Experience Builder


Terraform

Repository
chgasparoto / curso-aws-com-terraform
Description

🎦 🇧🇷 Files for the course "DevOps: AWS com Terraform. Automatizando sua infraestrutura"

Stars

 239

Failed Checks
  • Security Scanning
  • Linting

Scan Date

    2023-10-30 17:57:40

    Security Scanning

    This repository failed the Experience Builder Terraform Module's Security Scanning validation: no security scanning tool was found in any of the CI/CD tool configuration files in the repository.

    There is an opportunity to:

    Checkov Output
                    
    2023-10-05 14:51:04,911 [MainThread  ] [WARNI]  Failed to download module github.com/chgasparoto/terraform-s3-object-notification:None (for external modules, the --download-external-modules flag is required)
    terraform scan results:
    
    Passed checks: 176, Failed checks: 182, Skipped checks: 0
    
    Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
    	FAILED for resource: aws_instance.web
    	File: /01-terraform-basico/03-variaveis/main.tf:17-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
    
    		17 | resource "aws_instance" "web" {
    		18 |   ami           = var.instance_ami
    		19 |   instance_type = var.instance_type
    		20 | 
    		21 |   tags = var.instance_tags
    		22 | }
    
    Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
    	FAILED for resource: aws_instance.web
    	File: /01-terraform-basico/03-variaveis/main.tf:17-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
    
    		17 | resource "aws_instance" "web" {
    		18 |   ami           = var.instance_ami
    		19 |   instance_type = var.instance_type
    		20 | 
    		21 |   tags = var.instance_tags
    		22 | }
    
    Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
    	FAILED for resource: aws_instance.web
    	File: /01-terraform-basico/03-variaveis/main.tf:17-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
    
    		17 | resource "aws_instance" "web" {
    		18 |   ami           = var.instance_ami
    		19 |   instance_type = var.instance_type
    		20 | 
    		21 |   tags = var.instance_tags
    		22 | }
    
    Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
    	FAILED for resource: aws_instance.web
    	File: /01-terraform-basico/03-variaveis/main.tf:17-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
    
    		17 | resource "aws_instance" "web" {
    		18 |   ami           = var.instance_ami
    		19 |   instance_type = var.instance_type
    		20 | 
    		21 |   tags = var.instance_tags
    		22 | }
    
    Check: CKV_AWS_186: "Ensure S3 bucket Object is encrypted by KMS using a customer managed Key (CMK)"
    	FAILED for resource: aws_s3_bucket_object.this
    	File: /01-terraform-basico/04-interpolacao-locals-outputs/s3.tf:16-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-106.html
    
    		16 | resource "aws_s3_bucket_object" "this" {
    		17 |   bucket       = aws_s3_bucket.this.bucket
    		18 |   key          = "config/${local.ip_filepath}"
    		19 |   source       = local.ip_filepath
    		20 |   etag         = filemd5(local.ip_filepath)
    		21 |   content_type = "application/json"
    		22 | 
    		23 |   tags = local.common_tags
    		24 | }
    
    Check: CKV_AWS_186: "Ensure S3 bucket Object is encrypted by KMS using a customer managed Key (CMK)"
    	FAILED for resource: aws_s3_bucket_object.random
    	File: /01-terraform-basico/04-interpolacao-locals-outputs/s3.tf:26-34
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-106.html
    
    		26 | resource "aws_s3_bucket_object" "random" {
    		27 |   bucket       = aws_s3_bucket.this.bucket
    		28 |   key          = "config/${random_pet.bucket.id}.json"
    		29 |   source       = local.ip_filepath
    		30 |   etag         = filemd5(local.ip_filepath)
    		31 |   content_type = "application/json"
    		32 | 
    		33 |   tags = local.common_tags
    		34 | }
    
    Check: CKV_AWS_119: "Ensure DynamoDB Tables are encrypted using a KMS Customer Managed CMK"
    	FAILED for resource: aws_dynamodb_table.lock-table
    	File: /02-terraform-intermediario/01-remote-state/00-remote-state-bucket/main.tf:34-44
    	Guide: https://docs.bridgecrew.io/docs/ensure-that-dynamodb-tables-are-encrypted
    
    		34 | resource "aws_dynamodb_table" "lock-table" {
    		35 |   name           = "tflock-${aws_s3_bucket.remote-state.bucket}"
    		36 |   read_capacity  = 5
    		37 |   write_capacity = 5
    		38 |   hash_key       = "LockID"
    		39 | 
    		40 |   attribute {
    		41 |     name = "LockID"
    		42 |     type = "S"
    		43 |   }
    		44 | }
    
    Check: CKV_AWS_28: "Ensure Dynamodb point in time recovery (backup) is enabled"
    	FAILED for resource: aws_dynamodb_table.lock-table
    	File: /02-terraform-intermediario/01-remote-state/00-remote-state-bucket/main.tf:34-44
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-6.html
    
    		34 | resource "aws_dynamodb_table" "lock-table" {
    		35 |   name           = "tflock-${aws_s3_bucket.remote-state.bucket}"
    		36 |   read_capacity  = 5
    		37 |   write_capacity = 5
    		38 |   hash_key       = "LockID"
    		39 | 
    		40 |   attribute {
    		41 |     name = "LockID"
    		42 |     type = "S"
    		43 |   }
    		44 | }
    
    Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
    	FAILED for resource: aws_instance.web
    	File: /02-terraform-intermediario/01-remote-state/01-usando-remote-state/ec2.tf:1-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
    
    		1 | resource "aws_instance" "web" {
    		2 |   ami           = var.ami
    		3 |   instance_type = var.instance_type
    		4 | 
    		5 |   tags = {
    		6 |     Name = "Remote State"
    		7 |     Env  = "dev"
    		8 |   }
    		9 | }
    
    Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
    	FAILED for resource: aws_instance.web
    	File: /02-terraform-intermediario/01-remote-state/01-usando-remote-state/ec2.tf:1-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
    
    		1 | resource "aws_instance" "web" {
    		2 |   ami           = var.ami
    		3 |   instance_type = var.instance_type
    		4 | 
    		5 |   tags = {
    		6 |     Name = "Remote State"
    		7 |     Env  = "dev"
    		8 |   }
    		9 | }
    
    Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
    	FAILED for resource: aws_instance.web
    	File: /02-terraform-intermediario/01-remote-state/01-usando-remote-state/ec2.tf:1-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
    
    		1 | resource "aws_instance" "web" {
    		2 |   ami           = var.ami
    		3 |   instance_type = var.instance_type
    		4 | 
    		5 |   tags = {
    		6 |     Name = "Remote State"
    		7 |     Env  = "dev"
    		8 |   }
    		9 | }
    
    Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
    	FAILED for resource: aws_instance.web
    	File: /02-terraform-intermediario/01-remote-state/01-usando-remote-state/ec2.tf:1-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
    
    		1 | resource "aws_instance" "web" {
    		2 |   ami           = var.ami
    		3 |   instance_type = var.instance_type
    		4 | 
    		5 |   tags = {
    		6 |     Name = "Remote State"
    		7 |     Env  = "dev"
    		8 |   }
    		9 | }
    
    Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
    	FAILED for resource: aws_instance.server
    	File: /02-terraform-intermediario/02-builtin-functions/ec2.tf:1-15
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
    
    		1  | resource "aws_instance" "server" {
    		2  |   count = local.instance_number <= 0 ? 0 : local.instance_number
    		3  | 
    		4  |   ami           = var.instance_ami
    		5  |   instance_type = lookup(var.instance_type, var.env)
    		6  | 
    		7  |   tags = merge(
    		8  |     local.common_tags,
    		9  |     {
    		10 |       Project = "Curso AWS com Terraform"
    		11 |       Env     = format("%s", var.env)
    		12 |       Name    = format("Instance %d", count.index + 1)
    		13 |     }
    		14 |   )
    		15 | }
    
    Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
    	FAILED for resource: aws_instance.server
    	File: /02-terraform-intermediario/02-builtin-functions/ec2.tf:1-15
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
    
    		1  | resource "aws_instance" "server" {
    		2  |   count = local.instance_number <= 0 ? 0 : local.instance_number
    		3  | 
    		4  |   ami           = var.instance_ami
    		5  |   instance_type = lookup(var.instance_type, var.env)
    		6  | 
    		7  |   tags = merge(
    		8  |     local.common_tags,
    		9  |     {
    		10 |       Project = "Curso AWS com Terraform"
    		11 |       Env     = format("%s", var.env)
    		12 |       Name    = format("Instance %d", count.index + 1)
    		13 |     }
    		14 |   )
    		15 | }
    
    Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
    	FAILED for resource: aws_instance.server
    	File: /02-terraform-intermediario/02-builtin-functions/ec2.tf:1-15
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
    
    		1  | resource "aws_instance" "server" {
    		2  |   count = local.instance_number <= 0 ? 0 : local.instance_number
    		3  | 
    		4  |   ami           = var.instance_ami
    		5  |   instance_type = lookup(var.instance_type, var.env)
    		6  | 
    		7  |   tags = merge(
    		8  |     local.common_tags,
    		9  |     {
    		10 |       Project = "Curso AWS com Terraform"
    		11 |       Env     = format("%s", var.env)
    		12 |       Name    = format("Instance %d", count.index + 1)
    		13 |     }
    		14 |   )
    		15 | }
    
    Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
    	FAILED for resource: aws_instance.server
    	File: /02-terraform-intermediario/02-builtin-functions/ec2.tf:1-15
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
    
    		1  | resource "aws_instance" "server" {
    		2  |   count = local.instance_number <= 0 ? 0 : local.instance_number
    		3  | 
    		4  |   ami           = var.instance_ami
    		5  |   instance_type = lookup(var.instance_type, var.env)
    		6  | 
    		7  |   tags = merge(
    		8  |     local.common_tags,
    		9  |     {
    		10 |       Project = "Curso AWS com Terraform"
    		11 |       Env     = format("%s", var.env)
    		12 |       Name    = format("Instance %d", count.index + 1)
    		13 |     }
    		14 |   )
    		15 | }
    
    Check: CKV_AWS_186: "Ensure S3 bucket Object is encrypted by KMS using a customer managed Key (CMK)"
    	FAILED for resource: aws_s3_bucket_object.this
    	File: /02-terraform-intermediario/02-builtin-functions/s3.tf:10-18
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-106.html
    
    		10 | resource "aws_s3_bucket_object" "this" {
    		11 |   bucket       = aws_s3_bucket.this.bucket
    		12 |   key          = "${uuid()}.${local.file_ext}"
    		13 |   source       = data.archive_file.json.output_path
    		14 |   etag         = filemd5(data.archive_file.json.output_path)
    		15 |   content_type = "application/zip"
    		16 | 
    		17 |   tags = local.common_tags
    		18 | }
    
    Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
    	FAILED for resource: aws_instance.web
    	File: /02-terraform-intermediario/03-data-source/ec2/ec2.tf:1-4
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
    
    		1 | resource "aws_instance" "web" {
    		2 |   ami           = data.aws_ami.ubuntu.id
    		3 |   instance_type = var.instance_type
    		4 | }
    
    Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
    	FAILED for resource: aws_instance.web
    	File: /02-terraform-intermediario/03-data-source/ec2/ec2.tf:1-4
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
    
    		1 | resource "aws_instance" "web" {
    		2 |   ami           = data.aws_ami.ubuntu.id
    		3 |   instance_type = var.instance_type
    		4 | }
    
    Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
    	FAILED for resource: aws_instance.web
    	File: /02-terraform-intermediario/03-data-source/ec2/ec2.tf:1-4
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
    
    		1 | resource "aws_instance" "web" {
    		2 |   ami           = data.aws_ami.ubuntu.id
    		3 |   instance_type = var.instance_type
    		4 | }
    
    Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
    	FAILED for resource: aws_instance.web
    	File: /02-terraform-intermediario/03-data-source/ec2/ec2.tf:1-4
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
    
    		1 | resource "aws_instance" "web" {
    		2 |   ami           = data.aws_ami.ubuntu.id
    		3 |   instance_type = var.instance_type
    		4 | }
    
    Check: CKV_AWS_186: "Ensure S3 bucket Object is encrypted by KMS using a customer managed Key (CMK)"
    	FAILED for resource: aws_s3_bucket_object.this
    	File: /02-terraform-intermediario/03-data-source/s3/s3.tf:9-15
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-106.html
    
    		9  | resource "aws_s3_bucket_object" "this" {
    		10 |   bucket       = aws_s3_bucket.this.bucket
    		11 |   key          = "instances/instances-${local.instance.ami}.json"
    		12 |   source       = "outputs.json"
    		13 |   etag         = filemd5("outputs.json")
    		14 |   content_type = "application/json"
    		15 | }
    
    Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
    	FAILED for resource: aws_instance.this["ci_cd"]
    	File: /02-terraform-intermediario/04-foreach-for-splat/ec2.tf:12-32
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
    
    		12 | resource "aws_instance" "this" {
    		13 |   for_each = {
    		14 |     web = {
    		15 |       name = "Web server"
    		16 |       type = "t3.medium"
    		17 |     }
    		18 |     ci_cd = {
    		19 |       name = "CI/CD server"
    		20 |       type = "t3.micro"
    		21 |     }
    		22 |   }
    		23 | 
    		24 |   ami           = data.aws_ami.ubuntu.id
    		25 |   instance_type = lookup(each.value, "type", null)
    		26 | 
    		27 |   tags = {
    		28 |     Project = "Curso AWS com Terraform"
    		29 |     Name    = "${each.key}: ${lookup(each.value, "name", null)}"
    		30 |     Lesson  = "Foreach, For, Splat"
    		31 |   }
    		32 | }
    
    Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
    	FAILED for resource: aws_instance.this["ci_cd"]
    	File: /02-terraform-intermediario/04-foreach-for-splat/ec2.tf:12-32
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
    
    		12 | resource "aws_instance" "this" {
    		13 |   for_each = {
    		14 |     web = {
    		15 |       name = "Web server"
    		16 |       type = "t3.medium"
    		17 |     }
    		18 |     ci_cd = {
    		19 |       name = "CI/CD server"
    		20 |       type = "t3.micro"
    		21 |     }
    		22 |   }
    		23 | 
    		24 |   ami           = data.aws_ami.ubuntu.id
    		25 |   instance_type = lookup(each.value, "type", null)
    		26 | 
    		27 |   tags = {
    		28 |     Project = "Curso AWS com Terraform"
    		29 |     Name    = "${each.key}: ${lookup(each.value, "name", null)}"
    		30 |     Lesson  = "Foreach, For, Splat"
    		31 |   }
    		32 | }
    
    Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
    	FAILED for resource: aws_instance.this["ci_cd"]
    	File: /02-terraform-intermediario/04-foreach-for-splat/ec2.tf:12-32
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
    
    		12 | resource "aws_instance" "this" {
    		13 |   for_each = {
    		14 |     web = {
    		15 |       name = "Web server"
    		16 |       type = "t3.medium"
    		17 |     }
    		18 |     ci_cd = {
    		19 |       name = "CI/CD server"
    		20 |       type = "t3.micro"
    		21 |     }
    		22 |   }
    		23 | 
    		24 |   ami           = data.aws_ami.ubuntu.id
    		25 |   instance_type = lookup(each.value, "type", null)
    		26 | 
    		27 |   tags = {
    		28 |     Project = "Curso AWS com Terraform"
    		29 |     Name    = "${each.key}: ${lookup(each.value, "name", null)}"
    		30 |     Lesson  = "Foreach, For, Splat"
    		31 |   }
    		32 | }
    
    Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
    	FAILED for resource: aws_instance.this["ci_cd"]
    	File: /02-terraform-intermediario/04-foreach-for-splat/ec2.tf:12-32
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
    
    		12 | resource "aws_instance" "this" {
    		13 |   for_each = {
    		14 |     web = {
    		15 |       name = "Web server"
    		16 |       type = "t3.medium"
    		17 |     }
    		18 |     ci_cd = {
    		19 |       name = "CI/CD server"
    		20 |       type = "t3.micro"
    		21 |     }
    		22 |   }
    		23 | 
    		24 |   ami           = data.aws_ami.ubuntu.id
    		25 |   instance_type = lookup(each.value, "type", null)
    		26 | 
    		27 |   tags = {
    		28 |     Project = "Curso AWS com Terraform"
    		29 |     Name    = "${each.key}: ${lookup(each.value, "name", null)}"
    		30 |     Lesson  = "Foreach, For, Splat"
    		31 |   }
    		32 | }
    
    Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
    	FAILED for resource: aws_instance.this["web"]
    	File: /02-terraform-intermediario/04-foreach-for-splat/ec2.tf:12-32
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
    
    		12 | resource "aws_instance" "this" {
    		13 |   for_each = {
    		14 |     web = {
    		15 |       name = "Web server"
    		16 |       type = "t3.medium"
    		17 |     }
    		18 |     ci_cd = {
    		19 |       name = "CI/CD server"
    		20 |       type = "t3.micro"
    		21 |     }
    		22 |   }
    		23 | 
    		24 |   ami           = data.aws_ami.ubuntu.id
    		25 |   instance_type = lookup(each.value, "type", null)
    		26 | 
    		27 |   tags = {
    		28 |     Project = "Curso AWS com Terraform"
    		29 |     Name    = "${each.key}: ${lookup(each.value, "name", null)}"
    		30 |     Lesson  = "Foreach, For, Splat"
    		31 |   }
    		32 | }
    
    Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
    	FAILED for resource: aws_instance.this["web"]
    	File: /02-terraform-intermediario/04-foreach-for-splat/ec2.tf:12-32
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
    
    		12 | resource "aws_instance" "this" {
    		13 |   for_each = {
    		14 |     web = {
    		15 |       name = "Web server"
    		16 |       type = "t3.medium"
    		17 |     }
    		18 |     ci_cd = {
    		19 |       name = "CI/CD server"
    		20 |       type = "t3.micro"
    		21 |     }
    		22 |   }
    		23 | 
    		24 |   ami           = data.aws_ami.ubuntu.id
    		25 |   instance_type = lookup(each.value, "type", null)
    		26 | 
    		27 |   tags = {
    		28 |     Project = "Curso AWS com Terraform"
    		29 |     Name    = "${each.key}: ${lookup(each.value, "name", null)}"
    		30 |     Lesson  = "Foreach, For, Splat"
    		31 |   }
    		32 | }
    
    Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
    	FAILED for resource: aws_instance.this["web"]
    	File: /02-terraform-intermediario/04-foreach-for-splat/ec2.tf:12-32
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
    
    		12 | resource "aws_instance" "this" {
    		13 |   for_each = {
    		14 |     web = {
    		15 |       name = "Web server"
    		16 |       type = "t3.medium"
    		17 |     }
    		18 |     ci_cd = {
    		19 |       name = "CI/CD server"
    		20 |       type = "t3.micro"
    		21 |     }
    		22 |   }
    		23 | 
    		24 |   ami           = data.aws_ami.ubuntu.id
    		25 |   instance_type = lookup(each.value, "type", null)
    		26 | 
    		27 |   tags = {
    		28 |     Project = "Curso AWS com Terraform"
    		29 |     Name    = "${each.key}: ${lookup(each.value, "name", null)}"
    		30 |     Lesson  = "Foreach, For, Splat"
    		31 |   }
    		32 | }
    
    Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
    	FAILED for resource: aws_instance.this["web"]
    	File: /02-terraform-intermediario/04-foreach-for-splat/ec2.tf:12-32
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
    
    		12 | resource "aws_instance" "this" {
    		13 |   for_each = {
    		14 |     web = {
    		15 |       name = "Web server"
    		16 |       type = "t3.medium"
    		17 |     }
    		18 |     ci_cd = {
    		19 |       name = "CI/CD server"
    		20 |       type = "t3.micro"
    		21 |     }
    		22 |   }
    		23 | 
    		24 |   ami           = data.aws_ami.ubuntu.id
    		25 |   instance_type = lookup(each.value, "type", null)
    		26 | 
    		27 |   tags = {
    		28 |     Project = "Curso AWS com Terraform"
    		29 |     Name    = "${each.key}: ${lookup(each.value, "name", null)}"
    		30 |     Lesson  = "Foreach, For, Splat"
    		31 |   }
    		32 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.the-accounts["Dottie"]
    	File: /02-terraform-intermediario/04-foreach-for-splat/iam.tf:1-4
    
    		1 | resource "aws_iam_user" "the-accounts" {
    		2 |   for_each = toset(["Todd", "James", "Alice", "Dottie"])
    		3 |   name     = each.key # note: each.key and each.value are the same for a set
    		4 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.the-accounts["James"]
    	File: /02-terraform-intermediario/04-foreach-for-splat/iam.tf:1-4
    
    		1 | resource "aws_iam_user" "the-accounts" {
    		2 |   for_each = toset(["Todd", "James", "Alice", "Dottie"])
    		3 |   name     = each.key # note: each.key and each.value are the same for a set
    		4 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.the-accounts["Alice"]
    	File: /02-terraform-intermediario/04-foreach-for-splat/iam.tf:1-4
    
    		1 | resource "aws_iam_user" "the-accounts" {
    		2 |   for_each = toset(["Todd", "James", "Alice", "Dottie"])
    		3 |   name     = each.key # note: each.key and each.value are the same for a set
    		4 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.the-accounts["Todd"]
    	File: /02-terraform-intermediario/04-foreach-for-splat/iam.tf:1-4
    
    		1 | resource "aws_iam_user" "the-accounts" {
    		2 |   for_each = toset(["Todd", "James", "Alice", "Dottie"])
    		3 |   name     = each.key # note: each.key and each.value are the same for a set
    		4 | }
    
    Check: CKV_AWS_186: "Ensure S3 bucket Object is encrypted by KMS using a customer managed Key (CMK)"
    	FAILED for resource: module.bucket.module.objects.aws_s3_bucket_object.this
    	File: /02-terraform-intermediario/05-modules/s3_module/s3_object/main.tf:1-7
    	Calling File: /02-terraform-intermediario/05-modules/s3_module/main.tf:26-34
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-106.html
    
    		1 | resource "aws_s3_bucket_object" "this" {
    		2 |   bucket       = var.bucket
    		3 |   key          = var.key
    		4 |   source       = var.src
    		5 |   etag         = filemd5(var.src)
    		6 |   content_type = lookup(var.file_types, regex("\\.[^\\.]+\\z", var.src), var.default_file_type)
    		7 | }
    
    Check: CKV_AWS_186: "Ensure S3 bucket Object is encrypted by KMS using a customer managed Key (CMK)"
    	FAILED for resource: module.website.module.objects.aws_s3_bucket_object.this
    	File: /02-terraform-intermediario/05-modules/s3_module/s3_object/main.tf:1-7
    	Calling File: /02-terraform-intermediario/05-modules/s3_module/main.tf:26-34
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-106.html
    
    		1 | resource "aws_s3_bucket_object" "this" {
    		2 |   bucket       = var.bucket
    		3 |   key          = var.key
    		4 |   source       = var.src
    		5 |   etag         = filemd5(var.src)
    		6 |   content_type = lookup(var.file_types, regex("\\.[^\\.]+\\z", var.src), var.default_file_type)
    		7 | }
    
    Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
    	FAILED for resource: aws_instance.web
    	File: /02-terraform-intermediario/06-workspaces/main.tf:29-39
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
    
    		29 | resource "aws_instance" "web" {
    		30 |   count = lookup(var.instance, local.env)["number"]
    		31 | 
    		32 |   ami           = lookup(var.instance, local.env)["ami"]
    		33 |   instance_type = lookup(var.instance, local.env)["type"]
    		34 | 
    		35 |   tags = {
    		36 |     Name = "Minha máquina web ${local.env}"
    		37 |     Env  = local.env
    		38 |   }
    		39 | }
    
    Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
    	FAILED for resource: aws_instance.web
    	File: /02-terraform-intermediario/06-workspaces/main.tf:29-39
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
    
    		29 | resource "aws_instance" "web" {
    		30 |   count = lookup(var.instance, local.env)["number"]
    		31 | 
    		32 |   ami           = lookup(var.instance, local.env)["ami"]
    		33 |   instance_type = lookup(var.instance, local.env)["type"]
    		34 | 
    		35 |   tags = {
    		36 |     Name = "Minha máquina web ${local.env}"
    		37 |     Env  = local.env
    		38 |   }
    		39 | }
    
    Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
    	FAILED for resource: aws_instance.web
    	File: /02-terraform-intermediario/06-workspaces/main.tf:29-39
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
    
    		29 | resource "aws_instance" "web" {
    		30 |   count = lookup(var.instance, local.env)["number"]
    		31 | 
    		32 |   ami           = lookup(var.instance, local.env)["ami"]
    		33 |   instance_type = lookup(var.instance, local.env)["type"]
    		34 | 
    		35 |   tags = {
    		36 |     Name = "Minha máquina web ${local.env}"
    		37 |     Env  = local.env
    		38 |   }
    		39 | }
    
    Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
    	FAILED for resource: aws_instance.web
    	File: /02-terraform-intermediario/06-workspaces/main.tf:29-39
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
    
    		29 | resource "aws_instance" "web" {
    		30 |   count = lookup(var.instance, local.env)["number"]
    		31 | 
    		32 |   ami           = lookup(var.instance, local.env)["ami"]
    		33 |   instance_type = lookup(var.instance, local.env)["type"]
    		34 | 
    		35 |   tags = {
    		36 |     Name = "Minha máquina web ${local.env}"
    		37 |     Env  = local.env
    		38 |   }
    		39 | }
    
    Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
    	FAILED for resource: aws_acm_certificate.this[0]
    	File: /03-site-estatico/terraform/acm.tf:1-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy.html
    
    		1 | resource "aws_acm_certificate" "this" {
    		2 |   count = local.has_domain ? 1 : 0
    		3 | 
    		4 |   provider = aws.us-east-1
    		5 | 
    		6 |   domain_name               = local.domain
    		7 |   validation_method         = "DNS"
    		8 |   subject_alternative_names = ["*.${local.domain}"]
    		9 | }
    
    Check: CKV_AWS_68: "CloudFront Distribution should have WAF enabled"
    	FAILED for resource: aws_cloudfront_distribution.this
    	File: /03-site-estatico/terraform/cloudfront.tf:5-67
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-27.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_174: "Verify CloudFront Distribution Viewer Certificate is using TLS v1.2"
    	FAILED for resource: aws_cloudfront_distribution.this
    	File: /03-site-estatico/terraform/cloudfront.tf:5-67
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/bc-aws-networking-63.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_310: "Ensure CloudFront distributions should have origin failover configured"
    	FAILED for resource: aws_cloudfront_distribution.this
    	File: /03-site-estatico/terraform/cloudfront.tf:5-67
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_237: "Ensure Create before destroy for API GATEWAY"
    	FAILED for resource: aws_api_gateway_rest_api.this
    	File: /04-serverless-app/terraform/api.tf:1-3
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-api-gateway-enables-create-before-destroy.html
    
    		1 | resource "aws_api_gateway_rest_api" "this" {
    		2 |   name = var.service_name
    		3 | }
    
    Check: CKV_AWS_217: "Ensure Create before destroy for API deployments"
    	FAILED for resource: aws_api_gateway_deployment.this
    	File: /04-serverless-app/terraform/api.tf:41-46
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-api-deployments-enable-create-before-destroy.html
    
    		41 | resource "aws_api_gateway_deployment" "this" {
    		42 |   rest_api_id = aws_api_gateway_rest_api.this.id
    		43 |   stage_name  = "dev"
    		44 | 
    		45 |   depends_on = [aws_api_gateway_integration.this]
    		46 | }
    
    Check: CKV_AWS_119: "Ensure DynamoDB Tables are encrypted using a KMS Customer Managed CMK"
    	FAILED for resource: aws_dynamodb_table.this
    	File: /04-serverless-app/terraform/dynamo.tf:1-13
    	Guide: https://docs.bridgecrew.io/docs/ensure-that-dynamodb-tables-are-encrypted
    
    		1  | resource "aws_dynamodb_table" "this" {
    		2  |   hash_key       = "TodoId"
    		3  |   name           = var.service_name
    		4  |   read_capacity  = 5
    		5  |   write_capacity = 5
    		6  | 
    		7  |   attribute {
    		8  |     name = "TodoId"
    		9  |     type = "S"
    		10 |   }
    		11 | 
    		12 |   tags = local.common_tags
    		13 | }
    
    Check: CKV_AWS_28: "Ensure Dynamodb point in time recovery (backup) is enabled"
    	FAILED for resource: aws_dynamodb_table.this
    	File: /04-serverless-app/terraform/dynamo.tf:1-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-6.html
    
    		1  | resource "aws_dynamodb_table" "this" {
    		2  |   hash_key       = "TodoId"
    		3  |   name           = var.service_name
    		4  |   read_capacity  = 5
    		5  |   write_capacity = 5
    		6  | 
    		7  |   attribute {
    		8  |     name = "TodoId"
    		9  |     type = "S"
    		10 |   }
    		11 | 
    		12 |   tags = local.common_tags
    		13 | }
    
    Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
    	FAILED for resource: aws_iam_policy_document.s3
    	File: /04-serverless-app/terraform/iam.tf:14-50
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration.html
    
    		14 | data "aws_iam_policy_document" "s3" {
    		15 |   statement {
    		16 |     sid       = "AllowS3AndSNSActions"
    		17 |     effect    = "Allow"
    		18 |     resources = ["*"]
    		19 | 
    		20 |     actions = [
    		21 |       "s3:*",
    		22 |       "sns:*",
    		23 |     ]
    		24 |   }
    		25 | 
    		26 |   statement {
    		27 |     sid       = "AllowInvokingLambdas"
    		28 |     effect    = "Allow"
    		29 |     resources = ["arn:aws:lambda:*:*:function:*"]
    		30 |     actions   = ["lambda:InvokeFunction"]
    		31 |   }
    		32 | 
    		33 |   statement {
    		34 |     sid       = "AllowCreatingLogGroups"
    		35 |     effect    = "Allow"
    		36 |     resources = ["arn:aws:logs:*:*:*"]
    		37 |     actions   = ["logs:CreateLogGroup"]
    		38 |   }
    		39 | 
    		40 |   statement {
    		41 |     sid       = "AllowWritingLogs"
    		42 |     effect    = "Allow"
    		43 |     resources = ["arn:aws:logs:*:*:log-group:/aws/lambda/*:*"]
    		44 | 
    		45 |     actions = [
    		46 |       "logs:CreateLogStream",
    		47 |       "logs:PutLogEvents",
    		48 |     ]
    		49 |   }
    		50 | }
    
    Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
    	FAILED for resource: aws_iam_policy_document.s3
    	File: /04-serverless-app/terraform/iam.tf:14-50
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint.html
    
    		14 | data "aws_iam_policy_document" "s3" {
    		15 |   statement {
    		16 |     sid       = "AllowS3AndSNSActions"
    		17 |     effect    = "Allow"
    		18 |     resources = ["*"]
    		19 | 
    		20 |     actions = [
    		21 |       "s3:*",
    		22 |       "sns:*",
    		23 |     ]
    		24 |   }
    		25 | 
    		26 |   statement {
    		27 |     sid       = "AllowInvokingLambdas"
    		28 |     effect    = "Allow"
    		29 |     resources = ["arn:aws:lambda:*:*:function:*"]
    		30 |     actions   = ["lambda:InvokeFunction"]
    		31 |   }
    		32 | 
    		33 |   statement {
    		34 |     sid       = "AllowCreatingLogGroups"
    		35 |     effect    = "Allow"
    		36 |     resources = ["arn:aws:logs:*:*:*"]
    		37 |     actions   = ["logs:CreateLogGroup"]
    		38 |   }
    		39 | 
    		40 |   statement {
    		41 |     sid       = "AllowWritingLogs"
    		42 |     effect    = "Allow"
    		43 |     resources = ["arn:aws:logs:*:*:log-group:/aws/lambda/*:*"]
    		44 | 
    		45 |     actions = [
    		46 |       "logs:CreateLogStream",
    		47 |       "logs:PutLogEvents",
    		48 |     ]
    		49 |   }
    		50 | }
    
    Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_policy_document.s3
    	File: /04-serverless-app/terraform/iam.tf:14-50
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html
    
    		14 | data "aws_iam_policy_document" "s3" {
    		15 |   statement {
    		16 |     sid       = "AllowS3AndSNSActions"
    		17 |     effect    = "Allow"
    		18 |     resources = ["*"]
    		19 | 
    		20 |     actions = [
    		21 |       "s3:*",
    		22 |       "sns:*",
    		23 |     ]
    		24 |   }
    		25 | 
    		26 |   statement {
    		27 |     sid       = "AllowInvokingLambdas"
    		28 |     effect    = "Allow"
    		29 |     resources = ["arn:aws:lambda:*:*:function:*"]
    		30 |     actions   = ["lambda:InvokeFunction"]
    		31 |   }
    		32 | 
    		33 |   statement {
    		34 |     sid       = "AllowCreatingLogGroups"
    		35 |     effect    = "Allow"
    		36 |     resources = ["arn:aws:logs:*:*:*"]
    		37 |     actions   = ["logs:CreateLogGroup"]
    		38 |   }
    		39 | 
    		40 |   statement {
    		41 |     sid       = "AllowWritingLogs"
    		42 |     effect    = "Allow"
    		43 |     resources = ["arn:aws:logs:*:*:log-group:/aws/lambda/*:*"]
    		44 | 
    		45 |     actions = [
    		46 |       "logs:CreateLogStream",
    		47 |       "logs:PutLogEvents",
    		48 |     ]
    		49 |   }
    		50 | }
    
    Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_policy_document.s3
    	File: /04-serverless-app/terraform/iam.tf:14-50
    
    		14 | data "aws_iam_policy_document" "s3" {
    		15 |   statement {
    		16 |     sid       = "AllowS3AndSNSActions"
    		17 |     effect    = "Allow"
    		18 |     resources = ["*"]
    		19 | 
    		20 |     actions = [
    		21 |       "s3:*",
    		22 |       "sns:*",
    		23 |     ]
    		24 |   }
    		25 | 
    		26 |   statement {
    		27 |     sid       = "AllowInvokingLambdas"
    		28 |     effect    = "Allow"
    		29 |     resources = ["arn:aws:lambda:*:*:function:*"]
    		30 |     actions   = ["lambda:InvokeFunction"]
    		31 |   }
    		32 | 
    		33 |   statement {
    		34 |     sid       = "AllowCreatingLogGroups"
    		35 |     effect    = "Allow"
    		36 |     resources = ["arn:aws:logs:*:*:*"]
    		37 |     actions   = ["logs:CreateLogGroup"]
    		38 |   }
    		39 | 
    		40 |   statement {
    		41 |     sid       = "AllowWritingLogs"
    		42 |     effect    = "Allow"
    		43 |     resources = ["arn:aws:logs:*:*:log-group:/aws/lambda/*:*"]
    		44 | 
    		45 |     actions = [
    		46 |       "logs:CreateLogStream",
    		47 |       "logs:PutLogEvents",
    		48 |     ]
    		49 |   }
    		50 | }
    
    Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_policy_document.dynamo
    	File: /04-serverless-app/terraform/iam.tf:69-102
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html
    
    		69  | data "aws_iam_policy_document" "dynamo" {
    		70  |   statement {
    		71  |     sid       = "AllowDynamoPermissions"
    		72  |     effect    = "Allow"
    		73  |     resources = ["*"]
    		74  | 
    		75  |     actions = ["dynamodb:*"]
    		76  |   }
    		77  | 
    		78  |   statement {
    		79  |     sid       = "AllowInvokingLambdas"
    		80  |     effect    = "Allow"
    		81  |     resources = ["arn:aws:lambda:*:*:function:*"]
    		82  |     actions   = ["lambda:InvokeFunction"]
    		83  |   }
    		84  | 
    		85  |   statement {
    		86  |     sid       = "AllowCreatingLogGroups"
    		87  |     effect    = "Allow"
    		88  |     resources = ["arn:aws:logs:*:*:*"]
    		89  |     actions   = ["logs:CreateLogGroup"]
    		90  |   }
    		91  | 
    		92  |   statement {
    		93  |     sid       = "AllowWritingLogs"
    		94  |     effect    = "Allow"
    		95  |     resources = ["arn:aws:logs:*:*:log-group:/aws/lambda/*:*"]
    		96  | 
    		97  |     actions = [
    		98  |       "logs:CreateLogStream",
    		99  |       "logs:PutLogEvents",
    		100 |     ]
    		101 |   }
    		102 | }
    
    Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_policy_document.dynamo
    	File: /04-serverless-app/terraform/iam.tf:69-102
    
    		69  | data "aws_iam_policy_document" "dynamo" {
    		70  |   statement {
    		71  |     sid       = "AllowDynamoPermissions"
    		72  |     effect    = "Allow"
    		73  |     resources = ["*"]
    		74  | 
    		75  |     actions = ["dynamodb:*"]
    		76  |   }
    		77  | 
    		78  |   statement {
    		79  |     sid       = "AllowInvokingLambdas"
    		80  |     effect    = "Allow"
    		81  |     resources = ["arn:aws:lambda:*:*:function:*"]
    		82  |     actions   = ["lambda:InvokeFunction"]
    		83  |   }
    		84  | 
    		85  |   statement {
    		86  |     sid       = "AllowCreatingLogGroups"
    		87  |     effect    = "Allow"
    		88  |     resources = ["arn:aws:logs:*:*:*"]
    		89  |     actions   = ["logs:CreateLogGroup"]
    		90  |   }
    		91  | 
    		92  |   statement {
    		93  |     sid       = "AllowWritingLogs"
    		94  |     effect    = "Allow"
    		95  |     resources = ["arn:aws:logs:*:*:log-group:/aws/lambda/*:*"]
    		96  | 
    		97  |     actions = [
    		98  |       "logs:CreateLogStream",
    		99  |       "logs:PutLogEvents",
    		100 |     ]
    		101 |   }
    		102 | }
    
    Check: CKV_AWS_50: "X-ray tracing is enabled for Lambda"
    	FAILED for resource: aws_lambda_function.s3
    	File: /04-serverless-app/terraform/lambda.tf:27-45
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4.html
    
    		27 | resource "aws_lambda_function" "s3" {
    		28 |   function_name = "s3"
    		29 |   handler       = "index.handler"
    		30 |   role          = aws_iam_role.s3.arn
    		31 |   runtime       = "nodejs14.x"
    		32 | 
    		33 |   filename         = data.archive_file.s3.output_path
    		34 |   source_code_hash = data.archive_file.s3.output_base64sha256
    		35 | 
    		36 |   layers = [aws_lambda_layer_version.joi.arn]
    		37 | 
    		38 |   environment {
    		39 |     variables = {
    		40 |       TOPIC_ARN = aws_sns_topic.this.arn
    		41 |     }
    		42 |   }
    		43 | 
    		44 |   tags = local.common_tags
    		45 | }
    
    Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
    	FAILED for resource: aws_lambda_function.s3
    	File: /04-serverless-app/terraform/lambda.tf:27-45
    
    		27 | resource "aws_lambda_function" "s3" {
    		28 |   function_name = "s3"
    		29 |   handler       = "index.handler"
    		30 |   role          = aws_iam_role.s3.arn
    		31 |   runtime       = "nodejs14.x"
    		32 | 
    		33 |   filename         = data.archive_file.s3.output_path
    		34 |   source_code_hash = data.archive_file.s3.output_base64sha256
    		35 | 
    		36 |   layers = [aws_lambda_layer_version.joi.arn]
    		37 | 
    		38 |   environment {
    		39 |     variables = {
    		40 |       TOPIC_ARN = aws_sns_topic.this.arn
    		41 |     }
    		42 |   }
    		43 | 
    		44 |   tags = local.common_tags
    		45 | }
    
    Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
    	FAILED for resource: aws_lambda_function.s3
    	File: /04-serverless-app/terraform/lambda.tf:27-45
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5.html
    
    		27 | resource "aws_lambda_function" "s3" {
    		28 |   function_name = "s3"
    		29 |   handler       = "index.handler"
    		30 |   role          = aws_iam_role.s3.arn
    		31 |   runtime       = "nodejs14.x"
    		32 | 
    		33 |   filename         = data.archive_file.s3.output_path
    		34 |   source_code_hash = data.archive_file.s3.output_base64sha256
    		35 | 
    		36 |   layers = [aws_lambda_layer_version.joi.arn]
    		37 | 
    		38 |   environment {
    		39 |     variables = {
    		40 |       TOPIC_ARN = aws_sns_topic.this.arn
    		41 |     }
    		42 |   }
    		43 | 
    		44 |   tags = local.common_tags
    		45 | }
    
    Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
    	FAILED for resource: aws_lambda_function.s3
    	File: /04-serverless-app/terraform/lambda.tf:27-45
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit.html
    
    		27 | resource "aws_lambda_function" "s3" {
    		28 |   function_name = "s3"
    		29 |   handler       = "index.handler"
    		30 |   role          = aws_iam_role.s3.arn
    		31 |   runtime       = "nodejs14.x"
    		32 | 
    		33 |   filename         = data.archive_file.s3.output_path
    		34 |   source_code_hash = data.archive_file.s3.output_base64sha256
    		35 | 
    		36 |   layers = [aws_lambda_layer_version.joi.arn]
    		37 | 
    		38 |   environment {
    		39 |     variables = {
    		40 |       TOPIC_ARN = aws_sns_topic.this.arn
    		41 |     }
    		42 |   }
    		43 | 
    		44 |   tags = local.common_tags
    		45 | }
    
    Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
    	FAILED for resource: aws_lambda_function.s3
    	File: /04-serverless-app/terraform/lambda.tf:27-45
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq.html
    
    		27 | resource "aws_lambda_function" "s3" {
    		28 |   function_name = "s3"
    		29 |   handler       = "index.handler"
    		30 |   role          = aws_iam_role.s3.arn
    		31 |   runtime       = "nodejs14.x"
    		32 | 
    		33 |   filename         = data.archive_file.s3.output_path
    		34 |   source_code_hash = data.archive_file.s3.output_base64sha256
    		35 | 
    		36 |   layers = [aws_lambda_layer_version.joi.arn]
    		37 | 
    		38 |   environment {
    		39 |     variables = {
    		40 |       TOPIC_ARN = aws_sns_topic.this.arn
    		41 |     }
    		42 |   }
    		43 | 
    		44 |   tags = local.common_tags
    		45 | }
    
    Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
    	FAILED for resource: aws_lambda_function.s3
    	File: /04-serverless-app/terraform/lambda.tf:27-45
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1.html
    
    		27 | resource "aws_lambda_function" "s3" {
    		28 |   function_name = "s3"
    		29 |   handler       = "index.handler"
    		30 |   role          = aws_iam_role.s3.arn
    		31 |   runtime       = "nodejs14.x"
    		32 | 
    		33 |   filename         = data.archive_file.s3.output_path
    		34 |   source_code_hash = data.archive_file.s3.output_base64sha256
    		35 | 
    		36 |   layers = [aws_lambda_layer_version.joi.arn]
    		37 | 
    		38 |   environment {
    		39 |     variables = {
    		40 |       TOPIC_ARN = aws_sns_topic.this.arn
    		41 |     }
    		42 |   }
    		43 | 
    		44 |   tags = local.common_tags
    		45 | }
    
    Check: CKV_AWS_50: "X-ray tracing is enabled for Lambda"
    	FAILED for resource: aws_lambda_function.dynamo
    	File: /04-serverless-app/terraform/lambda.tf:61-78
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4.html
    
    		61 | resource "aws_lambda_function" "dynamo" {
    		62 |   function_name = "dynamo"
    		63 |   handler       = "index.handler"
    		64 |   role          = aws_iam_role.dynamo.arn
    		65 |   runtime       = "nodejs14.x"
    		66 | 
    		67 |   filename         = data.archive_file.dynamo.output_path
    		68 |   source_code_hash = data.archive_file.dynamo.output_base64sha256
    		69 | 
    		70 |   timeout     = 30
    		71 |   memory_size = 128
    		72 | 
    		73 |   environment {
    		74 |     variables = {
    		75 |       TABLE = aws_dynamodb_table.this.name
    		76 |     }
    		77 |   }
    		78 | }
    
    Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
    	FAILED for resource: aws_lambda_function.dynamo
    	File: /04-serverless-app/terraform/lambda.tf:61-78
    
    		61 | resource "aws_lambda_function" "dynamo" {
    		62 |   function_name = "dynamo"
    		63 |   handler       = "index.handler"
    		64 |   role          = aws_iam_role.dynamo.arn
    		65 |   runtime       = "nodejs14.x"
    		66 | 
    		67 |   filename         = data.archive_file.dynamo.output_path
    		68 |   source_code_hash = data.archive_file.dynamo.output_base64sha256
    		69 | 
    		70 |   timeout     = 30
    		71 |   memory_size = 128
    		72 | 
    		73 |   environment {
    		74 |     variables = {
    		75 |       TABLE = aws_dynamodb_table.this.name
    		76 |     }
    		77 |   }
    		78 | }
    
    Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
    	FAILED for resource: aws_lambda_function.dynamo
    	File: /04-serverless-app/terraform/lambda.tf:61-78
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5.html
    
    		61 | resource "aws_lambda_function" "dynamo" {
    		62 |   function_name = "dynamo"
    		63 |   handler       = "index.handler"
    		64 |   role          = aws_iam_role.dynamo.arn
    		65 |   runtime       = "nodejs14.x"
    		66 | 
    		67 |   filename         = data.archive_file.dynamo.output_path
    		68 |   source_code_hash = data.archive_file.dynamo.output_base64sha256
    		69 | 
    		70 |   timeout     = 30
    		71 |   memory_size = 128
    		72 | 
    		73 |   environment {
    		74 |     variables = {
    		75 |       TABLE = aws_dynamodb_table.this.name
    		76 |     }
    		77 |   }
    		78 | }
    
    Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
    	FAILED for resource: aws_lambda_function.dynamo
    	File: /04-serverless-app/terraform/lambda.tf:61-78
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit.html
    
    		61 | resource "aws_lambda_function" "dynamo" {
    		62 |   function_name = "dynamo"
    		63 |   handler       = "index.handler"
    		64 |   role          = aws_iam_role.dynamo.arn
    		65 |   runtime       = "nodejs14.x"
    		66 | 
    		67 |   filename         = data.archive_file.dynamo.output_path
    		68 |   source_code_hash = data.archive_file.dynamo.output_base64sha256
    		69 | 
    		70 |   timeout     = 30
    		71 |   memory_size = 128
    		72 | 
    		73 |   environment {
    		74 |     variables = {
    		75 |       TABLE = aws_dynamodb_table.this.name
    		76 |     }
    		77 |   }
    		78 | }
    
    Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
    	FAILED for resource: aws_lambda_function.dynamo
    	File: /04-serverless-app/terraform/lambda.tf:61-78
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq.html
    
    		61 | resource "aws_lambda_function" "dynamo" {
    		62 |   function_name = "dynamo"
    		63 |   handler       = "index.handler"
    		64 |   role          = aws_iam_role.dynamo.arn
    		65 |   runtime       = "nodejs14.x"
    		66 | 
    		67 |   filename         = data.archive_file.dynamo.output_path
    		68 |   source_code_hash = data.archive_file.dynamo.output_base64sha256
    		69 | 
    		70 |   timeout     = 30
    		71 |   memory_size = 128
    		72 | 
    		73 |   environment {
    		74 |     variables = {
    		75 |       TABLE = aws_dynamodb_table.this.name
    		76 |     }
    		77 |   }
    		78 | }
    
    Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
    	FAILED for resource: aws_lambda_function.dynamo
    	File: /04-serverless-app/terraform/lambda.tf:61-78
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1.html
    
    		61 | resource "aws_lambda_function" "dynamo" {
    		62 |   function_name = "dynamo"
    		63 |   handler       = "index.handler"
    		64 |   role          = aws_iam_role.dynamo.arn
    		65 |   runtime       = "nodejs14.x"
    		66 | 
    		67 |   filename         = data.archive_file.dynamo.output_path
    		68 |   source_code_hash = data.archive_file.dynamo.output_base64sha256
    		69 | 
    		70 |   timeout     = 30
    		71 |   memory_size = 128
    		72 | 
    		73 |   environment {
    		74 |     variables = {
    		75 |       TABLE = aws_dynamodb_table.this.name
    		76 |     }
    		77 |   }
    		78 | }
    
    Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
    	FAILED for resource: aws_sns_topic.this
    	File: /04-serverless-app/terraform/sns.tf:1-3
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-15.html
    
    		1 | resource "aws_sns_topic" "this" {
    		2 |   name = var.service_name
    		3 | }
    
    Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
    	FAILED for resource: aws_lb.this
    	File: /05-autoscaling-app/alb.tf:1-7
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers.html
    
    		1 | resource "aws_lb" "this" {
    		2 |   name            = "Terraform-ALB"
    		3 |   security_groups = [aws_security_group.alb.id]
    		4 |   subnets         = [aws_subnet.this["pub_a"].id, aws_subnet.this["pub_b"].id]
    		5 | 
    		6 |   tags = merge(local.common_tags, { Name = "Terraform ALB" })
    		7 | }
    
    Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
    	FAILED for resource: aws_lb.this
    	File: /05-autoscaling-app/alb.tf:1-7
    	Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62
    
    		1 | resource "aws_lb" "this" {
    		2 |   name            = "Terraform-ALB"
    		3 |   security_groups = [aws_security_group.alb.id]
    		4 |   subnets         = [aws_subnet.this["pub_a"].id, aws_subnet.this["pub_b"].id]
    		5 | 
    		6 |   tags = merge(local.common_tags, { Name = "Terraform ALB" })
    		7 | }
    
    Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
    	FAILED for resource: aws_lb.this
    	File: /05-autoscaling-app/alb.tf:1-7
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22.html
    
    		1 | resource "aws_lb" "this" {
    		2 |   name            = "Terraform-ALB"
    		3 |   security_groups = [aws_security_group.alb.id]
    		4 |   subnets         = [aws_subnet.this["pub_a"].id, aws_subnet.this["pub_b"].id]
    		5 | 
    		6 |   tags = merge(local.common_tags, { Name = "Terraform ALB" })
    		7 | }
    
    Check: CKV_AWS_2: "Ensure ALB protocol is HTTPS"
    	FAILED for resource: aws_lb_listener.this
    	File: /05-autoscaling-app/alb.tf:21-30
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-29.html
    
    		21 | resource "aws_lb_listener" "this" {
    		22 |   load_balancer_arn = aws_lb.this.arn
    		23 |   port              = 80
    		24 |   protocol          = "HTTP"
    		25 | 
    		26 |   default_action {
    		27 |     type             = "forward"
    		28 |     target_group_arn = aws_lb_target_group.this.arn
    		29 |   }
    		30 | }
    
    Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
    	FAILED for resource: aws_launch_template.this
    	File: /05-autoscaling-app/ec2.tf:12-28
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
    
    		12 | resource "aws_launch_template" "this" {
    		13 |   name_prefix   = "terraform-"
    		14 |   image_id      = data.aws_ami.ubuntu.id
    		15 |   instance_type = var.instance_type
    		16 |   key_name      = var.instance_key_name
    		17 |   user_data     = filebase64("ec2_setup.sh")
    		18 | 
    		19 |   monitoring {
    		20 |     enabled = true
    		21 |   }
    		22 | 
    		23 |   network_interfaces {
    		24 |     associate_public_ip_address = true
    		25 |     delete_on_termination       = true
    		26 |     security_groups             = [aws_security_group.autoscaling.id]
    		27 |   }
    		28 | }
    
    Check: CKV_AWS_88: "EC2 instance should not have public IP."
    	FAILED for resource: aws_launch_template.this
    	File: /05-autoscaling-app/ec2.tf:12-28
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/public-policies/public-12.html
    
    		12 | resource "aws_launch_template" "this" {
    		13 |   name_prefix   = "terraform-"
    		14 |   image_id      = data.aws_ami.ubuntu.id
    		15 |   instance_type = var.instance_type
    		16 |   key_name      = var.instance_key_name
    		17 |   user_data     = filebase64("ec2_setup.sh")
    		18 | 
    		19 |   monitoring {
    		20 |     enabled = true
    		21 |   }
    		22 | 
    		23 |   network_interfaces {
    		24 |     associate_public_ip_address = true
    		25 |     delete_on_termination       = true
    		26 |     security_groups             = [aws_security_group.autoscaling.id]
    		27 |   }
    		28 | }
    
    Check: CKV_AWS_153: "Autoscaling groups should supply tags to launch configurations"
    	FAILED for resource: aws_autoscaling_group.this
    	File: /05-autoscaling-app/ec2.tf:30-44
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/autoscaling-groups-should-supply-tags-to-launch-configurations.html
    
    		30 | resource "aws_autoscaling_group" "this" {
    		31 |   name                      = "terraform-autoscaling"
    		32 |   vpc_zone_identifier       = [aws_subnet.this["pub_a"].id, aws_subnet.this["pub_b"].id]
    		33 |   max_size                  = 5
    		34 |   min_size                  = 2
    		35 |   health_check_grace_period = 240
    		36 |   health_check_type         = "ELB"
    		37 |   force_delete              = true
    		38 |   target_group_arns         = [aws_lb_target_group.this.id]
    		39 | 
    		40 |   launch_template {
    		41 |     id      = aws_launch_template.this.id
    		42 |     version = aws_launch_template.this.latest_version
    		43 |   }
    		44 | }
    
    Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
    	FAILED for resource: aws_instance.jenkins
    	File: /05-autoscaling-app/ec2.tf:64-73
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
    
    		64 | resource "aws_instance" "jenkins" {
    		65 |   ami           = data.aws_ami.ubuntu.id
    		66 |   instance_type = var.instance_type
    		67 | 
    		68 |   vpc_security_group_ids = [aws_security_group.jenkins.id]
    		69 |   subnet_id              = aws_subnet.this["pvt_b"].id
    		70 |   availability_zone      = "${var.aws_region}b"
    		71 | 
    		72 |   tags = merge(local.common_tags, { Name = "Jenkins Machine" })
    		73 | }
    
    Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
    	FAILED for resource: aws_instance.jenkins
    	File: /05-autoscaling-app/ec2.tf:64-73
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
    
    		64 | resource "aws_instance" "jenkins" {
    		65 |   ami           = data.aws_ami.ubuntu.id
    		66 |   instance_type = var.instance_type
    		67 | 
    		68 |   vpc_security_group_ids = [aws_security_group.jenkins.id]
    		69 |   subnet_id              = aws_subnet.this["pvt_b"].id
    		70 |   availability_zone      = "${var.aws_region}b"
    		71 | 
    		72 |   tags = merge(local.common_tags, { Name = "Jenkins Machine" })
    		73 | }
    
    Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
    	FAILED for resource: aws_instance.jenkins
    	File: /05-autoscaling-app/ec2.tf:64-73
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
    
    		64 | resource "aws_instance" "jenkins" {
    		65 |   ami           = data.aws_ami.ubuntu.id
    		66 |   instance_type = var.instance_type
    		67 | 
    		68 |   vpc_security_group_ids = [aws_security_group.jenkins.id]
    		69 |   subnet_id              = aws_subnet.this["pvt_b"].id
    		70 |   availability_zone      = "${var.aws_region}b"
    		71 | 
    		72 |   tags = merge(local.common_tags, { Name = "Jenkins Machine" })
    		73 | }
    
    Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
    	FAILED for resource: aws_instance.jenkins
    	File: /05-autoscaling-app/ec2.tf:64-73
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
    
    		64 | resource "aws_instance" "jenkins" {
    		65 |   ami           = data.aws_ami.ubuntu.id
    		66 |   instance_type = var.instance_type
    		67 | 
    		68 |   vpc_security_group_ids = [aws_security_group.jenkins.id]
    		69 |   subnet_id              = aws_subnet.this["pvt_b"].id
    		70 |   availability_zone      = "${var.aws_region}b"
    		71 | 
    		72 |   tags = merge(local.common_tags, { Name = "Jenkins Machine" })
    		73 | }
    
    Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
    	FAILED for resource: aws_db_instance.web
    	File: /05-autoscaling-app/rds.tf:8-23
    
    		8  | resource "aws_db_instance" "web" {
    		9  |   allocated_storage    = 10
    		10 |   storage_type         = "gp2"
    		11 |   engine               = "mysql"
    		12 |   engine_version       = "5.7"
    		13 |   instance_class       = "db.t2.micro"
    		14 |   name                 = "mydb"
    		15 |   username             = "foo"
    		16 |   password             = "foobarbaz"
    		17 |   parameter_group_name = "default.mysql5.7"
    		18 |   availability_zone    = "${var.aws_region}a"
    		19 |   skip_final_snapshot  = true
    		20 | 
    		21 |   db_subnet_group_name   = aws_db_subnet_group.default.id
    		22 |   vpc_security_group_ids = [aws_security_group.db.id]
    		23 | }
    
    Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
    	FAILED for resource: aws_db_instance.web
    	File: /05-autoscaling-app/rds.tf:8-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled.html
    
    		8  | resource "aws_db_instance" "web" {
    		9  |   allocated_storage    = 10
    		10 |   storage_type         = "gp2"
    		11 |   engine               = "mysql"
    		12 |   engine_version       = "5.7"
    		13 |   instance_class       = "db.t2.micro"
    		14 |   name                 = "mydb"
    		15 |   username             = "foo"
    		16 |   password             = "foobarbaz"
    		17 |   parameter_group_name = "default.mysql5.7"
    		18 |   availability_zone    = "${var.aws_region}a"
    		19 |   skip_final_snapshot  = true
    		20 | 
    		21 |   db_subnet_group_name   = aws_db_subnet_group.default.id
    		22 |   vpc_security_group_ids = [aws_security_group.db.id]
    		23 | }
    
    Check: CKV_AWS_161: "Ensure RDS database has IAM authentication enabled"
    	FAILED for resource: aws_db_instance.web
    	File: /05-autoscaling-app/rds.tf:8-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-rds-database-has-iam-authentication-enabled.html
    
    		8  | resource "aws_db_instance" "web" {
    		9  |   allocated_storage    = 10
    		10 |   storage_type         = "gp2"
    		11 |   engine               = "mysql"
    		12 |   engine_version       = "5.7"
    		13 |   instance_class       = "db.t2.micro"
    		14 |   name                 = "mydb"
    		15 |   username             = "foo"
    		16 |   password             = "foobarbaz"
    		17 |   parameter_group_name = "default.mysql5.7"
    		18 |   availability_zone    = "${var.aws_region}a"
    		19 |   skip_final_snapshot  = true
    		20 | 
    		21 |   db_subnet_group_name   = aws_db_subnet_group.default.id
    		22 |   vpc_security_group_ids = [aws_security_group.db.id]
    		23 | }
    
    Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
    	FAILED for resource: aws_db_instance.web
    	File: /05-autoscaling-app/rds.tf:8-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically.html
    
    		8  | resource "aws_db_instance" "web" {
    		9  |   allocated_storage    = 10
    		10 |   storage_type         = "gp2"
    		11 |   engine               = "mysql"
    		12 |   engine_version       = "5.7"
    		13 |   instance_class       = "db.t2.micro"
    		14 |   name                 = "mydb"
    		15 |   username             = "foo"
    		16 |   password             = "foobarbaz"
    		17 |   parameter_group_name = "default.mysql5.7"
    		18 |   availability_zone    = "${var.aws_region}a"
    		19 |   skip_final_snapshot  = true
    		20 | 
    		21 |   db_subnet_group_name   = aws_db_subnet_group.default.id
    		22 |   vpc_security_group_ids = [aws_security_group.db.id]
    		23 | }
    
    Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
    	FAILED for resource: aws_db_instance.web
    	File: /05-autoscaling-app/rds.tf:8-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances.html
    
    		8  | resource "aws_db_instance" "web" {
    		9  |   allocated_storage    = 10
    		10 |   storage_type         = "gp2"
    		11 |   engine               = "mysql"
    		12 |   engine_version       = "5.7"
    		13 |   instance_class       = "db.t2.micro"
    		14 |   name                 = "mydb"
    		15 |   username             = "foo"
    		16 |   password             = "foobarbaz"
    		17 |   parameter_group_name = "default.mysql5.7"
    		18 |   availability_zone    = "${var.aws_region}a"
    		19 |   skip_final_snapshot  = true
    		20 | 
    		21 |   db_subnet_group_name   = aws_db_subnet_group.default.id
    		22 |   vpc_security_group_ids = [aws_security_group.db.id]
    		23 | }
    
    Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
    	FAILED for resource: aws_db_instance.web
    	File: /05-autoscaling-app/rds.tf:8-23
    
    		8  | resource "aws_db_instance" "web" {
    		9  |   allocated_storage    = 10
    		10 |   storage_type         = "gp2"
    		11 |   engine               = "mysql"
    		12 |   engine_version       = "5.7"
    		13 |   instance_class       = "db.t2.micro"
    		14 |   name                 = "mydb"
    		15 |   username             = "foo"
    		16 |   password             = "foobarbaz"
    		17 |   parameter_group_name = "default.mysql5.7"
    		18 |   availability_zone    = "${var.aws_region}a"
    		19 |   skip_final_snapshot  = true
    		20 | 
    		21 |   db_subnet_group_name   = aws_db_subnet_group.default.id
    		22 |   vpc_security_group_ids = [aws_security_group.db.id]
    		23 | }
    
    Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
    	FAILED for resource: aws_db_instance.web
    	File: /05-autoscaling-app/rds.tf:8-23
    
    		8  | resource "aws_db_instance" "web" {
    		9  |   allocated_storage    = 10
    		10 |   storage_type         = "gp2"
    		11 |   engine               = "mysql"
    		12 |   engine_version       = "5.7"
    		13 |   instance_class       = "db.t2.micro"
    		14 |   name                 = "mydb"
    		15 |   username             = "foo"
    		16 |   password             = "foobarbaz"
    		17 |   parameter_group_name = "default.mysql5.7"
    		18 |   availability_zone    = "${var.aws_region}a"
    		19 |   skip_final_snapshot  = true
    		20 | 
    		21 |   db_subnet_group_name   = aws_db_subnet_group.default.id
    		22 |   vpc_security_group_ids = [aws_security_group.db.id]
    		23 | }
    
    Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
    	FAILED for resource: aws_db_instance.web
    	File: /05-autoscaling-app/rds.tf:8-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-4.html
    
    		8  | resource "aws_db_instance" "web" {
    		9  |   allocated_storage    = 10
    		10 |   storage_type         = "gp2"
    		11 |   engine               = "mysql"
    		12 |   engine_version       = "5.7"
    		13 |   instance_class       = "db.t2.micro"
    		14 |   name                 = "mydb"
    		15 |   username             = "foo"
    		16 |   password             = "foobarbaz"
    		17 |   parameter_group_name = "default.mysql5.7"
    		18 |   availability_zone    = "${var.aws_region}a"
    		19 |   skip_final_snapshot  = true
    		20 | 
    		21 |   db_subnet_group_name   = aws_db_subnet_group.default.id
    		22 |   vpc_security_group_ids = [aws_security_group.db.id]
    		23 | }
    
    Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
    	FAILED for resource: aws_db_instance.web
    	File: /05-autoscaling-app/rds.tf:8-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-73.html
    
    		8  | resource "aws_db_instance" "web" {
    		9  |   allocated_storage    = 10
    		10 |   storage_type         = "gp2"
    		11 |   engine               = "mysql"
    		12 |   engine_version       = "5.7"
    		13 |   instance_class       = "db.t2.micro"
    		14 |   name                 = "mydb"
    		15 |   username             = "foo"
    		16 |   password             = "foobarbaz"
    		17 |   parameter_group_name = "default.mysql5.7"
    		18 |   availability_zone    = "${var.aws_region}a"
    		19 |   skip_final_snapshot  = true
    		20 | 
    		21 |   db_subnet_group_name   = aws_db_subnet_group.default.id
    		22 |   vpc_security_group_ids = [aws_security_group.db.id]
    		23 | }
    
    Check: CKV_AWS_277: "Ensure no security groups allow ingress from 0.0.0.0:0 to port -1"
    	FAILED for resource: aws_security_group.web
    	File: /05-autoscaling-app/security_group.tf:1-35
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-group-does-not-allow-all-traffic-on-all-ports.html
    
    		1  | resource "aws_security_group" "web" {
    		2  |   name        = "Web"
    		3  |   description = "Allow public inbound traffic"
    		4  |   vpc_id      = aws_vpc.this.id
    		5  | 
    		6  |   ingress {
    		7  |     from_port   = 80 # http
    		8  |     to_port     = 80
    		9  |     protocol    = "tcp"
    		10 |     cidr_blocks = ["0.0.0.0/0"]
    		11 |   }
    		12 | 
    		13 |   ingress {
    		14 |     from_port   = 443 # https
    		15 |     to_port     = 443
    		16 |     protocol    = "tcp"
    		17 |     cidr_blocks = ["0.0.0.0/0"]
    		18 |   }
    		19 | 
    		20 |   ingress {
    		21 |     from_port   = -1
    		22 |     to_port     = -1
    		23 |     protocol    = "icmp"
    		24 |     cidr_blocks = ["0.0.0.0/0"]
    		25 |   }
    		26 | 
    		27 |   egress {
    		28 |     from_port   = 3306
    		29 |     to_port     = 3306
    		30 |     protocol    = "tcp"
    		31 |     cidr_blocks = [aws_subnet.this["pvt_a"].cidr_block]
    		32 |   }
    		33 | 
    		34 |   tags = merge(local.common_tags, { Name = "Web Server" })
    		35 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group.web
    	File: /05-autoscaling-app/security_group.tf:1-35
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		1  | resource "aws_security_group" "web" {
    		2  |   name        = "Web"
    		3  |   description = "Allow public inbound traffic"
    		4  |   vpc_id      = aws_vpc.this.id
    		5  | 
    		6  |   ingress {
    		7  |     from_port   = 80 # http
    		8  |     to_port     = 80
    		9  |     protocol    = "tcp"
    		10 |     cidr_blocks = ["0.0.0.0/0"]
    		11 |   }
    		12 | 
    		13 |   ingress {
    		14 |     from_port   = 443 # https
    		15 |     to_port     = 443
    		16 |     protocol    = "tcp"
    		17 |     cidr_blocks = ["0.0.0.0/0"]
    		18 |   }
    		19 | 
    		20 |   ingress {
    		21 |     from_port   = -1
    		22 |     to_port     = -1
    		23 |     protocol    = "icmp"
    		24 |     cidr_blocks = ["0.0.0.0/0"]
    		25 |   }
    		26 | 
    		27 |   egress {
    		28 |     from_port   = 3306
    		29 |     to_port     = 3306
    		30 |     protocol    = "tcp"
    		31 |     cidr_blocks = [aws_subnet.this["pvt_a"].cidr_block]
    		32 |   }
    		33 | 
    		34 |   tags = merge(local.common_tags, { Name = "Web Server" })
    		35 | }
    
    Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
    	FAILED for resource: aws_security_group.web
    	File: /05-autoscaling-app/security_group.tf:1-35
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
    
    		1  | resource "aws_security_group" "web" {
    		2  |   name        = "Web"
    		3  |   description = "Allow public inbound traffic"
    		4  |   vpc_id      = aws_vpc.this.id
    		5  | 
    		6  |   ingress {
    		7  |     from_port   = 80 # http
    		8  |     to_port     = 80
    		9  |     protocol    = "tcp"
    		10 |     cidr_blocks = ["0.0.0.0/0"]
    		11 |   }
    		12 | 
    		13 |   ingress {
    		14 |     from_port   = 443 # https
    		15 |     to_port     = 443
    		16 |     protocol    = "tcp"
    		17 |     cidr_blocks = ["0.0.0.0/0"]
    		18 |   }
    		19 | 
    		20 |   ingress {
    		21 |     from_port   = -1
    		22 |     to_port     = -1
    		23 |     protocol    = "icmp"
    		24 |     cidr_blocks = ["0.0.0.0/0"]
    		25 |   }
    		26 | 
    		27 |   egress {
    		28 |     from_port   = 3306
    		29 |     to_port     = 3306
    		30 |     protocol    = "tcp"
    		31 |     cidr_blocks = [aws_subnet.this["pvt_a"].cidr_block]
    		32 |   }
    		33 | 
    		34 |   tags = merge(local.common_tags, { Name = "Web Server" })
    		35 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group.db
    	File: /05-autoscaling-app/security_group.tf:37-78
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		37 | resource "aws_security_group" "db" {
    		38 |   name        = "DB"
    		39 |   description = "Allow incoming database connections"
    		40 |   vpc_id      = aws_vpc.this.id
    		41 | 
    		42 |   ingress {
    		43 |     from_port       = 3306
    		44 |     to_port         = 3306
    		45 |     protocol        = "tcp"
    		46 |     security_groups = [aws_security_group.web.id]
    		47 |   }
    		48 | 
    		49 |   ingress {
    		50 |     from_port   = 22
    		51 |     to_port     = 22
    		52 |     protocol    = "tcp"
    		53 |     cidr_blocks = [aws_vpc.this.cidr_block]
    		54 |   }
    		55 | 
    		56 |   ingress {
    		57 |     from_port   = -1
    		58 |     to_port     = -1
    		59 |     protocol    = "icmp"
    		60 |     cidr_blocks = [aws_vpc.this.cidr_block]
    		61 |   }
    		62 | 
    		63 |   egress {
    		64 |     from_port   = 80
    		65 |     to_port     = 80
    		66 |     protocol    = "tcp"
    		67 |     cidr_blocks = ["0.0.0.0/0"]
    		68 |   }
    		69 | 
    		70 |   egress {
    		71 |     from_port   = 443
    		72 |     to_port     = 443
    		73 |     protocol    = "tcp"
    		74 |     cidr_blocks = ["0.0.0.0/0"]
    		75 |   }
    		76 | 
    		77 |   tags = merge(local.common_tags, { Name = "Database MySQL" })
    		78 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group.alb
    	File: /05-autoscaling-app/security_group.tf:80-100
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		80  | resource "aws_security_group" "alb" {
    		81  |   name        = "ALB-SG"
    		82  |   description = "Load Balancer SG"
    		83  |   vpc_id      = aws_vpc.this.id
    		84  | 
    		85  |   ingress {
    		86  |     from_port   = 80
    		87  |     to_port     = 80
    		88  |     protocol    = "tcp"
    		89  |     cidr_blocks = ["0.0.0.0/0"]
    		90  |   }
    		91  | 
    		92  |   egress {
    		93  |     from_port   = 0
    		94  |     to_port     = 0
    		95  |     protocol    = "-1"
    		96  |     cidr_blocks = ["0.0.0.0/0"]
    		97  |   }
    		98  | 
    		99  |   tags = merge(local.common_tags, { Name = "Load Balancer" })
    		100 | }
    
    Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
    	FAILED for resource: aws_security_group.alb
    	File: /05-autoscaling-app/security_group.tf:80-100
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
    
    		80  | resource "aws_security_group" "alb" {
    		81  |   name        = "ALB-SG"
    		82  |   description = "Load Balancer SG"
    		83  |   vpc_id      = aws_vpc.this.id
    		84  | 
    		85  |   ingress {
    		86  |     from_port   = 80
    		87  |     to_port     = 80
    		88  |     protocol    = "tcp"
    		89  |     cidr_blocks = ["0.0.0.0/0"]
    		90  |   }
    		91  | 
    		92  |   egress {
    		93  |     from_port   = 0
    		94  |     to_port     = 0
    		95  |     protocol    = "-1"
    		96  |     cidr_blocks = ["0.0.0.0/0"]
    		97  |   }
    		98  | 
    		99  |   tags = merge(local.common_tags, { Name = "Load Balancer" })
    		100 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group.autoscaling
    	File: /05-autoscaling-app/security_group.tf:102-129
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		102 | resource "aws_security_group" "autoscaling" {
    		103 |   name        = "autoscaling"
    		104 |   description = "Security group that allows ssh/http and all egress traffic"
    		105 |   vpc_id      = aws_vpc.this.id
    		106 | 
    		107 |   ingress {
    		108 |     from_port   = 22
    		109 |     to_port     = 22
    		110 |     protocol    = "tcp"
    		111 |     cidr_blocks = ["0.0.0.0/0"]
    		112 |   }
    		113 | 
    		114 |   ingress {
    		115 |     from_port       = 80
    		116 |     to_port         = 80
    		117 |     protocol        = "tcp"
    		118 |     security_groups = [aws_security_group.alb.id]
    		119 |   }
    		120 | 
    		121 |   egress {
    		122 |     from_port   = 0
    		123 |     to_port     = 0
    		124 |     protocol    = "-1"
    		125 |     cidr_blocks = ["0.0.0.0/0"]
    		126 |   }
    		127 | 
    		128 |   tags = merge(local.common_tags, { Name = "Auto Scaling" })
    		129 | }
    
    Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
    	FAILED for resource: aws_security_group.autoscaling
    	File: /05-autoscaling-app/security_group.tf:102-129
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-1-port-security.html
    
    		102 | resource "aws_security_group" "autoscaling" {
    		103 |   name        = "autoscaling"
    		104 |   description = "Security group that allows ssh/http and all egress traffic"
    		105 |   vpc_id      = aws_vpc.this.id
    		106 | 
    		107 |   ingress {
    		108 |     from_port   = 22
    		109 |     to_port     = 22
    		110 |     protocol    = "tcp"
    		111 |     cidr_blocks = ["0.0.0.0/0"]
    		112 |   }
    		113 | 
    		114 |   ingress {
    		115 |     from_port       = 80
    		116 |     to_port         = 80
    		117 |     protocol        = "tcp"
    		118 |     security_groups = [aws_security_group.alb.id]
    		119 |   }
    		120 | 
    		121 |   egress {
    		122 |     from_port   = 0
    		123 |     to_port     = 0
    		124 |     protocol    = "-1"
    		125 |     cidr_blocks = ["0.0.0.0/0"]
    		126 |   }
    		127 | 
    		128 |   tags = merge(local.common_tags, { Name = "Auto Scaling" })
    		129 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group.jenkins
    	File: /05-autoscaling-app/security_group.tf:131-158
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		131 | resource "aws_security_group" "jenkins" {
    		132 |   name        = "Jenkins"
    		133 |   description = "Allow incoming connections to Jenkins machine"
    		134 |   vpc_id      = aws_vpc.this.id
    		135 | 
    		136 |   ingress {
    		137 |     from_port   = 22
    		138 |     to_port     = 22
    		139 |     protocol    = "tcp"
    		140 |     cidr_blocks = [aws_vpc.this.cidr_block]
    		141 |   }
    		142 | 
    		143 |   ingress {
    		144 |     from_port   = -1
    		145 |     to_port     = -1
    		146 |     protocol    = "icmp"
    		147 |     cidr_blocks = [aws_vpc.this.cidr_block]
    		148 |   }
    		149 | 
    		150 |   egress {
    		151 |     from_port       = 22
    		152 |     to_port         = 22
    		153 |     protocol        = "tcp"
    		154 |     security_groups = [aws_security_group.web.id]
    		155 |   }
    		156 | 
    		157 |   tags = merge(local.common_tags, { Name = "Jenkins Machine" })
    		158 | }
    
    Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
    	FAILED for resource: aws_s3_bucket.my-test-bucket
    	File: /01-terraform-basico/01-primeiro-script/main.tf:19-28
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
    
    		19 | resource "aws_s3_bucket" "my-test-bucket" {
    		20 |   bucket = "my-tf-test-bucket-123123455745642342342"
    		21 |   acl    = "private"
    		22 | 
    		23 |   tags = {
    		24 |     Name        = "My bucket"
    		25 |     Environment = "Dev"
    		26 |     Managedby   = "Terraform"
    		27 |   }
    		28 | }
    
    Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
    	FAILED for resource: aws_s3_bucket.my-test-bucket
    	File: /01-terraform-basico/02-alterando-destruindo/main.tf:23-34
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
    
    		23 | resource "aws_s3_bucket" "my-test-bucket" {
    		24 |   bucket = "my-tf-test-bucket-123123455745642342342"
    		25 |   acl    = "private"
    		26 | 
    		27 |   tags = {
    		28 |     Name        = "My first Terraform bucket"
    		29 |     Environment = "Dev"
    		30 |     ManagedBy   = "Terraform"
    		31 |     Owner       = "Cleber Gasparoto"
    		32 |     CreatedAt   = "2021-01-14"
    		33 |   }
    		34 | }
    
    Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
    	FAILED for resource: aws_s3_bucket.this
    	File: /01-terraform-basico/04-interpolacao-locals-outputs/s3.tf:1-4
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
    
    		1 | resource "aws_s3_bucket" "this" {
    		2 |   bucket = "${random_pet.bucket.id}-${var.environment}"
    		3 |   tags   = local.common_tags
    		4 | }
    
    Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
    	FAILED for resource: aws_s3_bucket.manual
    	File: /01-terraform-basico/04-interpolacao-locals-outputs/s3.tf:6-14
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
    
    		6  | resource "aws_s3_bucket" "manual" {
    		7  |   bucket = "meubucketcriadonoconsoledaaws123123"
    		8  | 
    		9  |   tags = {
    		10 |     Criado    = "14/01/2021"
    		11 |     Importado = "23/01/2021"
    		12 |     ManagedBy = "Terraform"
    		13 |   }
    		14 | }
    
    Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
    	FAILED for resource: aws_s3_bucket.remote-state
    	File: /02-terraform-intermediario/01-remote-state/00-remote-state-bucket/main.tf:19-32
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
    
    		19 | resource "aws_s3_bucket" "remote-state" {
    		20 |   bucket = "tfstate-${data.aws_caller_identity.current.account_id}"
    		21 | 
    		22 |   versioning {
    		23 |     enabled = true
    		24 |   }
    		25 | 
    		26 |   tags = {
    		27 |     Description = "Stores terraform remote state files"
    		28 |     ManagedBy   = "Terraform"
    		29 |     Owner       = "Cleber Gasparoto"
    		30 |     CreatedAt   = "2021-01-24"
    		31 |   }
    		32 | }
    
    Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
    	FAILED for resource: aws_s3_bucket.this
    	File: /02-terraform-intermediario/02-builtin-functions/s3.tf:5-8
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
    
    		5 | resource "aws_s3_bucket" "this" {
    		6 |   bucket = "${random_pet.bucket.id}-${var.env}"
    		7 |   tags   = local.common_tags
    		8 | }
    
    Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
    	FAILED for resource: aws_s3_bucket.this
    	File: /02-terraform-intermediario/03-data-source/s3/s3.tf:5-7
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
    
    		5 | resource "aws_s3_bucket" "this" {
    		6 |   bucket = "my-bucket-${random_pet.this.id}"
    		7 | }
    
    Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
    	FAILED for resource: module.bucket.aws_s3_bucket.this
    	File: /02-terraform-intermediario/05-modules/s3_module/main.tf:1-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
    
    		1  | resource "aws_s3_bucket" "this" {
    		2  |   bucket = var.name
    		3  |   acl    = var.acl
    		4  |   policy = var.policy
    		5  |   tags   = var.tags
    		6  | 
    		7  |   dynamic "website" {
    		8  |     for_each = length(keys(var.website)) == 0 ? [] : [var.website]
    		9  |     content {
    		10 |       index_document           = lookup(website.value, "index_document", null)
    		11 |       error_document           = lookup(website.value, "error_document", null)
    		12 |       redirect_all_requests_to = lookup(website.value, "redirect_all_requests_to", null)
    		13 |       routing_rules            = lookup(website.value, "routing_rules", null)
    		14 |     }
    		15 |   }
    		16 | 
    		17 |   dynamic "versioning" {
    		18 |     for_each = length(keys(var.versioning)) == 0 ? [] : [var.versioning]
    		19 |     content {
    		20 |       enabled    = lookup(versioning.value, "enabled", null)
    		21 |       mfa_delete = lookup(versioning.value, "mfa_delete", null)
    		22 |     }
    		23 |   }
    		24 | }
    
    Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
    	FAILED for resource: module.website.aws_s3_bucket.this
    	File: /02-terraform-intermediario/05-modules/s3_module/main.tf:1-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
    
    		1  | resource "aws_s3_bucket" "this" {
    		2  |   bucket = var.name
    		3  |   acl    = var.acl
    		4  |   policy = var.policy
    		5  |   tags   = var.tags
    		6  | 
    		7  |   dynamic "website" {
    		8  |     for_each = length(keys(var.website)) == 0 ? [] : [var.website]
    		9  |     content {
    		10 |       index_document           = lookup(website.value, "index_document", null)
    		11 |       error_document           = lookup(website.value, "error_document", null)
    		12 |       redirect_all_requests_to = lookup(website.value, "redirect_all_requests_to", null)
    		13 |       routing_rules            = lookup(website.value, "routing_rules", null)
    		14 |     }
    		15 |   }
    		16 | 
    		17 |   dynamic "versioning" {
    		18 |     for_each = length(keys(var.versioning)) == 0 ? [] : [var.versioning]
    		19 |     content {
    		20 |       enabled    = lookup(versioning.value, "enabled", null)
    		21 |       mfa_delete = lookup(versioning.value, "mfa_delete", null)
    		22 |     }
    		23 |   }
    		24 | }
    
    Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
    	FAILED for resource: aws_s3_bucket.todo
    	File: /04-serverless-app/terraform/s3.tf:3-6
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
    
    		3 | resource "aws_s3_bucket" "todo" {
    		4 |   bucket = "${var.service_domain}-${random_pet.bucket.id}"
    		5 |   tags   = local.common_tags
    		6 | }
    
    Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
    	FAILED for resource: aws_s3_bucket.my-test-bucket
    	File: /01-terraform-basico/01-primeiro-script/main.tf:19-28
    
    		19 | resource "aws_s3_bucket" "my-test-bucket" {
    		20 |   bucket = "my-tf-test-bucket-123123455745642342342"
    		21 |   acl    = "private"
    		22 | 
    		23 |   tags = {
    		24 |     Name        = "My bucket"
    		25 |     Environment = "Dev"
    		26 |     Managedby   = "Terraform"
    		27 |   }
    		28 | }
    
    Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
    	FAILED for resource: aws_s3_bucket.my-test-bucket
    	File: /01-terraform-basico/02-alterando-destruindo/main.tf:23-34
    
    		23 | resource "aws_s3_bucket" "my-test-bucket" {
    		24 |   bucket = "my-tf-test-bucket-123123455745642342342"
    		25 |   acl    = "private"
    		26 | 
    		27 |   tags = {
    		28 |     Name        = "My first Terraform bucket"
    		29 |     Environment = "Dev"
    		30 |     ManagedBy   = "Terraform"
    		31 |     Owner       = "Cleber Gasparoto"
    		32 |     CreatedAt   = "2021-01-14"
    		33 |   }
    		34 | }
    
    Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
    	FAILED for resource: aws_s3_bucket.this
    	File: /01-terraform-basico/04-interpolacao-locals-outputs/s3.tf:1-4
    
    		1 | resource "aws_s3_bucket" "this" {
    		2 |   bucket = "${random_pet.bucket.id}-${var.environment}"
    		3 |   tags   = local.common_tags
    		4 | }
    
    Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
    	FAILED for resource: aws_s3_bucket.manual
    	File: /01-terraform-basico/04-interpolacao-locals-outputs/s3.tf:6-14
    
    		6  | resource "aws_s3_bucket" "manual" {
    		7  |   bucket = "meubucketcriadonoconsoledaaws123123"
    		8  | 
    		9  |   tags = {
    		10 |     Criado    = "14/01/2021"
    		11 |     Importado = "23/01/2021"
    		12 |     ManagedBy = "Terraform"
    		13 |   }
    		14 | }
    
    Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
    	FAILED for resource: aws_s3_bucket.remote-state
    	File: /02-terraform-intermediario/01-remote-state/00-remote-state-bucket/main.tf:19-32
    
    		19 | resource "aws_s3_bucket" "remote-state" {
    		20 |   bucket = "tfstate-${data.aws_caller_identity.current.account_id}"
    		21 | 
    		22 |   versioning {
    		23 |     enabled = true
    		24 |   }
    		25 | 
    		26 |   tags = {
    		27 |     Description = "Stores terraform remote state files"
    		28 |     ManagedBy   = "Terraform"
    		29 |     Owner       = "Cleber Gasparoto"
    		30 |     CreatedAt   = "2021-01-24"
    		31 |   }
    		32 | }
    
    Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
    	FAILED for resource: aws_s3_bucket.this
    	File: /02-terraform-intermediario/02-builtin-functions/s3.tf:5-8
    
    		5 | resource "aws_s3_bucket" "this" {
    		6 |   bucket = "${random_pet.bucket.id}-${var.env}"
    		7 |   tags   = local.common_tags
    		8 | }
    
    Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
    	FAILED for resource: aws_s3_bucket.this
    	File: /02-terraform-intermediario/03-data-source/s3/s3.tf:5-7
    
    		5 | resource "aws_s3_bucket" "this" {
    		6 |   bucket = "my-bucket-${random_pet.this.id}"
    		7 | }
    
    Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
    	FAILED for resource: module.bucket.aws_s3_bucket.this
    	File: /02-terraform-intermediario/05-modules/s3_module/main.tf:1-24
    
    		1  | resource "aws_s3_bucket" "this" {
    		2  |   bucket = var.name
    		3  |   acl    = var.acl
    		4  |   policy = var.policy
    		5  |   tags   = var.tags
    		6  | 
    		7  |   dynamic "website" {
    		8  |     for_each = length(keys(var.website)) == 0 ? [] : [var.website]
    		9  |     content {
    		10 |       index_document           = lookup(website.value, "index_document", null)
    		11 |       error_document           = lookup(website.value, "error_document", null)
    		12 |       redirect_all_requests_to = lookup(website.value, "redirect_all_requests_to", null)
    		13 |       routing_rules            = lookup(website.value, "routing_rules", null)
    		14 |     }
    		15 |   }
    		16 | 
    		17 |   dynamic "versioning" {
    		18 |     for_each = length(keys(var.versioning)) == 0 ? [] : [var.versioning]
    		19 |     content {
    		20 |       enabled    = lookup(versioning.value, "enabled", null)
    		21 |       mfa_delete = lookup(versioning.value, "mfa_delete", null)
    		22 |     }
    		23 |   }
    		24 | }
    
    Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
    	FAILED for resource: module.website.aws_s3_bucket.this
    	File: /02-terraform-intermediario/05-modules/s3_module/main.tf:1-24
    
    		1  | resource "aws_s3_bucket" "this" {
    		2  |   bucket = var.name
    		3  |   acl    = var.acl
    		4  |   policy = var.policy
    		5  |   tags   = var.tags
    		6  | 
    		7  |   dynamic "website" {
    		8  |     for_each = length(keys(var.website)) == 0 ? [] : [var.website]
    		9  |     content {
    		10 |       index_document           = lookup(website.value, "index_document", null)
    		11 |       error_document           = lookup(website.value, "error_document", null)
    		12 |       redirect_all_requests_to = lookup(website.value, "redirect_all_requests_to", null)
    		13 |       routing_rules            = lookup(website.value, "routing_rules", null)
    		14 |     }
    		15 |   }
    		16 | 
    		17 |   dynamic "versioning" {
    		18 |     for_each = length(keys(var.versioning)) == 0 ? [] : [var.versioning]
    		19 |     content {
    		20 |       enabled    = lookup(versioning.value, "enabled", null)
    		21 |       mfa_delete = lookup(versioning.value, "mfa_delete", null)
    		22 |     }
    		23 |   }
    		24 | }
    
    Check: CKV2_AWS_16: "Ensure that Auto Scaling is enabled on your DynamoDB tables"
    	FAILED for resource: aws_dynamodb_table.lock-table
    	File: /02-terraform-intermediario/01-remote-state/00-remote-state-bucket/main.tf:34-44
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-auto-scaling-is-enabled-on-your-dynamodb-tables.html
    
    		34 | resource "aws_dynamodb_table" "lock-table" {
    		35 |   name           = "tflock-${aws_s3_bucket.remote-state.bucket}"
    		36 |   read_capacity  = 5
    		37 |   write_capacity = 5
    		38 |   hash_key       = "LockID"
    		39 | 
    		40 |   attribute {
    		41 |     name = "LockID"
    		42 |     type = "S"
    		43 |   }
    		44 | }
    
    Check: CKV2_AWS_16: "Ensure that Auto Scaling is enabled on your DynamoDB tables"
    	FAILED for resource: aws_dynamodb_table.this
    	File: /04-serverless-app/terraform/dynamo.tf:1-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-auto-scaling-is-enabled-on-your-dynamodb-tables.html
    
    		1  | resource "aws_dynamodb_table" "this" {
    		2  |   hash_key       = "TodoId"
    		3  |   name           = var.service_name
    		4  |   read_capacity  = 5
    		5  |   write_capacity = 5
    		6  | 
    		7  |   attribute {
    		8  |     name = "TodoId"
    		9  |     type = "S"
    		10 |   }
    		11 | 
    		12 |   tags = local.common_tags
    		13 | }
    
    Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
    	FAILED for resource: aws_db_instance.web
    	File: /05-autoscaling-app/rds.tf:8-23
    
    		8  | resource "aws_db_instance" "web" {
    		9  |   allocated_storage    = 10
    		10 |   storage_type         = "gp2"
    		11 |   engine               = "mysql"
    		12 |   engine_version       = "5.7"
    		13 |   instance_class       = "db.t2.micro"
    		14 |   name                 = "mydb"
    		15 |   username             = "foo"
    		16 |   password             = "foobarbaz"
    		17 |   parameter_group_name = "default.mysql5.7"
    		18 |   availability_zone    = "${var.aws_region}a"
    		19 |   skip_final_snapshot  = true
    		20 | 
    		21 |   db_subnet_group_name   = aws_db_subnet_group.default.id
    		22 |   vpc_security_group_ids = [aws_security_group.db.id]
    		23 | }
    
    Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
    	FAILED for resource: aws_vpc.this
    	File: /05-autoscaling-app/vpc.tf:1-4
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
    
    		1 | resource "aws_vpc" "this" {
    		2 |   cidr_block = "192.168.0.0/16"
    		3 |   tags       = merge(local.common_tags, { Name = "Terraform VPC " })
    		4 | }
    
    Check: CKV2_AWS_47: "Ensure AWS CloudFront attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability"
    	FAILED for resource: aws_cloudfront_distribution.this
    	File: /03-site-estatico/terraform/cloudfront.tf:5-67
    	Guide: https://docs.bridgecrew.io/docs/ensure-aws-cloudfront-attached-wafv2-webacl-is-configured-with-amr-for-log4j-vulnerability
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    
    Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
    	FAILED for resource: aws_lb_listener.this
    	File: /05-autoscaling-app/alb.tf:21-30
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-43.html
    
    		21 | resource "aws_lb_listener" "this" {
    		22 |   load_balancer_arn = aws_lb.this.arn
    		23 |   port              = 80
    		24 |   protocol          = "HTTP"
    		25 | 
    		26 |   default_action {
    		27 |     type             = "forward"
    		28 |     target_group_arn = aws_lb_target_group.this.arn
    		29 |   }
    		30 | }
    
    Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF"
    	FAILED for resource: aws_lb.this
    	File: /05-autoscaling-app/alb.tf:1-7
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf.html
    
    		1 | resource "aws_lb" "this" {
    		2 |   name            = "Terraform-ALB"
    		3 |   security_groups = [aws_security_group.alb.id]
    		4 |   subnets         = [aws_subnet.this["pub_a"].id, aws_subnet.this["pub_b"].id]
    		5 | 
    		6 |   tags = merge(local.common_tags, { Name = "Terraform ALB" })
    		7 | }
    
    Check: CKV2_AWS_20: "Ensure that ALB redirects HTTP requests into HTTPS ones"
    	FAILED for resource: aws_lb.this
    	File: /05-autoscaling-app/alb.tf:1-7
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-redirects-http-requests-into-https-ones.html
    
    		1 | resource "aws_lb" "this" {
    		2 |   name            = "Terraform-ALB"
    		3 |   security_groups = [aws_security_group.alb.id]
    		4 |   subnets         = [aws_subnet.this["pub_a"].id, aws_subnet.this["pub_b"].id]
    		5 | 
    		6 |   tags = merge(local.common_tags, { Name = "Terraform ALB" })
    		7 | }
    
    Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
    	FAILED for resource: aws_s3_bucket.my-test-bucket
    	File: /01-terraform-basico/01-primeiro-script/main.tf:19-28
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
    
    		19 | resource "aws_s3_bucket" "my-test-bucket" {
    		20 |   bucket = "my-tf-test-bucket-123123455745642342342"
    		21 |   acl    = "private"
    		22 | 
    		23 |   tags = {
    		24 |     Name        = "My bucket"
    		25 |     Environment = "Dev"
    		26 |     Managedby   = "Terraform"
    		27 |   }
    		28 | }
    
    Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
    	FAILED for resource: aws_s3_bucket.my-test-bucket
    	File: /01-terraform-basico/02-alterando-destruindo/main.tf:23-34
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
    
    		23 | resource "aws_s3_bucket" "my-test-bucket" {
    		24 |   bucket = "my-tf-test-bucket-123123455745642342342"
    		25 |   acl    = "private"
    		26 | 
    		27 |   tags = {
    		28 |     Name        = "My first Terraform bucket"
    		29 |     Environment = "Dev"
    		30 |     ManagedBy   = "Terraform"
    		31 |     Owner       = "Cleber Gasparoto"
    		32 |     CreatedAt   = "2021-01-14"
    		33 |   }
    		34 | }
    
    Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
    	FAILED for resource: aws_s3_bucket.this
    	File: /01-terraform-basico/04-interpolacao-locals-outputs/s3.tf:1-4
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
    
    		1 | resource "aws_s3_bucket" "this" {
    		2 |   bucket = "${random_pet.bucket.id}-${var.environment}"
    		3 |   tags   = local.common_tags
    		4 | }
    
    Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
    	FAILED for resource: aws_s3_bucket.manual
    	File: /01-terraform-basico/04-interpolacao-locals-outputs/s3.tf:6-14
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
    
    		6  | resource "aws_s3_bucket" "manual" {
    		7  |   bucket = "meubucketcriadonoconsoledaaws123123"
    		8  | 
    		9  |   tags = {
    		10 |     Criado    = "14/01/2021"
    		11 |     Importado = "23/01/2021"
    		12 |     ManagedBy = "Terraform"
    		13 |   }
    		14 | }
    
    Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
    	FAILED for resource: aws_s3_bucket.this
    	File: /02-terraform-intermediario/02-builtin-functions/s3.tf:5-8
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
    
    		5 | resource "aws_s3_bucket" "this" {
    		6 |   bucket = "${random_pet.bucket.id}-${var.env}"
    		7 |   tags   = local.common_tags
    		8 | }
    
    Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
    	FAILED for resource: aws_s3_bucket.this
    	File: /02-terraform-intermediario/03-data-source/s3/s3.tf:5-7
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
    
    		5 | resource "aws_s3_bucket" "this" {
    		6 |   bucket = "my-bucket-${random_pet.this.id}"
    		7 | }
    
    Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
    	FAILED for resource: aws_s3_bucket.todo
    	File: /04-serverless-app/terraform/s3.tf:3-6
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
    
    		3 | resource "aws_s3_bucket" "todo" {
    		4 |   bucket = "${var.service_domain}-${random_pet.bucket.id}"
    		5 |   tags   = local.common_tags
    		6 | }
    
    Check: CKV_AWS_20: "S3 Bucket has an ACL defined which allows public READ access."
    	FAILED for resource: module.website.aws_s3_bucket.this
    	File: /02-terraform-intermediario/05-modules/s3_module/main.tf:1-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-1-acl-read-permissions-everyone.html
    
    		1  | resource "aws_s3_bucket" "this" {
    		2  |   bucket = var.name
    		3  |   acl    = var.acl
    		4  |   policy = var.policy
    		5  |   tags   = var.tags
    		6  | 
    		7  |   dynamic "website" {
    		8  |     for_each = length(keys(var.website)) == 0 ? [] : [var.website]
    		9  |     content {
    		10 |       index_document           = lookup(website.value, "index_document", null)
    		11 |       error_document           = lookup(website.value, "error_document", null)
    		12 |       redirect_all_requests_to = lookup(website.value, "redirect_all_requests_to", null)
    		13 |       routing_rules            = lookup(website.value, "routing_rules", null)
    		14 |     }
    		15 |   }
    		16 | 
    		17 |   dynamic "versioning" {
    		18 |     for_each = length(keys(var.versioning)) == 0 ? [] : [var.versioning]
    		19 |     content {
    		20 |       enabled    = lookup(versioning.value, "enabled", null)
    		21 |       mfa_delete = lookup(versioning.value, "mfa_delete", null)
    		22 |     }
    		23 |   }
    		24 | }
    
    Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
    	FAILED for resource: aws_s3_bucket.my-test-bucket
    	File: /01-terraform-basico/01-primeiro-script/main.tf:19-28
    
    		19 | resource "aws_s3_bucket" "my-test-bucket" {
    		20 |   bucket = "my-tf-test-bucket-123123455745642342342"
    		21 |   acl    = "private"
    		22 | 
    		23 |   tags = {
    		24 |     Name        = "My bucket"
    		25 |     Environment = "Dev"
    		26 |     Managedby   = "Terraform"
    		27 |   }
    		28 | }
    
    Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
    	FAILED for resource: aws_s3_bucket.my-test-bucket
    	File: /01-terraform-basico/02-alterando-destruindo/main.tf:23-34
    
    		23 | resource "aws_s3_bucket" "my-test-bucket" {
    		24 |   bucket = "my-tf-test-bucket-123123455745642342342"
    		25 |   acl    = "private"
    		26 | 
    		27 |   tags = {
    		28 |     Name        = "My first Terraform bucket"
    		29 |     Environment = "Dev"
    		30 |     ManagedBy   = "Terraform"
    		31 |     Owner       = "Cleber Gasparoto"
    		32 |     CreatedAt   = "2021-01-14"
    		33 |   }
    		34 | }
    
    Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
    	FAILED for resource: aws_s3_bucket.this
    	File: /01-terraform-basico/04-interpolacao-locals-outputs/s3.tf:1-4
    
    		1 | resource "aws_s3_bucket" "this" {
    		2 |   bucket = "${random_pet.bucket.id}-${var.environment}"
    		3 |   tags   = local.common_tags
    		4 | }
    
    Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
    	FAILED for resource: aws_s3_bucket.manual
    	File: /01-terraform-basico/04-interpolacao-locals-outputs/s3.tf:6-14
    
    		6  | resource "aws_s3_bucket" "manual" {
    		7  |   bucket = "meubucketcriadonoconsoledaaws123123"
    		8  | 
    		9  |   tags = {
    		10 |     Criado    = "14/01/2021"
    		11 |     Importado = "23/01/2021"
    		12 |     ManagedBy = "Terraform"
    		13 |   }
    		14 | }
    
    Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
    	FAILED for resource: aws_s3_bucket.remote-state
    	File: /02-terraform-intermediario/01-remote-state/00-remote-state-bucket/main.tf:19-32
    
    		19 | resource "aws_s3_bucket" "remote-state" {
    		20 |   bucket = "tfstate-${data.aws_caller_identity.current.account_id}"
    		21 | 
    		22 |   versioning {
    		23 |     enabled = true
    		24 |   }
    		25 | 
    		26 |   tags = {
    		27 |     Description = "Stores terraform remote state files"
    		28 |     ManagedBy   = "Terraform"
    		29 |     Owner       = "Cleber Gasparoto"
    		30 |     CreatedAt   = "2021-01-24"
    		31 |   }
    		32 | }
    
    Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
    	FAILED for resource: aws_s3_bucket.this
    	File: /02-terraform-intermediario/02-builtin-functions/s3.tf:5-8
    
    		5 | resource "aws_s3_bucket" "this" {
    		6 |   bucket = "${random_pet.bucket.id}-${var.env}"
    		7 |   tags   = local.common_tags
    		8 | }
    
    Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
    	FAILED for resource: aws_s3_bucket.this
    	File: /02-terraform-intermediario/03-data-source/s3/s3.tf:5-7
    
    		5 | resource "aws_s3_bucket" "this" {
    		6 |   bucket = "my-bucket-${random_pet.this.id}"
    		7 | }
    
    Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
    	FAILED for resource: module.bucket.aws_s3_bucket.this
    	File: /02-terraform-intermediario/05-modules/s3_module/main.tf:1-24
    
    		1  | resource "aws_s3_bucket" "this" {
    		2  |   bucket = var.name
    		3  |   acl    = var.acl
    		4  |   policy = var.policy
    		5  |   tags   = var.tags
    		6  | 
    		7  |   dynamic "website" {
    		8  |     for_each = length(keys(var.website)) == 0 ? [] : [var.website]
    		9  |     content {
    		10 |       index_document           = lookup(website.value, "index_document", null)
    		11 |       error_document           = lookup(website.value, "error_document", null)
    		12 |       redirect_all_requests_to = lookup(website.value, "redirect_all_requests_to", null)
    		13 |       routing_rules            = lookup(website.value, "routing_rules", null)
    		14 |     }
    		15 |   }
    		16 | 
    		17 |   dynamic "versioning" {
    		18 |     for_each = length(keys(var.versioning)) == 0 ? [] : [var.versioning]
    		19 |     content {
    		20 |       enabled    = lookup(versioning.value, "enabled", null)
    		21 |       mfa_delete = lookup(versioning.value, "mfa_delete", null)
    		22 |     }
    		23 |   }
    		24 | }
    
    Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
    	FAILED for resource: module.website.aws_s3_bucket.this
    	File: /02-terraform-intermediario/05-modules/s3_module/main.tf:1-24
    
    		1  | resource "aws_s3_bucket" "this" {
    		2  |   bucket = var.name
    		3  |   acl    = var.acl
    		4  |   policy = var.policy
    		5  |   tags   = var.tags
    		6  | 
    		7  |   dynamic "website" {
    		8  |     for_each = length(keys(var.website)) == 0 ? [] : [var.website]
    		9  |     content {
    		10 |       index_document           = lookup(website.value, "index_document", null)
    		11 |       error_document           = lookup(website.value, "error_document", null)
    		12 |       redirect_all_requests_to = lookup(website.value, "redirect_all_requests_to", null)
    		13 |       routing_rules            = lookup(website.value, "routing_rules", null)
    		14 |     }
    		15 |   }
    		16 | 
    		17 |   dynamic "versioning" {
    		18 |     for_each = length(keys(var.versioning)) == 0 ? [] : [var.versioning]
    		19 |     content {
    		20 |       enabled    = lookup(versioning.value, "enabled", null)
    		21 |       mfa_delete = lookup(versioning.value, "mfa_delete", null)
    		22 |     }
    		23 |   }
    		24 | }
    
    Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
    	FAILED for resource: aws_s3_bucket.todo
    	File: /04-serverless-app/terraform/s3.tf:3-6
    
    		3 | resource "aws_s3_bucket" "todo" {
    		4 |   bucket = "${var.service_domain}-${random_pet.bucket.id}"
    		5 |   tags   = local.common_tags
    		6 | }
    
    Check: CKV2_AWS_53: "Ensure AWS API gateway request is validated"
    	FAILED for resource: aws_api_gateway_method.any
    	File: /04-serverless-app/terraform/api.tf:24-30
    
    		24 | resource "aws_api_gateway_method" "any" {
    		25 |   rest_api_id   = aws_api_gateway_rest_api.this.id
    		26 |   resource_id   = aws_api_gateway_resource.todos.id
    		27 |   authorization = "COGNITO_USER_POOLS"
    		28 |   http_method   = "ANY"
    		29 |   authorizer_id = aws_api_gateway_authorizer.this.id
    		30 | }
    
    Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
    	FAILED for resource: aws_vpc.this
    	File: /05-autoscaling-app/vpc.tf:1-4
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
    
    		1 | resource "aws_vpc" "this" {
    		2 |   cidr_block = "192.168.0.0/16"
    		3 |   tags       = merge(local.common_tags, { Name = "Terraform VPC " })
    		4 | }
    
    Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
    	FAILED for resource: aws_s3_bucket.my-test-bucket
    	File: /01-terraform-basico/01-primeiro-script/main.tf:19-28
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
    
    		19 | resource "aws_s3_bucket" "my-test-bucket" {
    		20 |   bucket = "my-tf-test-bucket-123123455745642342342"
    		21 |   acl    = "private"
    		22 | 
    		23 |   tags = {
    		24 |     Name        = "My bucket"
    		25 |     Environment = "Dev"
    		26 |     Managedby   = "Terraform"
    		27 |   }
    		28 | }
    
    Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
    	FAILED for resource: aws_s3_bucket.my-test-bucket
    	File: /01-terraform-basico/02-alterando-destruindo/main.tf:23-34
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
    
    		23 | resource "aws_s3_bucket" "my-test-bucket" {
    		24 |   bucket = "my-tf-test-bucket-123123455745642342342"
    		25 |   acl    = "private"
    		26 | 
    		27 |   tags = {
    		28 |     Name        = "My first Terraform bucket"
    		29 |     Environment = "Dev"
    		30 |     ManagedBy   = "Terraform"
    		31 |     Owner       = "Cleber Gasparoto"
    		32 |     CreatedAt   = "2021-01-14"
    		33 |   }
    		34 | }
    
    Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
    	FAILED for resource: aws_s3_bucket.this
    	File: /01-terraform-basico/04-interpolacao-locals-outputs/s3.tf:1-4
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
    
    		1 | resource "aws_s3_bucket" "this" {
    		2 |   bucket = "${random_pet.bucket.id}-${var.environment}"
    		3 |   tags   = local.common_tags
    		4 | }
    
    Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
    	FAILED for resource: aws_s3_bucket.manual
    	File: /01-terraform-basico/04-interpolacao-locals-outputs/s3.tf:6-14
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
    
    		6  | resource "aws_s3_bucket" "manual" {
    		7  |   bucket = "meubucketcriadonoconsoledaaws123123"
    		8  | 
    		9  |   tags = {
    		10 |     Criado    = "14/01/2021"
    		11 |     Importado = "23/01/2021"
    		12 |     ManagedBy = "Terraform"
    		13 |   }
    		14 | }
    
    Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
    	FAILED for resource: aws_s3_bucket.remote-state
    	File: /02-terraform-intermediario/01-remote-state/00-remote-state-bucket/main.tf:19-32
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
    
    		19 | resource "aws_s3_bucket" "remote-state" {
    		20 |   bucket = "tfstate-${data.aws_caller_identity.current.account_id}"
    		21 | 
    		22 |   versioning {
    		23 |     enabled = true
    		24 |   }
    		25 | 
    		26 |   tags = {
    		27 |     Description = "Stores terraform remote state files"
    		28 |     ManagedBy   = "Terraform"
    		29 |     Owner       = "Cleber Gasparoto"
    		30 |     CreatedAt   = "2021-01-24"
    		31 |   }
    		32 | }
    
    Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
    	FAILED for resource: aws_s3_bucket.this
    	File: /02-terraform-intermediario/02-builtin-functions/s3.tf:5-8
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
    
    		5 | resource "aws_s3_bucket" "this" {
    		6 |   bucket = "${random_pet.bucket.id}-${var.env}"
    		7 |   tags   = local.common_tags
    		8 | }
    
    Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
    	FAILED for resource: aws_s3_bucket.this
    	File: /02-terraform-intermediario/03-data-source/s3/s3.tf:5-7
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
    
    		5 | resource "aws_s3_bucket" "this" {
    		6 |   bucket = "my-bucket-${random_pet.this.id}"
    		7 | }
    
    Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
    	FAILED for resource: module.bucket.aws_s3_bucket.this
    	File: /02-terraform-intermediario/05-modules/s3_module/main.tf:1-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
    
    		1  | resource "aws_s3_bucket" "this" {
    		2  |   bucket = var.name
    		3  |   acl    = var.acl
    		4  |   policy = var.policy
    		5  |   tags   = var.tags
    		6  | 
    		7  |   dynamic "website" {
    		8  |     for_each = length(keys(var.website)) == 0 ? [] : [var.website]
    		9  |     content {
    		10 |       index_document           = lookup(website.value, "index_document", null)
    		11 |       error_document           = lookup(website.value, "error_document", null)
    		12 |       redirect_all_requests_to = lookup(website.value, "redirect_all_requests_to", null)
    		13 |       routing_rules            = lookup(website.value, "routing_rules", null)
    		14 |     }
    		15 |   }
    		16 | 
    		17 |   dynamic "versioning" {
    		18 |     for_each = length(keys(var.versioning)) == 0 ? [] : [var.versioning]
    		19 |     content {
    		20 |       enabled    = lookup(versioning.value, "enabled", null)
    		21 |       mfa_delete = lookup(versioning.value, "mfa_delete", null)
    		22 |     }
    		23 |   }
    		24 | }
    
    Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
    	FAILED for resource: module.website.aws_s3_bucket.this
    	File: /02-terraform-intermediario/05-modules/s3_module/main.tf:1-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
    
    		1  | resource "aws_s3_bucket" "this" {
    		2  |   bucket = var.name
    		3  |   acl    = var.acl
    		4  |   policy = var.policy
    		5  |   tags   = var.tags
    		6  | 
    		7  |   dynamic "website" {
    		8  |     for_each = length(keys(var.website)) == 0 ? [] : [var.website]
    		9  |     content {
    		10 |       index_document           = lookup(website.value, "index_document", null)
    		11 |       error_document           = lookup(website.value, "error_document", null)
    		12 |       redirect_all_requests_to = lookup(website.value, "redirect_all_requests_to", null)
    		13 |       routing_rules            = lookup(website.value, "routing_rules", null)
    		14 |     }
    		15 |   }
    		16 | 
    		17 |   dynamic "versioning" {
    		18 |     for_each = length(keys(var.versioning)) == 0 ? [] : [var.versioning]
    		19 |     content {
    		20 |       enabled    = lookup(versioning.value, "enabled", null)
    		21 |       mfa_delete = lookup(versioning.value, "mfa_delete", null)
    		22 |     }
    		23 |   }
    		24 | }
    
    Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
    	FAILED for resource: aws_s3_bucket.todo
    	File: /04-serverless-app/terraform/s3.tf:3-6
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
    
    		3 | resource "aws_s3_bucket" "todo" {
    		4 |   bucket = "${var.service_domain}-${random_pet.bucket.id}"
    		5 |   tags   = local.common_tags
    		6 | }
    
    Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
    	FAILED for resource: aws_s3_bucket.my-test-bucket
    	File: /01-terraform-basico/01-primeiro-script/main.tf:19-28
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached.html
    
    		19 | resource "aws_s3_bucket" "my-test-bucket" {
    		20 |   bucket = "my-tf-test-bucket-123123455745642342342"
    		21 |   acl    = "private"
    		22 | 
    		23 |   tags = {
    		24 |     Name        = "My bucket"
    		25 |     Environment = "Dev"
    		26 |     Managedby   = "Terraform"
    		27 |   }
    		28 | }
    
    Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
    	FAILED for resource: aws_s3_bucket.my-test-bucket
    	File: /01-terraform-basico/02-alterando-destruindo/main.tf:23-34
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached.html
    
    		23 | resource "aws_s3_bucket" "my-test-bucket" {
    		24 |   bucket = "my-tf-test-bucket-123123455745642342342"
    		25 |   acl    = "private"
    		26 | 
    		27 |   tags = {
    		28 |     Name        = "My first Terraform bucket"
    		29 |     Environment = "Dev"
    		30 |     ManagedBy   = "Terraform"
    		31 |     Owner       = "Cleber Gasparoto"
    		32 |     CreatedAt   = "2021-01-14"
    		33 |   }
    		34 | }
    
    Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
    	FAILED for resource: aws_s3_bucket.this
    	File: /01-terraform-basico/04-interpolacao-locals-outputs/s3.tf:1-4
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached.html
    
    		1 | resource "aws_s3_bucket" "this" {
    		2 |   bucket = "${random_pet.bucket.id}-${var.environment}"
    		3 |   tags   = local.common_tags
    		4 | }
    
    Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
    	FAILED for resource: aws_s3_bucket.manual
    	File: /01-terraform-basico/04-interpolacao-locals-outputs/s3.tf:6-14
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached.html
    
    		6  | resource "aws_s3_bucket" "manual" {
    		7  |   bucket = "meubucketcriadonoconsoledaaws123123"
    		8  | 
    		9  |   tags = {
    		10 |     Criado    = "14/01/2021"
    		11 |     Importado = "23/01/2021"
    		12 |     ManagedBy = "Terraform"
    		13 |   }
    		14 | }
    
    Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
    	FAILED for resource: aws_s3_bucket.remote-state
    	File: /02-terraform-intermediario/01-remote-state/00-remote-state-bucket/main.tf:19-32
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached.html
    
    		19 | resource "aws_s3_bucket" "remote-state" {
    		20 |   bucket = "tfstate-${data.aws_caller_identity.current.account_id}"
    		21 | 
    		22 |   versioning {
    		23 |     enabled = true
    		24 |   }
    		25 | 
    		26 |   tags = {
    		27 |     Description = "Stores terraform remote state files"
    		28 |     ManagedBy   = "Terraform"
    		29 |     Owner       = "Cleber Gasparoto"
    		30 |     CreatedAt   = "2021-01-24"
    		31 |   }
    		32 | }
    
    Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
    	FAILED for resource: aws_s3_bucket.this
    	File: /02-terraform-intermediario/02-builtin-functions/s3.tf:5-8
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached.html
    
    		5 | resource "aws_s3_bucket" "this" {
    		6 |   bucket = "${random_pet.bucket.id}-${var.env}"
    		7 |   tags   = local.common_tags
    		8 | }
    
    Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
    	FAILED for resource: aws_s3_bucket.this
    	File: /02-terraform-intermediario/03-data-source/s3/s3.tf:5-7
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached.html
    
    		5 | resource "aws_s3_bucket" "this" {
    		6 |   bucket = "my-bucket-${random_pet.this.id}"
    		7 | }
    
    Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
    	FAILED for resource: module.bucket.aws_s3_bucket.this
    	File: /02-terraform-intermediario/05-modules/s3_module/main.tf:1-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached.html
    
    		1  | resource "aws_s3_bucket" "this" {
    		2  |   bucket = var.name
    		3  |   acl    = var.acl
    		4  |   policy = var.policy
    		5  |   tags   = var.tags
    		6  | 
    		7  |   dynamic "website" {
    		8  |     for_each = length(keys(var.website)) == 0 ? [] : [var.website]
    		9  |     content {
    		10 |       index_document           = lookup(website.value, "index_document", null)
    		11 |       error_document           = lookup(website.value, "error_document", null)
    		12 |       redirect_all_requests_to = lookup(website.value, "redirect_all_requests_to", null)
    		13 |       routing_rules            = lookup(website.value, "routing_rules", null)
    		14 |     }
    		15 |   }
    		16 | 
    		17 |   dynamic "versioning" {
    		18 |     for_each = length(keys(var.versioning)) == 0 ? [] : [var.versioning]
    		19 |     content {
    		20 |       enabled    = lookup(versioning.value, "enabled", null)
    		21 |       mfa_delete = lookup(versioning.value, "mfa_delete", null)
    		22 |     }
    		23 |   }
    		24 | }
    
    Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
    	FAILED for resource: module.website.aws_s3_bucket.this
    	File: /02-terraform-intermediario/05-modules/s3_module/main.tf:1-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached.html
    
    		1  | resource "aws_s3_bucket" "this" {
    		2  |   bucket = var.name
    		3  |   acl    = var.acl
    		4  |   policy = var.policy
    		5  |   tags   = var.tags
    		6  | 
    		7  |   dynamic "website" {
    		8  |     for_each = length(keys(var.website)) == 0 ? [] : [var.website]
    		9  |     content {
    		10 |       index_document           = lookup(website.value, "index_document", null)
    		11 |       error_document           = lookup(website.value, "error_document", null)
    		12 |       redirect_all_requests_to = lookup(website.value, "redirect_all_requests_to", null)
    		13 |       routing_rules            = lookup(website.value, "routing_rules", null)
    		14 |     }
    		15 |   }
    		16 | 
    		17 |   dynamic "versioning" {
    		18 |     for_each = length(keys(var.versioning)) == 0 ? [] : [var.versioning]
    		19 |     content {
    		20 |       enabled    = lookup(versioning.value, "enabled", null)
    		21 |       mfa_delete = lookup(versioning.value, "mfa_delete", null)
    		22 |     }
    		23 |   }
    		24 | }
    
    Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
    	FAILED for resource: aws_s3_bucket.todo
    	File: /04-serverless-app/terraform/s3.tf:3-6
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached.html
    
    		3 | resource "aws_s3_bucket" "todo" {
    		4 |   bucket = "${var.service_domain}-${random_pet.bucket.id}"
    		5 |   tags   = local.common_tags
    		6 | }
    
    Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
    	FAILED for resource: aws_s3_bucket.my-test-bucket
    	File: /01-terraform-basico/01-primeiro-script/main.tf:19-28
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
    
    		19 | resource "aws_s3_bucket" "my-test-bucket" {
    		20 |   bucket = "my-tf-test-bucket-123123455745642342342"
    		21 |   acl    = "private"
    		22 | 
    		23 |   tags = {
    		24 |     Name        = "My bucket"
    		25 |     Environment = "Dev"
    		26 |     Managedby   = "Terraform"
    		27 |   }
    		28 | }
    
    Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
    	FAILED for resource: aws_s3_bucket.my-test-bucket
    	File: /01-terraform-basico/02-alterando-destruindo/main.tf:23-34
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
    
    		23 | resource "aws_s3_bucket" "my-test-bucket" {
    		24 |   bucket = "my-tf-test-bucket-123123455745642342342"
    		25 |   acl    = "private"
    		26 | 
    		27 |   tags = {
    		28 |     Name        = "My first Terraform bucket"
    		29 |     Environment = "Dev"
    		30 |     ManagedBy   = "Terraform"
    		31 |     Owner       = "Cleber Gasparoto"
    		32 |     CreatedAt   = "2021-01-14"
    		33 |   }
    		34 | }
    
    Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
    	FAILED for resource: aws_s3_bucket.this
    	File: /01-terraform-basico/04-interpolacao-locals-outputs/s3.tf:1-4
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
    
    		1 | resource "aws_s3_bucket" "this" {
    		2 |   bucket = "${random_pet.bucket.id}-${var.environment}"
    		3 |   tags   = local.common_tags
    		4 | }
    
    Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
    	FAILED for resource: aws_s3_bucket.manual
    	File: /01-terraform-basico/04-interpolacao-locals-outputs/s3.tf:6-14
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
    
    		6  | resource "aws_s3_bucket" "manual" {
    		7  |   bucket = "meubucketcriadonoconsoledaaws123123"
    		8  | 
    		9  |   tags = {
    		10 |     Criado    = "14/01/2021"
    		11 |     Importado = "23/01/2021"
    		12 |     ManagedBy = "Terraform"
    		13 |   }
    		14 | }
    
    Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
    	FAILED for resource: aws_s3_bucket.remote-state
    	File: /02-terraform-intermediario/01-remote-state/00-remote-state-bucket/main.tf:19-32
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
    
    		19 | resource "aws_s3_bucket" "remote-state" {
    		20 |   bucket = "tfstate-${data.aws_caller_identity.current.account_id}"
    		21 | 
    		22 |   versioning {
    		23 |     enabled = true
    		24 |   }
    		25 | 
    		26 |   tags = {
    		27 |     Description = "Stores terraform remote state files"
    		28 |     ManagedBy   = "Terraform"
    		29 |     Owner       = "Cleber Gasparoto"
    		30 |     CreatedAt   = "2021-01-24"
    		31 |   }
    		32 | }
    
    Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
    	FAILED for resource: aws_s3_bucket.this
    	File: /02-terraform-intermediario/02-builtin-functions/s3.tf:5-8
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
    
    		5 | resource "aws_s3_bucket" "this" {
    		6 |   bucket = "${random_pet.bucket.id}-${var.env}"
    		7 |   tags   = local.common_tags
    		8 | }
    
    Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
    	FAILED for resource: aws_s3_bucket.this
    	File: /02-terraform-intermediario/03-data-source/s3/s3.tf:5-7
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
    
    		5 | resource "aws_s3_bucket" "this" {
    		6 |   bucket = "my-bucket-${random_pet.this.id}"
    		7 | }
    
    Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
    	FAILED for resource: module.bucket.aws_s3_bucket.this
    	File: /02-terraform-intermediario/05-modules/s3_module/main.tf:1-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
    
    		1  | resource "aws_s3_bucket" "this" {
    		2  |   bucket = var.name
    		3  |   acl    = var.acl
    		4  |   policy = var.policy
    		5  |   tags   = var.tags
    		6  | 
    		7  |   dynamic "website" {
    		8  |     for_each = length(keys(var.website)) == 0 ? [] : [var.website]
    		9  |     content {
    		10 |       index_document           = lookup(website.value, "index_document", null)
    		11 |       error_document           = lookup(website.value, "error_document", null)
    		12 |       redirect_all_requests_to = lookup(website.value, "redirect_all_requests_to", null)
    		13 |       routing_rules            = lookup(website.value, "routing_rules", null)
    		14 |     }
    		15 |   }
    		16 | 
    		17 |   dynamic "versioning" {
    		18 |     for_each = length(keys(var.versioning)) == 0 ? [] : [var.versioning]
    		19 |     content {
    		20 |       enabled    = lookup(versioning.value, "enabled", null)
    		21 |       mfa_delete = lookup(versioning.value, "mfa_delete", null)
    		22 |     }
    		23 |   }
    		24 | }
    
    Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
    	FAILED for resource: module.website.aws_s3_bucket.this
    	File: /02-terraform-intermediario/05-modules/s3_module/main.tf:1-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
    
    		1  | resource "aws_s3_bucket" "this" {
    		2  |   bucket = var.name
    		3  |   acl    = var.acl
    		4  |   policy = var.policy
    		5  |   tags   = var.tags
    		6  | 
    		7  |   dynamic "website" {
    		8  |     for_each = length(keys(var.website)) == 0 ? [] : [var.website]
    		9  |     content {
    		10 |       index_document           = lookup(website.value, "index_document", null)
    		11 |       error_document           = lookup(website.value, "error_document", null)
    		12 |       redirect_all_requests_to = lookup(website.value, "redirect_all_requests_to", null)
    		13 |       routing_rules            = lookup(website.value, "routing_rules", null)
    		14 |     }
    		15 |   }
    		16 | 
    		17 |   dynamic "versioning" {
    		18 |     for_each = length(keys(var.versioning)) == 0 ? [] : [var.versioning]
    		19 |     content {
    		20 |       enabled    = lookup(versioning.value, "enabled", null)
    		21 |       mfa_delete = lookup(versioning.value, "mfa_delete", null)
    		22 |     }
    		23 |   }
    		24 | }
    
    Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
    	FAILED for resource: aws_s3_bucket.todo
    	File: /04-serverless-app/terraform/s3.tf:3-6
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
    
    		3 | resource "aws_s3_bucket" "todo" {
    		4 |   bucket = "${var.service_domain}-${random_pet.bucket.id}"
    		5 |   tags   = local.common_tags
    		6 | }
    
    Check: CKV2_AWS_32: "Ensure CloudFront distribution has a response headers policy attached"
    	FAILED for resource: aws_cloudfront_distribution.this
    	File: /03-site-estatico/terraform/cloudfront.tf:5-67
    	Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_65
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
    	FAILED for resource: aws_instance.web
    	File: /01-terraform-basico/03-variaveis/main.tf:17-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
    
    		17 | resource "aws_instance" "web" {
    		18 |   ami           = var.instance_ami
    		19 |   instance_type = var.instance_type
    		20 | 
    		21 |   tags = var.instance_tags
    		22 | }
    
    Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
    	FAILED for resource: aws_instance.web
    	File: /02-terraform-intermediario/01-remote-state/01-usando-remote-state/ec2.tf:1-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
    
    		1 | resource "aws_instance" "web" {
    		2 |   ami           = var.ami
    		3 |   instance_type = var.instance_type
    		4 | 
    		5 |   tags = {
    		6 |     Name = "Remote State"
    		7 |     Env  = "dev"
    		8 |   }
    		9 | }
    
    Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
    	FAILED for resource: aws_instance.server
    	File: /02-terraform-intermediario/02-builtin-functions/ec2.tf:1-15
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
    
    		1  | resource "aws_instance" "server" {
    		2  |   count = local.instance_number <= 0 ? 0 : local.instance_number
    		3  | 
    		4  |   ami           = var.instance_ami
    		5  |   instance_type = lookup(var.instance_type, var.env)
    		6  | 
    		7  |   tags = merge(
    		8  |     local.common_tags,
    		9  |     {
    		10 |       Project = "Curso AWS com Terraform"
    		11 |       Env     = format("%s", var.env)
    		12 |       Name    = format("Instance %d", count.index + 1)
    		13 |     }
    		14 |   )
    		15 | }
    
    Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
    	FAILED for resource: aws_instance.web
    	File: /02-terraform-intermediario/03-data-source/ec2/ec2.tf:1-4
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
    
    		1 | resource "aws_instance" "web" {
    		2 |   ami           = data.aws_ami.ubuntu.id
    		3 |   instance_type = var.instance_type
    		4 | }
    
    Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
    	FAILED for resource: aws_instance.this["ci_cd"]
    	File: /02-terraform-intermediario/04-foreach-for-splat/ec2.tf:12-32
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
    
    		12 | resource "aws_instance" "this" {
    		13 |   for_each = {
    		14 |     web = {
    		15 |       name = "Web server"
    		16 |       type = "t3.medium"
    		17 |     }
    		18 |     ci_cd = {
    		19 |       name = "CI/CD server"
    		20 |       type = "t3.micro"
    		21 |     }
    		22 |   }
    		23 | 
    		24 |   ami           = data.aws_ami.ubuntu.id
    		25 |   instance_type = lookup(each.value, "type", null)
    		26 | 
    		27 |   tags = {
    		28 |     Project = "Curso AWS com Terraform"
    		29 |     Name    = "${each.key}: ${lookup(each.value, "name", null)}"
    		30 |     Lesson  = "Foreach, For, Splat"
    		31 |   }
    		32 | }
    
    Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
    	FAILED for resource: aws_instance.web
    	File: /02-terraform-intermediario/06-workspaces/main.tf:29-39
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
    
    		29 | resource "aws_instance" "web" {
    		30 |   count = lookup(var.instance, local.env)["number"]
    		31 | 
    		32 |   ami           = lookup(var.instance, local.env)["ami"]
    		33 |   instance_type = lookup(var.instance, local.env)["type"]
    		34 | 
    		35 |   tags = {
    		36 |     Name = "Minha máquina web ${local.env}"
    		37 |     Env  = local.env
    		38 |   }
    		39 | }
    
    Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
    	FAILED for resource: aws_instance.jenkins
    	File: /05-autoscaling-app/ec2.tf:64-73
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
    
    		64 | resource "aws_instance" "jenkins" {
    		65 |   ami           = data.aws_ami.ubuntu.id
    		66 |   instance_type = var.instance_type
    		67 | 
    		68 |   vpc_security_group_ids = [aws_security_group.jenkins.id]
    		69 |   subnet_id              = aws_subnet.this["pvt_b"].id
    		70 |   availability_zone      = "${var.aws_region}b"
    		71 | 
    		72 |   tags = merge(local.common_tags, { Name = "Jenkins Machine" })
    		73 | }
    
    Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
    	FAILED for resource: aws_instance.this["web"]
    	File: /02-terraform-intermediario/04-foreach-for-splat/ec2.tf:12-32
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
    
    		12 | resource "aws_instance" "this" {
    		13 |   for_each = {
    		14 |     web = {
    		15 |       name = "Web server"
    		16 |       type = "t3.medium"
    		17 |     }
    		18 |     ci_cd = {
    		19 |       name = "CI/CD server"
    		20 |       type = "t3.micro"
    		21 |     }
    		22 |   }
    		23 | 
    		24 |   ami           = data.aws_ami.ubuntu.id
    		25 |   instance_type = lookup(each.value, "type", null)
    		26 | 
    		27 |   tags = {
    		28 |     Project = "Curso AWS com Terraform"
    		29 |     Name    = "${each.key}: ${lookup(each.value, "name", null)}"
    		30 |     Lesson  = "Foreach, For, Splat"
    		31 |   }
    		32 | }
    
    
    
                    
                  

    Linting

    This repository failed the Experience Builder Terraform Module's Linting validation. This means that no linting tool was found in any of the repository's CI/CD tool configuration files.

    There is an opportunity to: