listener
File: /Infrastructure/Modules/ALB/main.tf:20-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-43.html
20 | resource "aws_alb_listener" "https_listener" {
21 | count = var.create_alb == true ? (var.enable_https == true ? 1 : 0) : 0
22 | load_balancer_arn = aws_alb.alb[0].id
23 | port = "443"
24 | protocol = "HTTPS"
25 |
26 | default_action {
27 | target_group_arn = var.target_group
28 | type = "forward"
29 | }
30 |
31 | lifecycle {
32 | // to avoid changes generated by CodeDeploy changes
33 | ignore_changes = [default_action]
34 | }
35 | }
Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
FAILED for resource: module.alb_server.aws_alb_listener.http_listener
File: /Infrastructure/Modules/ALB/main.tf:38-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-43.html
38 | resource "aws_alb_listener" "http_listener" {
39 | count = var.create_alb == true ? 1 : 0
40 | load_balancer_arn = aws_alb.alb[0].id
41 | port = "80"
42 | protocol = "HTTP"
43 |
44 | default_action {
45 | target_group_arn = var.target_group
46 | type = "forward"
47 | }
48 |
49 | lifecycle {
50 | // to avoid changes generated by CodeDeploy changes
51 | ignore_changes = [default_action]
52 | }
53 | }
Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
FAILED for resource: module.target_group_client_blue.aws_alb_listener.https_listener
File: /Infrastructure/Modules/ALB/main.tf:20-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-43.html
20 | resource "aws_alb_listener" "https_listener" {
21 | count = var.create_alb == true ? (var.enable_https == true ? 1 : 0) : 0
22 | load_balancer_arn = aws_alb.alb[0].id
23 | port = "443"
24 | protocol = "HTTPS"
25 |
26 | default_action {
27 | target_group_arn = var.target_group
28 | type = "forward"
29 | }
30 |
31 | lifecycle {
32 | // to avoid changes generated by CodeDeploy changes
33 | ignore_changes = [default_action]
34 | }
35 | }
Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
FAILED for resource: module.target_group_client_blue.aws_alb_listener.http_listener
File: /Infrastructure/Modules/ALB/main.tf:38-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-43.html
38 | resource "aws_alb_listener" "http_listener" {
39 | count = var.create_alb == true ? 1 : 0
40 | load_balancer_arn = aws_alb.alb[0].id
41 | port = "80"
42 | protocol = "HTTP"
43 |
44 | default_action {
45 | target_group_arn = var.target_group
46 | type = "forward"
47 | }
48 |
49 | lifecycle {
50 | // to avoid changes generated by CodeDeploy changes
51 | ignore_changes = [default_action]
52 | }
53 | }
Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
FAILED for resource: module.target_group_client_green.aws_alb_listener.https_listener
File: /Infrastructure/Modules/ALB/main.tf:20-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-43.html
20 | resource "aws_alb_listener" "https_listener" {
21 | count = var.create_alb == true ? (var.enable_https == true ? 1 : 0) : 0
22 | load_balancer_arn = aws_alb.alb[0].id
23 | port = "443"
24 | protocol = "HTTPS"
25 |
26 | default_action {
27 | target_group_arn = var.target_group
28 | type = "forward"
29 | }
30 |
31 | lifecycle {
32 | // to avoid changes generated by CodeDeploy changes
33 | ignore_changes = [default_action]
34 | }
35 | }
Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
FAILED for resource: module.target_group_client_green.aws_alb_listener.http_listener
File: /Infrastructure/Modules/ALB/main.tf:38-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-43.html
38 | resource "aws_alb_listener" "http_listener" {
39 | count = var.create_alb == true ? 1 : 0
40 | load_balancer_arn = aws_alb.alb[0].id
41 | port = "80"
42 | protocol = "HTTP"
43 |
44 | default_action {
45 | target_group_arn = var.target_group
46 | type = "forward"
47 | }
48 |
49 | lifecycle {
50 | // to avoid changes generated by CodeDeploy changes
51 | ignore_changes = [default_action]
52 | }
53 | }
Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
FAILED for resource: module.target_group_server_blue.aws_alb_listener.https_listener
File: /Infrastructure/Modules/ALB/main.tf:20-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-43.html
20 | resource "aws_alb_listener" "https_listener" {
21 | count = var.create_alb == true ? (var.enable_https == true ? 1 : 0) : 0
22 | load_balancer_arn = aws_alb.alb[0].id
23 | port = "443"
24 | protocol = "HTTPS"
25 |
26 | default_action {
27 | target_group_arn = var.target_group
28 | type = "forward"
29 | }
30 |
31 | lifecycle {
32 | // to avoid changes generated by CodeDeploy changes
33 | ignore_changes = [default_action]
34 | }
35 | }
Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
FAILED for resource: module.target_group_server_blue.aws_alb_listener.http_listener
File: /Infrastructure/Modules/ALB/main.tf:38-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-43.html
38 | resource "aws_alb_listener" "http_listener" {
39 | count = var.create_alb == true ? 1 : 0
40 | load_balancer_arn = aws_alb.alb[0].id
41 | port = "80"
42 | protocol = "HTTP"
43 |
44 | default_action {
45 | target_group_arn = var.target_group
46 | type = "forward"
47 | }
48 |
49 | lifecycle {
50 | // to avoid changes generated by CodeDeploy changes
51 | ignore_changes = [default_action]
52 | }
53 | }
Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
FAILED for resource: module.target_group_server_green.aws_alb_listener.https_listener
File: /Infrastructure/Modules/ALB/main.tf:20-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-43.html
20 | resource "aws_alb_listener" "https_listener" {
21 | count = var.create_alb == true ? (var.enable_https == true ? 1 : 0) : 0
22 | load_balancer_arn = aws_alb.alb[0].id
23 | port = "443"
24 | protocol = "HTTPS"
25 |
26 | default_action {
27 | target_group_arn = var.target_group
28 | type = "forward"
29 | }
30 |
31 | lifecycle {
32 | // to avoid changes generated by CodeDeploy changes
33 | ignore_changes = [default_action]
34 | }
35 | }
Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
FAILED for resource: module.target_group_server_green.aws_alb_listener.http_listener
File: /Infrastructure/Modules/ALB/main.tf:38-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-43.html
38 | resource "aws_alb_listener" "http_listener" {
39 | count = var.create_alb == true ? 1 : 0
40 | load_balancer_arn = aws_alb.alb[0].id
41 | port = "80"
42 | protocol = "HTTP"
43 |
44 | default_action {
45 | target_group_arn = var.target_group
46 | type = "forward"
47 | }
48 |
49 | lifecycle {
50 | // to avoid changes generated by CodeDeploy changes
51 | ignore_changes = [default_action]
52 | }
53 | }
Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF"
FAILED for resource: module.alb_client.aws_alb.alb
File: /Infrastructure/Modules/ALB/main.tf:8-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf.html
8 | resource "aws_alb" "alb" {
9 | count = var.create_alb == true ? 1 : 0
10 | name = "alb-${var.name}"
11 | subnets = [var.subnets[0], var.subnets[1]]
12 | security_groups = [var.security_group]
13 | load_balancer_type = "application"
14 | internal = false
15 | enable_http2 = true
16 | idle_timeout = 30
17 | }
Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF"
FAILED for resource: module.alb_server.aws_alb.alb
File: /Infrastructure/Modules/ALB/main.tf:8-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf.html
8 | resource "aws_alb" "alb" {
9 | count = var.create_alb == true ? 1 : 0
10 | name = "alb-${var.name}"
11 | subnets = [var.subnets[0], var.subnets[1]]
12 | security_groups = [var.security_group]
13 | load_balancer_type = "application"
14 | internal = false
15 | enable_http2 = true
16 | idle_timeout = 30
17 | }
Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF"
FAILED for resource: module.target_group_client_blue.aws_alb.alb
File: /Infrastructure/Modules/ALB/main.tf:8-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf.html
8 | resource "aws_alb" "alb" {
9 | count = var.create_alb == true ? 1 : 0
10 | name = "alb-${var.name}"
11 | subnets = [var.subnets[0], var.subnets[1]]
12 | security_groups = [var.security_group]
13 | load_balancer_type = "application"
14 | internal = false
15 | enable_http2 = true
16 | idle_timeout = 30
17 | }
Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF"
FAILED for resource: module.target_group_client_green.aws_alb.alb
File: /Infrastructure/Modules/ALB/main.tf:8-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf.html
8 | resource "aws_alb" "alb" {
9 | count = var.create_alb == true ? 1 : 0
10 | name = "alb-${var.name}"
11 | subnets = [var.subnets[0], var.subnets[1]]
12 | security_groups = [var.security_group]
13 | load_balancer_type = "application"
14 | internal = false
15 | enable_http2 = true
16 | idle_timeout = 30
17 | }
Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF"
FAILED for resource: module.target_group_server_blue.aws_alb.alb
File: /Infrastructure/Modules/ALB/main.tf:8-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf.html
8 | resource "aws_alb" "alb" {
9 | count = var.create_alb == true ? 1 : 0
10 | name = "alb-${var.name}"
11 | subnets = [var.subnets[0], var.subnets[1]]
12 | security_groups = [var.security_group]
13 | load_balancer_type = "application"
14 | internal = false
15 | enable_http2 = true
16 | idle_timeout = 30
17 | }
Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF"
FAILED for resource: module.target_group_server_green.aws_alb.alb
File: /Infrastructure/Modules/ALB/main.tf:8-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf.html
8 | resource "aws_alb" "alb" {
9 | count = var.create_alb == true ? 1 : 0
10 | name = "alb-${var.name}"
11 | subnets = [var.subnets[0], var.subnets[1]]
12 | security_groups = [var.security_group]
13 | load_balancer_type = "application"
14 | internal = false
15 | enable_http2 = true
16 | idle_timeout = 30
17 | }
Check: CKV2_AWS_20: "Ensure that ALB redirects HTTP requests into HTTPS ones"
FAILED for resource: module.alb_client.aws_alb.alb
File: /Infrastructure/Modules/ALB/main.tf:8-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-redirects-http-requests-into-https-ones.html
8 | resource "aws_alb" "alb" {
9 | count = var.create_alb == true ? 1 : 0
10 | name = "alb-${var.name}"
11 | subnets = [var.subnets[0], var.subnets[1]]
12 | security_groups = [var.security_group]
13 | load_balancer_type = "application"
14 | internal = false
15 | enable_http2 = true
16 | idle_timeout = 30
17 | }
Check: CKV2_AWS_20: "Ensure that ALB redirects HTTP requests into HTTPS ones"
FAILED for resource: module.alb_server.aws_alb.alb
File: /Infrastructure/Modules/ALB/main.tf:8-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-redirects-http-requests-into-https-ones.html
8 | resource "aws_alb" "alb" {
9 | count = var.create_alb == true ? 1 : 0
10 | name = "alb-${var.name}"
11 | subnets = [var.subnets[0], var.subnets[1]]
12 | security_groups = [var.security_group]
13 | load_balancer_type = "application"
14 | internal = false
15 | enable_http2 = true
16 | idle_timeout = 30
17 | }
Check: CKV2_AWS_20: "Ensure that ALB redirects HTTP requests into HTTPS ones"
FAILED for resource: module.target_group_client_blue.aws_alb.alb
File: /Infrastructure/Modules/ALB/main.tf:8-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-redirects-http-requests-into-https-ones.html
8 | resource "aws_alb" "alb" {
9 | count = var.create_alb == true ? 1 : 0
10 | name = "alb-${var.name}"
11 | subnets = [var.subnets[0], var.subnets[1]]
12 | security_groups = [var.security_group]
13 | load_balancer_type = "application"
14 | internal = false
15 | enable_http2 = true
16 | idle_timeout = 30
17 | }
Check: CKV2_AWS_20: "Ensure that ALB redirects HTTP requests into HTTPS ones"
FAILED for resource: module.target_group_client_green.aws_alb.alb
File: /Infrastructure/Modules/ALB/main.tf:8-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-redirects-http-requests-into-https-ones.html
8 | resource "aws_alb" "alb" {
9 | count = var.create_alb == true ? 1 : 0
10 | name = "alb-${var.name}"
11 | subnets = [var.subnets[0], var.subnets[1]]
12 | security_groups = [var.security_group]
13 | load_balancer_type = "application"
14 | internal = false
15 | enable_http2 = true
16 | idle_timeout = 30
17 | }
Check: CKV2_AWS_20: "Ensure that ALB redirects HTTP requests into HTTPS ones"
FAILED for resource: module.target_group_server_blue.aws_alb.alb
File: /Infrastructure/Modules/ALB/main.tf:8-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-redirects-http-requests-into-https-ones.html
8 | resource "aws_alb" "alb" {
9 | count = var.create_alb == true ? 1 : 0
10 | name = "alb-${var.name}"
11 | subnets = [var.subnets[0], var.subnets[1]]
12 | security_groups = [var.security_group]
13 | load_balancer_type = "application"
14 | internal = false
15 | enable_http2 = true
16 | idle_timeout = 30
17 | }
Check: CKV2_AWS_20: "Ensure that ALB redirects HTTP requests into HTTPS ones"
FAILED for resource: module.target_group_server_green.aws_alb.alb
File: /Infrastructure/Modules/ALB/main.tf:8-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-redirects-http-requests-into-https-ones.html
8 | resource "aws_alb" "alb" {
9 | count = var.create_alb == true ? 1 : 0
10 | name = "alb-${var.name}"
11 | subnets = [var.subnets[0], var.subnets[1]]
12 | security_groups = [var.security_group]
13 | load_balancer_type = "application"
14 | internal = false
15 | enable_http2 = true
16 | idle_timeout = 30
17 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: module.s3_assets.aws_s3_bucket.s3_bucket
File: /Infrastructure/Modules/S3/main.tf:8-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
8 | resource "aws_s3_bucket" "s3_bucket" {
9 | bucket = var.bucket_name
10 | acl = "private"
11 | force_destroy = true
12 | tags = {
13 | Name = var.bucket_name
14 | }
15 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: module.s3_codepipeline.aws_s3_bucket.s3_bucket
File: /Infrastructure/Modules/S3/main.tf:8-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
8 | resource "aws_s3_bucket" "s3_bucket" {
9 | bucket = var.bucket_name
10 | acl = "private"
11 | force_destroy = true
12 | tags = {
13 | Name = var.bucket_name
14 | }
15 | }
Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
FAILED for resource: module.security_group_alb_client.aws_security_group.sg
File: /Infrastructure/Modules/SecurityGroup/main.tf:8-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html
8 | resource "aws_security_group" "sg" {
9 | name = var.name
10 | description = var.description
11 | vpc_id = var.vpc_id
12 |
13 | ingress {
14 | protocol = "tcp"
15 | from_port = var.ingress_port
16 | to_port = var.ingress_port
17 | cidr_blocks = var.cidr_blocks_ingress
18 | security_groups = var.security_groups
19 | }
20 | egress {
21 | from_port = var.egress_port
22 | to_port = var.egress_port
23 | protocol = "-1"
24 | cidr_blocks = var.cidr_blocks_egress
25 | }
26 |
27 | tags = {
28 | Name = var.name
29 | }
30 | }
Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
FAILED for resource: module.security_group_alb_server.aws_security_group.sg
File: /Infrastructure/Modules/SecurityGroup/main.tf:8-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html
8 | resource "aws_security_group" "sg" {
9 | name = var.name
10 | description = var.description
11 | vpc_id = var.vpc_id
12 |
13 | ingress {
14 | protocol = "tcp"
15 | from_port = var.ingress_port
16 | to_port = var.ingress_port
17 | cidr_blocks = var.cidr_blocks_ingress
18 | security_groups = var.security_groups
19 | }
20 | egress {
21 | from_port = var.egress_port
22 | to_port = var.egress_port
23 | protocol = "-1"
24 | cidr_blocks = var.cidr_blocks_egress
25 | }
26 |
27 | tags = {
28 | Name = var.name
29 | }
30 | }
Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
FAILED for resource: module.security_group_ecs_task_client.aws_security_group.sg
File: /Infrastructure/Modules/SecurityGroup/main.tf:8-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html
8 | resource "aws_security_group" "sg" {
9 | name = var.name
10 | description = var.description
11 | vpc_id = var.vpc_id
12 |
13 | ingress {
14 | protocol = "tcp"
15 | from_port = var.ingress_port
16 | to_port = var.ingress_port
17 | cidr_blocks = var.cidr_blocks_ingress
18 | security_groups = var.security_groups
19 | }
20 | egress {
21 | from_port = var.egress_port
22 | to_port = var.egress_port
23 | protocol = "-1"
24 | cidr_blocks = var.cidr_blocks_egress
25 | }
26 |
27 | tags = {
28 | Name = var.name
29 | }
30 | }
Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
FAILED for resource: module.security_group_ecs_task_server.aws_security_group.sg
File: /Infrastructure/Modules/SecurityGroup/main.tf:8-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html
8 | resource "aws_security_group" "sg" {
9 | name = var.name
10 | description = var.description
11 | vpc_id = var.vpc_id
12 |
13 | ingress {
14 | protocol = "tcp"
15 | from_port = var.ingress_port
16 | to_port = var.ingress_port
17 | cidr_blocks = var.cidr_blocks_ingress
18 | security_groups = var.security_groups
19 | }
20 | egress {
21 | from_port = var.egress_port
22 | to_port = var.egress_port
23 | protocol = "-1"
24 | cidr_blocks = var.cidr_blocks_egress
25 | }
26 |
27 | tags = {
28 | Name = var.name
29 | }
30 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: module.s3_assets.aws_s3_bucket.s3_bucket
File: /Infrastructure/Modules/S3/main.tf:8-15
8 | resource "aws_s3_bucket" "s3_bucket" {
9 | bucket = var.bucket_name
10 | acl = "private"
11 | force_destroy = true
12 | tags = {
13 | Name = var.bucket_name
14 | }
15 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: module.s3_codepipeline.aws_s3_bucket.s3_bucket
File: /Infrastructure/Modules/S3/main.tf:8-15
8 | resource "aws_s3_bucket" "s3_bucket" {
9 | bucket = var.bucket_name
10 | acl = "private"
11 | force_destroy = true
12 | tags = {
13 | Name = var.bucket_name
14 | }
15 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: module.networking.aws_vpc.aws_vpc
File: /Infrastructure/Modules/Networking/main.tf:9-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
9 | resource "aws_vpc" "aws_vpc" {
10 | cidr_block = var.cidr[0]
11 | instance_tenancy = "default"
12 | enable_dns_hostnames = true
13 | enable_dns_support = true
14 | tags = {
15 | Name = "vpc_${var.name}"
16 | }
17 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: module.s3_assets.aws_s3_bucket.s3_bucket
File: /Infrastructure/Modules/S3/main.tf:8-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
8 | resource "aws_s3_bucket" "s3_bucket" {
9 | bucket = var.bucket_name
10 | acl = "private"
11 | force_destroy = true
12 | tags = {
13 | Name = var.bucket_name
14 | }
15 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: module.s3_codepipeline.aws_s3_bucket.s3_bucket
File: /Infrastructure/Modules/S3/main.tf:8-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
8 | resource "aws_s3_bucket" "s3_bucket" {
9 | bucket = var.bucket_name
10 | acl = "private"
11 | force_destroy = true
12 | tags = {
13 | Name = var.bucket_name
14 | }
15 | }
Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
FAILED for resource: module.s3_assets.aws_s3_bucket.s3_bucket
File: /Infrastructure/Modules/S3/main.tf:8-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached.html
8 | resource "aws_s3_bucket" "s3_bucket" {
9 | bucket = var.bucket_name
10 | acl = "private"
11 | force_destroy = true
12 | tags = {
13 | Name = var.bucket_name
14 | }
15 | }
Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
FAILED for resource: module.s3_codepipeline.aws_s3_bucket.s3_bucket
File: /Infrastructure/Modules/S3/main.tf:8-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached.html
8 | resource "aws_s3_bucket" "s3_bucket" {
9 | bucket = var.bucket_name
10 | acl = "private"
11 | force_destroy = true
12 | tags = {
13 | Name = var.bucket_name
14 | }
15 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: module.s3_assets.aws_s3_bucket.s3_bucket
File: /Infrastructure/Modules/S3/main.tf:8-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
8 | resource "aws_s3_bucket" "s3_bucket" {
9 | bucket = var.bucket_name
10 | acl = "private"
11 | force_destroy = true
12 | tags = {
13 | Name = var.bucket_name
14 | }
15 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: module.s3_codepipeline.aws_s3_bucket.s3_bucket
File: /Infrastructure/Modules/S3/main.tf:8-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
8 | resource "aws_s3_bucket" "s3_bucket" {
9 | bucket = var.bucket_name
10 | acl = "private"
11 | force_destroy = true
12 | tags = {
13 | Name = var.bucket_name
14 | }
15 | }
terraform_plan scan results:
Passed checks: 0, Failed checks: 0, Skipped checks: 0, Parsing errors: 1
dockerfile scan results:
Passed checks: 78, Failed checks: 6, Skipped checks: 0
Check: CKV_DOCKER_7: "Ensure the base image uses a non latest version tag"
FAILED for resource: /Code/server/Dockerfile.FROM
File: /Code/server/Dockerfile:4-4
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-the-base-image-uses-a-non-latest-version-tag.html
4 | FROM public.ecr.aws/bitnami/node:latest
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /Code/server/Dockerfile.
File: /Code/server/Dockerfile:1-18
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | # SPDX-License-Identifier: MIT-0
3 |
4 | FROM public.ecr.aws/bitnami/node:latest
5 |
6 | RUN mkdir -p /home/node/app/node_modules
7 |
8 | WORKDIR /home/node/app
9 |
10 | COPY package*.json ./
11 |
12 | RUN npm install
13 |
14 | COPY . .
15 |
16 | EXPOSE 3001
17 |
18 | CMD [ "npm", "start" ]
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /Code/server/Dockerfile.
File: /Code/server/Dockerfile:1-18
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | # SPDX-License-Identifier: MIT-0
3 |
4 | FROM public.ecr.aws/bitnami/node:latest
5 |
6 | RUN mkdir -p /home/node/app/node_modules
7 |
8 | WORKDIR /home/node/app
9 |
10 | COPY package*.json ./
11 |
12 | RUN npm install
13 |
14 | COPY . .
15 |
16 | EXPOSE 3001
17 |
18 | CMD [ "npm", "start" ]
Check: CKV_DOCKER_7: "Ensure the base image uses a non latest version tag"
FAILED for resource: /Code/client/Dockerfile.FROM
File: /Code/client/Dockerfile:13-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-the-base-image-uses-a-non-latest-version-tag.html
13 | FROM public.ecr.aws/nginx/nginx:latest as production-stage
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /Code/client/Dockerfile.
File: /Code/client/Dockerfile:1-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | # SPDX-License-Identifier: MIT-0
3 |
4 | # build stage
5 | FROM public.ecr.aws/bitnami/node:16 as build-stage
6 | WORKDIR /app
7 | COPY package*.json ./
8 | RUN npm install
9 | COPY . .
10 | RUN npm run build
11 |
12 | # production stage
13 | FROM public.ecr.aws/nginx/nginx:latest as production-stage
14 | COPY --from=build-stage /app/dist /usr/share/nginx/html
15 | EXPOSE 80
16 | CMD ["nginx", "-g", "daemon off;"]
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /Code/client/Dockerfile.
File: /Code/client/Dockerfile:1-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | # SPDX-License-Identifier: MIT-0
3 |
4 | # build stage
5 | FROM public.ecr.aws/bitnami/node:16 as build-stage
6 | WORKDIR /app
7 | COPY package*.json ./
8 | RUN npm install
9 | COPY . .
10 | RUN npm run build
11 |
12 | # production stage
13 | FROM public.ecr.aws/nginx/nginx:latest as production-stage
14 | COPY --from=build-stage /app/dist /usr/share/nginx/html
15 | EXPOSE 80
16 | CMD ["nginx", "-g", "daemon off;"]
Linting
This repository failed the Experience Builder Terraform Module's Linting validation. This means that a linting tool was not found to be implemented in any of the CICD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform linting tools