| Repository | ContainerSolutions / terraform-examples |
|---|---|
| Description | Simple and idiomatic examples of various Terraform functions and features. |
| Stars | 154 |
| Failed Checks | Security Scanning |
| Scan Date | 2023-10-30 17:57:40 |
Security Scanning
This repository failed the Experience Builder Terraform Module's Security Scanning validation. This means that a security scanning tool was not found to be implemented in any of the CICD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform security scanning tools (example checkov output found below)
- Implement one of the security scanning tools within the CICD framework used by the repository
Checkov Output
2023-10-05 14:54:35,992 [MainThread ] [WARNI] Failed to find context for resource.aws_iam_user.changeme_iam_user_users["jane.doe"]
2023-10-05 14:54:35,992 [MainThread ] [WARNI] Failed to find context for resource.aws_iam_user.changeme_iam_user_users["john.doe"]
terraform scan results:
Passed checks: 416, Failed checks: 646, Skipped checks: 0
Check: CKV_AWS_327: "Ensure RDS Clusters are encrypted using KMS CMKs"
FAILED for resource: aws_rds_cluster.changeme_aws_aurora_cluster_instance
File: /aws/aws_db_cluster_snapshot/simple/main.tf:38-46
38 | resource "aws_rds_cluster" "changeme_aws_aurora_cluster_instance" {
39 | # The login credentials are stored as plain-text in the state files
40 | # https://www.terraform.io/docs/language/state/sensitive-data.html
41 | # For security, use a secrets manager
42 | # https://registry.terraform.io/modules/yurymkomarov/rds-aurora-cluster/aws/latest#secretsmanager_secret
43 | master_username = var.changeme_aws_aurora_cluster_username
44 | master_password = var.changeme_aws_aurora_cluster_password
45 | skip_final_snapshot = true
46 | }
Check: CKV_AWS_324: "Ensure that RDS Cluster log capture is enabled"
FAILED for resource: aws_rds_cluster.changeme_aws_aurora_cluster_instance
File: /aws/aws_db_cluster_snapshot/simple/main.tf:38-46
38 | resource "aws_rds_cluster" "changeme_aws_aurora_cluster_instance" {
39 | # The login credentials are stored as plain-text in the state files
40 | # https://www.terraform.io/docs/language/state/sensitive-data.html
41 | # For security, use a secrets manager
42 | # https://registry.terraform.io/modules/yurymkomarov/rds-aurora-cluster/aws/latest#secretsmanager_secret
43 | master_username = var.changeme_aws_aurora_cluster_username
44 | master_password = var.changeme_aws_aurora_cluster_password
45 | skip_final_snapshot = true
46 | }
Check: CKV_AWS_96: "Ensure all data stored in Aurora is securely encrypted at rest"
FAILED for resource: aws_rds_cluster.changeme_aws_aurora_cluster_instance
File: /aws/aws_db_cluster_snapshot/simple/main.tf:38-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-38.html
38 | resource "aws_rds_cluster" "changeme_aws_aurora_cluster_instance" {
39 | # The login credentials are stored as plain-text in the state files
40 | # https://www.terraform.io/docs/language/state/sensitive-data.html
41 | # For security, use a secrets manager
42 | # https://registry.terraform.io/modules/yurymkomarov/rds-aurora-cluster/aws/latest#secretsmanager_secret
43 | master_username = var.changeme_aws_aurora_cluster_username
44 | master_password = var.changeme_aws_aurora_cluster_password
45 | skip_final_snapshot = true
46 | }
Check: CKV_AWS_313: "Ensure RDS cluster configured to copy tags to snapshots"
FAILED for resource: aws_rds_cluster.changeme_aws_aurora_cluster_instance
File: /aws/aws_db_cluster_snapshot/simple/main.tf:38-46
38 | resource "aws_rds_cluster" "changeme_aws_aurora_cluster_instance" {
39 | # The login credentials are stored as plain-text in the state files
40 | # https://www.terraform.io/docs/language/state/sensitive-data.html
41 | # For security, use a secrets manager
42 | # https://registry.terraform.io/modules/yurymkomarov/rds-aurora-cluster/aws/latest#secretsmanager_secret
43 | master_username = var.changeme_aws_aurora_cluster_username
44 | master_password = var.changeme_aws_aurora_cluster_password
45 | skip_final_snapshot = true
46 | }
Check: CKV_AWS_326: "Ensure that RDS Aurora Clusters have backtracking enabled"
FAILED for resource: aws_rds_cluster.changeme_aws_aurora_cluster_instance
File: /aws/aws_db_cluster_snapshot/simple/main.tf:38-46
38 | resource "aws_rds_cluster" "changeme_aws_aurora_cluster_instance" {
39 | # The login credentials are stored as plain-text in the state files
40 | # https://www.terraform.io/docs/language/state/sensitive-data.html
41 | # For security, use a secrets manager
42 | # https://registry.terraform.io/modules/yurymkomarov/rds-aurora-cluster/aws/latest#secretsmanager_secret
43 | master_username = var.changeme_aws_aurora_cluster_username
44 | master_password = var.changeme_aws_aurora_cluster_password
45 | skip_final_snapshot = true
46 | }
Check: CKV_AWS_325: "Ensure that RDS Cluster audit logging is enabled for MySQL engine"
FAILED for resource: aws_rds_cluster.changeme_aws_aurora_cluster_instance
File: /aws/aws_db_cluster_snapshot/simple/main.tf:38-46
38 | resource "aws_rds_cluster" "changeme_aws_aurora_cluster_instance" {
39 | # The login credentials are stored as plain-text in the state files
40 | # https://www.terraform.io/docs/language/state/sensitive-data.html
41 | # For security, use a secrets manager
42 | # https://registry.terraform.io/modules/yurymkomarov/rds-aurora-cluster/aws/latest#secretsmanager_secret
43 | master_username = var.changeme_aws_aurora_cluster_username
44 | master_password = var.changeme_aws_aurora_cluster_password
45 | skip_final_snapshot = true
46 | }
Check: CKV_AWS_162: "Ensure RDS cluster has IAM authentication enabled"
FAILED for resource: aws_rds_cluster.changeme_aws_aurora_cluster_instance
File: /aws/aws_db_cluster_snapshot/simple/main.tf:38-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-rds-cluster-has-iam-authentication-enabled.html
38 | resource "aws_rds_cluster" "changeme_aws_aurora_cluster_instance" {
39 | # The login credentials are stored as plain-text in the state files
40 | # https://www.terraform.io/docs/language/state/sensitive-data.html
41 | # For security, use a secrets manager
42 | # https://registry.terraform.io/modules/yurymkomarov/rds-aurora-cluster/aws/latest#secretsmanager_secret
43 | master_username = var.changeme_aws_aurora_cluster_username
44 | master_password = var.changeme_aws_aurora_cluster_password
45 | skip_final_snapshot = true
46 | }
Check: CKV_AWS_139: "Ensure that RDS clusters have deletion protection enabled"
FAILED for resource: aws_rds_cluster.changeme_aws_aurora_cluster_instance
File: /aws/aws_db_cluster_snapshot/simple/main.tf:38-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-rds-clusters-and-instances-have-deletion-protection-enabled.html
38 | resource "aws_rds_cluster" "changeme_aws_aurora_cluster_instance" {
39 | # The login credentials are stored as plain-text in the state files
40 | # https://www.terraform.io/docs/language/state/sensitive-data.html
41 | # For security, use a secrets manager
42 | # https://registry.terraform.io/modules/yurymkomarov/rds-aurora-cluster/aws/latest#secretsmanager_secret
43 | master_username = var.changeme_aws_aurora_cluster_username
44 | master_password = var.changeme_aws_aurora_cluster_password
45 | skip_final_snapshot = true
46 | }
Check: CKV_AWS_146: "Ensure that RDS database cluster snapshot is encrypted"
FAILED for resource: aws_db_cluster_snapshot.changeme_aws_aurora_snapshot
File: /aws/aws_db_cluster_snapshot/simple/main.tf:49-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-rds-database-cluster-snapshot-is-encrypted-1.html
49 | resource "aws_db_cluster_snapshot" "changeme_aws_aurora_snapshot" {
50 | db_cluster_identifier = aws_rds_cluster.changeme_aws_aurora_cluster_instance.id
51 | db_cluster_snapshot_identifier = "changeme-snapshot-identifier"
52 | }
Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
FAILED for resource: aws_db_instance.changeme_aws_db_intance_myqsl
File: /aws/aws_db_instance/db_snapshot/main.tf:27-38
27 | resource "aws_db_instance" "changeme_aws_db_intance_myqsl" {
28 | allocated_storage = 15
29 | engine = "mysql"
30 | engine_version = "5.7"
31 | instance_class = "db.t3.micro"
32 | name = "changeme_simple_aws_db_instance"
33 | username = "changemeusername"
34 | password = "changeme_password"
35 | maintenance_window = "Sat:07:00-Sat:07:30"
36 | backup_retention_period = 0
37 | skip_final_snapshot = true
38 | }
Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
FAILED for resource: aws_db_instance.changeme_aws_db_intance_myqsl
File: /aws/aws_db_instance/db_snapshot/main.tf:27-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled.html
27 | resource "aws_db_instance" "changeme_aws_db_intance_myqsl" {
28 | allocated_storage = 15
29 | engine = "mysql"
30 | engine_version = "5.7"
31 | instance_class = "db.t3.micro"
32 | name = "changeme_simple_aws_db_instance"
33 | username = "changemeusername"
34 | password = "changeme_password"
35 | maintenance_window = "Sat:07:00-Sat:07:30"
36 | backup_retention_period = 0
37 | skip_final_snapshot = true
38 | }
Check: CKV_AWS_161: "Ensure RDS database has IAM authentication enabled"
FAILED for resource: aws_db_instance.changeme_aws_db_intance_myqsl
File: /aws/aws_db_instance/db_snapshot/main.tf:27-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-rds-database-has-iam-authentication-enabled.html
27 | resource "aws_db_instance" "changeme_aws_db_intance_myqsl" {
28 | allocated_storage = 15
29 | engine = "mysql"
30 | engine_version = "5.7"
31 | instance_class = "db.t3.micro"
32 | name = "changeme_simple_aws_db_instance"
33 | username = "changemeusername"
34 | password = "changeme_password"
35 | maintenance_window = "Sat:07:00-Sat:07:30"
36 | backup_retention_period = 0
37 | skip_final_snapshot = true
38 | }
Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
FAILED for resource: aws_db_instance.changeme_aws_db_intance_myqsl
File: /aws/aws_db_instance/db_snapshot/main.tf:27-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically.html
27 | resource "aws_db_instance" "changeme_aws_db_intance_myqsl" {
28 | allocated_storage = 15
29 | engine = "mysql"
30 | engine_version = "5.7"
31 | instance_class = "db.t3.micro"
32 | name = "changeme_simple_aws_db_instance"
33 | username = "changemeusername"
34 | password = "changeme_password"
35 | maintenance_window = "Sat:07:00-Sat:07:30"
36 | backup_retention_period = 0
37 | skip_final_snapshot = true
38 | }
Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
FAILED for resource: aws_db_instance.changeme_aws_db_intance_myqsl
File: /aws/aws_db_instance/db_snapshot/main.tf:27-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances.html
27 | resource "aws_db_instance" "changeme_aws_db_intance_myqsl" {
28 | allocated_storage = 15
29 | engine = "mysql"
30 | engine_version = "5.7"
31 | instance_class = "db.t3.micro"
32 | name = "changeme_simple_aws_db_instance"
33 | username = "changemeusername"
34 | password = "changeme_password"
35 | maintenance_window = "Sat:07:00-Sat:07:30"
36 | backup_retention_period = 0
37 | skip_final_snapshot = true
38 | }
Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
FAILED for resource: aws_db_instance.changeme_aws_db_intance_myqsl
File: /aws/aws_db_instance/db_snapshot/main.tf:27-38
27 | resource "aws_db_instance" "changeme_aws_db_intance_myqsl" {
28 | allocated_storage = 15
29 | engine = "mysql"
30 | engine_version = "5.7"
31 | instance_class = "db.t3.micro"
32 | name = "changeme_simple_aws_db_instance"
33 | username = "changemeusername"
34 | password = "changeme_password"
35 | maintenance_window = "Sat:07:00-Sat:07:30"
36 | backup_retention_period = 0
37 | skip_final_snapshot = true
38 | }
Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
FAILED for resource: aws_db_instance.changeme_aws_db_intance_myqsl
File: /aws/aws_db_instance/db_snapshot/main.tf:27-38
27 | resource "aws_db_instance" "changeme_aws_db_intance_myqsl" {
28 | allocated_storage = 15
29 | engine = "mysql"
30 | engine_version = "5.7"
31 | instance_class = "db.t3.micro"
32 | name = "changeme_simple_aws_db_instance"
33 | username = "changemeusername"
34 | password = "changeme_password"
35 | maintenance_window = "Sat:07:00-Sat:07:30"
36 | backup_retention_period = 0
37 | skip_final_snapshot = true
38 | }
Check: CKV_AWS_133: "Ensure that RDS instances has backup policy"
FAILED for resource: aws_db_instance.changeme_aws_db_intance_myqsl
File: /aws/aws_db_instance/db_snapshot/main.tf:27-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-rds-instances-have-backup-policy.html
27 | resource "aws_db_instance" "changeme_aws_db_intance_myqsl" {
28 | allocated_storage = 15
29 | engine = "mysql"
30 | engine_version = "5.7"
31 | instance_class = "db.t3.micro"
32 | name = "changeme_simple_aws_db_instance"
33 | username = "changemeusername"
34 | password = "changeme_password"
35 | maintenance_window = "Sat:07:00-Sat:07:30"
36 | backup_retention_period = 0
37 | skip_final_snapshot = true
38 | }
Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
FAILED for resource: aws_db_instance.changeme_aws_db_intance_myqsl
File: /aws/aws_db_instance/db_snapshot/main.tf:27-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-4.html
27 | resource "aws_db_instance" "changeme_aws_db_intance_myqsl" {
28 | allocated_storage = 15
29 | engine = "mysql"
30 | engine_version = "5.7"
31 | instance_class = "db.t3.micro"
32 | name = "changeme_simple_aws_db_instance"
33 | username = "changemeusername"
34 | password = "changeme_password"
35 | maintenance_window = "Sat:07:00-Sat:07:30"
36 | backup_retention_period = 0
37 | skip_final_snapshot = true
38 | }
Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
FAILED for resource: aws_db_instance.changeme_aws_db_intance_myqsl
File: /aws/aws_db_instance/db_snapshot/main.tf:27-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-73.html
27 | resource "aws_db_instance" "changeme_aws_db_intance_myqsl" {
28 | allocated_storage = 15
29 | engine = "mysql"
30 | engine_version = "5.7"
31 | instance_class = "db.t3.micro"
32 | name = "changeme_simple_aws_db_instance"
33 | username = "changemeusername"
34 | password = "changeme_password"
35 | maintenance_window = "Sat:07:00-Sat:07:30"
36 | backup_retention_period = 0
37 | skip_final_snapshot = true
38 | }
Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
FAILED for resource: aws_db_instance.changeme_simple_postgresql_instance
File: /aws/aws_db_instance/postgres/main.tf:27-37
27 | resource "aws_db_instance" "changeme_simple_postgresql_instance" {
28 | allocated_storage = 5
29 | engine = "postgres"
30 | engine_version = "12.5"
31 | instance_class = "db.t3.micro"
32 | name = "changeme_simple_postgresql_instance"
33 | username = "changeme_username"
34 | password = "changeme_password"
35 | skip_final_snapshot = true
36 | storage_encrypted = false
37 | }
Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
FAILED for resource: aws_db_instance.changeme_simple_postgresql_instance
File: /aws/aws_db_instance/postgres/main.tf:27-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled.html
27 | resource "aws_db_instance" "changeme_simple_postgresql_instance" {
28 | allocated_storage = 5
29 | engine = "postgres"
30 | engine_version = "12.5"
31 | instance_class = "db.t3.micro"
32 | name = "changeme_simple_postgresql_instance"
33 | username = "changeme_username"
34 | password = "changeme_password"
35 | skip_final_snapshot = true
36 | storage_encrypted = false
37 | }
Check: CKV_AWS_161: "Ensure RDS database has IAM authentication enabled"
FAILED for resource: aws_db_instance.changeme_simple_postgresql_instance
File: /aws/aws_db_instance/postgres/main.tf:27-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-rds-database-has-iam-authentication-enabled.html
27 | resource "aws_db_instance" "changeme_simple_postgresql_instance" {
28 | allocated_storage = 5
29 | engine = "postgres"
30 | engine_version = "12.5"
31 | instance_class = "db.t3.micro"
32 | name = "changeme_simple_postgresql_instance"
33 | username = "changeme_username"
34 | password = "changeme_password"
35 | skip_final_snapshot = true
36 | storage_encrypted = false
37 | }
Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
FAILED for resource: aws_db_instance.changeme_simple_postgresql_instance
File: /aws/aws_db_instance/postgres/main.tf:27-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically.html
27 | resource "aws_db_instance" "changeme_simple_postgresql_instance" {
28 | allocated_storage = 5
29 | engine = "postgres"
30 | engine_version = "12.5"
31 | instance_class = "db.t3.micro"
32 | name = "changeme_simple_postgresql_instance"
33 | username = "changeme_username"
34 | password = "changeme_password"
35 | skip_final_snapshot = true
36 | storage_encrypted = false
37 | }
Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
FAILED for resource: aws_db_instance.changeme_simple_postgresql_instance
File: /aws/aws_db_instance/postgres/main.tf:27-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances.html
27 | resource "aws_db_instance" "changeme_simple_postgresql_instance" {
28 | allocated_storage = 5
29 | engine = "postgres"
30 | engine_version = "12.5"
31 | instance_class = "db.t3.micro"
32 | name = "changeme_simple_postgresql_instance"
33 | username = "changeme_username"
34 | password = "changeme_password"
35 | skip_final_snapshot = true
36 | storage_encrypted = false
37 | }
Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
FAILED for resource: aws_db_instance.changeme_simple_postgresql_instance
File: /aws/aws_db_instance/postgres/main.tf:27-37
27 | resource "aws_db_instance" "changeme_simple_postgresql_instance" {
28 | allocated_storage = 5
29 | engine = "postgres"
30 | engine_version = "12.5"
31 | instance_class = "db.t3.micro"
32 | name = "changeme_simple_postgresql_instance"
33 | username = "changeme_username"
34 | password = "changeme_password"
35 | skip_final_snapshot = true
36 | storage_encrypted = false
37 | }
Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
FAILED for resource: aws_db_instance.changeme_simple_postgresql_instance
File: /aws/aws_db_instance/postgres/main.tf:27-37
27 | resource "aws_db_instance" "changeme_simple_postgresql_instance" {
28 | allocated_storage = 5
29 | engine = "postgres"
30 | engine_version = "12.5"
31 | instance_class = "db.t3.micro"
32 | name = "changeme_simple_postgresql_instance"
33 | username = "changeme_username"
34 | password = "changeme_password"
35 | skip_final_snapshot = true
36 | storage_encrypted = false
37 | }
Check: CKV_AWS_250: "Ensure that RDS PostgreSQL instances use a non vulnerable version with the log_fdw extension (https://aws.amazon.com/security/security-bulletins/AWS-2022-004/)"
FAILED for resource: aws_db_instance.changeme_simple_postgresql_instance
File: /aws/aws_db_instance/postgres/main.tf:27-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-rds-postgresql-instances-use-a-non-vulnerable-version-of-log-fdw-extension.html
27 | resource "aws_db_instance" "changeme_simple_postgresql_instance" {
28 | allocated_storage = 5
29 | engine = "postgres"
30 | engine_version = "12.5"
31 | instance_class = "db.t3.micro"
32 | name = "changeme_simple_postgresql_instance"
33 | username = "changeme_username"
34 | password = "changeme_password"
35 | skip_final_snapshot = true
36 | storage_encrypted = false
37 | }
Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
FAILED for resource: aws_db_instance.changeme_simple_postgresql_instance
File: /aws/aws_db_instance/postgres/main.tf:27-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-4.html
27 | resource "aws_db_instance" "changeme_simple_postgresql_instance" {
28 | allocated_storage = 5
29 | engine = "postgres"
30 | engine_version = "12.5"
31 | instance_class = "db.t3.micro"
32 | name = "changeme_simple_postgresql_instance"
33 | username = "changeme_username"
34 | password = "changeme_password"
35 | skip_final_snapshot = true
36 | storage_encrypted = false
37 | }
Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
FAILED for resource: aws_db_instance.changeme_simple_postgresql_instance
File: /aws/aws_db_instance/postgres/main.tf:27-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-73.html
27 | resource "aws_db_instance" "changeme_simple_postgresql_instance" {
28 | allocated_storage = 5
29 | engine = "postgres"
30 | engine_version = "12.5"
31 | instance_class = "db.t3.micro"
32 | name = "changeme_simple_postgresql_instance"
33 | username = "changeme_username"
34 | password = "changeme_password"
35 | skip_final_snapshot = true
36 | storage_encrypted = false
37 | }
Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
FAILED for resource: aws_db_instance.changeme_aws_db_instance_prod
File: /aws/aws_db_instance/restore_db_from_snapshot/main.tf:27-38
27 | resource "aws_db_instance" "changeme_aws_db_instance_prod" {
28 | allocated_storage = 10
29 | engine = "mysql"
30 | engine_version = "5.7"
31 | instance_class = "db.t2.micro"
32 | name = "changeme_db_prod"
33 | identifier = "changeme-db-identifier"
34 | username = "changeme_username_prod"
35 | password = "changeme_password_prod"
36 | final_snapshot_identifier = "changeme-final-snapshot"
37 | skip_final_snapshot = true # change to false if you want to keep snapshot after deleting the instance
38 | }
Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
FAILED for resource: aws_db_instance.changeme_aws_db_instance_prod
File: /aws/aws_db_instance/restore_db_from_snapshot/main.tf:27-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled.html
27 | resource "aws_db_instance" "changeme_aws_db_instance_prod" {
28 | allocated_storage = 10
29 | engine = "mysql"
30 | engine_version = "5.7"
31 | instance_class = "db.t2.micro"
32 | name = "changeme_db_prod"
33 | identifier = "changeme-db-identifier"
34 | username = "changeme_username_prod"
35 | password = "changeme_password_prod"
36 | final_snapshot_identifier = "changeme-final-snapshot"
37 | skip_final_snapshot = true # change to false if you want to keep snapshot after deleting the instance
38 | }
Check: CKV_AWS_161: "Ensure RDS database has IAM authentication enabled"
FAILED for resource: aws_db_instance.changeme_aws_db_instance_prod
File: /aws/aws_db_instance/restore_db_from_snapshot/main.tf:27-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-rds-database-has-iam-authentication-enabled.html
27 | resource "aws_db_instance" "changeme_aws_db_instance_prod" {
28 | allocated_storage = 10
29 | engine = "mysql"
30 | engine_version = "5.7"
31 | instance_class = "db.t2.micro"
32 | name = "changeme_db_prod"
33 | identifier = "changeme-db-identifier"
34 | username = "changeme_username_prod"
35 | password = "changeme_password_prod"
36 | final_snapshot_identifier = "changeme-final-snapshot"
37 | skip_final_snapshot = true # change to false if you want to keep snapshot after deleting the instance
38 | }
Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
FAILED for resource: aws_db_instance.changeme_aws_db_instance_prod
File: /aws/aws_db_instance/restore_db_from_snapshot/main.tf:27-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically.html
27 | resource "aws_db_instance" "changeme_aws_db_instance_prod" {
28 | allocated_storage = 10
29 | engine = "mysql"
30 | engine_version = "5.7"
31 | instance_class = "db.t2.micro"
32 | name = "changeme_db_prod"
33 | identifier = "changeme-db-identifier"
34 | username = "changeme_username_prod"
35 | password = "changeme_password_prod"
36 | final_snapshot_identifier = "changeme-final-snapshot"
37 | skip_final_snapshot = true # change to false if you want to keep snapshot after deleting the instance
38 | }
Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
FAILED for resource: aws_db_instance.changeme_aws_db_instance_prod
File: /aws/aws_db_instance/restore_db_from_snapshot/main.tf:27-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances.html
27 | resource "aws_db_instance" "changeme_aws_db_instance_prod" {
28 | allocated_storage = 10
29 | engine = "mysql"
30 | engine_version = "5.7"
31 | instance_class = "db.t2.micro"
32 | name = "changeme_db_prod"
33 | identifier = "changeme-db-identifier"
34 | username = "changeme_username_prod"
35 | password = "changeme_password_prod"
36 | final_snapshot_identifier = "changeme-final-snapshot"
37 | skip_final_snapshot = true # change to false if you want to keep snapshot after deleting the instance
38 | }
Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
FAILED for resource: aws_db_instance.changeme_aws_db_instance_prod
File: /aws/aws_db_instance/restore_db_from_snapshot/main.tf:27-38
27 | resource "aws_db_instance" "changeme_aws_db_instance_prod" {
28 | allocated_storage = 10
29 | engine = "mysql"
30 | engine_version = "5.7"
31 | instance_class = "db.t2.micro"
32 | name = "changeme_db_prod"
33 | identifier = "changeme-db-identifier"
34 | username = "changeme_username_prod"
35 | password = "changeme_password_prod"
36 | final_snapshot_identifier = "changeme-final-snapshot"
37 | skip_final_snapshot = true # change to false if you want to keep snapshot after deleting the instance
38 | }
Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
FAILED for resource: aws_db_instance.changeme_aws_db_instance_prod
File: /aws/aws_db_instance/restore_db_from_snapshot/main.tf:27-38
27 | resource "aws_db_instance" "changeme_aws_db_instance_prod" {
28 | allocated_storage = 10
29 | engine = "mysql"
30 | engine_version = "5.7"
31 | instance_class = "db.t2.micro"
32 | name = "changeme_db_prod"
33 | identifier = "changeme-db-identifier"
34 | username = "changeme_username_prod"
35 | password = "changeme_password_prod"
36 | final_snapshot_identifier = "changeme-final-snapshot"
37 | skip_final_snapshot = true # change to false if you want to keep snapshot after deleting the instance
38 | }
Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
FAILED for resource: aws_db_instance.changeme_aws_db_instance_prod
File: /aws/aws_db_instance/restore_db_from_snapshot/main.tf:27-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-4.html
27 | resource "aws_db_instance" "changeme_aws_db_instance_prod" {
28 | allocated_storage = 10
29 | engine = "mysql"
30 | engine_version = "5.7"
31 | instance_class = "db.t2.micro"
32 | name = "changeme_db_prod"
33 | identifier = "changeme-db-identifier"
34 | username = "changeme_username_prod"
35 | password = "changeme_password_prod"
36 | final_snapshot_identifier = "changeme-final-snapshot"
37 | skip_final_snapshot = true # change to false if you want to keep snapshot after deleting the instance
38 | }
Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
FAILED for resource: aws_db_instance.changeme_aws_db_instance_prod
File: /aws/aws_db_instance/restore_db_from_snapshot/main.tf:27-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-73.html
27 | resource "aws_db_instance" "changeme_aws_db_instance_prod" {
28 | allocated_storage = 10
29 | engine = "mysql"
30 | engine_version = "5.7"
31 | instance_class = "db.t2.micro"
32 | name = "changeme_db_prod"
33 | identifier = "changeme-db-identifier"
34 | username = "changeme_username_prod"
35 | password = "changeme_password_prod"
36 | final_snapshot_identifier = "changeme-final-snapshot"
37 | skip_final_snapshot = true # change to false if you want to keep snapshot after deleting the instance
38 | }
Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
FAILED for resource: aws_db_instance.changeme_db_dev
File: /aws/aws_db_instance/restore_db_from_snapshot/main.tf:69-78
69 | resource "aws_db_instance" "changeme_db_dev" {
70 | instance_class = "db.t2.micro"
71 | identifier = "changeme-db-from-backup"
72 | snapshot_identifier = data.aws_db_snapshot.changeme_latest_prod_snapshot.id
73 | skip_final_snapshot = true
74 |
75 | lifecycle {
76 | ignore_changes = [snapshot_identifier]
77 | }
78 | }
Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
FAILED for resource: aws_db_instance.changeme_db_dev
File: /aws/aws_db_instance/restore_db_from_snapshot/main.tf:69-78
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled.html
69 | resource "aws_db_instance" "changeme_db_dev" {
70 | instance_class = "db.t2.micro"
71 | identifier = "changeme-db-from-backup"
72 | snapshot_identifier = data.aws_db_snapshot.changeme_latest_prod_snapshot.id
73 | skip_final_snapshot = true
74 |
75 | lifecycle {
76 | ignore_changes = [snapshot_identifier]
77 | }
78 | }
Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
FAILED for resource: aws_db_instance.changeme_db_dev
File: /aws/aws_db_instance/restore_db_from_snapshot/main.tf:69-78
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically.html
69 | resource "aws_db_instance" "changeme_db_dev" {
70 | instance_class = "db.t2.micro"
71 | identifier = "changeme-db-from-backup"
72 | snapshot_identifier = data.aws_db_snapshot.changeme_latest_prod_snapshot.id
73 | skip_final_snapshot = true
74 |
75 | lifecycle {
76 | ignore_changes = [snapshot_identifier]
77 | }
78 | }
Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
FAILED for resource: aws_db_instance.changeme_db_dev
File: /aws/aws_db_instance/restore_db_from_snapshot/main.tf:69-78
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances.html
69 | resource "aws_db_instance" "changeme_db_dev" {
70 | instance_class = "db.t2.micro"
71 | identifier = "changeme-db-from-backup"
72 | snapshot_identifier = data.aws_db_snapshot.changeme_latest_prod_snapshot.id
73 | skip_final_snapshot = true
74 |
75 | lifecycle {
76 | ignore_changes = [snapshot_identifier]
77 | }
78 | }
Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
FAILED for resource: aws_db_instance.changeme_db_dev
File: /aws/aws_db_instance/restore_db_from_snapshot/main.tf:69-78
69 | resource "aws_db_instance" "changeme_db_dev" {
70 | instance_class = "db.t2.micro"
71 | identifier = "changeme-db-from-backup"
72 | snapshot_identifier = data.aws_db_snapshot.changeme_latest_prod_snapshot.id
73 | skip_final_snapshot = true
74 |
75 | lifecycle {
76 | ignore_changes = [snapshot_identifier]
77 | }
78 | }
Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
FAILED for resource: aws_db_instance.changeme_db_dev
File: /aws/aws_db_instance/restore_db_from_snapshot/main.tf:69-78
69 | resource "aws_db_instance" "changeme_db_dev" {
70 | instance_class = "db.t2.micro"
71 | identifier = "changeme-db-from-backup"
72 | snapshot_identifier = data.aws_db_snapshot.changeme_latest_prod_snapshot.id
73 | skip_final_snapshot = true
74 |
75 | lifecycle {
76 | ignore_changes = [snapshot_identifier]
77 | }
78 | }
Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
FAILED for resource: aws_db_instance.changeme_db_dev
File: /aws/aws_db_instance/restore_db_from_snapshot/main.tf:69-78
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-4.html
69 | resource "aws_db_instance" "changeme_db_dev" {
70 | instance_class = "db.t2.micro"
71 | identifier = "changeme-db-from-backup"
72 | snapshot_identifier = data.aws_db_snapshot.changeme_latest_prod_snapshot.id
73 | skip_final_snapshot = true
74 |
75 | lifecycle {
76 | ignore_changes = [snapshot_identifier]
77 | }
78 | }
Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
FAILED for resource: aws_db_instance.changeme_db_dev
File: /aws/aws_db_instance/restore_db_from_snapshot/main.tf:69-78
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-73.html
69 | resource "aws_db_instance" "changeme_db_dev" {
70 | instance_class = "db.t2.micro"
71 | identifier = "changeme-db-from-backup"
72 | snapshot_identifier = data.aws_db_snapshot.changeme_latest_prod_snapshot.id
73 | skip_final_snapshot = true
74 |
75 | lifecycle {
76 | ignore_changes = [snapshot_identifier]
77 | }
78 | }
Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
FAILED for resource: aws_db_instance.changeme_simple_aws_db_instance
File: /aws/aws_db_instance/simple/main.tf:27-36
27 | resource "aws_db_instance" "changeme_simple_aws_db_instance" {
28 | allocated_storage = 5
29 | engine = "mysql"
30 | engine_version = "5.7"
31 | instance_class = "db.t3.micro"
32 | name = "changeme_simple_aws_db_instance"
33 | username = "changemeusername"
34 | password = "changeme_password"
35 | skip_final_snapshot = true
36 | }
Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
FAILED for resource: aws_db_instance.changeme_simple_aws_db_instance
File: /aws/aws_db_instance/simple/main.tf:27-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled.html
27 | resource "aws_db_instance" "changeme_simple_aws_db_instance" {
28 | allocated_storage = 5
29 | engine = "mysql"
30 | engine_version = "5.7"
31 | instance_class = "db.t3.micro"
32 | name = "changeme_simple_aws_db_instance"
33 | username = "changemeusername"
34 | password = "changeme_password"
35 | skip_final_snapshot = true
36 | }
Check: CKV_AWS_161: "Ensure RDS database has IAM authentication enabled"
FAILED for resource: aws_db_instance.changeme_simple_aws_db_instance
File: /aws/aws_db_instance/simple/main.tf:27-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-rds-database-has-iam-authentication-enabled.html
27 | resource "aws_db_instance" "changeme_simple_aws_db_instance" {
28 | allocated_storage = 5
29 | engine = "mysql"
30 | engine_version = "5.7"
31 | instance_class = "db.t3.micro"
32 | name = "changeme_simple_aws_db_instance"
33 | username = "changemeusername"
34 | password = "changeme_password"
35 | skip_final_snapshot = true
36 | }
Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
FAILED for resource: aws_db_instance.changeme_simple_aws_db_instance
File: /aws/aws_db_instance/simple/main.tf:27-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically.html
27 | resource "aws_db_instance" "changeme_simple_aws_db_instance" {
28 | allocated_storage = 5
29 | engine = "mysql"
30 | engine_version = "5.7"
31 | instance_class = "db.t3.micro"
32 | name = "changeme_simple_aws_db_instance"
33 | username = "changemeusername"
34 | password = "changeme_password"
35 | skip_final_snapshot = true
36 | }
Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
FAILED for resource: aws_db_instance.changeme_simple_aws_db_instance
File: /aws/aws_db_instance/simple/main.tf:27-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances.html
27 | resource "aws_db_instance" "changeme_simple_aws_db_instance" {
28 | allocated_storage = 5
29 | engine = "mysql"
30 | engine_version = "5.7"
31 | instance_class = "db.t3.micro"
32 | name = "changeme_simple_aws_db_instance"
33 | username = "changemeusername"
34 | password = "changeme_password"
35 | skip_final_snapshot = true
36 | }
Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
FAILED for resource: aws_db_instance.changeme_simple_aws_db_instance
File: /aws/aws_db_instance/simple/main.tf:27-36
27 | resource "aws_db_instance" "changeme_simple_aws_db_instance" {
28 | allocated_storage = 5
29 | engine = "mysql"
30 | engine_version = "5.7"
31 | instance_class = "db.t3.micro"
32 | name = "changeme_simple_aws_db_instance"
33 | username = "changemeusername"
34 | password = "changeme_password"
35 | skip_final_snapshot = true
36 | }
Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
FAILED for resource: aws_db_instance.changeme_simple_aws_db_instance
File: /aws/aws_db_instance/simple/main.tf:27-36
27 | resource "aws_db_instance" "changeme_simple_aws_db_instance" {
28 | allocated_storage = 5
29 | engine = "mysql"
30 | engine_version = "5.7"
31 | instance_class = "db.t3.micro"
32 | name = "changeme_simple_aws_db_instance"
33 | username = "changemeusername"
34 | password = "changeme_password"
35 | skip_final_snapshot = true
36 | }
Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
FAILED for resource: aws_db_instance.changeme_simple_aws_db_instance
File: /aws/aws_db_instance/simple/main.tf:27-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-4.html
27 | resource "aws_db_instance" "changeme_simple_aws_db_instance" {
28 | allocated_storage = 5
29 | engine = "mysql"
30 | engine_version = "5.7"
31 | instance_class = "db.t3.micro"
32 | name = "changeme_simple_aws_db_instance"
33 | username = "changemeusername"
34 | password = "changeme_password"
35 | skip_final_snapshot = true
36 | }
Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
FAILED for resource: aws_db_instance.changeme_simple_aws_db_instance
File: /aws/aws_db_instance/simple/main.tf:27-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-73.html
27 | resource "aws_db_instance" "changeme_simple_aws_db_instance" {
28 | allocated_storage = 5
29 | engine = "mysql"
30 | engine_version = "5.7"
31 | instance_class = "db.t3.micro"
32 | name = "changeme_simple_aws_db_instance"
33 | username = "changemeusername"
34 | password = "changeme_password"
35 | skip_final_snapshot = true
36 | }
Check: CKV_AWS_360: "Ensure DocDB has an adequate backup retention period"
FAILED for resource: aws_docdb_cluster.changeme_aws_docdb_cluster_instance
File: /aws/aws_docdb_cluster/simple/main.tf:54-63
54 | resource "aws_docdb_cluster" "changeme_aws_docdb_cluster_instance" {
55 | # The login credentials are stored as plain-text in the state files
56 | # https://www.terraform.io/docs/language/state/sensitive-data.html
57 | # For security, use a secrets manager
58 | # https://registry.terraform.io/modules/yurymkomarov/rds-aurora-cluster/aws/latest#secretsmanager_secret
59 | cluster_identifier = "changeme-aws-docdb-cluster"
60 | master_username = var.changeme_aws_docdb_cluster_username
61 | master_password = var.changeme_aws_docdb_cluster_password
62 | skip_final_snapshot = true
63 | }
Check: CKV_AWS_182: "Ensure Doc DB is encrypted by KMS using a customer managed Key (CMK)"
FAILED for resource: aws_docdb_cluster.changeme_aws_docdb_cluster_instance
File: /aws/aws_docdb_cluster/simple/main.tf:54-63
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-102.html
54 | resource "aws_docdb_cluster" "changeme_aws_docdb_cluster_instance" {
55 | # The login credentials are stored as plain-text in the state files
56 | # https://www.terraform.io/docs/language/state/sensitive-data.html
57 | # For security, use a secrets manager
58 | # https://registry.terraform.io/modules/yurymkomarov/rds-aurora-cluster/aws/latest#secretsmanager_secret
59 | cluster_identifier = "changeme-aws-docdb-cluster"
60 | master_username = var.changeme_aws_docdb_cluster_username
61 | master_password = var.changeme_aws_docdb_cluster_password
62 | skip_final_snapshot = true
63 | }
Check: CKV_AWS_74: "Ensure DocDB is encrypted at rest (default is unencrypted)"
FAILED for resource: aws_docdb_cluster.changeme_aws_docdb_cluster_instance
File: /aws/aws_docdb_cluster/simple/main.tf:54-63
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-28.html
54 | resource "aws_docdb_cluster" "changeme_aws_docdb_cluster_instance" {
55 | # The login credentials are stored as plain-text in the state files
56 | # https://www.terraform.io/docs/language/state/sensitive-data.html
57 | # For security, use a secrets manager
58 | # https://registry.terraform.io/modules/yurymkomarov/rds-aurora-cluster/aws/latest#secretsmanager_secret
59 | cluster_identifier = "changeme-aws-docdb-cluster"
60 | master_username = var.changeme_aws_docdb_cluster_username
61 | master_password = var.changeme_aws_docdb_cluster_password
62 | skip_final_snapshot = true
63 | }
Check: CKV_AWS_85: "Ensure DocDB Logging is enabled"
FAILED for resource: aws_docdb_cluster.changeme_aws_docdb_cluster_instance
File: /aws/aws_docdb_cluster/simple/main.tf:54-63
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-19.html
54 | resource "aws_docdb_cluster" "changeme_aws_docdb_cluster_instance" {
55 | # The login credentials are stored as plain-text in the state files
56 | # https://www.terraform.io/docs/language/state/sensitive-data.html
57 | # For security, use a secrets manager
58 | # https://registry.terraform.io/modules/yurymkomarov/rds-aurora-cluster/aws/latest#secretsmanager_secret
59 | cluster_identifier = "changeme-aws-docdb-cluster"
60 | master_username = var.changeme_aws_docdb_cluster_username
61 | master_password = var.changeme_aws_docdb_cluster_password
62 | skip_final_snapshot = true
63 | }
Check: CKV_AWS_119: "Ensure DynamoDB Tables are encrypted using a KMS Customer Managed CMK"
FAILED for resource: aws_dynamodb_table.changeme_aws_dynamodb_table
File: /aws/aws_dynamodb_table/simple/main.tf:32-42
Guide: https://docs.bridgecrew.io/docs/ensure-that-dynamodb-tables-are-encrypted
32 | resource "aws_dynamodb_table" "changeme_aws_dynamodb_table" {
33 | name = "changeme_table_name" # Explanation: the table's name, which needs to be unique to a region
34 | read_capacity = 10 # Explanation: the number of read units for the table
35 | write_capacity = 10 # Explanation: the number of write units for the table
36 | hash_key = var.changeme_hash_key
37 |
38 | attribute {
39 | name = var.changeme_hash_key # Explanation: the attribute must be of type [S]tring, [N]umber, or [B]inary
40 | type = "S"
41 | }
42 | }
Check: CKV_AWS_28: "Ensure Dynamodb point in time recovery (backup) is enabled"
FAILED for resource: aws_dynamodb_table.changeme_aws_dynamodb_table
File: /aws/aws_dynamodb_table/simple/main.tf:32-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-6.html
32 | resource "aws_dynamodb_table" "changeme_aws_dynamodb_table" {
33 | name = "changeme_table_name" # Explanation: the table's name, which needs to be unique to a region
34 | read_capacity = 10 # Explanation: the number of read units for the table
35 | write_capacity = 10 # Explanation: the number of write units for the table
36 | hash_key = var.changeme_hash_key
37 |
38 | attribute {
39 | name = var.changeme_hash_key # Explanation: the attribute must be of type [S]tring, [N]umber, or [B]inary
40 | type = "S"
41 | }
42 | }
Check: CKV_AWS_119: "Ensure DynamoDB Tables are encrypted using a KMS Customer Managed CMK"
FAILED for resource: aws_dynamodb_table.changeme_aws_dynamodb_table_resource
File: /aws/aws_dynamodb_table_item/simple/main.tf:45-55
Guide: https://docs.bridgecrew.io/docs/ensure-that-dynamodb-tables-are-encrypted
45 | resource "aws_dynamodb_table" "changeme_aws_dynamodb_table_resource" {
46 | name = "changeme_dynamodb_table_name" # Explanation: the table's name, which needs to be unique to a region
47 | read_capacity = 10 # Explanation: the number of read units for the table
48 | write_capacity = 10 # Explanation: the number of write units for the table
49 | hash_key = var.changeme_item_hash_key
50 |
51 | attribute {
52 | name = var.changeme_item_hash_key # Explanation: the attribute must be of type [S]tring, [N]umber, or [B]inary
53 | type = "S"
54 | }
55 | }
Check: CKV_AWS_28: "Ensure Dynamodb point in time recovery (backup) is enabled"
FAILED for resource: aws_dynamodb_table.changeme_aws_dynamodb_table_resource
File: /aws/aws_dynamodb_table_item/simple/main.tf:45-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-6.html
45 | resource "aws_dynamodb_table" "changeme_aws_dynamodb_table_resource" {
46 | name = "changeme_dynamodb_table_name" # Explanation: the table's name, which needs to be unique to a region
47 | read_capacity = 10 # Explanation: the number of read units for the table
48 | write_capacity = 10 # Explanation: the number of write units for the table
49 | hash_key = var.changeme_item_hash_key
50 |
51 | attribute {
52 | name = var.changeme_item_hash_key # Explanation: the attribute must be of type [S]tring, [N]umber, or [B]inary
53 | type = "S"
54 | }
55 | }
Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
FAILED for resource: aws_ebs_volume.changeme_ebs_volume_snapshot
File: /aws/aws_ebs_volume/ebs_snapshot/main.tf:33-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-109.html
33 | resource "aws_ebs_volume" "changeme_ebs_volume_snapshot" {
34 | availability_zone = data.aws_availability_zones.changeme_az_list_ebs_snapshot.names[0]
35 | size = 10
36 | type = "standard"
37 | encrypted = false
38 | tags = {
39 | Name = "changeme_ebs_volume_tag"
40 | }
41 | }
Check: CKV_AWS_3: "Ensure all data stored in the EBS is securely encrypted"
FAILED for resource: aws_ebs_volume.changeme_ebs_volume_snapshot
File: /aws/aws_ebs_volume/ebs_snapshot/main.tf:33-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-3-encrypt-ebs-volume.html
33 | resource "aws_ebs_volume" "changeme_ebs_volume_snapshot" {
34 | availability_zone = data.aws_availability_zones.changeme_az_list_ebs_snapshot.names[0]
35 | size = 10
36 | type = "standard"
37 | encrypted = false
38 | tags = {
39 | Name = "changeme_ebs_volume_tag"
40 | }
41 | }
Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
FAILED for resource: aws_ebs_volume.changeme_simple_aws_ebs_volume
File: /aws/aws_ebs_volume/simple/main.tf:32-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-109.html
32 | resource "aws_ebs_volume" "changeme_simple_aws_ebs_volume" {
33 | availability_zone = data.aws_availability_zones.changeme_available_az_list.names[0]
34 | size = 10
35 | type = "standard"
36 | encrypted = false
37 | tags = {
38 | Name = "changeme_ebs_volume_tag"
39 | }
40 | }
Check: CKV_AWS_3: "Ensure all data stored in the EBS is securely encrypted"
FAILED for resource: aws_ebs_volume.changeme_simple_aws_ebs_volume
File: /aws/aws_ebs_volume/simple/main.tf:32-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-3-encrypt-ebs-volume.html
32 | resource "aws_ebs_volume" "changeme_simple_aws_ebs_volume" {
33 | availability_zone = data.aws_availability_zones.changeme_available_az_list.names[0]
34 | size = 10
35 | type = "standard"
36 | encrypted = false
37 | tags = {
38 | Name = "changeme_ebs_volume_tag"
39 | }
40 | }
Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
FAILED for resource: aws_ebs_volume.changeme_aws_ebs_volume
File: /aws/aws_ebs_volume/volume_attachment/main.tf:42-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-109.html
42 | resource "aws_ebs_volume" "changeme_aws_ebs_volume" {
43 | availability_zone = data.aws_availability_zones.changeme_az_list.names[0]
44 | size = 5
45 | type = "standard"
46 | encrypted = false
47 | tags = {
48 | Name = "changeme_ebs_volume_tag"
49 | }
50 | }
Check: CKV_AWS_3: "Ensure all data stored in the EBS is securely encrypted"
FAILED for resource: aws_ebs_volume.changeme_aws_ebs_volume
File: /aws/aws_ebs_volume/volume_attachment/main.tf:42-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-3-encrypt-ebs-volume.html
42 | resource "aws_ebs_volume" "changeme_aws_ebs_volume" {
43 | availability_zone = data.aws_availability_zones.changeme_az_list.names[0]
44 | size = 5
45 | type = "standard"
46 | encrypted = false
47 | tags = {
48 | Name = "changeme_ebs_volume_tag"
49 | }
50 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.changeme_aws_instance
File: /aws/aws_ebs_volume/volume_attachment/main.tf:55-68
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
55 | resource "aws_instance" "changeme_aws_instance" {
56 | instance_type = "t2.micro"
57 |
58 | # Explanation: AMI IDs are region-specific. This AMI ID is specific to the `us-east-1` region. If you use a different region, you will need to change this ID.
59 | ami = "ami-0c2b8ca1dad447f8a" # us-east-1 / Amazon Linux
60 | availability_zone = data.aws_availability_zones.changeme_az_list.names[0]
61 | tags = {
62 | Name = "changeme_aws_instance_tag"
63 | }
64 | user_data = <<-EOF
65 | #!/bin/bash
66 | echo "Hello_Example!"
67 | EOF
68 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.changeme_aws_instance
File: /aws/aws_ebs_volume/volume_attachment/main.tf:55-68
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
55 | resource "aws_instance" "changeme_aws_instance" {
56 | instance_type = "t2.micro"
57 |
58 | # Explanation: AMI IDs are region-specific. This AMI ID is specific to the `us-east-1` region. If you use a different region, you will need to change this ID.
59 | ami = "ami-0c2b8ca1dad447f8a" # us-east-1 / Amazon Linux
60 | availability_zone = data.aws_availability_zones.changeme_az_list.names[0]
61 | tags = {
62 | Name = "changeme_aws_instance_tag"
63 | }
64 | user_data = <<-EOF
65 | #!/bin/bash
66 | echo "Hello_Example!"
67 | EOF
68 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.changeme_aws_instance
File: /aws/aws_ebs_volume/volume_attachment/main.tf:55-68
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
55 | resource "aws_instance" "changeme_aws_instance" {
56 | instance_type = "t2.micro"
57 |
58 | # Explanation: AMI IDs are region-specific. This AMI ID is specific to the `us-east-1` region. If you use a different region, you will need to change this ID.
59 | ami = "ami-0c2b8ca1dad447f8a" # us-east-1 / Amazon Linux
60 | availability_zone = data.aws_availability_zones.changeme_az_list.names[0]
61 | tags = {
62 | Name = "changeme_aws_instance_tag"
63 | }
64 | user_data = <<-EOF
65 | #!/bin/bash
66 | echo "Hello_Example!"
67 | EOF
68 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.changeme_aws_instance
File: /aws/aws_ebs_volume/volume_attachment/main.tf:55-68
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
55 | resource "aws_instance" "changeme_aws_instance" {
56 | instance_type = "t2.micro"
57 |
58 | # Explanation: AMI IDs are region-specific. This AMI ID is specific to the `us-east-1` region. If you use a different region, you will need to change this ID.
59 | ami = "ami-0c2b8ca1dad447f8a" # us-east-1 / Amazon Linux
60 | availability_zone = data.aws_availability_zones.changeme_az_list.names[0]
61 | tags = {
62 | Name = "changeme_aws_instance_tag"
63 | }
64 | user_data = <<-EOF
65 | #!/bin/bash
66 | echo "Hello_Example!"
67 | EOF
68 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.changeme_spot_and_fargate_subnet_public[0]
File: /aws/aws_eks/fargate/spot_and_fargate/main.tf:141-147
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
141 | resource "aws_subnet" "changeme_spot_and_fargate_subnet_public" {
142 | vpc_id = aws_vpc.changeme_spot_and_fargate_vpc.id
143 | cidr_block = element(var.changeme_spot_and_fargate_public_subnets, count.index)
144 | availability_zone = element(var.changeme_spot_and_fargate_availability_zones, count.index)
145 | count = length(var.changeme_spot_and_fargate_public_subnets)
146 | map_public_ip_on_launch = true
147 | }
Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
FAILED for resource: aws_eks_cluster.changeme_spot_and_fargate_eks_cluster
File: /aws/aws_eks/fargate/spot_and_fargate/main.tf:232-248
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
232 | resource "aws_eks_cluster" "changeme_spot_and_fargate_eks_cluster" {
233 | name = "${var.changeme_spot_and_fargate_name}-${var.changeme_spot_and_fargate_environment}"
234 | role_arn = aws_iam_role.changeme_spot_and_fargate_iam_role_cluster.arn
235 |
236 | vpc_config {
237 | subnet_ids = concat(aws_subnet.changeme_spot_and_fargate_subnet_public.*.id, aws_subnet.changeme_spot_and_fargate_subnet_private.*.id)
238 | }
239 |
240 | timeouts {
241 | delete = "30m"
242 | }
243 |
244 | depends_on = [
245 | aws_iam_role_policy_attachment.changeme_spot_and_fargate_AmazonEKSClusterPolicy,
246 | aws_iam_role_policy_attachment.changeme_spot_and_fargate_AmazonEKSServicePolicy
247 | ]
248 | }
Check: CKV_AWS_37: "Ensure Amazon EKS control plane logging enabled for all log types"
FAILED for resource: aws_eks_cluster.changeme_spot_and_fargate_eks_cluster
File: /aws/aws_eks/fargate/spot_and_fargate/main.tf:232-248
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-4.html
232 | resource "aws_eks_cluster" "changeme_spot_and_fargate_eks_cluster" {
233 | name = "${var.changeme_spot_and_fargate_name}-${var.changeme_spot_and_fargate_environment}"
234 | role_arn = aws_iam_role.changeme_spot_and_fargate_iam_role_cluster.arn
235 |
236 | vpc_config {
237 | subnet_ids = concat(aws_subnet.changeme_spot_and_fargate_subnet_public.*.id, aws_subnet.changeme_spot_and_fargate_subnet_private.*.id)
238 | }
239 |
240 | timeouts {
241 | delete = "30m"
242 | }
243 |
244 | depends_on = [
245 | aws_iam_role_policy_attachment.changeme_spot_and_fargate_AmazonEKSClusterPolicy,
246 | aws_iam_role_policy_attachment.changeme_spot_and_fargate_AmazonEKSServicePolicy
247 | ]
248 | }
Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
FAILED for resource: aws_eks_cluster.changeme_spot_and_fargate_eks_cluster
File: /aws/aws_eks/fargate/spot_and_fargate/main.tf:232-248
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
232 | resource "aws_eks_cluster" "changeme_spot_and_fargate_eks_cluster" {
233 | name = "${var.changeme_spot_and_fargate_name}-${var.changeme_spot_and_fargate_environment}"
234 | role_arn = aws_iam_role.changeme_spot_and_fargate_iam_role_cluster.arn
235 |
236 | vpc_config {
237 | subnet_ids = concat(aws_subnet.changeme_spot_and_fargate_subnet_public.*.id, aws_subnet.changeme_spot_and_fargate_subnet_private.*.id)
238 | }
239 |
240 | timeouts {
241 | delete = "30m"
242 | }
243 |
244 | depends_on = [
245 | aws_iam_role_policy_attachment.changeme_spot_and_fargate_AmazonEKSClusterPolicy,
246 | aws_iam_role_policy_attachment.changeme_spot_and_fargate_AmazonEKSServicePolicy
247 | ]
248 | }
Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
FAILED for resource: aws_eks_cluster.changeme_spot_and_fargate_eks_cluster
File: /aws/aws_eks/fargate/spot_and_fargate/main.tf:232-248
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
232 | resource "aws_eks_cluster" "changeme_spot_and_fargate_eks_cluster" {
233 | name = "${var.changeme_spot_and_fargate_name}-${var.changeme_spot_and_fargate_environment}"
234 | role_arn = aws_iam_role.changeme_spot_and_fargate_iam_role_cluster.arn
235 |
236 | vpc_config {
237 | subnet_ids = concat(aws_subnet.changeme_spot_and_fargate_subnet_public.*.id, aws_subnet.changeme_spot_and_fargate_subnet_private.*.id)
238 | }
239 |
240 | timeouts {
241 | delete = "30m"
242 | }
243 |
244 | depends_on = [
245 | aws_iam_role_policy_attachment.changeme_spot_and_fargate_AmazonEKSClusterPolicy,
246 | aws_iam_role_policy_attachment.changeme_spot_and_fargate_AmazonEKSServicePolicy
247 | ]
248 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.changeme_spot_and_fargate_subnet_public[1]
File: /aws/aws_eks/fargate/spot_and_fargate/main.tf:141-147
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
141 | resource "aws_subnet" "changeme_spot_and_fargate_subnet_public" {
142 | vpc_id = aws_vpc.changeme_spot_and_fargate_vpc.id
143 | cidr_block = element(var.changeme_spot_and_fargate_public_subnets, count.index)
144 | availability_zone = element(var.changeme_spot_and_fargate_availability_zones, count.index)
145 | count = length(var.changeme_spot_and_fargate_public_subnets)
146 | map_public_ip_on_launch = true
147 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.changeme_spot_and_fargate_subnet_public[2]
File: /aws/aws_eks/fargate/spot_and_fargate/main.tf:141-147
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
141 | resource "aws_subnet" "changeme_spot_and_fargate_subnet_public" {
142 | vpc_id = aws_vpc.changeme_spot_and_fargate_vpc.id
143 | cidr_block = element(var.changeme_spot_and_fargate_public_subnets, count.index)
144 | availability_zone = element(var.changeme_spot_and_fargate_availability_zones, count.index)
145 | count = length(var.changeme_spot_and_fargate_public_subnets)
146 | map_public_ip_on_launch = true
147 | }
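The subnet block above is flagged by CKV_AWS_130 because map_public_ip_on_launch = true hands a public IPv4 address to every ENI created in it, including EKS worker nodes or any instance an operator later launches there. The following is an added example, not code from the terraform-examples repository: the variable names, the NAT gateway and the EKS tag are assumptions, and the CIDR list is constructed. The subnet keeps its public route table for load balancers and NAT, but nothing launched in it is reachable until given an address on purpose.

```hcl
variable "vpc_id"             { type = string }
variable "public_subnets"     { type = list(string) }   # constructed, e.g. ["10.0.0.0/24", "10.0.1.0/24"]
variable "availability_zones" { type = list(string) }

resource "aws_subnet" "public" {
  count             = length(var.public_subnets)
  vpc_id            = var.vpc_id
  cidr_block        = var.public_subnets[count.index]
  availability_zone = var.availability_zones[count.index]

  # false is the AWS default; stating it keeps the intent visible in review
  # and satisfies CKV_AWS_130 even if a wrapping module changes its defaults
  map_public_ip_on_launch = false

  tags = {
    Name                     = "public-${var.availability_zones[count.index]}"
    "kubernetes.io/role/elb" = "1"   # EKS places internet-facing load balancers by this tag
  }
}

# Anything that must be reachable from the internet gets its address explicitly,
# here the NAT gateway that private-subnet nodes (and Fargate pods) egress through.
# Requires AWS provider 5.x for the `domain` argument.
resource "aws_eip" "nat" {
  domain = "vpc"
}

resource "aws_nat_gateway" "this" {
  allocation_id = aws_eip.nat.id
  subnet_id     = aws_subnet.public[0].id
}
```

Two points worth keeping in mind for this particular repo layout: EKS Fargate profiles only accept private subnets, so the pods never needed the public-IP behaviour in the first place, and an instance that genuinely needs a public address should set associate_public_ip_address = true on its own network interface rather than inheriting it from the subnet.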
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.changeme_alb_aws_security_group
File: /aws/aws_elb/application_elb/main.tf:35-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
35 | resource "aws_security_group" "changeme_alb_aws_security_group" {
36 | name = "changeme-simple-alb-security-group"
37 | description = "Allow HTTP 80 inbound traffic"
38 | ingress {
39 | from_port = 80
40 | to_port = 80
41 | protocol = "tcp"
42 | cidr_blocks = ["0.0.0.0/0"]
43 | }
44 |
45 | egress {
46 | from_port = 0
47 | to_port = 0
48 | protocol = "-1"
49 | cidr_blocks = ["0.0.0.0/0"]
50 | }
51 | }
Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
FAILED for resource: aws_security_group.changeme_alb_aws_security_group
File: /aws/aws_elb/application_elb/main.tf:35-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
35 | resource "aws_security_group" "changeme_alb_aws_security_group" {
36 | name = "changeme-simple-alb-security-group"
37 | description = "Allow HTTP 80 inbound traffic"
38 | ingress {
39 | from_port = 80
40 | to_port = 80
41 | protocol = "tcp"
42 | cidr_blocks = ["0.0.0.0/0"]
43 | }
44 |
45 | egress {
46 | from_port = 0
47 | to_port = 0
48 | protocol = "-1"
49 | cidr_blocks = ["0.0.0.0/0"]
50 | }
51 | }
Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
FAILED for resource: aws_lb_target_group.changeme_simple_alb_target_group
File: /aws/aws_elb/application_elb/main.tf:54-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks.html
54 | resource "aws_lb_target_group" "changeme_simple_alb_target_group" {
55 | name = "changeme-simple-alb-target-group"
56 | port = 80
57 | protocol = "HTTP"
58 | vpc_id = data.aws_vpc.changeme_default_aws_vpc_alb.id
59 |
60 | health_check {
61 | healthy_threshold = 3
62 | unhealthy_threshold = 2
63 | interval = 5
64 | timeout = 2
65 | matcher = "200"
66 | }
67 | }
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
FAILED for resource: aws_lb.changeme_simple_aws_alb
File: /aws/aws_elb/application_elb/main.tf:70-76
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers.html
70 | resource "aws_lb" "changeme_simple_aws_alb" {
71 | name = "changeme-simple-alb"
72 | internal = false
73 | load_balancer_type = "application"
74 | subnets = data.aws_subnet_ids.changeme_aws_subnet_ids_alb.ids
75 | security_groups = [aws_security_group.changeme_alb_aws_security_group.id]
76 | }
Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
FAILED for resource: aws_lb.changeme_simple_aws_alb
File: /aws/aws_elb/application_elb/main.tf:70-76
Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62
70 | resource "aws_lb" "changeme_simple_aws_alb" {
71 | name = "changeme-simple-alb"
72 | internal = false
73 | load_balancer_type = "application"
74 | subnets = data.aws_subnet_ids.changeme_aws_subnet_ids_alb.ids
75 | security_groups = [aws_security_group.changeme_alb_aws_security_group.id]
76 | }
Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
FAILED for resource: aws_lb.changeme_simple_aws_alb
File: /aws/aws_elb/application_elb/main.tf:70-76
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22.html
70 | resource "aws_lb" "changeme_simple_aws_alb" {
71 | name = "changeme-simple-alb"
72 | internal = false
73 | load_balancer_type = "application"
74 | subnets = data.aws_subnet_ids.changeme_aws_subnet_ids_alb.ids
75 | security_groups = [aws_security_group.changeme_alb_aws_security_group.id]
76 | }
Check: CKV_AWS_2: "Ensure ALB protocol is HTTPS"
FAILED for resource: aws_lb_listener.changeme_simple_alb_listener
File: /aws/aws_elb/application_elb/main.tf:79-88
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-29.html
79 | resource "aws_lb_listener" "changeme_simple_alb_listener" {
80 | load_balancer_arn = aws_lb.changeme_simple_aws_alb.arn
81 | port = "80"
82 | protocol = "HTTP"
83 |
84 | default_action {
85 | type = "forward"
86 | target_group_arn = aws_lb_target_group.changeme_simple_alb_target_group.arn
87 | }
88 | }
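The ALB findings above (CKV_AWS_23, CKV_AWS_260, CKV_AWS_261, CKV_AWS_131, CKV_AWS_150, CKV_AWS_91, CKV_AWS_2) all come from the same four resources in aws/aws_elb/application_elb/main.tf, so one hardened version addresses them together. This is an added example, not the repository's code: the variables, the ACM certificate lookup, the log bucket, the /healthz path and the target security group are assumptions. The listener terminates TLS with an ACM certificate, the security group admits only 443 and egresses only to the targets, and the load balancer drops malformed headers, logs to S3 and cannot be deleted by accident.

```hcl
variable "vpc_id"             { type = string }
variable "public_subnet_ids"  { type = list(string) }
variable "target_sg_id"       { type = string }   # security group of the web instances
variable "certificate_domain" { type = string }   # certificate already issued in ACM, e.g. "app.example.com"
variable "alb_log_bucket"     { type = string }   # bucket policy must let the regional ELB log-delivery principal PutObject

data "aws_acm_certificate" "alb" {
  domain      = var.certificate_domain
  statuses    = ["ISSUED"]
  most_recent = true
}

resource "aws_security_group" "alb" {
  name        = "changeme-simple-alb-security-group"
  description = "ALB: HTTPS from the internet only"
  vpc_id      = var.vpc_id
}

# One rule resource per rule so every rule carries its own description (CKV_AWS_23).
# No port 80 rule at all, which is what CKV_AWS_260 checks for.
resource "aws_vpc_security_group_ingress_rule" "alb_https" {
  security_group_id = aws_security_group.alb.id
  description       = "HTTPS from anywhere"
  ip_protocol       = "tcp"
  from_port         = 443
  to_port           = 443
  cidr_ipv4         = "0.0.0.0/0"
}

# Terraform strips the implicit allow-all egress, so this is the only egress rule
resource "aws_vpc_security_group_egress_rule" "alb_to_web" {
  security_group_id            = aws_security_group.alb.id
  description                  = "To the web instances on 8080 only"
  ip_protocol                  = "tcp"
  from_port                    = 8080
  to_port                      = 8080
  referenced_security_group_id = var.target_sg_id
}

resource "aws_lb" "alb" {
  name                       = "changeme-simple-alb"
  internal                   = false
  load_balancer_type         = "application"
  subnets                    = var.public_subnet_ids
  security_groups            = [aws_security_group.alb.id]
  drop_invalid_header_fields = true   # CKV_AWS_131: drop rather than forward malformed header names
  enable_deletion_protection = true   # CKV_AWS_150

  access_logs {                       # CKV_AWS_91
    bucket  = var.alb_log_bucket
    prefix  = "alb"
    enabled = true
  }
}

resource "aws_lb_target_group" "web" {
  name     = "changeme-simple-alb-target-group"
  port     = 8080
  protocol = "HTTP"
  vpc_id   = var.vpc_id

  # The flagged block has a health_check but neither path nor protocol (CKV_AWS_261)
  health_check {
    path     = "/healthz"
    protocol = "HTTP"
    matcher  = "200"
  }
}

resource "aws_lb_listener" "https" {  # CKV_AWS_2
  load_balancer_arn = aws_lb.alb.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = data.aws_acm_certificate.alb.arn

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.web.arn
  }
}
```

If a plaintext entry point is still wanted for old links, add a port-80 listener whose only default_action is a redirect to HTTPS with status_code HTTP_301; checkov accepts that listener for CKV_AWS_2, but the matching port-80 ingress rule will keep failing CKV_AWS_260, so either live with that or suppress it in place with a #checkov:skip=CKV_AWS_260:<reason> comment inside the rule resource rather than silencing the check globally. The access-log bucket is deliberately an input: the bucket policy that grants the load balancer write access differs between older regions (the regional ELB account from data "aws_elb_service_account") and newer ones (the logdelivery.elasticloadbalancing.amazonaws.com service principal), and logs silently fail to arrive if it is wrong.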
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_launch_template.changeme_simple_asg_launch_template_alb
File: /aws/aws_elb/application_elb/main.tf:102-108
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
102 | resource "aws_launch_template" "changeme_simple_asg_launch_template_alb" {
103 | name = "changeme-simple-asg-launch-template-alb"
104 | image_id = data.aws_ami.changeme_amazon_alb_ami.id #"ami-087c17d1fe0178315"
105 | instance_type = "t2.micro"
106 | vpc_security_group_ids = [aws_security_group.changeme_alb_aws_security_group.id]
107 | user_data = filebase64("${path.module}/user_data.sh")
108 | }
Check: CKV_AWS_153: "Autoscaling groups should supply tags to launch configurations"
FAILED for resource: aws_autoscaling_group.changeme_simple_autoscaling_group_alb
File: /aws/aws_elb/application_elb/main.tf:111-122
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/autoscaling-groups-should-supply-tags-to-launch-configurations.html
111 | resource "aws_autoscaling_group" "changeme_simple_autoscaling_group_alb" {
112 | name = "changeme-simple-autoscaling-group-alb"
113 | availability_zones = ["us-east-1a", "us-east-1b"]
114 | desired_capacity = 2
115 | max_size = 2
116 | min_size = 2
117 | target_group_arns = [aws_lb_target_group.changeme_simple_alb_target_group.arn]
118 |
119 | launch_template {
120 | id = aws_launch_template.changeme_simple_asg_launch_template_alb.id
121 | }
122 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.changeme_aws_security_group
File: /aws/aws_elb/classic_elb/main.tf:25-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
25 | resource "aws_security_group" "changeme_aws_security_group" {
26 | name = "changeme-aws-security-group-classic-elb-name"
27 | description = "Allow HTTP 8080 inbound traffic"
28 | ingress {
29 | from_port = 8080
30 | to_port = 8080
31 | protocol = "tcp"
32 | cidr_blocks = ["0.0.0.0/0"]
33 | }
34 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.changeme_first_aws_instance
File: /aws/aws_elb/classic_elb/main.tf:38-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
38 | resource "aws_instance" "changeme_first_aws_instance" {
39 | ami = "ami-0c55b159cbfafe1f0"
40 | instance_type = "t2.micro"
41 | availability_zone = "us-east-2a"
42 | vpc_security_group_ids = [aws_security_group.changeme_aws_security_group.id]
43 | user_data = <<-EOF
44 | #!/bin/bash
45 | echo "Hello, World from Host1" > index.html
46 | nohup busybox httpd -f -p 8080 &
47 | EOF
48 | tags = {
49 | Name = "changeme_first_aws_instance_tag"
50 | }
51 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.changeme_first_aws_instance
File: /aws/aws_elb/classic_elb/main.tf:38-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
38 | resource "aws_instance" "changeme_first_aws_instance" {
39 | ami = "ami-0c55b159cbfafe1f0"
40 | instance_type = "t2.micro"
41 | availability_zone = "us-east-2a"
42 | vpc_security_group_ids = [aws_security_group.changeme_aws_security_group.id]
43 | user_data = <<-EOF
44 | #!/bin/bash
45 | echo "Hello, World from Host1" > index.html
46 | nohup busybox httpd -f -p 8080 &
47 | EOF
48 | tags = {
49 | Name = "changeme_first_aws_instance_tag"
50 | }
51 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.changeme_first_aws_instance
File: /aws/aws_elb/classic_elb/main.tf:38-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
38 | resource "aws_instance" "changeme_first_aws_instance" {
39 | ami = "ami-0c55b159cbfafe1f0"
40 | instance_type = "t2.micro"
41 | availability_zone = "us-east-2a"
42 | vpc_security_group_ids = [aws_security_group.changeme_aws_security_group.id]
43 | user_data = <<-EOF
44 | #!/bin/bash
45 | echo "Hello, World from Host1" > index.html
46 | nohup busybox httpd -f -p 8080 &
47 | EOF
48 | tags = {
49 | Name = "changeme_first_aws_instance_tag"
50 | }
51 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.changeme_first_aws_instance
File: /aws/aws_elb/classic_elb/main.tf:38-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
38 | resource "aws_instance" "changeme_first_aws_instance" {
39 | ami = "ami-0c55b159cbfafe1f0"
40 | instance_type = "t2.micro"
41 | availability_zone = "us-east-2a"
42 | vpc_security_group_ids = [aws_security_group.changeme_aws_security_group.id]
43 | user_data = <<-EOF
44 | #!/bin/bash
45 | echo "Hello, World from Host1" > index.html
46 | nohup busybox httpd -f -p 8080 &
47 | EOF
48 | tags = {
49 | Name = "changeme_first_aws_instance_tag"
50 | }
51 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.changeme_second_aws_instance
File: /aws/aws_elb/classic_elb/main.tf:55-68
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
55 | resource "aws_instance" "changeme_second_aws_instance" {
56 | ami = "ami-0c55b159cbfafe1f0"
57 | instance_type = "t2.micro"
58 | availability_zone = "us-east-2b"
59 | vpc_security_group_ids = [aws_security_group.changeme_aws_security_group.id]
60 | user_data = <<-EOF
61 | #!/bin/bash
62 | echo "Hello, World from Host2" > index.html
63 | nohup busybox httpd -f -p 8080 &
64 | EOF
65 | tags = {
66 | Name = "changeme_second_aws_instance_tag"
67 | }
68 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.changeme_second_aws_instance
File: /aws/aws_elb/classic_elb/main.tf:55-68
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
55 | resource "aws_instance" "changeme_second_aws_instance" {
56 | ami = "ami-0c55b159cbfafe1f0"
57 | instance_type = "t2.micro"
58 | availability_zone = "us-east-2b"
59 | vpc_security_group_ids = [aws_security_group.changeme_aws_security_group.id]
60 | user_data = <<-EOF
61 | #!/bin/bash
62 | echo "Hello, World from Host2" > index.html
63 | nohup busybox httpd -f -p 8080 &
64 | EOF
65 | tags = {
66 | Name = "changeme_second_aws_instance_tag"
67 | }
68 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.changeme_second_aws_instance
File: /aws/aws_elb/classic_elb/main.tf:55-68
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
55 | resource "aws_instance" "changeme_second_aws_instance" {
56 | ami = "ami-0c55b159cbfafe1f0"
57 | instance_type = "t2.micro"
58 | availability_zone = "us-east-2b"
59 | vpc_security_group_ids = [aws_security_group.changeme_aws_security_group.id]
60 | user_data = <<-EOF
61 | #!/bin/bash
62 | echo "Hello, World from Host2" > index.html
63 | nohup busybox httpd -f -p 8080 &
64 | EOF
65 | tags = {
66 | Name = "changeme_second_aws_instance_tag"
67 | }
68 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.changeme_second_aws_instance
File: /aws/aws_elb/classic_elb/main.tf:55-68
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
55 | resource "aws_instance" "changeme_second_aws_instance" {
56 | ami = "ami-0c55b159cbfafe1f0"
57 | instance_type = "t2.micro"
58 | availability_zone = "us-east-2b"
59 | vpc_security_group_ids = [aws_security_group.changeme_aws_security_group.id]
60 | user_data = <<-EOF
61 | #!/bin/bash
62 | echo "Hello, World from Host2" > index.html
63 | nohup busybox httpd -f -p 8080 &
64 | EOF
65 | tags = {
66 | Name = "changeme_second_aws_instance_tag"
67 | }
68 | }
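The two aws_instance resources in aws/aws_elb/classic_elb/main.tf each fail the same four checks (CKV_AWS_126, CKV_AWS_8, CKV_AWS_79, CKV_AWS_135). The block below is an added example of the first instance with those settings applied, not code from the repository; the AMI and security-group variables are assumptions, and the user_data is a reworked version of the original demo server. The IMDSv2 line is the one with real security weight: with IMDSv1 available, any SSRF or file-read bug in the application on 8080 can fetch instance-role credentials from 169.254.169.254 with a single GET.

```hcl
variable "ami_id"    { type = string }
variable "web_sg_id" { type = string }

resource "aws_instance" "web" {
  ami                    = var.ami_id
  instance_type          = "t3.micro"   # t2 types cannot be EBS-optimized; t3 are, at no extra charge
  availability_zone      = "us-east-2a"
  vpc_security_group_ids = [var.web_sg_id]

  monitoring    = true   # CKV_AWS_126: 1-minute CloudWatch metrics instead of 5-minute
  ebs_optimized = true   # CKV_AWS_135

  root_block_device {
    encrypted   = true   # CKV_AWS_8; account default EBS key unless kms_key_id is set
    volume_type = "gp3"
  }

  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required"   # CKV_AWS_79: IMDSv2 only, a PUT-issued token precedes every GET
    http_put_response_hop_limit = 1            # token cannot be relayed from a container or another hop
  }

  # Same demo as the flagged file, but served by an unprivileged user from its own directory
  user_data = <<-EOF
    #!/bin/bash
    useradd --system --no-create-home web
    install -d -o web -g web /srv/www
    echo "Hello, World from Host1" > /srv/www/index.html
    nohup runuser -u web -- busybox httpd -f -p 8080 -h /srv/www &
  EOF

  tags = {
    Name = "changeme_first_aws_instance_tag"
  }
}
```

The same block with availability_zone = "us-east-2b" and "Host2" in the user_data covers the second instance. Hop limit 1 is the right default for a plain host; raise it to 2 only where containers running on the instance legitimately need the metadata service, because every extra hop is also one more place an attacker can reach it from.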
Check: CKV_AWS_92: "Ensure the ELB has access logging enabled"
FAILED for resource: aws_elb.changeme_simple_aws_elb
File: /aws/aws_elb/classic_elb/main.tf:72-102
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-23.html
72 | resource "aws_elb" "changeme_simple_aws_elb" {
73 | name = "changeme-simple-aws-elb"
74 | availability_zones = ["us-east-2a", "us-east-2b"]
75 |
76 |
77 |
78 | listener {
79 | instance_port = 8080
80 | instance_protocol = "http"
81 | lb_port = 8080
82 | lb_protocol = "http"
83 | }
84 |
85 | health_check {
86 | healthy_threshold = 10
87 | unhealthy_threshold = 2
88 | timeout = 5
89 | target = "HTTP:8080/"
90 | interval = 10
91 | }
92 |
93 | instances = [aws_instance.changeme_first_aws_instance.id, aws_instance.changeme_second_aws_instance.id]
94 | cross_zone_load_balancing = true
95 | idle_timeout = 400
96 | connection_draining = true
97 | connection_draining_timeout = 400
98 |
99 | tags = {
100 | Name = "changeme_simple_aws_elb_tag"
101 | }
102 | }
Check: CKV_AWS_127: "Ensure that Elastic Load Balancer(s) uses SSL certificates provided by AWS Certificate Manager"
FAILED for resource: aws_elb.changeme_simple_aws_elb
File: /aws/aws_elb/classic_elb/main.tf:72-102
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-elastic-load-balancers-uses-ssl-certificates-provided-by-aws-certificate-manager.html
72 | resource "aws_elb" "changeme_simple_aws_elb" {
73 | name = "changeme-simple-aws-elb"
74 | availability_zones = ["us-east-2a", "us-east-2b"]
75 |
76 |
77 |
78 | listener {
79 | instance_port = 8080
80 | instance_protocol = "http"
81 | lb_port = 8080
82 | lb_protocol = "http"
83 | }
84 |
85 | health_check {
86 | healthy_threshold = 10
87 | unhealthy_threshold = 2
88 | timeout = 5
89 | target = "HTTP:8080/"
90 | interval = 10
91 | }
92 |
93 | instances = [aws_instance.changeme_first_aws_instance.id, aws_instance.changeme_second_aws_instance.id]
94 | cross_zone_load_balancing = true
95 | idle_timeout = 400
96 | connection_draining = true
97 | connection_draining_timeout = 400
98 |
99 | tags = {
100 | Name = "changeme_simple_aws_elb_tag"
101 | }
102 | }
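For the classic load balancer flagged by CKV_AWS_92 and CKV_AWS_127 (and its security group at lines 25-34, which fails CKV_AWS_23 for the same missing-description reason as the ALB group), here is an added example, not the repository's code, of the same aws_elb with access logging and an ACM-backed HTTPS listener. The certificate ARN, the log bucket and the instance list are assumed inputs. The second half pins a TLS negotiation policy, which CKV_AWS_127 does not ask for but which matters just as much: a classic ELB HTTPS listener otherwise runs the default ELBSecurityPolicy-2016-08, which still negotiates TLS 1.0 and 1.1.

```hcl
variable "certificate_arn" { type = string }   # ACM certificate; classic ELB takes its ARN as ssl_certificate_id
variable "elb_log_bucket"  { type = string }   # bucket policy must let the regional ELB log-delivery account PutObject
variable "instance_ids"    { type = list(string) }

resource "aws_elb" "web" {
  name               = "changeme-simple-aws-elb"
  availability_zones = ["us-east-2a", "us-east-2b"]

  access_logs {                        # CKV_AWS_92
    bucket        = var.elb_log_bucket
    bucket_prefix = "classic-elb"
    interval      = 5                  # minutes; only 5 or 60 are accepted
    enabled       = true
  }

  listener {                           # CKV_AWS_127: TLS from the client, plain HTTP only inside the VPC
    lb_port            = 443
    lb_protocol        = "https"
    instance_port      = 8080
    instance_protocol  = "http"
    ssl_certificate_id = var.certificate_arn
  }

  health_check {
    target              = "HTTP:8080/"
    interval            = 10
    timeout             = 5
    healthy_threshold   = 10
    unhealthy_threshold = 2
  }

  instances                   = var.instance_ids
  cross_zone_load_balancing   = true
  connection_draining         = true
  connection_draining_timeout = 400
}

resource "aws_load_balancer_policy" "tls12" {
  load_balancer_name = aws_elb.web.name
  policy_name        = "changeme-tls-1-2"
  policy_type_name   = "SSLNegotiationPolicyType"

  policy_attribute {
    name  = "Reference-Security-Policy"
    value = "ELBSecurityPolicy-TLS-1-2-2017-01"
  }
}

resource "aws_load_balancer_listener_policy" "tls12" {
  load_balancer_name = aws_elb.web.name
  load_balancer_port = 443
  policy_names       = [aws_load_balancer_policy.tls12.policy_name]
}
```

Classic load balancers are the legacy product; if this example is being copied for new work rather than to fix the existing one, the application_elb example with a TLS 1.3 ssl_policy is the better starting point.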
Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
FAILED for resource: aws_lb.changeme_simple_aws_nlb
File: /aws/aws_elb/network_elb/main.tf:43-48
Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62
43 | resource "aws_lb" "changeme_simple_aws_nlb" {
44 | name = "changeme-simple-nlb"
45 | internal = false
46 | load_balancer_type = "network"
47 | subnets = data.aws_subnet_ids.changeme_aws_subnet_ids_nlb.ids
48 | }
Check: CKV_AWS_152: "Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled"
FAILED for resource: aws_lb.changeme_simple_aws_nlb
File: /aws/aws_elb/network_elb/main.tf:43-48
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-load-balancer-networkgateway-has-cross-zone-load-balancing-enabled.html
43 | resource "aws_lb" "changeme_simple_aws_nlb" {
44 | name = "changeme-simple-nlb"
45 | internal = false
46 | load_balancer_type = "network"
47 | subnets = data.aws_subnet_ids.changeme_aws_subnet_ids_nlb.ids
48 | }
Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
FAILED for resource: aws_lb.changeme_simple_aws_nlb
File: /aws/aws_elb/network_elb/main.tf:43-48
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22.html
43 | resource "aws_lb" "changeme_simple_aws_nlb" {
44 | name = "changeme-simple-nlb"
45 | internal = false
46 | load_balancer_type = "network"
47 | subnets = data.aws_subnet_ids.changeme_aws_subnet_ids_nlb.ids
48 | }
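The network load balancer above fails CKV_AWS_150, CKV_AWS_152 and CKV_AWS_91, and the three fixes are one-line arguments on aws_lb. What the check names do not say is that an NLB only writes access logs for TLS listeners, so enabling access_logs on a load balancer that has just a TCP listener produces nothing. The added example below, not the repository's code, therefore pairs the three settings with a TLS listener; the certificate ARN, subnets and log bucket are assumed inputs.

```hcl
variable "vpc_id"            { type = string }
variable "public_subnet_ids" { type = list(string) }
variable "certificate_arn"   { type = string }   # ACM certificate in the same region
variable "nlb_log_bucket"    { type = string }   # bucket policy must allow the delivery.logs.amazonaws.com principal

resource "aws_lb" "nlb" {
  name               = "changeme-simple-nlb"
  internal           = false
  load_balancer_type = "network"
  subnets            = var.public_subnet_ids

  enable_deletion_protection       = true   # CKV_AWS_150
  enable_cross_zone_load_balancing = true   # CKV_AWS_152; NLB bills the cross-AZ data transfer this causes

  access_logs {                              # CKV_AWS_91; records only connections on TLS listeners
    bucket  = var.nlb_log_bucket
    prefix  = "nlb"
    enabled = true
  }
}

resource "aws_lb_target_group" "tcp_8080" {
  name     = "changeme-simple-nlb-target-group"
  port     = 8080
  protocol = "TCP"
  vpc_id   = var.vpc_id
}

# TLS terminates on the NLB, so the access_logs block above actually produces records
resource "aws_lb_listener" "tls" {
  load_balancer_arn = aws_lb.nlb.arn
  port              = 443
  protocol          = "TLS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = var.certificate_arn

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.tcp_8080.arn
  }
}
```

Note that the security group flagged at lines 63-79 is attached to the instances, not to this load balancer; with TLS terminated at the NLB the instances still receive plain TCP on 8080, so that group's ingress should reference the NLB's client IP preservation behaviour (source addresses are the clients', not the NLB's) when it is tightened.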
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.changeme_nlb_aws_security_group
File: /aws/aws_elb/network_elb/main.tf:63-79
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
63 | resource "aws_security_group" "changeme_nlb_aws_security_group" {
64 | name = "changeme-simple-nlb-security-group"
65 | description = "Allow HTTP 80 inbound traffic"
66 | ingress {
67 | from_port = 80
68 | to_port = 80
69 | protocol = "tcp"
70 | cidr_blocks = ["0.0.0.0/0"]
71 | }
72 |
73 | egress {
74 | from_port = 0
75 | to_port = 0
76 | protocol = "-1"
77 | cidr_blocks = ["0.0.0.0/0"]
78 | }
79 | }
Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
FAILED for resource: aws_security_group.changeme_nlb_aws_security_group
File: /aws/aws_elb/network_elb/main.tf:63-79
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
63 | resource "aws_security_group" "changeme_nlb_aws_security_group" {
64 | name = "changeme-simple-nlb-security-group"
65 | description = "Allow HTTP 80 inbound traffic"
66 | ingress {
67 | from_port = 80
68 | to_port = 80
69 | protocol = "tcp"
70 | cidr_blocks = ["0.0.0.0/0"]
71 | }
72 |
73 | egress {
74 | from_port = 0
75 | to_port = 0
76 | protocol = "-1"
77 | cidr_blocks = ["0.0.0.0/0"]
78 | }
79 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_launch_template.changeme_simple_asg_launch_template_nlb
File: /aws/aws_elb/network_elb/main.tf:93-99
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
93 | resource "aws_launch_template" "changeme_simple_asg_launch_template_nlb" {
94 | name = "changeme-simple-asg-launch-template-nlb"
95 | image_id = data.aws_ami.changeme_amazon_nlb_ami.id
96 | instance_type = "t2.micro"
97 | vpc_security_group_ids = [aws_security_group.changeme_nlb_aws_security_group.id]
98 | user_data = filebase64("${path.module}/user_data.sh")
99 | }
Check: CKV_AWS_153: "Autoscaling groups should supply tags to launch configurations"
FAILED for resource: aws_autoscaling_group.changeme_simple_autoscaling_group_nlb
File: /aws/aws_elb/network_elb/main.tf:102-113
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/autoscaling-groups-should-supply-tags-to-launch-configurations.html
102 | resource "aws_autoscaling_group" "changeme_simple_autoscaling_group_nlb" {
103 | name = "changeme-simple-autoscaling-group-nlb"
104 | availability_zones = ["us-east-1a", "us-east-1b"]
105 | desired_capacity = 2
106 | max_size = 2
107 | min_size = 2
108 | target_group_arns = [aws_lb_target_group.changeme_simple_nlb_target_group.arn]
109 |
110 | launch_template {
111 | id = aws_launch_template.changeme_simple_asg_launch_template_nlb.id
112 | }
113 | }
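The launch templates and autoscaling groups in both the application_elb example (lines 102-122) and the network_elb example (lines 93-113) fail CKV_AWS_79 and CKV_AWS_153 in the same way. One hardened pair, added here as an example rather than taken from the repository, serves both; the AMI, security group, subnet and target-group variables are assumptions. Beyond the two flagged settings it encrypts the root volume, enables detailed monitoring, and places the group in private subnets by vpc_zone_identifier instead of bare availability_zones, which in the original drops the instances into whatever default-VPC subnets exist in those zones.

```hcl
variable "ami_id"             { type = string }
variable "web_sg_id"          { type = string }
variable "private_subnet_ids" { type = list(string) }
variable "target_group_arn"   { type = string }

resource "aws_launch_template" "web" {
  name_prefix            = "changeme-web-"
  image_id               = var.ami_id
  instance_type          = "t3.micro"
  vpc_security_group_ids = [var.web_sg_id]
  user_data              = filebase64("${path.module}/user_data.sh")
  update_default_version = true
  ebs_optimized          = true

  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required"   # CKV_AWS_79: IMDSv2 only
    http_put_response_hop_limit = 1            # 2 only if containers on the host must reach IMDS
  }

  monitoring {
    enabled = true
  }

  block_device_mappings {
    device_name = "/dev/xvda"   # root device of Amazon Linux AMIs; confirm for the AMI in use
    ebs {
      encrypted   = true
      volume_type = "gp3"
    }
  }

  tag_specifications {
    resource_type = "instance"
    tags = {
      Name  = "changeme-web"
      Owner = "platform"
    }
  }
}

resource "aws_autoscaling_group" "web" {
  name                = "changeme-web-asg"
  vpc_zone_identifier = var.private_subnet_ids
  min_size            = 2
  max_size            = 2
  desired_capacity    = 2
  target_group_arns   = [var.target_group_arn]
  health_check_type   = "ELB"

  launch_template {
    id      = aws_launch_template.web.id
    version = aws_launch_template.web.latest_version
  }

  # CKV_AWS_153: tags declared on the group propagate to every instance it launches
  tag {
    key                 = "Name"
    value               = "changeme-web"
    propagate_at_launch = true
  }
}
```

Because the group pins latest_version, a change to the template (for example a new AMI) rolls out on the next scale event; add an instance_refresh block if the change should be applied to running instances immediately.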
Check: CKV_AWS_274: "Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy"
FAILED for resource: aws_iam_group_policy_attachment.changeme_iam_group_policy_attachment_administrators
File: /aws/aws_iam/groups/main.tf:57-60
57 | resource "aws_iam_group_policy_attachment" "changeme_iam_group_policy_attachment_administrators" {
58 | group = aws_iam_group.changeme_iam_groups_groups[1].name
59 | policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
60 | }
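CKV_AWS_274 flags the AdministratorAccess attachment above, and the next two findings (CKV_AWS_286 here and CKV2_AWS_40 further down) concern the inline dev policy in the same file, whose body is not visible in this scan output. The block below is an added example, not the repository's code, of what a developer group policy looks like when it neither carries the managed admin policy nor contains an escalation path: permissions are scoped to named resources, iam:PassRole is limited to one role and one service, and the well-known IAM self-escalation actions are denied outright. The role and bucket ARNs are assumed inputs.

```hcl
variable "app_role_arn"   { type = string }   # the only role developers may hand to EC2
variable "app_bucket_arn" { type = string }

resource "aws_iam_group" "dev" {
  name = "changeme-dev"
}

data "aws_iam_policy_document" "dev" {
  statement {
    sid       = "ReadEc2"
    actions   = ["ec2:Describe*"]
    resources = ["*"]
  }

  statement {
    sid       = "AppBucket"
    actions   = ["s3:ListBucket", "s3:GetObject", "s3:PutObject"]
    resources = [var.app_bucket_arn, "${var.app_bucket_arn}/*"]
  }

  # iam:PassRole is the usual escalation hop (pass an admin role to an instance you control):
  # restrict it to one role and one service rather than "*"
  statement {
    sid       = "PassOnlyAppRoleToEc2"
    actions   = ["iam:PassRole"]
    resources = [var.app_role_arn]
    condition {
      test     = "StringEquals"
      variable = "iam:PassedToService"
      values   = ["ec2.amazonaws.com"]
    }
  }

  # An explicit Deny wins over any Allow, including one attached to the group later by mistake
  statement {
    sid    = "DenyIamEscalationPaths"
    effect = "Deny"
    actions = [
      "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion",
      "iam:AttachUserPolicy", "iam:AttachGroupPolicy", "iam:AttachRolePolicy",
      "iam:PutUserPolicy", "iam:PutGroupPolicy", "iam:PutRolePolicy",
      "iam:AddUserToGroup", "iam:UpdateAssumeRolePolicy",
      "iam:CreateAccessKey", "iam:CreateLoginProfile", "iam:UpdateLoginProfile",
    ]
    resources = ["*"]
  }
}

resource "aws_iam_policy" "dev" {
  name   = "changeme-iam-policy-dev"
  policy = data.aws_iam_policy_document.dev.json
}

# Replaces policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
resource "aws_iam_group_policy_attachment" "dev" {
  group      = aws_iam_group.dev.name
  policy_arn = aws_iam_policy.dev.arn
}
```

The Deny on iam:CreateAccessKey and the login-profile actions also stops members from rotating their own credentials; if that is required, narrow those denies with a NotResource of arn:aws:iam::<account>:user/${aws:username} instead of dropping them, since creating a key for another user is precisely the escalation being blocked.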
Check: CKV_AWS_286: "Ensure IAM policies does not allow privilege escalation"
FAILED for resource: aws_iam_group_policy.changeme_iam_group_policy_dev
File: /aws/aws_iam/groups/main.tf:63-78
63 | resource "aws_iam_group_policy" "changeme_iam_group_policy_dev" {
64 | name = "changeme-iam-group-policy-dev"
65 | group = aws_iam_group.changeme_iam_groups_groups[1].id
66 | policy = < index.html
46 | nohup busybox httpd -f -p 8080 &
47 | EOF
48 | tags = {
49 | Name = "changeme_first_aws_instance_tag"
50 | }
51 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.changeme_second_aws_instance
File: /aws/aws_elb/classic_elb/main.tf:55-68
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
55 | resource "aws_instance" "changeme_second_aws_instance" {
56 | ami = "ami-0c55b159cbfafe1f0"
57 | instance_type = "t2.micro"
58 | availability_zone = "us-east-2b"
59 | vpc_security_group_ids = [aws_security_group.changeme_aws_security_group.id]
60 | user_data = <<-EOF
61 | #!/bin/bash
62 | echo "Hello, World from Host2" > index.html
63 | nohup busybox httpd -f -p 8080 &
64 | EOF
65 | tags = {
66 | Name = "changeme_second_aws_instance_tag"
67 | }
68 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.changeme_ami_lookup_aws_instance
File: /aws/aws_instance/ami_lookup/main.tf:47-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
47 | resource "aws_instance" "changeme_ami_lookup_aws_instance" {
48 | ami = data.aws_ami.changeme_aws_ami.id
49 | instance_type = "t3.micro"
50 |
51 | tags = {
52 | Name = "changeme_ami_lookup_aws_instance"
53 | }
54 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.changeme_aws_instance_count_count[0]
File: /aws/aws_instance/count/main.tf:25-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
25 | resource "aws_instance" "changeme_aws_instance_count_count" {
26 | # Documentation: https://www.terraform.io/docs/language/meta-arguments/count.html
27 | count = 2
28 | instance_type = "t2.nano"
29 | ami = "ami-0ddbdea833a8d2f0d"
30 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.changeme_aws_instance_count_foreach["a"]
File: /aws/aws_instance/for_each/main.tf:25-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
25 | resource "aws_instance" "changeme_aws_instance_count_foreach" {
26 | # Documentation: https://www.terraform.io/docs/language/meta-arguments/for_each.html
27 | for_each = {
28 | "a" = "1"
29 | "b" = "2"
30 | }
31 |
32 | tags = {
33 | Name = "aws_resource_count_${each.key}${each.value}"
34 | }
35 | instance_type = "t2.nano"
36 | ami = "ami-0ddbdea833a8d2f0d"
37 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.changeme_remote_exec_inline_aws_instance[0]
File: /aws/aws_instance/remote-exec/inline/main.tf:83-106
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
83 | resource "aws_instance" "changeme_remote_exec_inline_aws_instance" {
84 | # Documentation: https://www.terraform.io/docs/language/meta-arguments/count.html
85 | count = 2
86 |
87 | instance_type = "t2.nano"
88 | ami = "ami-0ddbdea833a8d2f0d"
89 | key_name = aws_key_pair.changeme_remote_exec_inline_aws_key_pair.id # the name of the SSH keypair to use for provisioning
90 | vpc_security_group_ids = [aws_security_group.changeme_remote_exec_inline_security_group.id]
91 |
92 | # Documentation: https://www.terraform.io/docs/language/resources/provisioners/connection.html
93 | connection {
94 | host = self.public_ip
95 | user = var.changeme_aws_instance_remote_exec_inline_ssh_username
96 | private_key = file(var.changeme_aws_instance_remote_exec_inline_ssh_private_key_path)
97 | agent = false # don't use SSH agent because we have the private key right here
98 | }
99 |
100 | # Documentation: https://www.terraform.io/docs/language/resources/provisioners/remote-exec.html
101 | provisioner "remote-exec" {
102 | inline = [
103 | "echo ${self.ami}"
104 | ]
105 | }
106 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.changeme_remote_exec_inline_windows_aws_instance
File: /aws/aws_instance/remote-exec/inline/windows/main.tf:86-94
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
86 | resource "aws_instance" "changeme_remote_exec_inline_windows_aws_instance" {
87 | instance_type = "t2.micro"
88 | ami = "ami-0f93c815788872c5d"
89 | key_name = aws_key_pair.changeme_remote_exec_inline_windows_key_pair.id # the name of the SSH keypair to use for provisioning
90 | vpc_security_group_ids = [aws_security_group.changeme_remote_exec_inline_windows_security_group.id]
91 | user_data = file("scripts/user_data.txt")
92 | get_password_data = true
93 | tags = { Name = "terraform-examples" }
94 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.changeme_aws_resource_simple
File: /aws/aws_instance/simple/main.tf:29-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
29 | resource "aws_instance" "changeme_aws_resource_simple" {
30 | instance_type = "t2.nano"
31 | ami = "ami-0ddbdea833a8d2f0d"
32 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.changeme_simple_ssh_access_aws_instance
File: /aws/aws_instance/simple_ssh_access/main.tf:90-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
90 | resource "aws_instance" "changeme_simple_ssh_access_aws_instance" {
91 | # Documentation: https://www.terraform.io/docs/language/meta-arguments/count.html
92 | instance_type = "t2.nano"
93 | ami = "ami-0ddbdea833a8d2f0d"
94 | key_name = aws_key_pair.changeme_simple_ssh_access_aws_key_pair.id # the name of the SSH keypair to use for provisioning
95 | vpc_security_group_ids = [aws_security_group.changeme_simple_ssh_access_security_group.id]
96 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.changeme_aws_instance_count_count[1]
File: /aws/aws_instance/count/main.tf:25-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
25 | resource "aws_instance" "changeme_aws_instance_count_count" {
26 | # Documentation: https://www.terraform.io/docs/language/meta-arguments/count.html
27 | count = 2
28 | instance_type = "t2.nano"
29 | ami = "ami-0ddbdea833a8d2f0d"
30 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.changeme_aws_instance_count_foreach["b"]
File: /aws/aws_instance/for_each/main.tf:25-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
25 | resource "aws_instance" "changeme_aws_instance_count_foreach" {
26 | # Documentation: https://www.terraform.io/docs/language/meta-arguments/for_each.html
27 | for_each = {
28 | "a" = "1"
29 | "b" = "2"
30 | }
31 |
32 | tags = {
33 | Name = "aws_resource_count_${each.key}${each.value}"
34 | }
35 | instance_type = "t2.nano"
36 | ami = "ami-0ddbdea833a8d2f0d"
37 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.changeme_remote_exec_inline_aws_instance[1]
File: /aws/aws_instance/remote-exec/inline/main.tf:83-106
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
83 | resource "aws_instance" "changeme_remote_exec_inline_aws_instance" {
84 | # Documentation: https://www.terraform.io/docs/language/meta-arguments/count.html
85 | count = 2
86 |
87 | instance_type = "t2.nano"
88 | ami = "ami-0ddbdea833a8d2f0d"
89 | key_name = aws_key_pair.changeme_remote_exec_inline_aws_key_pair.id # the name of the SSH keypair to use for provisioning
90 | vpc_security_group_ids = [aws_security_group.changeme_remote_exec_inline_security_group.id]
91 |
92 | # Documentation: https://www.terraform.io/docs/language/resources/provisioners/connection.html
93 | connection {
94 | host = self.public_ip
95 | user = var.changeme_aws_instance_remote_exec_inline_ssh_username
96 | private_key = file(var.changeme_aws_instance_remote_exec_inline_ssh_private_key_path)
97 | agent = false # don't use SSH agent because we have the private key right here
98 | }
99 |
100 | # Documentation: https://www.terraform.io/docs/language/resources/provisioners/remote-exec.html
101 | provisioner "remote-exec" {
102 | inline = [
103 | "echo ${self.ami}"
104 | ]
105 | }
106 | }
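Every aws_instance in the aws_instance/* examples fails CKV2_AWS_41 because none of them has an instance profile. The check is often read as paperwork, but attaching a role changes how the instance is operated: with AmazonSSMManagedInstanceCore on the role, Session Manager gives shell access without the key pairs, port-22 security groups and on-disk private keys that the remote-exec and simple_ssh_access examples above depend on (the remote-exec connection block reads the private key straight into Terraform). The following is an added example, not the repository's code; the AMI variable is an assumption, and the instance needs the SSM agent (present on Amazon Linux) plus outbound reach to the SSM endpoints.

```hcl
variable "ami_id" { type = string }

data "aws_iam_policy_document" "ec2_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "instance" {
  name               = "changeme-instance-role"
  assume_role_policy = data.aws_iam_policy_document.ec2_assume.json
}

# Session Manager: no key pair, no inbound rule, every session recorded in CloudTrail
resource "aws_iam_role_policy_attachment" "ssm_core" {
  role       = aws_iam_role.instance.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
}

resource "aws_iam_instance_profile" "instance" {
  name = "changeme-instance-profile"
  role = aws_iam_role.instance.name
}

resource "aws_instance" "simple" {
  ami                  = var.ami_id
  instance_type        = "t3.nano"
  iam_instance_profile = aws_iam_instance_profile.instance.name   # CKV2_AWS_41

  # The role's credentials are served by IMDS to every process on the box,
  # so a role is only safe alongside IMDSv2-only and a minimal policy
  metadata_options {
    http_tokens = "required"
  }

  tags = {
    Name = "changeme_aws_resource_simple"
  }
}
```

With this in place the remote-exec provisioner's job is done by aws ssm send-command (or an interactive aws ssm start-session --target <instance-id>) after apply, and the aws_key_pair and its security group rule can be deleted. Give the role nothing beyond the SSM policy until the workload actually needs an AWS API call; an empty-permission role still satisfies the check and costs nothing.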
Check: CKV2_AWS_38: "Ensure Domain Name System Security Extensions (DNSSEC) signing is enabled for Amazon Route 53 public hosted zones"
FAILED for resource: aws_route53_zone.changeme_aws_route53_simple_zone
File: /aws/aws_route53/simple/main.tf:26-28
26 | resource "aws_route53_zone" "changeme_aws_route53_simple_zone" {
27 | name = "changeme.com"
28 | }
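CKV2_AWS_38 wants DNSSEC signing on the public hosted zone above, which in Terraform is three resources plus a KMS key with fairly specific requirements: the key must be asymmetric ECC_NIST_P256 with SIGN_VERIFY usage, it must live in us-east-1 regardless of where the rest of the stack runs, and its key policy must let the dnssec-route53.amazonaws.com service sign with it and create grants. The block below is an added example, not the repository's code, that wires all of that together for the changeme.com zone; the provider alias and resource names are assumptions.

```hcl
provider "aws" {
  alias  = "use1"
  region = "us-east-1"   # Route 53 only accepts KSK keys from this region
}

data "aws_caller_identity" "current" {}

data "aws_iam_policy_document" "ksk_key" {
  statement {
    sid       = "AccountAdmin"
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
  }

  statement {
    sid       = "Route53DnssecSign"
    actions   = ["kms:DescribeKey", "kms:GetPublicKey", "kms:Sign"]
    resources = ["*"]
    principals {
      type        = "Service"
      identifiers = ["dnssec-route53.amazonaws.com"]
    }
    condition {   # confused-deputy guard: only zones in this account may use the key
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }

  statement {
    sid       = "Route53DnssecGrant"
    actions   = ["kms:CreateGrant"]
    resources = ["*"]
    principals {
      type        = "Service"
      identifiers = ["dnssec-route53.amazonaws.com"]
    }
    condition {
      test     = "Bool"
      variable = "kms:GrantIsForAWSResource"
      values   = ["true"]
    }
  }
}

resource "aws_kms_key" "ksk" {
  provider                 = aws.use1
  customer_master_key_spec = "ECC_NIST_P256"
  key_usage                = "SIGN_VERIFY"
  deletion_window_in_days  = 7
  policy                   = data.aws_iam_policy_document.ksk_key.json
}

resource "aws_route53_zone" "changeme" {
  name = "changeme.com"
}

resource "aws_route53_key_signing_key" "changeme" {
  hosted_zone_id             = aws_route53_zone.changeme.id
  key_management_service_arn = aws_kms_key.ksk.arn
  name                       = "changeme-ksk"
}

resource "aws_route53_hosted_zone_dnssec" "changeme" {
  depends_on     = [aws_route53_key_signing_key.changeme]
  hosted_zone_id = aws_route53_key_signing_key.changeme.hosted_zone_id
}

# Publish this at the registrar or parent zone; signing is inert until the DS record exists
output "changeme_ds_record" {
  value = aws_route53_key_signing_key.changeme.ds_record
}
```

Order matters operationally. Enabling signing without a DS record at the parent is harmless (resolvers simply do not validate), but the reverse, a DS record pointing at a key that has been destroyed or deactivated, makes the whole zone fail validation. So: apply, confirm the zone answers with RRSIG records, then add the DS record; and before ever destroying the aws_kms_key or aws_route53_key_signing_key, remove the DS record and wait out its TTL first.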
Check: CKV2_AWS_40: "Ensure AWS IAM policy does not allow full IAM privileges"
FAILED for resource: aws_iam_group_policy.changeme_iam_group_policy_dev
File: /aws/aws_iam/groups/main.tf:63-78
63 | resource "aws_iam_group_policy" "changeme_iam_group_policy_dev" {
64 | name = "changeme-iam-group-policy-dev"
65 | group = aws_iam_group.changeme_iam_groups_groups[1].id
66 | policy = <