| | |
|---|---|
| Repository | magenx / Magento-2-aws-cluster-terraform |
| Description | Magento 2 AWS autoscaling cluster with Terraform and Packer or ImageBuilder. Adobe Commerce Cloud alternative. The best ecommerce infrastructure. Drive more sales online. Transparent billing. Devel… |
| Stars | 111 |
| Failed Checks | Security Scanning |
| Scan Date | 2023-10-30 17:57:40 |
Security Scanning
This repository failed the Experience Builder Terraform Module's Security Scanning validation. This means that a security scanning tool was not found to be implemented in any of the CICD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform security scanning tools (example checkov output found below)
- Implement one of the security scanning tools within the CICD framework used by the repository
Checkov Output
terraform scan results:
Passed checks: 243, Failed checks: 90, Skipped checks: 0, Parsing errors: 2
Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
FAILED for resource: aws_lb.this
File: /alb.tf:9-25
Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62
9 | resource "aws_lb" "this" {
10 | for_each = toset(var.alb["type"])
11 | name = "${local.project}-${each.key}-alb"
12 | internal = (each.key == "inner" ? true : false)
13 | load_balancer_type = "application"
14 | drop_invalid_header_fields = true
15 | security_groups = [(each.key == "inner" ? aws_security_group.inner_alb.id : aws_security_group.outer_alb.id)]
16 | subnets = values(aws_subnet.this).*.id
17 | access_logs {
18 | bucket = aws_s3_bucket.this["system"].bucket
19 | prefix = "ALB"
20 | enabled = true
21 | }
22 | tags = {
23 | Name = "${local.project}-${each.key}-alb"
24 | }
25 | }
Check: CKV_AWS_2: "Ensure ALB protocol is HTTPS"
FAILED for resource: aws_lb_listener.inner
File: /alb.tf:73-85
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-29.html
73 | resource "aws_lb_listener" "inner" {
74 | load_balancer_arn = aws_lb.this["inner"].arn
75 | port = "80"
76 | protocol = "HTTP"
77 | default_action {
78 | type = "fixed-response"
79 | fixed_response {
80 | content_type = "text/plain"
81 | message_body = "No targets are responding to this request"
82 | status_code = "502"
83 | }
84 | }
85 | }
Check: CKV_AWS_88: "EC2 instance should not have public IP."
FAILED for resource: aws_launch_template.this["admin"]
File: /asg.tf:9-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/public-policies/public-12.html
9 | resource "aws_launch_template" "this" {
10 | for_each = var.ec2
11 | name = "${local.project}-${each.key}-ltpl"
12 | iam_instance_profile { name = aws_iam_instance_profile.ec2[each.key].name }
13 | image_id = element(values(data.external.packer[each.key].result), 0)
14 | instance_type = each.value
15 | monitoring { enabled = var.asg["monitoring"] }
16 | network_interfaces {
17 | associate_public_ip_address = true
18 | security_groups = [aws_security_group.ec2.id]
19 | }
20 | dynamic "tag_specifications" {
21 | for_each = toset(["instance","volume"])
22 | content {
23 | resource_type = tag_specifications.key
24 | tags = merge(data.aws_default_tags.this.tags,{ Name = "${local.project}-${each.key}-ec2" })
25 | }
26 | }
27 | metadata_options {
28 | http_endpoint = "enabled"
29 | http_tokens = "required"
30 | http_put_response_hop_limit = 1
31 | instance_metadata_tags = "enabled"
32 | }
33 | user_data = filebase64("${abspath(path.root)}/user_data/${each.key}")
34 | update_default_version = true
35 | lifecycle {
36 | create_before_destroy = true
37 | }
38 | tags = {
39 | Name = "${local.project}-${each.key}-ltpl"
40 | }
41 | }
Check: CKV_AWS_88: "EC2 instance should not have public IP."
FAILED for resource: aws_launch_template.this["frontend"]
File: /asg.tf:9-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/public-policies/public-12.html
9 | resource "aws_launch_template" "this" {
10 | for_each = var.ec2
11 | name = "${local.project}-${each.key}-ltpl"
12 | iam_instance_profile { name = aws_iam_instance_profile.ec2[each.key].name }
13 | image_id = element(values(data.external.packer[each.key].result), 0)
14 | instance_type = each.value
15 | monitoring { enabled = var.asg["monitoring"] }
16 | network_interfaces {
17 | associate_public_ip_address = true
18 | security_groups = [aws_security_group.ec2.id]
19 | }
20 | dynamic "tag_specifications" {
21 | for_each = toset(["instance","volume"])
22 | content {
23 | resource_type = tag_specifications.key
24 | tags = merge(data.aws_default_tags.this.tags,{ Name = "${local.project}-${each.key}-ec2" })
25 | }
26 | }
27 | metadata_options {
28 | http_endpoint = "enabled"
29 | http_tokens = "required"
30 | http_put_response_hop_limit = 1
31 | instance_metadata_tags = "enabled"
32 | }
33 | user_data = filebase64("${abspath(path.root)}/user_data/${each.key}")
34 | update_default_version = true
35 | lifecycle {
36 | create_before_destroy = true
37 | }
38 | tags = {
39 | Name = "${local.project}-${each.key}-ltpl"
40 | }
41 | }
Check: CKV_AWS_88: "EC2 instance should not have public IP."
FAILED for resource: aws_launch_template.this["varnish"]
File: /asg.tf:9-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/public-policies/public-12.html
9 | resource "aws_launch_template" "this" {
10 | for_each = var.ec2
11 | name = "${local.project}-${each.key}-ltpl"
12 | iam_instance_profile { name = aws_iam_instance_profile.ec2[each.key].name }
13 | image_id = element(values(data.external.packer[each.key].result), 0)
14 | instance_type = each.value
15 | monitoring { enabled = var.asg["monitoring"] }
16 | network_interfaces {
17 | associate_public_ip_address = true
18 | security_groups = [aws_security_group.ec2.id]
19 | }
20 | dynamic "tag_specifications" {
21 | for_each = toset(["instance","volume"])
22 | content {
23 | resource_type = tag_specifications.key
24 | tags = merge(data.aws_default_tags.this.tags,{ Name = "${local.project}-${each.key}-ec2" })
25 | }
26 | }
27 | metadata_options {
28 | http_endpoint = "enabled"
29 | http_tokens = "required"
30 | http_put_response_hop_limit = 1
31 | instance_metadata_tags = "enabled"
32 | }
33 | user_data = filebase64("${abspath(path.root)}/user_data/${each.key}")
34 | update_default_version = true
35 | lifecycle {
36 | create_before_destroy = true
37 | }
38 | tags = {
39 | Name = "${local.project}-${each.key}-ltpl"
40 | }
41 | }
Check: CKV_AWS_305: "Ensure Cloudfront distribution has a default root object configured"
FAILED for resource: aws_cloudfront_distribution.this
File: /cloudfront.tf:13-90
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_310: "Ensure CloudFront distributions should have origin failover configured"
FAILED for resource: aws_cloudfront_distribution.this
File: /cloudfront.tf:13-90
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: aws_cloudwatch_log_group.codebuild
File: /codepipeline.tf:150-155
150 | resource "aws_cloudwatch_log_group" "codebuild" {
151 | name = "${local.project}-codebuild-project"
152 | tags = {
153 | Name = "${local.project}-codebuild-project"
154 | }
155 | }
Check: CKV_AWS_66: "Ensure that CloudWatch Log Group specifies retention days"
FAILED for resource: aws_cloudwatch_log_group.codebuild
File: /codepipeline.tf:150-155
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-13.html
150 | resource "aws_cloudwatch_log_group" "codebuild" {
151 | name = "${local.project}-codebuild-project"
152 | tags = {
153 | Name = "${local.project}-codebuild-project"
154 | }
155 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
FAILED for resource: aws_cloudwatch_log_group.codebuild
File: /codepipeline.tf:150-155
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html
150 | resource "aws_cloudwatch_log_group" "codebuild" {
151 | name = "${local.project}-codebuild-project"
152 | tags = {
153 | Name = "${local.project}-codebuild-project"
154 | }
155 | }
Check: CKV_AWS_147: "Ensure that CodeBuild projects are encrypted using CMK"
FAILED for resource: aws_codebuild_project.this
File: /codepipeline.tf:319-392
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-codebuild-projects-are-encrypted-1.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_219: "Ensure Code Pipeline Artifact store is using a KMS CMK"
FAILED for resource: aws_codepipeline.this
File: /codepipeline.tf:396-479
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-codepipeline-artifactstore-is-not-encrypted-by-key-management-service-kms-using-a-customer-managed-key-cmk.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_147: "Ensure that CodeBuild projects are encrypted using CMK"
FAILED for resource: aws_codebuild_project.install
File: /codepipeline_install.tf:21-95
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-codebuild-projects-are-encrypted-1.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_219: "Ensure Code Pipeline Artifact store is using a KMS CMK"
FAILED for resource: aws_codepipeline.install
File: /codepipeline_install.tf:99-197
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-codepipeline-artifactstore-is-not-encrypted-by-key-management-service-kms-using-a-customer-managed-key-cmk.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_184: "Ensure resource is encrypted by KMS using a customer managed Key (CMK)"
FAILED for resource: aws_efs_file_system.this
File: /efs.tf:9-14
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-104.html
9 | resource "aws_efs_file_system" "this" {
10 | creation_token = "${local.project}-efs-storage"
11 | tags = {
12 | Name = "${local.project}-efs-storage"
13 | }
14 | }
Check: CKV_AWS_42: "Ensure EFS is securely encrypted"
FAILED for resource: aws_efs_file_system.this
File: /efs.tf:9-14
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-17.html
9 | resource "aws_efs_file_system" "this" {
10 | creation_token = "${local.project}-efs-storage"
11 | tags = {
12 | Name = "${local.project}-efs-storage"
13 | }
14 | }
Check: CKV_AWS_191: "Ensure Elasticache replication group is encrypted by KMS using a customer managed Key (CMK)"
FAILED for resource: aws_elasticache_replication_group.this
File: /elasticache.tf:40-59
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-111.html
40 | resource "aws_elasticache_replication_group" "this" {
41 | for_each = toset(var.redis["name"])
42 | description = "Replication group for ${var.app["domain"]} ${each.key} backend"
43 | num_cache_clusters = var.redis["num_cache_clusters"]
44 | at_rest_encryption_enabled = var.redis["at_rest_encryption_enabled"]
45 | engine = "redis"
46 | engine_version = var.redis["engine_version"]
47 | replication_group_id = "${local.project}-${each.key}-backend"
48 | node_type = var.redis["node_type"]
49 | port = var.redis["port"]
50 | parameter_group_name = aws_elasticache_parameter_group.this[each.key].id
51 | security_group_ids = [aws_security_group.redis.id]
52 | subnet_group_name = aws_elasticache_subnet_group.this.name
53 | automatic_failover_enabled = var.redis["num_cache_clusters"] > 1 ? true : false
54 | multi_az_enabled = var.redis["num_cache_clusters"] > 1 ? true : false
55 | notification_topic_arn = aws_sns_topic.default.arn
56 | tags = {
57 | Name = "${local.project}-${each.key}-backend"
58 | }
59 | }
Check: CKV_AWS_30: "Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit"
FAILED for resource: aws_elasticache_replication_group.this
File: /elasticache.tf:40-59
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-10.html
40 | resource "aws_elasticache_replication_group" "this" {
41 | for_each = toset(var.redis["name"])
42 | description = "Replication group for ${var.app["domain"]} ${each.key} backend"
43 | num_cache_clusters = var.redis["num_cache_clusters"]
44 | at_rest_encryption_enabled = var.redis["at_rest_encryption_enabled"]
45 | engine = "redis"
46 | engine_version = var.redis["engine_version"]
47 | replication_group_id = "${local.project}-${each.key}-backend"
48 | node_type = var.redis["node_type"]
49 | port = var.redis["port"]
50 | parameter_group_name = aws_elasticache_parameter_group.this[each.key].id
51 | security_group_ids = [aws_security_group.redis.id]
52 | subnet_group_name = aws_elasticache_subnet_group.this.name
53 | automatic_failover_enabled = var.redis["num_cache_clusters"] > 1 ? true : false
54 | multi_az_enabled = var.redis["num_cache_clusters"] > 1 ? true : false
55 | notification_topic_arn = aws_sns_topic.default.arn
56 | tags = {
57 | Name = "${local.project}-${each.key}-backend"
58 | }
59 | }
Check: CKV_AWS_31: "Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit and has auth token"
FAILED for resource: aws_elasticache_replication_group.this
File: /elasticache.tf:40-59
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-11.html
40 | resource "aws_elasticache_replication_group" "this" {
41 | for_each = toset(var.redis["name"])
42 | description = "Replication group for ${var.app["domain"]} ${each.key} backend"
43 | num_cache_clusters = var.redis["num_cache_clusters"]
44 | at_rest_encryption_enabled = var.redis["at_rest_encryption_enabled"]
45 | engine = "redis"
46 | engine_version = var.redis["engine_version"]
47 | replication_group_id = "${local.project}-${each.key}-backend"
48 | node_type = var.redis["node_type"]
49 | port = var.redis["port"]
50 | parameter_group_name = aws_elasticache_parameter_group.this[each.key].id
51 | security_group_ids = [aws_security_group.redis.id]
52 | subnet_group_name = aws_elasticache_subnet_group.this.name
53 | automatic_failover_enabled = var.redis["num_cache_clusters"] > 1 ? true : false
54 | multi_az_enabled = var.redis["num_cache_clusters"] > 1 ? true : false
55 | notification_topic_arn = aws_sns_topic.default.arn
56 | tags = {
57 | Name = "${local.project}-${each.key}-backend"
58 | }
59 | }
Check: CKV_AWS_318: "Ensure Elasticsearch domains are configured with at least three dedicated master nodes for HA"
FAILED for resource: aws_elasticsearch_domain.this
File: /elasticsearch.tf:23-76
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_228: "Verify Elasticsearch domain is using an up to date TLS policy"
FAILED for resource: aws_elasticsearch_domain.this
File: /elasticsearch.tf:23-76
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-elasticsearch-domain-uses-an-updated-tls-policy.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_247: "Ensure all data stored in the Elasticsearch is encrypted with a CMK"
FAILED for resource: aws_elasticsearch_domain.this
File: /elasticsearch.tf:23-76
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-all-data-stored-in-the-elasticsearch-domain-is-encrypted-using-a-customer-managed-key-cmk.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_317: "Ensure Elasticsearch Domain Audit Logging is enabled"
FAILED for resource: aws_elasticsearch_domain.this
File: /elasticsearch.tf:23-76
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: aws_cloudwatch_log_group.elk
File: /elasticsearch.tf:80-82
80 | resource "aws_cloudwatch_log_group" "elk" {
81 | name = "${local.project}-elk"
82 | }
Check: CKV_AWS_66: "Ensure that CloudWatch Log Group specifies retention days"
FAILED for resource: aws_cloudwatch_log_group.elk
File: /elasticsearch.tf:80-82
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-13.html
80 | resource "aws_cloudwatch_log_group" "elk" {
81 | name = "${local.project}-elk"
82 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
FAILED for resource: aws_cloudwatch_log_group.elk
File: /elasticsearch.tf:80-82
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html
80 | resource "aws_cloudwatch_log_group" "elk" {
81 | name = "${local.project}-elk"
82 | }
Check: CKV_AWS_48: "Ensure MQ Broker logging is enabled"
FAILED for resource: aws_mq_broker.this
File: /rabbitmq.tf:9-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-10.html
9 | resource "aws_mq_broker" "this" {
10 | broker_name = "${local.project}-rabbitmq"
11 | engine_type = "RabbitMQ"
12 | engine_version = var.rabbitmq["engine_version"]
13 | host_instance_type = var.rabbitmq["host_instance_type"]
14 | security_groups = [aws_security_group.rabbitmq.id]
15 | subnet_ids = [values(aws_subnet.this).0.id]
16 | user {
17 | username = var.app["brand"]
18 | password = random_password.this["rabbitmq"].result
19 | }
20 | tags = {
21 | Name = "${local.project}-rabbitmq"
22 | }
23 | }
Check: CKV_AWS_209: "Ensure MQ broker encrypted by KMS using a customer managed Key (CMK)"
FAILED for resource: aws_mq_broker.this
File: /rabbitmq.tf:9-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-mqbroker-is-encrypted-by-key-management-service-kms-using-a-customer-managed-key-cmk.html
9 | resource "aws_mq_broker" "this" {
10 | broker_name = "${local.project}-rabbitmq"
11 | engine_type = "RabbitMQ"
12 | engine_version = var.rabbitmq["engine_version"]
13 | host_instance_type = var.rabbitmq["host_instance_type"]
14 | security_groups = [aws_security_group.rabbitmq.id]
15 | subnet_ids = [values(aws_subnet.this).0.id]
16 | user {
17 | username = var.app["brand"]
18 | password = random_password.this["rabbitmq"].result
19 | }
20 | tags = {
21 | Name = "${local.project}-rabbitmq"
22 | }
23 | }
Check: CKV_AWS_207: "Ensure MQ Broker minor version updates are enabled"
FAILED for resource: aws_mq_broker.this
File: /rabbitmq.tf:9-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-mqbrokers-minor-version-updates-are-enabled.html
9 | resource "aws_mq_broker" "this" {
10 | broker_name = "${local.project}-rabbitmq"
11 | engine_type = "RabbitMQ"
12 | engine_version = var.rabbitmq["engine_version"]
13 | host_instance_type = var.rabbitmq["host_instance_type"]
14 | security_groups = [aws_security_group.rabbitmq.id]
15 | subnet_ids = [values(aws_subnet.this).0.id]
16 | user {
17 | username = var.app["brand"]
18 | password = random_password.this["rabbitmq"].result
19 | }
20 | tags = {
21 | Name = "${local.project}-rabbitmq"
22 | }
23 | }
Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
FAILED for resource: aws_db_instance.this
File: /rds.tf:31-57
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically.html
31 | resource "aws_db_instance" "this" {
32 | identifier = "${local.project}-rds"
33 | allocated_storage = var.rds["allocated_storage"]
34 | max_allocated_storage = var.rds["max_allocated_storage"]
35 | storage_type = var.rds["storage_type"]
36 | storage_encrypted = var.rds["storage_encrypted"]
37 | engine = var.rds["engine"]
38 | engine_version = var.rds["engine_version"]
39 | instance_class = var.rds["instance_class"]
40 | multi_az = var.rds["multi_az"]
41 | db_name = var.rds["db_name"]
42 | username = var.app["brand"]
43 | password = random_password.this["rds"].result
44 | parameter_group_name = aws_db_parameter_group.this.id
45 | skip_final_snapshot = var.rds["skip_final_snapshot"]
46 | vpc_security_group_ids = [aws_security_group.rds.id]
47 | db_subnet_group_name = aws_db_subnet_group.this.name
48 | enabled_cloudwatch_logs_exports = [var.rds["enabled_cloudwatch_logs_exports"]]
49 | performance_insights_enabled = var.rds["performance_insights_enabled"]
50 | copy_tags_to_snapshot = var.rds["copy_tags_to_snapshot"]
51 | backup_retention_period = var.rds["backup_retention_period"]
52 | delete_automated_backups = var.rds["delete_automated_backups"]
53 | deletion_protection = var.rds["deletion_protection"]
54 | tags = {
55 | Name = "${local.project}"
56 | }
57 | }
Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
FAILED for resource: aws_db_instance.this
File: /rds.tf:31-57
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances.html
31 | resource "aws_db_instance" "this" {
32 | identifier = "${local.project}-rds"
33 | allocated_storage = var.rds["allocated_storage"]
34 | max_allocated_storage = var.rds["max_allocated_storage"]
35 | storage_type = var.rds["storage_type"]
36 | storage_encrypted = var.rds["storage_encrypted"]
37 | engine = var.rds["engine"]
38 | engine_version = var.rds["engine_version"]
39 | instance_class = var.rds["instance_class"]
40 | multi_az = var.rds["multi_az"]
41 | db_name = var.rds["db_name"]
42 | username = var.app["brand"]
43 | password = random_password.this["rds"].result
44 | parameter_group_name = aws_db_parameter_group.this.id
45 | skip_final_snapshot = var.rds["skip_final_snapshot"]
46 | vpc_security_group_ids = [aws_security_group.rds.id]
47 | db_subnet_group_name = aws_db_subnet_group.this.name
48 | enabled_cloudwatch_logs_exports = [var.rds["enabled_cloudwatch_logs_exports"]]
49 | performance_insights_enabled = var.rds["performance_insights_enabled"]
50 | copy_tags_to_snapshot = var.rds["copy_tags_to_snapshot"]
51 | backup_retention_period = var.rds["backup_retention_period"]
52 | delete_automated_backups = var.rds["delete_automated_backups"]
53 | deletion_protection = var.rds["deletion_protection"]
54 | tags = {
55 | Name = "${local.project}"
56 | }
57 | }
Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
FAILED for resource: aws_db_instance.this
File: /rds.tf:31-57
31 | resource "aws_db_instance" "this" {
32 | identifier = "${local.project}-rds"
33 | allocated_storage = var.rds["allocated_storage"]
34 | max_allocated_storage = var.rds["max_allocated_storage"]
35 | storage_type = var.rds["storage_type"]
36 | storage_encrypted = var.rds["storage_encrypted"]
37 | engine = var.rds["engine"]
38 | engine_version = var.rds["engine_version"]
39 | instance_class = var.rds["instance_class"]
40 | multi_az = var.rds["multi_az"]
41 | db_name = var.rds["db_name"]
42 | username = var.app["brand"]
43 | password = random_password.this["rds"].result
44 | parameter_group_name = aws_db_parameter_group.this.id
45 | skip_final_snapshot = var.rds["skip_final_snapshot"]
46 | vpc_security_group_ids = [aws_security_group.rds.id]
47 | db_subnet_group_name = aws_db_subnet_group.this.name
48 | enabled_cloudwatch_logs_exports = [var.rds["enabled_cloudwatch_logs_exports"]]
49 | performance_insights_enabled = var.rds["performance_insights_enabled"]
50 | copy_tags_to_snapshot = var.rds["copy_tags_to_snapshot"]
51 | backup_retention_period = var.rds["backup_retention_period"]
52 | delete_automated_backups = var.rds["delete_automated_backups"]
53 | deletion_protection = var.rds["deletion_protection"]
54 | tags = {
55 | Name = "${local.project}"
56 | }
57 | }
Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
FAILED for resource: aws_security_group.outer_alb
File: /security_groups.tf:9-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
9 | resource "aws_security_group" "outer_alb" {
10 | name = "${local.project}-outer-alb-sg"
11 | description = "Security group rules for ${local.project} ALB"
12 | vpc_id = aws_vpc.this.id
13 |
14 | ingress {
15 | description = "Allow all inbound traffic on the load balancer https listener port"
16 | from_port = 443
17 | to_port = 443
18 | protocol = "tcp"
19 | cidr_blocks = ["0.0.0.0/0"]
20 | }
21 |
22 | ingress {
23 | description = "Allow all inbound traffic on the load balancer http listener port"
24 | from_port = 80
25 | to_port = 80
26 | protocol = "tcp"
27 | cidr_blocks = ["0.0.0.0/0"]
28 | }
29 |
30 | egress {
31 | description = "Allow outbound traffic to instances on the load balancer listener port"
32 | from_port = 80
33 | to_port = 80
34 | protocol = "tcp"
35 | security_groups = [aws_security_group.ec2.id]
36 | }
37 |
38 | tags = {
39 | Name = "${local.project}-outer-alb-sg"
40 | }
41 | }
Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
FAILED for resource: aws_security_group.inner_alb
File: /security_groups.tf:46-70
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
46 | resource "aws_security_group" "inner_alb" {
47 | name = "${local.project}-inner-alb-sg"
48 | description = "Security group rules for ${local.project} ALB"
49 | vpc_id = aws_vpc.this.id
50 |
51 | ingress {
52 | description = "Allow all inbound traffic on the load balancer http listener port"
53 | from_port = 80
54 | to_port = 80
55 | protocol = "tcp"
56 | cidr_blocks = ["0.0.0.0/0"]
57 | }
58 |
59 | egress {
60 | description = "Allow outbound traffic to instances on the load balancer listener port"
61 | from_port = 80
62 | to_port = 80
63 | protocol = "tcp"
64 | security_groups = [aws_security_group.ec2.id]
65 | }
66 |
67 | tags = {
68 | Name = "${local.project}-inner-alb-sg"
69 | }
70 | }
Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
FAILED for resource: aws_iam_user.ses_smtp_user
File: /ses.tf:9-11
9 | resource "aws_iam_user" "ses_smtp_user" {
10 | name = "${local.project}-ses-smtp-user"
11 | }
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_user_policy.ses_smtp_user_policy
File: /ses.tf:17-34
17 | resource "aws_iam_user_policy" "ses_smtp_user_policy" {
18 | name = "${local.project}-ses-smtp-user-policy"
19 | user = aws_iam_user.ses_smtp_user.name
20 |
21 | policy = jsonencode({
22 | Version : "2012-10-17",
23 | Statement : [
24 | {
25 | Effect : "Allow",
26 | Action : [
27 | "ses:SendEmail",
28 | "ses:SendRawEmail"
29 | ],
30 | Resource : "*"
31 | }
32 | ]
33 | })
34 | }
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_user_policy.ses_smtp_user_policy
File: /ses.tf:17-34
17 | resource "aws_iam_user_policy" "ses_smtp_user_policy" {
18 | name = "${local.project}-ses-smtp-user-policy"
19 | user = aws_iam_user.ses_smtp_user.name
20 |
21 | policy = jsonencode({
22 | Version : "2012-10-17",
23 | Statement : [
24 | {
25 | Effect : "Allow",
26 | Action : [
27 | "ses:SendEmail",
28 | "ses:SendRawEmail"
29 | ],
30 | Resource : "*"
31 | }
32 | ]
33 | })
34 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
FAILED for resource: aws_sns_topic.default
File: /sns.tf:9-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-15.html
9 | resource "aws_sns_topic" "default" {
10 | name = "${local.project}-email-alerts"
11 | }
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: aws_ssm_parameter.cloudwatch_agent_config["admin"]
File: /ssm_cwa_config.tf:9-64
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: aws_ssm_parameter.cloudwatch_agent_config["frontend"]
File: /ssm_cwa_config.tf:9-64
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: aws_ssm_parameter.cloudwatch_agent_config["varnish"]
File: /ssm_cwa_config.tf:9-64
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: aws_ssm_parameter.env
File: /ssm_env_variables.tf:9-77
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.this
File: /vpc_network.tf:21-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
21 | resource "aws_subnet" "this" {
22 | for_each = data.aws_availability_zone.all
23 | vpc_id = aws_vpc.this.id
24 | availability_zone = each.key
25 | cidr_block = cidrsubnet(aws_vpc.this.cidr_block, 4, var.az_number[each.value.name_suffix])
26 | map_public_ip_on_launch = true
27 | tags = {
28 | Name = "${local.project}-subnet"
29 | }
30 | }
Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
FAILED for resource: aws_wafv2_web_acl.this
File: /waf.tf:9-155
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-waf-prevents-message-lookup-in-log4j2.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_31: "Ensure WAF2 has a Logging Configuration"
FAILED for resource: aws_wafv2_web_acl.this
File: /waf.tf:9-155
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-33.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
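The three WAF findings above (CKV_AWS_192, CKV2_AWS_31 and, further down, CKV2_AWS_47 on the CloudFront distribution) are all fixed on the web ACL itself. The block below is an added example written for this review, not the repository's waf.tf: it shows a CloudFront-scoped ACL with the managed rule group that carries the Log4JRCE rule, plus a logging configuration. The provider alias, the log group name and the 90-day retention are assumptions; `local.project` is taken from the scan output.

```hcl
# Added example, not the repository's waf.tf. A CLOUDFRONT-scoped web ACL and its
# log destination must both be created in us-east-1, whatever region the stack uses,
# so a provider alias for that region is assumed (reuse one if the repo already has it).
provider "aws" {
  alias  = "us_east_1"
  region = "us-east-1"
}

# CKV2_AWS_31: the CloudWatch log group name must start with "aws-waf-logs-",
# otherwise PutLoggingConfiguration rejects it.
resource "aws_cloudwatch_log_group" "waf" {
  provider          = aws.us_east_1
  name              = "aws-waf-logs-${local.project}"
  retention_in_days = 90
}

resource "aws_wafv2_web_acl" "edge" {
  provider = aws.us_east_1
  name     = "${local.project}-edge-waf"
  scope    = "CLOUDFRONT"

  default_action {
    allow {}
  }

  # CKV_AWS_192 / CKV2_AWS_47: the Known Bad Inputs managed group contains the
  # Log4JRCE rule that blocks JNDI lookup strings (CVE-2021-44228) in headers,
  # query strings and bodies. Do not add Log4JRCE to excluded rules.
  rule {
    name     = "AWSManagedRulesKnownBadInputsRuleSet"
    priority = 0
    override_action {
      none {}
    }
    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesKnownBadInputsRuleSet"
        vendor_name = "AWS"
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "${local.project}-known-bad-inputs"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "${local.project}-edge-waf"
    sampled_requests_enabled   = true
  }
}

resource "aws_wafv2_web_acl_logging_configuration" "edge" {
  provider                = aws.us_east_1
  resource_arn            = aws_wafv2_web_acl.edge.arn
  log_destination_configs = [aws_cloudwatch_log_group.waf.arn]

  # Session cookies and Authorization headers would otherwise land in the log store
  # in clear text; redact them before they are written.
  redacted_fields {
    single_header {
      name = "cookie"
    }
  }
  redacted_fields {
    single_header {
      name = "authorization"
    }
  }
}
```

To clear CKV2_AWS_47 the distribution must reference this ACL (`web_acl_id = aws_wafv2_web_acl.edge.arn` on `aws_cloudfront_distribution.this`). The managed group blocks rather than counts, so watch the sampled requests for a few days on a store with custom admin extensions before relying on it; a false positive on an admin POST is the usual surprise.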
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.this["backup"]
File: /s3.tf:9-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
9 | resource "aws_s3_bucket" "this" {
10 | for_each = var.s3
11 | bucket = "${local.project}-${random_string.s3[each.key].id}-${each.key}"
12 | force_destroy = true
13 | tags = {
14 | Name = "${local.project}-${random_string.s3[each.key].id}-${each.key}"
15 | }
16 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.this["media"]
File: /s3.tf:9-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
9 | resource "aws_s3_bucket" "this" {
10 | for_each = var.s3
11 | bucket = "${local.project}-${random_string.s3[each.key].id}-${each.key}"
12 | force_destroy = true
13 | tags = {
14 | Name = "${local.project}-${random_string.s3[each.key].id}-${each.key}"
15 | }
16 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.this["state"]
File: /s3.tf:9-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
9 | resource "aws_s3_bucket" "this" {
10 | for_each = var.s3
11 | bucket = "${local.project}-${random_string.s3[each.key].id}-${each.key}"
12 | force_destroy = true
13 | tags = {
14 | Name = "${local.project}-${random_string.s3[each.key].id}-${each.key}"
15 | }
16 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.this["system"]
File: /s3.tf:9-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
9 | resource "aws_s3_bucket" "this" {
10 | for_each = var.s3
11 | bucket = "${local.project}-${random_string.s3[each.key].id}-${each.key}"
12 | force_destroy = true
13 | tags = {
14 | Name = "${local.project}-${random_string.s3[each.key].id}-${each.key}"
15 | }
16 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.this["backup"]
File: /s3.tf:9-16
9 | resource "aws_s3_bucket" "this" {
10 | for_each = var.s3
11 | bucket = "${local.project}-${random_string.s3[each.key].id}-${each.key}"
12 | force_destroy = true
13 | tags = {
14 | Name = "${local.project}-${random_string.s3[each.key].id}-${each.key}"
15 | }
16 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.this["media"]
File: /s3.tf:9-16
9 | resource "aws_s3_bucket" "this" {
10 | for_each = var.s3
11 | bucket = "${local.project}-${random_string.s3[each.key].id}-${each.key}"
12 | force_destroy = true
13 | tags = {
14 | Name = "${local.project}-${random_string.s3[each.key].id}-${each.key}"
15 | }
16 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.this["state"]
File: /s3.tf:9-16
9 | resource "aws_s3_bucket" "this" {
10 | for_each = var.s3
11 | bucket = "${local.project}-${random_string.s3[each.key].id}-${each.key}"
12 | force_destroy = true
13 | tags = {
14 | Name = "${local.project}-${random_string.s3[each.key].id}-${each.key}"
15 | }
16 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.this["system"]
File: /s3.tf:9-16
9 | resource "aws_s3_bucket" "this" {
10 | for_each = var.s3
11 | bucket = "${local.project}-${random_string.s3[each.key].id}-${each.key}"
12 | force_destroy = true
13 | tags = {
14 | Name = "${local.project}-${random_string.s3[each.key].id}-${each.key}"
15 | }
16 | }
Check: CKV2_AWS_59: "Ensure ElasticSearch/OpenSearch has dedicated master node enabled"
FAILED for resource: aws_elasticsearch_domain.this
File: /elasticsearch.tf:23-76
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_52: "Ensure AWS ElasticSearch/OpenSearch Fine-grained access control is enabled"
FAILED for resource: aws_elasticsearch_domain.this
File: /elasticsearch.tf:23-76
Code lines for this resource are too many. Please use IDE of your choice to review the file.
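The two OpenSearch findings (CKV2_AWS_59, CKV2_AWS_52) need more than a flag each: fine-grained access control is only accepted by the API when HTTPS is enforced and both at-rest and node-to-node encryption are on, and turning it on means the application can no longer talk to the domain anonymously. The block below is an added example, not the repository's elasticsearch.tf. Instance types, counts and the engine version are illustrative; `local.project` comes from the scan output, and `aws_kms_key.cmk` is an assumed customer-managed key for the password parameter.

```hcl
# Added example, not the repository's elasticsearch.tf.
resource "random_password" "opensearch_admin" {
  length  = 32
  special = true
}

resource "aws_elasticsearch_domain" "this" {
  domain_name           = "${local.project}-search"
  elasticsearch_version = "OpenSearch_2.5" # illustrative; match what the Magento release supports

  cluster_config {
    instance_type            = "m5.large.elasticsearch"
    instance_count           = 2
    zone_awareness_enabled   = true
    dedicated_master_enabled = true # CKV2_AWS_59
    dedicated_master_type    = "m5.large.elasticsearch"
    dedicated_master_count   = 3 # odd count so the masters can elect a quorum
  }

  ebs_options {
    ebs_enabled = true
    volume_size = 20
  }

  # All three are prerequisites for advanced_security_options below.
  encrypt_at_rest {
    enabled = true
  }
  node_to_node_encryption {
    enabled = true
  }
  domain_endpoint_options {
    enforce_https       = true
    tls_security_policy = "Policy-Min-TLS-1-2-2019-07"
  }

  # CKV2_AWS_52: fine-grained access control with an internal master user. From now on
  # unauthenticated requests get 401, so the Magento OpenSearch connection must be
  # configured with this user, HTTPS and port 443.
  advanced_security_options {
    enabled                        = true
    internal_user_database_enabled = true
    master_user_options {
      master_user_name     = "admin"
      master_user_password = random_password.opensearch_admin.result
    }
  }
}

# Keep the generated password out of variables and out of the plan output; the
# instances read it from Parameter Store with a role that can decrypt the key.
resource "aws_ssm_parameter" "opensearch_admin" {
  name   = "/${local.project}/opensearch/admin-password"
  type   = "SecureString"
  key_id = aws_kms_key.cmk.arn # assumed customer-managed key
  value  = random_password.opensearch_admin.result
}
```

The master user is an all-powerful account; for the application itself create a role in the OpenSearch security plugin limited to the Magento indices and map a second user to it, and keep the master user for operations only. Dedicated masters triple the node count for a two-node domain, which is why this finding is often accepted on small stores rather than fixed; if it is accepted, say so in a `#checkov:skip=CKV2_AWS_59:<reason>` comment on the resource.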
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.this
File: /vpc_network.tf:9-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
9 | resource "aws_vpc" "this" {
10 | cidr_block = var.app["cidr_block"]
11 | instance_tenancy = "default"
12 | enable_dns_support = true
13 | enable_dns_hostnames = true
14 | tags = {
15 | Name = "${var.app["brand"]}-vpc"
16 | }
17 | }
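The subnet finding (CKV_AWS_130, vpc_network.tf:21-30) and the default security group finding (CKV2_AWS_12) above are both fixed in vpc_network.tf. The block below is an added example, not the repository's file: the subnet resource is the one from the scan output with one attribute changed, and the default security group is adopted so that Terraform strips its rules. Nothing else is assumed beyond the identifiers already visible in the scan.

```hcl
# Added example, not the repository's vpc_network.tf.
resource "aws_subnet" "this" {
  for_each          = data.aws_availability_zone.all
  vpc_id            = aws_vpc.this.id
  availability_zone = each.key
  cidr_block        = cidrsubnet(aws_vpc.this.cidr_block, 4, var.az_number[each.value.name_suffix])

  # CKV_AWS_130: instances get a public IPv4 address only when their launch
  # template asks for one explicitly, not because they landed in this subnet.
  map_public_ip_on_launch = false

  tags = {
    Name = "${local.project}-subnet"
  }
}

# CKV2_AWS_12: declaring aws_default_security_group with no ingress or egress blocks
# makes Terraform delete every rule on the VPC's default group. Anything launched
# without an explicit security group is then isolated instead of inheriting the
# default allow-all egress and intra-group ingress.
resource "aws_default_security_group" "this" {
  vpc_id = aws_vpc.this.id

  tags = {
    Name = "${local.project}-default-sg-no-rules"
  }
}
```

Before applying the subnet change, check how the instances reach the internet. Both load balancers are placed in every subnet of `aws_subnet.this` (alb.tf above); if the autoscaling groups share those subnets, the instances currently rely on their auto-assigned public address for outbound traffic such as package and Composer downloads. The minimal-change option is `associate_public_ip_address = true` inside the launch template's `network_interfaces` block for the roles that need it; the proper fix is a public/private subnet split with a NAT gateway, keeping only the internet-facing ALB in the public subnets.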
Check: CKV2_AWS_47: "Ensure AWS CloudFront attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability"
FAILED for resource: aws_cloudfront_distribution.this
File: /cloudfront.tf:13-90
Guide: https://docs.bridgecrew.io/docs/ensure-aws-cloudfront-attached-wafv2-webacl-is-configured-with-amr-for-log4j-vulnerability
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
FAILED for resource: aws_lb_listener.inner
File: /alb.tf:73-85
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-43.html
73 | resource "aws_lb_listener" "inner" {
74 | load_balancer_arn = aws_lb.this["inner"].arn
75 | port = "80"
76 | protocol = "HTTP"
77 | default_action {
78 | type = "fixed-response"
79 | fixed_response {
80 | content_type = "text/plain"
81 | message_body = "No targets are responding to this request"
82 | status_code = "502"
83 | }
84 | }
85 | }
Check: CKV2_AWS_42: "Ensure AWS CloudFront distribution uses custom SSL certificate"
FAILED for resource: aws_cloudfront_distribution.this
File: /cloudfront.tf:13-90
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-cloudfront-distribution-uses-custom-ssl-certificate.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF"
FAILED for resource: aws_lb.this
File: /alb.tf:9-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf.html
9 | resource "aws_lb" "this" {
10 | for_each = toset(var.alb["type"])
11 | name = "${local.project}-${each.key}-alb"
12 | internal = (each.key == "inner" ? true : false)
13 | load_balancer_type = "application"
14 | drop_invalid_header_fields = true
15 | security_groups = [(each.key == "inner" ? aws_security_group.inner_alb.id : aws_security_group.outer_alb.id)]
16 | subnets = values(aws_subnet.this).*.id
17 | access_logs {
18 | bucket = aws_s3_bucket.this["system"].bucket
19 | prefix = "ALB"
20 | enabled = true
21 | }
22 | tags = {
23 | Name = "${local.project}-${each.key}-alb"
24 | }
25 | }
Check: CKV2_AWS_20: "Ensure that ALB redirects HTTP requests into HTTPS ones"
FAILED for resource: aws_lb.this
File: /alb.tf:9-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-redirects-http-requests-into-https-ones.html
9 | resource "aws_lb" "this" {
10 | for_each = toset(var.alb["type"])
11 | name = "${local.project}-${each.key}-alb"
12 | internal = (each.key == "inner" ? true : false)
13 | load_balancer_type = "application"
14 | drop_invalid_header_fields = true
15 | security_groups = [(each.key == "inner" ? aws_security_group.inner_alb.id : aws_security_group.outer_alb.id)]
16 | subnets = values(aws_subnet.this).*.id
17 | access_logs {
18 | bucket = aws_s3_bucket.this["system"].bucket
19 | prefix = "ALB"
20 | enabled = true
21 | }
22 | tags = {
23 | Name = "${local.project}-${each.key}-alb"
24 | }
25 | }
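Three of the ALB findings (CKV_AWS_103, CKV2_AWS_28, CKV2_AWS_20) are listener and association resources rather than changes to `aws_lb.this` itself. The block below is an added example, not the repository's alb.tf. It assumes `aws_lb.this["outer"]` from the scan output, an ACM certificate `aws_acm_certificate.alb` in the load balancer's region, and a REGIONAL web ACL `aws_wafv2_web_acl.regional`; the certificate and that ACL are assumptions.

```hcl
# Added example, not the repository's alb.tf.

# CKV2_AWS_20: port 80 answers only with a permanent redirect to HTTPS.
resource "aws_lb_listener" "outer_http" {
  load_balancer_arn = aws_lb.this["outer"].arn
  port              = 80
  protocol          = "HTTP"

  default_action {
    type = "redirect"
    redirect {
      port        = "443"
      protocol    = "HTTPS"
      status_code = "HTTP_301"
    }
  }
}

# CKV_AWS_103: the security policy sets the minimum TLS version; this predefined
# policy negotiates TLS 1.2 and 1.3 only.
resource "aws_lb_listener" "outer_https" {
  load_balancer_arn = aws_lb.this["outer"].arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = aws_acm_certificate.alb.arn # assumed, validated ACM certificate

  default_action {
    type = "fixed-response"
    fixed_response {
      content_type = "text/plain"
      message_body = "No targets are responding to this request"
      status_code  = "502"
    }
  }
}

# CKV2_AWS_28: a load balancer can only be associated with a web ACL whose scope is
# "REGIONAL". The ACL attached to CloudFront is CLOUDFRONT-scoped and the API rejects
# it here, so a second ACL with the same rules and scope = "REGIONAL" is needed.
resource "aws_wafv2_web_acl_association" "outer" {
  resource_arn = aws_lb.this["outer"].arn
  web_acl_arn  = aws_wafv2_web_acl.regional.arn # assumed REGIONAL ACL
}
```

CKV_AWS_103 also fires on `aws_lb_listener.inner` because it is plain HTTP on port 80. That listener sits on the internal ALB, so the traffic never leaves the VPC; either terminate TLS there too with a certificate for an internal hostname, or record the decision with a `#checkov:skip=CKV_AWS_103:<reason>` comment inside the resource so the scanner stops reporting it. With CloudFront in front, the redirect on port 80 only matters if clients can reach the ALB directly; restricting the outer ALB security group to the CloudFront origin-facing prefix list closes that path.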
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: aws_s3_bucket.this["backup"]
File: /s3.tf:9-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
9 | resource "aws_s3_bucket" "this" {
10 | for_each = var.s3
11 | bucket = "${local.project}-${random_string.s3[each.key].id}-${each.key}"
12 | force_destroy = true
13 | tags = {
14 | Name = "${local.project}-${random_string.s3[each.key].id}-${each.key}"
15 | }
16 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: aws_s3_bucket.this["media"]
File: /s3.tf:9-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
9 | resource "aws_s3_bucket" "this" {
10 | for_each = var.s3
11 | bucket = "${local.project}-${random_string.s3[each.key].id}-${each.key}"
12 | force_destroy = true
13 | tags = {
14 | Name = "${local.project}-${random_string.s3[each.key].id}-${each.key}"
15 | }
16 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: aws_s3_bucket.this["state"]
File: /s3.tf:9-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
9 | resource "aws_s3_bucket" "this" {
10 | for_each = var.s3
11 | bucket = "${local.project}-${random_string.s3[each.key].id}-${each.key}"
12 | force_destroy = true
13 | tags = {
14 | Name = "${local.project}-${random_string.s3[each.key].id}-${each.key}"
15 | }
16 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: aws_s3_bucket.this["system"]
File: /s3.tf:9-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
9 | resource "aws_s3_bucket" "this" {
10 | for_each = var.s3
11 | bucket = "${local.project}-${random_string.s3[each.key].id}-${each.key}"
12 | force_destroy = true
13 | tags = {
14 | Name = "${local.project}-${random_string.s3[each.key].id}-${each.key}"
15 | }
16 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.cloudwatch_agent_config["admin"]
File: /ssm_cwa_config.tf:9-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.env
File: /ssm_env_variables.tf:9-77
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.cloudwatch_agent_config["frontend"]
File: /ssm_cwa_config.tf:9-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.cloudwatch_agent_config["varnish"]
File: /ssm_cwa_config.tf:9-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
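The CKV_AWS_337 and CKV2_AWS_34 findings on `aws_ssm_parameter.env` and the three `cloudwatch_agent_config` parameters, and the `aws_sns_topic.default` resource at the top of this section (its check header falls above this excerpt; the linked general-15 guide is the SNS topic encryption policy), all come down to one customer-managed KMS key. The block below is an added example, not the repository's code. It rewrites the `env` parameter and the SNS topic around such a key and grants the instance role the decrypt permission it needs. `local.project` is from the scan output; the instance role `aws_iam_role.ec2`, the map variable `var.env` and the parameter path are assumptions.

```hcl
# Added example, not the repository's code.
data "aws_caller_identity" "current" {}

# Key policy. The second statement is the one people forget: a CloudWatch alarm
# cannot publish to a CMK-encrypted topic unless cloudwatch.amazonaws.com may
# generate data keys with it, and the failure is silent (no mail, no error in Terraform).
data "aws_iam_policy_document" "cmk" {
  statement {
    sid       = "AccountAdmin"
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
  }
  statement {
    sid       = "CloudWatchAlarmsToSns"
    actions   = ["kms:GenerateDataKey*", "kms:Decrypt"]
    resources = ["*"]
    principals {
      type        = "Service"
      identifiers = ["cloudwatch.amazonaws.com"]
    }
  }
}

resource "aws_kms_key" "cmk" {
  description             = "${local.project} SSM parameters and SNS alerts"
  enable_key_rotation     = true
  deletion_window_in_days = 30
  policy                  = data.aws_iam_policy_document.cmk.json
}

resource "aws_kms_alias" "cmk" {
  name          = "alias/${local.project}-cmk"
  target_key_id = aws_kms_key.cmk.key_id
}

resource "aws_sns_topic" "default" {
  name              = "${local.project}-email-alerts"
  kms_master_key_id = aws_kms_key.cmk.arn
}

# CKV2_AWS_34 wants SecureString; CKV_AWS_337 wants key_id to be a customer-managed
# key rather than the account default alias/aws/ssm. The env parameter is the one
# that normally carries database and cache credentials, so fix it first.
resource "aws_ssm_parameter" "env" {
  name   = "/${local.project}/env" # assumed path
  type   = "SecureString"
  key_id = aws_kms_key.cmk.arn
  value  = jsonencode(var.env) # assumed map variable
}

# Readers of a SecureString need kms:Decrypt on the key as well as ssm:GetParameter;
# without it GetParameter with WithDecryption=true fails with AccessDeniedException.
data "aws_iam_policy_document" "read_env" {
  statement {
    actions   = ["ssm:GetParameter", "ssm:GetParameters"]
    resources = [aws_ssm_parameter.env.arn]
  }
  statement {
    actions   = ["kms:Decrypt"]
    resources = [aws_kms_key.cmk.arn]
  }
}

resource "aws_iam_role_policy" "read_env" {
  name   = "${local.project}-read-env"
  role   = aws_iam_role.ec2.id # assumed instance role
  policy = data.aws_iam_policy_document.read_env.json
}
```

Apply the same `type`/`key_id` pair to the three `cloudwatch_agent_config` parameters; their content is agent configuration rather than a secret, so that change is about closing the finding consistently, not about protecting data. Encryption in Parameter Store does not change what ends up in the Terraform state file: the parameter value is stored there in clear text, which is one more reason the `state` bucket needs versioning and a tight bucket policy.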
Check: CKV2_AWS_48: "Ensure AWS Config must record all possible resources"
FAILED for resource: aws_config_configuration_recorder.this
File: /aws_config.tf:31-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-config-must-record-all-possible-resources.html
31 | resource "aws_config_configuration_recorder" "this" {
32 | name = "${local.project}-recorder"
33 | role_arn = aws_iam_role.config.arn
34 | }
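CKV2_AWS_48 is satisfied by a `recording_group` block on the recorder shown above. The block below is an added example, not the repository's aws_config.tf; the name and role are copied from the scan output and nothing else is assumed.

```hcl
# Added example, not the repository's aws_config.tf.
resource "aws_config_configuration_recorder" "this" {
  name     = "${local.project}-recorder"
  role_arn = aws_iam_role.config.arn

  # CKV2_AWS_48: record every supported resource type, including global ones such
  # as IAM roles and CloudFront distributions. Record global types from one region
  # only; enabling this in every region records and bills each IAM item once per region.
  recording_group {
    all_supported                 = true
    include_global_resource_types = true
  }
}
```

The recorder only records once `aws_config_configuration_recorder_status` sets `is_enabled = true` and a delivery channel exists; with `all_supported` on, expect the configuration-item count (and the Config bill) to rise with every scaling event on the autoscaling groups.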
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.this["backup"]
File: /s3.tf:9-16
9 | resource "aws_s3_bucket" "this" {
10 | for_each = var.s3
11 | bucket = "${local.project}-${random_string.s3[each.key].id}-${each.key}"
12 | force_destroy = true
13 | tags = {
14 | Name = "${local.project}-${random_string.s3[each.key].id}-${each.key}"
15 | }
16 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.this["media"]
File: /s3.tf:9-16
9 | resource "aws_s3_bucket" "this" {
10 | for_each = var.s3
11 | bucket = "${local.project}-${random_string.s3[each.key].id}-${each.key}"
12 | force_destroy = true
13 | tags = {
14 | Name = "${local.project}-${random_string.s3[each.key].id}-${each.key}"
15 | }
16 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.this["state"]
File: /s3.tf:9-16
9 | resource "aws_s3_bucket" "this" {
10 | for_each = var.s3
11 | bucket = "${local.project}-${random_string.s3[each.key].id}-${each.key}"
12 | force_destroy = true
13 | tags = {
14 | Name = "${local.project}-${random_string.s3[each.key].id}-${each.key}"
15 | }
16 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.this["system"]
File: /s3.tf:9-16
9 | resource "aws_s3_bucket" "this" {
10 | for_each = var.s3
11 | bucket = "${local.project}-${random_string.s3[each.key].id}-${each.key}"
12 | force_destroy = true
13 | tags = {
14 | Name = "${local.project}-${random_string.s3[each.key].id}-${each.key}"
15 | }
16 | }
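The four S3 findings on `aws_s3_bucket.this` (CKV_AWS_21 versioning, CKV2_AWS_61 lifecycle, CKV2_AWS_62 event notifications, CKV_AWS_144 cross-region replication) are all separate resources that attach to the bucket, so the bucket definition from the scan output can stay as it is. The block below is an added example, not the repository's s3.tf. It assumes `var.s3`, `local.project` and `aws_s3_bucket.this` exactly as shown above; the replica region, the retention periods and the decision to replicate only the `backup` bucket are assumptions.

```hcl
# Added example, not the repository's s3.tf.

# CKV_AWS_21: versioning on every bucket. On "state" it is what lets you roll back a
# corrupted state file. force_destroy = true on the bucket still deletes all versions.
resource "aws_s3_bucket_versioning" "this" {
  for_each = aws_s3_bucket.this
  bucket   = each.value.id
  versioning_configuration {
    status = "Enabled"
  }
}

# CKV2_AWS_61: with versioning on and no lifecycle rule the bucket grows without bound.
resource "aws_s3_bucket_lifecycle_configuration" "this" {
  for_each   = aws_s3_bucket.this
  bucket     = each.value.id
  depends_on = [aws_s3_bucket_versioning.this]
  rule {
    id     = "housekeeping"
    status = "Enabled"
    filter {}
    abort_incomplete_multipart_upload {
      days_after_initiation = 7
    }
    noncurrent_version_expiration {
      noncurrent_days = 90
    }
  }
}

# CKV2_AWS_62: publish object events to EventBridge. Unlike an SNS or SQS target this
# needs no destination policy, and consumers can be added later without touching the bucket.
resource "aws_s3_bucket_notification" "this" {
  for_each    = aws_s3_bucket.this
  bucket      = each.value.id
  eventbridge = true
}

# CKV_AWS_144: replicate "backup" to a second region. Apply the same to "media" if
# product images live nowhere else. Both sides must have versioning enabled.
provider "aws" {
  alias  = "replica"
  region = "eu-west-1" # assumed target region
}

resource "aws_s3_bucket" "backup_replica" {
  provider = aws.replica
  bucket   = "${aws_s3_bucket.this["backup"].bucket}-replica"
}

resource "aws_s3_bucket_versioning" "backup_replica" {
  provider = aws.replica
  bucket   = aws_s3_bucket.backup_replica.id
  versioning_configuration {
    status = "Enabled"
  }
}

resource "aws_iam_role" "replication" {
  name = "${local.project}-s3-replication"
  assume_role_policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{ Effect = "Allow", Action = "sts:AssumeRole", Principal = { Service = "s3.amazonaws.com" } }]
  })
}

# Least privilege for the replication role: read on the source, replicate on the target.
resource "aws_iam_role_policy" "replication" {
  role = aws_iam_role.replication.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      { Effect = "Allow", Action = ["s3:GetReplicationConfiguration", "s3:ListBucket"], Resource = aws_s3_bucket.this["backup"].arn },
      { Effect = "Allow", Action = ["s3:GetObjectVersionForReplication", "s3:GetObjectVersionAcl", "s3:GetObjectVersionTagging"], Resource = "${aws_s3_bucket.this["backup"].arn}/*" },
      { Effect = "Allow", Action = ["s3:ReplicateObject", "s3:ReplicateDelete", "s3:ReplicateTags"], Resource = "${aws_s3_bucket.backup_replica.arn}/*" }
    ]
  })
}

resource "aws_s3_bucket_replication_configuration" "backup" {
  depends_on = [aws_s3_bucket_versioning.this, aws_s3_bucket_versioning.backup_replica]
  bucket     = aws_s3_bucket.this["backup"].id
  role       = aws_iam_role.replication.arn
  rule {
    id     = "backup-to-replica"
    status = "Enabled"
    filter {}
    delete_marker_replication {
      status = "Disabled" # deletions at the source do not propagate, which is the point of a backup copy
    }
    destination {
      bucket        = aws_s3_bucket.backup_replica.arn
      storage_class = "STANDARD_IA"
    }
  }
}
```

Replication is not retroactive: objects that already exist when the rule is created are not copied unless an S3 Batch Replication job is run for them. After applying, `checkov -d . --check CKV_AWS_21,CKV2_AWS_61,CKV2_AWS_62,CKV_AWS_144` confirms the four findings are closed for the buckets covered; CKV_AWS_144 will still report the buckets without a replication configuration, which is a decision to document rather than a defect.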
Check: CKV2_AWS_37: "Ensure Codecommit associates an approval rule"
FAILED for resource: aws_codecommit_repository.app
File: /codecommit.tf:9-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-codecommit-is-associated-with-an-approval-rule.html
9 | resource "aws_codecommit_repository" "app" {
10 | repository_name = var.app["domain"]
11 | description = "Magento 2.x code for ${local.project}"
12 | tags = {
13 | Name = "${local.project}"
14 | }
15 | provisioner "local-exec" {
16 | interpreter = ["/bin/bash", "-c"]
17 | command = <
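CKV2_AWS_37 asks for an approval rule on the repository, which matters here because this repository is the source the cluster deploys from. The block below is an added example, not the repository's codecommit.tf. It assumes `aws_codecommit_repository.app` as shown above, an IAM role named `CodeCommitReviewer` whose sessions may approve, a branch `main`, and an IAM group `aws_iam_group.developers` for the push restriction; the role name, branch and group are assumptions. Note also that the `local-exec` provisioner in the original resource runs on whichever machine executes `terraform apply`, so its command (cut off in this excerpt) is part of the trust boundary of the operator workstation or CI runner.

```hcl
# Added example, not the repository's codecommit.tf.
data "aws_caller_identity" "current" {}

# CKV2_AWS_37: one approval from the reviewer role before a pull request into main
# can be merged. Pool members are session ARNs, hence the assumed-role/<role>/* form.
resource "aws_codecommit_approval_rule_template" "main" {
  name        = "${var.app["domain"]}-main-requires-review"
  description = "One approval from the reviewer role before merging into main"

  content = jsonencode({
    Version               = "2018-11-08"
    DestinationReferences = ["refs/heads/main"]
    Statements = [{
      Type                    = "Approvers"
      NumberOfApprovalsNeeded = 1
      ApprovalPoolMembers = [
        "arn:aws:sts::${data.aws_caller_identity.current.account_id}:assumed-role/CodeCommitReviewer/*"
      ]
    }]
  })
}

resource "aws_codecommit_approval_rule_template_association" "main" {
  approval_rule_template_name = aws_codecommit_approval_rule_template.main.name
  repository_name             = aws_codecommit_repository.app.repository_name
}

# Approval rules only gate merges made through pull requests. A plain `git push` to
# main bypasses them, so deny pushes and direct merges to that ref at the IAM layer
# for the developer group. The Null condition keeps API calls that carry no reference
# (clone, fetch) working.
data "aws_iam_policy_document" "protect_main" {
  statement {
    effect = "Deny"
    actions = [
      "codecommit:GitPush",
      "codecommit:DeleteBranch",
      "codecommit:PutFile",
      "codecommit:MergeBranchesByFastForward",
      "codecommit:MergeBranchesBySquash",
      "codecommit:MergeBranchesByThreeWay",
    ]
    resources = [aws_codecommit_repository.app.arn]
    condition {
      test     = "StringEqualsIfExists"
      variable = "codecommit:References"
      values   = ["refs/heads/main"]
    }
    condition {
      test     = "Null"
      variable = "codecommit:References"
      values   = ["false"]
    }
  }
}

resource "aws_iam_policy" "protect_main" {
  name   = "${var.app["domain"]}-protect-main"
  policy = data.aws_iam_policy_document.protect_main.json
}

resource "aws_iam_group_policy_attachment" "protect_main" {
  group      = aws_iam_group.developers.name # assumed group
  policy_arn = aws_iam_policy.protect_main.arn
}
```

Whoever holds `CodeCommitReviewer` can still push to `main` directly, so keep that role's membership short and audited; the approval rule and the deny policy together only guarantee that two identities are involved in a change to the deployed branch.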
Linting
This repository failed the Experience Builder Terraform Module's Linting validation.
This means that a linting tool was not found to be implemented in any of the CICD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform linting tools