Experience Builder


Terraform

Repository
omerbsezer / Fast-Terraform
Description

This repo covers Terraform (Infrastructure as Code) with LABs using AWS and AWS Sample Projects: Resources, Variables, Meta Arguments, Provisioners, Dynamic Blocks, Modules, Provisioning AWS Resour…

Stars

 203

Failed Checks
  • Security Scanning
  • Linting

Scan Date
  2023-10-30 17:57:40

    Security Scanning

    This repository failed the Experience Builder Terraform Module's Security Scanning validation. This means that no security scanning tool was found to be configured in any of the CI/CD tool configuration files in the repository.

    There is an opportunity to:

    Checkov Output

    2023-10-05 14:51:34,561 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/eks/aws:~>19.12 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:51:34,561 [MainThread  ] [WARNI]  Failed to download module github.com/aws-ia/terraform-aws-eks-blueprints/modules/kubernetes-addons:None (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:51:34,561 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws:~>4.0 (for external modules, the --download-external-modules flag is required)
    terraform scan results:
    
    Passed checks: 291, Failed checks: 273, Skipped checks: 0
    
    Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
    	FAILED for resource: aws_instance.instance
    	File: /labs/backend-remote-state/main.tf:22-29
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
    
    		22 | resource "aws_instance" "instance" {
    		23 |    ami           = "ami-0d1ddd83282187d18" # Ubuntu 22.04 eu-central-1 Frankfurt
    		24 |    instance_type = "t2.nano"
    		25 | 
    		26 |    tags = {
    		27 |       Name = "Basic Instance"
    		28 |    }
    		29 | }
    
    Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
    	FAILED for resource: aws_instance.instance
    	File: /labs/backend-remote-state/main.tf:22-29
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
    
    		22 | resource "aws_instance" "instance" {
    		23 |    ami           = "ami-0d1ddd83282187d18" # Ubuntu 22.04 eu-central-1 Frankfurt
    		24 |    instance_type = "t2.nano"
    		25 | 
    		26 |    tags = {
    		27 |       Name = "Basic Instance"
    		28 |    }
    		29 | }
    
    Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
    	FAILED for resource: aws_instance.instance
    	File: /labs/backend-remote-state/main.tf:22-29
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
    
    		22 | resource "aws_instance" "instance" {
    		23 |    ami           = "ami-0d1ddd83282187d18" # Ubuntu 22.04 eu-central-1 Frankfurt
    		24 |    instance_type = "t2.nano"
    		25 | 
    		26 |    tags = {
    		27 |       Name = "Basic Instance"
    		28 |    }
    		29 | }
    
    Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
    	FAILED for resource: aws_instance.instance
    	File: /labs/backend-remote-state/main.tf:22-29
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
    
    		22 | resource "aws_instance" "instance" {
    		23 |    ami           = "ami-0d1ddd83282187d18" # Ubuntu 22.04 eu-central-1 Frankfurt
    		24 |    instance_type = "t2.nano"
    		25 | 
    		26 |    tags = {
    		27 |       Name = "Basic Instance"
    		28 |    }
    		29 | }
    
    Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
    	FAILED for resource: aws_instance.instance
    	File: /labs/basic-resource-ec2-ubuntu/main.tf:16-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
    
    		16 | resource "aws_instance" "instance" {
    		17 | 	ami           = "ami-0d1ddd83282187d18" # Ubuntu 22.04 eu-central-1 Frankfurt
    		18 | 	instance_type = "t2.nano"
    		19 | 
    		20 | 	tags = {
    		21 | 		Name = "Basic Instance"
    		22 | 	}
    		23 | }
    Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
    	FAILED for resource: aws_instance.instance
    	File: /labs/basic-resource-ec2-ubuntu/main.tf:16-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
    
    		16 | resource "aws_instance" "instance" {
    		17 | 	ami           = "ami-0d1ddd83282187d18" # Ubuntu 22.04 eu-central-1 Frankfurt
    		18 | 	instance_type = "t2.nano"
    		19 | 
    		20 | 	tags = {
    		21 | 		Name = "Basic Instance"
    		22 | 	}
    		23 | }
    Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
    	FAILED for resource: aws_instance.instance
    	File: /labs/basic-resource-ec2-ubuntu/main.tf:16-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
    
    		16 | resource "aws_instance" "instance" {
    		17 | 	ami           = "ami-0d1ddd83282187d18" # Ubuntu 22.04 eu-central-1 Frankfurt
    		18 | 	instance_type = "t2.nano"
    		19 | 
    		20 | 	tags = {
    		21 | 		Name = "Basic Instance"
    		22 | 	}
    		23 | }
    Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
    	FAILED for resource: aws_instance.instance
    	File: /labs/basic-resource-ec2-ubuntu/main.tf:16-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
    
    		16 | resource "aws_instance" "instance" {
    		17 | 	ami           = "ami-0d1ddd83282187d18" # Ubuntu 22.04 eu-central-1 Frankfurt
    		18 | 	instance_type = "t2.nano"
    		19 | 
    		20 | 	tags = {
    		21 | 		Name = "Basic Instance"
    		22 | 	}
    		23 | }
    Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
    	FAILED for resource: aws_instance.instance
    	File: /labs/data-sources/main.tf:16-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
    
    		16 | resource "aws_instance" "instance" {
    		17 | 	ami           = "ami-0d1ddd83282187d18" # Ubuntu 22.04 eu-central-1 Frankfurt
    		18 | 	instance_type = "t2.nano"
    		19 | 
    		20 | 	tags = {
    		21 | 		Name = "Basic Instance"
    		22 | 	}
    		23 | }
    
    Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
    	FAILED for resource: aws_instance.instance
    	File: /labs/data-sources/main.tf:16-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
    
    		16 | resource "aws_instance" "instance" {
    		17 | 	ami           = "ami-0d1ddd83282187d18" # Ubuntu 22.04 eu-central-1 Frankfurt
    		18 | 	instance_type = "t2.nano"
    		19 | 
    		20 | 	tags = {
    		21 | 		Name = "Basic Instance"
    		22 | 	}
    		23 | }
    
    Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
    	FAILED for resource: aws_instance.instance
    	File: /labs/data-sources/main.tf:16-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
    
    		16 | resource "aws_instance" "instance" {
    		17 | 	ami           = "ami-0d1ddd83282187d18" # Ubuntu 22.04 eu-central-1 Frankfurt
    		18 | 	instance_type = "t2.nano"
    		19 | 
    		20 | 	tags = {
    		21 | 		Name = "Basic Instance"
    		22 | 	}
    		23 | }
    
    Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
    	FAILED for resource: aws_instance.instance
    	File: /labs/data-sources/main.tf:16-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
    
    		16 | resource "aws_instance" "instance" {
    		17 | 	ami           = "ami-0d1ddd83282187d18" # Ubuntu 22.04 eu-central-1 Frankfurt
    		18 | 	instance_type = "t2.nano"
    		19 | 
    		20 | 	tags = {
    		21 | 		Name = "Basic Instance"
    		22 | 	}
    		23 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group.main
    	File: /labs/dynamic-blocks/main.tf:70-97
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		70 | resource "aws_security_group" "main" {
    		71 |    name        = "resource_with_dynamic_block"
    		72 |    description = "Allow SSH inbound connections"
    		73 |    vpc_id      =  aws_vpc.my_vpc.id # todo: update it with data.aws_vpc.main.id
    		74 | 
    		75 |    dynamic "ingress" {
    		76 |       for_each = local.ingress_rules
    		77 | 
    		78 |       content {
    		79 |          description = ingress.value.description
    		80 |          from_port   = ingress.value.port
    		81 |          to_port     = ingress.value.port
    		82 |          protocol    = "tcp"
    		83 |          cidr_blocks = ["0.0.0.0/0"]
    		84 |       }
    		85 |    }
    		86 | 
    		87 |    egress {
    		88 |     from_port       = 0
    		89 |     to_port         = 0
    		90 |     protocol        = "-1"
    		91 |     cidr_blocks     = ["0.0.0.0/0"]
    		92 |    }
    		93 | 
    		94 |    tags = {
    		95 |       Name = "AWS security group dynamic block"
    		96 |    }
    		97 | }
    
    Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
    	FAILED for resource: aws_security_group.main
    	File: /labs/dynamic-blocks/main.tf:70-97
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
    
    		70 | resource "aws_security_group" "main" {
    		71 |    name        = "resource_with_dynamic_block"
    		72 |    description = "Allow SSH inbound connections"
    		73 |    vpc_id      =  aws_vpc.my_vpc.id # todo: update it with data.aws_vpc.main.id
    		74 | 
    		75 |    dynamic "ingress" {
    		76 |       for_each = local.ingress_rules
    		77 | 
    		78 |       content {
    		79 |          description = ingress.value.description
    		80 |          from_port   = ingress.value.port
    		81 |          to_port     = ingress.value.port
    		82 |          protocol    = "tcp"
    		83 |          cidr_blocks = ["0.0.0.0/0"]
    		84 |       }
    		85 |    }
    		86 | 
    		87 |    egress {
    		88 |     from_port       = 0
    		89 |     to_port         = 0
    		90 |     protocol        = "-1"
    		91 |     cidr_blocks     = ["0.0.0.0/0"]
    		92 |    }
    		93 | 
    		94 |    tags = {
    		95 |       Name = "AWS security group dynamic block"
    		96 |    }
    		97 | }
    
    Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
    	FAILED for resource: aws_security_group.main
    	File: /labs/dynamic-blocks/main.tf:70-97
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-1-port-security.html
    
    		70 | resource "aws_security_group" "main" {
    		71 |    name        = "resource_with_dynamic_block"
    		72 |    description = "Allow SSH inbound connections"
    		73 |    vpc_id      =  aws_vpc.my_vpc.id # todo: update it with data.aws_vpc.main.id
    		74 | 
    		75 |    dynamic "ingress" {
    		76 |       for_each = local.ingress_rules
    		77 | 
    		78 |       content {
    		79 |          description = ingress.value.description
    		80 |          from_port   = ingress.value.port
    		81 |          to_port     = ingress.value.port
    		82 |          protocol    = "tcp"
    		83 |          cidr_blocks = ["0.0.0.0/0"]
    		84 |       }
    		85 |    }
    		86 | 
    		87 |    egress {
    		88 |     from_port       = 0
    		89 |     to_port         = 0
    		90 |     protocol        = "-1"
    		91 |     cidr_blocks     = ["0.0.0.0/0"]
    		92 |    }
    		93 | 
    		94 |    tags = {
    		95 |       Name = "AWS security group dynamic block"
    		96 |    }
    		97 | }
    
    Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
    	FAILED for resource: aws_instance.ubuntu2204
    	File: /labs/dynamic-blocks/main.tf:99-109
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
    
    		99  | resource "aws_instance" "ubuntu2204" {
    		100 |   ami                         = "ami-0d1ddd83282187d18" # Ubuntu 22.04 eu-central-1 Frankfurt
    		101 |   instance_type               = "t2.nano"
    		102 |   key_name                    = "testkey"
    		103 |   vpc_security_group_ids      = [aws_security_group.main.id]
    		104 |   subnet_id                   = aws_subnet.public.id
    		105 |   associate_public_ip_address = true
    		106 |   tags = {
    		107 |     Name = "Ubuntu 22.04"
    		108 |   }
    		109 | }
    
    Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
    	FAILED for resource: aws_instance.ubuntu2204
    	File: /labs/dynamic-blocks/main.tf:99-109
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
    
    		99  | resource "aws_instance" "ubuntu2204" {
    		100 |   ami                         = "ami-0d1ddd83282187d18" # Ubuntu 22.04 eu-central-1 Frankfurt
    		101 |   instance_type               = "t2.nano"
    		102 |   key_name                    = "testkey"
    		103 |   vpc_security_group_ids      = [aws_security_group.main.id]
    		104 |   subnet_id                   = aws_subnet.public.id
    		105 |   associate_public_ip_address = true
    		106 |   tags = {
    		107 |     Name = "Ubuntu 22.04"
    		108 |   }
    		109 | }
    
    Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
    	FAILED for resource: aws_instance.ubuntu2204
    	File: /labs/dynamic-blocks/main.tf:99-109
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
    
    		99  | resource "aws_instance" "ubuntu2204" {
    		100 |   ami                         = "ami-0d1ddd83282187d18" # Ubuntu 22.04 eu-central-1 Frankfurt
    		101 |   instance_type               = "t2.nano"
    		102 |   key_name                    = "testkey"
    		103 |   vpc_security_group_ids      = [aws_security_group.main.id]
    		104 |   subnet_id                   = aws_subnet.public.id
    		105 |   associate_public_ip_address = true
    		106 |   tags = {
    		107 |     Name = "Ubuntu 22.04"
    		108 |   }
    		109 | }
    
    Check: CKV_AWS_88: "EC2 instance should not have public IP."
    	FAILED for resource: aws_instance.ubuntu2204
    	File: /labs/dynamic-blocks/main.tf:99-109
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/public-policies/public-12.html
    
    		99  | resource "aws_instance" "ubuntu2204" {
    		100 |   ami                         = "ami-0d1ddd83282187d18" # Ubuntu 22.04 eu-central-1 Frankfurt
    		101 |   instance_type               = "t2.nano"
    		102 |   key_name                    = "testkey"
    		103 |   vpc_security_group_ids      = [aws_security_group.main.id]
    		104 |   subnet_id                   = aws_subnet.public.id
    		105 |   associate_public_ip_address = true
    		106 |   tags = {
    		107 |     Name = "Ubuntu 22.04"
    		108 |   }
    		109 | }
    
    Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
    	FAILED for resource: aws_instance.ubuntu2204
    	File: /labs/dynamic-blocks/main.tf:99-109
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
    
    		99  | resource "aws_instance" "ubuntu2204" {
    		100 |   ami                         = "ami-0d1ddd83282187d18" # Ubuntu 22.04 eu-central-1 Frankfurt
    		101 |   instance_type               = "t2.nano"
    		102 |   key_name                    = "testkey"
    		103 |   vpc_security_group_ids      = [aws_security_group.main.id]
    		104 |   subnet_id                   = aws_subnet.public.id
    		105 |   associate_public_ip_address = true
    		106 |   tags = {
    		107 |     Name = "Ubuntu 22.04"
    		108 |   }
    		109 | }
    
    Check: CKV_AWS_110: "Ensure IAM policies does not allow privilege escalation"
    	FAILED for resource: aws_iam_policy_document.admin_policy
    	File: /labs/iamuser-metaargs-count-for-foreach-map/count/main.tf:53-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-does-not-allow-privilege-escalation.html
    
    		53 | data "aws_iam_policy_document" "admin_policy" {
    		54 |   statement {
    		55 |     effect    = "Allow"
    		56 |     actions   = ["*"]
    		57 |     resources = ["*"]
    		58 |   }
    		59 | }
    
    Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
    	FAILED for resource: aws_iam_policy_document.admin_policy
    	File: /labs/iamuser-metaargs-count-for-foreach-map/count/main.tf:53-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration.html
    
    		53 | data "aws_iam_policy_document" "admin_policy" {
    		54 |   statement {
    		55 |     effect    = "Allow"
    		56 |     actions   = ["*"]
    		57 |     resources = ["*"]
    		58 |   }
    		59 | }
    
    Check: CKV_AWS_49: "Ensure no IAM policies documents allow "*" as a statement's actions"
    	FAILED for resource: aws_iam_policy_document.admin_policy
    	File: /labs/iamuser-metaargs-count-for-foreach-map/count/main.tf:53-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/bc-aws-iam-43.html
    
    		53 | data "aws_iam_policy_document" "admin_policy" {
    		54 |   statement {
    		55 |     effect    = "Allow"
    		56 |     actions   = ["*"]
    		57 |     resources = ["*"]
    		58 |   }
    		59 | }
    
    Check: CKV_AWS_1: "Ensure IAM policies that allow full "*-*" administrative privileges are not created"
    	FAILED for resource: aws_iam_policy_document.admin_policy
    	File: /labs/iamuser-metaargs-count-for-foreach-map/count/main.tf:53-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-23.html
    
    		53 | data "aws_iam_policy_document" "admin_policy" {
    		54 |   statement {
    		55 |     effect    = "Allow"
    		56 |     actions   = ["*"]
    		57 |     resources = ["*"]
    		58 |   }
    		59 | }
    
    Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
    	FAILED for resource: aws_iam_policy_document.admin_policy
    	File: /labs/iamuser-metaargs-count-for-foreach-map/count/main.tf:53-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint.html
    
    		53 | data "aws_iam_policy_document" "admin_policy" {
    		54 |   statement {
    		55 |     effect    = "Allow"
    		56 |     actions   = ["*"]
    		57 |     resources = ["*"]
    		58 |   }
    		59 | }
    
    Check: CKV_AWS_107: "Ensure IAM policies does not allow credentials exposure"
    	FAILED for resource: aws_iam_policy_document.admin_policy
    	File: /labs/iamuser-metaargs-count-for-foreach-map/count/main.tf:53-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-credentials-exposure.html
    
    		53 | data "aws_iam_policy_document" "admin_policy" {
    		54 |   statement {
    		55 |     effect    = "Allow"
    		56 |     actions   = ["*"]
    		57 |     resources = ["*"]
    		58 |   }
    		59 | }
    
    Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_policy_document.admin_policy
    	File: /labs/iamuser-metaargs-count-for-foreach-map/count/main.tf:53-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html
    
    		53 | data "aws_iam_policy_document" "admin_policy" {
    		54 |   statement {
    		55 |     effect    = "Allow"
    		56 |     actions   = ["*"]
    		57 |     resources = ["*"]
    		58 |   }
    		59 | }
    
    Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_policy_document.admin_policy
    	File: /labs/iamuser-metaargs-count-for-foreach-map/count/main.tf:53-59
    
    		53 | data "aws_iam_policy_document" "admin_policy" {
    		54 |   statement {
    		55 |     effect    = "Allow"
    		56 |     actions   = ["*"]
    		57 |     resources = ["*"]
    		58 |   }
    		59 | }
    
    Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_policy_document.ec2_policy
    	File: /labs/iamuser-metaargs-count-for-foreach-map/count/main.tf:66-72
    
    		66 | data "aws_iam_policy_document" "ec2_policy" {
    		67 |   statement {
    		68 |     effect    = "Allow"
    		69 |     actions   = ["ec2:Describe*"]
    		70 |     resources = ["*"]
    		71 |   }
    		72 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.user_example[0]
    	File: /labs/iamuser-metaargs-count-for-foreach-map/count/main.tf:95-98
    
    		95 | resource "aws_iam_user" "user_example" {
    		96 |   count = length(var.user_names)
    		97 |   name  = var.user_names[count.index]
    		98 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.user_example[1]
    	File: /labs/iamuser-metaargs-count-for-foreach-map/count/main.tf:95-98
    
    		95 | resource "aws_iam_user" "user_example" {
    		96 |   count = length(var.user_names)
    		97 |   name  = var.user_names[count.index]
    		98 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.user_example[2]
    	File: /labs/iamuser-metaargs-count-for-foreach-map/count/main.tf:95-98
    
    		95 | resource "aws_iam_user" "user_example" {
    		96 |   count = length(var.user_names)
    		97 |   name  = var.user_names[count.index]
    		98 | }
    
    Check: CKV_AWS_110: "Ensure IAM policies does not allow privilege escalation"
    	FAILED for resource: aws_iam_policy_document.admin_policy
    	File: /labs/iamuser-metaargs-count-for-foreach-map/for_each/main.tf:53-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-does-not-allow-privilege-escalation.html
    
    		53 | data "aws_iam_policy_document" "admin_policy" {
    		54 |   statement {
    		55 |     effect    = "Allow"
    		56 |     actions   = ["*"]
    		57 |     resources = ["*"]
    		58 |   }
    		59 | }
    
    Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
    	FAILED for resource: aws_iam_policy_document.admin_policy
    	File: /labs/iamuser-metaargs-count-for-foreach-map/for_each/main.tf:53-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration.html
    
    		53 | data "aws_iam_policy_document" "admin_policy" {
    		54 |   statement {
    		55 |     effect    = "Allow"
    		56 |     actions   = ["*"]
    		57 |     resources = ["*"]
    		58 |   }
    		59 | }
    
    Check: CKV_AWS_49: "Ensure no IAM policies documents allow "*" as a statement's actions"
    	FAILED for resource: aws_iam_policy_document.admin_policy
    	File: /labs/iamuser-metaargs-count-for-foreach-map/for_each/main.tf:53-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/bc-aws-iam-43.html
    
    		53 | data "aws_iam_policy_document" "admin_policy" {
    		54 |   statement {
    		55 |     effect    = "Allow"
    		56 |     actions   = ["*"]
    		57 |     resources = ["*"]
    		58 |   }
    		59 | }
    
    Check: CKV_AWS_1: "Ensure IAM policies that allow full "*-*" administrative privileges are not created"
    	FAILED for resource: aws_iam_policy_document.admin_policy
    	File: /labs/iamuser-metaargs-count-for-foreach-map/for_each/main.tf:53-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-23.html
    
    		53 | data "aws_iam_policy_document" "admin_policy" {
    		54 |   statement {
    		55 |     effect    = "Allow"
    		56 |     actions   = ["*"]
    		57 |     resources = ["*"]
    		58 |   }
    		59 | }
    
    Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
    	FAILED for resource: aws_iam_policy_document.admin_policy
    	File: /labs/iamuser-metaargs-count-for-foreach-map/for_each/main.tf:53-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint.html
    
    		53 | data "aws_iam_policy_document" "admin_policy" {
    		54 |   statement {
    		55 |     effect    = "Allow"
    		56 |     actions   = ["*"]
    		57 |     resources = ["*"]
    		58 |   }
    		59 | }
    
    Check: CKV_AWS_107: "Ensure IAM policies does not allow credentials exposure"
    	FAILED for resource: aws_iam_policy_document.admin_policy
    	File: /labs/iamuser-metaargs-count-for-foreach-map/for_each/main.tf:53-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-credentials-exposure.html
    
    		53 | data "aws_iam_policy_document" "admin_policy" {
    		54 |   statement {
    		55 |     effect    = "Allow"
    		56 |     actions   = ["*"]
    		57 |     resources = ["*"]
    		58 |   }
    		59 | }
    
    Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_policy_document.admin_policy
    	File: /labs/iamuser-metaargs-count-for-foreach-map/for_each/main.tf:53-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html
    
    		53 | data "aws_iam_policy_document" "admin_policy" {
    		54 |   statement {
    		55 |     effect    = "Allow"
    		56 |     actions   = ["*"]
    		57 |     resources = ["*"]
    		58 |   }
    		59 | }
    
    Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_policy_document.admin_policy
    	File: /labs/iamuser-metaargs-count-for-foreach-map/for_each/main.tf:53-59
    
    		53 | data "aws_iam_policy_document" "admin_policy" {
    		54 |   statement {
    		55 |     effect    = "Allow"
    		56 |     actions   = ["*"]
    		57 |     resources = ["*"]
    		58 |   }
    		59 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.user_example["username1_admin_dev"]
    	File: /labs/iamuser-metaargs-count-for-foreach-map/for_each/main.tf:96-99
    
    		96 | resource "aws_iam_user" "user_example" {
    		97 |   for_each = var.user_names
    		98 |   name  = each.value
    		99 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.user_example["username2_admin"]
    	File: /labs/iamuser-metaargs-count-for-foreach-map/for_each/main.tf:96-99
    
    		96 | resource "aws_iam_user" "user_example" {
    		97 |   for_each = var.user_names
    		98 |   name  = each.value
    		99 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.user_example["username3_dev_s3"]
    	File: /labs/iamuser-metaargs-count-for-foreach-map/for_each/main.tf:96-99
    
    		96 | resource "aws_iam_user" "user_example" {
    		97 |   for_each = var.user_names
    		98 |   name  = each.value
    		99 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.example["user1"]
    	File: /labs/iamuser-metaargs-count-for-foreach-map/map/main.tf:14-17
    
    		14 | resource "aws_iam_user" "example" {
    		15 |   for_each = var.user_names
    		16 |   name  = each.value
    		17 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.example["user2"]
    	File: /labs/iamuser-metaargs-count-for-foreach-map/map/main.tf:14-17
    
    		14 | resource "aws_iam_user" "example" {
    		15 |   for_each = var.user_names
    		16 |   name  = each.value
    		17 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.example["user3"]
    	File: /labs/iamuser-metaargs-count-for-foreach-map/map/main.tf:14-17
    
    		14 | resource "aws_iam_user" "example" {
    		15 |   for_each = var.user_names
    		16 |   name  = each.value
    		17 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: module.webserver-1.aws_security_group.ssg
    	File: /labs/modules/module1/main.tf:59-93
    	Calling File: /labs/modules/main.tf:13-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		59 | resource "aws_security_group" "ssg" {
    		60 |   name        = "module1_security_group"    # name should be different on modules
    		61 |   description = "Allow SSH inbound connections"
    		62 |   vpc_id      = aws_vpc.my_vpc.id
    		63 |   # for SSH
    		64 |   ingress {
    		65 |     from_port   = 22
    		66 |     to_port     = 22
    		67 |     protocol    = "tcp"
    		68 |     cidr_blocks = ["0.0.0.0/0"]
    		69 |   }
    		70 |   # for HTTP Apache Server
    		71 |   ingress {
    		72 |     from_port   = 80
    		73 |     to_port     = 80
    		74 |     protocol    = "tcp"
    		75 |     cidr_blocks = ["0.0.0.0/0"]
    		76 |   }
    		77 |   # for HTTPS Apache Server
    		78 |   ingress {
    		79 |     from_port   = 443
    		80 |     to_port     = 443
    		81 |     protocol    = "tcp"
    		82 |     cidr_blocks = ["0.0.0.0/0"]
    		83 |   }
    		84 |   egress {
    		85 |     from_port       = 0
    		86 |     to_port         = 0
    		87 |     protocol        = "-1"
    		88 |     cidr_blocks     = ["0.0.0.0/0"]
    		89 |   }
    		90 |   tags = {
    		91 |     Name = "allow_ssh_sg"
    		92 |   }
    		93 | }
    
    Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
    	FAILED for resource: module.webserver-1.aws_security_group.ssg
    	File: /labs/modules/module1/main.tf:59-93
    	Calling File: /labs/modules/main.tf:13-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
    
    		59 | resource "aws_security_group" "ssg" {
    		60 |   name        = "module1_security_group"    # name should be different on modules
    		61 |   description = "Allow SSH inbound connections"
    		62 |   vpc_id      = aws_vpc.my_vpc.id
    		63 |   # for SSH
    		64 |   ingress {
    		65 |     from_port   = 22
    		66 |     to_port     = 22
    		67 |     protocol    = "tcp"
    		68 |     cidr_blocks = ["0.0.0.0/0"]
    		69 |   }
    		70 |   # for HTTP Apache Server
    		71 |   ingress {
    		72 |     from_port   = 80
    		73 |     to_port     = 80
    		74 |     protocol    = "tcp"
    		75 |     cidr_blocks = ["0.0.0.0/0"]
    		76 |   }
    		77 |   # for HTTPS Apache Server
    		78 |   ingress {
    		79 |     from_port   = 443
    		80 |     to_port     = 443
    		81 |     protocol    = "tcp"
    		82 |     cidr_blocks = ["0.0.0.0/0"]
    		83 |   }
    		84 |   egress {
    		85 |     from_port       = 0
    		86 |     to_port         = 0
    		87 |     protocol        = "-1"
    		88 |     cidr_blocks     = ["0.0.0.0/0"]
    		89 |   }
    		90 |   tags = {
    		91 |     Name = "allow_ssh_sg"
    		92 |   }
    		93 | }
    
    Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
    	FAILED for resource: module.webserver-1.aws_security_group.ssg
    	File: /labs/modules/module1/main.tf:59-93
    	Calling File: /labs/modules/main.tf:13-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-1-port-security.html
    
    		59 | resource "aws_security_group" "ssg" {
    		60 |   name        = "module1_security_group"    # name should be different on modules
    		61 |   description = "Allow SSH inbound connections"
    		62 |   vpc_id      = aws_vpc.my_vpc.id
    		63 |   # for SSH
    		64 |   ingress {
    		65 |     from_port   = 22
    		66 |     to_port     = 22
    		67 |     protocol    = "tcp"
    		68 |     cidr_blocks = ["0.0.0.0/0"]
    		69 |   }
    		70 |   # for HTTP Apache Server
    		71 |   ingress {
    		72 |     from_port   = 80
    		73 |     to_port     = 80
    		74 |     protocol    = "tcp"
    		75 |     cidr_blocks = ["0.0.0.0/0"]
    		76 |   }
    		77 |   # for HTTPS Apache Server
    		78 |   ingress {
    		79 |     from_port   = 443
    		80 |     to_port     = 443
    		81 |     protocol    = "tcp"
    		82 |     cidr_blocks = ["0.0.0.0/0"]
    		83 |   }
    		84 |   egress {
    		85 |     from_port       = 0
    		86 |     to_port         = 0
    		87 |     protocol        = "-1"
    		88 |     cidr_blocks     = ["0.0.0.0/0"]
    		89 |   }
    		90 |   tags = {
    		91 |     Name = "allow_ssh_sg"
    		92 |   }
    		93 | }
    
    Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
    	FAILED for resource: module.webserver-1.aws_instance.ec2
    	File: /labs/modules/module1/main.tf:95-113
    	Calling File: /labs/modules/main.tf:13-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
    
    		95  | resource "aws_instance" "ec2" {
    		96  |    ami                         = var.ami
    		97  |    instance_type               = var.instance_type
    		98  |    subnet_id                   = aws_subnet.public.id
    		99  |    associate_public_ip_address = true
    		100 |    vpc_security_group_ids      = [aws_security_group.ssg.id]
    		101 |    user_data = <<-EOF
    		102 | 		           #! /bin/bash
    		103 |                            sudo apt-get update
    		104 | 		           sudo apt-get install -y apache2
    		105 | 		           sudo systemctl start apache2
    		106 | 		           sudo systemctl enable apache2
    		107 | 		           echo "!! MODULE-1 !!: Deployed via Terraform from $(hostname -f)" | sudo tee /var/www/html/index.html
    		108 | 		           EOF
    		109 |    tags = {
    		110 |      Name = var.tag
    		111 |    }
    		112 | 
    		113 | }
    
    Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
    	FAILED for resource: module.webserver-1.aws_instance.ec2
    	File: /labs/modules/module1/main.tf:95-113
    	Calling File: /labs/modules/main.tf:13-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
    
    		95  | resource "aws_instance" "ec2" {
    		96  |    ami                         = var.ami
    		97  |    instance_type               = var.instance_type
    		98  |    subnet_id                   = aws_subnet.public.id
    		99  |    associate_public_ip_address = true
    		100 |    vpc_security_group_ids      = [aws_security_group.ssg.id]
    		101 |    user_data = <<-EOF
    		102 | 		           #! /bin/bash
    		103 |                            sudo apt-get update
    		104 | 		           sudo apt-get install -y apache2
    		105 | 		           sudo systemctl start apache2
    		106 | 		           sudo systemctl enable apache2
    		107 | 		           echo "!! MODULE-1 !!: Deployed via Terraform from $(hostname -f)" | sudo tee /var/www/html/index.html
    		108 | 		           EOF
    		109 |    tags = {
    		110 |      Name = var.tag
    		111 |    }
    		112 | 
    		113 | }
    
    Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
    	FAILED for resource: module.webserver-1.aws_instance.ec2
    	File: /labs/modules/module1/main.tf:95-113
    	Calling File: /labs/modules/main.tf:13-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
    
    		95  | resource "aws_instance" "ec2" {
    		96  |    ami                         = var.ami
    		97  |    instance_type               = var.instance_type
    		98  |    subnet_id                   = aws_subnet.public.id
    		99  |    associate_public_ip_address = true
    		100 |    vpc_security_group_ids      = [aws_security_group.ssg.id]
    		101 |    user_data = <<-EOF
    		102 | 		           #! /bin/bash
    		103 |                            sudo apt-get update
    		104 | 		           sudo apt-get install -y apache2
    		105 | 		           sudo systemctl start apache2
    		106 | 		           sudo systemctl enable apache2
    		107 | 		           echo "!! MODULE-1 !!: Deployed via Terraform from $(hostname -f)" | sudo tee /var/www/html/index.html
    		108 | 		           EOF
    		109 |    tags = {
    		110 |      Name = var.tag
    		111 |    }
    		112 | 
    		113 | }
    
    Check: CKV_AWS_88: "EC2 instance should not have public IP."
    	FAILED for resource: module.webserver-1.aws_instance.ec2
    	File: /labs/modules/module1/main.tf:95-113
    	Calling File: /labs/modules/main.tf:13-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/public-policies/public-12.html
    
    		95  | resource "aws_instance" "ec2" {
    		96  |    ami                         = var.ami
    		97  |    instance_type               = var.instance_type
    		98  |    subnet_id                   = aws_subnet.public.id
    		99  |    associate_public_ip_address = true
    		100 |    vpc_security_group_ids      = [aws_security_group.ssg.id]
    		101 |    user_data = <<-EOF
    		102 | 		           #! /bin/bash
    		103 |                            sudo apt-get update
    		104 | 		           sudo apt-get install -y apache2
    		105 | 		           sudo systemctl start apache2
    		106 | 		           sudo systemctl enable apache2
    		107 | 		           echo "!! MODULE-1 !!: Deployed via Terraform from $(hostname -f)" | sudo tee /var/www/html/index.html
    		108 | 		           EOF
    		109 |    tags = {
    		110 |      Name = var.tag
    		111 |    }
    		112 | 
    		113 | }
    
    Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
    	FAILED for resource: module.webserver-1.aws_instance.ec2
    	File: /labs/modules/module1/main.tf:95-113
    	Calling File: /labs/modules/main.tf:13-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
    
    		95  | resource "aws_instance" "ec2" {
    		96  |    ami                         = var.ami
    		97  |    instance_type               = var.instance_type
    		98  |    subnet_id                   = aws_subnet.public.id
    		99  |    associate_public_ip_address = true
    		100 |    vpc_security_group_ids      = [aws_security_group.ssg.id]
    		101 |    user_data = <<-EOF
    		102 | 		           #! /bin/bash
    		103 |                            sudo apt-get update
    		104 | 		           sudo apt-get install -y apache2
    		105 | 		           sudo systemctl start apache2
    		106 | 		           sudo systemctl enable apache2
    		107 | 		           echo "!! MODULE-1 !!: Deployed via Terraform from $(hostname -f)" | sudo tee /var/www/html/index.html
    		108 | 		           EOF
    		109 |    tags = {
    		110 |      Name = var.tag
    		111 |    }
    		112 | 
    		113 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: module.webserver-2.aws_security_group.ssg
    	File: /labs/modules/module2/main.tf:59-93
    	Calling File: /labs/modules/main.tf:24-32
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		59 | resource "aws_security_group" "ssg" {
    		60 |   name        = "module2_security_group"    # name should be different on modules
    		61 |   description = "Allow SSH inbound connections"
    		62 |   vpc_id      = aws_vpc.my_vpc.id
    		63 |   # for SSH
    		64 |   ingress {
    		65 |     from_port   = 22
    		66 |     to_port     = 22
    		67 |     protocol    = "tcp"
    		68 |     cidr_blocks = ["0.0.0.0/0"]
    		69 |   }
    		70 |   # for HTTP Apache Server
    		71 |   ingress {
    		72 |     from_port   = 80
    		73 |     to_port     = 80
    		74 |     protocol    = "tcp"
    		75 |     cidr_blocks = ["0.0.0.0/0"]
    		76 |   }
    		77 |   # for HTTPS Apache Server
    		78 |   ingress {
    		79 |     from_port   = 443
    		80 |     to_port     = 443
    		81 |     protocol    = "tcp"
    		82 |     cidr_blocks = ["0.0.0.0/0"]
    		83 |   }
    		84 |   egress {
    		85 |     from_port       = 0
    		86 |     to_port         = 0
    		87 |     protocol        = "-1"
    		88 |     cidr_blocks     = ["0.0.0.0/0"]
    		89 |   }
    		90 |   tags = {
    		91 |     Name = "allow_ssh_sg"
    		92 |   }
    		93 | }
    
    Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
    	FAILED for resource: module.webserver-2.aws_security_group.ssg
    	File: /labs/modules/module2/main.tf:59-93
    	Calling File: /labs/modules/main.tf:24-32
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
    
    		59 | resource "aws_security_group" "ssg" {
    		60 |   name        = "module2_security_group"    # name should be different on modules
    		61 |   description = "Allow SSH inbound connections"
    		62 |   vpc_id      = aws_vpc.my_vpc.id
    		63 |   # for SSH
    		64 |   ingress {
    		65 |     from_port   = 22
    		66 |     to_port     = 22
    		67 |     protocol    = "tcp"
    		68 |     cidr_blocks = ["0.0.0.0/0"]
    		69 |   }
    		70 |   # for HTTP Apache Server
    		71 |   ingress {
    		72 |     from_port   = 80
    		73 |     to_port     = 80
    		74 |     protocol    = "tcp"
    		75 |     cidr_blocks = ["0.0.0.0/0"]
    		76 |   }
    		77 |   # for HTTPS Apache Server
    		78 |   ingress {
    		79 |     from_port   = 443
    		80 |     to_port     = 443
    		81 |     protocol    = "tcp"
    		82 |     cidr_blocks = ["0.0.0.0/0"]
    		83 |   }
    		84 |   egress {
    		85 |     from_port       = 0
    		86 |     to_port         = 0
    		87 |     protocol        = "-1"
    		88 |     cidr_blocks     = ["0.0.0.0/0"]
    		89 |   }
    		90 |   tags = {
    		91 |     Name = "allow_ssh_sg"
    		92 |   }
    		93 | }
    
    Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
    	FAILED for resource: module.webserver-2.aws_security_group.ssg
    	File: /labs/modules/module2/main.tf:59-93
    	Calling File: /labs/modules/main.tf:24-32
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-1-port-security.html
    
    		59 | resource "aws_security_group" "ssg" {
    		60 |   name        = "module2_security_group"    # name should be different on modules
    		61 |   description = "Allow SSH inbound connections"
    		62 |   vpc_id      = aws_vpc.my_vpc.id
    		63 |   # for SSH
    		64 |   ingress {
    		65 |     from_port   = 22
    		66 |     to_port     = 22
    		67 |     protocol    = "tcp"
    		68 |     cidr_blocks = ["0.0.0.0/0"]
    		69 |   }
    		70 |   # for HTTP Apache Server
    		71 |   ingress {
    		72 |     from_port   = 80
    		73 |     to_port     = 80
    		74 |     protocol    = "tcp"
    		75 |     cidr_blocks = ["0.0.0.0/0"]
    		76 |   }
    		77 |   # for HTTPS Apache Server
    		78 |   ingress {
    		79 |     from_port   = 443
    		80 |     to_port     = 443
    		81 |     protocol    = "tcp"
    		82 |     cidr_blocks = ["0.0.0.0/0"]
    		83 |   }
    		84 |   egress {
    		85 |     from_port       = 0
    		86 |     to_port         = 0
    		87 |     protocol        = "-1"
    		88 |     cidr_blocks     = ["0.0.0.0/0"]
    		89 |   }
    		90 |   tags = {
    		91 |     Name = "allow_ssh_sg"
    		92 |   }
    		93 | }
    
    Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
    	FAILED for resource: module.webserver-2.aws_instance.ec2
    	File: /labs/modules/module2/main.tf:95-113
    	Calling File: /labs/modules/main.tf:24-32
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
    
    		95  | resource "aws_instance" "ec2" {
    		96  |    ami                         = var.ami
    		97  |    instance_type               = var.instance_type
    		98  |    subnet_id                   = aws_subnet.public.id
    		99  |    associate_public_ip_address = true
    		100 |    vpc_security_group_ids      = [aws_security_group.ssg.id]
    		101 |    user_data = <<-EOF
    		102 | 		           #! /bin/bash
    		103 |                            sudo apt-get update
    		104 | 		           sudo apt-get install -y apache2
    		105 | 		           sudo systemctl start apache2
    		106 | 		           sudo systemctl enable apache2
    		107 | 		           echo "** MODULE-2 **: Deployed via Terraform from $(hostname -f)" | sudo tee /var/www/html/index.html
    		108 | 		           EOF
    		109 |    tags = {
    		110 |      Name = var.tag
    		111 |    }
    		112 | 
    		113 | }
    
    Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
    	FAILED for resource: module.webserver-2.aws_instance.ec2
    	File: /labs/modules/module2/main.tf:95-113
    	Calling File: /labs/modules/main.tf:24-32
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
    
    		95  | resource "aws_instance" "ec2" {
    		96  |    ami                         = var.ami
    		97  |    instance_type               = var.instance_type
    		98  |    subnet_id                   = aws_subnet.public.id
    		99  |    associate_public_ip_address = true
    		100 |    vpc_security_group_ids      = [aws_security_group.ssg.id]
    		101 |    user_data = <<-EOF
    		102 | 		           #! /bin/bash
    		103 |                            sudo apt-get update
    		104 | 		           sudo apt-get install -y apache2
    		105 | 		           sudo systemctl start apache2
    		106 | 		           sudo systemctl enable apache2
    		107 | 		           echo "** MODULE-2 **: Deployed via Terraform from $(hostname -f)" | sudo tee /var/www/html/index.html
    		108 | 		           EOF
    		109 |    tags = {
    		110 |      Name = var.tag
    		111 |    }
    		112 | 
    		113 | }
    
    Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
    	FAILED for resource: module.webserver-2.aws_instance.ec2
    	File: /labs/modules/module2/main.tf:95-113
    	Calling File: /labs/modules/main.tf:24-32
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
    
    		95  | resource "aws_instance" "ec2" {
    		96  |    ami                         = var.ami
    		97  |    instance_type               = var.instance_type
    		98  |    subnet_id                   = aws_subnet.public.id
    		99  |    associate_public_ip_address = true
    		100 |    vpc_security_group_ids      = [aws_security_group.ssg.id]
    		101 |    user_data = <<-EOF
    		102 | 		           #! /bin/bash
    		103 |                            sudo apt-get update
    		104 | 		           sudo apt-get install -y apache2
    		105 | 		           sudo systemctl start apache2
    		106 | 		           sudo systemctl enable apache2
    		107 | 		           echo "** MODULE-2 **: Deployed via Terraform from $(hostname -f)" | sudo tee /var/www/html/index.html
    		108 | 		           EOF
    		109 |    tags = {
    		110 |      Name = var.tag
    		111 |    }
    		112 | 
    		113 | }
    
    Check: CKV_AWS_88: "EC2 instance should not have public IP."
    	FAILED for resource: module.webserver-2.aws_instance.ec2
    	File: /labs/modules/module2/main.tf:95-113
    	Calling File: /labs/modules/main.tf:24-32
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/public-policies/public-12.html
    
    		95  | resource "aws_instance" "ec2" {
    		96  |    ami                         = var.ami
    		97  |    instance_type               = var.instance_type
    		98  |    subnet_id                   = aws_subnet.public.id
    		99  |    associate_public_ip_address = true
    		100 |    vpc_security_group_ids      = [aws_security_group.ssg.id]
    		101 |    user_data = <<-EOF
    		102 | 		           #! /bin/bash
    		103 |                            sudo apt-get update
    		104 | 		           sudo apt-get install -y apache2
    		105 | 		           sudo systemctl start apache2
    		106 | 		           sudo systemctl enable apache2
    		107 | 		           echo "** MODULE-2 **: Deployed via Terraform from $(hostname -f)" | sudo tee /var/www/html/index.html
    		108 | 		           EOF
    		109 |    tags = {
    		110 |      Name = var.tag
    		111 |    }
    		112 | 
    		113 | }
    
    Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
    	FAILED for resource: module.webserver-2.aws_instance.ec2
    	File: /labs/modules/module2/main.tf:95-113
    	Calling File: /labs/modules/main.tf:24-32
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
    
    		95  | resource "aws_instance" "ec2" {
    		96  |    ami                         = var.ami
    		97  |    instance_type               = var.instance_type
    		98  |    subnet_id                   = aws_subnet.public.id
    		99  |    associate_public_ip_address = true
    		100 |    vpc_security_group_ids      = [aws_security_group.ssg.id]
    		101 |    user_data = <<-EOF
    		102 | 		           #! /bin/bash
    		103 |                            sudo apt-get update
    		104 | 		           sudo apt-get install -y apache2
    		105 | 		           sudo systemctl start apache2
    		106 | 		           sudo systemctl enable apache2
    		107 | 		           echo "** MODULE-2 **: Deployed via Terraform from $(hostname -f)" | sudo tee /var/www/html/index.html
    		108 | 		           EOF
    		109 |    tags = {
    		110 |      Name = var.tag
    		111 |    }
    		112 | 
    		113 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group.allow_ssh
    	File: /labs/provisioners-nullresources/main.tf:54-74
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		54 | resource "aws_security_group" "allow_ssh" {
    		55 |   name        = "allow_ssh_sg"
    		56 |   description = "Allow SSH inbound connections"
    		57 |   vpc_id      = aws_vpc.my_vpc.id
    		58 |   # for SSH
    		59 |   ingress {
    		60 |     from_port   = 22
    		61 |     to_port     = 22
    		62 |     protocol    = "tcp"
    		63 |     cidr_blocks = ["0.0.0.0/0"]
    		64 |   }
    		65 |   egress {
    		66 |     from_port       = 0
    		67 |     to_port         = 0
    		68 |     protocol        = "-1"
    		69 |     cidr_blocks     = ["0.0.0.0/0"]
    		70 |   }
    		71 |   tags = {
    		72 |     Name = "allow_ssh_sg"
    		73 |   }
    		74 | }
    
    Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
    	FAILED for resource: aws_security_group.allow_ssh
    	File: /labs/provisioners-nullresources/main.tf:54-74
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-1-port-security.html
    
    		54 | resource "aws_security_group" "allow_ssh" {
    		55 |   name        = "allow_ssh_sg"
    		56 |   description = "Allow SSH inbound connections"
    		57 |   vpc_id      = aws_vpc.my_vpc.id
    		58 |   # for SSH
    		59 |   ingress {
    		60 |     from_port   = 22
    		61 |     to_port     = 22
    		62 |     protocol    = "tcp"
    		63 |     cidr_blocks = ["0.0.0.0/0"]
    		64 |   }
    		65 |   egress {
    		66 |     from_port       = 0
    		67 |     to_port         = 0
    		68 |     protocol        = "-1"
    		69 |     cidr_blocks     = ["0.0.0.0/0"]
    		70 |   }
    		71 |   tags = {
    		72 |     Name = "allow_ssh_sg"
    		73 |   }
    		74 | }
    
    Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
    	FAILED for resource: aws_instance.ubuntu2204
    	File: /labs/provisioners-nullresources/main.tf:76-113
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
    
    		76  | resource "aws_instance" "ubuntu2204" {
    		77  | 
    		78  |   ami                         = "ami-0d1ddd83282187d18" # Ubuntu 22.04 eu-central-1 Frankfurt
    		79  |   instance_type               = "t2.nano"
    		80  |   key_name                    = "testkey"
    		81  |   vpc_security_group_ids      = [aws_security_group.allow_ssh.id]
    		82  |   subnet_id                   = aws_subnet.public.id
    		83  |   associate_public_ip_address = true
    		84  | 
    		85  |   tags = {
    		86  |     Name = "Ubuntu 22.04"
    		87  |   }
    		88  | 
    		89  |   provisioner "file" {
    		90  |     source      = "test-file.txt"
    		91  |     destination = "/home/ubuntu/test-file.txt"
    		92  |   }
    		93  | 
    		94  |   provisioner "file" {
    		95  |     content     = "I want to copy this string to the destination file => server.txt (using provisioner file content)"
    		96  |     destination = "/home/ubuntu/server.txt"
    		97  |   }
    		98  | 
    		99  |   provisioner "remote-exec" {
    		100 |     inline = [
    		101 |       "touch hello.txt",
    		102 |       "echo helloworld remote-exec provisioner >> hello.txt",
    		103 |     ]
    		104 |   }
    		105 | 
    		106 |   connection {
    		107 |     type        = "ssh"
    		108 |     host        = self.public_ip
    		109 |     user        = "ubuntu"
    		110 |     private_key = file("testkey.pem")
    		111 |     timeout     = "4m"
    		112 |   }
    		113 | }
    
    Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
    	FAILED for resource: aws_instance.ubuntu2204
    	File: /labs/provisioners-nullresources/main.tf:76-113
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
    
    		76  | resource "aws_instance" "ubuntu2204" {
    		77  | 
    		78  |   ami                         = "ami-0d1ddd83282187d18" # Ubuntu 22.04 eu-central-1 Frankfurt
    		79  |   instance_type               = "t2.nano"
    		80  |   key_name                    = "testkey"
    		81  |   vpc_security_group_ids      = [aws_security_group.allow_ssh.id]
    		82  |   subnet_id                   = aws_subnet.public.id
    		83  |   associate_public_ip_address = true
    		84  | 
    		85  |   tags = {
    		86  |     Name = "Ubuntu 22.04"
    		87  |   }
    		88  | 
    		89  |   provisioner "file" {
    		90  |     source      = "test-file.txt"
    		91  |     destination = "/home/ubuntu/test-file.txt"
    		92  |   }
    		93  | 
    		94  |   provisioner "file" {
    		95  |     content     = "I want to copy this string to the destination file => server.txt (using provisioner file content)"
    		96  |     destination = "/home/ubuntu/server.txt"
    		97  |   }
    		98  | 
    		99  |   provisioner "remote-exec" {
    		100 |     inline = [
    		101 |       "touch hello.txt",
    		102 |       "echo helloworld remote-exec provisioner >> hello.txt",
    		103 |     ]
    		104 |   }
    		105 | 
    		106 |   connection {
    		107 |     type        = "ssh"
    		108 |     host        = self.public_ip
    		109 |     user        = "ubuntu"
    		110 |     private_key = file("testkey.pem")
    		111 |     timeout     = "4m"
    		112 |   }
    		113 | }
    
    Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
    	FAILED for resource: aws_instance.ubuntu2204
    	File: /labs/provisioners-nullresources/main.tf:76-113
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
    
    		76  | resource "aws_instance" "ubuntu2204" {
    		77  | 
    		78  |   ami                         = "ami-0d1ddd83282187d18" # Ubuntu 22.04 eu-central-1 Frankfurt
    		79  |   instance_type               = "t2.nano"
    		80  |   key_name                    = "testkey"
    		81  |   vpc_security_group_ids      = [aws_security_group.allow_ssh.id]
    		82  |   subnet_id                   = aws_subnet.public.id
    		83  |   associate_public_ip_address = true
    		84  | 
    		85  |   tags = {
    		86  |     Name = "Ubuntu 22.04"
    		87  |   }
    		88  | 
    		89  |   provisioner "file" {
    		90  |     source      = "test-file.txt"
    		91  |     destination = "/home/ubuntu/test-file.txt"
    		92  |   }
    		93  | 
    		94  |   provisioner "file" {
    		95  |     content     = "I want to copy this string to the destination file => server.txt (using provisioner file content)"
    		96  |     destination = "/home/ubuntu/server.txt"
    		97  |   }
    		98  | 
    		99  |   provisioner "remote-exec" {
    		100 |     inline = [
    		101 |       "touch hello.txt",
    		102 |       "echo helloworld remote-exec provisioner >> hello.txt",
    		103 |     ]
    		104 |   }
    		105 | 
    		106 |   connection {
    		107 |     type        = "ssh"
    		108 |     host        = self.public_ip
    		109 |     user        = "ubuntu"
    		110 |     private_key = file("testkey.pem")
    		111 |     timeout     = "4m"
    		112 |   }
    		113 | }
    
    Check: CKV_AWS_88: "EC2 instance should not have public IP."
    	FAILED for resource: aws_instance.ubuntu2204
    	File: /labs/provisioners-nullresources/main.tf:76-113
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/public-policies/public-12.html
    
    		76  | resource "aws_instance" "ubuntu2204" {
    		77  | 
    		78  |   ami                         = "ami-0d1ddd83282187d18" # Ubuntu 22.04 eu-central-1 Frankfurt
    		79  |   instance_type               = "t2.nano"
    		80  |   key_name                    = "testkey"
    		81  |   vpc_security_group_ids      = [aws_security_group.allow_ssh.id]
    		82  |   subnet_id                   = aws_subnet.public.id
    		83  |   associate_public_ip_address = true
    		84  | 
    		85  |   tags = {
    		86  |     Name = "Ubuntu 22.04"
    		87  |   }
    		88  | 
    		89  |   provisioner "file" {
    		90  |     source      = "test-file.txt"
    		91  |     destination = "/home/ubuntu/test-file.txt"
    		92  |   }
    		93  | 
    		94  |   provisioner "file" {
    		95  |     content     = "I want to copy this string to the destination file => server.txt (using provisioner file content)"
    		96  |     destination = "/home/ubuntu/server.txt"
    		97  |   }
    		98  | 
    		99  |   provisioner "remote-exec" {
    		100 |     inline = [
    		101 |       "touch hello.txt",
    		102 |       "echo helloworld remote-exec provisioner >> hello.txt",
    		103 |     ]
    		104 |   }
    		105 | 
    		106 |   connection {
    		107 |     type        = "ssh"
    		108 |     host        = self.public_ip
    		109 |     user        = "ubuntu"
    		110 |     private_key = file("testkey.pem")
    		111 |     timeout     = "4m"
    		112 |   }
    		113 | }
    
    Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
    	FAILED for resource: aws_instance.ubuntu2204
    	File: /labs/provisioners-nullresources/main.tf:76-113
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
    
    		76  | resource "aws_instance" "ubuntu2204" {
    		77  | 
    		78  |   ami                         = "ami-0d1ddd83282187d18" # Ubuntu 22.04 eu-central-1 Frankfurt
    		79  |   instance_type               = "t2.nano"
    		80  |   key_name                    = "testkey"
    		81  |   vpc_security_group_ids      = [aws_security_group.allow_ssh.id]
    		82  |   subnet_id                   = aws_subnet.public.id
    		83  |   associate_public_ip_address = true
    		84  | 
    		85  |   tags = {
    		86  |     Name = "Ubuntu 22.04"
    		87  |   }
    		88  | 
    		89  |   provisioner "file" {
    		90  |     source      = "test-file.txt"
    		91  |     destination = "/home/ubuntu/test-file.txt"
    		92  |   }
    		93  | 
    		94  |   provisioner "file" {
    		95  |     content     = "I want to copy this string to the destination file => server.txt (using provisioner file content)"
    		96  |     destination = "/home/ubuntu/server.txt"
    		97  |   }
    		98  | 
    		99  |   provisioner "remote-exec" {
    		100 |     inline = [
    		101 |       "touch hello.txt",
    		102 |       "echo helloworld remote-exec provisioner >> hello.txt",
    		103 |     ]
    		104 |   }
    		105 | 
    		106 |   connection {
    		107 |     type        = "ssh"
    		108 |     host        = self.public_ip
    		109 |     user        = "ubuntu"
    		110 |     private_key = file("testkey.pem")
    		111 |     timeout     = "4m"
    		112 |   }
    		113 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.newuser
    	File: /labs/template/main.tf:16-18
    
    		16 | resource "aws_iam_user" "newuser" {
    		17 |   name = "New-User" # must only contain alphanumeric characters, hyphens, underscores, commas, periods, @ symbols, plus and equals signs
    		18 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy.instanceManageUser_assume_role
    	File: /labs/template/main.tf:23-61
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		23 | resource "aws_iam_user_policy" "instanceManageUser_assume_role" {
    		24 |   name   = "EC2-S3-Lambda-DynamoDb-Policy"
    		25 |   user   = "${aws_iam_user.newuser.name}"
    		26 |   policy = templatefile("${path.module}/policy.tftpl", {
    		27 |     ec2_policies = [
    		28 |       "ec2:RunInstances",
    		29 |       "ec2:StopInstances",
    		30 |       "ec2:StartInstances",
    		31 |       "ec2:TerminateInstances",
    		32 |       "ec2:TerminateInstances",
    		33 |       "ec2:Describe*",
    		34 |       "ec2:CreateTags",
    		35 |       "ec2:RequestSpotInstances"
    		36 |     ],
    		37 |     s3_policies = [
    		38 |       "s3:Get*",
    		39 |       "s3:List*",
    		40 |       "s3:Describe*",
    		41 |       "s3-object-lambda:Get*",
    		42 |       "s3-object-lambda:List*"
    		43 |     ],
    		44 |     lambda_policies = [
    		45 |       "lambda:Create*",
    		46 |       "lambda:List*",
    		47 |       "lambda:Delete*",
    		48 |       "lambda:Get*"
    		49 |     ],
    		50 |     dynamodb_policies = [
    		51 |       "dynamodb:Describe*",
    		52 |       "dynamodb:Update*",
    		53 |       "dynamodb:Get*",
    		54 |       "dynamodb:List*",
    		55 |       "dynamodb:BatchGetItem",
    		56 |       "dynamodb:Query",
    		57 |       "dynamodb:Scan",
    		58 |       "dynamodb:PartiQLSelect"
    		59 |     ],
    		60 |   })
    		61 | }
    
    Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
    	FAILED for resource: aws_instance.ec2_example
    	File: /labs/variables-locals-output/main.tf:59-69
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
    
    		59 | resource "aws_instance" "ec2_example" {
    		60 | 
    		61 |   ami                         = var.ami
    		62 |   instance_type               = var.instance_type
    		63 |   subnet_id                   = aws_subnet.my_subnet.id
    		64 |   associate_public_ip_address = true
    		65 | 
    		66 |   tags = {
    		67 |     Name = var.tag
    		68 |   }
    		69 | }
    
    Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
    	FAILED for resource: aws_instance.ec2_example
    	File: /labs/variables-locals-output/main.tf:59-69
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
    
    		59 | resource "aws_instance" "ec2_example" {
    		60 | 
    		61 |   ami                         = var.ami
    		62 |   instance_type               = var.instance_type
    		63 |   subnet_id                   = aws_subnet.my_subnet.id
    		64 |   associate_public_ip_address = true
    		65 | 
    		66 |   tags = {
    		67 |     Name = var.tag
    		68 |   }
    		69 | }
    
    Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
    	FAILED for resource: aws_instance.ec2_example
    	File: /labs/variables-locals-output/main.tf:59-69
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
    
    		59 | resource "aws_instance" "ec2_example" {
    		60 | 
    		61 |   ami                         = var.ami
    		62 |   instance_type               = var.instance_type
    		63 |   subnet_id                   = aws_subnet.my_subnet.id
    		64 |   associate_public_ip_address = true
    		65 | 
    		66 |   tags = {
    		67 |     Name = var.tag
    		68 |   }
    		69 | }
    
    Check: CKV_AWS_88: "EC2 instance should not have public IP."
    	FAILED for resource: aws_instance.ec2_example
    	File: /labs/variables-locals-output/main.tf:59-69
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/public-policies/public-12.html
    
    		59 | resource "aws_instance" "ec2_example" {
    		60 | 
    		61 |   ami                         = var.ami
    		62 |   instance_type               = var.instance_type
    		63 |   subnet_id                   = aws_subnet.my_subnet.id
    		64 |   associate_public_ip_address = true
    		65 | 
    		66 |   tags = {
    		67 |     Name = var.tag
    		68 |   }
    		69 | }
    
    Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
    	FAILED for resource: aws_instance.ec2_example
    	File: /labs/variables-locals-output/main.tf:59-69
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
    
    		59 | resource "aws_instance" "ec2_example" {
    		60 | 
    		61 |   ami                         = var.ami
    		62 |   instance_type               = var.instance_type
    		63 |   subnet_id                   = aws_subnet.my_subnet.id
    		64 |   associate_public_ip_address = true
    		65 | 
    		66 |   tags = {
    		67 |     Name = var.tag
    		68 |   }
    		69 | }
    
    Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
    	FAILED for resource: aws_instance.instance
    	File: /labs/workspace/main.tf:20-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
    
    		20 | resource "aws_instance" "instance" {
    		21 |   ami           = var.ami
    		22 |   instance_type = var.instance_type
    		23 | 
    		24 |   tags = {
    		25 |     Name = local.tag
    		26 |   }
    		27 | }
    
    Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
    	FAILED for resource: aws_instance.instance
    	File: /labs/workspace/main.tf:20-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
    
    		20 | resource "aws_instance" "instance" {
    		21 |   ami           = var.ami
    		22 |   instance_type = var.instance_type
    		23 | 
    		24 |   tags = {
    		25 |     Name = local.tag
    		26 |   }
    		27 | }
    
    Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
    	FAILED for resource: aws_instance.instance
    	File: /labs/workspace/main.tf:20-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
    
    		20 | resource "aws_instance" "instance" {
    		21 |   ami           = var.ami
    		22 |   instance_type = var.instance_type
    		23 | 
    		24 |   tags = {
    		25 |     Name = local.tag
    		26 |   }
    		27 | }
    
    Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
    	FAILED for resource: aws_instance.instance
    	File: /labs/workspace/main.tf:20-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
    
    		20 | resource "aws_instance" "instance" {
    		21 |   ami           = var.ami
    		22 |   instance_type = var.instance_type
    		23 | 
    		24 |   tags = {
    		25 |     Name = local.tag
    		26 |   }
    		27 | }
    
    Check: CKV_AWS_50: "X-ray tracing is enabled for Lambda"
    	FAILED for resource: aws_lambda_function.main
    	File: /samples/codecommit-codepipeline-codebuild-codedeploy-lambda-container/lambda_bootstrap/main.tf:52-58
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4.html
    
    		52 | resource "aws_lambda_function" "main" {
    		53 |   function_name    = "${var.env_namespace}_lambda"
    		54 |   image_uri        = "${var.ecr_repo_url}:latest"
    		55 |   package_type     = "Image"
    		56 |   role             = aws_iam_role.iam_for_lambda.arn
    		57 |   source_code_hash = data.aws_ecr_image.lambda_image_latest.id
    		58 | }
    
    Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
    	FAILED for resource: aws_lambda_function.main
    	File: /samples/codecommit-codepipeline-codebuild-codedeploy-lambda-container/lambda_bootstrap/main.tf:52-58
    
    		52 | resource "aws_lambda_function" "main" {
    		53 |   function_name    = "${var.env_namespace}_lambda"
    		54 |   image_uri        = "${var.ecr_repo_url}:latest"
    		55 |   package_type     = "Image"
    		56 |   role             = aws_iam_role.iam_for_lambda.arn
    		57 |   source_code_hash = data.aws_ecr_image.lambda_image_latest.id
    		58 | }
    
    Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
    	FAILED for resource: aws_lambda_function.main
    	File: /samples/codecommit-codepipeline-codebuild-codedeploy-lambda-container/lambda_bootstrap/main.tf:52-58
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit.html
    
    		52 | resource "aws_lambda_function" "main" {
    		53 |   function_name    = "${var.env_namespace}_lambda"
    		54 |   image_uri        = "${var.ecr_repo_url}:latest"
    		55 |   package_type     = "Image"
    		56 |   role             = aws_iam_role.iam_for_lambda.arn
    		57 |   source_code_hash = data.aws_ecr_image.lambda_image_latest.id
    		58 | }
    
    Check: CKV_AWS_116: "Ensure that AWS Lambda 
function is configured for a Dead Letter Queue(DLQ)" FAILED for resource: aws_lambda_function.main File: /samples/codecommit-codepipeline-codebuild-codedeploy-lambda-container/lambda_bootstrap/main.tf:52-58 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq.html 52 | resource "aws_lambda_function" "main" { 53 | function_name = "${var.env_namespace}_lambda" 54 | image_uri = "${var.ecr_repo_url}:latest" 55 | package_type = "Image" 56 | role = aws_iam_role.iam_for_lambda.arn 57 | source_code_hash = data.aws_ecr_image.lambda_image_latest.id 58 | } Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC" FAILED for resource: aws_lambda_function.main File: /samples/codecommit-codepipeline-codebuild-codedeploy-lambda-container/lambda_bootstrap/main.tf:52-58 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1.html 52 | resource "aws_lambda_function" "main" { 53 | function_name = "${var.env_namespace}_lambda" 54 | image_uri = "${var.ecr_repo_url}:latest" 55 | package_type = "Image" 56 | role = aws_iam_role.iam_for_lambda.arn 57 | source_code_hash = data.aws_ecr_image.lambda_image_latest.id 58 | } Check: CKV_AWS_316: "Ensure CodeBuild project environments do not have privileged mode enabled" FAILED for resource: module.codepipeline.aws_codebuild_project.project[0] File: /samples/codecommit-codepipeline-codebuild-codedeploy-lambda-container/modules/codepipeline/main.tf:21-59 Calling File: /samples/codecommit-codepipeline-codebuild-codedeploy-lambda-container/main.tf:8-41 21 | resource "aws_codebuild_project" "project" { 22 | count = length(local.projects) 23 | name = 
"${var.env_namespace}_${local.projects[count.index]}" 24 | #name = "${var.org}_${var.name}_${var.attribute}_${var.env["dev"]}_codebuild_docker_build" 25 | build_timeout = "5" #The default is 60 minutes. 26 | service_role = aws_iam_role.lambda_codebuild_role.arn 27 | artifacts { 28 | type = "CODEPIPELINE" 29 | } 30 | environment { 31 | compute_type = var.codebuild_compute_type 32 | image = var.codebuild_image 33 | type = var.codebuild_type 34 | #compute_type = "BUILD_GENERAL1_MEDIUM" 35 | #image = "aws/codebuild/amazonlinux2-x86_64-standard:3.0" 36 | #type = "LINUX_CONTAINER" 37 | image_pull_credentials_type = "CODEBUILD" 38 | privileged_mode = true 39 | 40 | dynamic "environment_variable" { 41 | for_each = var.build_args 42 | content { 43 | name = environment_variable.value.name 44 | value = environment_variable.value.value 45 | } 46 | } 47 | } 48 | source { 49 | type = "CODEPIPELINE" 50 | buildspec = file("${path.module}/templates/buildspec_${local.projects[count.index]}.yml") 51 | #buildspec = file("${path.module}/stage1-buildspec.yml") 52 | } 53 | 54 | source_version = "master" 55 | 56 | tags = { 57 | env = var.env_namespace 58 | } 59 | } Check: CKV_AWS_147: "Ensure that CodeBuild projects are encrypted using CMK" FAILED for resource: module.codepipeline.aws_codebuild_project.project[0] File: /samples/codecommit-codepipeline-codebuild-codedeploy-lambda-container/modules/codepipeline/main.tf:21-59 Calling File: /samples/codecommit-codepipeline-codebuild-codedeploy-lambda-container/main.tf:8-41 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-codebuild-projects-are-encrypted-1.html 21 | resource "aws_codebuild_project" "project" { 22 | count = length(local.projects) 23 | name = "${var.env_namespace}_${local.projects[count.index]}" 24 | #name = "${var.org}_${var.name}_${var.attribute}_${var.env["dev"]}_codebuild_docker_build" 25 | 
build_timeout = "5" #The default is 60 minutes. 26 | service_role = aws_iam_role.lambda_codebuild_role.arn 27 | artifacts { 28 | type = "CODEPIPELINE" 29 | } 30 | environment { 31 | compute_type = var.codebuild_compute_type 32 | image = var.codebuild_image 33 | type = var.codebuild_type 34 | #compute_type = "BUILD_GENERAL1_MEDIUM" 35 | #image = "aws/codebuild/amazonlinux2-x86_64-standard:3.0" 36 | #type = "LINUX_CONTAINER" 37 | image_pull_credentials_type = "CODEBUILD" 38 | privileged_mode = true 39 | 40 | dynamic "environment_variable" { 41 | for_each = var.build_args 42 | content { 43 | name = environment_variable.value.name 44 | value = environment_variable.value.value 45 | } 46 | } 47 | } 48 | source { 49 | type = "CODEPIPELINE" 50 | buildspec = file("${path.module}/templates/buildspec_${local.projects[count.index]}.yml") 51 | #buildspec = file("${path.module}/stage1-buildspec.yml") 52 | } 53 | 54 | source_version = "master" 55 | 56 | tags = { 57 | env = var.env_namespace 58 | } 59 | } Check: CKV_AWS_314: "Ensure CodeBuild project environments have a logging configuration" FAILED for resource: module.codepipeline.aws_codebuild_project.project[0] File: /samples/codecommit-codepipeline-codebuild-codedeploy-lambda-container/modules/codepipeline/main.tf:21-59 Calling File: /samples/codecommit-codepipeline-codebuild-codedeploy-lambda-container/main.tf:8-41 21 | resource "aws_codebuild_project" "project" { 22 | count = length(local.projects) 23 | name = "${var.env_namespace}_${local.projects[count.index]}" 24 | #name = "${var.org}_${var.name}_${var.attribute}_${var.env["dev"]}_codebuild_docker_build" 25 | build_timeout = "5" #The default is 60 minutes. 
26 | service_role = aws_iam_role.lambda_codebuild_role.arn 27 | artifacts { 28 | type = "CODEPIPELINE" 29 | } 30 | environment { 31 | compute_type = var.codebuild_compute_type 32 | image = var.codebuild_image 33 | type = var.codebuild_type 34 | #compute_type = "BUILD_GENERAL1_MEDIUM" 35 | #image = "aws/codebuild/amazonlinux2-x86_64-standard:3.0" 36 | #type = "LINUX_CONTAINER" 37 | image_pull_credentials_type = "CODEBUILD" 38 | privileged_mode = true 39 | 40 | dynamic "environment_variable" { 41 | for_each = var.build_args 42 | content { 43 | name = environment_variable.value.name 44 | value = environment_variable.value.value 45 | } 46 | } 47 | } 48 | source { 49 | type = "CODEPIPELINE" 50 | buildspec = file("${path.module}/templates/buildspec_${local.projects[count.index]}.yml") 51 | #buildspec = file("${path.module}/stage1-buildspec.yml") 52 | } 53 | 54 | source_version = "master" 55 | 56 | tags = { 57 | env = var.env_namespace 58 | } 59 | } Check: CKV_AWS_219: "Ensure Code Pipeline Artifact store is using a KMS CMK" FAILED for resource: module.codepipeline.aws_codepipeline.codepipeline File: /samples/codecommit-codepipeline-codebuild-codedeploy-lambda-container/modules/codepipeline/main.tf:61-126 Calling File: /samples/codecommit-codepipeline-codebuild-codedeploy-lambda-container/main.tf:8-41 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-codepipeline-artifactstore-is-not-encrypted-by-key-management-service-kms-using-a-customer-managed-key-cmk.html Code lines for this resource are too many. Please use IDE of your choice to review the file. 
Check: CKV_AWS_316: "Ensure CodeBuild project environments do not have privileged mode enabled" FAILED for resource: module.codepipeline.aws_codebuild_project.project[1] File: /samples/codecommit-codepipeline-codebuild-codedeploy-lambda-container/modules/codepipeline/main.tf:21-59 Calling File: /samples/codecommit-codepipeline-codebuild-codedeploy-lambda-container/main.tf:8-41 21 | resource "aws_codebuild_project" "project" { 22 | count = length(local.projects) 23 | name = "${var.env_namespace}_${local.projects[count.index]}" 24 | #name = "${var.org}_${var.name}_${var.attribute}_${var.env["dev"]}_codebuild_docker_build" 25 | build_timeout = "5" #The default is 60 minutes. 26 | service_role = aws_iam_role.lambda_codebuild_role.arn 27 | artifacts { 28 | type = "CODEPIPELINE" 29 | } 30 | environment { 31 | compute_type = var.codebuild_compute_type 32 | image = var.codebuild_image 33 | type = var.codebuild_type 34 | #compute_type = "BUILD_GENERAL1_MEDIUM" 35 | #image = "aws/codebuild/amazonlinux2-x86_64-standard:3.0" 36 | #type = "LINUX_CONTAINER" 37 | image_pull_credentials_type = "CODEBUILD" 38 | privileged_mode = true 39 | 40 | dynamic "environment_variable" { 41 | for_each = var.build_args 42 | content { 43 | name = environment_variable.value.name 44 | value = environment_variable.value.value 45 | } 46 | } 47 | } 48 | source { 49 | type = "CODEPIPELINE" 50 | buildspec = file("${path.module}/templates/buildspec_${local.projects[count.index]}.yml") 51 | #buildspec = file("${path.module}/stage1-buildspec.yml") 52 | } 53 | 54 | source_version = "master" 55 | 56 | tags = { 57 | env = var.env_namespace 58 | } 59 | } Check: CKV_AWS_147: "Ensure that CodeBuild projects are encrypted using CMK" FAILED for resource: module.codepipeline.aws_codebuild_project.project[1] File: /samples/codecommit-codepipeline-codebuild-codedeploy-lambda-container/modules/codepipeline/main.tf:21-59 Calling File: /samples/codecommit-codepipeline-codebuild-codedeploy-lambda-container/main.tf:8-41 
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-codebuild-projects-are-encrypted-1.html 21 | resource "aws_codebuild_project" "project" { 22 | count = length(local.projects) 23 | name = "${var.env_namespace}_${local.projects[count.index]}" 24 | #name = "${var.org}_${var.name}_${var.attribute}_${var.env["dev"]}_codebuild_docker_build" 25 | build_timeout = "5" #The default is 60 minutes. 26 | service_role = aws_iam_role.lambda_codebuild_role.arn 27 | artifacts { 28 | type = "CODEPIPELINE" 29 | } 30 | environment { 31 | compute_type = var.codebuild_compute_type 32 | image = var.codebuild_image 33 | type = var.codebuild_type 34 | #compute_type = "BUILD_GENERAL1_MEDIUM" 35 | #image = "aws/codebuild/amazonlinux2-x86_64-standard:3.0" 36 | #type = "LINUX_CONTAINER" 37 | image_pull_credentials_type = "CODEBUILD" 38 | privileged_mode = true 39 | 40 | dynamic "environment_variable" { 41 | for_each = var.build_args 42 | content { 43 | name = environment_variable.value.name 44 | value = environment_variable.value.value 45 | } 46 | } 47 | } 48 | source { 49 | type = "CODEPIPELINE" 50 | buildspec = file("${path.module}/templates/buildspec_${local.projects[count.index]}.yml") 51 | #buildspec = file("${path.module}/stage1-buildspec.yml") 52 | } 53 | 54 | source_version = "master" 55 | 56 | tags = { 57 | env = var.env_namespace 58 | } 59 | } Check: CKV_AWS_314: "Ensure CodeBuild project environments have a logging configuration" FAILED for resource: module.codepipeline.aws_codebuild_project.project[1] File: /samples/codecommit-codepipeline-codebuild-codedeploy-lambda-container/modules/codepipeline/main.tf:21-59 Calling File: /samples/codecommit-codepipeline-codebuild-codedeploy-lambda-container/main.tf:8-41 21 | resource "aws_codebuild_project" "project" { 22 | count = length(local.projects) 23 | name = "${var.env_namespace}_${local.projects[count.index]}" 24 
| #name = "${var.org}_${var.name}_${var.attribute}_${var.env["dev"]}_codebuild_docker_build" 25 | build_timeout = "5" #The default is 60 minutes. 26 | service_role = aws_iam_role.lambda_codebuild_role.arn 27 | artifacts { 28 | type = "CODEPIPELINE" 29 | } 30 | environment { 31 | compute_type = var.codebuild_compute_type 32 | image = var.codebuild_image 33 | type = var.codebuild_type 34 | #compute_type = "BUILD_GENERAL1_MEDIUM" 35 | #image = "aws/codebuild/amazonlinux2-x86_64-standard:3.0" 36 | #type = "LINUX_CONTAINER" 37 | image_pull_credentials_type = "CODEBUILD" 38 | privileged_mode = true 39 | 40 | dynamic "environment_variable" { 41 | for_each = var.build_args 42 | content { 43 | name = environment_variable.value.name 44 | value = environment_variable.value.value 45 | } 46 | } 47 | } 48 | source { 49 | type = "CODEPIPELINE" 50 | buildspec = file("${path.module}/templates/buildspec_${local.projects[count.index]}.yml") 51 | #buildspec = file("${path.module}/stage1-buildspec.yml") 52 | } 53 | 54 | source_version = "master" 55 | 56 | tags = { 57 | env = var.env_namespace 58 | } 59 | } Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints" FAILED for resource: module.codepipeline.aws_iam_role_policy.lambda_codepipeline_policy File: /samples/codecommit-codepipeline-codebuild-codedeploy-lambda-container/modules/codepipeline/roles.tf:20-52 Calling File: /samples/codecommit-codepipeline-codebuild-codedeploy-lambda-container/main.tf:8-41 20 | resource "aws_iam_role_policy" "lambda_codepipeline_policy" { 21 | name = "${var.env_namespace}_codepipeline_policy" 22 | role = aws_iam_role.lambda_codepipeline_role.id 23 | 24 | policy = <Deployed via Terraform from $(hostname -f)" | sudo tee /var/www/html/index.html 111 | EOF 112 | tags = { 113 | Name = "Ubuntu 20.04" 114 | } 115 | } Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted" FAILED 
for resource: aws_instance.ubuntu2004 File: /samples/ec2-vpc-ubuntu-win-ssh-rdp/main.tf:97-115 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html 97 | resource "aws_instance" "ubuntu2004" { 98 | ami = "ami-0e067cc8a2b58de59" # Ubuntu 20.04 eu-central-1 Frankfurt 99 | instance_type = "t2.nano" 100 | key_name = "testkey" 101 | vpc_security_group_ids = [aws_security_group.allow_ssh.id] 102 | subnet_id = aws_subnet.public.id 103 | associate_public_ip_address = true 104 | user_data = <<-EOF 105 | #! /bin/bash 106 | sudo apt-get update 107 | sudo apt-get install -y apache2 108 | sudo systemctl start apache2 109 | sudo systemctl enable apache2 110 | echo "Deployed via Terraform from $(hostname -f)" | sudo tee /var/www/html/index.html 111 | EOF 112 | tags = { 113 | Name = "Ubuntu 20.04" 114 | } 115 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled" FAILED for resource: aws_instance.ubuntu2004 File: /samples/ec2-vpc-ubuntu-win-ssh-rdp/main.tf:97-115 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html 97 | resource "aws_instance" "ubuntu2004" { 98 | ami = "ami-0e067cc8a2b58de59" # Ubuntu 20.04 eu-central-1 Frankfurt 99 | instance_type = "t2.nano" 100 | key_name = "testkey" 101 | vpc_security_group_ids = [aws_security_group.allow_ssh.id] 102 | subnet_id = aws_subnet.public.id 103 | associate_public_ip_address = true 104 | user_data = <<-EOF 105 | #! /bin/bash 106 | sudo apt-get update 107 | sudo apt-get install -y apache2 108 | sudo systemctl start apache2 109 | sudo systemctl enable apache2 110 | echo "Deployed via Terraform from $(hostname -f)" | sudo tee /var/www/html/index.html 111 | EOF 112 | tags = { 113 | Name = "Ubuntu 20.04" 114 | } 115 | }
Check: CKV_AWS_88: "EC2 instance should not have public IP." FAILED for resource: aws_instance.ubuntu2004 File: /samples/ec2-vpc-ubuntu-win-ssh-rdp/main.tf:97-115 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/public-policies/public-12.html 97 | resource "aws_instance" "ubuntu2004" { 98 | ami = "ami-0e067cc8a2b58de59" # Ubuntu 20.04 eu-central-1 Frankfurt 99 | instance_type = "t2.nano" 100 | key_name = "testkey" 101 | vpc_security_group_ids = [aws_security_group.allow_ssh.id] 102 | subnet_id = aws_subnet.public.id 103 | associate_public_ip_address = true 104 | user_data = <<-EOF 105 | #! /bin/bash 106 | sudo apt-get update 107 | sudo apt-get install -y apache2 108 | sudo systemctl start apache2 109 | sudo systemctl enable apache2 110 | echo "Deployed via Terraform from $(hostname -f)" | sudo tee /var/www/html/index.html 111 | EOF 112 | tags = { 113 | Name = "Ubuntu 20.04" 114 | } 115 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized" FAILED for resource: aws_instance.ubuntu2004 File: /samples/ec2-vpc-ubuntu-win-ssh-rdp/main.tf:97-115 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html 97 | resource "aws_instance" "ubuntu2004" { 98 | ami = "ami-0e067cc8a2b58de59" # Ubuntu 20.04 eu-central-1 Frankfurt 99 | instance_type = "t2.nano" 100 | key_name = "testkey" 101 | vpc_security_group_ids = [aws_security_group.allow_ssh.id] 102 | subnet_id = aws_subnet.public.id 103 | associate_public_ip_address = true 104 | user_data = <<-EOF 105 | #! /bin/bash 106 | sudo apt-get update 107 | sudo apt-get install -y apache2 108 | sudo systemctl start apache2 109 | sudo systemctl enable apache2 110 | echo "Deployed via Terraform from $(hostname -f)" | sudo tee /var/www/html/index.html 111 | EOF 112 | tags = { 113 | Name = "Ubuntu 20.04" 114 | } 115 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances" FAILED for resource: aws_instance.win2019 File: /samples/ec2-vpc-ubuntu-win-ssh-rdp/main.tf:117-127 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html 117 | resource "aws_instance" "win2019" { 118 | ami = "ami-02c2da541ae36c6fc" # Windows 2019 Server eu-central-1 Frankfurt 119 | instance_type = "t2.micro" 120 | key_name = "testkey" 121 | vpc_security_group_ids = [aws_security_group.allow_ssh.id] 122 | subnet_id = aws_subnet.public.id 123 | associate_public_ip_address = true 124 | tags = { 125 | Name = "Win 2019 Server" 126 | } 127 | } Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted" FAILED for resource: aws_instance.win2019 File: /samples/ec2-vpc-ubuntu-win-ssh-rdp/main.tf:117-127 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html 117 | resource "aws_instance" "win2019" { 118 | ami = "ami-02c2da541ae36c6fc" # Windows 2019 Server eu-central-1 Frankfurt 119 | instance_type = "t2.micro" 120 | key_name = "testkey" 121 | vpc_security_group_ids = [aws_security_group.allow_ssh.id] 122 | subnet_id = aws_subnet.public.id 123 | associate_public_ip_address = true 124 | tags = { 125 | Name = "Win 2019 Server" 126 | } 127 | } Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled" FAILED for resource: aws_instance.win2019 File: /samples/ec2-vpc-ubuntu-win-ssh-rdp/main.tf:117-127 Guide:
https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html 117 | resource "aws_instance" "win2019" { 118 | ami = "ami-02c2da541ae36c6fc" # Windows 2019 Server eu-central-1 Frankfurt 119 | instance_type = "t2.micro" 120 | key_name = "testkey" 121 | vpc_security_group_ids = [aws_security_group.allow_ssh.id] 122 | subnet_id = aws_subnet.public.id 123 | associate_public_ip_address = true 124 | tags = { 125 | Name = "Win 2019 Server" 126 | } 127 | } Check: CKV_AWS_88: "EC2 instance should not have public IP." FAILED for resource: aws_instance.win2019 File: /samples/ec2-vpc-ubuntu-win-ssh-rdp/main.tf:117-127 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/public-policies/public-12.html 117 | resource "aws_instance" "win2019" { 118 | ami = "ami-02c2da541ae36c6fc" # Windows 2019 Server eu-central-1 Frankfurt 119 | instance_type = "t2.micro" 120 | key_name = "testkey" 121 | vpc_security_group_ids = [aws_security_group.allow_ssh.id] 122 | subnet_id = aws_subnet.public.id 123 | associate_public_ip_address = true 124 | tags = { 125 | Name = "Win 2019 Server" 126 | } 127 | } Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized" FAILED for resource: aws_instance.win2019 File: /samples/ec2-vpc-ubuntu-win-ssh-rdp/main.tf:117-127 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html 117 | resource "aws_instance" "win2019" { 118 | ami = "ami-02c2da541ae36c6fc" # Windows 2019 Server eu-central-1 Frankfurt 119 | instance_type = "t2.micro" 120 | key_name = "testkey" 121 | vpc_security_group_ids = [aws_security_group.allow_ssh.id] 122 | subnet_id = aws_subnet.public.id 123 | associate_public_ip_address = true 124 | tags = { 125 | Name 
= "Win 2019 Server" 126 | } 127 | } Check: CKV_AWS_65: "Ensure container insights are enabled on ECS cluster" FAILED for resource: aws_ecs_cluster.my_cluster File: /samples/ecr-ecs-elb-vpc-ecsservice-container/2_ecs.tf:7-9 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-11.html 7 | resource "aws_ecs_cluster" "my_cluster" { 8 | name = "my-cluster" # Naming the cluster 9 | } Check: CKV_AWS_336: "Ensure ECS containers are limited to read-only access to root filesystems" FAILED for resource: aws_ecs_task_definition.flask_app_task File: /samples/ecr-ecs-elb-vpc-ecsservice-container/2_ecs.tf:12-36 12 | resource "aws_ecs_task_definition" "flask_app_task" { 13 | family = "flask-app-task" 14 | container_definitions = < /dev/null 129 | sudo apt-get update 130 | sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin -y 131 | sudo docker run hello-world 132 | curl -L "https://packages.gitlab.com/install/repositories/runner/gitlab-runner/script.deb.sh" | sudo bash 133 | sudo apt-get install gitlab-runner 134 | EOF 135 | tags = { 136 | Name = "Ubuntu 20.04" 137 | } 138 | } Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted" FAILED for resource: aws_instance.ubuntu2004 File: /samples/gitlabserver-on-premise-runner-on-EC2/main.tf:111-138 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html 111 | resource "aws_instance" "ubuntu2004" { 112 | ami = "ami-0e067cc8a2b58de59" # Ubuntu 20.04 eu-central-1 Frankfurt 113 | instance_type = "t2.micro" 114 | key_name = "testkey" 115 | vpc_security_group_ids = [aws_security_group.allow_ssh.id] 116 | subnet_id = aws_subnet.public.id 117 | associate_public_ip_address = true 118 | 
user_data = <<-EOF 119 | #! /bin/bash 120 | sudo apt-get update 121 | sudo apt-get install ca-certificates curl gnupg -y 122 | sudo install -m 0755 -d /etc/apt/keyrings 123 | curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg 124 | sudo chmod a+r /etc/apt/keyrings/docker.gpg 125 | echo \ 126 | "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu \ 127 | "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | \ 128 | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null 129 | sudo apt-get update 130 | sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin -y 131 | sudo docker run hello-world 132 | curl -L "https://packages.gitlab.com/install/repositories/runner/gitlab-runner/script.deb.sh" | sudo bash 133 | sudo apt-get install gitlab-runner 134 | EOF 135 | tags = { 136 | Name = "Ubuntu 20.04" 137 | } 138 | } Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled" FAILED for resource: aws_instance.ubuntu2004 File: /samples/gitlabserver-on-premise-runner-on-EC2/main.tf:111-138 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html 111 | resource "aws_instance" "ubuntu2004" { 112 | ami = "ami-0e067cc8a2b58de59" # Ubuntu 20.04 eu-central-1 Frankfurt 113 | instance_type = "t2.micro" 114 | key_name = "testkey" 115 | vpc_security_group_ids = [aws_security_group.allow_ssh.id] 116 | subnet_id = aws_subnet.public.id 117 | associate_public_ip_address = true 118 | user_data = <<-EOF 119 | #! 
/bin/bash
		120 |     sudo apt-get update
		121 |     sudo apt-get install ca-certificates curl gnupg -y
		122 |     sudo install -m 0755 -d /etc/apt/keyrings
		123 |     curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
		124 |     sudo chmod a+r /etc/apt/keyrings/docker.gpg
		125 |     echo \
		126 |       "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu \
		127 |       "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | \
		128 |       sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
		129 |     sudo apt-get update
		130 |     sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin -y
		131 |     sudo docker run hello-world
		132 |     curl -L "https://packages.gitlab.com/install/repositories/runner/gitlab-runner/script.deb.sh" | sudo bash
		133 |     sudo apt-get install gitlab-runner
		134 |   EOF
		135 |   tags = {
		136 |     Name = "Ubuntu 20.04"
		137 |   }
		138 | }

Check: CKV_AWS_88: "EC2 instance should not have public IP."
	FAILED for resource: aws_instance.ubuntu2004
	File: /samples/gitlabserver-on-premise-runner-on-EC2/main.tf:111-138
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/public-policies/public-12.html

		111 | resource "aws_instance" "ubuntu2004" {
		112 |   ami                         = "ami-0e067cc8a2b58de59" # Ubuntu 20.04 eu-central-1 Frankfurt
		113 |   instance_type               = "t2.micro"
		114 |   key_name                    = "testkey"
		115 |   vpc_security_group_ids      = [aws_security_group.allow_ssh.id]
		116 |   subnet_id                   = aws_subnet.public.id
		117 |   associate_public_ip_address = true
		118 |   user_data = <<-EOF
		119 |     #! /bin/bash
		120 |     sudo apt-get update
		121 |     sudo apt-get install ca-certificates curl gnupg -y
		122 |     sudo install -m 0755 -d /etc/apt/keyrings
		123 |     curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
		124 |     sudo chmod a+r /etc/apt/keyrings/docker.gpg
		125 |     echo \
		126 |       "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu \
		127 |       "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | \
		128 |       sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
		129 |     sudo apt-get update
		130 |     sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin -y
		131 |     sudo docker run hello-world
		132 |     curl -L "https://packages.gitlab.com/install/repositories/runner/gitlab-runner/script.deb.sh" | sudo bash
		133 |     sudo apt-get install gitlab-runner
		134 |   EOF
		135 |   tags = {
		136 |     Name = "Ubuntu 20.04"
		137 |   }
		138 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ubuntu2004
	File: /samples/gitlabserver-on-premise-runner-on-EC2/main.tf:111-138
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html

		111 | resource "aws_instance" "ubuntu2004" {
		112 |   ami                         = "ami-0e067cc8a2b58de59" # Ubuntu 20.04 eu-central-1 Frankfurt
		113 |   instance_type               = "t2.micro"
		114 |   key_name                    = "testkey"
		115 |   vpc_security_group_ids      = [aws_security_group.allow_ssh.id]
		116 |   subnet_id                   = aws_subnet.public.id
		117 |   associate_public_ip_address = true
		118 |   user_data = <<-EOF
		119 |     #! /bin/bash
		120 |     sudo apt-get update
		121 |     sudo apt-get install ca-certificates curl gnupg -y
		122 |     sudo install -m 0755 -d /etc/apt/keyrings
		123 |     curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
		124 |     sudo chmod a+r /etc/apt/keyrings/docker.gpg
		125 |     echo \
		126 |       "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu \
		127 |       "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | \
		128 |       sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
		129 |     sudo apt-get update
		130 |     sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin -y
		131 |     sudo docker run hello-world
		132 |     curl -L "https://packages.gitlab.com/install/repositories/runner/gitlab-runner/script.deb.sh" | sudo bash
		133 |     sudo apt-get install gitlab-runner
		134 |   EOF
		135 |   tags = {
		136 |     Name = "Ubuntu 20.04"
		137 |   }
		138 | }

Check: CKV_AWS_50: "X-ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.lambda_function
	File: /samples/lambda-container-apigateway-flaskapp/1_lambda.tf:67-74
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4.html

		67 | resource "aws_lambda_function" "lambda_function" {
		68 |   function_name = "Lambda-Function"
		69 |   role          = aws_iam_role.lambda_role.arn
		70 |   # tag is required, "source image ... is not valid" error will pop up
		71 |   image_uri     = "${data.aws_ecr_repository.flask_app_serverless.repository_url}:latest"
		72 |   package_type  = "Image"
		73 |   depends_on    = [aws_iam_role_policy_attachment.attach_iam_policy_to_iam_role]
		74 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.lambda_function
	File: /samples/lambda-container-apigateway-flaskapp/1_lambda.tf:67-74

		67 | resource "aws_lambda_function" "lambda_function" {
		68 |   function_name = "Lambda-Function"
		69 |   role          = aws_iam_role.lambda_role.arn
		70 |   # tag is required, "source image ... is not valid" error will pop up
		71 |   image_uri     = "${data.aws_ecr_repository.flask_app_serverless.repository_url}:latest"
		72 |   package_type  = "Image"
		73 |   depends_on    = [aws_iam_role_policy_attachment.attach_iam_policy_to_iam_role]
		74 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.lambda_function
	File: /samples/lambda-container-apigateway-flaskapp/1_lambda.tf:67-74
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit.html

		67 | resource "aws_lambda_function" "lambda_function" {
		68 |   function_name = "Lambda-Function"
		69 |   role          = aws_iam_role.lambda_role.arn
		70 |   # tag is required, "source image ... is not valid" error will pop up
		71 |   image_uri     = "${data.aws_ecr_repository.flask_app_serverless.repository_url}:latest"
		72 |   package_type  = "Image"
		73 |   depends_on    = [aws_iam_role_policy_attachment.attach_iam_policy_to_iam_role]
		74 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.lambda_function
	File: /samples/lambda-container-apigateway-flaskapp/1_lambda.tf:67-74
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq.html

		67 | resource "aws_lambda_function" "lambda_function" {
		68 |   function_name = "Lambda-Function"
		69 |   role          = aws_iam_role.lambda_role.arn
		70 |   # tag is required, "source image ... is not valid" error will pop up
		71 |   image_uri     = "${data.aws_ecr_repository.flask_app_serverless.repository_url}:latest"
		72 |   package_type  = "Image"
		73 |   depends_on    = [aws_iam_role_policy_attachment.attach_iam_policy_to_iam_role]
		74 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.lambda_function
	File: /samples/lambda-container-apigateway-flaskapp/1_lambda.tf:67-74
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1.html

		67 | resource "aws_lambda_function" "lambda_function" {
		68 |   function_name = "Lambda-Function"
		69 |   role          = aws_iam_role.lambda_role.arn
		70 |   # tag is required, "source image ... is not valid" error will pop up
		71 |   image_uri     = "${data.aws_ecr_repository.flask_app_serverless.repository_url}:latest"
		72 |   package_type  = "Image"
		73 |   depends_on    = [aws_iam_role_policy_attachment.attach_iam_policy_to_iam_role]
		74 | }

Check: CKV_AWS_237: "Ensure Create before destroy for API GATEWAY"
	FAILED for resource: aws_api_gateway_rest_api.example
	File: /samples/lambda-container-apigateway-flaskapp/2_api_gateway.tf:2-5
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-api-gateway-enables-create-before-destroy.html

		2 | resource "aws_api_gateway_rest_api" "example" {
		3 |   name        = "Serverless"
		4 |   description = "Serverless Application using Terraform"
		5 | }

Check: CKV_AWS_59: "Ensure there is no open access to back-end resources through API"
	FAILED for resource: aws_api_gateway_method.proxy
	File: /samples/lambda-container-apigateway-flaskapp/2_api_gateway.tf:13-18
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/public-policies/public-6-api-gateway-authorizer-set.html

		13 | resource "aws_api_gateway_method" "proxy" {
		14 |   rest_api_id   = aws_api_gateway_rest_api.example.id
		15 |   resource_id   = aws_api_gateway_resource.proxy.id
		16 |   http_method   = "ANY" # with ANY, it allows any request method to be used, all incoming requests will match this resource
		17 |   authorization = "NONE"
		18 | }

Check: CKV_AWS_59: "Ensure there is no open access to back-end resources through API"
	FAILED for resource: aws_api_gateway_method.proxy_root
	File: /samples/lambda-container-apigateway-flaskapp/2_api_gateway.tf:32-37
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/public-policies/public-6-api-gateway-authorizer-set.html

		32 | resource "aws_api_gateway_method" "proxy_root" {
		33 |   rest_api_id   = aws_api_gateway_rest_api.example.id
		34 |   resource_id   = aws_api_gateway_rest_api.example.root_resource_id
		35 |   http_method   = "ANY"
		36 |   authorization = "NONE"
		37 | }

Check: CKV_AWS_217: "Ensure Create before destroy for API deployments"
	FAILED for resource: aws_api_gateway_deployment.example
	File: /samples/lambda-container-apigateway-flaskapp/2_api_gateway.tf:49-56
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-api-deployments-enable-create-before-destroy.html

		49 | resource "aws_api_gateway_deployment" "example" {
		50 |   depends_on = [
		51 |     aws_api_gateway_integration.lambda,
		52 |     aws_api_gateway_integration.lambda_root,
		53 |   ]
		54 |   rest_api_id = aws_api_gateway_rest_api.example.id
		55 |   stage_name  = "test"
		56 | }

Check: CKV_AWS_163: "Ensure ECR image scanning on push is enabled"
	FAILED for resource: aws_ecr_repository.flask_app_serverless
	File: /samples/lambda-container-apigateway-flaskapp/ecr/0_ecr.tf:12-14
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-8.html

		12 | resource "aws_ecr_repository" "flask_app_serverless" {
		13 |   name = "flask-app-serverless"
		14 | }

Check: CKV_AWS_51: "Ensure ECR Image Tags are immutable"
	FAILED for resource: aws_ecr_repository.flask_app_serverless
	File: /samples/lambda-container-apigateway-flaskapp/ecr/0_ecr.tf:12-14
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-24.html

		12 | resource "aws_ecr_repository" "flask_app_serverless" {
		13 |   name = "flask-app-serverless"
		14 | }

Check: CKV_AWS_136: "Ensure that ECR repositories are encrypted using KMS"
	FAILED for resource: aws_ecr_repository.flask_app_serverless
	File: /samples/lambda-container-apigateway-flaskapp/ecr/0_ecr.tf:12-14
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ecr-repositories-are-encrypted.html

		12 | resource "aws_ecr_repository" "flask_app_serverless" {
		13 |   name = "flask-app-serverless"
		14 | }

Check: CKV_AWS_237: "Ensure Create before destroy for API GATEWAY"
	FAILED for resource: aws_api_gateway_rest_api.example
	File: /samples/lambda-role-policy-apigateway-python/api-gateway.tf:2-5
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-api-gateway-enables-create-before-destroy.html

		2 | resource "aws_api_gateway_rest_api" "example" {
		3 |   name        = "Serverless"
		4 |   description = "Serverless Application using Terraform"
		5 | }

Check: CKV_AWS_59: "Ensure there is no open access to back-end resources through API"
	FAILED for resource: aws_api_gateway_method.proxy
	File: /samples/lambda-role-policy-apigateway-python/api-gateway.tf:13-18
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/public-policies/public-6-api-gateway-authorizer-set.html

		13 | resource "aws_api_gateway_method" "proxy" {
		14 |   rest_api_id   = aws_api_gateway_rest_api.example.id
		15 |   resource_id   = aws_api_gateway_resource.proxy.id
		16 |   http_method   = "ANY" # with ANY, it allows any request method to be used, all incoming requests will match this resource
		17 |   authorization = "NONE"
		18 | }

Check: CKV_AWS_59: "Ensure there is no open access to back-end resources through API"
	FAILED for resource: aws_api_gateway_method.proxy_root
	File: /samples/lambda-role-policy-apigateway-python/api-gateway.tf:32-37
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/public-policies/public-6-api-gateway-authorizer-set.html

		32 | resource "aws_api_gateway_method" "proxy_root" {
		33 |   rest_api_id   = aws_api_gateway_rest_api.example.id
		34 |   resource_id   = aws_api_gateway_rest_api.example.root_resource_id
		35 |   http_method   = "ANY"
		36 |   authorization = "NONE"
		37 | }

Check: CKV_AWS_217: "Ensure Create before destroy for API deployments"
	FAILED for resource: aws_api_gateway_deployment.example
	File: /samples/lambda-role-policy-apigateway-python/api-gateway.tf:49-56
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-api-deployments-enable-create-before-destroy.html

		49 | resource "aws_api_gateway_deployment" "example" {
		50 |   depends_on = [
		51 |     aws_api_gateway_integration.lambda,
		52 |     aws_api_gateway_integration.lambda_root,
		53 |   ]
		54 |   rest_api_id = aws_api_gateway_rest_api.example.id
		55 |   stage_name  = "test"
		56 | }

Check: CKV_AWS_50: "X-ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.lambda_function
	File: /samples/lambda-role-policy-apigateway-python/lambda.tf:69-76
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4.html

		69 | resource "aws_lambda_function" "lambda_function" {
		70 |   filename      = "${path.module}/code/main.zip"
		71 |   function_name = "Lambda-Function"
		72 |   role          = aws_iam_role.lambda_role.arn
		73 |   handler       = "main.lambda_handler"
		74 |   runtime       = "python3.8"
		75 |   depends_on    = [aws_iam_role_policy_attachment.attach_iam_policy_to_iam_role]
		76 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.lambda_function
	File: /samples/lambda-role-policy-apigateway-python/lambda.tf:69-76

		69 | resource "aws_lambda_function" "lambda_function" {
		70 |   filename      = "${path.module}/code/main.zip"
		71 |   function_name = "Lambda-Function"
		72 |   role          = aws_iam_role.lambda_role.arn
		73 |   handler       = "main.lambda_handler"
		74 |   runtime       = "python3.8"
		75 |   depends_on    = [aws_iam_role_policy_attachment.attach_iam_policy_to_iam_role]
		76 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.lambda_function
	File: /samples/lambda-role-policy-apigateway-python/lambda.tf:69-76
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit.html

		69 | resource "aws_lambda_function" "lambda_function" {
		70 |   filename      = "${path.module}/code/main.zip"
		71 |   function_name = "Lambda-Function"
		72 |   role          = aws_iam_role.lambda_role.arn
		73 |   handler       = "main.lambda_handler"
		74 |   runtime       = "python3.8"
		75 |   depends_on    = [aws_iam_role_policy_attachment.attach_iam_policy_to_iam_role]
		76 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.lambda_function
	File: /samples/lambda-role-policy-apigateway-python/lambda.tf:69-76
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq.html

		69 | resource "aws_lambda_function" "lambda_function" {
		70 |   filename      = "${path.module}/code/main.zip"
		71 |   function_name = "Lambda-Function"
		72 |   role          = aws_iam_role.lambda_role.arn
		73 |   handler       = "main.lambda_handler"
		74 |   runtime       = "python3.8"
		75 |   depends_on    = [aws_iam_role_policy_attachment.attach_iam_policy_to_iam_role]
		76 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.lambda_function
	File: /samples/lambda-role-policy-apigateway-python/lambda.tf:69-76
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1.html

		69 | resource "aws_lambda_function" "lambda_function" {
		70 |   filename      = "${path.module}/code/main.zip"
		71 |   function_name = "Lambda-Function"
		72 |   role          = aws_iam_role.lambda_role.arn
		73 |   handler       = "main.lambda_handler"
		74 |   runtime       = "python3.8"
		75 |   depends_on    = [aws_iam_role_policy_attachment.attach_iam_policy_to_iam_role]
		76 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.tf_mlops_policy
	File: /samples/mlops-sagemaker-github-codepipeline-codebuild-codedeploy/terraform/iam_roles.tf:35-307
		Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.tf_mlops_policy
	File: /samples/mlops-sagemaker-github-codepipeline-codebuild-codedeploy/terraform/iam_roles.tf:35-307
		Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.tf_mlops_policy
	File: /samples/mlops-sagemaker-github-codepipeline-codebuild-codedeploy/terraform/iam_roles.tf:35-307
		Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV_AWS_219: "Ensure Code Pipeline Artifact store is using a KMS CMK"
	FAILED for resource: aws_codepipeline.sm_ci_pipeline
	File: /samples/mlops-sagemaker-github-codepipeline-codebuild-codedeploy/terraform/modelbuild_ci_pipeline.tf:2-61
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-codepipeline-artifactstore-is-not-encrypted-by-key-management-service-kms-using-a-customer-managed-key-cmk.html
		Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV_AWS_147: "Ensure that CodeBuild projects are encrypted using CMK"
	FAILED for resource: aws_codebuild_project.tf_mlops_modelbuild
	File: /samples/mlops-sagemaker-github-codepipeline-codebuild-codedeploy/terraform/modelbuild_codebuild.tf:14-88
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-codebuild-projects-are-encrypted-1.html
		Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV_GIT_2: "Ensure GitHub repository webhooks are using HTTPS"
	FAILED for resource: github_repository_webhook.build_github_hook
	File: /samples/mlops-sagemaker-github-codepipeline-codebuild-codedeploy/terraform/modelbuild_hooks.tf:18-28
	Guide: https://docs.bridgecrew.io/docs/ensure-github-organization-and-repository-webhooks-are-using-https

		18 | resource "github_repository_webhook" "build_github_hook" {
		19 |   repository = var.build_repository_name
		20 |   events     = ["push"]
		21 | 
		22 |   configuration {
		23 |     url          = aws_codepipeline_webhook.buildpipeline_webhook.url
		24 |     insecure_ssl = "0"
		25 |     content_type = "json"
		26 |     secret       = random_string.build_github_secret.result
		27 |   }
		28 | }

Check: CKV_AWS_219: "Ensure Code Pipeline Artifact store is using a KMS CMK"
	FAILED for resource: aws_codepipeline.sm_cd_pipeline
	File: /samples/mlops-sagemaker-github-codepipeline-codebuild-codedeploy/terraform/modeldeploy_cd_pipeline.tf:2-140
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-codepipeline-artifactstore-is-not-encrypted-by-key-management-service-kms-using-a-customer-managed-key-cmk.html
		Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV_AWS_147: "Ensure that CodeBuild projects are encrypted using CMK"
	FAILED for resource: aws_codebuild_project.tf_mlops_deploybuild
	File: /samples/mlops-sagemaker-github-codepipeline-codebuild-codedeploy/terraform/modeldeploy_codebuild.tf:18-112
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-codebuild-projects-are-encrypted-1.html
		Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV_GIT_2: "Ensure GitHub repository webhooks are using HTTPS"
	FAILED for resource: github_repository_webhook.deploy_hook
	File: /samples/mlops-sagemaker-github-codepipeline-codebuild-codedeploy/terraform/modeldeploy_hooks.tf:18-28
	Guide: https://docs.bridgecrew.io/docs/ensure-github-organization-and-repository-webhooks-are-using-https

		18 | resource "github_repository_webhook" "deploy_hook" {
		19 |   repository = var.deploy_repository_name
		20 |   events     = ["push"]
		21 | 
		22 |   configuration {
		23 |     url          = aws_codepipeline_webhook.deploy_webhook.url
		24 |     insecure_ssl = "0"
		25 |     content_type = "json"
		26 |     secret       = random_string.deploy_github_secret.result
		27 |   }
		28 | }

Check: CKV_AWS_147: "Ensure that CodeBuild projects are encrypted using CMK"
	FAILED for resource: aws_codebuild_project.tf_mlops_testbuild
	File: /samples/mlops-sagemaker-github-codepipeline-codebuild-codedeploy/terraform/modeldeploy_testbuild.tf:1-75
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-codebuild-projects-are-encrypted-1.html
		Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV_AWS_86: "Ensure Cloudfront distribution has Access Logging enabled"
	FAILED for resource: aws_cloudfront_distribution.s3_distribution
	File: /samples/s3-cloudfront-static-website/cloudfront.tf:9-115
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-20.html
		Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV_AWS_34: "Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS"
	FAILED for resource: aws_cloudfront_distribution.s3_distribution
	File: /samples/s3-cloudfront-static-website/cloudfront.tf:9-115
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-32.html
		Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV_AWS_68: "CloudFront Distribution should have WAF enabled"
	FAILED for resource: aws_cloudfront_distribution.s3_distribution
	File: /samples/s3-cloudfront-static-website/cloudfront.tf:9-115
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-27.html
		Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV_AWS_174: "Verify CloudFront Distribution Viewer Certificate is using TLS v1.2"
	FAILED for resource: aws_cloudfront_distribution.s3_distribution
	File: /samples/s3-cloudfront-static-website/cloudfront.tf:9-115
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/bc-aws-networking-63.html
		Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV_AWS_310: "Ensure CloudFront distributions should have origin failover configured"
	FAILED for resource: aws_cloudfront_distribution.s3_distribution
	File: /samples/s3-cloudfront-static-website/cloudfront.tf:9-115
		Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV_AWS_186: "Ensure S3 bucket Object is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_s3_bucket_object.html
	File: /samples/s3-cloudfront-static-website/s3.tf:50-58
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-106.html

		50 | resource "aws_s3_bucket_object" "html" {
		51 |   for_each = fileset("${path.module}/website/", "*.html")
		52 | 
		53 |   bucket       = aws_s3_bucket.mybucket.bucket
		54 |   key          = each.value
		55 |   source       = "${path.module}/website/${each.value}"
		56 |   etag         = filemd5("${path.module}/website/${each.value}")
		57 |   content_type = "text/html"
		58 | }

Check: CKV_AWS_186: "Ensure S3 bucket Object is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_s3_bucket_object.svg
	File: /samples/s3-cloudfront-static-website/s3.tf:60-68
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-106.html

		60 | resource "aws_s3_bucket_object" "svg" {
		61 |   for_each = fileset("${path.module}/website/", "**/*.svg")
		62 | 
		63 |   bucket       = aws_s3_bucket.mybucket.bucket
		64 |   key          = each.value
		65 |   source       = "${path.module}/website/${each.value}"
		66 |   etag         = filemd5("${path.module}/website/${each.value}")
		67 |   content_type = "image/svg+xml"
		68 | }

Check: CKV_AWS_186: "Ensure S3 bucket Object is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_s3_bucket_object.css
	File: /samples/s3-cloudfront-static-website/s3.tf:70-78
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-106.html

		70 | resource "aws_s3_bucket_object" "css" {
		71 |   for_each = fileset("${path.module}/website/", "**/*.css")
		72 | 
		73 |   bucket       = aws_s3_bucket.mybucket.bucket
		74 |   key          = each.value
		75 |   source       = "${path.module}/website/${each.value}"
		76 |   etag         = filemd5("${path.module}/website/${each.value}")
		77 |   content_type = "text/css"
		78 | }

Check: CKV_AWS_186: "Ensure S3 bucket Object is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_s3_bucket_object.js
	File: /samples/s3-cloudfront-static-website/s3.tf:80-88
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-106.html

		80 | resource "aws_s3_bucket_object" "js" {
		81 |   for_each = fileset("${path.module}/website/", "**/*.js")
		82 | 
		83 |   bucket       = aws_s3_bucket.mybucket.bucket
		84 |   key          = each.value
		85 |   source       = "${path.module}/website/${each.value}"
		86 |   etag         = filemd5("${path.module}/website/${each.value}")
		87 |   content_type = "application/javascript"
		88 | }

Check: CKV_AWS_186: "Ensure S3 bucket Object is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_s3_bucket_object.images
	File: /samples/s3-cloudfront-static-website/s3.tf:91-99
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-106.html

		91 | resource "aws_s3_bucket_object" "images" {
		92 |   for_each = fileset("${path.module}/website/", "**/*.png")
		93 | 
		94 |   bucket       = aws_s3_bucket.mybucket.bucket
		95 |   key          = each.value
		96 |   source       = "${path.module}/website/${each.value}"
		97 |   etag         = filemd5("${path.module}/website/${each.value}")
		98 |   content_type = "image/png"
		99 | }

Check: CKV_AWS_186: "Ensure S3 bucket Object is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_s3_bucket_object.json
	File: /samples/s3-cloudfront-static-website/s3.tf:101-109
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-106.html

		101 | resource "aws_s3_bucket_object" "json" {
		102 |   for_each = fileset("${path.module}/website/", "**/*.json")
		103 | 
		104 |   bucket       = aws_s3_bucket.mybucket.bucket
		105 |   key          = each.value
		106 |   source       = "${path.module}/website/${each.value}"
		107 |   etag         = filemd5("${path.module}/website/${each.value}")
		108 |   content_type = "application/json"
		109 | }

Check: CKV_AWS_56: "Ensure S3 bucket has 'restrict_public_bucket' enabled"
	FAILED for resource: aws_s3_bucket_public_access_block.mybucket
	File: /samples/s3-cloudfront-static-website/s3.tf:136-143
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/bc-aws-s3-22.html

		136 | resource "aws_s3_bucket_public_access_block" "mybucket" {
		137 |   bucket = aws_s3_bucket.mybucket.id
		138 | 
		139 |   block_public_acls   = true
		140 |   block_public_policy = true
		141 |   //ignore_public_acls = true
		142 |   //restrict_public_buckets = true
		143 | }

Check: CKV_AWS_55: "Ensure S3 bucket has ignore public ACLs enabled"
	FAILED for resource: aws_s3_bucket_public_access_block.mybucket
	File: /samples/s3-cloudfront-static-website/s3.tf:136-143
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/bc-aws-s3-21.html

		136 | resource "aws_s3_bucket_public_access_block" "mybucket" {
		137 |   bucket = aws_s3_bucket.mybucket.id
		138 | 
		139 |   block_public_acls   = true
		140 |   block_public_policy = true
		141 |   //ignore_public_acls = true
		142 |   //restrict_public_buckets = true
		143 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.codepipeline.aws_s3_bucket.codepipeline_bucket
	File: /samples/codecommit-codepipeline-codebuild-codedeploy-lambda-container/modules/codepipeline/main.tf:4-6
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html

		4 | resource "aws_s3_bucket" "codepipeline_bucket" {
		5 |   bucket = "${var.s3_bucket_namespace}-codepipeline-bucket"
		6 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.artifacts_bucket
	File: /samples/mlops-sagemaker-github-codepipeline-codebuild-codedeploy/terraform/s3.tf:1-4
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html

		1 | resource "aws_s3_bucket" "artifacts_bucket" {
		2 |   bucket        = var.artifacts_bucket_name
		3 |   force_destroy = true
		4 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.mybucket
	File: /samples/s3-cloudfront-static-website/s3.tf:15-47
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html

		15 | resource "aws_s3_bucket" "mybucket" {
		16 |   bucket = "s3-mybucket-website2023"
		17 |   acl    = "private"
		18 |   # Add specefic S3 policy in the s3-policy.json on the same directory
		19 |   # policy = file("s3-policy.json")
		20 | 
		21 |   versioning {
		22 |     enabled = false
		23 |   }
		24 | 
		25 |   website {
		26 |     index_document = "index.html"
		27 |     error_document = "error.html"
		28 | 
		29 |     # Add routing rules if required
		30 |     # routing_rules = <
		!! MODULE-1 !!: Deployed via Terraform from $(hostname -f)" | sudo tee /var/www/html/index.html
		108 |   EOF
		109 |   tags = {
		110 |     Name = var.tag
		111 |   }
		112 | 
		113 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: module.webserver-2.aws_instance.ec2
	File: /labs/modules/module2/main.tf:95-113
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html

		95 | resource "aws_instance" "ec2" {
		96 |   ami                         = var.ami
		97 |   instance_type               = var.instance_type
		98 |   subnet_id                   = aws_subnet.public.id
		99 |   associate_public_ip_address = true
		100 |   vpc_security_group_ids      = [aws_security_group.ssg.id]
		101 |   user_data = <<-EOF
		102 |     #! /bin/bash
		103 |     sudo apt-get update
		104 |     sudo apt-get install -y apache2
		105 |     sudo systemctl start apache2
		106 |     sudo systemctl enable apache2
		107 |     echo "** MODULE-2 **: Deployed via Terraform from $(hostname -f)" | sudo tee /var/www/html/index.html
		108 |   EOF
		109 |   tags = {
		110 |     Name = var.tag
		111 |   }
		112 | 
		113 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.ubuntu2204
	File: /labs/provisioners-nullresources/main.tf:76-113
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html

		76 | resource "aws_instance" "ubuntu2204" {
		77 | 
		78 |   ami                         = "ami-0d1ddd83282187d18" # Ubuntu 22.04 eu-central-1 Frankfurt
		79 |   instance_type               = "t2.nano"
		80 |   key_name                    = "testkey"
		81 |   vpc_security_group_ids      = [aws_security_group.allow_ssh.id]
		82 |   subnet_id                   = aws_subnet.public.id
		83 |   associate_public_ip_address = true
		84 | 
		85 |   tags = {
		86 |     Name = "Ubuntu 22.04"
		87 |   }
		88 | 
		89 |   provisioner "file" {
		90 |     source      = "test-file.txt"
		91 |     destination = "/home/ubuntu/test-file.txt"
		92 |   }
		93 | 
		94 |   provisioner "file" {
		95 |     content     = "I want to copy this string to the destination file => server.txt (using provisioner file content)"
		96 |     destination = "/home/ubuntu/server.txt"
		97 |   }
		98 | 
		99 |   provisioner "remote-exec" {
		100 |     inline = [
		101 |       "touch hello.txt",
		102 |       "echo helloworld remote-exec provisioner >> hello.txt",
		103 |     ]
		104 |   }
		105 | 
		106 |   connection {
		107 |     type        = "ssh"
		108 |     host        = self.public_ip
		109 |     user        = "ubuntu"
		110 |     private_key = file("testkey.pem")
		111 |     timeout     = "4m"
		112 |   }
		113 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.ec2_example
	File: /labs/variables-locals-output/main.tf:59-69
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html

		59 | resource "aws_instance" "ec2_example" {
		60 | 
		61 |   ami                         = var.ami
		62 |   instance_type               = var.instance_type
		63 |   subnet_id                   = aws_subnet.my_subnet.id
		64 |   associate_public_ip_address = true
		65 | 
		66 |   tags = {
		67 |     Name = var.tag
		68 |   }
		69 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.instance
	File: /labs/workspace/main.tf:20-27
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html

		20 | resource "aws_instance" "instance" {
		21 |   ami           = var.ami
		22 |   instance_type = var.instance_type
		23 | 
		24 |   tags = {
		25 |     Name = local.tag
		26 |   }
		27 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.ubuntu2004
	File: /samples/ec2-ebs-efs/main.tf:104-114
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html

		104 | resource "aws_instance" "ubuntu2004" {
		105 |   ami                         = "ami-0e067cc8a2b58de59" # Ubuntu 20.04 eu-central-1 Frankfurt
		106 |   instance_type               = "t2.nano"
		107 |   key_name                    = "testkey"
		108 |   vpc_security_group_ids      = [aws_security_group.sg_config.id]
		109 |   subnet_id                   = aws_subnet.public.id
		110 |   associate_public_ip_address = true
		111 |   tags = {
		112 |     Name = "Ubuntu 20.04"
		113 |   }
		114 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.win2019
	File: /samples/ec2-ebs-efs/main.tf:116-126
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html

		116 | resource "aws_instance" "win2019" {
		117 |   ami                         = "ami-02c2da541ae36c6fc" # Windows 2019 Server eu-central-1 Frankfurt
		118 |   instance_type               = "t2.micro"
		119 |   key_name                    = "testkey"
		120 |   vpc_security_group_ids      = [aws_security_group.sg_config.id]
		121 |   subnet_id                   = aws_subnet.public.id
		122 |   associate_public_ip_address = true
		123 |   tags = {
		124 |     Name = "Win 2019 Server"
		125 |   }
		126 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.ubuntu2004
	File: /samples/ec2-vpc-ubuntu-win-ssh-rdp/main.tf:97-115
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html

		97 | resource "aws_instance" "ubuntu2004" {
		98 |   ami                         = "ami-0e067cc8a2b58de59" # Ubuntu 20.04 eu-central-1 Frankfurt
		99 |   instance_type               = "t2.nano"
		100 |   key_name                    = "testkey"
		101 |   vpc_security_group_ids      = [aws_security_group.allow_ssh.id]
		102 |   subnet_id                   = aws_subnet.public.id
		103 |   associate_public_ip_address = true
		104 |   user_data = <<-EOF
		105 |     #! /bin/bash
		106 |     sudo apt-get update
		107 |     sudo apt-get install -y apache2
		108 |     sudo systemctl start apache2
		109 |     sudo systemctl enable apache2
		110 |     echo "

    Deployed via Terraform from $(hostname -f)

    " | sudo tee /var/www/html/index.html 111 | EOF 112 | tags = { 113 | Name = "Ubuntu 20.04" 114 | } 115 | } Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance" FAILED for resource: aws_instance.win2019 File: /samples/ec2-vpc-ubuntu-win-ssh-rdp/main.tf:117-127 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html 117 | resource "aws_instance" "win2019" { 118 | ami = "ami-02c2da541ae36c6fc" # Windows 2019 Server eu-central-1 Frankfurt 119 | instance_type = "t2.micro" 120 | key_name = "testkey" 121 | vpc_security_group_ids = [aws_security_group.allow_ssh.id] 122 | subnet_id = aws_subnet.public.id 123 | associate_public_ip_address = true 124 | tags = { 125 | Name = "Win 2019 Server" 126 | } 127 | } Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance" FAILED for resource: aws_instance.ubuntu2004 File: /samples/gitlabserver-on-premise-runner-on-EC2/main.tf:111-138 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html 111 | resource "aws_instance" "ubuntu2004" { 112 | ami = "ami-0e067cc8a2b58de59" # Ubuntu 20.04 eu-central-1 Frankfurt 113 | instance_type = "t2.micro" 114 | key_name = "testkey" 115 | vpc_security_group_ids = [aws_security_group.allow_ssh.id] 116 | subnet_id = aws_subnet.public.id 117 | associate_public_ip_address = true 118 | user_data = <<-EOF 119 | #! 
/bin/bash 120 | sudo apt-get update 121 | sudo apt-get install ca-certificates curl gnupg -y 122 | sudo install -m 0755 -d /etc/apt/keyrings 123 | curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg 124 | sudo chmod a+r /etc/apt/keyrings/docker.gpg 125 | echo \ 126 | "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu \ 127 | "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | \ 128 | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null 129 | sudo apt-get update 130 | sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin -y 131 | sudo docker run hello-world 132 | curl -L "https://packages.gitlab.com/install/repositories/runner/gitlab-runner/script.deb.sh" | sudo bash 133 | sudo apt-get install gitlab-runner 134 | EOF 135 | tags = { 136 | Name = "Ubuntu 20.04" 137 | } 138 | } Check: CKV2_AWS_40: "Ensure AWS IAM policy does not allow full IAM privileges" FAILED for resource: aws_iam_policy_document.admin_policy File: /labs/iamuser-metaargs-count-for-foreach-map/count/main.tf:53-59 53 | data "aws_iam_policy_document" "admin_policy" { 54 | statement { 55 | effect = "Allow" 56 | actions = ["*"] 57 | resources = ["*"] 58 | } 59 | } Check: CKV2_AWS_40: "Ensure AWS IAM policy does not allow full IAM privileges" FAILED for resource: aws_iam_policy_document.admin_policy File: /labs/iamuser-metaargs-count-for-foreach-map/for_each/main.tf:53-59 53 | data "aws_iam_policy_document" "admin_policy" { 54 | statement { 55 | effect = "Allow" 56 | actions = ["*"] 57 | resources = ["*"] 58 | } 59 | } dockerfile scan results: Passed checks: 176, Failed checks: 8, Skipped checks: 0 Check: CKV_DOCKER_3: "Ensure that a user for the container has been created" FAILED for resource: /samples/codecommit-codepipeline-codebuild-codedeploy-lambda-container/lambda_bootstrap/lambda/Dockerfile. 
File: /samples/codecommit-codepipeline-codebuild-codedeploy-lambda-container/lambda_bootstrap/lambda/Dockerfile:1-6 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html 1 | FROM public.ecr.aws/lambda/python:3.8 2 | COPY requirements.txt ${LAMBDA_TASK_ROOT} 3 | RUN pip3 install --no-cache-dir -r requirements.txt 4 | COPY aws-lambda-url.py ${LAMBDA_TASK_ROOT} 5 | 6 | CMD ["aws-lambda-url.lambda_handler"] Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images" FAILED for resource: /samples/codecommit-codepipeline-codebuild-codedeploy-lambda-container/lambda_bootstrap/lambda/Dockerfile. File: /samples/codecommit-codepipeline-codebuild-codedeploy-lambda-container/lambda_bootstrap/lambda/Dockerfile:1-6 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html 1 | FROM public.ecr.aws/lambda/python:3.8 2 | COPY requirements.txt ${LAMBDA_TASK_ROOT} 3 | RUN pip3 install --no-cache-dir -r requirements.txt 4 | COPY aws-lambda-url.py ${LAMBDA_TASK_ROOT} 5 | 6 | CMD ["aws-lambda-url.lambda_handler"] Check: CKV_DOCKER_3: "Ensure that a user for the container has been created" FAILED for resource: /samples/lambda-container-apigateway-flaskapp/flask-app-serverless/Dockerfile. 
File: /samples/lambda-container-apigateway-flaskapp/flask-app-serverless/Dockerfile:1-19 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html 1 | FROM public.ecr.aws/lambda/python:3.7 2 | 3 | WORKDIR ${LAMBDA_TASK_ROOT} 4 | 5 | COPY app ${LAMBDA_TASK_ROOT} 6 | 7 | COPY requirements.txt requirements.txt 8 | 9 | RUN pip3 install -r requirements.txt --target "${LAMBDA_TASK_ROOT}" 10 | 11 | ENV FLASK_APP=app 12 | 13 | ENV FLASK_ENV=development 14 | 15 | EXPOSE 5000 16 | 17 | RUN python init_db.py 18 | 19 | CMD ["app.handler"] Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images" FAILED for resource: /samples/lambda-container-apigateway-flaskapp/flask-app-serverless/Dockerfile. File: /samples/lambda-container-apigateway-flaskapp/flask-app-serverless/Dockerfile:1-19 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html 1 | FROM public.ecr.aws/lambda/python:3.7 2 | 3 | WORKDIR ${LAMBDA_TASK_ROOT} 4 | 5 | COPY app ${LAMBDA_TASK_ROOT} 6 | 7 | COPY requirements.txt requirements.txt 8 | 9 | RUN pip3 install -r requirements.txt --target "${LAMBDA_TASK_ROOT}" 10 | 11 | ENV FLASK_APP=app 12 | 13 | ENV FLASK_ENV=development 14 | 15 | EXPOSE 5000 16 | 17 | RUN python init_db.py 18 | 19 | CMD ["app.handler"] Check: CKV_DOCKER_3: "Ensure that a user for the container has been created" FAILED for resource: /samples/gitlabserver-on-premise-runner-on-EC2/test-gitlab-runner/docker-windows/Dockerfile. 
File: /samples/gitlabserver-on-premise-runner-on-EC2/test-gitlab-runner/docker-windows/Dockerfile:1-17 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html 1 | # escape=` 2 | 3 | FROM mcr.microsoft.com/windows/servercore:1809 4 | 5 | # Restore the default Windows shell for correct batch processing. 6 | SHELL ["cmd", "/S", "/C"] 7 | 8 | # install choco (win package manager like apt-get) 9 | RUN @"%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -InputFormat None -ExecutionPolicy Bypass -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))" && SET "PATH=%PATH%;%ALLUSERSPROFILE%\chocolatey\bin" 10 | 11 | # install python3.7 12 | RUN choco install -y python --version=3.7.2 ` 13 | && set PATH=%PATH%;C:\Python37\ 14 | 15 | RUN choco install pwsh --version=7.3.3 -y 16 | 17 | CMD ["powershell.exe", "-NoLogo", "-ExecutionPolicy", "Bypass"] Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images" FAILED for resource: /samples/gitlabserver-on-premise-runner-on-EC2/test-gitlab-runner/docker-windows/Dockerfile. File: /samples/gitlabserver-on-premise-runner-on-EC2/test-gitlab-runner/docker-windows/Dockerfile:1-17 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html 1 | # escape=` 2 | 3 | FROM mcr.microsoft.com/windows/servercore:1809 4 | 5 | # Restore the default Windows shell for correct batch processing. 
6 | SHELL ["cmd", "/S", "/C"] 7 | 8 | # install choco (win package manager like apt-get) 9 | RUN @"%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -InputFormat None -ExecutionPolicy Bypass -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))" && SET "PATH=%PATH%;%ALLUSERSPROFILE%\chocolatey\bin" 10 | 11 | # install python3.7 12 | RUN choco install -y python --version=3.7.2 ` 13 | && set PATH=%PATH%;C:\Python37\ 14 | 15 | RUN choco install pwsh --version=7.3.3 -y 16 | 17 | CMD ["powershell.exe", "-NoLogo", "-ExecutionPolicy", "Bypass"] Check: CKV_DOCKER_3: "Ensure that a user for the container has been created" FAILED for resource: /samples/ecr-ecs-elb-vpc-ecsservice-container/flask-app/Dockerfile. File: /samples/ecr-ecs-elb-vpc-ecsservice-container/flask-app/Dockerfile:1-19 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html 1 | FROM python:3.8-slim-buster 2 | 3 | WORKDIR /app 4 | 5 | COPY requirements.txt requirements.txt 6 | 7 | RUN pip3 install -r requirements.txt 8 | 9 | COPY app . 10 | 11 | ENV FLASK_APP=app 12 | 13 | ENV FLASK_ENV=development 14 | 15 | EXPOSE 5000 16 | 17 | RUN python init_db.py 18 | 19 | CMD [ "python3", "-m" , "flask", "run", "--host=0.0.0.0","--port","5000"] Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images" FAILED for resource: /samples/ecr-ecs-elb-vpc-ecsservice-container/flask-app/Dockerfile. 
File: /samples/ecr-ecs-elb-vpc-ecsservice-container/flask-app/Dockerfile:1-19 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html 1 | FROM python:3.8-slim-buster 2 | 3 | WORKDIR /app 4 | 5 | COPY requirements.txt requirements.txt 6 | 7 | RUN pip3 install -r requirements.txt 8 | 9 | COPY app . 10 | 11 | ENV FLASK_APP=app 12 | 13 | ENV FLASK_ENV=development 14 | 15 | EXPOSE 5000 16 | 17 | RUN python init_db.py 18 | 19 | CMD [ "python3", "-m" , "flask", "run", "--host=0.0.0.0","--port","5000"]

    Linting

    This repository failed the Experience Builder Terraform Module's Linting validation. This means that a linting tool was not found to be implemented in any of the CICD tool configuration files in the repository.

    There is an opportunity to: