| Repository | cloudposse / terraform-aws-ecs-web-app |
|---|---|
| Description | Terraform module that implements a web app on ECS and supports autoscaling, CI/CD, monitoring, ALB integration, and much more. |
| Stars | 211 |
| Failed Checks | Security Scanning |
| Scan Date | 2023-10-30 17:57:40 |
Security Scanning
This repository failed the Experience Builder Terraform Module's Security Scanning validation. This means that a security scanning tool was not found to be implemented in any of the CICD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform security scanning tools (example checkov output found below)
- Implement one of the security scanning tools within the CICD framework used by the repository
Checkov Output
2023-10-05 14:51:25,417 [MainThread ] [WARNI] Failed to download module cloudposse/label/null:0.25.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:51:25,417 [MainThread ] [WARNI] Failed to download module cloudposse/ecr/aws:0.34.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:51:25,417 [MainThread ] [WARNI] Failed to download module cloudposse/alb-ingress/aws:0.25.1 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:51:25,418 [MainThread ] [WARNI] Failed to download module cloudposse/ecs-container-definition/aws:0.58.1 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:51:25,418 [MainThread ] [WARNI] Failed to download module cloudposse/ecs-alb-service-task/aws:0.64.1 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:51:25,418 [MainThread ] [WARNI] Failed to download module cloudposse/ecs-codepipeline/aws:0.30.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:51:25,418 [MainThread ] [WARNI] Failed to download module cloudposse/ecs-cloudwatch-autoscaling/aws:0.7.3 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:51:25,418 [MainThread ] [WARNI] Failed to download module cloudposse/ecs-cloudwatch-sns-alarms/aws:0.12.2 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:51:25,418 [MainThread ] [WARNI] Failed to download module cloudposse/alb-target-group-cloudwatch-sns-alarms/aws:0.17.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:51:25,418 [MainThread ] [WARNI] Failed to download module cloudposse/vpc/aws:0.18.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:51:25,419 [MainThread ] [WARNI] Failed to download module cloudposse/dynamic-subnets/aws:0.32.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:51:25,420 [MainThread ] [WARNI] Failed to download module cloudposse/alb/aws:0.23.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:51:25,420 [MainThread ] [WARNI] Failed to download module cloudposse/vpc/aws:0.18.2 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:51:25,420 [MainThread ] [WARNI] Failed to download module cloudposse/dynamic-subnets/aws:0.34.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:51:25,420 [MainThread ] [WARNI] Failed to download module cloudposse/alb/aws:0.27.0 (for external modules, the --download-external-modules flag is required)
terraform scan results:
Passed checks: 18, Failed checks: 10, Skipped checks: 0
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: aws_cloudwatch_log_group.app
File: /examples/with_cognito_authentication/main.tf:63-68
63 | resource "aws_cloudwatch_log_group" "app" {
64 | #bridgecrew:skip=BC_AWS_LOGGING_21:Skipping `Ensure CloudWatch logs are encrypted at rest using KMS CMKs` in example/test modules
65 | name = module.this.id
66 | tags = module.this.tags
67 | retention_in_days = 90
68 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
FAILED for resource: aws_cloudwatch_log_group.app
File: /examples/with_cognito_authentication/main.tf:63-68
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html
63 | resource "aws_cloudwatch_log_group" "app" {
64 | #bridgecrew:skip=BC_AWS_LOGGING_21:Skipping `Ensure CloudWatch logs are encrypted at rest using KMS CMKs` in example/test modules
65 | name = module.this.id
66 | tags = module.this.tags
67 | retention_in_days = 90
68 | }
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: aws_cloudwatch_log_group.app
File: /examples/with_google_oidc_authentication/main.tf:62-67
62 | resource "aws_cloudwatch_log_group" "app" {
63 | #bridgecrew:skip=BC_AWS_LOGGING_21:Skipping `Ensure CloudWatch logs are encrypted at rest using KMS CMKs` in example/test modules
64 | name = module.this.id
65 | tags = module.this.tags
66 | retention_in_days = 90
67 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
FAILED for resource: aws_cloudwatch_log_group.app
File: /examples/with_google_oidc_authentication/main.tf:62-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html
62 | resource "aws_cloudwatch_log_group" "app" {
63 | #bridgecrew:skip=BC_AWS_LOGGING_21:Skipping `Ensure CloudWatch logs are encrypted at rest using KMS CMKs` in example/test modules
64 | name = module.this.id
65 | tags = module.this.tags
66 | retention_in_days = 90
67 | }
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: aws_cloudwatch_log_group.app
File: /examples/without_authentication/main.tf:62-67
62 | resource "aws_cloudwatch_log_group" "app" {
63 | #bridgecrew:skip=BC_AWS_LOGGING_21:Skipping `Ensure CloudWatch logs are encrypted at rest using KMS CMKs` in example/test modules
64 | name = module.this.id
65 | tags = module.this.tags
66 | retention_in_days = 90
67 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
FAILED for resource: aws_cloudwatch_log_group.app
File: /examples/without_authentication/main.tf:62-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html
62 | resource "aws_cloudwatch_log_group" "app" {
63 | #bridgecrew:skip=BC_AWS_LOGGING_21:Skipping `Ensure CloudWatch logs are encrypted at rest using KMS CMKs` in example/test modules
64 | name = module.this.id
65 | tags = module.this.tags
66 | retention_in_days = 90
67 | }
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: module.ecs_web_app.aws_cloudwatch_log_group.app[0]
File: /main.tf:15-21
Calling File: /examples/complete/main.tf:62-181
15 | resource "aws_cloudwatch_log_group" "app" {
16 | count = module.this.enabled && var.cloudwatch_log_group_enabled ? 1 : 0
17 |
18 | name = module.this.id
19 | tags = module.this.tags
20 | retention_in_days = var.log_retention_in_days
21 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
FAILED for resource: module.ecs_web_app.aws_cloudwatch_log_group.app[0]
File: /main.tf:15-21
Calling File: /examples/complete/main.tf:62-181
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html
15 | resource "aws_cloudwatch_log_group" "app" {
16 | count = module.this.enabled && var.cloudwatch_log_group_enabled ? 1 : 0
17 |
18 | name = module.this.id
19 | tags = module.this.tags
20 | retention_in_days = var.log_retention_in_days
21 | }
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: module.web_app.aws_cloudwatch_log_group.app[0]
File: /main.tf:15-21
Calling File: /examples/without_authentication/main.tf:69-136
15 | resource "aws_cloudwatch_log_group" "app" {
16 | count = module.this.enabled && var.cloudwatch_log_group_enabled ? 1 : 0
17 |
18 | name = module.this.id
19 | tags = module.this.tags
20 | retention_in_days = var.log_retention_in_days
21 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
FAILED for resource: module.web_app.aws_cloudwatch_log_group.app[0]
File: /main.tf:15-21
Calling File: /examples/without_authentication/main.tf:69-136
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html
15 | resource "aws_cloudwatch_log_group" "app" {
16 | count = module.this.enabled && var.cloudwatch_log_group_enabled ? 1 : 0
17 |
18 | name = module.this.id
19 | tags = module.this.tags
20 | retention_in_days = var.log_retention_in_days
21 | }
github_actions scan results:
Passed checks: 40, Failed checks: 0, Skipped checks: 0
Linting
This repository failed the Experience Builder Terraform Module's Linting validation. This means that a linting tool was not found to be implemented in any of the CICD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform linting tools