| Repository | cloudposse / terraform-aws-cloudtrail-cloudwatch-alarms |
|---|---|
| Description | Terraform module for creating alarms for tracking important changes and occurrences from cloudtrail. |
| Stars | 194 |
| Failed Checks | Security Scanning |
| Scan Date | 2023-10-30 17:57:40 |
Security Scanning
This repository failed the Experience Builder Terraform Module's Security Scanning validation. This means that a security scanning tool was not found to be implemented in any of the CICD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform security scanning tools (example checkov output found below)
- Implement one of the security scanning tools within the CICD framework used by the repository
Checkov Output
2023-10-05 14:51:49,849 [MainThread ] [WARNI] Failed to download module cloudposse/label/null:0.25.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:51:49,849 [MainThread ] [WARNI] Failed to download module cloudposse/kms-key/aws:0.10.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:51:49,849 [MainThread ] [WARNI] Failed to download module cloudposse/cloudtrail-s3-bucket/aws:0.26.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:51:49,849 [MainThread ] [WARNI] Failed to download module cloudposse/config/yaml:0.7.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:51:49,849 [MainThread ] [WARNI] Failed to download module cloudposse/cloudtrail/aws:0.17.0 (for external modules, the --download-external-modules flag is required)
terraform scan results:
Passed checks: 43, Failed checks: 2, Skipped checks: 0
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: aws_cloudwatch_log_group.default
File: /examples/complete/main.tf:18-22
18 | resource "aws_cloudwatch_log_group" "default" {
19 | name = module.this.id
20 | tags = module.this.tags
21 | retention_in_days = 90
22 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
FAILED for resource: aws_cloudwatch_log_group.default
File: /examples/complete/main.tf:18-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html
18 | resource "aws_cloudwatch_log_group" "default" {
19 | name = module.this.id
20 | tags = module.this.tags
21 | retention_in_days = 90
22 | }
github_actions scan results:
Passed checks: 40, Failed checks: 0, Skipped checks: 0
Linting
This repository failed the Experience Builder Terraform Module's Linting validation. This means that a linting tool was not found to be implemented in any of the CICD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform linting tools