Experience Builder


Terraform

Repository
cloudposse / terraform-aws-s3-bucket
Description

Terraform module that creates an S3 bucket with an optional IAM user for external CI/CD systems

Stars

 151

Failed Checks
  •  Security Scanning
  •  Linting

Scan Date

    2023-10-30 17:57:40

    Security Scanning

    This repository failed the Experience Builder Terraform Module's Security Scanning validation. This means that a security scanning tool was not found to be implemented in any of the CICD tool configuration files in the repository.

    There is an opportunity to:

    Checkov Output
    2023-10-05 14:54:47,624 [MainThread  ] [WARNI]  Failed to download module cloudposse/label/null:0.25.0 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:54:47,625 [MainThread  ] [WARNI]  Failed to download module cloudposse/iam-s3-user/aws:1.2.0 (for external modules, the --download-external-modules flag is required)
    terraform scan results:
    
    Passed checks: 132, Failed checks: 27, Skipped checks: 0
    
    Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
    	FAILED for resource: module.s3_bucket.aws_s3_bucket_lifecycle_configuration.default[0]
    	File: /lifecycle.tf:159-248
    	Calling File: /examples/complete/main.tf:9-47
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
    	FAILED for resource: module.s3_bucket_replication_target.aws_s3_bucket_lifecycle_configuration.default[0]
    	File: /lifecycle.tf:159-248
    	Calling File: /examples/complete/replication.tf:33-46
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
    	FAILED for resource: module.s3_bucket_replication_target_extra.aws_s3_bucket_lifecycle_configuration.default[0]
    	File: /lifecycle.tf:159-248
    	Calling File: /examples/complete/replication.tf:48-61
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
    	FAILED for resource: module.s3_bucket.aws_s3_bucket.default
    	File: /main.tf:33-41
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
    
    		33 | resource "aws_s3_bucket" "default" {
    		34 |   count         = local.enabled ? 1 : 0
    		35 |   bucket        = local.bucket_name
    		36 |   force_destroy = var.force_destroy
    		37 | 
    		38 |   object_lock_enabled = local.object_lock_enabled
    		39 | 
    		40 |   tags = module.this.tags
    		41 | }
    
    Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
    	FAILED for resource: module.s3_bucket_replication_target.aws_s3_bucket.default
    	File: /main.tf:33-41
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
    
    		33 | resource "aws_s3_bucket" "default" {
    		34 |   count         = local.enabled ? 1 : 0
    		35 |   bucket        = local.bucket_name
    		36 |   force_destroy = var.force_destroy
    		37 | 
    		38 |   object_lock_enabled = local.object_lock_enabled
    		39 | 
    		40 |   tags = module.this.tags
    		41 | }
    
    Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
    	FAILED for resource: module.s3_bucket_replication_target_extra.aws_s3_bucket.default
    	File: /main.tf:33-41
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
    
    		33 | resource "aws_s3_bucket" "default" {
    		34 |   count         = local.enabled ? 1 : 0
    		35 |   bucket        = local.bucket_name
    		36 |   force_destroy = var.force_destroy
    		37 | 
    		38 |   object_lock_enabled = local.object_lock_enabled
    		39 | 
    		40 |   tags = module.this.tags
    		41 | }
    
    Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
    	FAILED for resource: module.s3_bucket.aws_s3_bucket.default
    	File: /main.tf:33-41
    
    		33 | resource "aws_s3_bucket" "default" {
    		34 |   count         = local.enabled ? 1 : 0
    		35 |   bucket        = local.bucket_name
    		36 |   force_destroy = var.force_destroy
    		37 | 
    		38 |   object_lock_enabled = local.object_lock_enabled
    		39 | 
    		40 |   tags = module.this.tags
    		41 | }
    
    Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
    	FAILED for resource: module.s3_bucket_replication_target.aws_s3_bucket.default
    	File: /main.tf:33-41
    
    		33 | resource "aws_s3_bucket" "default" {
    		34 |   count         = local.enabled ? 1 : 0
    		35 |   bucket        = local.bucket_name
    		36 |   force_destroy = var.force_destroy
    		37 | 
    		38 |   object_lock_enabled = local.object_lock_enabled
    		39 | 
    		40 |   tags = module.this.tags
    		41 | }
    
    Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
    	FAILED for resource: module.s3_bucket_replication_target_extra.aws_s3_bucket.default
    	File: /main.tf:33-41
    
    		33 | resource "aws_s3_bucket" "default" {
    		34 |   count         = local.enabled ? 1 : 0
    		35 |   bucket        = local.bucket_name
    		36 |   force_destroy = var.force_destroy
    		37 | 
    		38 |   object_lock_enabled = local.object_lock_enabled
    		39 | 
    		40 |   tags = module.this.tags
    		41 | }
    
    Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
    	FAILED for resource: module.s3_bucket.aws_s3_bucket_ownership_controls.default
    	File: /main.tf:509-518
    
    		509 | resource "aws_s3_bucket_ownership_controls" "default" {
    		510 |   count = local.enabled ? 1 : 0
    		511 | 
    		512 |   bucket = local.bucket_id
    		513 | 
    		514 |   rule {
    		515 |     object_ownership = var.s3_object_ownership
    		516 |   }
    		517 |   depends_on = [time_sleep.wait_for_aws_s3_bucket_settings]
    		518 | }
    
    Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
    	FAILED for resource: module.s3_bucket_replication_target.aws_s3_bucket_ownership_controls.default
    	File: /main.tf:509-518
    
    		509 | resource "aws_s3_bucket_ownership_controls" "default" {
    		510 |   count = local.enabled ? 1 : 0
    		511 | 
    		512 |   bucket = local.bucket_id
    		513 | 
    		514 |   rule {
    		515 |     object_ownership = var.s3_object_ownership
    		516 |   }
    		517 |   depends_on = [time_sleep.wait_for_aws_s3_bucket_settings]
    		518 | }
    
    Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
    	FAILED for resource: module.s3_bucket_replication_target_extra.aws_s3_bucket_ownership_controls.default
    	File: /main.tf:509-518
    
    		509 | resource "aws_s3_bucket_ownership_controls" "default" {
    		510 |   count = local.enabled ? 1 : 0
    		511 | 
    		512 |   bucket = local.bucket_id
    		513 | 
    		514 |   rule {
    		515 |     object_ownership = var.s3_object_ownership
    		516 |   }
    		517 |   depends_on = [time_sleep.wait_for_aws_s3_bucket_settings]
    		518 | }
    
    Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
    	FAILED for resource: module.s3_bucket.aws_s3_bucket.default
    	File: /main.tf:33-41
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
    
    		33 | resource "aws_s3_bucket" "default" {
    		34 |   count         = local.enabled ? 1 : 0
    		35 |   bucket        = local.bucket_name
    		36 |   force_destroy = var.force_destroy
    		37 | 
    		38 |   object_lock_enabled = local.object_lock_enabled
    		39 | 
    		40 |   tags = module.this.tags
    		41 | }
    
    Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
    	FAILED for resource: module.s3_bucket_replication_target.aws_s3_bucket.default
    	File: /main.tf:33-41
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
    
    		33 | resource "aws_s3_bucket" "default" {
    		34 |   count         = local.enabled ? 1 : 0
    		35 |   bucket        = local.bucket_name
    		36 |   force_destroy = var.force_destroy
    		37 | 
    		38 |   object_lock_enabled = local.object_lock_enabled
    		39 | 
    		40 |   tags = module.this.tags
    		41 | }
    
    Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
    	FAILED for resource: module.s3_bucket_replication_target_extra.aws_s3_bucket.default
    	File: /main.tf:33-41
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
    
    		33 | resource "aws_s3_bucket" "default" {
    		34 |   count         = local.enabled ? 1 : 0
    		35 |   bucket        = local.bucket_name
    		36 |   force_destroy = var.force_destroy
    		37 | 
    		38 |   object_lock_enabled = local.object_lock_enabled
    		39 | 
    		40 |   tags = module.this.tags
    		41 | }
    
    Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
    	FAILED for resource: module.s3_bucket.aws_s3_bucket.default
    	File: /main.tf:33-41
    
    		33 | resource "aws_s3_bucket" "default" {
    		34 |   count         = local.enabled ? 1 : 0
    		35 |   bucket        = local.bucket_name
    		36 |   force_destroy = var.force_destroy
    		37 | 
    		38 |   object_lock_enabled = local.object_lock_enabled
    		39 | 
    		40 |   tags = module.this.tags
    		41 | }
    
    Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
    	FAILED for resource: module.s3_bucket_replication_target.aws_s3_bucket.default
    	File: /main.tf:33-41
    
    		33 | resource "aws_s3_bucket" "default" {
    		34 |   count         = local.enabled ? 1 : 0
    		35 |   bucket        = local.bucket_name
    		36 |   force_destroy = var.force_destroy
    		37 | 
    		38 |   object_lock_enabled = local.object_lock_enabled
    		39 | 
    		40 |   tags = module.this.tags
    		41 | }
    
    Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
    	FAILED for resource: module.s3_bucket_replication_target_extra.aws_s3_bucket.default
    	File: /main.tf:33-41
    
    		33 | resource "aws_s3_bucket" "default" {
    		34 |   count         = local.enabled ? 1 : 0
    		35 |   bucket        = local.bucket_name
    		36 |   force_destroy = var.force_destroy
    		37 | 
    		38 |   object_lock_enabled = local.object_lock_enabled
    		39 | 
    		40 |   tags = module.this.tags
    		41 | }
    
    Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
    	FAILED for resource: module.s3_bucket.aws_s3_bucket.default
    	File: /main.tf:33-41
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
    
    		33 | resource "aws_s3_bucket" "default" {
    		34 |   count         = local.enabled ? 1 : 0
    		35 |   bucket        = local.bucket_name
    		36 |   force_destroy = var.force_destroy
    		37 | 
    		38 |   object_lock_enabled = local.object_lock_enabled
    		39 | 
    		40 |   tags = module.this.tags
    		41 | }
    
    Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
    	FAILED for resource: module.s3_bucket_replication_target.aws_s3_bucket.default
    	File: /main.tf:33-41
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
    
    		33 | resource "aws_s3_bucket" "default" {
    		34 |   count         = local.enabled ? 1 : 0
    		35 |   bucket        = local.bucket_name
    		36 |   force_destroy = var.force_destroy
    		37 | 
    		38 |   object_lock_enabled = local.object_lock_enabled
    		39 | 
    		40 |   tags = module.this.tags
    		41 | }
    
    Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
    	FAILED for resource: module.s3_bucket_replication_target_extra.aws_s3_bucket.default
    	File: /main.tf:33-41
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
    
    		33 | resource "aws_s3_bucket" "default" {
    		34 |   count         = local.enabled ? 1 : 0
    		35 |   bucket        = local.bucket_name
    		36 |   force_destroy = var.force_destroy
    		37 | 
    		38 |   object_lock_enabled = local.object_lock_enabled
    		39 | 
    		40 |   tags = module.this.tags
    		41 | }
    
    Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
    	FAILED for resource: module.s3_bucket.aws_s3_bucket.default
    	File: /main.tf:33-41
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached.html
    
    		33 | resource "aws_s3_bucket" "default" {
    		34 |   count         = local.enabled ? 1 : 0
    		35 |   bucket        = local.bucket_name
    		36 |   force_destroy = var.force_destroy
    		37 | 
    		38 |   object_lock_enabled = local.object_lock_enabled
    		39 | 
    		40 |   tags = module.this.tags
    		41 | }
    
    Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
    	FAILED for resource: module.s3_bucket_replication_target.aws_s3_bucket.default
    	File: /main.tf:33-41
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached.html
    
    		33 | resource "aws_s3_bucket" "default" {
    		34 |   count         = local.enabled ? 1 : 0
    		35 |   bucket        = local.bucket_name
    		36 |   force_destroy = var.force_destroy
    		37 | 
    		38 |   object_lock_enabled = local.object_lock_enabled
    		39 | 
    		40 |   tags = module.this.tags
    		41 | }
    
    Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
    	FAILED for resource: module.s3_bucket_replication_target_extra.aws_s3_bucket.default
    	File: /main.tf:33-41
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached.html
    
    		33 | resource "aws_s3_bucket" "default" {
    		34 |   count         = local.enabled ? 1 : 0
    		35 |   bucket        = local.bucket_name
    		36 |   force_destroy = var.force_destroy
    		37 | 
    		38 |   object_lock_enabled = local.object_lock_enabled
    		39 | 
    		40 |   tags = module.this.tags
    		41 | }
    
    Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
    	FAILED for resource: module.s3_bucket.aws_s3_bucket.default
    	File: /main.tf:33-41
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
    
    		33 | resource "aws_s3_bucket" "default" {
    		34 |   count         = local.enabled ? 1 : 0
    		35 |   bucket        = local.bucket_name
    		36 |   force_destroy = var.force_destroy
    		37 | 
    		38 |   object_lock_enabled = local.object_lock_enabled
    		39 | 
    		40 |   tags = module.this.tags
    		41 | }
    
    Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
    	FAILED for resource: module.s3_bucket_replication_target.aws_s3_bucket.default
    	File: /main.tf:33-41
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
    
    		33 | resource "aws_s3_bucket" "default" {
    		34 |   count         = local.enabled ? 1 : 0
    		35 |   bucket        = local.bucket_name
    		36 |   force_destroy = var.force_destroy
    		37 | 
    		38 |   object_lock_enabled = local.object_lock_enabled
    		39 | 
    		40 |   tags = module.this.tags
    		41 | }
    
    Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
    	FAILED for resource: module.s3_bucket_replication_target_extra.aws_s3_bucket.default
    	File: /main.tf:33-41
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
    
    		33 | resource "aws_s3_bucket" "default" {
    		34 |   count         = local.enabled ? 1 : 0
    		35 |   bucket        = local.bucket_name
    		36 |   force_destroy = var.force_destroy
    		37 | 
    		38 |   object_lock_enabled = local.object_lock_enabled
    		39 | 
    		40 |   tags = module.this.tags
    		41 | }
    
    github_actions scan results:
    
    Passed checks: 40, Failed checks: 0, Skipped checks: 0
    

    Linting

    This repository failed the Experience Builder Terraform Module's Linting validation. This means that a linting tool was not found to be implemented in any of the CICD tool configuration files in the repository.

    There is an opportunity to: