| Repository | databricks / terraform-databricks-examples |
|---|---|
| Description | Examples of using Terraform to deploy Databricks resources |
| Stars | 124 |
| Failed Checks | Security Scanning |
| Scan Date | 2023-10-30 17:57:40 |
Security Scanning
This repository failed the Experience Builder Terraform Module's Security Scanning validation. This means that a security scanning tool was not found to be implemented in any of the CICD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform security scanning tools (example checkov output found below)
- Implement one of the security scanning tools within the CICD framework used by the repository
Checkov Output
2023-10-05 14:56:09,117 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/vpc/aws:3.2.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:56:09,117 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/vpc/aws//modules/vpc-endpoints:3.2.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:56:09,117 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/vpc/aws//modules/vpc-endpoints:3.11.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:56:09,117 [MainThread ] [WARNI] Failed to download module github.com/databricks/terraform-databricks-examples/modules/adb-with-private-links-exfiltration-protection:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:56:09,117 [MainThread ] [WARNI] Failed to download module github.com/databricks/terraform-databricks-examples/modules/adb-with-private-link-standard:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:56:09,118 [MainThread ] [WARNI] Failed to download module github.com/databricks/terraform-databricks-examples/modules/aws-workspace-basic:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:56:09,118 [MainThread ] [WARNI] Failed to download module github.com/databricks/terraform-databricks-examples/modules/aws-workspace-with-firewall:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:56:09,118 [MainThread ] [WARNI] Failed to download module github.com/databricks/terraform-databricks-examples/modules/aws-exfiltration-protection:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:56:09,118 [MainThread ] [WARNI] Failed to download module github.com/databricks/terraform-databricks-examples/modules/adb-exfiltration-protection:None (for external modules, the --download-external-modules flag is required)
terraform scan results:
Passed checks: 602, Failed checks: 303, Skipped checks: 0
Check: CKV_AZURE_109: "Ensure that key vault allows firewall rules settings"
FAILED for resource: azurerm_key_vault.akv1
File: /examples/adb-external-hive-metastore/akv.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-key-vault-allows-firewall-rules-settings.html
1 | resource "azurerm_key_vault" "akv1" {
2 | name = "${local.prefix}-akv"
3 | location = azurerm_resource_group.this.location
4 | resource_group_name = azurerm_resource_group.this.name
5 | enabled_for_disk_encryption = true
6 | tenant_id = data.azurerm_client_config.current.tenant_id
7 | soft_delete_retention_days = 7
8 | purge_protection_enabled = false
9 | sku_name = "standard"
10 | }
Check: CKV_AZURE_42: "Ensure the key vault is recoverable"
FAILED for resource: azurerm_key_vault.akv1
File: /examples/adb-external-hive-metastore/akv.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-the-key-vault-is-recoverable.html
1 | resource "azurerm_key_vault" "akv1" {
2 | name = "${local.prefix}-akv"
3 | location = azurerm_resource_group.this.location
4 | resource_group_name = azurerm_resource_group.this.name
5 | enabled_for_disk_encryption = true
6 | tenant_id = data.azurerm_client_config.current.tenant_id
7 | soft_delete_retention_days = 7
8 | purge_protection_enabled = false
9 | sku_name = "standard"
10 | }
Check: CKV_AZURE_189: "Ensure that Azure Key Vault disables public network access"
FAILED for resource: azurerm_key_vault.akv1
File: /examples/adb-external-hive-metastore/akv.tf:1-10
1 | resource "azurerm_key_vault" "akv1" {
2 | name = "${local.prefix}-akv"
3 | location = azurerm_resource_group.this.location
4 | resource_group_name = azurerm_resource_group.this.name
5 | enabled_for_disk_encryption = true
6 | tenant_id = data.azurerm_client_config.current.tenant_id
7 | soft_delete_retention_days = 7
8 | purge_protection_enabled = false
9 | sku_name = "standard"
10 | }
Check: CKV_AZURE_110: "Ensure that key vault enables purge protection"
FAILED for resource: azurerm_key_vault.akv1
File: /examples/adb-external-hive-metastore/akv.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-enables-purge-protection.html
1 | resource "azurerm_key_vault" "akv1" {
2 | name = "${local.prefix}-akv"
3 | location = azurerm_resource_group.this.location
4 | resource_group_name = azurerm_resource_group.this.name
5 | enabled_for_disk_encryption = true
6 | tenant_id = data.azurerm_client_config.current.tenant_id
7 | soft_delete_retention_days = 7
8 | purge_protection_enabled = false
9 | sku_name = "standard"
10 | }
Check: CKV_AZURE_44: "Ensure Storage Account is using the latest version of TLS encryption"
FAILED for resource: azurerm_storage_account.sqlserversa
File: /examples/adb-external-hive-metastore/sqlserver.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-storage-policies/bc-azr-storage-2.html
1 | resource "azurerm_storage_account" "sqlserversa" {
2 | name = "${random_string.naming.result}sqlserversa"
3 | resource_group_name = azurerm_resource_group.this.name
4 | location = azurerm_resource_group.this.location
5 | account_tier = "Standard"
6 | account_replication_type = "LRS"
7 | }
Check: CKV_AZURE_206: "Ensure that Storage Accounts use replication"
FAILED for resource: azurerm_storage_account.sqlserversa
File: /examples/adb-external-hive-metastore/sqlserver.tf:1-7
1 | resource "azurerm_storage_account" "sqlserversa" {
2 | name = "${random_string.naming.result}sqlserversa"
3 | resource_group_name = azurerm_resource_group.this.name
4 | location = azurerm_resource_group.this.location
5 | account_tier = "Standard"
6 | account_replication_type = "LRS"
7 | }
Check: CKV_AZURE_190: "Ensure that Storage blobs restrict public access"
FAILED for resource: azurerm_storage_account.sqlserversa
File: /examples/adb-external-hive-metastore/sqlserver.tf:1-7
1 | resource "azurerm_storage_account" "sqlserversa" {
2 | name = "${random_string.naming.result}sqlserversa"
3 | resource_group_name = azurerm_resource_group.this.name
4 | location = azurerm_resource_group.this.location
5 | account_tier = "Standard"
6 | account_replication_type = "LRS"
7 | }
Check: CKV_AZURE_33: "Ensure Storage logging is enabled for Queue service for read, write and delete requests"
FAILED for resource: azurerm_storage_account.sqlserversa
File: /examples/adb-external-hive-metastore/sqlserver.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/enable-requests-on-storage-logging-for-queue-service.html
1 | resource "azurerm_storage_account" "sqlserversa" {
2 | name = "${random_string.naming.result}sqlserversa"
3 | resource_group_name = azurerm_resource_group.this.name
4 | location = azurerm_resource_group.this.location
5 | account_tier = "Standard"
6 | account_replication_type = "LRS"
7 | }
Check: CKV_AZURE_59: "Ensure that Storage accounts disallow public access"
FAILED for resource: azurerm_storage_account.sqlserversa
File: /examples/adb-external-hive-metastore/sqlserver.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-storage-accounts-disallow-public-access.html
1 | resource "azurerm_storage_account" "sqlserversa" {
2 | name = "${random_string.naming.result}sqlserversa"
3 | resource_group_name = azurerm_resource_group.this.name
4 | location = azurerm_resource_group.this.location
5 | account_tier = "Standard"
6 | account_replication_type = "LRS"
7 | }
Check: CKV_AZURE_113: "Ensure that SQL server disables public network access"
FAILED for resource: azurerm_mssql_server.metastoreserver
File: /examples/adb-external-hive-metastore/sqlserver.tf:9-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-sql-server-disables-public-network-access.html
9 | resource "azurerm_mssql_server" "metastoreserver" {
10 | name = "${random_string.naming.result}mssqlserver"
11 | resource_group_name = azurerm_resource_group.this.name
12 | location = azurerm_resource_group.this.location
13 | version = "12.0"
14 | administrator_login = var.db_username // sensitive data stored as env variables locally
15 | administrator_login_password = var.db_password
16 | public_network_access_enabled = true // consider to disable public access to the server, to set as false
17 | }
Check: CKV_AZURE_52: "Ensure MSSQL is using the latest version of TLS encryption"
FAILED for resource: azurerm_mssql_server.metastoreserver
File: /examples/adb-external-hive-metastore/sqlserver.tf:9-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-mssql-is-using-the-latest-version-of-tls-encryption.html
9 | resource "azurerm_mssql_server" "metastoreserver" {
10 | name = "${random_string.naming.result}mssqlserver"
11 | resource_group_name = azurerm_resource_group.this.name
12 | location = azurerm_resource_group.this.location
13 | version = "12.0"
14 | administrator_login = var.db_username // sensitive data stored as env variables locally
15 | administrator_login_password = var.db_password
16 | public_network_access_enabled = true // consider to disable public access to the server, to set as false
17 | }
Check: CKV_AZURE_224: "Ensure that the Ledger feature is enabled on database that requires cryptographic proof and nonrepudiation of data integrity"
FAILED for resource: azurerm_mssql_database.sqlmetastore
File: /examples/adb-external-hive-metastore/sqlserver.tf:19-30
19 | resource "azurerm_mssql_database" "sqlmetastore" {
20 | name = "${random_string.naming.result}metastore"
21 | server_id = azurerm_mssql_server.metastoreserver.id
22 | collation = "SQL_Latin1_General_CP1_CI_AS"
23 | license_type = "LicenseIncluded"
24 | read_scale = true
25 | max_size_gb = 4
26 | sku_name = "BC_Gen5_2"
27 | zone_redundant = true
28 | tags = local.tags
29 |
30 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: azurerm_key_vault_secret.hiveurl
File: /examples/adb-external-hive-metastore/stage-2-workspace-objects/secrets.tf:10-14
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
10 | resource "azurerm_key_vault_secret" "hiveurl" {
11 | name = "HIVE-URL"
12 | value = local.db_url
13 | key_vault_id = var.key_vault_id
14 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: azurerm_key_vault_secret.hiveurl
File: /examples/adb-external-hive-metastore/stage-2-workspace-objects/secrets.tf:10-14
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
10 | resource "azurerm_key_vault_secret" "hiveurl" {
11 | name = "HIVE-URL"
12 | value = local.db_url
13 | key_vault_id = var.key_vault_id
14 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: azurerm_key_vault_secret.hiveuser
File: /examples/adb-external-hive-metastore/stage-2-workspace-objects/secrets.tf:16-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
16 | resource "azurerm_key_vault_secret" "hiveuser" {
17 | name = "HIVE-USER"
18 | value = var.db_username # use local group instead of var
19 | key_vault_id = var.key_vault_id
20 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: azurerm_key_vault_secret.hiveuser
File: /examples/adb-external-hive-metastore/stage-2-workspace-objects/secrets.tf:16-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
16 | resource "azurerm_key_vault_secret" "hiveuser" {
17 | name = "HIVE-USER"
18 | value = var.db_username # use local group instead of var
19 | key_vault_id = var.key_vault_id
20 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: azurerm_key_vault_secret.hivepwd
File: /examples/adb-external-hive-metastore/stage-2-workspace-objects/secrets.tf:22-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
22 | resource "azurerm_key_vault_secret" "hivepwd" {
23 | name = "HIVE-PASSWORD"
24 | value = var.db_password
25 | key_vault_id = var.key_vault_id
26 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: azurerm_key_vault_secret.hivepwd
File: /examples/adb-external-hive-metastore/stage-2-workspace-objects/secrets.tf:22-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
22 | resource "azurerm_key_vault_secret" "hivepwd" {
23 | name = "HIVE-PASSWORD"
24 | value = var.db_password
25 | key_vault_id = var.key_vault_id
26 | }
Check: CKV_AZURE_158: "Ensure that databricks workspace has not public"
FAILED for resource: azurerm_databricks_workspace.this
File: /examples/adb-external-hive-metastore/workspace.tf:1-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-azure-databricks-workspace-is-not-public.html
1 | resource "azurerm_databricks_workspace" "this" {
2 | name = "${local.prefix}-workspace"
3 | resource_group_name = azurerm_resource_group.this.name
4 | location = azurerm_resource_group.this.location
5 | sku = "premium"
6 | tags = local.tags
7 | customer_managed_key_enabled = true
8 | custom_parameters {
9 | no_public_ip = var.no_public_ip
10 | virtual_network_id = azurerm_virtual_network.this.id
11 | private_subnet_name = azurerm_subnet.private.name
12 | public_subnet_name = azurerm_subnet.public.name
13 | public_subnet_network_security_group_association_id = azurerm_subnet_network_security_group_association.public.id
14 | private_subnet_network_security_group_association_id = azurerm_subnet_network_security_group_association.private.id
15 | storage_account_name = local.dbfsname
16 | }
17 | # We need this, otherwise destroy doesn't cleanup things correctly
18 | depends_on = [
19 | azurerm_subnet_network_security_group_association.public,
20 | azurerm_subnet_network_security_group_association.private
21 | ]
22 | }
Check: CKV_AZURE_50: "Ensure Virtual Machine Extensions are not Installed"
FAILED for resource: module.kafka_broker.azurerm_linux_virtual_machine.general_vm
File: /examples/adb-kafka/modules/general_vm/main.tf:32-63
Calling File: /examples/adb-kafka/main.tf:25-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/bc-azr-general-14.html
32 | resource "azurerm_linux_virtual_machine" "general_vm" {
33 | name = "${var.vm_name}-vm"
34 | resource_group_name = var.resource_group_name
35 | location = var.region
36 | size = "Standard_D16s_v3"
37 | admin_username = "azureuser"
38 |
39 | network_interface_ids = [
40 | azurerm_network_interface.general-nic.id,
41 | ]
42 |
43 | admin_ssh_key {
44 | username = "azureuser"
45 | public_key = tls_private_key.general_ssh.public_key_openssh // using generated ssh key
46 | }
47 |
48 | os_disk {
49 | caching = "ReadWrite"
50 | storage_account_type = "Standard_LRS"
51 | }
52 |
53 | source_image_reference {
54 | publisher = "Canonical"
55 | offer = "0001-com-ubuntu-server-focal"
56 | sku = "20_04-lts-gen2"
57 | version = "latest"
58 | }
59 |
60 | depends_on = [
61 | local_file.private_key,
62 | ]
63 | }
Check: CKV_AZURE_93: "Ensure that managed disks use a specific set of disk encryption sets for the customer-managed key encryption"
FAILED for resource: module.kafka_broker.azurerm_managed_disk.general_disk
File: /examples/adb-kafka/modules/general_vm/main.tf:65-72
Calling File: /examples/adb-kafka/main.tf:25-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-managed-disks-use-a-specific-set-of-disk-encryption-sets-for-the-customer-managed-key-encryption.html
65 | resource "azurerm_managed_disk" "general_disk" {
66 | name = "${var.vm_name}-disk"
67 | location = var.region
68 | resource_group_name = var.resource_group_name
69 | storage_account_type = "Standard_LRS"
70 | create_option = "Empty"
71 | disk_size_gb = 60
72 | }
Check: CKV_AZURE_10: "Ensure that SSH access is restricted from the internet"
FAILED for resource: azurerm_network_security_group.vmnsg
File: /examples/adb-kafka/vnet.tf:9-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/bc-azr-networking-3.html
9 | resource "azurerm_network_security_group" "vmnsg" {
10 | name = "${local.prefix}-vm-nsg"
11 | location = azurerm_resource_group.this.location
12 | resource_group_name = azurerm_resource_group.this.name
13 |
14 | security_rule {
15 | name = "allow_ssh"
16 | priority = 200
17 | direction = "Inbound"
18 | access = "Allow"
19 | protocol = "Tcp"
20 | source_port_range = "*"
21 | destination_port_range = "22"
22 | source_address_prefix = "*"
23 | destination_address_prefix = "*"
24 | }
25 | }
Check: CKV_AZURE_158: "Ensure that databricks workspace has not public"
FAILED for resource: azurerm_databricks_workspace.this
File: /examples/adb-kafka/workspace.tf:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-azure-databricks-workspace-is-not-public.html
1 | resource "azurerm_databricks_workspace" "this" {
2 | name = "${local.prefix}-workspace"
3 | resource_group_name = azurerm_resource_group.this.name
4 | location = azurerm_resource_group.this.location
5 | sku = "premium"
6 | tags = local.tags
7 | customer_managed_key_enabled = true
8 | //infrastructure_encryption_enabled = true
9 | custom_parameters {
10 | no_public_ip = var.no_public_ip
11 | virtual_network_id = azurerm_virtual_network.this.id
12 | private_subnet_name = azurerm_subnet.private.name
13 | public_subnet_name = azurerm_subnet.public.name
14 | public_subnet_network_security_group_association_id = azurerm_subnet_network_security_group_association.public.id
15 | private_subnet_network_security_group_association_id = azurerm_subnet_network_security_group_association.private.id
16 | storage_account_name = local.dbfsname
17 | }
18 | # We need this, otherwise destroy doesn't cleanup things correctly
19 | depends_on = [
20 | azurerm_subnet_network_security_group_association.public,
21 | azurerm_subnet_network_security_group_association.private
22 | ]
23 | }
Check: CKV_AZURE_219: "Ensure Firewall defines a firewall policy"
FAILED for resource: azurerm_firewall.hubfw
File: /examples/adb-private-links/firewall.tf:9-21
9 | resource "azurerm_firewall" "hubfw" {
10 | name = "hubfirewall"
11 | location = azurerm_resource_group.this.location
12 | resource_group_name = azurerm_resource_group.this.name
13 | sku_name = "AZFW_VNet"
14 | sku_tier = "Standard"
15 |
16 | ip_configuration {
17 | name = "configuration"
18 | subnet_id = azurerm_subnet.hubfw.id
19 | public_ip_address_id = azurerm_public_ip.fwpublicip.id
20 | }
21 | }
Check: CKV_AZURE_216: "Ensure DenyIntelMode is set to Deny for Azure Firewalls"
FAILED for resource: azurerm_firewall.hubfw
File: /examples/adb-private-links/firewall.tf:9-21
9 | resource "azurerm_firewall" "hubfw" {
10 | name = "hubfirewall"
11 | location = azurerm_resource_group.this.location
12 | resource_group_name = azurerm_resource_group.this.name
13 | sku_name = "AZFW_VNet"
14 | sku_tier = "Standard"
15 |
16 | ip_configuration {
17 | name = "configuration"
18 | subnet_id = azurerm_subnet.hubfw.id
19 | public_ip_address_id = azurerm_public_ip.fwpublicip.id
20 | }
21 | }
Check: CKV_AZURE_44: "Ensure Storage Account is using the latest version of TLS encryption"
FAILED for resource: module.adls_content.azurerm_storage_account.personaldropbox
File: /examples/adb-splunk/modules/adls_content/main.tf:28-34
Calling File: /examples/adb-splunk/main.tf:43-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-storage-policies/bc-azr-storage-2.html
28 | resource "azurerm_storage_account" "personaldropbox" {
29 | name = local.storage_account_name
30 | resource_group_name = var.rg
31 | location = var.storage_account_location
32 | account_tier = "Standard"
33 | account_replication_type = "LRS"
34 | }
Check: CKV_AZURE_206: "Ensure that Storage Accounts use replication"
FAILED for resource: module.adls_content.azurerm_storage_account.personaldropbox
File: /examples/adb-splunk/modules/adls_content/main.tf:28-34
Calling File: /examples/adb-splunk/main.tf:43-47
28 | resource "azurerm_storage_account" "personaldropbox" {
29 | name = local.storage_account_name
30 | resource_group_name = var.rg
31 | location = var.storage_account_location
32 | account_tier = "Standard"
33 | account_replication_type = "LRS"
34 | }
Check: CKV_AZURE_190: "Ensure that Storage blobs restrict public access"
FAILED for resource: module.adls_content.azurerm_storage_account.personaldropbox
File: /examples/adb-splunk/modules/adls_content/main.tf:28-34
Calling File: /examples/adb-splunk/main.tf:43-47
28 | resource "azurerm_storage_account" "personaldropbox" {
29 | name = local.storage_account_name
30 | resource_group_name = var.rg
31 | location = var.storage_account_location
32 | account_tier = "Standard"
33 | account_replication_type = "LRS"
34 | }
Check: CKV_AZURE_33: "Ensure Storage logging is enabled for Queue service for read, write and delete requests"
FAILED for resource: module.adls_content.azurerm_storage_account.personaldropbox
File: /examples/adb-splunk/modules/adls_content/main.tf:28-34
Calling File: /examples/adb-splunk/main.tf:43-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/enable-requests-on-storage-logging-for-queue-service.html
28 | resource "azurerm_storage_account" "personaldropbox" {
29 | name = local.storage_account_name
30 | resource_group_name = var.rg
31 | location = var.storage_account_location
32 | account_tier = "Standard"
33 | account_replication_type = "LRS"
34 | }
Check: CKV_AZURE_59: "Ensure that Storage accounts disallow public access"
FAILED for resource: module.adls_content.azurerm_storage_account.personaldropbox
File: /examples/adb-splunk/modules/adls_content/main.tf:28-34
Calling File: /examples/adb-splunk/main.tf:43-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-storage-accounts-disallow-public-access.html
28 | resource "azurerm_storage_account" "personaldropbox" {
29 | name = local.storage_account_name
30 | resource_group_name = var.rg
31 | location = var.storage_account_location
32 | account_tier = "Standard"
33 | account_replication_type = "LRS"
34 | }
Check: CKV_AZURE_34: "Ensure that 'Public access level' is set to Private for blob containers"
FAILED for resource: module.adls_content.azurerm_storage_container.example_container
File: /examples/adb-splunk/modules/adls_content/main.tf:36-40
Calling File: /examples/adb-splunk/main.tf:43-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/set-public-access-level-to-private-for-blob-containers.html
36 | resource "azurerm_storage_container" "example_container" {
37 | name = "cnt1"
38 | storage_account_name = azurerm_storage_account.personaldropbox.name
39 | container_access_type = "container" // for anonymous read container from public
40 | }
Check: CKV_AZURE_50: "Ensure Virtual Machine Extensions are not Installed"
FAILED for resource: azurerm_linux_virtual_machine.example
File: /examples/adb-splunk/splunkvm.tf:32-68
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/bc-azr-general-14.html
32 | resource "azurerm_linux_virtual_machine" "example" {
33 | name = "splunk-vm"
34 | resource_group_name = azurerm_resource_group.this.name
35 | location = azurerm_resource_group.this.location
36 | size = "Standard_DS4_v2"
37 | admin_username = "azureuser"
38 |
39 | network_interface_ids = [
40 | azurerm_network_interface.splunk-nic.id,
41 | ]
42 |
43 | admin_ssh_key {
44 | username = "azureuser"
45 | public_key = tls_private_key.splunk_ssh.public_key_openssh // using generated ssh key
46 | # public_key = file("/home/azureuser/.ssh/authorized_keys") //using existing ssh key
47 | }
48 |
49 | os_disk {
50 | caching = "ReadWrite"
51 | storage_account_type = "Standard_LRS"
52 | }
53 |
54 | source_image_reference {
55 | publisher = "Canonical"
56 | offer = "0001-com-ubuntu-server-focal"
57 | sku = "20_04-lts-gen2"
58 | version = "latest"
59 | }
60 |
61 | depends_on = [
62 | local_file.private_key,
63 | local_file.setupscript,
64 | module.adls_content,
65 | azurerm_storage_blob.splunk_setup_file,
66 | azurerm_storage_blob.splunk_databricks_app_file
67 | ]
68 | }
Check: CKV_AZURE_158: "Ensure that databricks workspace has not public"
FAILED for resource: azurerm_databricks_workspace.this
File: /examples/adb-splunk/workspace.tf:1-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-azure-databricks-workspace-is-not-public.html
1 | resource "azurerm_databricks_workspace" "this" {
2 | name = "${local.prefix}-workspace"
3 | resource_group_name = azurerm_resource_group.this.name
4 | location = azurerm_resource_group.this.location
5 | sku = "premium"
6 | tags = local.tags
7 | //infrastructure_encryption_enabled = true
8 | custom_parameters {
9 | no_public_ip = var.no_public_ip
10 | virtual_network_id = azurerm_virtual_network.this.id
11 | private_subnet_name = azurerm_subnet.private.name
12 | public_subnet_name = azurerm_subnet.public.name
13 | public_subnet_network_security_group_association_id = azurerm_subnet_network_security_group_association.public.id
14 | private_subnet_network_security_group_association_id = azurerm_subnet_network_security_group_association.private.id
15 | storage_account_name = local.dbfsname
16 | }
17 | # We need this, otherwise destroy doesn't cleanup things correctly
18 | depends_on = [
19 | azurerm_subnet_network_security_group_association.public,
20 | azurerm_subnet_network_security_group_association.private
21 | ]
22 | }
Check: CKV_AZURE_50: "Ensure Virtual Machine Extensions are not Installed"
FAILED for resource: azurerm_linux_virtual_machine.example
File: /examples/adb-squid-proxy/main/squid.tf:39-63
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/bc-azr-general-14.html
39 | resource "azurerm_linux_virtual_machine" "example" {
40 | name = "squid-vm"
41 | resource_group_name = azurerm_resource_group.this.name
42 | location = azurerm_resource_group.this.location
43 | size = "Standard_F2"
44 | admin_username = "azureuser"
45 |
46 | network_interface_ids = [
47 | azurerm_network_interface.squid-nic.id,
48 | ]
49 |
50 | admin_ssh_key {
51 | username = "azureuser"
52 | public_key = tls_private_key.squid_ssh.public_key_openssh // using generated ssh key
53 | # public_key = file("/home/azureuser/.ssh/authorized_keys") //using existing ssh key
54 | }
55 |
56 | os_disk {
57 | caching = "ReadWrite"
58 | storage_account_type = "Standard_LRS"
59 | }
60 |
61 | # use custom image to build vm
62 | source_image_id = data.azurerm_image.customimage.id
63 | }
Check: CKV_AZURE_44: "Ensure Storage Account is using the latest version of TLS encryption"
FAILED for resource: azurerm_storage_account.testsa
File: /examples/adb-squid-proxy/main/storage.tf:5-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-storage-policies/bc-azr-storage-2.html
5 | resource "azurerm_storage_account" "testsa" {
6 | name = lower(random_id.storage_account.hex)
7 | resource_group_name = azurerm_resource_group.this.name
8 | is_hns_enabled = true
9 | location = "southeastasia"
10 | account_tier = "Standard"
11 | account_replication_type = "LRS"
12 | tags = local.tags
13 | }
Check: CKV_AZURE_206: "Ensure that Storage Accounts use replication"
FAILED for resource: azurerm_storage_account.testsa
File: /examples/adb-squid-proxy/main/storage.tf:5-13
5 | resource "azurerm_storage_account" "testsa" {
6 | name = lower(random_id.storage_account.hex)
7 | resource_group_name = azurerm_resource_group.this.name
8 | is_hns_enabled = true
9 | location = "southeastasia"
10 | account_tier = "Standard"
11 | account_replication_type = "LRS"
12 | tags = local.tags
13 | }
Check: CKV_AZURE_190: "Ensure that Storage blobs restrict public access"
FAILED for resource: azurerm_storage_account.testsa
File: /examples/adb-squid-proxy/main/storage.tf:5-13
5 | resource "azurerm_storage_account" "testsa" {
6 | name = lower(random_id.storage_account.hex)
7 | resource_group_name = azurerm_resource_group.this.name
8 | is_hns_enabled = true
9 | location = "southeastasia"
10 | account_tier = "Standard"
11 | account_replication_type = "LRS"
12 | tags = local.tags
13 | }
Check: CKV_AZURE_33: "Ensure Storage logging is enabled for Queue service for read, write and delete requests"
FAILED for resource: azurerm_storage_account.testsa
File: /examples/adb-squid-proxy/main/storage.tf:5-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/enable-requests-on-storage-logging-for-queue-service.html
5 | resource "azurerm_storage_account" "testsa" {
6 | name = lower(random_id.storage_account.hex)
7 | resource_group_name = azurerm_resource_group.this.name
8 | is_hns_enabled = true
9 | location = "southeastasia"
10 | account_tier = "Standard"
11 | account_replication_type = "LRS"
12 | tags = local.tags
13 | }
Check: CKV_AZURE_59: "Ensure that Storage accounts disallow public access"
FAILED for resource: azurerm_storage_account.testsa
File: /examples/adb-squid-proxy/main/storage.tf:5-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-storage-accounts-disallow-public-access.html
5 | resource "azurerm_storage_account" "testsa" {
6 | name = lower(random_id.storage_account.hex)
7 | resource_group_name = azurerm_resource_group.this.name
8 | is_hns_enabled = true
9 | location = "southeastasia"
10 | account_tier = "Standard"
11 | account_replication_type = "LRS"
12 | tags = local.tags
13 | }
Check: CKV_AZURE_10: "Ensure that SSH access is restricted from the internet"
FAILED for resource: azurerm_network_security_rule.ssh
File: /examples/adb-squid-proxy/main/vnet.tf:101-113
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/bc-azr-networking-3.html
101 | resource "azurerm_network_security_rule" "ssh" {
102 | name = "ssh_squid"
103 | priority = 300
104 | direction = "Inbound"
105 | access = "Allow"
106 | protocol = "Tcp"
107 | source_port_range = "*"
108 | destination_port_range = "22"
109 | source_address_prefix = "*" //temporary rule for testing, allow any ip to connect; you can change to your client ip
110 | destination_address_prefix = "*"
111 | resource_group_name = azurerm_resource_group.this.name
112 | network_security_group_name = azurerm_network_security_group.squidnsg.name
113 | }
Check: CKV_AZURE_158: "Ensure that databricks workspace has not public"
FAILED for resource: azurerm_databricks_workspace.this
File: /examples/adb-squid-proxy/main/workspace.tf:5-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-azure-databricks-workspace-is-not-public.html
5 | resource "azurerm_databricks_workspace" "this" {
6 | name = "${local.prefix}-workspace"
7 | resource_group_name = azurerm_resource_group.this.name
8 | location = azurerm_resource_group.this.location
9 | sku = "premium"
10 | tags = local.tags
11 |
12 | custom_parameters {
13 | no_public_ip = true
14 | virtual_network_id = azurerm_virtual_network.dbvnet.id
15 | private_subnet_name = azurerm_subnet.private.name
16 | public_subnet_name = azurerm_subnet.public.name
17 | public_subnet_network_security_group_association_id = azurerm_subnet_network_security_group_association.public.id
18 | private_subnet_network_security_group_association_id = azurerm_subnet_network_security_group_association.private.id
19 | }
20 | # We need this, otherwise destroy doesn't cleanup things correctly
21 | depends_on = [
22 | azurerm_subnet_network_security_group_association.public,
23 | azurerm_subnet_network_security_group_association.private,
24 | azurerm_linux_virtual_machine.example // make sure workspace is after squid ready and configured
25 | ]
26 | }
Check: CKV_AZURE_44: "Ensure Storage Account is using the latest version of TLS encryption"
FAILED for resource: azurerm_storage_account.storage
File: /examples/adb-squid-proxy/modules/storage/main.tf:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-storage-policies/bc-azr-storage-2.html
1 | resource "azurerm_storage_account" "storage" {
2 | name = var.storagename
3 | resource_group_name = var.resource_group_name
4 | location = var.locationtest
5 | account_tier = "Standard"
6 | account_replication_type = "LRS"
7 | is_hns_enabled = true
8 | }
Check: CKV_AZURE_206: "Ensure that Storage Accounts use replication"
FAILED for resource: azurerm_storage_account.storage
File: /examples/adb-squid-proxy/modules/storage/main.tf:1-8
1 | resource "azurerm_storage_account" "storage" {
2 | name = var.storagename
3 | resource_group_name = var.resource_group_name
4 | location = var.locationtest
5 | account_tier = "Standard"
6 | account_replication_type = "LRS"
7 | is_hns_enabled = true
8 | }
Check: CKV_AZURE_190: "Ensure that Storage blobs restrict public access"
FAILED for resource: azurerm_storage_account.storage
File: /examples/adb-squid-proxy/modules/storage/main.tf:1-8
1 | resource "azurerm_storage_account" "storage" {
2 | name = var.storagename
3 | resource_group_name = var.resource_group_name
4 | location = var.locationtest
5 | account_tier = "Standard"
6 | account_replication_type = "LRS"
7 | is_hns_enabled = true
8 | }
Check: CKV_AZURE_33: "Ensure Storage logging is enabled for Queue service for read, write and delete requests"
FAILED for resource: azurerm_storage_account.storage
File: /examples/adb-squid-proxy/modules/storage/main.tf:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/enable-requests-on-storage-logging-for-queue-service.html
1 | resource "azurerm_storage_account" "storage" {
2 | name = var.storagename
3 | resource_group_name = var.resource_group_name
4 | location = var.locationtest
5 | account_tier = "Standard"
6 | account_replication_type = "LRS"
7 | is_hns_enabled = true
8 | }
Check: CKV_AZURE_59: "Ensure that Storage accounts disallow public access"
FAILED for resource: azurerm_storage_account.storage
File: /examples/adb-squid-proxy/modules/storage/main.tf:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-storage-accounts-disallow-public-access.html
1 | resource "azurerm_storage_account" "storage" {
2 | name = var.storagename
3 | resource_group_name = var.resource_group_name
4 | location = var.locationtest
5 | account_tier = "Standard"
6 | account_replication_type = "LRS"
7 | is_hns_enabled = true
8 | }
Check: CKV_AZURE_95: "Ensure that automatic OS image patching is enabled for Virtual Machine Scale Sets"
FAILED for resource: azurerm_virtual_machine_scale_set.vmss
File: /examples/adb-squid-proxy/modules/vm/main.tf:100-158
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-automatic-os-image-patching-is-enabled-for-virtual-machine-scale-sets.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AZURE_50: "Ensure Virtual Machine Extensions are not Installed"
FAILED for resource: module.test_vm_instance.azurerm_linux_virtual_machine.teradatavm
File: /examples/adb-teradata/modules/teradata_vm/main.tf:32-64
Calling File: /examples/adb-teradata/main.tf:25-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/bc-azr-general-14.html
32 | resource "azurerm_linux_virtual_machine" "teradatavm" {
33 | name = "teradata-vm"
34 | resource_group_name = var.resource_group_name
35 | location = var.region
36 | size = "Standard_D16s_v3"
37 | admin_username = "azureuser"
38 |
39 | network_interface_ids = [
40 | azurerm_network_interface.teradata-nic.id,
41 | ]
42 |
43 | admin_ssh_key {
44 | username = "azureuser"
45 | public_key = tls_private_key.teradata_ssh.public_key_openssh // using generated ssh key
46 | # public_key = file("/home/azureuser/.ssh/authorized_keys") //using existing ssh key
47 | }
48 |
49 | os_disk {
50 | caching = "ReadWrite"
51 | storage_account_type = "Standard_LRS"
52 | }
53 |
54 | source_image_reference {
55 | publisher = "Canonical"
56 | offer = "0001-com-ubuntu-server-focal"
57 | sku = "20_04-lts-gen2"
58 | version = "latest"
59 | }
60 |
61 | depends_on = [
62 | local_file.private_key,
63 | ]
64 | }
Check: CKV_AZURE_93: "Ensure that managed disks use a specific set of disk encryption sets for the customer-managed key encryption"
FAILED for resource: module.test_vm_instance.azurerm_managed_disk.teradatadisk
File: /examples/adb-teradata/modules/teradata_vm/main.tf:66-73
Calling File: /examples/adb-teradata/main.tf:25-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-managed-disks-use-a-specific-set-of-disk-encryption-sets-for-the-customer-managed-key-encryption.html
66 | resource "azurerm_managed_disk" "teradatadisk" {
67 | name = "${var.naming_prefix}-disk1"
68 | location = var.region
69 | resource_group_name = var.resource_group_name
70 | storage_account_type = "Standard_LRS"
71 | create_option = "Empty"
72 | disk_size_gb = 60
73 | }
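The two findings above (CKV_AZURE_50 on the VM, CKV_AZURE_93 on its data disk) are fixed by the same pair of attributes: `allow_extension_operations = false`, which stops anyone with Contributor rights from pushing an extension that runs as root inside the VM, and `disk_encryption_set_id` on every disk, which moves the disk keys from platform-managed to a customer-managed Key Vault key. The following is an added example, not the scanned module's code. It keeps the names used in the finding (`var.resource_group_name`, `var.region`, `var.naming_prefix`, `azurerm_network_interface.teradata-nic`, `tls_private_key.teradata_ssh`) and assumes two hypothetical resources defined elsewhere: `azurerm_key_vault.this` (with purge protection enabled, which disk encryption sets require) and `azurerm_key_vault_key.disk`.

```hcl
# Added example, not from databricks/terraform-databricks-examples.
# Assumed to exist elsewhere: azurerm_key_vault.this (purge protection on) and
# azurerm_key_vault_key.disk, plus the variables/resources named in the scanned finding.

resource "azurerm_disk_encryption_set" "vm" {
  name                = "${var.naming_prefix}-des"
  resource_group_name = var.resource_group_name
  location            = var.region
  key_vault_key_id    = azurerm_key_vault_key.disk.id

  identity {
    type = "SystemAssigned"
  }
}

# The encryption set's managed identity must be able to wrap/unwrap with the key
# before any disk can reference it; without this the VM and disk creation fail.
resource "azurerm_key_vault_access_policy" "des" {
  key_vault_id = azurerm_key_vault.this.id
  tenant_id    = azurerm_disk_encryption_set.vm.identity[0].tenant_id
  object_id    = azurerm_disk_encryption_set.vm.identity[0].principal_id

  key_permissions = ["Get", "WrapKey", "UnwrapKey"]
}

resource "azurerm_linux_virtual_machine" "teradatavm" {
  name                = "teradata-vm"
  resource_group_name = var.resource_group_name
  location            = var.region
  size                = "Standard_D16s_v3"
  admin_username      = "azureuser"

  # CKV_AZURE_50: no VM extensions can be installed, so the control plane cannot be
  # used to run arbitrary code as root inside this VM. Bootstrap with custom_data
  # (cloud-init) instead of an azurerm_virtual_machine_extension.
  allow_extension_operations = false

  network_interface_ids = [azurerm_network_interface.teradata-nic.id]

  admin_ssh_key {
    username   = "azureuser"
    public_key = tls_private_key.teradata_ssh.public_key_openssh
  }

  os_disk {
    caching                = "ReadWrite"
    storage_account_type   = "Standard_LRS"
    disk_encryption_set_id = azurerm_disk_encryption_set.vm.id
  }

  source_image_reference {
    publisher = "Canonical"
    offer     = "0001-com-ubuntu-server-focal"
    sku       = "20_04-lts-gen2"
    version   = "latest"
  }

  depends_on = [azurerm_key_vault_access_policy.des]
}

resource "azurerm_managed_disk" "teradatadisk" {
  name                   = "${var.naming_prefix}-disk1"
  location               = var.region
  resource_group_name    = var.resource_group_name
  storage_account_type   = "Standard_LRS"
  create_option          = "Empty"
  disk_size_gb           = 60
  disk_encryption_set_id = azurerm_disk_encryption_set.vm.id # CKV_AZURE_93

  depends_on = [azurerm_key_vault_access_policy.des]
}
```

Two caveats that the scanner does not raise but a reviewer would. First, `allow_extension_operations = false` breaks any provisioning that relies on a VM extension, so check how the module installs software before flipping it. Second, the scanned VM takes its SSH key from `tls_private_key.teradata_ssh` and depends on a `local_file.private_key`: the private key therefore lives in Terraform state and on the machine that ran `apply`, so the state backend needs the same protection as the key itself.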
Check: CKV_AZURE_10: "Ensure that SSH access is restricted from the internet"
FAILED for resource: azurerm_network_security_group.vmnsg
File: /examples/adb-teradata/vnet.tf:9-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/bc-azr-networking-3.html
9 | resource "azurerm_network_security_group" "vmnsg" {
10 | name = "${local.prefix}-vm-nsg"
11 | location = azurerm_resource_group.this.location
12 | resource_group_name = azurerm_resource_group.this.name
13 |
14 | security_rule {
15 | name = "allow_ssh"
16 | priority = 200
17 | direction = "Inbound"
18 | access = "Allow"
19 | protocol = "Tcp"
20 | source_port_range = "*"
21 | destination_port_range = "22"
22 | source_address_prefix = "*"
23 | destination_address_prefix = "*"
24 | }
25 | security_rule {
26 | name = "teradata_in"
27 | priority = 210
28 | direction = "Inbound"
29 | access = "Allow"
30 | protocol = "Tcp"
31 | source_port_range = "*"
32 | destination_port_range = "1025"
33 | source_address_prefix = "*"
34 | destination_address_prefix = "*"
35 | }
36 | security_rule {
37 | name = "teradata_out"
38 | priority = 210
39 | direction = "Outbound"
40 | access = "Allow"
41 | protocol = "Tcp"
42 | source_port_range = "*"
43 | destination_port_range = "1025"
44 | source_address_prefix = "*"
45 | destination_address_prefix = "*"
46 | }
47 | }
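Both CKV_AZURE_10 findings on this page (the squid proxy rule at `adb-squid-proxy/main/vnet.tf:101-113` and the `allow_ssh` rule above) have the same cause: `source_address_prefix = "*"` on an inbound allow for port 22. The source comment in the squid example already says the rule is temporary; the safer pattern is to make the allowed source a required input that cannot be the whole internet. The following is an added example, not code from the scanned repository. It reuses the names from the squid finding (`azurerm_resource_group.this`, `azurerm_network_security_group.squidnsg`) and introduces a hypothetical `var.admin_cidrs`.

```hcl
# Added example, not from databricks/terraform-databricks-examples.
# var.admin_cidrs is a hypothetical input; the resource group and NSG names are the
# ones used in the scanned adb-squid-proxy example.

variable "admin_cidrs" {
  description = "Client CIDRs allowed to open SSH to the proxy VM, e.g. a corporate egress range"
  type        = list(string)

  # Fail at plan time rather than shipping an any-source rule: reject the wildcard,
  # the Internet service tag and an all-zeros CIDR.
  validation {
    condition = alltrue([
      for p in var.admin_cidrs :
      !contains(["*", "Internet", "0.0.0.0/0"], p)
    ])
    error_message = "admin_cidrs must not open SSH to the whole internet."
  }
}

resource "azurerm_network_security_rule" "ssh" {
  name                        = "ssh_squid"
  priority                    = 300
  direction                   = "Inbound"
  access                      = "Allow"
  protocol                    = "Tcp"
  source_port_range           = "*"
  destination_port_range      = "22"
  source_address_prefixes     = var.admin_cidrs # was "*" in the scanned rule
  destination_address_prefix  = "*"
  resource_group_name         = azurerm_resource_group.this.name
  network_security_group_name = azurerm_network_security_group.squidnsg.name
}
```

`source_address_prefixes` (plural) and `source_address_prefix` are mutually exclusive on this resource, so the original singular attribute is dropped. If administrators only ever reach the VM from inside the VNet, `source_address_prefix = "VirtualNetwork"` (or Azure Bastion with no inbound 22 rule at all) removes the internet exposure without maintaining an IP list.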
Check: CKV_AZURE_158: "Ensure that databricks workspace has not public"
FAILED for resource: azurerm_databricks_workspace.this
File: /examples/adb-teradata/workspace.tf:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-azure-databricks-workspace-is-not-public.html
1 | resource "azurerm_databricks_workspace" "this" {
2 | name = "${local.prefix}-workspace"
3 | resource_group_name = azurerm_resource_group.this.name
4 | location = azurerm_resource_group.this.location
5 | sku = "premium"
6 | tags = local.tags
7 | customer_managed_key_enabled = true
8 | //infrastructure_encryption_enabled = true
9 | custom_parameters {
10 | no_public_ip = var.no_public_ip
11 | virtual_network_id = azurerm_virtual_network.this.id
12 | private_subnet_name = azurerm_subnet.private.name
13 | public_subnet_name = azurerm_subnet.public.name
14 | public_subnet_network_security_group_association_id = azurerm_subnet_network_security_group_association.public.id
15 | private_subnet_network_security_group_association_id = azurerm_subnet_network_security_group_association.private.id
16 | storage_account_name = local.dbfsname
17 | }
18 | # We need this, otherwise destroy doesn't cleanup things correctly
19 | depends_on = [
20 | azurerm_subnet_network_security_group_association.public,
21 | azurerm_subnet_network_security_group_association.private
22 | ]
23 | }
Check: CKV_AZURE_44: "Ensure Storage Account is using the latest version of TLS encryption"
FAILED for resource: azurerm_storage_account.unity_catalog
File: /examples/adb-uc/stage_3_spn_deploys_uc/storage.tf:10-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-storage-policies/bc-azr-storage-2.html
10 | resource "azurerm_storage_account" "unity_catalog" {
11 | name = "${local.prefix}ucmetastore"
12 | resource_group_name = data.azurerm_resource_group.this.name
13 | location = data.azurerm_resource_group.this.location
14 | tags = data.azurerm_resource_group.this.tags
15 | account_tier = "Standard"
16 | account_replication_type = "ZRS"
17 | is_hns_enabled = true
18 |
19 | network_rules {
20 | default_action = "Deny"
21 | bypass = ["None"]
22 | private_link_access {
23 | endpoint_resource_id = azurerm_databricks_access_connector.unity.id
24 | }
25 | }
26 | }
Check: CKV_AZURE_206: "Ensure that Storage Accounts use replication"
FAILED for resource: azurerm_storage_account.unity_catalog
File: /examples/adb-uc/stage_3_spn_deploys_uc/storage.tf:10-26
10 | resource "azurerm_storage_account" "unity_catalog" {
11 | name = "${local.prefix}ucmetastore"
12 | resource_group_name = data.azurerm_resource_group.this.name
13 | location = data.azurerm_resource_group.this.location
14 | tags = data.azurerm_resource_group.this.tags
15 | account_tier = "Standard"
16 | account_replication_type = "ZRS"
17 | is_hns_enabled = true
18 |
19 | network_rules {
20 | default_action = "Deny"
21 | bypass = ["None"]
22 | private_link_access {
23 | endpoint_resource_id = azurerm_databricks_access_connector.unity.id
24 | }
25 | }
26 | }
Check: CKV_AZURE_190: "Ensure that Storage blobs restrict public access"
FAILED for resource: azurerm_storage_account.unity_catalog
File: /examples/adb-uc/stage_3_spn_deploys_uc/storage.tf:10-26
10 | resource "azurerm_storage_account" "unity_catalog" {
11 | name = "${local.prefix}ucmetastore"
12 | resource_group_name = data.azurerm_resource_group.this.name
13 | location = data.azurerm_resource_group.this.location
14 | tags = data.azurerm_resource_group.this.tags
15 | account_tier = "Standard"
16 | account_replication_type = "ZRS"
17 | is_hns_enabled = true
18 |
19 | network_rules {
20 | default_action = "Deny"
21 | bypass = ["None"]
22 | private_link_access {
23 | endpoint_resource_id = azurerm_databricks_access_connector.unity.id
24 | }
25 | }
26 | }
Check: CKV_AZURE_33: "Ensure Storage logging is enabled for Queue service for read, write and delete requests"
FAILED for resource: azurerm_storage_account.unity_catalog
File: /examples/adb-uc/stage_3_spn_deploys_uc/storage.tf:10-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/enable-requests-on-storage-logging-for-queue-service.html
10 | resource "azurerm_storage_account" "unity_catalog" {
11 | name = "${local.prefix}ucmetastore"
12 | resource_group_name = data.azurerm_resource_group.this.name
13 | location = data.azurerm_resource_group.this.location
14 | tags = data.azurerm_resource_group.this.tags
15 | account_tier = "Standard"
16 | account_replication_type = "ZRS"
17 | is_hns_enabled = true
18 |
19 | network_rules {
20 | default_action = "Deny"
21 | bypass = ["None"]
22 | private_link_access {
23 | endpoint_resource_id = azurerm_databricks_access_connector.unity.id
24 | }
25 | }
26 | }
Check: CKV_AZURE_43: "Ensure Storage Accounts adhere to the naming rules"
FAILED for resource: azurerm_storage_account.unity_catalog
File: /examples/adb-uc/stage_3_spn_deploys_uc/storage.tf:10-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-cognitive-services-account-encryption-cmks-are-enabled.html
10 | resource "azurerm_storage_account" "unity_catalog" {
11 | name = "${local.prefix}ucmetastore"
12 | resource_group_name = data.azurerm_resource_group.this.name
13 | location = data.azurerm_resource_group.this.location
14 | tags = data.azurerm_resource_group.this.tags
15 | account_tier = "Standard"
16 | account_replication_type = "ZRS"
17 | is_hns_enabled = true
18 |
19 | network_rules {
20 | default_action = "Deny"
21 | bypass = ["None"]
22 | private_link_access {
23 | endpoint_resource_id = azurerm_databricks_access_connector.unity.id
24 | }
25 | }
26 | }
Check: CKV_AZURE_59: "Ensure that Storage accounts disallow public access"
FAILED for resource: azurerm_storage_account.unity_catalog
File: /examples/adb-uc/stage_3_spn_deploys_uc/storage.tf:10-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-storage-accounts-disallow-public-access.html
10 | resource "azurerm_storage_account" "unity_catalog" {
11 | name = "${local.prefix}ucmetastore"
12 | resource_group_name = data.azurerm_resource_group.this.name
13 | location = data.azurerm_resource_group.this.location
14 | tags = data.azurerm_resource_group.this.tags
15 | account_tier = "Standard"
16 | account_replication_type = "ZRS"
17 | is_hns_enabled = true
18 |
19 | network_rules {
20 | default_action = "Deny"
21 | bypass = ["None"]
22 | private_link_access {
23 | endpoint_resource_id = azurerm_databricks_access_connector.unity.id
24 | }
25 | }
26 | }
Check: CKV_AZURE_36: "Ensure 'Trusted Microsoft Services' is enabled for Storage Account access"
FAILED for resource: azurerm_storage_account.unity_catalog
File: /examples/adb-uc/stage_3_spn_deploys_uc/storage.tf:10-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/enable-trusted-microsoft-services-for-storage-account-access.html
10 | resource "azurerm_storage_account" "unity_catalog" {
11 | name = "${local.prefix}ucmetastore"
12 | resource_group_name = data.azurerm_resource_group.this.name
13 | location = data.azurerm_resource_group.this.location
14 | tags = data.azurerm_resource_group.this.tags
15 | account_tier = "Standard"
16 | account_replication_type = "ZRS"
17 | is_hns_enabled = true
18 |
19 | network_rules {
20 | default_action = "Deny"
21 | bypass = ["None"]
22 | private_link_access {
23 | endpoint_resource_id = azurerm_databricks_access_connector.unity.id
24 | }
25 | }
26 | }
Check: CKV_AZURE_44: "Ensure Storage Account is using the latest version of TLS encryption"
FAILED for resource: module.metastore_and_users.azurerm_storage_account.unity_catalog
File: /examples/adb-unity-catalog-basic-demo/modules/metastore-and-users/main.tf:48-56
Calling File: /examples/adb-unity-catalog-basic-demo/main.tf:56-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-storage-policies/bc-azr-storage-2.html
48 | resource "azurerm_storage_account" "unity_catalog" {
49 | name = "${local.prefix}storageaccuc"
50 | resource_group_name = data.azurerm_resource_group.this.name
51 | location = data.azurerm_resource_group.this.location
52 | tags = data.azurerm_resource_group.this.tags
53 | account_tier = "Standard"
54 | account_replication_type = "LRS"
55 | is_hns_enabled = true
56 | }
Check: CKV_AZURE_206: "Ensure that Storage Accounts use replication"
FAILED for resource: module.metastore_and_users.azurerm_storage_account.unity_catalog
File: /examples/adb-unity-catalog-basic-demo/modules/metastore-and-users/main.tf:48-56
Calling File: /examples/adb-unity-catalog-basic-demo/main.tf:56-64
48 | resource "azurerm_storage_account" "unity_catalog" {
49 | name = "${local.prefix}storageaccuc"
50 | resource_group_name = data.azurerm_resource_group.this.name
51 | location = data.azurerm_resource_group.this.location
52 | tags = data.azurerm_resource_group.this.tags
53 | account_tier = "Standard"
54 | account_replication_type = "LRS"
55 | is_hns_enabled = true
56 | }
Check: CKV_AZURE_190: "Ensure that Storage blobs restrict public access"
FAILED for resource: module.metastore_and_users.azurerm_storage_account.unity_catalog
File: /examples/adb-unity-catalog-basic-demo/modules/metastore-and-users/main.tf:48-56
Calling File: /examples/adb-unity-catalog-basic-demo/main.tf:56-64
48 | resource "azurerm_storage_account" "unity_catalog" {
49 | name = "${local.prefix}storageaccuc"
50 | resource_group_name = data.azurerm_resource_group.this.name
51 | location = data.azurerm_resource_group.this.location
52 | tags = data.azurerm_resource_group.this.tags
53 | account_tier = "Standard"
54 | account_replication_type = "LRS"
55 | is_hns_enabled = true
56 | }
Check: CKV_AZURE_33: "Ensure Storage logging is enabled for Queue service for read, write and delete requests"
FAILED for resource: module.metastore_and_users.azurerm_storage_account.unity_catalog
File: /examples/adb-unity-catalog-basic-demo/modules/metastore-and-users/main.tf:48-56
Calling File: /examples/adb-unity-catalog-basic-demo/main.tf:56-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/enable-requests-on-storage-logging-for-queue-service.html
48 | resource "azurerm_storage_account" "unity_catalog" {
49 | name = "${local.prefix}storageaccuc"
50 | resource_group_name = data.azurerm_resource_group.this.name
51 | location = data.azurerm_resource_group.this.location
52 | tags = data.azurerm_resource_group.this.tags
53 | account_tier = "Standard"
54 | account_replication_type = "LRS"
55 | is_hns_enabled = true
56 | }
Check: CKV_AZURE_43: "Ensure Storage Accounts adhere to the naming rules"
FAILED for resource: module.metastore_and_users.azurerm_storage_account.unity_catalog
File: /examples/adb-unity-catalog-basic-demo/modules/metastore-and-users/main.tf:48-56
Calling File: /examples/adb-unity-catalog-basic-demo/main.tf:56-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-cognitive-services-account-encryption-cmks-are-enabled.html
48 | resource "azurerm_storage_account" "unity_catalog" {
49 | name = "${local.prefix}storageaccuc"
50 | resource_group_name = data.azurerm_resource_group.this.name
51 | location = data.azurerm_resource_group.this.location
52 | tags = data.azurerm_resource_group.this.tags
53 | account_tier = "Standard"
54 | account_replication_type = "LRS"
55 | is_hns_enabled = true
56 | }
Check: CKV_AZURE_59: "Ensure that Storage accounts disallow public access"
FAILED for resource: module.metastore_and_users.azurerm_storage_account.unity_catalog
File: /examples/adb-unity-catalog-basic-demo/modules/metastore-and-users/main.tf:48-56
Calling File: /examples/adb-unity-catalog-basic-demo/main.tf:56-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-storage-accounts-disallow-public-access.html
48 | resource "azurerm_storage_account" "unity_catalog" {
49 | name = "${local.prefix}storageaccuc"
50 | resource_group_name = data.azurerm_resource_group.this.name
51 | location = data.azurerm_resource_group.this.location
52 | tags = data.azurerm_resource_group.this.tags
53 | account_tier = "Standard"
54 | account_replication_type = "LRS"
55 | is_hns_enabled = true
56 | }
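Every `azurerm_storage_account` on this page fails the same cluster of checks (CKV_AZURE_44, 206, 190, 33, 59 and, for the two Unity Catalog accounts, 43 and 36), because each one sets only tier, replication and `is_hns_enabled` and leaves the security attributes at their provider defaults. The following is an added example of one account that addresses all of them, not code from the scanned repository. It uses the names from the `adb-uc` finding (`local.prefix`, `data.azurerm_resource_group.this`, `azurerm_databricks_access_connector.unity`); a private endpoint for the account is assumed to exist but is not shown.

```hcl
# Added example, not from databricks/terraform-databricks-examples.
# Assumes data.azurerm_resource_group.this, local.prefix and
# azurerm_databricks_access_connector.unity as in the scanned adb-uc example, and a
# private endpoint on the account (not shown) since public access is disabled.

resource "azurerm_storage_account" "unity_catalog" {
  # CKV_AZURE_43: names are 3-24 lowercase letters and digits. The scanner cannot
  # evaluate local.prefix, so sanitise it here instead of passing it through.
  name = substr(replace(lower("${local.prefix}ucmetastore"), "/[^a-z0-9]/", ""), 0, 24)

  resource_group_name = data.azurerm_resource_group.this.name
  location            = data.azurerm_resource_group.this.location
  tags                = data.azurerm_resource_group.this.tags
  account_tier        = "Standard"
  is_hns_enabled      = true

  # CKV_AZURE_206 expects geo-redundancy (GRS/RAGRS/GZRS/RAGZRS); LRS and ZRS both fail.
  account_replication_type = "GZRS"

  # CKV_AZURE_44
  min_tls_version = "TLS1_2"

  # CKV_AZURE_59: no public endpoint at all; CKV_AZURE_190: no anonymous blob/container ACLs.
  public_network_access_enabled   = false
  allow_nested_items_to_be_public = false

  # CKV_AZURE_36: default-deny firewall that still lets trusted Microsoft services
  # (and the Databricks access connector, via a resource instance rule) through.
  network_rules {
    default_action = "Deny"
    bypass         = ["AzureServices"]
    private_link_access {
      endpoint_resource_id = azurerm_databricks_access_connector.unity.id
    }
  }

  # CKV_AZURE_33: log read, write and delete requests against the queue service.
  queue_properties {
    logging {
      delete                = true
      read                  = true
      write                 = true
      version               = "1.0"
      retention_policy_days = 10
    }
  }
}
```

Two caveats. `public_network_access_enabled = false` means the account is reachable only through a private endpoint, so the Databricks workspace must have back-end Private Link to the storage account or clusters lose access to the metastore; the scanned `adb-uc` account only had a firewall rule, which CKV_AZURE_59 no longer accepts. And CKV_AZURE_33 asks for queue logging on an account that these examples use purely for ADLS Gen2; if the queue service is genuinely unused, a `#checkov:skip=CKV_AZURE_33:<reason>` comment inside the resource block with the reason recorded is a defensible alternative to enabling logging for a service nobody calls.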
Check: CKV_AZURE_158: "Ensure that databricks workspace has not public"
FAILED for resource: azurerm_databricks_workspace.example
File: /examples/adb-vnet-injection/workspace.tf:1-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-azure-databricks-workspace-is-not-public.html
1 | resource "azurerm_databricks_workspace" "example" {
2 | name = "${local.prefix}-workspace"
3 | resource_group_name = azurerm_resource_group.this.name
4 | location = azurerm_resource_group.this.location
5 | sku = "premium"
6 | tags = local.tags
7 |
8 | custom_parameters {
9 | no_public_ip = var.no_public_ip
10 | virtual_network_id = azurerm_virtual_network.this.id
11 | private_subnet_name = azurerm_subnet.private.name
12 | public_subnet_name = azurerm_subnet.public.name
13 | public_subnet_network_security_group_association_id = azurerm_subnet_network_security_group_association.public.id
14 | private_subnet_network_security_group_association_id = azurerm_subnet_network_security_group_association.private.id
15 | storage_account_name = local.dbfsname
16 | }
17 | # We need this, otherwise destroy doesn't cleanup things correctly
18 | depends_on = [
19 | azurerm_subnet_network_security_group_association.public,
20 | azurerm_subnet_network_security_group_association.private
21 | ]
22 | }
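CKV_AZURE_158 is raised three times on this page (`adb-squid-proxy`, `adb-teradata` and this `adb-vnet-injection` workspace). The check looks for `public_network_access_enabled = false` on `azurerm_databricks_workspace`; `no_public_ip` under `custom_parameters` is a different control (secure cluster connectivity for the cluster nodes) and does not satisfy it. Disabling public network access removes the internet path to the workspace UI and REST API, so it only works together with a front-end private endpoint. The following is an added example, not the repository's code. It keeps the resource names from the finding above and assumes a hypothetical `azurerm_subnet.privatelink` for the private endpoint.

```hcl
# Added example, not from databricks/terraform-databricks-examples.
# Assumes the VNet, subnets, NSG associations, local.prefix, local.tags and
# local.dbfsname from the scanned adb-vnet-injection example, plus a hypothetical
# dedicated subnet azurerm_subnet.privatelink for the private endpoint.

resource "azurerm_databricks_workspace" "example" {
  name                = "${local.prefix}-workspace"
  resource_group_name = azurerm_resource_group.this.name
  location            = azurerm_resource_group.this.location
  sku                 = "premium" # Private Link requires the premium SKU
  tags                = local.tags

  # CKV_AZURE_158: UI and API are unreachable from the public internet.
  public_network_access_enabled = false

  custom_parameters {
    # Secure cluster connectivity: no public IPs on cluster nodes. Left as a constant
    # rather than a variable so it cannot be switched off per deployment.
    no_public_ip                                         = true
    virtual_network_id                                   = azurerm_virtual_network.this.id
    private_subnet_name                                  = azurerm_subnet.private.name
    public_subnet_name                                   = azurerm_subnet.public.name
    public_subnet_network_security_group_association_id  = azurerm_subnet_network_security_group_association.public.id
    private_subnet_network_security_group_association_id = azurerm_subnet_network_security_group_association.private.id
    storage_account_name                                 = local.dbfsname
  }

  # Needed so destroy removes the NSG associations in the right order.
  depends_on = [
    azurerm_subnet_network_security_group_association.public,
    azurerm_subnet_network_security_group_association.private
  ]
}

# Front-end private endpoint: with public access off, this is the only path to the
# workspace UI/API, and users must resolve the workspace hostname to it.
resource "azurerm_private_endpoint" "workspace_ui" {
  name                = "${local.prefix}-pe-ui"
  location            = azurerm_resource_group.this.location
  resource_group_name = azurerm_resource_group.this.name
  subnet_id           = azurerm_subnet.privatelink.id

  private_service_connection {
    name                           = "${local.prefix}-psc-ui"
    private_connection_resource_id = azurerm_databricks_workspace.example.id
    is_manual_connection           = false
    subresource_names              = ["databricks_ui_api"]
  }
}
```

The private endpoint is only useful if the `privatelink.azuredatabricks.net` private DNS zone is linked to the network users connect from (VPN or ExpressRoute); without that record, browsers still resolve the public address and are refused. Apply this to the squid and teradata examples with the same two attributes; the rest of their workspace blocks can stay as they are.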
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.public_subnets[0]
File: /examples/aws-databricks-flat/networks_special.tf:13-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
13 | resource "aws_subnet" "public_subnets" {
14 | count = length(var.public_subnets_cidr)
15 | vpc_id = aws_vpc.mainvpc.id
16 | cidr_block = var.public_subnets_cidr[count.index]
17 | availability_zone = data.aws_availability_zones.available.names[count.index]
18 | map_public_ip_on_launch = true
19 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.test_sg
File: /examples/aws-databricks-flat/networks_special.tf:56-74
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
56 | resource "aws_security_group" "test_sg" {
57 | name = "default-security-group-${local.prefix}"
58 | description = "Default security group for ${local.prefix}"
59 | vpc_id = aws_vpc.mainvpc.id
60 |
61 | ingress {
62 | from_port = 0
63 | to_port = 0
64 | protocol = -1
65 | self = true
66 | }
67 |
68 | egress {
69 | from_port = 0
70 | to_port = 0
71 | protocol = "-1"
72 | cidr_blocks = ["0.0.0.0/0"]
73 | }
74 | }
Check: CKV_AWS_53: "Ensure S3 bucket has block public ACLS enabled"
FAILED for resource: aws_s3_bucket_public_access_block.root_storage_bucket
File: /examples/aws-databricks-flat/rootbucket.tf:13-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/bc-aws-s3-19.html
13 | resource "aws_s3_bucket_public_access_block" "root_storage_bucket" {
14 | bucket = aws_s3_bucket.root_storage_bucket.id
15 | ignore_public_acls = true
16 | depends_on = [aws_s3_bucket.root_storage_bucket]
17 | }
Check: CKV_AWS_56: "Ensure S3 bucket has 'restrict_public_bucket' enabled"
FAILED for resource: aws_s3_bucket_public_access_block.root_storage_bucket
File: /examples/aws-databricks-flat/rootbucket.tf:13-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/bc-aws-s3-22.html
13 | resource "aws_s3_bucket_public_access_block" "root_storage_bucket" {
14 | bucket = aws_s3_bucket.root_storage_bucket.id
15 | ignore_public_acls = true
16 | depends_on = [aws_s3_bucket.root_storage_bucket]
17 | }
Check: CKV_AWS_54: "Ensure S3 bucket has block public policy enabled"
FAILED for resource: aws_s3_bucket_public_access_block.root_storage_bucket
File: /examples/aws-databricks-flat/rootbucket.tf:13-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/bc-aws-s3-20.html
13 | resource "aws_s3_bucket_public_access_block" "root_storage_bucket" {
14 | bucket = aws_s3_bucket.root_storage_bucket.id
15 | ignore_public_acls = true
16 | depends_on = [aws_s3_bucket.root_storage_bucket]
17 | }
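The five `aws-databricks-flat` findings above are small omissions in three resources: a public subnet that hands every instance a public IP, security group rules without descriptions, and an `aws_s3_bucket_public_access_block` that sets only one of its four flags, which leaves the workspace root bucket open to a public bucket policy or a public ACL applied later. The following is an added example showing the three resources corrected, not code from the scanned repository; it reuses the names from the findings (`var.public_subnets_cidr`, `aws_vpc.mainvpc`, `local.prefix`, `aws_s3_bucket.root_storage_bucket`).

```hcl
# Added example, not from databricks/terraform-databricks-examples.
# Uses the variable and resource names from the scanned aws-databricks-flat example.

resource "aws_subnet" "public_subnets" {
  count             = length(var.public_subnets_cidr)
  vpc_id            = aws_vpc.mainvpc.id
  cidr_block        = var.public_subnets_cidr[count.index]
  availability_zone = data.aws_availability_zones.available.names[count.index]

  # CKV_AWS_130: instances get a public IP only when one is requested explicitly.
  # Databricks cluster nodes belong in private subnets behind a NAT gateway anyway;
  # the public subnet should only host the NAT gateway itself.
  map_public_ip_on_launch = false
}

resource "aws_security_group" "test_sg" {
  name        = "default-security-group-${local.prefix}"
  description = "Default security group for ${local.prefix}"
  vpc_id      = aws_vpc.mainvpc.id

  # CKV_AWS_23 wants a description on every rule; it also documents why a
  # self-referencing any/any rule is acceptable here.
  ingress {
    description = "All traffic between Databricks cluster nodes in this group"
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    self        = true
  }

  egress {
    description = "Outbound to the Databricks control plane, S3 and package repositories"
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_s3_bucket_public_access_block" "root_storage_bucket" {
  bucket = aws_s3_bucket.root_storage_bucket.id

  # All four flags together are what "block public access" means; setting only
  # ignore_public_acls (as in the scanned file) still allows a public bucket policy.
  block_public_acls       = true # CKV_AWS_53
  block_public_policy     = true # CKV_AWS_54
  ignore_public_acls      = true
  restrict_public_buckets = true # CKV_AWS_56
}
```

`block_public_policy` does not interfere with the root bucket policy Databricks requires: that policy grants access to a specific Databricks account principal, not to `*`, and only policies granting public access are rejected. The `depends_on` in the scanned block is redundant, since referencing `aws_s3_bucket.root_storage_bucket.id` already orders the two resources.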
Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
FAILED for resource: module.databricks_cmk.aws_iam_policy_document.databricks_managed_services_cmk
File: /examples/aws-databricks-modular-privatelink/modules/databricks_cmk/data.tf:1-26
Calling File: /examples/aws-databricks-modular-privatelink/main.tf:20-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint.html
1 | data "aws_iam_policy_document" "databricks_managed_services_cmk" {
2 | version = "2012-10-17"
3 | statement {
4 | sid = "Enable IAM User Permissions"
5 | effect = "Allow"
6 | principals {
7 | type = "AWS"
8 | identifiers = [var.cmk_admin]
9 | }
10 | actions = ["kms:*"]
11 | resources = ["*"]
12 | }
13 | statement {
14 | sid = "Allow Databricks to use KMS key for control plane managed services"
15 | effect = "Allow"
16 | principals {
17 | type = "AWS"
18 | identifiers = ["arn:aws:iam::414351767826:root"]
19 | }
20 | actions = [
21 | "kms:Encrypt",
22 | "kms:Decrypt"
23 | ]
24 | resources = ["*"]
25 | }
26 | }
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: module.databricks_cmk.aws_iam_policy_document.databricks_managed_services_cmk
File: /examples/aws-databricks-modular-privatelink/modules/databricks_cmk/data.tf:1-26
Calling File: /examples/aws-databricks-modular-privatelink/main.tf:20-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html
1 | data "aws_iam_policy_document" "databricks_managed_services_cmk" {
2 | version = "2012-10-17"
3 | statement {
4 | sid = "Enable IAM User Permissions"
5 | effect = "Allow"
6 | principals {
7 | type = "AWS"
8 | identifiers = [var.cmk_admin]
9 | }
10 | actions = ["kms:*"]
11 | resources = ["*"]
12 | }
13 | statement {
14 | sid = "Allow Databricks to use KMS key for control plane managed services"
15 | effect = "Allow"
16 | principals {
17 | type = "AWS"
18 | identifiers = ["arn:aws:iam::414351767826:root"]
19 | }
20 | actions = [
21 | "kms:Encrypt",
22 | "kms:Decrypt"
23 | ]
24 | resources = ["*"]
25 | }
26 | }
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: module.databricks_cmk.aws_iam_policy_document.databricks_managed_services_cmk
File: /examples/aws-databricks-modular-privatelink/modules/databricks_cmk/data.tf:1-26
Calling File: /examples/aws-databricks-modular-privatelink/main.tf:20-26
1 | data "aws_iam_policy_document" "databricks_managed_services_cmk" {
2 | version = "2012-10-17"
3 | statement {
4 | sid = "Enable IAM User Permissions"
5 | effect = "Allow"
6 | principals {
7 | type = "AWS"
8 | identifiers = [var.cmk_admin]
9 | }
10 | actions = ["kms:*"]
11 | resources = ["*"]
12 | }
13 | statement {
14 | sid = "Allow Databricks to use KMS key for control plane managed services"
15 | effect = "Allow"
16 | principals {
17 | type = "AWS"
18 | identifiers = ["arn:aws:iam::414351767826:root"]
19 | }
20 | actions = [
21 | "kms:Encrypt",
22 | "kms:Decrypt"
23 | ]
24 | resources = ["*"]
25 | }
26 | }
Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
FAILED for resource: module.databricks_cmk.aws_iam_policy_document.databricks_storage_cmk
File: /examples/aws-databricks-modular-privatelink/modules/databricks_cmk/data.tf:28-95
Calling File: /examples/aws-databricks-modular-privatelink/main.tf:20-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: module.databricks_cmk.aws_iam_policy_document.databricks_storage_cmk
File: /examples/aws-databricks-modular-privatelink/modules/databricks_cmk/data.tf:28-95
Calling File: /examples/aws-databricks-modular-privatelink/main.tf:20-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: module.databricks_cmk.aws_iam_policy_document.databricks_storage_cmk
File: /examples/aws-databricks-modular-privatelink/modules/databricks_cmk/data.tf:28-95
Calling File: /examples/aws-databricks-modular-privatelink/main.tf:20-26
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_7: "Ensure rotation for customer created CMKs is enabled"
FAILED for resource: module.databricks_cmk.aws_kms_key.workspace_storage_cmk
File: /examples/aws-databricks-modular-privatelink/modules/databricks_cmk/main.tf:1-6
Calling File: /examples/aws-databricks-modular-privatelink/main.tf:20-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-8.html
1 | resource "aws_kms_key" "workspace_storage_cmk" {
2 | policy = data.aws_iam_policy_document.databricks_storage_cmk.json
3 | tags = {
4 | Name = "${var.resource_prefix}-${var.region}-ws-cmk"
5 | }
6 | }
Check: CKV_AWS_7: "Ensure rotation for customer created CMKs is enabled"
FAILED for resource: module.databricks_cmk.aws_kms_key.managed_services_cmk
File: /examples/aws-databricks-modular-privatelink/modules/databricks_cmk/main.tf:13-18
Calling File: /examples/aws-databricks-modular-privatelink/main.tf:20-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-8.html
13 | resource "aws_kms_key" "managed_services_cmk" {
14 | policy = data.aws_iam_policy_document.databricks_managed_services_cmk.json
15 | tags = {
16 | Name = "${var.resource_prefix}-${var.region}-ms-cmk"
17 | }
18 | }
Check: CKV_AWS_53: "Ensure S3 bucket has block public ACLS enabled"
FAILED for resource: module.workspace_collection["workspace_1"].module.my_root_bucket.aws_s3_bucket_public_access_block.root_storage_bucket
File: /examples/aws-databricks-modular-privatelink/modules/mws_workspace/modules/mws_storage/main.tf:11-15
Calling File: /examples/aws-databricks-modular-privatelink/modules/mws_workspace/main.tf:15-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/bc-aws-s3-19.html
11 | resource "aws_s3_bucket_public_access_block" "root_storage_bucket" {
12 | bucket = aws_s3_bucket.root_storage_bucket.id
13 | ignore_public_acls = true
14 | depends_on = [aws_s3_bucket.root_storage_bucket]
15 | }
Check: CKV_AWS_56: "Ensure S3 bucket has 'restrict_public_bucket' enabled"
FAILED for resource: module.workspace_collection["workspace_1"].module.my_root_bucket.aws_s3_bucket_public_access_block.root_storage_bucket
File: /examples/aws-databricks-modular-privatelink/modules/mws_workspace/modules/mws_storage/main.tf:11-15
Calling File: /examples/aws-databricks-modular-privatelink/modules/mws_workspace/main.tf:15-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/bc-aws-s3-22.html
11 | resource "aws_s3_bucket_public_access_block" "root_storage_bucket" {
12 | bucket = aws_s3_bucket.root_storage_bucket.id
13 | ignore_public_acls = true
14 | depends_on = [aws_s3_bucket.root_storage_bucket]
15 | }
Check: CKV_AWS_54: "Ensure S3 bucket has block public policy enabled"
FAILED for resource: module.workspace_collection["workspace_1"].module.my_root_bucket.aws_s3_bucket_public_access_block.root_storage_bucket
File: /examples/aws-databricks-modular-privatelink/modules/mws_workspace/modules/mws_storage/main.tf:11-15
Calling File: /examples/aws-databricks-modular-privatelink/modules/mws_workspace/main.tf:15-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/bc-aws-s3-20.html
11 | resource "aws_s3_bucket_public_access_block" "root_storage_bucket" {
12 | bucket = aws_s3_bucket.root_storage_bucket.id
13 | ignore_public_acls = true
14 | depends_on = [aws_s3_bucket.root_storage_bucket]
15 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.privatelink
File: /examples/aws-databricks-modular-privatelink/privatelink.tf:42-80
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
42 | resource "aws_security_group" "privatelink" {
43 | vpc_id = aws_vpc.mainvpc.id
44 |
45 | ingress {
46 | description = "Inbound rules"
47 | from_port = 443
48 | to_port = 443
49 | protocol = "tcp"
50 | security_groups = [aws_security_group.sg.id]
51 | }
52 |
53 | ingress {
54 | description = "Inbound rules"
55 | from_port = 6666
56 | to_port = 6666
57 | protocol = "tcp"
58 | security_groups = [aws_security_group.sg.id]
59 | }
60 |
61 | egress {
62 | description = "Outbound rules"
63 | from_port = 443
64 | to_port = 443
65 | protocol = "tcp"
66 | security_groups = [aws_security_group.sg.id]
67 | }
68 |
69 | egress {
70 | description = "Outbound rules"
71 | from_port = 6666
72 | to_port = 6666
73 | protocol = "tcp"
74 | security_groups = [aws_security_group.sg.id]
75 | }
76 |
77 | tags = {
78 | Name = "${local.prefix}-privatelink-sg"
79 | }
80 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.public_subnets[0]
File: /examples/aws-databricks-modular-privatelink/vpc.tf:14-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
14 | resource "aws_subnet" "public_subnets" {
15 | count = length(var.public_subnets_cidr)
16 | vpc_id = aws_vpc.mainvpc.id
17 | cidr_block = var.public_subnets_cidr[count.index]
18 | availability_zone = data.aws_availability_zones.available.names[count.index]
19 | map_public_ip_on_launch = true
20 |
21 | tags = merge(var.tags, {
22 | Name = "${local.prefix}-${aws_vpc.mainvpc.id}-public-subnet"
23 | })
24 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.sg
File: /examples/aws-databricks-modular-privatelink/vpc.tf:101-139
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
101 | resource "aws_security_group" "sg" {
102 | vpc_id = aws_vpc.mainvpc.id
103 | depends_on = [aws_vpc.mainvpc]
104 | name = "databricks-vpc-security-group-${local.prefix}"
105 | description = "databricks vpc security group for ${local.prefix}"
106 |
107 | dynamic "ingress" {
108 | for_each = local.sg_ingress_protocol
109 | content {
110 | from_port = 0
111 | to_port = 65535
112 | protocol = ingress.value
113 | self = true
114 | }
115 | }
116 |
117 | dynamic "egress" {
118 | for_each = local.sg_egress_protocol
119 | content {
120 | from_port = 0
121 | to_port = 65535
122 | protocol = egress.value
123 | self = true
124 | }
125 | }
126 |
127 | dynamic "egress" {
128 | for_each = local.sg_egress_ports
129 | content {
130 | from_port = egress.value
131 | to_port = egress.value
132 | protocol = "tcp"
133 | cidr_blocks = ["0.0.0.0/0"]
134 | }
135 | }
136 | tags = {
137 | Name = "${local.prefix}-dataplane-sg"
138 | }
139 | }
Check: CKV_AWS_53: "Ensure S3 bucket has block public ACLS enabled"
FAILED for resource: aws_s3_bucket_public_access_block.external
File: /examples/aws-databricks-uc/unity_catalog_infra.tf:116-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/bc-aws-s3-19.html
116 | resource "aws_s3_bucket_public_access_block" "external" {
117 | bucket = aws_s3_bucket.external.id
118 | ignore_public_acls = true
119 | depends_on = [aws_s3_bucket.external]
120 | }
Check: CKV_AWS_56: "Ensure S3 bucket has 'restrict_public_bucket' enabled"
FAILED for resource: aws_s3_bucket_public_access_block.external
File: /examples/aws-databricks-uc/unity_catalog_infra.tf:116-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/bc-aws-s3-22.html
116 | resource "aws_s3_bucket_public_access_block" "external" {
117 | bucket = aws_s3_bucket.external.id
118 | ignore_public_acls = true
119 | depends_on = [aws_s3_bucket.external]
120 | }
Check: CKV_AWS_54: "Ensure S3 bucket has block public policy enabled"
FAILED for resource: aws_s3_bucket_public_access_block.external
File: /examples/aws-databricks-uc/unity_catalog_infra.tf:116-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/bc-aws-s3-20.html
116 | resource "aws_s3_bucket_public_access_block" "external" {
117 | bucket = aws_s3_bucket.external.id
118 | ignore_public_acls = true
119 | depends_on = [aws_s3_bucket.external]
120 | }
Check: CKV_AWS_119: "Ensure DynamoDB Tables are encrypted using a KMS Customer Managed CMK"
FAILED for resource: aws_dynamodb_table.terraform_locks
File: /examples/aws-remote-backend-infra/main.tf:32-40
Guide: https://docs.bridgecrew.io/docs/ensure-that-dynamodb-tables-are-encrypted
32 | resource "aws_dynamodb_table" "terraform_locks" {
33 | name = var.dynamodb_table
34 | billing_mode = "PAY_PER_REQUEST"
35 | hash_key = "LockID"
36 | attribute {
37 | name = "LockID"
38 | type = "S"
39 | }
40 | }
Check: CKV_AWS_28: "Ensure Dynamodb point in time recovery (backup) is enabled"
FAILED for resource: aws_dynamodb_table.terraform_locks
File: /examples/aws-remote-backend-infra/main.tf:32-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-6.html
32 | resource "aws_dynamodb_table" "terraform_locks" {
33 | name = var.dynamodb_table
34 | billing_mode = "PAY_PER_REQUEST"
35 | hash_key = "LockID"
36 | attribute {
37 | name = "LockID"
38 | type = "S"
39 | }
40 | }
Check: CKV_AWS_119: "Ensure DynamoDB Tables are encrypted using a KMS Customer Managed CMK"
FAILED for resource: aws_dynamodb_table.terraform_locks_databricks_project
File: /examples/aws-remote-backend-infra/main.tf:42-50
Guide: https://docs.bridgecrew.io/docs/ensure-that-dynamodb-tables-are-encrypted
42 | resource "aws_dynamodb_table" "terraform_locks_databricks_project" {
43 | name = var.dynamodb_table_databricks_project
44 | billing_mode = "PAY_PER_REQUEST"
45 | hash_key = "LockID"
46 | attribute {
47 | name = "LockID"
48 | type = "S"
49 | }
50 | }
Check: CKV_AWS_28: "Ensure Dynamodb point in time recovery (backup) is enabled"
FAILED for resource: aws_dynamodb_table.terraform_locks_databricks_project
File: /examples/aws-remote-backend-infra/main.tf:42-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-6.html
42 | resource "aws_dynamodb_table" "terraform_locks_databricks_project" {
43 | name = var.dynamodb_table_databricks_project
44 | billing_mode = "PAY_PER_REQUEST"
45 | hash_key = "LockID"
46 | attribute {
47 | name = "LockID"
48 | type = "S"
49 | }
50 | }
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: google_compute_subnetwork.network-with-private-secondary-ip-ranges
File: /examples/gcp-byovpc/vpc.tf:7-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
7 | resource "google_compute_subnetwork" "network-with-private-secondary-ip-ranges" {
8 | name = var.subnet_name
9 | ip_cidr_range = var.subnet_ip_cidr_range
10 | region = var.google_region
11 | network = google_compute_network.dbx_private_vpc.id
12 | secondary_ip_range {
13 | range_name = "pods"
14 | ip_cidr_range = var.pod_ip_cidr_range
15 | }
16 | secondary_ip_range {
17 | range_name = "svc"
18 | ip_cidr_range = var.svc_ip_cidr_range
19 | }
20 | private_ip_google_access = true
21 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: google_compute_subnetwork.network-with-private-secondary-ip-ranges
File: /examples/gcp-byovpc/vpc.tf:7-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
7 | resource "google_compute_subnetwork" "network-with-private-secondary-ip-ranges" {
8 | name = var.subnet_name
9 | ip_cidr_range = var.subnet_ip_cidr_range
10 | region = var.google_region
11 | network = google_compute_network.dbx_private_vpc.id
12 | secondary_ip_range {
13 | range_name = "pods"
14 | ip_cidr_range = var.pod_ip_cidr_range
15 | }
16 | secondary_ip_range {
17 | range_name = "svc"
18 | ip_cidr_range = var.svc_ip_cidr_range
19 | }
20 | private_ip_google_access = true
21 | }
Check: CKV_AZURE_219: "Ensure Firewall defines a firewall policy"
FAILED for resource: azurerm_firewall.hubfw
File: /modules/adb-exfiltration-protection/firewall.tf:9-21
9 | resource "azurerm_firewall" "hubfw" {
10 | name = "hubfirewall"
11 | location = azurerm_resource_group.this.location
12 | resource_group_name = azurerm_resource_group.this.name
13 | sku_name = "AZFW_VNet"
14 | sku_tier = "Standard"
15 |
16 | ip_configuration {
17 | name = "configuration"
18 | subnet_id = azurerm_subnet.hubfw.id
19 | public_ip_address_id = azurerm_public_ip.fwpublicip.id
20 | }
21 | }
Check: CKV_AZURE_216: "Ensure DenyIntelMode is set to Deny for Azure Firewalls"
FAILED for resource: azurerm_firewall.hubfw
File: /modules/adb-exfiltration-protection/firewall.tf:9-21
9 | resource "azurerm_firewall" "hubfw" {
10 | name = "hubfirewall"
11 | location = azurerm_resource_group.this.location
12 | resource_group_name = azurerm_resource_group.this.name
13 | sku_name = "AZFW_VNet"
14 | sku_tier = "Standard"
15 |
16 | ip_configuration {
17 | name = "configuration"
18 | subnet_id = azurerm_subnet.hubfw.id
19 | public_ip_address_id = azurerm_public_ip.fwpublicip.id
20 | }
21 | }
Check: CKV_AZURE_44: "Ensure Storage Account is using the latest version of TLS encryption"
FAILED for resource: azurerm_storage_account.allowedstorage
File: /modules/adb-exfiltration-protection/storage.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-storage-policies/bc-azr-storage-2.html
1 | resource "azurerm_storage_account" "allowedstorage" {
2 | name = "${random_string.naming.result}allowedstorage"
3 | resource_group_name = azurerm_resource_group.this.name
4 |
5 | location = azurerm_resource_group.this.location
6 | account_tier = "Standard"
7 | account_replication_type = "LRS"
8 | is_hns_enabled = true
9 | tags = local.tags
10 | }
Check: CKV_AZURE_206: "Ensure that Storage Accounts use replication"
FAILED for resource: azurerm_storage_account.allowedstorage
File: /modules/adb-exfiltration-protection/storage.tf:1-10
1 | resource "azurerm_storage_account" "allowedstorage" {
2 | name = "${random_string.naming.result}allowedstorage"
3 | resource_group_name = azurerm_resource_group.this.name
4 |
5 | location = azurerm_resource_group.this.location
6 | account_tier = "Standard"
7 | account_replication_type = "LRS"
8 | is_hns_enabled = true
9 | tags = local.tags
10 | }
Check: CKV_AZURE_190: "Ensure that Storage blobs restrict public access"
FAILED for resource: azurerm_storage_account.allowedstorage
File: /modules/adb-exfiltration-protection/storage.tf:1-10
1 | resource "azurerm_storage_account" "allowedstorage" {
2 | name = "${random_string.naming.result}allowedstorage"
3 | resource_group_name = azurerm_resource_group.this.name
4 |
5 | location = azurerm_resource_group.this.location
6 | account_tier = "Standard"
7 | account_replication_type = "LRS"
8 | is_hns_enabled = true
9 | tags = local.tags
10 | }
Check: CKV_AZURE_33: "Ensure Storage logging is enabled for Queue service for read, write and delete requests"
FAILED for resource: azurerm_storage_account.allowedstorage
File: /modules/adb-exfiltration-protection/storage.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/enable-requests-on-storage-logging-for-queue-service.html
1 | resource "azurerm_storage_account" "allowedstorage" {
2 | name = "${random_string.naming.result}allowedstorage"
3 | resource_group_name = azurerm_resource_group.this.name
4 |
5 | location = azurerm_resource_group.this.location
6 | account_tier = "Standard"
7 | account_replication_type = "LRS"
8 | is_hns_enabled = true
9 | tags = local.tags
10 | }
Check: CKV_AZURE_59: "Ensure that Storage accounts disallow public access"
FAILED for resource: azurerm_storage_account.allowedstorage
File: /modules/adb-exfiltration-protection/storage.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-storage-accounts-disallow-public-access.html
1 | resource "azurerm_storage_account" "allowedstorage" {
2 | name = "${random_string.naming.result}allowedstorage"
3 | resource_group_name = azurerm_resource_group.this.name
4 |
5 | location = azurerm_resource_group.this.location
6 | account_tier = "Standard"
7 | account_replication_type = "LRS"
8 | is_hns_enabled = true
9 | tags = local.tags
10 | }
Check: CKV_AZURE_44: "Ensure Storage Account is using the latest version of TLS encryption"
FAILED for resource: azurerm_storage_account.deniedstorage
File: /modules/adb-exfiltration-protection/storage.tf:13-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-storage-policies/bc-azr-storage-2.html
13 | resource "azurerm_storage_account" "deniedstorage" {
14 | name = "${random_string.naming.result}deniedstorage"
15 | resource_group_name = azurerm_resource_group.this.name
16 |
17 | location = azurerm_resource_group.this.location
18 | account_tier = "Standard"
19 | account_replication_type = "LRS"
20 | is_hns_enabled = true
21 | tags = local.tags
22 | }
Check: CKV_AZURE_206: "Ensure that Storage Accounts use replication"
FAILED for resource: azurerm_storage_account.deniedstorage
File: /modules/adb-exfiltration-protection/storage.tf:13-22
13 | resource "azurerm_storage_account" "deniedstorage" {
14 | name = "${random_string.naming.result}deniedstorage"
15 | resource_group_name = azurerm_resource_group.this.name
16 |
17 | location = azurerm_resource_group.this.location
18 | account_tier = "Standard"
19 | account_replication_type = "LRS"
20 | is_hns_enabled = true
21 | tags = local.tags
22 | }
Check: CKV_AZURE_190: "Ensure that Storage blobs restrict public access"
FAILED for resource: azurerm_storage_account.deniedstorage
File: /modules/adb-exfiltration-protection/storage.tf:13-22
13 | resource "azurerm_storage_account" "deniedstorage" {
14 | name = "${random_string.naming.result}deniedstorage"
15 | resource_group_name = azurerm_resource_group.this.name
16 |
17 | location = azurerm_resource_group.this.location
18 | account_tier = "Standard"
19 | account_replication_type = "LRS"
20 | is_hns_enabled = true
21 | tags = local.tags
22 | }
Check: CKV_AZURE_33: "Ensure Storage logging is enabled for Queue service for read, write and delete requests"
FAILED for resource: azurerm_storage_account.deniedstorage
File: /modules/adb-exfiltration-protection/storage.tf:13-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/enable-requests-on-storage-logging-for-queue-service.html
13 | resource "azurerm_storage_account" "deniedstorage" {
14 | name = "${random_string.naming.result}deniedstorage"
15 | resource_group_name = azurerm_resource_group.this.name
16 |
17 | location = azurerm_resource_group.this.location
18 | account_tier = "Standard"
19 | account_replication_type = "LRS"
20 | is_hns_enabled = true
21 | tags = local.tags
22 | }
Check: CKV_AZURE_59: "Ensure that Storage accounts disallow public access"
FAILED for resource: azurerm_storage_account.deniedstorage
File: /modules/adb-exfiltration-protection/storage.tf:13-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-storage-accounts-disallow-public-access.html
13 | resource "azurerm_storage_account" "deniedstorage" {
14 | name = "${random_string.naming.result}deniedstorage"
15 | resource_group_name = azurerm_resource_group.this.name
16 |
17 | location = azurerm_resource_group.this.location
18 | account_tier = "Standard"
19 | account_replication_type = "LRS"
20 | is_hns_enabled = true
21 | tags = local.tags
22 | }
Check: CKV_AZURE_158: "Ensure that databricks workspace has not public"
FAILED for resource: azurerm_databricks_workspace.this
File: /modules/adb-exfiltration-protection/workspace.tf:1-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-azure-databricks-workspace-is-not-public.html
1 | resource "azurerm_databricks_workspace" "this" {
2 | name = "${local.prefix}-workspace"
3 | resource_group_name = azurerm_resource_group.this.name
4 | location = azurerm_resource_group.this.location
5 | sku = "premium"
6 | tags = local.tags
7 | //infrastructure_encryption_enabled = true
8 | custom_parameters {
9 | no_public_ip = var.no_public_ip
10 | virtual_network_id = azurerm_virtual_network.this.id
11 | private_subnet_name = azurerm_subnet.private.name
12 | public_subnet_name = azurerm_subnet.public.name
13 | public_subnet_network_security_group_association_id = azurerm_subnet_network_security_group_association.public.id
14 | private_subnet_network_security_group_association_id = azurerm_subnet_network_security_group_association.private.id
15 | storage_account_name = local.dbfsname
16 | }
17 | # We need this, otherwise destroy doesn't cleanup things correctly
18 | depends_on = [
19 | azurerm_subnet_network_security_group_association.public,
20 | azurerm_subnet_network_security_group_association.private
21 | ]
22 | }
Check: CKV_AZURE_104: "Ensure that Azure Data factory public network access is disabled"
FAILED for resource: module.adb-lakehouse.azurerm_data_factory.adf[0]
File: /modules/adb-lakehouse/azure_data_factory.tf:1-8
Calling File: /examples/adb-lakehouse/main.tf:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-azure-data-factory-public-network-access-is-disabled.html
1 | resource "azurerm_data_factory" "adf" {
2 | count = var.data_factory_name != "" ? 1 : 0
3 |
4 | name = var.data_factory_name
5 | location = var.location
6 | resource_group_name = azurerm_resource_group.this.name
7 | tags = var.tags
8 | }
Check: CKV_AZURE_103: "Ensure that Azure Data Factory uses Git repository for source control"
FAILED for resource: module.adb-lakehouse.azurerm_data_factory.adf[0]
File: /modules/adb-lakehouse/azure_data_factory.tf:1-8
Calling File: /examples/adb-lakehouse/main.tf:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-azure-data-factory-uses-git-repository-for-source-control.html
1 | resource "azurerm_data_factory" "adf" {
2 | count = var.data_factory_name != "" ? 1 : 0
3 |
4 | name = var.data_factory_name
5 | location = var.location
6 | resource_group_name = azurerm_resource_group.this.name
7 | tags = var.tags
8 | }
Check: CKV_AZURE_109: "Ensure that key vault allows firewall rules settings"
FAILED for resource: module.adb-lakehouse.azurerm_key_vault.example
File: /modules/adb-lakehouse/key_vault.tf:1-11
Calling File: /examples/adb-lakehouse/main.tf:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-key-vault-allows-firewall-rules-settings.html
1 | resource "azurerm_key_vault" "example" {
2 | name = var.key_vault_name
3 | location = var.location
4 | resource_group_name = azurerm_resource_group.this.name
5 | enabled_for_disk_encryption = true
6 | tenant_id = data.azurerm_client_config.current.tenant_id
7 | soft_delete_retention_days = 7
8 | purge_protection_enabled = false
9 | sku_name = "standard"
10 | tags = var.tags
11 | }
Check: CKV_AZURE_42: "Ensure the key vault is recoverable"
FAILED for resource: module.adb-lakehouse.azurerm_key_vault.example
File: /modules/adb-lakehouse/key_vault.tf:1-11
Calling File: /examples/adb-lakehouse/main.tf:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-the-key-vault-is-recoverable.html
1 | resource "azurerm_key_vault" "example" {
2 | name = var.key_vault_name
3 | location = var.location
4 | resource_group_name = azurerm_resource_group.this.name
5 | enabled_for_disk_encryption = true
6 | tenant_id = data.azurerm_client_config.current.tenant_id
7 | soft_delete_retention_days = 7
8 | purge_protection_enabled = false
9 | sku_name = "standard"
10 | tags = var.tags
11 | }
Check: CKV_AZURE_189: "Ensure that Azure Key Vault disables public network access"
FAILED for resource: module.adb-lakehouse.azurerm_key_vault.example
File: /modules/adb-lakehouse/key_vault.tf:1-11
Calling File: /examples/adb-lakehouse/main.tf:1-19
1 | resource "azurerm_key_vault" "example" {
2 | name = var.key_vault_name
3 | location = var.location
4 | resource_group_name = azurerm_resource_group.this.name
5 | enabled_for_disk_encryption = true
6 | tenant_id = data.azurerm_client_config.current.tenant_id
7 | soft_delete_retention_days = 7
8 | purge_protection_enabled = false
9 | sku_name = "standard"
10 | tags = var.tags
11 | }
Check: CKV_AZURE_110: "Ensure that key vault enables purge protection"
FAILED for resource: module.adb-lakehouse.azurerm_key_vault.example
File: /modules/adb-lakehouse/key_vault.tf:1-11
Calling File: /examples/adb-lakehouse/main.tf:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-enables-purge-protection.html
1 | resource "azurerm_key_vault" "example" {
2 | name = var.key_vault_name
3 | location = var.location
4 | resource_group_name = azurerm_resource_group.this.name
5 | enabled_for_disk_encryption = true
6 | tenant_id = data.azurerm_client_config.current.tenant_id
7 | soft_delete_retention_days = 7
8 | purge_protection_enabled = false
9 | sku_name = "standard"
10 | tags = var.tags
11 | }
Check: CKV_AZURE_44: "Ensure Storage Account is using the latest version of TLS encryption"
FAILED for resource: module.adb-lakehouse.azurerm_storage_account.unity_catalog
File: /modules/adb-lakehouse/unity-catalog.tf:16-24
Calling File: /examples/adb-lakehouse/main.tf:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-storage-policies/bc-azr-storage-2.html
16 | resource "azurerm_storage_account" "unity_catalog" {
17 | name = var.metastore_storage_name
18 | location = azurerm_resource_group.shared_resource_group.location
19 | resource_group_name = var.shared_resource_group_name
20 | tags = var.tags
21 | account_tier = "Standard"
22 | account_replication_type = "GRS"
23 | is_hns_enabled = true
24 | }
Check: CKV_AZURE_190: "Ensure that Storage blobs restrict public access"
FAILED for resource: module.adb-lakehouse.azurerm_storage_account.unity_catalog
File: /modules/adb-lakehouse/unity-catalog.tf:16-24
Calling File: /examples/adb-lakehouse/main.tf:1-19
16 | resource "azurerm_storage_account" "unity_catalog" {
17 | name = var.metastore_storage_name
18 | location = azurerm_resource_group.shared_resource_group.location
19 | resource_group_name = var.shared_resource_group_name
20 | tags = var.tags
21 | account_tier = "Standard"
22 | account_replication_type = "GRS"
23 | is_hns_enabled = true
24 | }
Check: CKV_AZURE_33: "Ensure Storage logging is enabled for Queue service for read, write and delete requests"
FAILED for resource: module.adb-lakehouse.azurerm_storage_account.unity_catalog
File: /modules/adb-lakehouse/unity-catalog.tf:16-24
Calling File: /examples/adb-lakehouse/main.tf:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/enable-requests-on-storage-logging-for-queue-service.html
16 | resource "azurerm_storage_account" "unity_catalog" {
17 | name = var.metastore_storage_name
18 | location = azurerm_resource_group.shared_resource_group.location
19 | resource_group_name = var.shared_resource_group_name
20 | tags = var.tags
21 | account_tier = "Standard"
22 | account_replication_type = "GRS"
23 | is_hns_enabled = true
24 | }
Check: CKV_AZURE_59: "Ensure that Storage accounts disallow public access"
FAILED for resource: module.adb-lakehouse.azurerm_storage_account.unity_catalog
File: /modules/adb-lakehouse/unity-catalog.tf:16-24
Calling File: /examples/adb-lakehouse/main.tf:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-storage-accounts-disallow-public-access.html
16 | resource "azurerm_storage_account" "unity_catalog" {
17 | name = var.metastore_storage_name
18 | location = azurerm_resource_group.shared_resource_group.location
19 | resource_group_name = var.shared_resource_group_name
20 | tags = var.tags
21 | account_tier = "Standard"
22 | account_replication_type = "GRS"
23 | is_hns_enabled = true
24 | }
Check: CKV_AZURE_158: "Ensure that databricks workspace has not public"
FAILED for resource: module.adb-lakehouse.azurerm_databricks_workspace.this
File: /modules/adb-lakehouse/vnet_injected_databricks_workspace.tf:63-80
Calling File: /examples/adb-lakehouse/main.tf:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-azure-databricks-workspace-is-not-public.html
63 | resource "azurerm_databricks_workspace" "this" {
64 | name = var.databricks_workspace_name
65 | resource_group_name = var.spoke_resource_group_name
66 | managed_resource_group_name = var.managed_resource_group_name
67 | location = var.location
68 | sku = "premium"
69 |
70 | custom_parameters {
71 | no_public_ip = true
72 | virtual_network_id = azurerm_virtual_network.this.id
73 | private_subnet_name = azurerm_subnet.private.name
74 | public_subnet_name = azurerm_subnet.public.name
75 | private_subnet_network_security_group_association_id = azurerm_subnet_network_security_group_association.private.id
76 | public_subnet_network_security_group_association_id = azurerm_subnet_network_security_group_association.public.id
77 | }
78 |
79 | tags = var.tags
80 | }
Check: CKV_AZURE_50: "Ensure Virtual Machine Extensions are not Installed"
FAILED for resource: azurerm_windows_virtual_machine.testvm
File: /modules/adb-with-private-link-standard/testvm_transit.tf:69-91
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/bc-azr-general-14.html
69 | resource "azurerm_windows_virtual_machine" "testvm" {
70 | name = "${local.prefix}vm"
71 | resource_group_name = azurerm_resource_group.transit_rg.name
72 | location = azurerm_resource_group.transit_rg.location
73 | size = "Standard_F4s_v2"
74 | admin_username = "azureuser"
75 | admin_password = "T${random_string.password.result}!!"
76 | network_interface_ids = [
77 | azurerm_network_interface.testvmnic.id,
78 | ]
79 |
80 | os_disk {
81 | caching = "ReadWrite"
82 | storage_account_type = "Standard_LRS"
83 | }
84 |
85 | source_image_reference {
86 | publisher = "MicrosoftWindowsDesktop"
87 | offer = "windows-10"
88 | sku = "19h2-pro-g2"
89 | version = "latest"
90 | }
91 | }
Check: CKV_AZURE_151: "Ensure Windows VM enables encryption"
FAILED for resource: azurerm_windows_virtual_machine.testvm
File: /modules/adb-with-private-link-standard/testvm_transit.tf:69-91
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-iam-policies/ensure-azure-windows-vm-enables-encryption.html
69 | resource "azurerm_windows_virtual_machine" "testvm" {
70 | name = "${local.prefix}vm"
71 | resource_group_name = azurerm_resource_group.transit_rg.name
72 | location = azurerm_resource_group.transit_rg.location
73 | size = "Standard_F4s_v2"
74 | admin_username = "azureuser"
75 | admin_password = "T${random_string.password.result}!!"
76 | network_interface_ids = [
77 | azurerm_network_interface.testvmnic.id,
78 | ]
79 |
80 | os_disk {
81 | caching = "ReadWrite"
82 | storage_account_type = "Standard_LRS"
83 | }
84 |
85 | source_image_reference {
86 | publisher = "MicrosoftWindowsDesktop"
87 | offer = "windows-10"
88 | sku = "19h2-pro-g2"
89 | version = "latest"
90 | }
91 | }
Check: CKV_AZURE_219: "Ensure Firewall defines a firewall policy"
FAILED for resource: azurerm_firewall.hubfw
File: /modules/adb-with-private-links-exfiltration-protection/firewall.tf:9-21
9 | resource "azurerm_firewall" "hubfw" {
10 | name = "hubfirewall"
11 | location = azurerm_resource_group.this.location
12 | resource_group_name = azurerm_resource_group.this.name
13 | sku_name = "AZFW_VNet"
14 | sku_tier = "Standard"
15 |
16 | ip_configuration {
17 | name = "configuration"
18 | subnet_id = azurerm_subnet.hubfw.id
19 | public_ip_address_id = azurerm_public_ip.fwpublicip.id
20 | }
21 | }
Check: CKV_AZURE_216: "Ensure DenyIntelMode is set to Deny for Azure Firewalls"
FAILED for resource: azurerm_firewall.hubfw
File: /modules/adb-with-private-links-exfiltration-protection/firewall.tf:9-21
9 | resource "azurerm_firewall" "hubfw" {
10 | name = "hubfirewall"
11 | location = azurerm_resource_group.this.location
12 | resource_group_name = azurerm_resource_group.this.name
13 | sku_name = "AZFW_VNet"
14 | sku_tier = "Standard"
15 |
16 | ip_configuration {
17 | name = "configuration"
18 | subnet_id = azurerm_subnet.hubfw.id
19 | public_ip_address_id = azurerm_public_ip.fwpublicip.id
20 | }
21 | }
Check: CKV_AZURE_50: "Ensure Virtual Machine Extensions are not Installed"
FAILED for resource: azurerm_windows_virtual_machine.testvm
File: /modules/adb-with-private-links-exfiltration-protection/testvm.tf:69-91
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/bc-azr-general-14.html
69 | resource "azurerm_windows_virtual_machine" "testvm" {
70 | name = "${local.prefix}-test"
71 | resource_group_name = azurerm_resource_group.this.name
72 | location = azurerm_resource_group.this.location
73 | size = "Standard_F4s_v2"
74 | admin_username = "azureuser"
75 | admin_password = var.test_vm_password
76 | network_interface_ids = [
77 | azurerm_network_interface.testvmnic.id,
78 | ]
79 |
80 | os_disk {
81 | caching = "ReadWrite"
82 | storage_account_type = "Standard_LRS"
83 | }
84 |
85 | source_image_reference {
86 | publisher = "MicrosoftWindowsDesktop"
87 | offer = "windows-10"
88 | sku = "19h2-pro-g2"
89 | version = "latest"
90 | }
91 | }
Check: CKV_AZURE_151: "Ensure Windows VM enables encryption"
FAILED for resource: azurerm_windows_virtual_machine.testvm
File: /modules/adb-with-private-links-exfiltration-protection/testvm.tf:69-91
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-iam-policies/ensure-azure-windows-vm-enables-encryption.html
69 | resource "azurerm_windows_virtual_machine" "testvm" {
70 | name = "${local.prefix}-test"
71 | resource_group_name = azurerm_resource_group.this.name
72 | location = azurerm_resource_group.this.location
73 | size = "Standard_F4s_v2"
74 | admin_username = "azureuser"
75 | admin_password = var.test_vm_password
76 | network_interface_ids = [
77 | azurerm_network_interface.testvmnic.id,
78 | ]
79 |
80 | os_disk {
81 | caching = "ReadWrite"
82 | storage_account_type = "Standard_LRS"
83 | }
84 |
85 | source_image_reference {
86 | publisher = "MicrosoftWindowsDesktop"
87 | offer = "windows-10"
88 | sku = "19h2-pro-g2"
89 | version = "latest"
90 | }
91 | }
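Each of the Azure findings above is a single missing attribute: CKV_AZURE_158 on the workspace, CKV_AZURE_50 and CKV_AZURE_151 on the two test VMs, CKV_AZURE_219 and CKV_AZURE_216 on the hub firewall. The following is an added remediation example, not code from the repository; it keeps the resource names from the scanner output (azurerm_resource_group.this, azurerm_subnet.hubfw, azurerm_public_ip.fwpublicip, the NIC and subnet associations) and assumes an azurerm provider in the 3.x line, where these attributes exist. The firewall policy resource and its name are new here.

```hcl
# Added remediation example for the Azure findings above (not repository code).
# Resource names are the ones reported by checkov; azurerm >= 3.x assumed.

# CKV_AZURE_158: keep the workspace UI and REST API off the public internet.
# no_public_ip = true (already set) only removes public IPs from cluster
# nodes; the control-plane endpoint stays public until this flag is false.
# Deploy the front-end Private Link endpoint first or you lock yourself out.
resource "azurerm_databricks_workspace" "this" {
  name                                  = var.databricks_workspace_name
  resource_group_name                   = var.spoke_resource_group_name
  managed_resource_group_name           = var.managed_resource_group_name
  location                              = var.location
  sku                                   = "premium"
  public_network_access_enabled         = false
  network_security_group_rules_required = "NoAzureDatabricksRules"

  custom_parameters {
    no_public_ip                                         = true
    virtual_network_id                                   = azurerm_virtual_network.this.id
    private_subnet_name                                  = azurerm_subnet.private.name
    public_subnet_name                                   = azurerm_subnet.public.name
    private_subnet_network_security_group_association_id = azurerm_subnet_network_security_group_association.private.id
    public_subnet_network_security_group_association_id  = azurerm_subnet_network_security_group_association.public.id
  }

  tags = var.tags
}

# CKV_AZURE_219 / CKV_AZURE_216: a policy-managed firewall with threat
# intelligence set to Deny (block, not just alert, on Microsoft's feed).
# The policy resource below is added here and is not in the module.
resource "azurerm_firewall_policy" "hub" {
  name                     = "hubfirewall-policy"
  resource_group_name      = azurerm_resource_group.this.name
  location                 = azurerm_resource_group.this.location
  sku                      = "Standard"
  threat_intelligence_mode = "Deny"
}

resource "azurerm_firewall" "hubfw" {
  name                = "hubfirewall"
  location            = azurerm_resource_group.this.location
  resource_group_name = azurerm_resource_group.this.name
  sku_name            = "AZFW_VNet"
  sku_tier            = "Standard"
  firewall_policy_id  = azurerm_firewall_policy.hub.id
  # The effective mode is the policy's. Checkov reads this attribute on the
  # firewall itself; if your provider/API version rejects it on a
  # policy-managed firewall, drop it and document a checkov skip that
  # points at the policy setting above.
  threat_intel_mode = "Deny"

  ip_configuration {
    name                 = "configuration"
    subnet_id            = azurerm_subnet.hubfw.id
    public_ip_address_id = azurerm_public_ip.fwpublicip.id
  }
}

# CKV_AZURE_50 / CKV_AZURE_151 (same change for both test VMs): close the
# VM-extension channel, which runs arbitrary code as SYSTEM from the control
# plane, and encrypt the OS/temp disks at the host. Encryption at host
# requires the Microsoft.Compute/EncryptionAtHost feature registered on the
# subscription and a VM size that supports it.
resource "azurerm_windows_virtual_machine" "testvm" {
  name                       = "${local.prefix}-test"
  resource_group_name        = azurerm_resource_group.this.name
  location                   = azurerm_resource_group.this.location
  size                       = "Standard_F4s_v2"
  admin_username             = "azureuser"
  admin_password             = var.test_vm_password
  network_interface_ids      = [azurerm_network_interface.testvmnic.id]
  allow_extension_operations = false
  encryption_at_host_enabled = true

  os_disk {
    caching              = "ReadWrite"
    storage_account_type = "Standard_LRS"
  }

  source_image_reference {
    publisher = "MicrosoftWindowsDesktop"
    offer     = "windows-10"
    sku       = "19h2-pro-g2"
    version   = "latest"
  }
}
```

Two caveats before copying this into a module. With allow_extension_operations = false, portal-driven password reset and agent installs (Azure Monitor, Defender) stop working, because they are delivered as extensions; for a throwaway transit VM that is acceptable, for anything longer-lived decide deliberately. The Windows 10 19h2 (1909) image the modules pin is out of servicing, so whatever else is changed, the image reference should move to a supported release.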
Check: CKV_AWS_345: "Ensure that Network firewall encryption is via a CMK"
FAILED for resource: aws_networkfirewall_rule_group.databricks_fqdns_rg
File: /modules/aws-exfiltration-protection/firewall.tf:1-23
1 | resource "aws_networkfirewall_rule_group" "databricks_fqdns_rg" {
2 | capacity = 100
3 | name = "${local.prefix}-databricks-fqdns-rg"
4 | type = "STATEFUL"
5 | rule_group {
6 | rules_source {
7 | rules_source_list {
8 | generated_rules_type = "ALLOWLIST"
9 | target_types = ["TLS_SNI", "HTTP_HOST"]
10 | targets = concat([var.db_web_app, var.db_tunnel, var.db_rds, local.db_root_bucket], var.whitelisted_urls)
11 | }
12 | }
13 | rule_variables {
14 | ip_sets {
15 | key = "HOME_NET"
16 | ip_set {
17 | definition = [var.spoke_cidr_block, var.hub_cidr_block]
18 | }
19 | }
20 | }
21 | }
22 | tags = var.tags
23 | }
Check: CKV_AWS_345: "Ensure that Network firewall encryption is via a CMK"
FAILED for resource: aws_networkfirewall_rule_group.allow_db_cpl_protocols_rg
File: /modules/aws-exfiltration-protection/firewall.tf:25-60
25 | resource "aws_networkfirewall_rule_group" "allow_db_cpl_protocols_rg" {
26 | capacity = 100
27 | description = "Allows control plane traffic traffic from source"
28 | name = "${local.prefix}-allow-db-cpl-protocols-rg"
29 | type = "STATEFUL"
30 | rule_group {
31 | rule_variables {
32 | ip_sets {
33 | key = "HOME_NET"
34 | ip_set {
35 | definition = [var.spoke_cidr_block, var.hub_cidr_block]
36 | }
37 | }
38 | }
39 | rules_source {
40 | dynamic "stateful_rule" {
41 | for_each = local.protocols_control_plane
42 | content {
43 | action = "PASS"
44 | header {
45 | destination = var.db_control_plane
46 | destination_port = "443"
47 | protocol = stateful_rule.value
48 | direction = "ANY"
49 | source_port = "ANY"
50 | source = "ANY"
51 | }
52 | rule_option {
53 | keyword = "sid:${stateful_rule.key + 1}"
54 | }
55 | }
56 | }
57 | }
58 | }
59 | tags = var.tags
60 | }
Check: CKV_AWS_345: "Ensure that Network firewall encryption is via a CMK"
FAILED for resource: aws_networkfirewall_rule_group.deny_protocols_rg
File: /modules/aws-exfiltration-protection/firewall.tf:62-98
62 | resource "aws_networkfirewall_rule_group" "deny_protocols_rg" {
63 | capacity = 100
64 | description = "Drops FTP,ICMP, SSH traffic from source"
65 | name = "${local.prefix}-deny-protocols-rg"
66 | type = "STATEFUL"
67 | rule_group {
68 | rule_variables {
69 | ip_sets {
70 | key = "HOME_NET"
71 | ip_set {
72 | definition = [var.spoke_cidr_block, var.hub_cidr_block]
73 | }
74 | }
75 | }
76 | rules_source {
77 | dynamic "stateful_rule" {
78 | for_each = local.protocols
79 | content {
80 | action = "DROP"
81 | header {
82 | destination = "ANY"
83 | destination_port = "ANY"
84 | protocol = stateful_rule.value
85 | direction = "ANY"
86 | source_port = "ANY"
87 | source = "ANY"
88 | }
89 | rule_option {
90 | keyword = "sid:${stateful_rule.key + 1}"
91 | }
92 | }
93 | }
94 | }
95 | }
96 |
97 | tags = var.tags
98 | }
Check: CKV_AWS_346: "Ensure Network Firewall Policy defines an encryption configuration that uses a customer managed Key (CMK)"
FAILED for resource: aws_networkfirewall_firewall_policy.egress_policy
File: /modules/aws-exfiltration-protection/firewall.tf:100-116
100 | resource "aws_networkfirewall_firewall_policy" "egress_policy" {
101 | name = "${local.prefix}-egress-policy"
102 | firewall_policy {
103 | stateless_default_actions = ["aws:forward_to_sfe"]
104 | stateless_fragment_default_actions = ["aws:forward_to_sfe"]
105 | stateful_rule_group_reference {
106 | resource_arn = aws_networkfirewall_rule_group.databricks_fqdns_rg.arn
107 | }
108 | stateful_rule_group_reference {
109 | resource_arn = aws_networkfirewall_rule_group.deny_protocols_rg.arn
110 | }
111 | stateful_rule_group_reference {
112 | resource_arn = aws_networkfirewall_rule_group.allow_db_cpl_protocols_rg.arn
113 | }
114 | }
115 | tags = var.tags
116 | }
Check: CKV_AWS_345: "Ensure that Network firewall encryption is via a CMK"
FAILED for resource: aws_networkfirewall_firewall.exfiltration_firewall
File: /modules/aws-exfiltration-protection/firewall.tf:118-129
118 | resource "aws_networkfirewall_firewall" "exfiltration_firewall" {
119 | name = "${local.prefix}-fw"
120 | firewall_policy_arn = aws_networkfirewall_firewall_policy.egress_policy.arn
121 | vpc_id = aws_vpc.hub_vpc.id
122 | dynamic "subnet_mapping" {
123 | for_each = aws_subnet.hub_firewall_subnet[*].id
124 | content {
125 | subnet_id = subnet_mapping.value
126 | }
127 | }
128 | tags = var.tags
129 | }
Check: CKV_AWS_344: "Ensure that Network firewalls have deletion protection enabled"
FAILED for resource: aws_networkfirewall_firewall.exfiltration_firewall
File: /modules/aws-exfiltration-protection/firewall.tf:118-129
118 | resource "aws_networkfirewall_firewall" "exfiltration_firewall" {
119 | name = "${local.prefix}-fw"
120 | firewall_policy_arn = aws_networkfirewall_firewall_policy.egress_policy.arn
121 | vpc_id = aws_vpc.hub_vpc.id
122 | dynamic "subnet_mapping" {
123 | for_each = aws_subnet.hub_firewall_subnet[*].id
124 | content {
125 | subnet_id = subnet_mapping.value
126 | }
127 | }
128 | tags = var.tags
129 | }
Check: CKV_AWS_331: "Ensure Transit Gateways do not automatically accept VPC attachment requests"
FAILED for resource: aws_ec2_transit_gateway.tgw
File: /modules/aws-exfiltration-protection/transit_gateway.tf:1-9
1 | resource "aws_ec2_transit_gateway" "tgw" {
2 | description = "Transit Gateway for Hub/Spoke"
3 | auto_accept_shared_attachments = "enable"
4 | default_route_table_association = "enable"
5 | default_route_table_propagation = "enable"
6 | tags = merge(var.tags, {
7 | Name = "${local.prefix}-tgw"
8 | })
9 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.hub_nat_public_subnet[0]
File: /modules/aws-exfiltration-protection/vpc_hub.tf:21-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
21 | resource "aws_subnet" "hub_nat_public_subnet" {
22 | vpc_id = aws_vpc.hub_vpc.id
23 | count = length(local.hub_nat_public_subnets_cidr)
24 | cidr_block = element(local.hub_nat_public_subnets_cidr, count.index)
25 | availability_zone = element(local.availability_zones, count.index)
26 | map_public_ip_on_launch = true
27 | tags = merge(var.tags, {
28 | Name = "${local.prefix}-hub-nat-public-${element(local.availability_zones, count.index)}"
29 | })
30 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.default_spoke_sg
File: /modules/aws-exfiltration-protection/vpc_spoke.tf:50-87
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
50 | resource "aws_security_group" "default_spoke_sg" {
51 | name = "${local.prefix}-default_spoke_sg"
52 | description = "Default security group to allow inbound/outbound from the VPC"
53 | vpc_id = aws_vpc.spoke_vpc.id
54 | depends_on = [aws_vpc.spoke_vpc]
55 |
56 | dynamic "ingress" {
57 | for_each = local.sg_ingress_protocol
58 | content {
59 | from_port = 0
60 | to_port = 65535
61 | protocol = ingress.value
62 | self = true
63 | }
64 | }
65 |
66 | dynamic "egress" {
67 | for_each = local.sg_egress_protocol
68 | content {
69 | from_port = 0
70 | to_port = 65535
71 | protocol = egress.value
72 | self = true
73 | }
74 | }
75 |
76 | dynamic "egress" {
77 | for_each = local.sg_egress_ports
78 | content {
79 | from_port = egress.value
80 | to_port = egress.value
81 | protocol = "tcp"
82 | cidr_blocks = ["0.0.0.0/0"]
83 | }
84 | }
85 |
86 | tags = var.tags
87 | }
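The three non-firewall findings in aws-exfiltration-protection (CKV_AWS_331, CKV_AWS_130, CKV_AWS_23) are shown remediated below. This is an added example, not code from the repository; it reuses the resource names and locals from the scanner output and assumes an aws provider in the 4.x line. The subnet and security-group copies in aws-workspace-with-firewall further down need the identical change with their own names (aws_vpc.db_vpc, aws_security_group.default_sg).

```hcl
# Added remediation example (not repository code). Names are those from the
# checkov output for modules/aws-exfiltration-protection; aws >= 4.x assumed.

# CKV_AWS_331: with auto_accept_shared_attachments = "enable", any account the
# TGW is shared with through RAM can attach a VPC and be routed into the hub
# without approval. Disable it and accept attachments explicitly.
resource "aws_ec2_transit_gateway" "tgw" {
  description                     = "Transit Gateway for Hub/Spoke"
  auto_accept_shared_attachments  = "disable"
  default_route_table_association = "enable"
  default_route_table_propagation = "enable"
  tags = merge(var.tags, {
    Name = "${local.prefix}-tgw"
  })
}

# CKV_AWS_130: the NAT gateway in this subnet gets an explicit Elastic IP,
# so nothing launched here needs an auto-assigned public address. Turning
# the default off means a mistakenly launched instance is not internet-facing.
resource "aws_subnet" "hub_nat_public_subnet" {
  vpc_id                  = aws_vpc.hub_vpc.id
  count                   = length(local.hub_nat_public_subnets_cidr)
  cidr_block              = element(local.hub_nat_public_subnets_cidr, count.index)
  availability_zone       = element(local.availability_zones, count.index)
  map_public_ip_on_launch = false
  tags = merge(var.tags, {
    Name = "${local.prefix}-hub-nat-public-${element(local.availability_zones, count.index)}"
  })
}

# CKV_AWS_23: a description on every rule. Besides satisfying the check it
# records intent: the self-referencing rules carry Databricks intra-cluster
# traffic, and the 0.0.0.0/0 egress on a short port list is what the hub
# Network Firewall is expected to filter by FQDN. The depends_on on the VPC
# is dropped because vpc_id already orders the two resources.
resource "aws_security_group" "default_spoke_sg" {
  name        = "${local.prefix}-default_spoke_sg"
  description = "Default security group to allow inbound/outbound from the VPC"
  vpc_id      = aws_vpc.spoke_vpc.id

  dynamic "ingress" {
    for_each = local.sg_ingress_protocol
    content {
      description = "Intra-cluster ${ingress.value} from members of this group"
      from_port   = 0
      to_port     = 65535
      protocol    = ingress.value
      self        = true
    }
  }

  dynamic "egress" {
    for_each = local.sg_egress_protocol
    content {
      description = "Intra-cluster ${egress.value} to members of this group"
      from_port   = 0
      to_port     = 65535
      protocol    = egress.value
      self        = true
    }
  }

  dynamic "egress" {
    for_each = local.sg_egress_ports
    content {
      description = "Egress on TCP ${egress.value}, filtered by the hub Network Firewall"
      from_port   = egress.value
      to_port     = egress.value
      protocol    = "tcp"
      cidr_blocks = ["0.0.0.0/0"]
    }
  }

  tags = var.tags
}
```

After disabling auto-accept on the TGW, each spoke's aws_ec2_transit_gateway_vpc_attachment from a shared account has to be accepted with an aws_ec2_transit_gateway_vpc_attachment_accepter in the hub account, which is exactly the approval step the check is asking for.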
Check: CKV_AWS_345: "Ensure that Network firewall encryption is via a CMK"
FAILED for resource: aws_networkfirewall_rule_group.databricks_fqdns_rg
File: /modules/aws-workspace-with-firewall/firewall.tf:12-34
12 | resource "aws_networkfirewall_rule_group" "databricks_fqdns_rg" {
13 | capacity = 100
14 | name = "${local.prefix}-databricks-fqdns-rg"
15 | type = "STATEFUL"
16 | rule_group {
17 | rules_source {
18 | rules_source_list {
19 | generated_rules_type = "ALLOWLIST"
20 | target_types = ["TLS_SNI", "HTTP_HOST"]
21 | targets = concat([var.db_web_app, var.db_tunnel, var.db_rds, local.db_root_bucket], var.whitelisted_urls)
22 | }
23 | }
24 | rule_variables {
25 | ip_sets {
26 | key = "HOME_NET"
27 | ip_set {
28 | definition = [var.cidr_block]
29 | }
30 | }
31 | }
32 | }
33 | tags = var.tags
34 | }
Check: CKV_AWS_345: "Ensure that Network firewall encryption is via a CMK"
FAILED for resource: aws_networkfirewall_rule_group.allow_db_cpl_protocols_rg
File: /modules/aws-workspace-with-firewall/firewall.tf:36-72
36 | resource "aws_networkfirewall_rule_group" "allow_db_cpl_protocols_rg" {
37 | capacity = 100
38 | description = "Allows control plane traffic from source"
39 | name = "${local.prefix}-allow-db-cpl-protocols-rg"
40 | type = "STATEFUL"
41 | rule_group {
42 | rule_variables {
43 | ip_sets {
44 | key = "HOME_NET"
45 | ip_set {
46 | definition = [var.cidr_block]
47 | }
48 | }
49 | }
50 | rules_source {
51 | dynamic "stateful_rule" {
52 | for_each = local.protocols_control_plane
53 | content {
54 | action = "PASS"
55 | header {
56 | destination = var.db_control_plane
57 | destination_port = "443"
58 | protocol = stateful_rule.value
59 | direction = "ANY"
60 | source_port = "ANY"
61 | source = "ANY"
62 | }
63 | rule_option {
64 | keyword = "sid:${stateful_rule.key + 1}"
65 | }
66 | }
67 | }
68 | }
69 | }
70 |
71 | tags = var.tags
72 | }
Check: CKV_AWS_345: "Ensure that Network firewall encryption is via a CMK"
FAILED for resource: aws_networkfirewall_rule_group.deny_protocols_rg
File: /modules/aws-workspace-with-firewall/firewall.tf:74-110
74 | resource "aws_networkfirewall_rule_group" "deny_protocols_rg" {
75 | capacity = 100
76 | description = "Drops FTP,ICMP, SSH traffic from source"
77 | name = "${local.prefix}-deny-protocols-rg"
78 | type = "STATEFUL"
79 | rule_group {
80 | rule_variables {
81 | ip_sets {
82 | key = "HOME_NET"
83 | ip_set {
84 | definition = [var.cidr_block]
85 | }
86 | }
87 | }
88 | rules_source {
89 | dynamic "stateful_rule" {
90 | for_each = local.protocols
91 | content {
92 | action = "DROP"
93 | header {
94 | destination = "ANY"
95 | destination_port = "ANY"
96 | protocol = stateful_rule.value
97 | direction = "ANY"
98 | source_port = "ANY"
99 | source = "ANY"
100 | }
101 | rule_option {
102 | keyword = "sid:${stateful_rule.key + 1}"
103 | }
104 | }
105 | }
106 | }
107 | }
108 |
109 | tags = var.tags
110 | }
Check: CKV_AWS_346: "Ensure Network Firewall Policy defines an encryption configuration that uses a customer managed Key (CMK)"
FAILED for resource: aws_networkfirewall_firewall_policy.egress_policy
File: /modules/aws-workspace-with-firewall/firewall.tf:112-128
112 | resource "aws_networkfirewall_firewall_policy" "egress_policy" {
113 | name = "${local.prefix}-egress-policy"
114 | firewall_policy {
115 | stateless_default_actions = ["aws:forward_to_sfe"]
116 | stateless_fragment_default_actions = ["aws:forward_to_sfe"]
117 | stateful_rule_group_reference {
118 | resource_arn = aws_networkfirewall_rule_group.databricks_fqdns_rg.arn
119 | }
120 | stateful_rule_group_reference {
121 | resource_arn = aws_networkfirewall_rule_group.deny_protocols_rg.arn
122 | }
123 | stateful_rule_group_reference {
124 | resource_arn = aws_networkfirewall_rule_group.allow_db_cpl_protocols_rg.arn
125 | }
126 | }
127 | tags = var.tags
128 | }
Check: CKV_AWS_345: "Ensure that Network firewall encryption is via a CMK"
FAILED for resource: aws_networkfirewall_firewall.exfiltration_firewall
File: /modules/aws-workspace-with-firewall/firewall.tf:130-141
130 | resource "aws_networkfirewall_firewall" "exfiltration_firewall" {
131 | name = "${local.prefix}-fw"
132 | firewall_policy_arn = aws_networkfirewall_firewall_policy.egress_policy.arn
133 | vpc_id = aws_vpc.db_vpc.id
134 | dynamic "subnet_mapping" {
135 | for_each = aws_subnet.db_firewall_subnet[*].id
136 | content {
137 | subnet_id = subnet_mapping.value
138 | }
139 | }
140 | tags = var.tags
141 | }
Check: CKV_AWS_344: "Ensure that Network firewalls have deletion protection enabled"
FAILED for resource: aws_networkfirewall_firewall.exfiltration_firewall
File: /modules/aws-workspace-with-firewall/firewall.tf:130-141
130 | resource "aws_networkfirewall_firewall" "exfiltration_firewall" {
131 | name = "${local.prefix}-fw"
132 | firewall_policy_arn = aws_networkfirewall_firewall_policy.egress_policy.arn
133 | vpc_id = aws_vpc.db_vpc.id
134 | dynamic "subnet_mapping" {
135 | for_each = aws_subnet.db_firewall_subnet[*].id
136 | content {
137 | subnet_id = subnet_mapping.value
138 | }
139 | }
140 | tags = var.tags
141 | }
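The Network Firewall findings (CKV_AWS_345 on the rule groups and the firewall, CKV_AWS_346 on the policy, CKV_AWS_344 on the firewall) appear in both aws-exfiltration-protection and aws-workspace-with-firewall with the same shape. The remediation below is an added example, not repository code; it uses the aws-workspace-with-firewall names (the other module differs only in aws_vpc.hub_vpc, aws_subnet.hub_firewall_subnet and a two-CIDR HOME_NET), assumes an aws provider in the 4.x line, and introduces one KMS key resource of its own.

```hcl
# Added remediation example (not repository code). Names are those from the
# checkov output for modules/aws-workspace-with-firewall; aws >= 4.x assumed.

# One customer-managed key for every Network Firewall resource. Rotation is
# transparent to callers. The default key policy (account root) is relied on
# here, so the deploying principal's IAM policy must allow use of the key.
resource "aws_kms_key" "network_firewall" {
  description         = "${local.prefix} Network Firewall encryption key"
  enable_key_rotation = true
  tags                = var.tags
}

# CKV_AWS_345 on each rule group: the same encryption_configuration block
# goes into allow_db_cpl_protocols_rg and deny_protocols_rg as well.
resource "aws_networkfirewall_rule_group" "databricks_fqdns_rg" {
  capacity = 100
  name     = "${local.prefix}-databricks-fqdns-rg"
  type     = "STATEFUL"

  encryption_configuration {
    type   = "CUSTOMER_KMS"
    key_id = aws_kms_key.network_firewall.arn
  }

  rule_group {
    rules_source {
      rules_source_list {
        generated_rules_type = "ALLOWLIST"
        target_types         = ["TLS_SNI", "HTTP_HOST"]
        targets              = concat([var.db_web_app, var.db_tunnel, var.db_rds, local.db_root_bucket], var.whitelisted_urls)
      }
    }
    rule_variables {
      ip_sets {
        key = "HOME_NET"
        ip_set {
          definition = [var.cidr_block]
        }
      }
    }
  }
  tags = var.tags
}

# CKV_AWS_346 on the policy.
resource "aws_networkfirewall_firewall_policy" "egress_policy" {
  name = "${local.prefix}-egress-policy"

  encryption_configuration {
    type   = "CUSTOMER_KMS"
    key_id = aws_kms_key.network_firewall.arn
  }

  firewall_policy {
    stateless_default_actions          = ["aws:forward_to_sfe"]
    stateless_fragment_default_actions = ["aws:forward_to_sfe"]
    stateful_rule_group_reference {
      resource_arn = aws_networkfirewall_rule_group.databricks_fqdns_rg.arn
    }
    stateful_rule_group_reference {
      resource_arn = aws_networkfirewall_rule_group.deny_protocols_rg.arn
    }
    stateful_rule_group_reference {
      resource_arn = aws_networkfirewall_rule_group.allow_db_cpl_protocols_rg.arn
    }
  }
  tags = var.tags
}

# CKV_AWS_345 and CKV_AWS_344 on the firewall. An egress filter that one
# apply can delete, detach from its subnets, or re-point at a permissive
# policy is a weak control; the three *_protection flags turn each of those
# into a deliberate two-step change.
resource "aws_networkfirewall_firewall" "exfiltration_firewall" {
  name                              = "${local.prefix}-fw"
  firewall_policy_arn               = aws_networkfirewall_firewall_policy.egress_policy.arn
  vpc_id                            = aws_vpc.db_vpc.id
  delete_protection                 = true
  subnet_change_protection          = true
  firewall_policy_change_protection = true

  encryption_configuration {
    type   = "CUSTOMER_KMS"
    key_id = aws_kms_key.network_firewall.arn
  }

  dynamic "subnet_mapping" {
    for_each = aws_subnet.db_firewall_subnet[*].id
    content {
      subnet_id = subnet_mapping.value
    }
  }
  tags = var.tags
}
```

Note that Network Firewall rule groups, policies and firewalls are created once and then mutated in place, so adding encryption_configuration to an existing deployment is an update rather than a replace; delete_protection, on the other hand, must be set back to false in a separate apply before the firewall can ever be destroyed, which is the point.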
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.db_nat_public_subnet
File: /modules/aws-workspace-with-firewall/gateway.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
1 | resource "aws_subnet" "db_nat_public_subnet" {
2 | vpc_id = aws_vpc.db_vpc.id
3 | count = length(local.nat_public_subnets_cidr)
4 | cidr_block = element(local.nat_public_subnets_cidr, count.index)
5 | availability_zone = element(local.availability_zones, count.index)
6 | map_public_ip_on_launch = true
7 | tags = merge(var.tags, {
8 | Name = "${local.prefix}-db-nat-public-${element(local.availability_zones, count.index)}"
9 | })
10 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.default_sg
File: /modules/aws-workspace-with-firewall/security_group.tf:1-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
1 | resource "aws_security_group" "default_sg" {
2 | name = "${local.prefix}-default-sg"
3 | description = "Default security group to allow inbound/outbound from the VPC"
4 | vpc_id = aws_vpc.db_vpc.id
5 | depends_on = [aws_vpc.db_vpc]
6 |
7 | dynamic "ingress" {
8 | for_each = local.sg_ingress_protocol
9 | content {
10 | from_port = 0
11 | to_port = 65535
12 | protocol = ingress.value
13 | self = true
14 | }
15 | }
16 |
17 | dynamic "egress" {
18 | for_each = local.sg_egress_protocol
19 | content {
20 | from_port = 0
21 | to_port = 65535
22 | protocol = egress.value
23 | self = true
24 | }
25 | }
26 |
27 | dynamic "egress" {
28 | for_each = local.sg_egress_ports
29 | content {
30 | from_port = egress.value
31 | to_port = egress.value
32 | protocol = "tcp"
33 | cidr_blocks = ["0.0.0.0/0"]
34 | }
35 | }
36 |
37 | tags = var.tags
38 | }
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: google_compute_subnetwork.network-with-private-secondary-ip-ranges
File: /modules/gcp-workspace-byovpc/vpc.tf:7-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
7 | resource "google_compute_subnetwork" "network-with-private-secondary-ip-ranges" {
8 | name = var.subnet_name
9 | ip_cidr_range = var.subnet_ip_cidr_range
10 | region = var.google_region
11 | network = google_compute_network.dbx_private_vpc.id
12 | secondary_ip_range {
13 | range_name = "pods"
14 | ip_cidr_range = var.pod_ip_cidr_range
15 | }
16 | secondary_ip_range {
17 | range_name = "svc"
18 | ip_cidr_range = var.svc_ip_cidr_range
19 | }
20 | private_ip_google_access = true
21 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: google_compute_subnetwork.network-with-private-secondary-ip-ranges
File: /modules/gcp-workspace-byovpc/vpc.tf:7-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
7 | resource "google_compute_subnetwork" "network-with-private-secondary-ip-ranges" {
8 | name = var.subnet_name
9 | ip_cidr_range = var.subnet_ip_cidr_range
10 | region = var.google_region
11 | network = google_compute_network.dbx_private_vpc.id
12 | secondary_ip_range {
13 | range_name = "pods"
14 | ip_cidr_range = var.pod_ip_cidr_range
15 | }
16 | secondary_ip_range {
17 | range_name = "svc"
18 | ip_cidr_range = var.svc_ip_cidr_range
19 | }
20 | private_ip_google_access = true
21 | }
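Both GCP findings sit on the one BYO-VPC subnet. The block below is an added example, not repository code; it keeps the resource and variable names from the scanner output and assumes a google provider in the 4.x line, where log_config and private_ipv6_google_access are available on google_compute_subnetwork.

```hcl
# Added remediation example (not repository code) for CKV_GCP_26 and
# CKV_GCP_76 on the subnet in modules/gcp-workspace-byovpc; google >= 4.x assumed.
resource "google_compute_subnetwork" "network-with-private-secondary-ip-ranges" {
  name          = var.subnet_name
  ip_cidr_range = var.subnet_ip_cidr_range
  region        = var.google_region
  network       = google_compute_network.dbx_private_vpc.id

  secondary_ip_range {
    range_name    = "pods"
    ip_cidr_range = var.pod_ip_cidr_range
  }
  secondary_ip_range {
    range_name    = "svc"
    ip_cidr_range = var.svc_ip_cidr_range
  }

  private_ip_google_access = true

  # CKV_GCP_76: the IPv6 counterpart of private_ip_google_access. It only
  # takes effect once the subnet carries an IPv6 range (stack_type =
  # "IPV4_IPV6"); on an IPv4-only Databricks subnet it is inert, so setting
  # it is cheaper than maintaining a suppression. Assumed to satisfy the check.
  private_ipv6_google_access = "ENABLE_OUTBOUND_VM_ACCESS_TO_GOOGLE"

  # CKV_GCP_26: VPC Flow Logs for the data-plane subnet. Sampling every flow
  # at the shortest interval is best for incident response but costs the
  # most; 0.5 at 5 minutes is a common compromise. Entries land in Cloud
  # Logging under the compute.googleapis.com/vpc_flows log.
  log_config {
    aggregation_interval = "INTERVAL_5_MIN"
    flow_sampling        = 0.5
    metadata             = "INCLUDE_ALL_METADATA"
  }
}
```

For an egress-controlled Databricks subnet the flow logs are what lets you later answer "which node talked to which external address", so the sampling rate is a security decision rather than just a cost one; raise it to 1.0 if the subnet is in scope for exfiltration monitoring.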
Check: CKV_AWS_53: "Ensure S3 bucket has block public ACLS enabled"
FAILED for resource: module.workspace_collection["workspace_2"].module.my_root_bucket.aws_s3_bucket_public_access_block.root_storage_bucket
File: /examples/aws-databricks-modular-privatelink/modules/mws_workspace/modules/mws_storage/main.tf:11-15
Calling File: /examples/aws-databricks-modular-privatelink/modules/mws_workspace/main.tf:15-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/bc-aws-s3-19.html
11 | resource "aws_s3_bucket_public_access_block" "root_storage_bucket" {
12 | bucket = aws_s3_bucket.root_storage_bucket.id
13 | ignore_public_acls = true
14 | depends_on = [aws_s3_bucket.root_storage_bucket]
15 | }
Check: CKV_AWS_56: "Ensure S3 bucket has 'restrict_public_bucket' enabled"
FAILED for resource: module.workspace_collection["workspace_2"].module.my_root_bucket.aws_s3_bucket_public_access_block.root_storage_bucket
File: /examples/aws-databricks-modular-privatelink/modules/mws_workspace/modules/mws_storage/main.tf:11-15
Calling File: /examples/aws-databricks-modular-privatelink/modules/mws_workspace/main.tf:15-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/bc-aws-s3-22.html
11 | resource "aws_s3_bucket_public_access_block" "root_storage_bucket" {
12 | bucket = aws_s3_bucket.root_storage_bucket.id
13 | ignore_public_acls = true
14 | depends_on = [aws_s3_bucket.root_storage_bucket]
15 | }
Check: CKV_AWS_54: "Ensure S3 bucket has block public policy enabled"
FAILED for resource: module.workspace_collection["workspace_2"].module.my_root_bucket.aws_s3_bucket_public_access_block.root_storage_bucket
File: /examples/aws-databricks-modular-privatelink/modules/mws_workspace/modules/mws_storage/main.tf:11-15
Calling File: /examples/aws-databricks-modular-privatelink/modules/mws_workspace/main.tf:15-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/bc-aws-s3-20.html
11 | resource "aws_s3_bucket_public_access_block" "root_storage_bucket" {
12 | bucket = aws_s3_bucket.root_storage_bucket.id
13 | ignore_public_acls = true
14 | depends_on = [aws_s3_bucket.root_storage_bucket]
15 | }
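The three S3 findings are on one aws_s3_bucket_public_access_block that sets only ignore_public_acls. The corrected form below is an added example, not repository code; it keeps the resource names from the scanner output.

```hcl
# Added remediation example (not repository code) for CKV_AWS_53, CKV_AWS_54
# and CKV_AWS_56 on the workspace root bucket.
#
# ignore_public_acls on its own makes S3 disregard public ACLs but does
# nothing about the bucket-policy path; block_public_policy refuses a new
# policy that grants public access and restrict_public_buckets neutralises
# one that already exists. A policy scoped to a named principal, which is
# what a Databricks root bucket carries, is unaffected by either flag.
resource "aws_s3_bucket_public_access_block" "root_storage_bucket" {
  bucket                  = aws_s3_bucket.root_storage_bucket.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
  # depends_on is not needed: the bucket reference above already orders
  # the two resources.
}
```

If the module also manages the root-bucket policy with aws_s3_bucket_policy, apply the public access block after it or add an explicit depends_on from the policy to this resource; otherwise a transient apply order can leave the policy in place before the block exists.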
Check: CKV2_AZURE_33: "Ensure storage account is configured with private endpoint"
FAILED for resource: azurerm_storage_account.sqlserversa
File: /examples/adb-external-hive-metastore/sqlserver.tf:1-7
1 | resource "azurerm_storage_account" "sqlserversa" {
2 | name = "${random_string.naming.result}sqlserversa"
3 | resource_group_name = azurerm_resource_group.this.name
4 | location = azurerm_resource_group.this.location
5 | account_tier = "Standard"
6 | account_replication_type = "LRS"
7 | }
Check: CKV2_AZURE_33: "Ensure storage account is configured with private endpoint"
FAILED for resource: module.adls_content.azurerm_storage_account.personaldropbox
File: /examples/adb-splunk/modules/adls_content/main.tf:28-34
28 | resource "azurerm_storage_account" "personaldropbox" {
29 | name = local.storage_account_name
30 | resource_group_name = var.rg
31 | location = var.storage_account_location
32 | account_tier = "Standard"
33 | account_replication_type = "LRS"
34 | }
Check: CKV2_AZURE_33: "Ensure storage account is configured with private endpoint"
FAILED for resource: azurerm_storage_account.testsa
File: /examples/adb-squid-proxy/main/storage.tf:5-13
5 | resource "azurerm_storage_account" "testsa" {
6 | name = lower(random_id.storage_account.hex)
7 | resource_group_name = azurerm_resource_group.this.name
8 | is_hns_enabled = true
9 | location = "southeastasia"
10 | account_tier = "Standard"
11 | account_replication_type = "LRS"
12 | tags = local.tags
13 | }
Check: CKV2_AZURE_33: "Ensure storage account is configured with private endpoint"
FAILED for resource: azurerm_storage_account.storage
File: /examples/adb-squid-proxy/modules/storage/main.tf:1-8
1 | resource "azurerm_storage_account" "storage" {
2 | name = var.storagename
3 | resource_group_name = var.resource_group_name
4 | location = var.locationtest
5 | account_tier = "Standard"
6 | account_replication_type = "LRS"
7 | is_hns_enabled = true
8 | }
Check: CKV2_AZURE_33: "Ensure storage account is configured with private endpoint"
FAILED for resource: azurerm_storage_account.unity_catalog
File: /examples/adb-uc/stage_3_spn_deploys_uc/storage.tf:10-26
10 | resource "azurerm_storage_account" "unity_catalog" {
11 | name = "${local.prefix}ucmetastore"
12 | resource_group_name = data.azurerm_resource_group.this.name
13 | location = data.azurerm_resource_group.this.location
14 | tags = data.azurerm_resource_group.this.tags
15 | account_tier = "Standard"
16 | account_replication_type = "ZRS"
17 | is_hns_enabled = true
18 |
19 | network_rules {
20 | default_action = "Deny"
21 | bypass = ["None"]
22 | private_link_access {
23 | endpoint_resource_id = azurerm_databricks_access_connector.unity.id
24 | }
25 | }
26 | }
Check: CKV2_AZURE_33: "Ensure storage account is configured with private endpoint"
FAILED for resource: module.metastore_and_users.azurerm_storage_account.unity_catalog
File: /examples/adb-unity-catalog-basic-demo/modules/metastore-and-users/main.tf:48-56
48 | resource "azurerm_storage_account" "unity_catalog" {
49 | name = "${local.prefix}storageaccuc"
50 | resource_group_name = data.azurerm_resource_group.this.name
51 | location = data.azurerm_resource_group.this.location
52 | tags = data.azurerm_resource_group.this.tags
53 | account_tier = "Standard"
54 | account_replication_type = "LRS"
55 | is_hns_enabled = true
56 | }
Check: CKV2_AZURE_33: "Ensure storage account is configured with private endpoint"
FAILED for resource: azurerm_storage_account.allowedstorage
File: /modules/adb-exfiltration-protection/storage.tf:1-10
1 | resource "azurerm_storage_account" "allowedstorage" {
2 | name = "${random_string.naming.result}allowedstorage"
3 | resource_group_name = azurerm_resource_group.this.name
4 |
5 | location = azurerm_resource_group.this.location
6 | account_tier = "Standard"
7 | account_replication_type = "LRS"
8 | is_hns_enabled = true
9 | tags = local.tags
10 | }
Check: CKV2_AZURE_33: "Ensure storage account is configured with private endpoint"
FAILED for resource: azurerm_storage_account.deniedstorage
File: /modules/adb-exfiltration-protection/storage.tf:13-22
13 | resource "azurerm_storage_account" "deniedstorage" {
14 | name = "${random_string.naming.result}deniedstorage"
15 | resource_group_name = azurerm_resource_group.this.name
16 |
17 | location = azurerm_resource_group.this.location
18 | account_tier = "Standard"
19 | account_replication_type = "LRS"
20 | is_hns_enabled = true
21 | tags = local.tags
22 | }
Check: CKV2_AZURE_33: "Ensure storage account is configured with private endpoint"
FAILED for resource: module.adb-lakehouse.azurerm_storage_account.dls
File: /modules/adb-lakehouse/storage.tf:1-10
1 | resource "azurerm_storage_account" "dls" {
2 | count = length(var.storage_account_names)
3 | name = "dls${var.storage_account_names[count.index]}${var.environment_name}"
4 | location = var.location
5 | resource_group_name = var.spoke_resource_group_name
6 | account_tier = "Standard"
7 | account_replication_type = "GRS"
8 | tags = var.tags
9 | is_hns_enabled = true
10 | }
Check: CKV2_AZURE_33: "Ensure storage account is configured with private endpoint"
FAILED for resource: module.adb-lakehouse.azurerm_storage_account.unity_catalog
File: /modules/adb-lakehouse/unity-catalog.tf:16-24
16 | resource "azurerm_storage_account" "unity_catalog" {
17 | name = var.metastore_storage_name
18 | location = azurerm_resource_group.shared_resource_group.location
19 | resource_group_name = var.shared_resource_group_name
20 | tags = var.tags
21 | account_tier = "Standard"
22 | account_replication_type = "GRS"
23 | is_hns_enabled = true
24 | }
Check: CKV2_AZURE_21: "Ensure Storage logging is enabled for Blob service for read requests"
FAILED for resource: module.adls_content.azurerm_storage_container.example_container
File: /examples/adb-splunk/modules/adls_content/main.tf:36-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/ensure-storage-logging-is-enabled-for-blob-service-for-read-requests.html
36 | resource "azurerm_storage_container" "example_container" {
37 | name = "cnt1"
38 | storage_account_name = azurerm_storage_account.personaldropbox.name
39 | container_access_type = "container" // for anonymous read container from public
40 | }
Check: CKV2_AZURE_21: "Ensure Storage logging is enabled for Blob service for read requests"
FAILED for resource: azurerm_storage_container.unity_catalog
File: /examples/adb-uc/stage_3_spn_deploys_uc/storage.tf:28-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/ensure-storage-logging-is-enabled-for-blob-service-for-read-requests.html
28 | resource "azurerm_storage_container" "unity_catalog" {
29 | name = "${local.prefix}metastorecontainer"
30 | storage_account_name = azurerm_storage_account.unity_catalog.name
31 | container_access_type = "private"
32 | }
Check: CKV2_AZURE_21: "Ensure Storage logging is enabled for Blob service for read requests"
FAILED for resource: azurerm_storage_container.dev_catalog
File: /examples/adb-unity-catalog-basic-demo/main.tf:111-115
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/ensure-storage-logging-is-enabled-for-blob-service-for-read-requests.html
111 | resource "azurerm_storage_container" "dev_catalog" {
112 | name = "dev-catalog"
113 | storage_account_name = module.metastore_and_users.azurerm_storage_account_unity_catalog.name
114 | container_access_type = "private"
115 | }
Check: CKV2_AZURE_21: "Ensure Storage logging is enabled for Blob service for read requests"
FAILED for resource: module.metastore_and_users.azurerm_storage_container.unity_catalog
File: /examples/adb-unity-catalog-basic-demo/modules/metastore-and-users/main.tf:59-63
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/ensure-storage-logging-is-enabled-for-blob-service-for-read-requests.html
59 | resource "azurerm_storage_container" "unity_catalog" {
60 | name = "${local.prefix}-container"
61 | storage_account_name = azurerm_storage_account.unity_catalog.name
62 | container_access_type = "private"
63 | }
Check: CKV2_AZURE_21: "Ensure Storage logging is enabled for Blob service for read requests"
FAILED for resource: module.adb-lakehouse.azurerm_storage_container.unity_catalog
File: /modules/adb-lakehouse/unity-catalog.tf:26-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/ensure-storage-logging-is-enabled-for-blob-service-for-read-requests.html
26 | resource "azurerm_storage_container" "unity_catalog" {
27 | name = "${var.metastore_storage_name}-container"
28 | storage_account_name = azurerm_storage_account.unity_catalog.name
29 | container_access_type = "private"
30 | }
Check: CKV_AZURE_119: "Ensure that Network Interfaces don't use public IPs"
FAILED for resource: module.kafka_broker.azurerm_network_interface.general-nic
File: /examples/adb-kafka/modules/general_vm/main.tf:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-network-interfaces-dont-use-public-ips.html
1 | resource "azurerm_network_interface" "general-nic" {
2 | name = "${var.vm_name}-nic"
3 | location = var.region
4 | resource_group_name = var.resource_group_name
5 |
6 | ip_configuration {
7 | name = "internal"
8 | subnet_id = var.subnet_id
9 | private_ip_address_allocation = "Dynamic"
10 | public_ip_address_id = azurerm_public_ip.general-nic-pubip.id
11 | }
12 | }
Check: CKV_AZURE_119: "Ensure that Network Interfaces don't use public IPs"
FAILED for resource: azurerm_network_interface.splunk-nic
File: /examples/adb-splunk/splunkvm.tf:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-network-interfaces-dont-use-public-ips.html
1 | resource "azurerm_network_interface" "splunk-nic" {
2 | name = "splunk-nic"
3 | location = azurerm_resource_group.this.location
4 | resource_group_name = azurerm_resource_group.this.name
5 |
6 | ip_configuration {
7 | name = "internal"
8 | subnet_id = azurerm_subnet.splunksubnet.id
9 | private_ip_address_allocation = "Dynamic"
10 | public_ip_address_id = azurerm_public_ip.splunk-nic-pubip.id
11 | }
12 | }
Check: CKV_AZURE_119: "Ensure that Network Interfaces don't use public IPs"
FAILED for resource: azurerm_network_interface.squid-nic
File: /examples/adb-squid-proxy/main/squid.tf:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-network-interfaces-dont-use-public-ips.html
1 | resource "azurerm_network_interface" "squid-nic" {
2 | name = "squid-nic"
3 | location = azurerm_resource_group.this.location
4 | resource_group_name = azurerm_resource_group.this.name
5 |
6 | ip_configuration {
7 | name = "internal"
8 | subnet_id = azurerm_subnet.squid-public-subnet.id
9 | private_ip_address_allocation = "Dynamic"
10 | public_ip_address_id = azurerm_public_ip.squid-nic-pubip.id
11 | }
12 | }
Check: CKV_AZURE_119: "Ensure that Network Interfaces don't use public IPs"
FAILED for resource: azurerm_network_interface.jumpbox
File: /examples/adb-squid-proxy/modules/vm/main.tf:169-182
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-network-interfaces-dont-use-public-ips.html
169 | resource "azurerm_network_interface" "jumpbox" {
170 | name = "jumpbox-nic"
171 | location = var.location
172 | resource_group_name = azurerm_resource_group.vmss.name
173 |
174 | ip_configuration {
175 | name = "IPConfiguration"
176 | subnet_id = azurerm_subnet.vmss.id
177 | private_ip_address_allocation = "dynamic"
178 | public_ip_address_id = azurerm_public_ip.jumpbox.id
179 | }
180 |
181 | tags = var.tags
182 | }
Check: CKV_AZURE_119: "Ensure that Network Interfaces don't use public IPs"
FAILED for resource: module.test_vm_instance.azurerm_network_interface.teradata-nic
File: /examples/adb-teradata/modules/teradata_vm/main.tf:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-network-interfaces-dont-use-public-ips.html
1 | resource "azurerm_network_interface" "teradata-nic" {
2 | name = "${var.naming_prefix}-teradatanic"
3 | location = var.region
4 | resource_group_name = var.resource_group_name
5 |
6 | ip_configuration {
7 | name = "internal"
8 | subnet_id = var.subnet_id
9 | private_ip_address_allocation = "Dynamic"
10 | public_ip_address_id = azurerm_public_ip.teradata-nic-pubip.id
11 | }
12 | }
Check: CKV_AZURE_119: "Ensure that Network Interfaces don't use public IPs"
FAILED for resource: azurerm_network_interface.testvmnic
File: /modules/adb-with-private-link-standard/testvm_transit.tf:7-18
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-network-interfaces-dont-use-public-ips.html
7 | resource "azurerm_network_interface" "testvmnic" {
8 | name = "${local.prefix}-testvm-nic"
9 | location = azurerm_resource_group.transit_rg.location
10 | resource_group_name = azurerm_resource_group.transit_rg.name
11 |
12 | ip_configuration {
13 | name = "testvmip"
14 | subnet_id = azurerm_subnet.testvmsubnet.id
15 | private_ip_address_allocation = "Dynamic"
16 | public_ip_address_id = azurerm_public_ip.testvmpublicip.id
17 | }
18 | }
Check: CKV_AZURE_119: "Ensure that Network Interfaces don't use public IPs"
FAILED for resource: azurerm_network_interface.testvmnic
File: /modules/adb-with-private-links-exfiltration-protection/testvm.tf:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-network-interfaces-dont-use-public-ips.html
1 | resource "azurerm_network_interface" "testvmnic" {
2 | name = "${local.prefix}-testvm-nic"
3 | location = azurerm_resource_group.this.location
4 | resource_group_name = azurerm_resource_group.this.name
5 |
6 | ip_configuration {
7 | name = "testvmip"
8 | subnet_id = azurerm_subnet.testvmsubnet.id
9 | private_ip_address_allocation = "Dynamic"
10 | public_ip_address_id = azurerm_public_ip.testvmpublicip.id
11 | }
12 | }
Check: CKV2_AZURE_15: "Ensure that Azure data factories are encrypted with a customer-managed key"
FAILED for resource: module.adb-lakehouse.azurerm_data_factory.adf[0]
File: /modules/adb-lakehouse/azure_data_factory.tf:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-azure-data-factories-are-encrypted-with-a-customer-managed-key.html
1 | resource "azurerm_data_factory" "adf" {
2 | count = var.data_factory_name != "" ? 1 : 0
3 |
4 | name = var.data_factory_name
5 | location = var.location
6 | resource_group_name = azurerm_resource_group.this.name
7 | tags = var.tags
8 | }
Check: CKV2_AZURE_27: "Ensure Azure AD authentication is enabled for Azure SQL (MSSQL)"
FAILED for resource: azurerm_mssql_server.metastoreserver
File: /examples/adb-external-hive-metastore/sqlserver.tf:9-17
Guide: https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/azr-general-85
9 | resource "azurerm_mssql_server" "metastoreserver" {
10 | name = "${random_string.naming.result}mssqlserver"
11 | resource_group_name = azurerm_resource_group.this.name
12 | location = azurerm_resource_group.this.location
13 | version = "12.0"
14 | administrator_login = var.db_username // sensitive data stored as env variables locally
15 | administrator_login_password = var.db_password
16 | public_network_access_enabled = true // consider to disable public access to the server, to set as false
17 | }
Check: CKV_AZURE_24: "Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers"
FAILED for resource: azurerm_mssql_server.metastoreserver
File: /examples/adb-external-hive-metastore/sqlserver.tf:9-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/bc-azr-logging-3.html
9 | resource "azurerm_mssql_server" "metastoreserver" {
10 | name = "${random_string.naming.result}mssqlserver"
11 | resource_group_name = azurerm_resource_group.this.name
12 | location = azurerm_resource_group.this.location
13 | version = "12.0"
14 | administrator_login = var.db_username // sensitive data stored as env variables locally
15 | administrator_login_password = var.db_password
16 | public_network_access_enabled = true // consider to disable public access to the server, to set as false
17 | }
Check: CKV2_AZURE_12: "Ensure that virtual machines are backed up using Azure Backup"
FAILED for resource: azurerm_virtual_machine.jumpbox
File: /examples/adb-squid-proxy/modules/vm/main.tf:184-221
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-virtual-machines-are-backed-up-using-azure-backup.html
184 | resource "azurerm_virtual_machine" "jumpbox" {
185 | name = "jumpbox"
186 | location = var.location
187 | resource_group_name = azurerm_resource_group.vmss.name
188 | network_interface_ids = [azurerm_network_interface.jumpbox.id]
189 | vm_size = "Standard_DS1_v2"
190 |
191 | storage_image_reference {
192 | publisher = "Canonical"
193 | offer = "UbuntuServer"
194 | sku = "16.04-LTS"
195 | version = "latest"
196 | }
197 |
198 | storage_os_disk {
199 | name = "jumpbox-osdisk"
200 | caching = "ReadWrite"
201 | create_option = "FromImage"
202 | managed_disk_type = "Standard_LRS"
203 | }
204 |
205 | os_profile {
206 | computer_name = "jumpbox"
207 | admin_username = var.admin_user
208 | admin_password = var.admin_password
209 | }
210 |
211 | os_profile_linux_config {
212 | disable_password_authentication = true
213 |
214 | ssh_keys {
215 | path = "/home/azureuser/.ssh/authorized_keys"
216 | key_data = file("~/.ssh/id_rsa.pub")
217 | }
218 | }
219 |
220 | tags = var.tags
221 | }
Check: CKV2_AZURE_38: "Ensure soft-delete is enabled on Azure storage account"
FAILED for resource: azurerm_storage_account.sqlserversa
File: /examples/adb-external-hive-metastore/sqlserver.tf:1-7
1 | resource "azurerm_storage_account" "sqlserversa" {
2 | name = "${random_string.naming.result}sqlserversa"
3 | resource_group_name = azurerm_resource_group.this.name
4 | location = azurerm_resource_group.this.location
5 | account_tier = "Standard"
6 | account_replication_type = "LRS"
7 | }
Check: CKV2_AZURE_38: "Ensure soft-delete is enabled on Azure storage account"
FAILED for resource: module.adls_content.azurerm_storage_account.personaldropbox
File: /examples/adb-splunk/modules/adls_content/main.tf:28-34
28 | resource "azurerm_storage_account" "personaldropbox" {
29 | name = local.storage_account_name
30 | resource_group_name = var.rg
31 | location = var.storage_account_location
32 | account_tier = "Standard"
33 | account_replication_type = "LRS"
34 | }
Check: CKV2_AZURE_38: "Ensure soft-delete is enabled on Azure storage account"
FAILED for resource: azurerm_storage_account.testsa
File: /examples/adb-squid-proxy/main/storage.tf:5-13
5 | resource "azurerm_storage_account" "testsa" {
6 | name = lower(random_id.storage_account.hex)
7 | resource_group_name = azurerm_resource_group.this.name
8 | is_hns_enabled = true
9 | location = "southeastasia"
10 | account_tier = "Standard"
11 | account_replication_type = "LRS"
12 | tags = local.tags
13 | }
Check: CKV2_AZURE_38: "Ensure soft-delete is enabled on Azure storage account"
FAILED for resource: azurerm_storage_account.storage
File: /examples/adb-squid-proxy/modules/storage/main.tf:1-8
1 | resource "azurerm_storage_account" "storage" {
2 | name = var.storagename
3 | resource_group_name = var.resource_group_name
4 | location = var.locationtest
5 | account_tier = "Standard"
6 | account_replication_type = "LRS"
7 | is_hns_enabled = true
8 | }
Check: CKV2_AZURE_38: "Ensure soft-delete is enabled on Azure storage account"
FAILED for resource: azurerm_storage_account.unity_catalog
File: /examples/adb-uc/stage_3_spn_deploys_uc/storage.tf:10-26
10 | resource "azurerm_storage_account" "unity_catalog" {
11 | name = "${local.prefix}ucmetastore"
12 | resource_group_name = data.azurerm_resource_group.this.name
13 | location = data.azurerm_resource_group.this.location
14 | tags = data.azurerm_resource_group.this.tags
15 | account_tier = "Standard"
16 | account_replication_type = "ZRS"
17 | is_hns_enabled = true
18 |
19 | network_rules {
20 | default_action = "Deny"
21 | bypass = ["None"]
22 | private_link_access {
23 | endpoint_resource_id = azurerm_databricks_access_connector.unity.id
24 | }
25 | }
26 | }
Check: CKV2_AZURE_38: "Ensure soft-delete is enabled on Azure storage account"
FAILED for resource: module.metastore_and_users.azurerm_storage_account.unity_catalog
File: /examples/adb-unity-catalog-basic-demo/modules/metastore-and-users/main.tf:48-56
48 | resource "azurerm_storage_account" "unity_catalog" {
49 | name = "${local.prefix}storageaccuc"
50 | resource_group_name = data.azurerm_resource_group.this.name
51 | location = data.azurerm_resource_group.this.location
52 | tags = data.azurerm_resource_group.this.tags
53 | account_tier = "Standard"
54 | account_replication_type = "LRS"
55 | is_hns_enabled = true
56 | }
Check: CKV2_AZURE_38: "Ensure soft-delete is enabled on Azure storage account"
FAILED for resource: azurerm_storage_account.allowedstorage
File: /modules/adb-exfiltration-protection/storage.tf:1-10
1 | resource "azurerm_storage_account" "allowedstorage" {
2 | name = "${random_string.naming.result}allowedstorage"
3 | resource_group_name = azurerm_resource_group.this.name
4 |
5 | location = azurerm_resource_group.this.location
6 | account_tier = "Standard"
7 | account_replication_type = "LRS"
8 | is_hns_enabled = true
9 | tags = local.tags
10 | }
Check: CKV2_AZURE_38: "Ensure soft-delete is enabled on Azure storage account"
FAILED for resource: azurerm_storage_account.deniedstorage
File: /modules/adb-exfiltration-protection/storage.tf:13-22
13 | resource "azurerm_storage_account" "deniedstorage" {
14 | name = "${random_string.naming.result}deniedstorage"
15 | resource_group_name = azurerm_resource_group.this.name
16 |
17 | location = azurerm_resource_group.this.location
18 | account_tier = "Standard"
19 | account_replication_type = "LRS"
20 | is_hns_enabled = true
21 | tags = local.tags
22 | }
Check: CKV2_AZURE_38: "Ensure soft-delete is enabled on Azure storage account"
FAILED for resource: module.adb-lakehouse.azurerm_storage_account.dls
File: /modules/adb-lakehouse/storage.tf:1-10
1 | resource "azurerm_storage_account" "dls" {
2 | count = length(var.storage_account_names)
3 | name = "dls${var.storage_account_names[count.index]}${var.environment_name}"
4 | location = var.location
5 | resource_group_name = var.spoke_resource_group_name
6 | account_tier = "Standard"
7 | account_replication_type = "GRS"
8 | tags = var.tags
9 | is_hns_enabled = true
10 | }
Check: CKV2_AZURE_38: "Ensure soft-delete is enabled on Azure storage account"
FAILED for resource: module.adb-lakehouse.azurerm_storage_account.unity_catalog
File: /modules/adb-lakehouse/unity-catalog.tf:16-24
16 | resource "azurerm_storage_account" "unity_catalog" {
17 | name = var.metastore_storage_name
18 | location = azurerm_resource_group.shared_resource_group.location
19 | resource_group_name = var.shared_resource_group_name
20 | tags = var.tags
21 | account_tier = "Standard"
22 | account_replication_type = "GRS"
23 | is_hns_enabled = true
24 | }
Check: CKV2_AZURE_10: "Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines"
FAILED for resource: azurerm_virtual_machine.jumpbox
File: /examples/adb-squid-proxy/modules/vm/main.tf:184-221
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-microsoft-antimalware-is-configured-to-automatically-updates-for-virtual-machines.html
184 | resource "azurerm_virtual_machine" "jumpbox" {
185 | name = "jumpbox"
186 | location = var.location
187 | resource_group_name = azurerm_resource_group.vmss.name
188 | network_interface_ids = [azurerm_network_interface.jumpbox.id]
189 | vm_size = "Standard_DS1_v2"
190 |
191 | storage_image_reference {
192 | publisher = "Canonical"
193 | offer = "UbuntuServer"
194 | sku = "16.04-LTS"
195 | version = "latest"
196 | }
197 |
198 | storage_os_disk {
199 | name = "jumpbox-osdisk"
200 | caching = "ReadWrite"
201 | create_option = "FromImage"
202 | managed_disk_type = "Standard_LRS"
203 | }
204 |
205 | os_profile {
206 | computer_name = "jumpbox"
207 | admin_username = var.admin_user
208 | admin_password = var.admin_password
209 | }
210 |
211 | os_profile_linux_config {
212 | disable_password_authentication = true
213 |
214 | ssh_keys {
215 | path = "/home/azureuser/.ssh/authorized_keys"
216 | key_data = file("~/.ssh/id_rsa.pub")
217 | }
218 | }
219 |
220 | tags = var.tags
221 | }
Check: CKV2_AZURE_1: "Ensure storage for critical data are encrypted with Customer Managed Key"
FAILED for resource: azurerm_storage_account.sqlserversa
File: /examples/adb-external-hive-metastore/sqlserver.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-storage-for-critical-data-are-encrypted-with-customer-managed-key.html
1 | resource "azurerm_storage_account" "sqlserversa" {
2 | name = "${random_string.naming.result}sqlserversa"
3 | resource_group_name = azurerm_resource_group.this.name
4 | location = azurerm_resource_group.this.location
5 | account_tier = "Standard"
6 | account_replication_type = "LRS"
7 | }
Check: CKV2_AZURE_1: "Ensure storage for critical data are encrypted with Customer Managed Key"
FAILED for resource: module.adls_content.azurerm_storage_account.personaldropbox
File: /examples/adb-splunk/modules/adls_content/main.tf:28-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-storage-for-critical-data-are-encrypted-with-customer-managed-key.html
28 | resource "azurerm_storage_account" "personaldropbox" {
29 | name = local.storage_account_name
30 | resource_group_name = var.rg
31 | location = var.storage_account_location
32 | account_tier = "Standard"
33 | account_replication_type = "LRS"
34 | }
Check: CKV2_AZURE_1: "Ensure storage for critical data are encrypted with Customer Managed Key"
FAILED for resource: azurerm_storage_account.testsa
File: /examples/adb-squid-proxy/main/storage.tf:5-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-storage-for-critical-data-are-encrypted-with-customer-managed-key.html
5 | resource "azurerm_storage_account" "testsa" {
6 | name = lower(random_id.storage_account.hex)
7 | resource_group_name = azurerm_resource_group.this.name
8 | is_hns_enabled = true
9 | location = "southeastasia"
10 | account_tier = "Standard"
11 | account_replication_type = "LRS"
12 | tags = local.tags
13 | }
Check: CKV2_AZURE_1: "Ensure storage for critical data are encrypted with Customer Managed Key"
FAILED for resource: azurerm_storage_account.storage
File: /examples/adb-squid-proxy/modules/storage/main.tf:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-storage-for-critical-data-are-encrypted-with-customer-managed-key.html
1 | resource "azurerm_storage_account" "storage" {
2 | name = var.storagename
3 | resource_group_name = var.resource_group_name
4 | location = var.locationtest
5 | account_tier = "Standard"
6 | account_replication_type = "LRS"
7 | is_hns_enabled = true
8 | }
Check: CKV2_AZURE_1: "Ensure storage for critical data are encrypted with Customer Managed Key"
FAILED for resource: azurerm_storage_account.unity_catalog
File: /examples/adb-uc/stage_3_spn_deploys_uc/storage.tf:10-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-storage-for-critical-data-are-encrypted-with-customer-managed-key.html
10 | resource "azurerm_storage_account" "unity_catalog" {
11 | name = "${local.prefix}ucmetastore"
12 | resource_group_name = data.azurerm_resource_group.this.name
13 | location = data.azurerm_resource_group.this.location
14 | tags = data.azurerm_resource_group.this.tags
15 | account_tier = "Standard"
16 | account_replication_type = "ZRS"
17 | is_hns_enabled = true
18 |
19 | network_rules {
20 | default_action = "Deny"
21 | bypass = ["None"]
22 | private_link_access {
23 | endpoint_resource_id = azurerm_databricks_access_connector.unity.id
24 | }
25 | }
26 | }
Check: CKV2_AZURE_1: "Ensure storage for critical data are encrypted with Customer Managed Key"
FAILED for resource: module.metastore_and_users.azurerm_storage_account.unity_catalog
File: /examples/adb-unity-catalog-basic-demo/modules/metastore-and-users/main.tf:48-56
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-storage-for-critical-data-are-encrypted-with-customer-managed-key.html
48 | resource "azurerm_storage_account" "unity_catalog" {
49 | name = "${local.prefix}storageaccuc"
50 | resource_group_name = data.azurerm_resource_group.this.name
51 | location = data.azurerm_resource_group.this.location
52 | tags = data.azurerm_resource_group.this.tags
53 | account_tier = "Standard"
54 | account_replication_type = "LRS"
55 | is_hns_enabled = true
56 | }
Check: CKV2_AZURE_1: "Ensure storage for critical data are encrypted with Customer Managed Key"
FAILED for resource: azurerm_storage_account.allowedstorage
File: /modules/adb-exfiltration-protection/storage.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-storage-for-critical-data-are-encrypted-with-customer-managed-key.html
1 | resource "azurerm_storage_account" "allowedstorage" {
2 | name = "${random_string.naming.result}allowedstorage"
3 | resource_group_name = azurerm_resource_group.this.name
4 |
5 | location = azurerm_resource_group.this.location
6 | account_tier = "Standard"
7 | account_replication_type = "LRS"
8 | is_hns_enabled = true
9 | tags = local.tags
10 | }
Check: CKV2_AZURE_1: "Ensure storage for critical data are encrypted with Customer Managed Key"
FAILED for resource: azurerm_storage_account.deniedstorage
File: /modules/adb-exfiltration-protection/storage.tf:13-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-storage-for-critical-data-are-encrypted-with-customer-managed-key.html
13 | resource "azurerm_storage_account" "deniedstorage" {
14 | name = "${random_string.naming.result}deniedstorage"
15 | resource_group_name = azurerm_resource_group.this.name
16 |
17 | location = azurerm_resource_group.this.location
18 | account_tier = "Standard"
19 | account_replication_type = "LRS"
20 | is_hns_enabled = true
21 | tags = local.tags
22 | }
Check: CKV2_AZURE_1: "Ensure storage for critical data are encrypted with Customer Managed Key"
FAILED for resource: module.adb-lakehouse.azurerm_storage_account.dls
File: /modules/adb-lakehouse/storage.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-storage-for-critical-data-are-encrypted-with-customer-managed-key.html
1 | resource "azurerm_storage_account" "dls" {
2 | count = length(var.storage_account_names)
3 | name = "dls${var.storage_account_names[count.index]}${var.environment_name}"
4 | location = var.location
5 | resource_group_name = var.spoke_resource_group_name
6 | account_tier = "Standard"
7 | account_replication_type = "GRS"
8 | tags = var.tags
9 | is_hns_enabled = true
10 | }
Check: CKV2_AZURE_1: "Ensure storage for critical data are encrypted with Customer Managed Key"
FAILED for resource: module.adb-lakehouse.azurerm_storage_account.unity_catalog
File: /modules/adb-lakehouse/unity-catalog.tf:16-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-storage-for-critical-data-are-encrypted-with-customer-managed-key.html
16 | resource "azurerm_storage_account" "unity_catalog" {
17 | name = var.metastore_storage_name
18 | location = azurerm_resource_group.shared_resource_group.location
19 | resource_group_name = var.shared_resource_group_name
20 | tags = var.tags
21 | account_tier = "Standard"
22 | account_replication_type = "GRS"
23 | is_hns_enabled = true
24 | }
Check: CKV2_AZURE_32: "Ensure private endpoint is configured to key vault"
FAILED for resource: azurerm_key_vault.akv1
File: /examples/adb-external-hive-metastore/akv.tf:1-10
1 | resource "azurerm_key_vault" "akv1" {
2 | name = "${local.prefix}-akv"
3 | location = azurerm_resource_group.this.location
4 | resource_group_name = azurerm_resource_group.this.name
5 | enabled_for_disk_encryption = true
6 | tenant_id = data.azurerm_client_config.current.tenant_id
7 | soft_delete_retention_days = 7
8 | purge_protection_enabled = false
9 | sku_name = "standard"
10 | }
Check: CKV2_AZURE_32: "Ensure private endpoint is configured to key vault"
FAILED for resource: module.adb-lakehouse.azurerm_key_vault.example
File: /modules/adb-lakehouse/key_vault.tf:1-11
1 | resource "azurerm_key_vault" "example" {
2 | name = var.key_vault_name
3 | location = var.location
4 | resource_group_name = azurerm_resource_group.this.name
5 | enabled_for_disk_encryption = true
6 | tenant_id = data.azurerm_client_config.current.tenant_id
7 | soft_delete_retention_days = 7
8 | purge_protection_enabled = false
9 | sku_name = "standard"
10 | tags = var.tags
11 | }
Check: CKV2_AZURE_31: "Ensure VNET subnet is configured with a Network Security Group (NSG)"
FAILED for resource: azurerm_subnet.hubfw
File: /examples/adb-private-links/vnet.tf:116-122
116 | resource "azurerm_subnet" "hubfw" {
117 | //name must be fixed as AzureFirewallSubnet
118 | name = "AzureFirewallSubnet"
119 | resource_group_name = azurerm_resource_group.this.name
120 | virtual_network_name = azurerm_virtual_network.hubvnet.name
121 | address_prefixes = [cidrsubnet(var.hubcidr, 3, 0)]
122 | }
Check: CKV2_AZURE_31: "Ensure VNET subnet is configured with a Network Security Group (NSG)"
FAILED for resource: azurerm_subnet.hubfw
File: /modules/adb-exfiltration-protection/vnet.tf:88-95
88 | resource "azurerm_subnet" "hubfw" {
89 | //name must be fixed as AzureFirewallSubnet
90 | name = "AzureFirewallSubnet"
91 | resource_group_name = azurerm_resource_group.this.name
92 | virtual_network_name = azurerm_virtual_network.hubvnet.name
93 | address_prefixes = [cidrsubnet(var.hubcidr, 3, 0)]
94 | service_endpoints = ["Microsoft.Storage"]
95 | }
Check: CKV2_AZURE_31: "Ensure VNET subnet is configured with a Network Security Group (NSG)"
FAILED for resource: azurerm_subnet.hubfw
File: /modules/adb-with-private-links-exfiltration-protection/vnet.tf:117-123
117 | resource "azurerm_subnet" "hubfw" {
118 | //name must be fixed as AzureFirewallSubnet
119 | name = "AzureFirewallSubnet"
120 | resource_group_name = azurerm_resource_group.this.name
121 | virtual_network_name = azurerm_virtual_network.hubvnet.name
122 | address_prefixes = [cidrsubnet(var.hubcidr, 3, 0)]
123 | }
Check: CKV2_AZURE_31: "Ensure VNET subnet is configured with a Network Security Group (NSG)"
FAILED for resource: azurerm_subnet.plsubnet
File: /examples/adb-external-hive-metastore/vnet.tf:72-78
72 | resource "azurerm_subnet" "plsubnet" {
73 | name = "${local.prefix}-privatelink"
74 | resource_group_name = azurerm_resource_group.this.name
75 | virtual_network_name = azurerm_virtual_network.this.name
76 | address_prefixes = [cidrsubnet(local.cidr, 3, 2)]
77 | private_endpoint_network_policies_enabled = true
78 | }
Check: CKV2_AZURE_31: "Ensure VNET subnet is configured with a Network Security Group (NSG)"
FAILED for resource: azurerm_subnet.sqlsubnet
File: /examples/adb-external-hive-metastore/vnet.tf:89-95
89 | resource "azurerm_subnet" "sqlsubnet" {
90 | name = "sql-server-subnet"
91 | resource_group_name = azurerm_resource_group.this.name
92 | virtual_network_name = azurerm_virtual_network.sqlvnet.name
93 | address_prefixes = [cidrsubnet(local.sqlcidr, 3, 2)]
94 | service_endpoints = ["Microsoft.Sql"]
95 | }
Check: CKV2_AZURE_31: "Ensure VNET subnet is configured with a Network Security Group (NSG)"
FAILED for resource: azurerm_subnet.plsubnet
File: /examples/adb-private-links/vnet.tf:99-105
99 | resource "azurerm_subnet" "plsubnet" {
100 | name = "${local.prefix}-privatelink"
101 | resource_group_name = azurerm_resource_group.this.name
102 | virtual_network_name = azurerm_virtual_network.this.name
103 | address_prefixes = [cidrsubnet(local.cidr, 3, 2)]
104 | enforce_private_link_endpoint_network_policies = true // set to true to disable subnet policy
105 | }
Check: CKV2_AZURE_31: "Ensure VNET subnet is configured with a Network Security Group (NSG)"
FAILED for resource: azurerm_subnet.splunksubnet
File: /examples/adb-splunk/vnet.tf:72-78
72 | resource "azurerm_subnet" "splunksubnet" {
73 | name = "${local.prefix}-splunk"
74 | resource_group_name = azurerm_resource_group.this.name
75 | virtual_network_name = azurerm_virtual_network.this.name
76 | address_prefixes = [cidrsubnet(local.cidr, 3, 2)]
77 | //enforce_private_link_endpoint_network_policies = true // set to true to disable subnet policy
78 | }
Check: CKV2_AZURE_31: "Ensure VNET subnet is configured with a Network Security Group (NSG)"
FAILED for resource: azurerm_subnet.squid-public-subnet
File: /examples/adb-squid-proxy/main/vnet.tf:71-76
71 | resource "azurerm_subnet" "squid-public-subnet" {
72 | name = "${local.prefix}-squid-public"
73 | resource_group_name = azurerm_resource_group.this.name
74 | virtual_network_name = azurerm_virtual_network.squidvnet.name
75 | address_prefixes = [cidrsubnet(local.squidcidr, 3, 0)]
76 | }
Check: CKV2_AZURE_31: "Ensure VNET subnet is configured with a Network Security Group (NSG)"
FAILED for resource: azurerm_subnet.vmss
File: /examples/adb-squid-proxy/modules/vm/main.tf:38-43
38 | resource "azurerm_subnet" "vmss" {
39 | name = "vmss-subnet"
40 | resource_group_name = azurerm_resource_group.vmss.name
41 | virtual_network_name = azurerm_virtual_network.vmss.name
42 | address_prefixes = ["10.0.2.0/24"]
43 | }
Check: CKV2_AZURE_31: "Ensure VNET subnet is configured with a Network Security Group (NSG)"
FAILED for resource: azurerm_subnet.plsubnet
File: /modules/adb-exfiltration-protection/vnet.tf:72-78
72 | resource "azurerm_subnet" "plsubnet" {
73 | name = "${local.prefix}-privatelink"
74 | resource_group_name = azurerm_resource_group.this.name
75 | virtual_network_name = azurerm_virtual_network.this.name
76 | address_prefixes = [cidrsubnet(local.cidr, 3, 2)]
77 | //private_endpoint_network_policies_enabled = true // set to true to disable subnet policy
78 | }
Check: CKV2_AZURE_31: "Ensure VNET subnet is configured with a Network Security Group (NSG)"
FAILED for resource: azurerm_subnet.testvmsubnet
File: /modules/adb-with-private-link-standard/testvm_transit.tf:93-98
93 | resource "azurerm_subnet" "testvmsubnet" {
94 | name = "${local.prefix}-testvmsubnet"
95 | resource_group_name = azurerm_resource_group.transit_rg.name
96 | virtual_network_name = azurerm_virtual_network.transit_vnet.name
97 | address_prefixes = [cidrsubnet(var.cidr_transit, 3, 3)]
98 | }
Check: CKV2_AZURE_31: "Ensure VNET subnet is configured with a Network Security Group (NSG)"
FAILED for resource: azurerm_subnet.dp_plsubnet
File: /modules/adb-with-private-link-standard/vnet_dp.tf:99-105
99 | resource "azurerm_subnet" "dp_plsubnet" {
100 | name = "${local.prefix}-dp-privatelink"
101 | resource_group_name = azurerm_resource_group.dp_rg.name
102 | virtual_network_name = azurerm_virtual_network.dp_vnet.name
103 | address_prefixes = [cidrsubnet(var.cidr_dp, 6, 2)]
104 | private_endpoint_network_policies_enabled = true
105 | }
Check: CKV2_AZURE_31: "Ensure VNET subnet is configured with a Network Security Group (NSG)"
FAILED for resource: azurerm_subnet.transit_plsubnet
File: /modules/adb-with-private-link-standard/vnet_transit.tf:99-105
99 | resource "azurerm_subnet" "transit_plsubnet" {
100 | name = "${local.prefix}-transit-privatelink"
101 | resource_group_name = azurerm_resource_group.transit_rg.name
102 | virtual_network_name = azurerm_virtual_network.transit_vnet.name
103 | address_prefixes = [cidrsubnet(var.cidr_transit, 6, 2)]
104 | private_endpoint_network_policies_enabled = true
105 | }
Check: CKV2_AZURE_31: "Ensure VNET subnet is configured with a Network Security Group (NSG)"
FAILED for resource: azurerm_subnet.testvmsubnet
File: /modules/adb-with-private-links-exfiltration-protection/testvm.tf:93-98
93 | resource "azurerm_subnet" "testvmsubnet" {
94 | name = "${local.prefix}-testvmsubnet"
95 | resource_group_name = azurerm_resource_group.this.name
96 | virtual_network_name = azurerm_virtual_network.this.name
97 | address_prefixes = [cidrsubnet(local.cidr, 3, 3)]
98 | }
Check: CKV2_AZURE_31: "Ensure VNET subnet is configured with a Network Security Group (NSG)"
FAILED for resource: azurerm_subnet.plsubnet
File: /modules/adb-with-private-links-exfiltration-protection/vnet.tf:100-106
100 | resource "azurerm_subnet" "plsubnet" {
101 | name = "${local.prefix}-privatelink"
102 | resource_group_name = azurerm_resource_group.this.name
103 | virtual_network_name = azurerm_virtual_network.this.name
104 | address_prefixes = [cidrsubnet(local.cidr, 3, 2)]
105 | private_endpoint_network_policies_enabled = true // set to true to disable subnet policy
106 | }
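The CKV2_AZURE_31 findings above all have the same shape: a subnet with no network security group associated. The fix is not an NSG per subnet with default rules but an NSG whose rules say what the subnet is for, plus an association resource. The block below is an added example and not code from the repository: it protects the private-link subnet flagged in the adb-with-private-links-exfiltration-protection module, allowing HTTPS from the workspace VNet only and denying everything else inbound. The NSG name, the rule names and the use of `local.cidr` as the permitted source range are assumptions; `azurerm_resource_group.this`, `azurerm_subnet.plsubnet`, `azurerm_subnet.hubfw` and `azurerm_virtual_network.hubvnet` are the names from the scanned `vnet.tf`. Two caveats a reviewer should know: Azure Firewall does not support an NSG on `AzureFirewallSubnet`, so the `azurerm_subnet.hubfw` finding cannot be fixed and should be suppressed inline with a reason, as shown; and NSG rules are only enforced on traffic to private endpoints while the subnet's private endpoint network policies are enabled (the azurerm 3.x default, which the `private_endpoint_network_policies_enabled = true` lines above keep on, whatever their inline comment says).

```hcl
# Added example, not code from the repository. Assumed names: the NSG
# resource and its rules; local.cidr as the only permitted source range.
resource "azurerm_network_security_group" "plsubnet" {
  name                = "${local.prefix}-privatelink-nsg"
  location            = azurerm_resource_group.this.location
  resource_group_name = azurerm_resource_group.this.name

  # Workspace subnets reach the private endpoints over HTTPS only.
  security_rule {
    name                       = "allow-https-from-workspace-vnet"
    priority                   = 100
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "443"
    source_address_prefix      = local.cidr # assumption: workspace VNet range
    destination_address_prefix = "*"
  }

  # Explicit catch-all deny at the lowest custom priority (4096) so the
  # platform default AllowVnetInBound rule (priority 65000) no longer applies.
  security_rule {
    name                       = "deny-all-inbound"
    priority                   = 4096
    direction                  = "Inbound"
    access                     = "Deny"
    protocol                   = "*"
    source_port_range          = "*"
    destination_port_range     = "*"
    source_address_prefix      = "*"
    destination_address_prefix = "*"
  }
}

# The association is what makes CKV2_AZURE_31 pass for this subnet.
resource "azurerm_subnet_network_security_group_association" "plsubnet" {
  subnet_id                 = azurerm_subnet.plsubnet.id
  network_security_group_id = azurerm_network_security_group.plsubnet.id
}

# AzureFirewallSubnet cannot carry an NSG: record the exception where the
# scanner and the next reviewer will both see it, instead of "fixing" it.
resource "azurerm_subnet" "hubfw" {
  #checkov:skip=CKV2_AZURE_31:Azure Firewall does not support an NSG on AzureFirewallSubnet
  name                 = "AzureFirewallSubnet"
  resource_group_name  = azurerm_resource_group.this.name
  virtual_network_name = azurerm_virtual_network.hubvnet.name
  address_prefixes     = [cidrsubnet(var.hubcidr, 3, 0)]
}
```

The same NSG-plus-association pattern applies to the test VM, Splunk, SQL and squid subnets flagged above; what changes is the rule set, which should admit only the ports that subnet's workload actually serves.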
Check: CKV2_GCP_18: "Ensure GCP network defines a firewall and does not use the default firewall"
FAILED for resource: google_compute_network.dbx_private_vpc
File: /examples/gcp-byovpc/vpc.tf:1-5
1 | resource "google_compute_network" "dbx_private_vpc" {
2 | project = var.google_project
3 | name = "${var.prefix}-${random_string.suffix.result}"
4 | auto_create_subnetworks = false
5 | }
Check: CKV2_GCP_18: "Ensure GCP network defines a firewall and does not use the default firewall"
FAILED for resource: google_compute_network.dbx_private_vpc
File: /modules/gcp-workspace-byovpc/vpc.tf:1-5
1 | resource "google_compute_network" "dbx_private_vpc" {
2 | project = var.google_project
3 | name = "${var.prefix}-${random_string.suffix.result}"
4 | auto_create_subnetworks = false
5 | }
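CKV2_GCP_18 passes once at least one `google_compute_firewall` references the network, but the point of the check is that a custom VPC with no rules of its own relies entirely on the implied rules (deny all ingress, allow all egress), and implied rules cannot be logged. The block below is an added example, not code from the repository: an ingress allow restricted to the workspace subnet range, which the Databricks GKE nodes need to talk to each other, and an explicit lowest-priority ingress deny so that rejected connection attempts show up in firewall logs. `var.subnet_ip_cidr_range` and the rule names are assumptions; `google_compute_network.dbx_private_vpc`, `var.google_project`, `var.prefix` and `random_string.suffix` are the names from the scanned `vpc.tf`. Egress is deliberately left alone here: the workspace needs to reach the Databricks control plane and Google APIs, and tightening that belongs with Private Service Connect, not a blanket egress deny.

```hcl
# Added example, not code from the repository. Assumption: the subnet range
# is exposed as var.subnet_ip_cidr_range; rule names are illustrative.
resource "google_compute_firewall" "dbx_private_vpc_allow_internal" {
  project = var.google_project
  name    = "${var.prefix}-${random_string.suffix.result}-allow-internal"
  network = google_compute_network.dbx_private_vpc.name

  direction     = "INGRESS"
  priority      = 1000
  source_ranges = [var.subnet_ip_cidr_range] # assumption: Databricks subnet

  allow {
    protocol = "tcp"
  }
  allow {
    protocol = "udp"
  }
  allow {
    protocol = "icmp"
  }

  # Log accepted intra-VPC flows as well; cheap to keep, useful in an IR.
  log_config {
    metadata = "INCLUDE_ALL_METADATA"
  }
}

# 65534 sits just above the implied deny (65535). Functionally identical,
# but unlike the implied rule this one can be logged, so blocked inbound
# attempts against the workspace nodes become visible.
resource "google_compute_firewall" "dbx_private_vpc_deny_ingress" {
  project = var.google_project
  name    = "${var.prefix}-${random_string.suffix.result}-deny-ingress"
  network = google_compute_network.dbx_private_vpc.name

  direction     = "INGRESS"
  priority      = 65534
  source_ranges = ["0.0.0.0/0"]

  deny {
    protocol = "all"
  }

  log_config {
    metadata = "INCLUDE_ALL_METADATA"
  }
}
```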
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.root_storage_bucket
File: /examples/aws-databricks-flat/rootbucket.tf:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
1 | resource "aws_s3_bucket" "root_storage_bucket" {
2 | bucket = "${local.prefix}-rootbucket"
3 | acl = "private"
4 | versioning {
5 | enabled = false
6 | }
7 | force_destroy = true
8 | tags = merge(var.tags, {
9 | Name = "${local.prefix}-rootbucket"
10 | })
11 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.data_bucket
File: /examples/aws-databricks-modular-privatelink/instance_profile.tf:2-6
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
2 | resource "aws_s3_bucket" "data_bucket" {
3 | bucket = "data-bucket-for-test" // hard-coded value for demo only
4 | acl = "private"
5 | force_destroy = true
6 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: module.workspace_collection["workspace_1"].module.my_root_bucket.aws_s3_bucket.root_storage_bucket
File: /examples/aws-databricks-modular-privatelink/modules/mws_workspace/modules/mws_storage/main.tf:1-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
1 | resource "aws_s3_bucket" "root_storage_bucket" {
2 | bucket = var.root_bucket_name
3 | acl = "private"
4 | versioning {
5 | enabled = false
6 | }
7 | force_destroy = true
8 | tags = var.tags
9 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.metastore
File: /examples/aws-databricks-uc/unity_catalog_infra.tf:2-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
2 | resource "aws_s3_bucket" "metastore" {
3 | bucket = "${local.prefix}-metastore-jlaw"
4 | acl = "private"
5 | versioning {
6 | enabled = false
7 | }
8 | force_destroy = true
9 | tags = merge(var.tags, {
10 | Name = "${local.prefix}-uc-metastore"
11 | })
12 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.external
File: /examples/aws-databricks-uc/unity_catalog_infra.tf:103-114
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
103 | resource "aws_s3_bucket" "external" {
104 | bucket = "${local.prefix}-external"
105 | acl = "private"
106 | versioning {
107 | enabled = false
108 | }
109 | // destroy all objects with bucket destroy
110 | force_destroy = true
111 | tags = merge(var.tags, {
112 | Name = "${local.prefix}-external"
113 | })
114 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.terraform_state
File: /examples/aws-remote-backend-infra/main.tf:15-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
15 | resource "aws_s3_bucket" "terraform_state" {
16 | bucket = var.bucket_name
17 | # Enable versioning so we can see the full revision history of state files
18 | versioning {
19 | enabled = true
20 | }
21 | force_destroy = true
22 | # Enable server-side encryption by default
23 | server_side_encryption_configuration {
24 | rule {
25 | apply_server_side_encryption_by_default {
26 | sse_algorithm = "AES256"
27 | }
28 | }
29 | }
30 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: module.aws_base.aws_s3_bucket.root_storage_bucket
File: /modules/aws-databricks-base-infra/s3.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
1 | resource "aws_s3_bucket" "root_storage_bucket" {
2 | bucket = "${var.prefix}-rootbucket"
3 | force_destroy = true
4 | tags = merge(var.tags, {
5 | Name = "${var.prefix}-rootbucket"
6 | })
7 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: module.unity_catalog.aws_s3_bucket.metastore
File: /modules/aws-databricks-unity-catalog/s3.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
1 | resource "aws_s3_bucket" "metastore" {
2 | bucket = "${var.prefix}-metastore"
3 | force_destroy = true
4 | tags = merge(var.tags, {
5 | Name = "${var.prefix}-metastore"
6 | })
7 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.root_storage_bucket
File: /modules/aws-exfiltration-protection/s3.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
1 | resource "aws_s3_bucket" "root_storage_bucket" {
2 | bucket = "${local.prefix}-rootbucket"
3 | force_destroy = true
4 | tags = merge(var.tags, {
5 | Name = "${local.prefix}-rootbucket"
6 | })
7 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.root_storage_bucket
File: /modules/aws-workspace-basic/s3.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
1 | resource "aws_s3_bucket" "root_storage_bucket" {
2 | bucket = "${local.prefix}-rootbucket"
3 | force_destroy = true
4 | tags = merge(var.tags, {
5 | Name = "${local.prefix}-rootbucket"
6 | })
7 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.root_storage_bucket
File: /modules/aws-workspace-with-firewall/s3.tf:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
1 | resource "aws_s3_bucket" "root_storage_bucket" {
2 | bucket = "${local.prefix}-rootbucket"
3 | acl = "private"
4 | versioning {
5 | enabled = false
6 | }
7 | force_destroy = true
8 | tags = merge(var.tags, {
9 | Name = "${local.prefix}-rootbucket"
10 | })
11 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: module.workspace_collection["workspace_2"].module.my_root_bucket.aws_s3_bucket.root_storage_bucket
File: /examples/aws-databricks-modular-privatelink/modules/mws_workspace/modules/mws_storage/main.tf:1-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
1 | resource "aws_s3_bucket" "root_storage_bucket" {
2 | bucket = var.root_bucket_name
3 | acl = "private"
4 | versioning {
5 | enabled = false
6 | }
7 | force_destroy = true
8 | tags = var.tags
9 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.root_storage_bucket
File: /examples/aws-databricks-flat/rootbucket.tf:1-11
1 | resource "aws_s3_bucket" "root_storage_bucket" {
2 | bucket = "${local.prefix}-rootbucket"
3 | acl = "private"
4 | versioning {
5 | enabled = false
6 | }
7 | force_destroy = true
8 | tags = merge(var.tags, {
9 | Name = "${local.prefix}-rootbucket"
10 | })
11 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.data_bucket
File: /examples/aws-databricks-modular-privatelink/instance_profile.tf:2-6
2 | resource "aws_s3_bucket" "data_bucket" {
3 | bucket = "data-bucket-for-test" // hard-coded value for demo only
4 | acl = "private"
5 | force_destroy = true
6 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: module.workspace_collection["workspace_1"].module.my_root_bucket.aws_s3_bucket.root_storage_bucket
File: /examples/aws-databricks-modular-privatelink/modules/mws_workspace/modules/mws_storage/main.tf:1-9
1 | resource "aws_s3_bucket" "root_storage_bucket" {
2 | bucket = var.root_bucket_name
3 | acl = "private"
4 | versioning {
5 | enabled = false
6 | }
7 | force_destroy = true
8 | tags = var.tags
9 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.metastore
File: /examples/aws-databricks-uc/unity_catalog_infra.tf:2-12
2 | resource "aws_s3_bucket" "metastore" {
3 | bucket = "${local.prefix}-metastore-jlaw"
4 | acl = "private"
5 | versioning {
6 | enabled = false
7 | }
8 | force_destroy = true
9 | tags = merge(var.tags, {
10 | Name = "${local.prefix}-uc-metastore"
11 | })
12 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.external
File: /examples/aws-databricks-uc/unity_catalog_infra.tf:103-114
103 | resource "aws_s3_bucket" "external" {
104 | bucket = "${local.prefix}-external"
105 | acl = "private"
106 | versioning {
107 | enabled = false
108 | }
109 | // destroy all objects with bucket destroy
110 | force_destroy = true
111 | tags = merge(var.tags, {
112 | Name = "${local.prefix}-external"
113 | })
114 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.terraform_state
File: /examples/aws-remote-backend-infra/main.tf:15-30
15 | resource "aws_s3_bucket" "terraform_state" {
16 | bucket = var.bucket_name
17 | # Enable versioning so we can see the full revision history of state files
18 | versioning {
19 | enabled = true
20 | }
21 | force_destroy = true
22 | # Enable server-side encryption by default
23 | server_side_encryption_configuration {
24 | rule {
25 | apply_server_side_encryption_by_default {
26 | sse_algorithm = "AES256"
27 | }
28 | }
29 | }
30 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: module.aws_base.aws_s3_bucket.root_storage_bucket
File: /modules/aws-databricks-base-infra/s3.tf:1-7
1 | resource "aws_s3_bucket" "root_storage_bucket" {
2 | bucket = "${var.prefix}-rootbucket"
3 | force_destroy = true
4 | tags = merge(var.tags, {
5 | Name = "${var.prefix}-rootbucket"
6 | })
7 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: module.unity_catalog.aws_s3_bucket.metastore
File: /modules/aws-databricks-unity-catalog/s3.tf:1-7
1 | resource "aws_s3_bucket" "metastore" {
2 | bucket = "${var.prefix}-metastore"
3 | force_destroy = true
4 | tags = merge(var.tags, {
5 | Name = "${var.prefix}-metastore"
6 | })
7 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.root_storage_bucket
File: /modules/aws-exfiltration-protection/s3.tf:1-7
1 | resource "aws_s3_bucket" "root_storage_bucket" {
2 | bucket = "${local.prefix}-rootbucket"
3 | force_destroy = true
4 | tags = merge(var.tags, {
5 | Name = "${local.prefix}-rootbucket"
6 | })
7 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.root_storage_bucket
File: /modules/aws-workspace-basic/s3.tf:1-7
1 | resource "aws_s3_bucket" "root_storage_bucket" {
2 | bucket = "${local.prefix}-rootbucket"
3 | force_destroy = true
4 | tags = merge(var.tags, {
5 | Name = "${local.prefix}-rootbucket"
6 | })
7 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.root_storage_bucket
File: /modules/aws-workspace-with-firewall/s3.tf:1-11
1 | resource "aws_s3_bucket" "root_storage_bucket" {
2 | bucket = "${local.prefix}-rootbucket"
3 | acl = "private"
4 | versioning {
5 | enabled = false
6 | }
7 | force_destroy = true
8 | tags = merge(var.tags, {
9 | Name = "${local.prefix}-rootbucket"
10 | })
11 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: module.workspace_collection["workspace_2"].module.my_root_bucket.aws_s3_bucket.root_storage_bucket
File: /examples/aws-databricks-modular-privatelink/modules/mws_workspace/modules/mws_storage/main.tf:1-9
1 | resource "aws_s3_bucket" "root_storage_bucket" {
2 | bucket = var.root_bucket_name
3 | acl = "private"
4 | versioning {
5 | enabled = false
6 | }
7 | force_destroy = true
8 | tags = var.tags
9 | }
Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances"
FAILED for resource: aws_eip.nat_gateway_elastic_ips[0]
File: /examples/aws-databricks-flat/networks_special.tf:22-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances.html
22 | resource "aws_eip" "nat_gateway_elastic_ips" {
23 | count = length(var.public_subnets_cidr)
24 | vpc = true
25 | }
Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances"
FAILED for resource: aws_eip.nat_gateway_elastic_ips[0]
File: /examples/aws-databricks-modular-privatelink/vpc.tf:57-60
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances.html
57 | resource "aws_eip" "nat_gateway_elastic_ips" {
58 | count = length(var.public_subnets_cidr)
59 | vpc = true
60 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.mainvpc
File: /examples/aws-databricks-flat/networks_special.tf:3-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
3 | resource "aws_vpc" "mainvpc" {
4 | cidr_block = var.vpc_cidr
5 | enable_dns_hostnames = true
6 |
7 | tags = merge(var.tags, {
8 | Name = "${local.prefix}-vpc"
9 | })
10 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.mainvpc
File: /examples/aws-databricks-modular-privatelink/vpc.tf:3-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
3 | resource "aws_vpc" "mainvpc" {
4 | cidr_block = var.vpc_cidr
5 | enable_dns_hostnames = true
6 | enable_dns_support = true
7 |
8 | tags = merge(var.tags, {
9 | Name = "${local.prefix}-vpc"
10 | })
11 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.hub_vpc
File: /modules/aws-exfiltration-protection/vpc_hub.tf:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "hub_vpc" {
2 | cidr_block = var.hub_cidr_block
3 | enable_dns_hostnames = true
4 | enable_dns_support = true
5 | tags = merge(var.tags, {
6 | Name = "${local.prefix}-hub-vpc"
7 | })
8 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.spoke_vpc
File: /modules/aws-exfiltration-protection/vpc_spoke.tf:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "spoke_vpc" {
2 | cidr_block = var.spoke_cidr_block
3 | enable_dns_hostnames = true
4 | enable_dns_support = true
5 | tags = merge(var.tags, {
6 | Name = "${local.prefix}-spoke-vpc"
7 | })
8 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.db_vpc
File: /modules/aws-workspace-with-firewall/vpc.tf:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "db_vpc" {
2 | cidr_block = var.cidr_block
3 | enable_dns_hostnames = true
4 | enable_dns_support = true
5 | tags = merge(var.tags, {
6 | Name = "${local.prefix}-db-vpc"
7 | })
8 | }
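CKV2_AWS_12 and CKV2_AWS_19 are both VPC-level hygiene findings, and in the aws-databricks-flat and modular-privatelink examples they come from the same networking file, so one baseline covers both. The block below is an added example and not code from the repository. For the default security group, the remedy is to have Terraform adopt it with no rules at all: `aws_default_security_group` never creates a group, it takes over the VPC's existing default group and strips every ingress and egress rule, so an ENI that is accidentally launched without an explicit group gets nothing. For the elastic IPs, the resource names suggest they feed NAT gateways, but the scan output does not show the consuming resource, so the example attaches each address to a NAT gateway explicitly; it also replaces the `vpc = true` argument, which is deprecated in recent AWS provider versions in favour of `domain = "vpc"`. `aws_subnet.public` is an assumed name for the public subnets; `aws_vpc.mainvpc`, `var.vpc_cidr`, `var.public_subnets_cidr`, `var.tags` and `local.prefix` are the names from the scanned files.

```hcl
# Added example, not code from the repository. Assumption: public subnets
# exist as aws_subnet.public with one entry per var.public_subnets_cidr.
resource "aws_vpc" "mainvpc" {
  cidr_block           = var.vpc_cidr
  enable_dns_hostnames = true
  enable_dns_support   = true

  tags = merge(var.tags, {
    Name = "${local.prefix}-vpc"
  })
}

# CKV2_AWS_12: adopt the VPC's default security group and leave it empty.
# No ingress/egress blocks means Terraform removes every rule it finds;
# nothing in the stack should reference this group afterwards.
resource "aws_default_security_group" "mainvpc" {
  vpc_id = aws_vpc.mainvpc.id

  tags = merge(var.tags, {
    Name = "${local.prefix}-default-sg-locked"
  })
}

# CKV2_AWS_19: every allocated address has a consumer.
resource "aws_eip" "nat_gateway_elastic_ips" {
  count  = length(var.public_subnets_cidr)
  domain = "vpc" # replaces the deprecated `vpc = true`

  tags = merge(var.tags, {
    Name = "${local.prefix}-nat-eip-${count.index}"
  })
}

resource "aws_nat_gateway" "nat_gateways" {
  count         = length(var.public_subnets_cidr)
  allocation_id = aws_eip.nat_gateway_elastic_ips[count.index].id
  subnet_id     = aws_subnet.public[count.index].id # assumption

  tags = merge(var.tags, {
    Name = "${local.prefix}-nat-${count.index}"
  })
}
```

If checkov still reports the EIP after it is wired to a NAT gateway, the graph check is not treating that attachment as a consumer; the right response is an inline `#checkov:skip=CKV2_AWS_19:<reason>` comment in the `aws_eip` block, not detaching the address. An EIP that nothing references should simply be deleted.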
Check: CKV2_AWS_63: "Ensure Network firewall has logging configuration defined"
FAILED for resource: aws_networkfirewall_firewall.exfiltration_firewall
File: /modules/aws-exfiltration-protection/firewall.tf:118-129
118 | resource "aws_networkfirewall_firewall" "exfiltration_firewall" {
119 | name = "${local.prefix}-fw"
120 | firewall_policy_arn = aws_networkfirewall_firewall_policy.egress_policy.arn
121 | vpc_id = aws_vpc.hub_vpc.id
122 | dynamic "subnet_mapping" {
123 | for_each = aws_subnet.hub_firewall_subnet[*].id
124 | content {
125 | subnet_id = subnet_mapping.value
126 | }
127 | }
128 | tags = var.tags
129 | }
Check: CKV2_AWS_63: "Ensure Network firewall has logging configuration defined"
FAILED for resource: aws_networkfirewall_firewall.exfiltration_firewall
File: /modules/aws-workspace-with-firewall/firewall.tf:130-141
130 | resource "aws_networkfirewall_firewall" "exfiltration_firewall" {
131 | name = "${local.prefix}-fw"
132 | firewall_policy_arn = aws_networkfirewall_firewall_policy.egress_policy.arn
133 | vpc_id = aws_vpc.db_vpc.id
134 | dynamic "subnet_mapping" {
135 | for_each = aws_subnet.db_firewall_subnet[*].id
136 | content {
137 | subnet_id = subnet_mapping.value
138 | }
139 | }
140 | tags = var.tags
141 | }
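CKV2_AWS_63 is the one finding in this report that directly affects detection rather than posture: an egress-filtering firewall with no logging configuration blocks exfiltration attempts silently, so nobody learns that a cluster tried to reach a domain outside the allow-list. The block below is an added example, not code from the repository: it sends ALERT and FLOW logs from the scanned `aws_networkfirewall_firewall.exfiltration_firewall` to two CloudWatch log groups with a retention period. The log group names and the 365-day retention are assumptions; `local.prefix` and `var.tags` are the names from the scanned `firewall.tf`. ALERT entries are only produced by stateful rules that alert or drop, which is how the domain allow-list in these modules is enforced, so this is the stream to wire into a SIEM query for "blocked egress from a Databricks subnet".

```hcl
# Added example, not code from the repository. Assumed: log group names
# and the retention period.
resource "aws_cloudwatch_log_group" "firewall_alert" {
  name              = "/aws/network-firewall/${local.prefix}/alert"
  retention_in_days = 365
  tags              = var.tags
}

resource "aws_cloudwatch_log_group" "firewall_flow" {
  name              = "/aws/network-firewall/${local.prefix}/flow"
  retention_in_days = 365
  tags              = var.tags
}

# One log_destination_config per log type. ALERT carries the stateful
# rule hits (the blocked/alerted egress); FLOW carries connection records
# for every flow the firewall saw, which is what you pivot on afterwards.
resource "aws_networkfirewall_logging_configuration" "exfiltration_firewall" {
  firewall_arn = aws_networkfirewall_firewall.exfiltration_firewall.arn

  logging_configuration {
    log_destination_config {
      log_destination = {
        logGroup = aws_cloudwatch_log_group.firewall_alert.name
      }
      log_destination_type = "CloudWatchLogs"
      log_type             = "ALERT"
    }

    log_destination_config {
      log_destination = {
        logGroup = aws_cloudwatch_log_group.firewall_flow.name
      }
      log_destination_type = "CloudWatchLogs"
      log_type             = "FLOW"
    }
  }
}
```

The same resource applies unchanged to the second firewall in aws-workspace-with-firewall; only the `firewall_arn` reference differs.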
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: aws_s3_bucket.root_storage_bucket
File: /examples/aws-databricks-flat/rootbucket.tf:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
1 | resource "aws_s3_bucket" "root_storage_bucket" {
2 | bucket = "${local.prefix}-rootbucket"
3 | acl = "private"
4 | versioning {
5 | enabled = false
6 | }
7 | force_destroy = true
8 | tags = merge(var.tags, {
9 | Name = "${local.prefix}-rootbucket"
10 | })
11 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: aws_s3_bucket.data_bucket
File: /examples/aws-databricks-modular-privatelink/instance_profile.tf:2-6
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
2 | resource "aws_s3_bucket" "data_bucket" {
3 | bucket = "data-bucket-for-test" // hard-coded value for demo only
4 | acl = "private"
5 | force_destroy = true
6 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: module.workspace_collection["workspace_1"].module.my_root_bucket.aws_s3_bucket.root_storage_bucket
File: /examples/aws-databricks-modular-privatelink/modules/mws_workspace/modules/mws_storage/main.tf:1-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
1 | resource "aws_s3_bucket" "root_storage_bucket" {
2 | bucket = var.root_bucket_name
3 | acl = "private"
4 | versioning {
5 | enabled = false
6 | }
7 | force_destroy = true
8 | tags = var.tags
9 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: aws_s3_bucket.metastore
File: /examples/aws-databricks-uc/unity_catalog_infra.tf:2-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
2 | resource "aws_s3_bucket" "metastore" {
3 | bucket = "${local.prefix}-metastore-jlaw"
4 | acl = "private"
5 | versioning {
6 | enabled = false
7 | }
8 | force_destroy = true
9 | tags = merge(var.tags, {
10 | Name = "${local.prefix}-uc-metastore"
11 | })
12 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: aws_s3_bucket.external
File: /examples/aws-databricks-uc/unity_catalog_infra.tf:103-114
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
103 | resource "aws_s3_bucket" "external" {
104 | bucket = "${local.prefix}-external"
105 | acl = "private"
106 | versioning {
107 | enabled = false
108 | }
109 | // destroy all objects with bucket destroy
110 | force_destroy = true
111 | tags = merge(var.tags, {
112 | Name = "${local.prefix}-external"
113 | })
114 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: module.aws_base.aws_s3_bucket.root_storage_bucket
File: /modules/aws-databricks-base-infra/s3.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
1 | resource "aws_s3_bucket" "root_storage_bucket" {
2 | bucket = "${var.prefix}-rootbucket"
3 | force_destroy = true
4 | tags = merge(var.tags, {
5 | Name = "${var.prefix}-rootbucket"
6 | })
7 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: module.unity_catalog.aws_s3_bucket.metastore
File: /modules/aws-databricks-unity-catalog/s3.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
1 | resource "aws_s3_bucket" "metastore" {
2 | bucket = "${var.prefix}-metastore"
3 | force_destroy = true
4 | tags = merge(var.tags, {
5 | Name = "${var.prefix}-metastore"
6 | })
7 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: aws_s3_bucket.root_storage_bucket
File: /modules/aws-workspace-with-firewall/s3.tf:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
1 | resource "aws_s3_bucket" "root_storage_bucket" {
2 | bucket = "${local.prefix}-rootbucket"
3 | acl = "private"
4 | versioning {
5 | enabled = false
6 | }
7 | force_destroy = true
8 | tags = merge(var.tags, {
9 | Name = "${local.prefix}-rootbucket"
10 | })
11 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: module.workspace_collection["workspace_2"].module.my_root_bucket.aws_s3_bucket.root_storage_bucket
File: /examples/aws-databricks-modular-privatelink/modules/mws_workspace/modules/mws_storage/main.tf:1-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
1 | resource "aws_s3_bucket" "root_storage_bucket" {
2 | bucket = var.root_bucket_name
3 | acl = "private"
4 | versioning {
5 | enabled = false
6 | }
7 | force_destroy = true
8 | tags = var.tags
9 | }
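Three of the S3 checks in this report, CKV_AWS_21 (versioning), CKV_AWS_144 (cross-region replication) and CKV2_AWS_62 (event notifications), fail on the same set of buckets and share one prerequisite, since replication requires versioning on both the source and the destination, so one hardened bucket serves all three findings. The block below is an added example, not code from the repository; it reworks the flagged `data_bucket` rather than the workspace root bucket on purpose. The root-bucket snippets above set `versioning { enabled = false }` explicitly, so treat that as a deliberate choice, check Databricks' root-bucket guidance before changing it, and if you do enable versioning there pair it with a lifecycle rule that expires noncurrent versions. Assumptions in the example: the replica region, the bucket names, and `var.s3_events_topic_arn`, an SNS topic whose access policy lets `s3.amazonaws.com` publish to it. It uses the split `aws_s3_bucket_*` resources of AWS provider 4.x and later, which is why the inline `versioning {}` and `acl` arguments seen in the scanned snippets do not appear.

```hcl
# Added example, not code from the repository. Assumed: replica region,
# bucket names, var.s3_events_topic_arn (topic policy allows S3 to publish).
provider "aws" {
  alias  = "replica"
  region = "us-west-2" # assumption: any region other than the source
}

resource "aws_s3_bucket" "data_bucket" {
  bucket        = "${local.prefix}-data"
  force_destroy = true
  tags          = var.tags
}

# CKV_AWS_21: versioning, also a prerequisite for replication.
resource "aws_s3_bucket_versioning" "data_bucket" {
  bucket = aws_s3_bucket.data_bucket.id
  versioning_configuration {
    status = "Enabled"
  }
}

resource "aws_s3_bucket" "data_bucket_replica" {
  provider      = aws.replica
  bucket        = "${local.prefix}-data-replica"
  force_destroy = true
  tags          = var.tags
}

resource "aws_s3_bucket_versioning" "data_bucket_replica" {
  provider = aws.replica
  bucket   = aws_s3_bucket.data_bucket_replica.id
  versioning_configuration {
    status = "Enabled"
  }
}

data "aws_iam_policy_document" "replication_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["s3.amazonaws.com"]
    }
  }
}

# Least privilege: read versions from the source, write only to the replica.
data "aws_iam_policy_document" "replication" {
  statement {
    actions   = ["s3:GetReplicationConfiguration", "s3:ListBucket"]
    resources = [aws_s3_bucket.data_bucket.arn]
  }
  statement {
    actions   = ["s3:GetObjectVersionForReplication", "s3:GetObjectVersionAcl", "s3:GetObjectVersionTagging"]
    resources = ["${aws_s3_bucket.data_bucket.arn}/*"]
  }
  statement {
    actions   = ["s3:ReplicateObject", "s3:ReplicateDelete", "s3:ReplicateTags"]
    resources = ["${aws_s3_bucket.data_bucket_replica.arn}/*"]
  }
}

resource "aws_iam_role" "replication" {
  name               = "${local.prefix}-s3-replication"
  assume_role_policy = data.aws_iam_policy_document.replication_assume.json
}

resource "aws_iam_role_policy" "replication" {
  role   = aws_iam_role.replication.id
  policy = data.aws_iam_policy_document.replication.json
}

# CKV_AWS_144: replicate every object and delete marker to the other region.
resource "aws_s3_bucket_replication_configuration" "data_bucket" {
  depends_on = [aws_s3_bucket_versioning.data_bucket, aws_s3_bucket_versioning.data_bucket_replica]
  bucket     = aws_s3_bucket.data_bucket.id
  role       = aws_iam_role.replication.arn

  rule {
    id     = "replicate-all"
    status = "Enabled"
    filter {}
    delete_marker_replication {
      status = "Enabled"
    }
    destination {
      bucket        = aws_s3_bucket.data_bucket_replica.arn
      storage_class = "STANDARD"
    }
  }
}

# CKV2_AWS_62: object-level events for alerting and audit pipelines.
resource "aws_s3_bucket_notification" "data_bucket" {
  bucket = aws_s3_bucket.data_bucket.id
  topic {
    topic_arn = var.s3_events_topic_arn # assumption
    events    = ["s3:ObjectCreated:*", "s3:ObjectRemoved:*"]
  }
}
```

Whether replication is worth the cost for a given bucket is a business decision; the versioning and notification parts are cheap and should be the default for the Unity Catalog metastore and external buckets, where a deleted or overwritten object is a data-loss or tampering event you want to be able to see and undo.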
Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
FAILED for resource: aws_security_group.test_sg
File: /examples/aws-databricks-flat/networks_special.tf:56-74
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html
56 | resource "aws_security_group" "test_sg" {
57 | name = "default-security-group-${local.prefix}"
58 | description = "Default security group for ${local.prefix}"
59 | vpc_id = aws_vpc.mainvpc.id
60 |
61 | ingress {
62 | from_port = 0
63 | to_port = 0
64 | protocol = -1
65 | self = true
66 | }
67 |
68 | egress {
69 | from_port = 0
70 | to_port = 0
71 | protocol = "-1"
72 | cidr_blocks = ["0.0.0.0/0"]
73 | }
74 | }
Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
FAILED for resource: aws_security_group.default_spoke_sg
File: /modules/aws-exfiltration-protection/vpc_spoke.tf:50-87
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html
50 | resource "aws_security_group" "default_spoke_sg" {
51 | name = "${local.prefix}-default_spoke_sg"
52 | description = "Default security group to allow inbound/outbound from the VPC"
53 | vpc_id = aws_vpc.spoke_vpc.id
54 | depends_on = [aws_vpc.spoke_vpc]
55 |
56 | dynamic "ingress" {
57 | for_each = local.sg_ingress_protocol
58 | content {
59 | from_port = 0
60 | to_port = 65535
61 | protocol = ingress.value
62 | self = true
63 | }
64 | }
65 |
66 | dynamic "egress" {
67 | for_each = local.sg_egress_protocol
68 | content {
69 | from_port = 0
70 | to_port = 65535
71 | protocol = egress.value
72 | self = true
73 | }
74 | }
75 |
76 | dynamic "egress" {
77 | for_each = local.sg_egress_ports
78 | content {
79 | from_port = egress.value
80 | to_port = egress.value
81 | protocol = "tcp"
82 | cidr_blocks = ["0.0.0.0/0"]
83 | }
84 | }
85 |
86 | tags = var.tags
87 | }
Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
FAILED for resource: aws_security_group.default_sg
File: /modules/aws-workspace-with-firewall/security_group.tf:1-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html
1 | resource "aws_security_group" "default_sg" {
2 | name = "${local.prefix}-default-sg"
3 | description = "Default security group to allow inbound/outbound from the VPC"
4 | vpc_id = aws_vpc.db_vpc.id
5 | depends_on = [aws_vpc.db_vpc]
6 |
7 | dynamic "ingress" {
8 | for_each = local.sg_ingress_protocol
9 | content {
10 | from_port = 0
11 | to_port = 65535
12 | protocol = ingress.value
13 | self = true
14 | }
15 | }
16 |
17 | dynamic "egress" {
18 | for_each = local.sg_egress_protocol
19 | content {
20 | from_port = 0
21 | to_port = 65535
22 | protocol = egress.value
23 | self = true
24 | }
25 | }
26 |
27 | dynamic "egress" {
28 | for_each = local.sg_egress_ports
29 | content {
30 | from_port = egress.value
31 | to_port = egress.value
32 | protocol = "tcp"
33 | cidr_blocks = ["0.0.0.0/0"]
34 | }
35 | }
36 |
37 | tags = var.tags
38 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.root_storage_bucket
File: /examples/aws-databricks-flat/rootbucket.tf:1-11
1 | resource "aws_s3_bucket" "root_storage_bucket" {
2 | bucket = "${local.prefix}-rootbucket"
3 | acl = "private"
4 | versioning {
5 | enabled = false
6 | }
7 | force_destroy = true
8 | tags = merge(var.tags, {
9 | Name = "${local.prefix}-rootbucket"
10 | })
11 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.data_bucket
File: /examples/aws-databricks-modular-privatelink/instance_profile.tf:2-6
2 | resource "aws_s3_bucket" "data_bucket" {
3 | bucket = "data-bucket-for-test" // hard-coded value for demo only
4 | acl = "private"
5 | force_destroy = true
6 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: module.workspace_collection["workspace_1"].module.my_root_bucket.aws_s3_bucket.root_storage_bucket
File: /examples/aws-databricks-modular-privatelink/modules/mws_workspace/modules/mws_storage/main.tf:1-9
1 | resource "aws_s3_bucket" "root_storage_bucket" {
2 | bucket = var.root_bucket_name
3 | acl = "private"
4 | versioning {
5 | enabled = false
6 | }
7 | force_destroy = true
8 | tags = var.tags
9 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.metastore
File: /examples/aws-databricks-uc/unity_catalog_infra.tf:2-12
2 | resource "aws_s3_bucket" "metastore" {
3 | bucket = "${local.prefix}-metastore-jlaw"
4 | acl = "private"
5 | versioning {
6 | enabled = false
7 | }
8 | force_destroy = true
9 | tags = merge(var.tags, {
10 | Name = "${local.prefix}-uc-metastore"
11 | })
12 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.external
File: /examples/aws-databricks-uc/unity_catalog_infra.tf:103-114
103 | resource "aws_s3_bucket" "external" {
104 | bucket = "${local.prefix}-external"
105 | acl = "private"
106 | versioning {
107 | enabled = false
108 | }
109 | // destroy all objects with bucket destroy
110 | force_destroy = true
111 | tags = merge(var.tags, {
112 | Name = "${local.prefix}-external"
113 | })
114 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.terraform_state
File: /examples/aws-remote-backend-infra/main.tf:15-30
15 | resource "aws_s3_bucket" "terraform_state" {
16 | bucket = var.bucket_name
17 | # Enable versioning so we can see the full revision history of state files
18 | versioning {
19 | enabled = true
20 | }
21 | force_destroy = true
22 | # Enable server-side encryption by default
23 | server_side_encryption_configuration {
24 | rule {
25 | apply_server_side_encryption_by_default {
26 | sse_algorithm = "AES256"
27 | }
28 | }
29 | }
30 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: module.aws_base.aws_s3_bucket.root_storage_bucket
File: /modules/aws-databricks-base-infra/s3.tf:1-7
1 | resource "aws_s3_bucket" "root_storage_bucket" {
2 | bucket = "${var.prefix}-rootbucket"
3 | force_destroy = true
4 | tags = merge(var.tags, {
5 | Name = "${var.prefix}-rootbucket"
6 | })
7 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: module.unity_catalog.aws_s3_bucket.metastore
File: /modules/aws-databricks-unity-catalog/s3.tf:1-7
1 | resource "aws_s3_bucket" "metastore" {
2 | bucket = "${var.prefix}-metastore"
3 | force_destroy = true
4 | tags = merge(var.tags, {
5 | Name = "${var.prefix}-metastore"
6 | })
7 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.root_storage_bucket
File: /modules/aws-exfiltration-protection/s3.tf:1-7
1 | resource "aws_s3_bucket" "root_storage_bucket" {
2 | bucket = "${local.prefix}-rootbucket"
3 | force_destroy = true
4 | tags = merge(var.tags, {
5 | Name = "${local.prefix}-rootbucket"
6 | })
7 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.root_storage_bucket
File: /modules/aws-workspace-basic/s3.tf:1-7
1 | resource "aws_s3_bucket" "root_storage_bucket" {
2 | bucket = "${local.prefix}-rootbucket"
3 | force_destroy = true
4 | tags = merge(var.tags, {
5 | Name = "${local.prefix}-rootbucket"
6 | })
7 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.root_storage_bucket
File: /modules/aws-workspace-with-firewall/s3.tf:1-11
1 | resource "aws_s3_bucket" "root_storage_bucket" {
2 | bucket = "${local.prefix}-rootbucket"
3 | acl = "private"
4 | versioning {
5 | enabled = false
6 | }
7 | force_destroy = true
8 | tags = merge(var.tags, {
9 | Name = "${local.prefix}-rootbucket"
10 | })
11 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: module.workspace_collection["workspace_2"].module.my_root_bucket.aws_s3_bucket.root_storage_bucket
File: /examples/aws-databricks-modular-privatelink/modules/mws_workspace/modules/mws_storage/main.tf:1-9
1 | resource "aws_s3_bucket" "root_storage_bucket" {
2 | bucket = var.root_bucket_name
3 | acl = "private"
4 | versioning {
5 | enabled = false
6 | }
7 | force_destroy = true
8 | tags = var.tags
9 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.mainvpc
File: /examples/aws-databricks-flat/networks_special.tf:3-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
3 | resource "aws_vpc" "mainvpc" {
4 | cidr_block = var.vpc_cidr
5 | enable_dns_hostnames = true
6 |
7 | tags = merge(var.tags, {
8 | Name = "${local.prefix}-vpc"
9 | })
10 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.mainvpc
File: /examples/aws-databricks-modular-privatelink/vpc.tf:3-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
3 | resource "aws_vpc" "mainvpc" {
4 | cidr_block = var.vpc_cidr
5 | enable_dns_hostnames = true
6 | enable_dns_support = true
7 |
8 | tags = merge(var.tags, {
9 | Name = "${local.prefix}-vpc"
10 | })
11 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.hub_vpc
File: /modules/aws-exfiltration-protection/vpc_hub.tf:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "hub_vpc" {
2 | cidr_block = var.hub_cidr_block
3 | enable_dns_hostnames = true
4 | enable_dns_support = true
5 | tags = merge(var.tags, {
6 | Name = "${local.prefix}-hub-vpc"
7 | })
8 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.spoke_vpc
File: /modules/aws-exfiltration-protection/vpc_spoke.tf:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "spoke_vpc" {
2 | cidr_block = var.spoke_cidr_block
3 | enable_dns_hostnames = true
4 | enable_dns_support = true
5 | tags = merge(var.tags, {
6 | Name = "${local.prefix}-spoke-vpc"
7 | })
8 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.db_vpc
File: /modules/aws-workspace-with-firewall/vpc.tf:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "db_vpc" {
2 | cidr_block = var.cidr_block
3 | enable_dns_hostnames = true
4 | enable_dns_support = true
5 | tags = merge(var.tags, {
6 | Name = "${local.prefix}-db-vpc"
7 | })
8 | }
Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
FAILED for resource: aws_s3_bucket.root_storage_bucket
File: /examples/aws-databricks-flat/rootbucket.tf:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached.html
1 | resource "aws_s3_bucket" "root_storage_bucket" {
2 | bucket = "${local.prefix}-rootbucket"
3 | acl = "private"
4 | versioning {
5 | enabled = false
6 | }
7 | force_destroy = true
8 | tags = merge(var.tags, {
9 | Name = "${local.prefix}-rootbucket"
10 | })
11 | }
Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
FAILED for resource: module.workspace_collection["workspace_1"].module.my_root_bucket.aws_s3_bucket.root_storage_bucket
File: /examples/aws-databricks-modular-privatelink/modules/mws_workspace/modules/mws_storage/main.tf:1-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached.html
1 | resource "aws_s3_bucket" "root_storage_bucket" {
2 | bucket = var.root_bucket_name
3 | acl = "private"
4 | versioning {
5 | enabled = false
6 | }
7 | force_destroy = true
8 | tags = var.tags
9 | }
Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
FAILED for resource: aws_s3_bucket.external
File: /examples/aws-databricks-uc/unity_catalog_infra.tf:103-114
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached.html
103 | resource "aws_s3_bucket" "external" {
104 | bucket = "${local.prefix}-external"
105 | acl = "private"
106 | versioning {
107 | enabled = false
108 | }
109 | // destroy all objects with bucket destroy
110 | force_destroy = true
111 | tags = merge(var.tags, {
112 | Name = "${local.prefix}-external"
113 | })
114 | }
Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
FAILED for resource: module.workspace_collection["workspace_2"].module.my_root_bucket.aws_s3_bucket.root_storage_bucket
File: /examples/aws-databricks-modular-privatelink/modules/mws_workspace/modules/mws_storage/main.tf:1-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached.html
1 | resource "aws_s3_bucket" "root_storage_bucket" {
2 | bucket = var.root_bucket_name
3 | acl = "private"
4 | versioning {
5 | enabled = false
6 | }
7 | force_destroy = true
8 | tags = var.tags
9 | }
Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
FAILED for resource: aws_s3_bucket.data_bucket
File: /examples/aws-databricks-modular-privatelink/instance_profile.tf:2-6
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached.html
2 | resource "aws_s3_bucket" "data_bucket" {
3 | bucket = "data-bucket-for-test" // hard-coded value for demo only
4 | acl = "private"
5 | force_destroy = true
6 | }
Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
FAILED for resource: aws_s3_bucket.terraform_state
File: /examples/aws-remote-backend-infra/main.tf:15-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached.html
15 | resource "aws_s3_bucket" "terraform_state" {
16 | bucket = var.bucket_name
17 | # Enable versioning so we can see the full revision history of state files
18 | versioning {
19 | enabled = true
20 | }
21 | force_destroy = true
22 | # Enable server-side encryption by default
23 | server_side_encryption_configuration {
24 | rule {
25 | apply_server_side_encryption_by_default {
26 | sse_algorithm = "AES256"
27 | }
28 | }
29 | }
30 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.root_storage_bucket
File: /examples/aws-databricks-flat/rootbucket.tf:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
1 | resource "aws_s3_bucket" "root_storage_bucket" {
2 | bucket = "${local.prefix}-rootbucket"
3 | acl = "private"
4 | versioning {
5 | enabled = false
6 | }
7 | force_destroy = true
8 | tags = merge(var.tags, {
9 | Name = "${local.prefix}-rootbucket"
10 | })
11 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.data_bucket
File: /examples/aws-databricks-modular-privatelink/instance_profile.tf:2-6
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
2 | resource "aws_s3_bucket" "data_bucket" {
3 | bucket = "data-bucket-for-test" // hard-coded value for demo only
4 | acl = "private"
5 | force_destroy = true
6 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: module.workspace_collection["workspace_1"].module.my_root_bucket.aws_s3_bucket.root_storage_bucket
File: /examples/aws-databricks-modular-privatelink/modules/mws_workspace/modules/mws_storage/main.tf:1-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
1 | resource "aws_s3_bucket" "root_storage_bucket" {
2 | bucket = var.root_bucket_name
3 | acl = "private"
4 | versioning {
5 | enabled = false
6 | }
7 | force_destroy = true
8 | tags = var.tags
9 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.metastore
File: /examples/aws-databricks-uc/unity_catalog_infra.tf:2-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
2 | resource "aws_s3_bucket" "metastore" {
3 | bucket = "${local.prefix}-metastore-jlaw"
4 | acl = "private"
5 | versioning {
6 | enabled = false
7 | }
8 | force_destroy = true
9 | tags = merge(var.tags, {
10 | Name = "${local.prefix}-uc-metastore"
11 | })
12 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.external
File: /examples/aws-databricks-uc/unity_catalog_infra.tf:103-114
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
103 | resource "aws_s3_bucket" "external" {
104 | bucket = "${local.prefix}-external"
105 | acl = "private"
106 | versioning {
107 | enabled = false
108 | }
109 | // destroy all objects with bucket destroy
110 | force_destroy = true
111 | tags = merge(var.tags, {
112 | Name = "${local.prefix}-external"
113 | })
114 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.terraform_state
File: /examples/aws-remote-backend-infra/main.tf:15-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
15 | resource "aws_s3_bucket" "terraform_state" {
16 | bucket = var.bucket_name
17 | # Enable versioning so we can see the full revision history of state files
18 | versioning {
19 | enabled = true
20 | }
21 | force_destroy = true
22 | # Enable server-side encryption by default
23 | server_side_encryption_configuration {
24 | rule {
25 | apply_server_side_encryption_by_default {
26 | sse_algorithm = "AES256"
27 | }
28 | }
29 | }
30 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: module.aws_base.aws_s3_bucket.root_storage_bucket
File: /modules/aws-databricks-base-infra/s3.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
1 | resource "aws_s3_bucket" "root_storage_bucket" {
2 | bucket = "${var.prefix}-rootbucket"
3 | force_destroy = true
4 | tags = merge(var.tags, {
5 | Name = "${var.prefix}-rootbucket"
6 | })
7 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: module.unity_catalog.aws_s3_bucket.metastore
File: /modules/aws-databricks-unity-catalog/s3.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
1 | resource "aws_s3_bucket" "metastore" {
2 | bucket = "${var.prefix}-metastore"
3 | force_destroy = true
4 | tags = merge(var.tags, {
5 | Name = "${var.prefix}-metastore"
6 | })
7 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.root_storage_bucket
File: /modules/aws-exfiltration-protection/s3.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
1 | resource "aws_s3_bucket" "root_storage_bucket" {
2 | bucket = "${local.prefix}-rootbucket"
3 | force_destroy = true
4 | tags = merge(var.tags, {
5 | Name = "${local.prefix}-rootbucket"
6 | })
7 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.root_storage_bucket
File: /modules/aws-workspace-basic/s3.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
1 | resource "aws_s3_bucket" "root_storage_bucket" {
2 | bucket = "${local.prefix}-rootbucket"
3 | force_destroy = true
4 | tags = merge(var.tags, {
5 | Name = "${local.prefix}-rootbucket"
6 | })
7 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.root_storage_bucket
File: /modules/aws-workspace-with-firewall/s3.tf:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
1 | resource "aws_s3_bucket" "root_storage_bucket" {
2 | bucket = "${local.prefix}-rootbucket"
3 | acl = "private"
4 | versioning {
5 | enabled = false
6 | }
7 | force_destroy = true
8 | tags = merge(var.tags, {
9 | Name = "${local.prefix}-rootbucket"
10 | })
11 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: module.workspace_collection["workspace_2"].module.my_root_bucket.aws_s3_bucket.root_storage_bucket
File: /examples/aws-databricks-modular-privatelink/modules/mws_workspace/modules/mws_storage/main.tf:1-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
1 | resource "aws_s3_bucket" "root_storage_bucket" {
2 | bucket = var.root_bucket_name
3 | acl = "private"
4 | versioning {
5 | enabled = false
6 | }
7 | force_destroy = true
8 | tags = var.tags
9 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.root_storage_bucket
File: /examples/aws-databricks-flat/rootbucket.tf:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
1 | resource "aws_s3_bucket" "root_storage_bucket" {
2 | bucket = "${local.prefix}-rootbucket"
3 | acl = "private"
4 | versioning {
5 | enabled = false
6 | }
7 | force_destroy = true
8 | tags = merge(var.tags, {
9 | Name = "${local.prefix}-rootbucket"
10 | })
11 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.data_bucket
File: /examples/aws-databricks-modular-privatelink/instance_profile.tf:2-6
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
2 | resource "aws_s3_bucket" "data_bucket" {
3 | bucket = "data-bucket-for-test" // hard-coded value for demo only
4 | acl = "private"
5 | force_destroy = true
6 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: module.workspace_collection["workspace_1"].module.my_root_bucket.aws_s3_bucket.root_storage_bucket
File: /examples/aws-databricks-modular-privatelink/modules/mws_workspace/modules/mws_storage/main.tf:1-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
1 | resource "aws_s3_bucket" "root_storage_bucket" {
2 | bucket = var.root_bucket_name
3 | acl = "private"
4 | versioning {
5 | enabled = false
6 | }
7 | force_destroy = true
8 | tags = var.tags
9 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.metastore
File: /examples/aws-databricks-uc/unity_catalog_infra.tf:2-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
2 | resource "aws_s3_bucket" "metastore" {
3 | bucket = "${local.prefix}-metastore-jlaw"
4 | acl = "private"
5 | versioning {
6 | enabled = false
7 | }
8 | force_destroy = true
9 | tags = merge(var.tags, {
10 | Name = "${local.prefix}-uc-metastore"
11 | })
12 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.external
File: /examples/aws-databricks-uc/unity_catalog_infra.tf:103-114
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
103 | resource "aws_s3_bucket" "external" {
104 | bucket = "${local.prefix}-external"
105 | acl = "private"
106 | versioning {
107 | enabled = false
108 | }
109 | // destroy all objects with bucket destroy
110 | force_destroy = true
111 | tags = merge(var.tags, {
112 | Name = "${local.prefix}-external"
113 | })
114 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.terraform_state
File: /examples/aws-remote-backend-infra/main.tf:15-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
15 | resource "aws_s3_bucket" "terraform_state" {
16 | bucket = var.bucket_name
17 | # Enable versioning so we can see the full revision history of state files
18 | versioning {
19 | enabled = true
20 | }
21 | force_destroy = true
22 | # Enable server-side encryption by default
23 | server_side_encryption_configuration {
24 | rule {
25 | apply_server_side_encryption_by_default {
26 | sse_algorithm = "AES256"
27 | }
28 | }
29 | }
30 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: module.aws_base.aws_s3_bucket.root_storage_bucket
File: /modules/aws-databricks-base-infra/s3.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
1 | resource "aws_s3_bucket" "root_storage_bucket" {
2 | bucket = "${var.prefix}-rootbucket"
3 | force_destroy = true
4 | tags = merge(var.tags, {
5 | Name = "${var.prefix}-rootbucket"
6 | })
7 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: module.unity_catalog.aws_s3_bucket.metastore
File: /modules/aws-databricks-unity-catalog/s3.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
1 | resource "aws_s3_bucket" "metastore" {
2 | bucket = "${var.prefix}-metastore"
3 | force_destroy = true
4 | tags = merge(var.tags, {
5 | Name = "${var.prefix}-metastore"
6 | })
7 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.root_storage_bucket
File: /modules/aws-exfiltration-protection/s3.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
1 | resource "aws_s3_bucket" "root_storage_bucket" {
2 | bucket = "${local.prefix}-rootbucket"
3 | force_destroy = true
4 | tags = merge(var.tags, {
5 | Name = "${local.prefix}-rootbucket"
6 | })
7 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.root_storage_bucket
File: /modules/aws-workspace-basic/s3.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
1 | resource "aws_s3_bucket" "root_storage_bucket" {
2 | bucket = "${local.prefix}-rootbucket"
3 | force_destroy = true
4 | tags = merge(var.tags, {
5 | Name = "${local.prefix}-rootbucket"
6 | })
7 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.root_storage_bucket
File: /modules/aws-workspace-with-firewall/s3.tf:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
1 | resource "aws_s3_bucket" "root_storage_bucket" {
2 | bucket = "${local.prefix}-rootbucket"
3 | acl = "private"
4 | versioning {
5 | enabled = false
6 | }
7 | force_destroy = true
8 | tags = merge(var.tags, {
9 | Name = "${local.prefix}-rootbucket"
10 | })
11 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: module.workspace_collection["workspace_2"].module.my_root_bucket.aws_s3_bucket.root_storage_bucket
File: /examples/aws-databricks-modular-privatelink/modules/mws_workspace/modules/mws_storage/main.tf:1-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
1 | resource "aws_s3_bucket" "root_storage_bucket" {
2 | bucket = var.root_bucket_name
3 | acl = "private"
4 | versioning {
5 | enabled = false
6 | }
7 | force_destroy = true
8 | tags = var.tags
9 | }
Linting
This repository failed the Experience Builder Terraform Module's Linting validation. This means that a linting tool was not found to be implemented in any of the CICD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform linting tools