| Repository | cloudposse / terraform-aws-rds-cloudwatch-sns-alarms |
|---|---|
| Description | Terraform module that configures important RDS alerts using CloudWatch and sends them to an SNS topic |
| Stars | 107 |
| Failed Checks | Security Scanning |
| Scan Date | 2023-10-30 17:57:40 |
Security Scanning
This repository failed the Experience Builder Terraform Module's Security Scanning validation. This means that a security scanning tool was not found to be implemented in any of the CICD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform security scanning tools (example checkov output found below)
- Implement one of the security scanning tools within the CICD framework used by the repository
Checkov Output
2023-10-05 15:04:22,807 [MainThread ] [WARNI] Failed to download module cloudposse/label/null:0.25.0 (for external modules, the --download-external-modules flag is required)
terraform scan results:
Passed checks: 22, Failed checks: 11, Skipped checks: 0
Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
FAILED for resource: aws_db_instance.default
File: /examples/complete/main.tf:5-18
5 | resource "aws_db_instance" "default" {
6 | allocated_storage = 10
7 | storage_type = "gp2"
8 | engine = "mysql"
9 | engine_version = "5.7"
10 | instance_class = "db.t2.micro"
11 | identifier = module.this.id
12 | db_name = "mydb"
13 | username = "foo"
14 | password = "foobarbaz"
15 | parameter_group_name = "default.mysql5.7"
16 | apply_immediately = "true"
17 | skip_final_snapshot = "true"
18 | }
Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
FAILED for resource: aws_db_instance.default
File: /examples/complete/main.tf:5-18
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled.html
5 | resource "aws_db_instance" "default" {
6 | allocated_storage = 10
7 | storage_type = "gp2"
8 | engine = "mysql"
9 | engine_version = "5.7"
10 | instance_class = "db.t2.micro"
11 | identifier = module.this.id
12 | db_name = "mydb"
13 | username = "foo"
14 | password = "foobarbaz"
15 | parameter_group_name = "default.mysql5.7"
16 | apply_immediately = "true"
17 | skip_final_snapshot = "true"
18 | }
Check: CKV_AWS_161: "Ensure RDS database has IAM authentication enabled"
FAILED for resource: aws_db_instance.default
File: /examples/complete/main.tf:5-18
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-rds-database-has-iam-authentication-enabled.html
5 | resource "aws_db_instance" "default" {
6 | allocated_storage = 10
7 | storage_type = "gp2"
8 | engine = "mysql"
9 | engine_version = "5.7"
10 | instance_class = "db.t2.micro"
11 | identifier = module.this.id
12 | db_name = "mydb"
13 | username = "foo"
14 | password = "foobarbaz"
15 | parameter_group_name = "default.mysql5.7"
16 | apply_immediately = "true"
17 | skip_final_snapshot = "true"
18 | }
Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
FAILED for resource: aws_db_instance.default
File: /examples/complete/main.tf:5-18
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically.html
5 | resource "aws_db_instance" "default" {
6 | allocated_storage = 10
7 | storage_type = "gp2"
8 | engine = "mysql"
9 | engine_version = "5.7"
10 | instance_class = "db.t2.micro"
11 | identifier = module.this.id
12 | db_name = "mydb"
13 | username = "foo"
14 | password = "foobarbaz"
15 | parameter_group_name = "default.mysql5.7"
16 | apply_immediately = "true"
17 | skip_final_snapshot = "true"
18 | }
Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
FAILED for resource: aws_db_instance.default
File: /examples/complete/main.tf:5-18
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances.html
5 | resource "aws_db_instance" "default" {
6 | allocated_storage = 10
7 | storage_type = "gp2"
8 | engine = "mysql"
9 | engine_version = "5.7"
10 | instance_class = "db.t2.micro"
11 | identifier = module.this.id
12 | db_name = "mydb"
13 | username = "foo"
14 | password = "foobarbaz"
15 | parameter_group_name = "default.mysql5.7"
16 | apply_immediately = "true"
17 | skip_final_snapshot = "true"
18 | }
Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
FAILED for resource: aws_db_instance.default
File: /examples/complete/main.tf:5-18
5 | resource "aws_db_instance" "default" {
6 | allocated_storage = 10
7 | storage_type = "gp2"
8 | engine = "mysql"
9 | engine_version = "5.7"
10 | instance_class = "db.t2.micro"
11 | identifier = module.this.id
12 | db_name = "mydb"
13 | username = "foo"
14 | password = "foobarbaz"
15 | parameter_group_name = "default.mysql5.7"
16 | apply_immediately = "true"
17 | skip_final_snapshot = "true"
18 | }
Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
FAILED for resource: aws_db_instance.default
File: /examples/complete/main.tf:5-18
5 | resource "aws_db_instance" "default" {
6 | allocated_storage = 10
7 | storage_type = "gp2"
8 | engine = "mysql"
9 | engine_version = "5.7"
10 | instance_class = "db.t2.micro"
11 | identifier = module.this.id
12 | db_name = "mydb"
13 | username = "foo"
14 | password = "foobarbaz"
15 | parameter_group_name = "default.mysql5.7"
16 | apply_immediately = "true"
17 | skip_final_snapshot = "true"
18 | }
Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
FAILED for resource: aws_db_instance.default
File: /examples/complete/main.tf:5-18
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-4.html
5 | resource "aws_db_instance" "default" {
6 | allocated_storage = 10
7 | storage_type = "gp2"
8 | engine = "mysql"
9 | engine_version = "5.7"
10 | instance_class = "db.t2.micro"
11 | identifier = module.this.id
12 | db_name = "mydb"
13 | username = "foo"
14 | password = "foobarbaz"
15 | parameter_group_name = "default.mysql5.7"
16 | apply_immediately = "true"
17 | skip_final_snapshot = "true"
18 | }
Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
FAILED for resource: aws_db_instance.default
File: /examples/complete/main.tf:5-18
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-73.html
5 | resource "aws_db_instance" "default" {
6 | allocated_storage = 10
7 | storage_type = "gp2"
8 | engine = "mysql"
9 | engine_version = "5.7"
10 | instance_class = "db.t2.micro"
11 | identifier = module.this.id
12 | db_name = "mydb"
13 | username = "foo"
14 | password = "foobarbaz"
15 | parameter_group_name = "default.mysql5.7"
16 | apply_immediately = "true"
17 | skip_final_snapshot = "true"
18 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
FAILED for resource: module.rds_alarms.aws_sns_topic.default
File: /main.tf:14-17
Calling File: /examples/complete/main.tf:20-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-15.html
14 | resource "aws_sns_topic" "default" {
15 | count = module.this.enabled ? 1 : 0
16 | name = module.topic_label.id
17 | }
Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
FAILED for resource: aws_db_instance.default
File: /examples/complete/main.tf:5-18
5 | resource "aws_db_instance" "default" {
6 | allocated_storage = 10
7 | storage_type = "gp2"
8 | engine = "mysql"
9 | engine_version = "5.7"
10 | instance_class = "db.t2.micro"
11 | identifier = module.this.id
12 | db_name = "mydb"
13 | username = "foo"
14 | password = "foobarbaz"
15 | parameter_group_name = "default.mysql5.7"
16 | apply_immediately = "true"
17 | skip_final_snapshot = "true"
18 | }
github_actions scan results:
Passed checks: 40, Failed checks: 0, Skipped checks: 0
Linting
This repository failed the Experience Builder Terraform Module's Linting validation. This means that a linting tool was not found to be implemented in any of the CICD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform linting tools