| Repository | nozaq / terraform-aws-secure-baseline |
|---|---|
| Description | Terraform module to set up your AWS account with the secure baseline configuration based on CIS Amazon Web Services Foundations and AWS Foundational Security Best Practices. |
| Stars | 1070 |
| Failed Checks | Security Scanning |
| Scan Date | 2023-10-30 17:57:40 |
Security Scanning
This repository failed the Experience Builder Terraform Module's Security Scanning validation. This means that no security scanning tool was found to be configured in any of the CI/CD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform security scanning tools (example checkov output found below)
- Implement one of the security scanning tools within the CI/CD framework used by the repository
Checkov Output
terraform scan results:
Passed checks: 376, Failed checks: 44, Skipped checks: 0
Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
FAILED for resource: aws_iam_user.admin
File: /examples/external-bucket/main.tf:19-21
19 | resource "aws_iam_user" "admin" {
20 | name = "admin"
21 | }
Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
FAILED for resource: aws_iam_user.admin
File: /examples/organization/master/main.tf:19-21
19 | resource "aws_iam_user" "admin" {
20 | name = "admin"
21 | }
Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
FAILED for resource: aws_iam_user.admin
File: /examples/organization/member/main.tf:19-21
19 | resource "aws_iam_user" "admin" {
20 | name = "admin"
21 | }
Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
FAILED for resource: aws_iam_user.admin
File: /examples/select-region/main.tf:19-21
19 | resource "aws_iam_user" "admin" {
20 | name = "admin"
21 | }
Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
FAILED for resource: aws_iam_user.admin
File: /examples/simple/main.tf:19-21
19 | resource "aws_iam_user" "admin" {
20 | name = "admin"
21 | }
Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
FAILED for resource: module.secure_baseline.module.audit_log_bucket.aws_s3_bucket_lifecycle_configuration.access_log[0]
File: /modules/secure-bucket/main.tf:43-59
Calling File: /bucket.tf:33-46
43 | resource "aws_s3_bucket_lifecycle_configuration" "access_log" {
44 | count = var.lifecycle_glacier_transition_days > 0 ? 1 : 0
45 |
46 | bucket = aws_s3_bucket.access_log.id
47 |
48 | rule {
49 | id = "auto-archive"
50 | status = "Enabled"
51 |
52 | filter {}
53 |
54 | transition {
55 | days = var.lifecycle_glacier_transition_days
56 | storage_class = "GLACIER"
57 | }
58 | }
59 | }
Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
FAILED for resource: module.secure_baseline.module.audit_log_bucket.aws_s3_bucket_lifecycle_configuration.content[0]
File: /modules/secure-bucket/main.tf:112-133
Calling File: /bucket.tf:33-46
112 | resource "aws_s3_bucket_lifecycle_configuration" "content" {
113 | count = var.lifecycle_glacier_transition_days > 0 ? 1 : 0
114 |
115 | bucket = aws_s3_bucket.content.id
116 |
117 | rule {
118 | id = "auto-archive"
119 | status = "Enabled"
120 |
121 | filter {}
122 |
123 | transition {
124 | days = var.lifecycle_glacier_transition_days
125 | storage_class = "GLACIER"
126 | }
127 |
128 | noncurrent_version_transition {
129 | noncurrent_days = var.lifecycle_glacier_transition_days
130 | storage_class = "GLACIER"
131 | }
132 | }
133 | }
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: module.secure_baseline.aws_iam_policy_document.flow_logs_publish_policy
File: /vpc_baselines.tf:37-50
Calling File: /examples/select-region/main.tf:23-59
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html
37 | data "aws_iam_policy_document" "flow_logs_publish_policy" {
38 | count = local.flow_logs_to_cw_logs ? 1 : 0
39 |
40 | statement {
41 | actions = [
42 | "logs:CreateLogGroup",
43 | "logs:CreateLogStream",
44 | "logs:PutLogEvents",
45 | "logs:DescribeLogGroups",
46 | "logs:DescribeLogStreams"
47 | ]
48 | resources = ["*"]
49 | }
50 | }
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: module.secure_baseline.aws_iam_policy_document.flow_logs_publish_policy
File: /vpc_baselines.tf:37-50
Calling File: /examples/select-region/main.tf:23-59
37 | data "aws_iam_policy_document" "flow_logs_publish_policy" {
38 | count = local.flow_logs_to_cw_logs ? 1 : 0
39 |
40 | statement {
41 | actions = [
42 | "logs:CreateLogGroup",
43 | "logs:CreateLogStream",
44 | "logs:PutLogEvents",
45 | "logs:DescribeLogGroups",
46 | "logs:DescribeLogStreams"
47 | ]
48 | resources = ["*"]
49 | }
50 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.logs
File: /examples/external-bucket/bucket.tf:1-4
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
1 | resource "aws_s3_bucket" "logs" {
2 | bucket = var.audit_s3_bucket_name
3 | force_destroy = true
4 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: module.secure_baseline.module.audit_log_bucket.aws_s3_bucket.access_log
File: /modules/secure-bucket/main.tf:21-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
21 | resource "aws_s3_bucket" "access_log" {
22 | bucket = var.log_bucket_name
23 | force_destroy = var.force_destroy
24 |
25 | tags = var.tags
26 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: module.secure_baseline.module.audit_log_bucket.aws_s3_bucket.content
File: /modules/secure-bucket/main.tf:78-87
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
78 | resource "aws_s3_bucket" "content" {
79 | bucket = var.bucket_name
80 | force_destroy = var.force_destroy
81 |
82 | tags = var.tags
83 |
84 | depends_on = [
85 | aws_s3_bucket_public_access_block.access_log
86 | ]
87 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: module.secure_baseline.module.audit_log_bucket[0].aws_s3_bucket.access_log
File: /modules/secure-bucket/main.tf:21-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
21 | resource "aws_s3_bucket" "access_log" {
22 | bucket = var.log_bucket_name
23 | force_destroy = var.force_destroy
24 |
25 | tags = var.tags
26 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: module.secure_baseline.module.audit_log_bucket[0].aws_s3_bucket.content
File: /modules/secure-bucket/main.tf:78-87
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
78 | resource "aws_s3_bucket" "content" {
79 | bucket = var.bucket_name
80 | force_destroy = var.force_destroy
81 |
82 | tags = var.tags
83 |
84 | depends_on = [
85 | aws_s3_bucket_public_access_block.access_log
86 | ]
87 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.logs
File: /examples/external-bucket/bucket.tf:1-4
1 | resource "aws_s3_bucket" "logs" {
2 | bucket = var.audit_s3_bucket_name
3 | force_destroy = true
4 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: module.secure_baseline.module.audit_log_bucket.aws_s3_bucket.access_log
File: /modules/secure-bucket/main.tf:21-26
21 | resource "aws_s3_bucket" "access_log" {
22 | bucket = var.log_bucket_name
23 | force_destroy = var.force_destroy
24 |
25 | tags = var.tags
26 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: module.secure_baseline.module.audit_log_bucket.aws_s3_bucket.content
File: /modules/secure-bucket/main.tf:78-87
78 | resource "aws_s3_bucket" "content" {
79 | bucket = var.bucket_name
80 | force_destroy = var.force_destroy
81 |
82 | tags = var.tags
83 |
84 | depends_on = [
85 | aws_s3_bucket_public_access_block.access_log
86 | ]
87 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: module.secure_baseline.module.audit_log_bucket[0].aws_s3_bucket.access_log
File: /modules/secure-bucket/main.tf:21-26
21 | resource "aws_s3_bucket" "access_log" {
22 | bucket = var.log_bucket_name
23 | force_destroy = var.force_destroy
24 |
25 | tags = var.tags
26 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: module.secure_baseline.module.audit_log_bucket[0].aws_s3_bucket.content
File: /modules/secure-bucket/main.tf:78-87
78 | resource "aws_s3_bucket" "content" {
79 | bucket = var.bucket_name
80 | force_destroy = var.force_destroy
81 |
82 | tags = var.tags
83 |
84 | depends_on = [
85 | aws_s3_bucket_public_access_block.access_log
86 | ]
87 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: module.secure_baseline.module.audit_log_bucket.aws_s3_bucket.access_log
File: /modules/secure-bucket/main.tf:21-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
21 | resource "aws_s3_bucket" "access_log" {
22 | bucket = var.log_bucket_name
23 | force_destroy = var.force_destroy
24 |
25 | tags = var.tags
26 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: module.secure_baseline.module.audit_log_bucket[0].aws_s3_bucket.access_log
File: /modules/secure-bucket/main.tf:21-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
21 | resource "aws_s3_bucket" "access_log" {
22 | bucket = var.log_bucket_name
23 | force_destroy = var.force_destroy
24 |
25 | tags = var.tags
26 | }
Check: CKV2_AWS_3: "Ensure GuardDuty is enabled to specific org/region"
FAILED for resource: module.secure_baseline.module.guardduty_baseline_ap-northeast-1[0].aws_guardduty_detector.default
File: /modules/guardduty-baseline/main.tf:1-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-guardduty-is-enabled-to-specific-orgregion.html
1 | resource "aws_guardduty_detector" "default" {
2 | enable = true
3 | finding_publishing_frequency = var.finding_publishing_frequency
4 |
5 | # datasources can't be individually managed in each member account.
6 | dynamic "datasources" {
7 | for_each = var.master_account_id == "" ? [var.master_account_id] : []
8 |
9 | content {
10 | s3_logs {
11 | enable = true
12 | }
13 | }
14 | }
15 |
16 | tags = var.tags
17 | }
Check: CKV2_AWS_3: "Ensure GuardDuty is enabled to specific org/region"
FAILED for resource: module.secure_baseline.module.guardduty_baseline_ap-northeast-2[0].aws_guardduty_detector.default
File: /modules/guardduty-baseline/main.tf:1-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-guardduty-is-enabled-to-specific-orgregion.html
1 | resource "aws_guardduty_detector" "default" {
2 | enable = true
3 | finding_publishing_frequency = var.finding_publishing_frequency
4 |
5 | # datasources can't be individually managed in each member account.
6 | dynamic "datasources" {
7 | for_each = var.master_account_id == "" ? [var.master_account_id] : []
8 |
9 | content {
10 | s3_logs {
11 | enable = true
12 | }
13 | }
14 | }
15 |
16 | tags = var.tags
17 | }
Check: CKV2_AWS_3: "Ensure GuardDuty is enabled to specific org/region"
FAILED for resource: module.secure_baseline.module.guardduty_baseline_ap-northeast-3[0].aws_guardduty_detector.default
File: /modules/guardduty-baseline/main.tf:1-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-guardduty-is-enabled-to-specific-orgregion.html
1 | resource "aws_guardduty_detector" "default" {
2 | enable = true
3 | finding_publishing_frequency = var.finding_publishing_frequency
4 |
5 | # datasources can't be individually managed in each member account.
6 | dynamic "datasources" {
7 | for_each = var.master_account_id == "" ? [var.master_account_id] : []
8 |
9 | content {
10 | s3_logs {
11 | enable = true
12 | }
13 | }
14 | }
15 |
16 | tags = var.tags
17 | }
Check: CKV2_AWS_3: "Ensure GuardDuty is enabled to specific org/region"
FAILED for resource: module.secure_baseline.module.guardduty_baseline_ap-south-1[0].aws_guardduty_detector.default
File: /modules/guardduty-baseline/main.tf:1-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-guardduty-is-enabled-to-specific-orgregion.html
1 | resource "aws_guardduty_detector" "default" {
2 | enable = true
3 | finding_publishing_frequency = var.finding_publishing_frequency
4 |
5 | # datasources can't be individually managed in each member account.
6 | dynamic "datasources" {
7 | for_each = var.master_account_id == "" ? [var.master_account_id] : []
8 |
9 | content {
10 | s3_logs {
11 | enable = true
12 | }
13 | }
14 | }
15 |
16 | tags = var.tags
17 | }
Check: CKV2_AWS_3: "Ensure GuardDuty is enabled to specific org/region"
FAILED for resource: module.secure_baseline.module.guardduty_baseline_ap-southeast-1[0].aws_guardduty_detector.default
File: /modules/guardduty-baseline/main.tf:1-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-guardduty-is-enabled-to-specific-orgregion.html
1 | resource "aws_guardduty_detector" "default" {
2 | enable = true
3 | finding_publishing_frequency = var.finding_publishing_frequency
4 |
5 | # datasources can't be individually managed in each member account.
6 | dynamic "datasources" {
7 | for_each = var.master_account_id == "" ? [var.master_account_id] : []
8 |
9 | content {
10 | s3_logs {
11 | enable = true
12 | }
13 | }
14 | }
15 |
16 | tags = var.tags
17 | }
Check: CKV2_AWS_3: "Ensure GuardDuty is enabled to specific org/region"
FAILED for resource: module.secure_baseline.module.guardduty_baseline_ap-southeast-2[0].aws_guardduty_detector.default
File: /modules/guardduty-baseline/main.tf:1-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-guardduty-is-enabled-to-specific-orgregion.html
1 | resource "aws_guardduty_detector" "default" {
2 | enable = true
3 | finding_publishing_frequency = var.finding_publishing_frequency
4 |
5 | # datasources can't be individually managed in each member account.
6 | dynamic "datasources" {
7 | for_each = var.master_account_id == "" ? [var.master_account_id] : []
8 |
9 | content {
10 | s3_logs {
11 | enable = true
12 | }
13 | }
14 | }
15 |
16 | tags = var.tags
17 | }
Check: CKV2_AWS_3: "Ensure GuardDuty is enabled to specific org/region"
FAILED for resource: module.secure_baseline.module.guardduty_baseline_ca-central-1[0].aws_guardduty_detector.default
File: /modules/guardduty-baseline/main.tf:1-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-guardduty-is-enabled-to-specific-orgregion.html
1 | resource "aws_guardduty_detector" "default" {
2 | enable = true
3 | finding_publishing_frequency = var.finding_publishing_frequency
4 |
5 | # datasources can't be individually managed in each member account.
6 | dynamic "datasources" {
7 | for_each = var.master_account_id == "" ? [var.master_account_id] : []
8 |
9 | content {
10 | s3_logs {
11 | enable = true
12 | }
13 | }
14 | }
15 |
16 | tags = var.tags
17 | }
Check: CKV2_AWS_3: "Ensure GuardDuty is enabled to specific org/region"
FAILED for resource: module.secure_baseline.module.guardduty_baseline_eu-central-1[0].aws_guardduty_detector.default
File: /modules/guardduty-baseline/main.tf:1-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-guardduty-is-enabled-to-specific-orgregion.html
1 | resource "aws_guardduty_detector" "default" {
2 | enable = true
3 | finding_publishing_frequency = var.finding_publishing_frequency
4 |
5 | # datasources can't be individually managed in each member account.
6 | dynamic "datasources" {
7 | for_each = var.master_account_id == "" ? [var.master_account_id] : []
8 |
9 | content {
10 | s3_logs {
11 | enable = true
12 | }
13 | }
14 | }
15 |
16 | tags = var.tags
17 | }
Check: CKV2_AWS_3: "Ensure GuardDuty is enabled to specific org/region"
FAILED for resource: module.secure_baseline.module.guardduty_baseline_eu-north-1[0].aws_guardduty_detector.default
File: /modules/guardduty-baseline/main.tf:1-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-guardduty-is-enabled-to-specific-orgregion.html
1 | resource "aws_guardduty_detector" "default" {
2 | enable = true
3 | finding_publishing_frequency = var.finding_publishing_frequency
4 |
5 | # datasources can't be individually managed in each member account.
6 | dynamic "datasources" {
7 | for_each = var.master_account_id == "" ? [var.master_account_id] : []
8 |
9 | content {
10 | s3_logs {
11 | enable = true
12 | }
13 | }
14 | }
15 |
16 | tags = var.tags
17 | }
Check: CKV2_AWS_3: "Ensure GuardDuty is enabled to specific org/region"
FAILED for resource: module.secure_baseline.module.guardduty_baseline_eu-west-1[0].aws_guardduty_detector.default
File: /modules/guardduty-baseline/main.tf:1-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-guardduty-is-enabled-to-specific-orgregion.html
1 | resource "aws_guardduty_detector" "default" {
2 | enable = true
3 | finding_publishing_frequency = var.finding_publishing_frequency
4 |
5 | # datasources can't be individually managed in each member account.
6 | dynamic "datasources" {
7 | for_each = var.master_account_id == "" ? [var.master_account_id] : []
8 |
9 | content {
10 | s3_logs {
11 | enable = true
12 | }
13 | }
14 | }
15 |
16 | tags = var.tags
17 | }
Check: CKV2_AWS_3: "Ensure GuardDuty is enabled to specific org/region"
FAILED for resource: module.secure_baseline.module.guardduty_baseline_eu-west-2[0].aws_guardduty_detector.default
File: /modules/guardduty-baseline/main.tf:1-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-guardduty-is-enabled-to-specific-orgregion.html
1 | resource "aws_guardduty_detector" "default" {
2 | enable = true
3 | finding_publishing_frequency = var.finding_publishing_frequency
4 |
5 | # datasources can't be individually managed in each member account.
6 | dynamic "datasources" {
7 | for_each = var.master_account_id == "" ? [var.master_account_id] : []
8 |
9 | content {
10 | s3_logs {
11 | enable = true
12 | }
13 | }
14 | }
15 |
16 | tags = var.tags
17 | }
Check: CKV2_AWS_3: "Ensure GuardDuty is enabled to specific org/region"
FAILED for resource: module.secure_baseline.module.guardduty_baseline_eu-west-3[0].aws_guardduty_detector.default
File: /modules/guardduty-baseline/main.tf:1-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-guardduty-is-enabled-to-specific-orgregion.html
1 | resource "aws_guardduty_detector" "default" {
2 | enable = true
3 | finding_publishing_frequency = var.finding_publishing_frequency
4 |
5 | # datasources can't be individually managed in each member account.
6 | dynamic "datasources" {
7 | for_each = var.master_account_id == "" ? [var.master_account_id] : []
8 |
9 | content {
10 | s3_logs {
11 | enable = true
12 | }
13 | }
14 | }
15 |
16 | tags = var.tags
17 | }
Check: CKV2_AWS_3: "Ensure GuardDuty is enabled to specific org/region"
FAILED for resource: module.secure_baseline.module.guardduty_baseline_sa-east-1[0].aws_guardduty_detector.default
File: /modules/guardduty-baseline/main.tf:1-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-guardduty-is-enabled-to-specific-orgregion.html
1 | resource "aws_guardduty_detector" "default" {
2 | enable = true
3 | finding_publishing_frequency = var.finding_publishing_frequency
4 |
5 | # datasources can't be individually managed in each member account.
6 | dynamic "datasources" {
7 | for_each = var.master_account_id == "" ? [var.master_account_id] : []
8 |
9 | content {
10 | s3_logs {
11 | enable = true
12 | }
13 | }
14 | }
15 |
16 | tags = var.tags
17 | }
Check: CKV2_AWS_3: "Ensure GuardDuty is enabled to specific org/region"
FAILED for resource: module.secure_baseline.module.guardduty_baseline_us-east-1[0].aws_guardduty_detector.default
File: /modules/guardduty-baseline/main.tf:1-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-guardduty-is-enabled-to-specific-orgregion.html
1 | resource "aws_guardduty_detector" "default" {
2 | enable = true
3 | finding_publishing_frequency = var.finding_publishing_frequency
4 |
5 | # datasources can't be individually managed in each member account.
6 | dynamic "datasources" {
7 | for_each = var.master_account_id == "" ? [var.master_account_id] : []
8 |
9 | content {
10 | s3_logs {
11 | enable = true
12 | }
13 | }
14 | }
15 |
16 | tags = var.tags
17 | }
Check: CKV2_AWS_3: "Ensure GuardDuty is enabled to specific org/region"
FAILED for resource: module.secure_baseline.module.guardduty_baseline_us-east-2[0].aws_guardduty_detector.default
File: /modules/guardduty-baseline/main.tf:1-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-guardduty-is-enabled-to-specific-orgregion.html
1 | resource "aws_guardduty_detector" "default" {
2 | enable = true
3 | finding_publishing_frequency = var.finding_publishing_frequency
4 |
5 | # datasources can't be individually managed in each member account.
6 | dynamic "datasources" {
7 | for_each = var.master_account_id == "" ? [var.master_account_id] : []
8 |
9 | content {
10 | s3_logs {
11 | enable = true
12 | }
13 | }
14 | }
15 |
16 | tags = var.tags
17 | }
Check: CKV2_AWS_3: "Ensure GuardDuty is enabled to specific org/region"
FAILED for resource: module.secure_baseline.module.guardduty_baseline_us-west-1[0].aws_guardduty_detector.default
File: /modules/guardduty-baseline/main.tf:1-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-guardduty-is-enabled-to-specific-orgregion.html
1 | resource "aws_guardduty_detector" "default" {
2 | enable = true
3 | finding_publishing_frequency = var.finding_publishing_frequency
4 |
5 | # datasources can't be individually managed in each member account.
6 | dynamic "datasources" {
7 | for_each = var.master_account_id == "" ? [var.master_account_id] : []
8 |
9 | content {
10 | s3_logs {
11 | enable = true
12 | }
13 | }
14 | }
15 |
16 | tags = var.tags
17 | }
Check: CKV2_AWS_3: "Ensure GuardDuty is enabled to specific org/region"
FAILED for resource: module.secure_baseline.module.guardduty_baseline_us-west-2[0].aws_guardduty_detector.default
File: /modules/guardduty-baseline/main.tf:1-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-guardduty-is-enabled-to-specific-orgregion.html
1 | resource "aws_guardduty_detector" "default" {
2 | enable = true
3 | finding_publishing_frequency = var.finding_publishing_frequency
4 |
5 | # datasources can't be individually managed in each member account.
6 | dynamic "datasources" {
7 | for_each = var.master_account_id == "" ? [var.master_account_id] : []
8 |
9 | content {
10 | s3_logs {
11 | enable = true
12 | }
13 | }
14 | }
15 |
16 | tags = var.tags
17 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.logs
File: /examples/external-bucket/bucket.tf:1-4
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
1 | resource "aws_s3_bucket" "logs" {
2 | bucket = var.audit_s3_bucket_name
3 | force_destroy = true
4 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: module.secure_baseline.module.audit_log_bucket.aws_s3_bucket.access_log
File: /modules/secure-bucket/main.tf:21-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
21 | resource "aws_s3_bucket" "access_log" {
22 | bucket = var.log_bucket_name
23 | force_destroy = var.force_destroy
24 |
25 | tags = var.tags
26 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: module.secure_baseline.module.audit_log_bucket.aws_s3_bucket.content
File: /modules/secure-bucket/main.tf:78-87
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
78 | resource "aws_s3_bucket" "content" {
79 | bucket = var.bucket_name
80 | force_destroy = var.force_destroy
81 |
82 | tags = var.tags
83 |
84 | depends_on = [
85 | aws_s3_bucket_public_access_block.access_log
86 | ]
87 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: module.secure_baseline.module.audit_log_bucket[0].aws_s3_bucket.access_log
File: /modules/secure-bucket/main.tf:21-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
21 | resource "aws_s3_bucket" "access_log" {
22 | bucket = var.log_bucket_name
23 | force_destroy = var.force_destroy
24 |
25 | tags = var.tags
26 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: module.secure_baseline.module.audit_log_bucket[0].aws_s3_bucket.content
File: /modules/secure-bucket/main.tf:78-87
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
78 | resource "aws_s3_bucket" "content" {
79 | bucket = var.bucket_name
80 | force_destroy = var.force_destroy
81 |
82 | tags = var.tags
83 |
84 | depends_on = [
85 | aws_s3_bucket_public_access_block.access_log
86 | ]
87 | }
Check: CKV2_AWS_10: "Ensure CloudTrail trails are integrated with CloudWatch Logs"
FAILED for resource: module.secure_baseline.module.cloudtrail_baseline[0].aws_cloudtrail.global
File: /modules/cloudtrail-baseline/main.tf:232-277
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-cloudtrail-trails-are-integrated-with-cloudwatch-logs.html
232 | resource "aws_cloudtrail" "global" {
233 | name = var.cloudtrail_name
234 | cloud_watch_logs_group_arn = var.cloudwatch_logs_enabled ? "${aws_cloudwatch_log_group.cloudtrail_events[0].arn}:*" : null
235 | cloud_watch_logs_role_arn = var.cloudwatch_logs_enabled ? aws_iam_role.cloudwatch_delivery[0].arn : null
236 | enable_log_file_validation = true
237 | include_global_service_events = true
238 | is_multi_region_trail = true
239 | is_organization_trail = var.is_organization_trail
240 | kms_key_id = aws_kms_key.cloudtrail.arn
241 | s3_bucket_name = var.s3_bucket_name
242 | s3_key_prefix = var.s3_key_prefix
243 | sns_topic_name = var.cloudtrail_sns_topic_enabled ? aws_sns_topic.cloudtrail-sns-topic[0].arn : null
244 |
245 | event_selector {
246 | read_write_type = "All"
247 | include_management_events = true
248 |
249 | data_resource {
250 | type = "AWS::S3::Object"
251 | values = var.s3_object_level_logging_buckets
252 | }
253 | }
254 |
255 | event_selector {
256 | read_write_type = "All"
257 | include_management_events = true
258 |
259 | data_resource {
260 | type = "AWS::DynamoDB::Table"
261 | values = var.dynamodb_event_logging_tables
262 | }
263 |
264 | data_resource {
265 | type = "AWS::Lambda::Function"
266 | values = var.lambda_invocation_logging_lambdas
267 | }
268 | }
269 |
270 | insight_selector {
271 | insight_type = "ApiCallRateInsight"
272 | }
273 |
274 | tags = var.tags
275 |
276 | depends_on = [var.cloudtrail_depends_on]
277 | }
github_actions scan results:
Passed checks: 46, Failed checks: 2, Skipped checks: 0
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(CI)
File: /.github/workflows/main.yml:0-1
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(release-please)
File: /.github/workflows/release-please.yml:0-1
Linting
This repository failed the Experience Builder Terraform Module's Linting validation. This means that no linting tool was found to be configured in any of the CI/CD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform linting tools