| Repository | sidpalas / devops-directive-terraform-course |
|---|---|
| Description | Companion repo for complete Terraform course |
| Stars | 751 |
| Failed Checks | Security Scanning |
| Scan Date | 2023-10-30 17:57:40 |
Security Scanning
This repository failed the Experience Builder Terraform Module's Security Scanning validation: no security scanning tool was found in any of the CI/CD configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform security scanning tools (example checkov output is included below)
- Implement one of the security scanning tools within the CI/CD framework used by the repository
Note that the checkov run below was made without `--download-external-modules`, so the external `hashicorp/terraform-aws-consul` module referenced by the repository was not fetched and its resources are not reflected in the pass/fail counts.
Checkov Output
2023-10-05 14:44:38,933 [MainThread ] [WARNI] Failed to download module git@github.com:hashicorp/terraform-aws-consul.git:None (for external modules, the --download-external-modules flag is required)
terraform scan results:
Passed checks: 198, Failed checks: 247, Skipped checks: 0
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.example
File: /02-overview/main.tf:14-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
14 | resource "aws_instance" "example" {
15 | ami = "ami-011899242bb902164" # Ubuntu 20.04 LTS // us-east-1
16 | instance_type = "t2.micro"
17 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.example
File: /02-overview/main.tf:14-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
14 | resource "aws_instance" "example" {
15 | ami = "ami-011899242bb902164" # Ubuntu 20.04 LTS // us-east-1
16 | instance_type = "t2.micro"
17 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.example
File: /02-overview/main.tf:14-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
14 | resource "aws_instance" "example" {
15 | ami = "ami-011899242bb902164" # Ubuntu 20.04 LTS // us-east-1
16 | instance_type = "t2.micro"
17 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.example
File: /02-overview/main.tf:14-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
14 | resource "aws_instance" "example" {
15 | ami = "ami-011899242bb902164" # Ubuntu 20.04 LTS // us-east-1
16 | instance_type = "t2.micro"
17 | }
Check: CKV_AWS_119: "Ensure DynamoDB Tables are encrypted using a KMS Customer Managed CMK"
FAILED for resource: aws_dynamodb_table.terraform_locks
File: /03-basics/aws-backend/main.tf:48-56
Guide: https://docs.bridgecrew.io/docs/ensure-that-dynamodb-tables-are-encrypted
48 | resource "aws_dynamodb_table" "terraform_locks" {
49 | name = "terraform-state-locking"
50 | billing_mode = "PAY_PER_REQUEST"
51 | hash_key = "LockID"
52 | attribute {
53 | name = "LockID"
54 | type = "S"
55 | }
56 | }
Check: CKV_AWS_28: "Ensure Dynamodb point in time recovery (backup) is enabled"
FAILED for resource: aws_dynamodb_table.terraform_locks
File: /03-basics/aws-backend/main.tf:48-56
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-6.html
48 | resource "aws_dynamodb_table" "terraform_locks" {
49 | name = "terraform-state-locking"
50 | billing_mode = "PAY_PER_REQUEST"
51 | hash_key = "LockID"
52 | attribute {
53 | name = "LockID"
54 | type = "S"
55 | }
56 | }
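A remediated version of the state-locking table that clears CKV_AWS_119 and CKV_AWS_28, as an added example and not code from the course repository. The table name, key and attribute match the finding above; the `aws_kms_key` and `aws_kms_alias` resources are assumptions added here.

```hcl
# Added example (not part of the course repo): state-lock table encrypted with a
# customer-managed KMS key (CKV_AWS_119) and with point-in-time recovery (CKV_AWS_28).

# Assumed: a dedicated CMK for the Terraform backend. Rotation rolls the key
# material yearly without changing the key ARN referenced below.
resource "aws_kms_key" "terraform_backend" {
  description             = "CMK for Terraform state lock table"
  deletion_window_in_days = 30
  enable_key_rotation     = true
}

resource "aws_kms_alias" "terraform_backend" {
  name          = "alias/terraform-backend"
  target_key_id = aws_kms_key.terraform_backend.key_id
}

resource "aws_dynamodb_table" "terraform_locks" {
  name         = "terraform-state-locking"
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "LockID"

  attribute {
    name = "LockID"
    type = "S"
  }

  # CKV_AWS_119: encrypt with the CMK above instead of the AWS-owned default key,
  # so access to the table contents is also gated by the key policy.
  server_side_encryption {
    enabled     = true
    kms_key_arn = aws_kms_key.terraform_backend.arn
  }

  # CKV_AWS_28: continuous backups, so the table can be restored to any point
  # in the last 35 days if lock rows are deleted or corrupted.
  point_in_time_recovery {
    enabled = true
  }

  # Losing this table silently disables locking for every workspace that uses
  # the backend; refuse to destroy it through a plan.
  lifecycle {
    prevent_destroy = true
  }
}
```

The lock table holds only lock IDs and state digests. The state file itself, which for this repository would contain the RDS master password visible further down the page, lives in the S3 backend bucket, so the bucket's encryption, versioning and public-access block are the controls that matter more than the two findings above.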
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.instance_1
File: /03-basics/web-app/main.tf:24-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
24 | resource "aws_instance" "instance_1" {
25 | ami = "ami-011899242bb902164" # Ubuntu 20.04 LTS // us-east-1
26 | instance_type = "t2.micro"
27 | security_groups = [aws_security_group.instances.name]
28 | user_data = <<-EOF
29 | #!/bin/bash
30 | echo "Hello, World 1" > index.html
31 | python3 -m http.server 8080 &
32 | EOF
33 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.instance_1
File: /03-basics/web-app/main.tf:24-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
24 | resource "aws_instance" "instance_1" {
25 | ami = "ami-011899242bb902164" # Ubuntu 20.04 LTS // us-east-1
26 | instance_type = "t2.micro"
27 | security_groups = [aws_security_group.instances.name]
28 | user_data = <<-EOF
29 | #!/bin/bash
30 | echo "Hello, World 1" > index.html
31 | python3 -m http.server 8080 &
32 | EOF
33 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.instance_1
File: /03-basics/web-app/main.tf:24-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
24 | resource "aws_instance" "instance_1" {
25 | ami = "ami-011899242bb902164" # Ubuntu 20.04 LTS // us-east-1
26 | instance_type = "t2.micro"
27 | security_groups = [aws_security_group.instances.name]
28 | user_data = <<-EOF
29 | #!/bin/bash
30 | echo "Hello, World 1" > index.html
31 | python3 -m http.server 8080 &
32 | EOF
33 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.instance_1
File: /03-basics/web-app/main.tf:24-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
24 | resource "aws_instance" "instance_1" {
25 | ami = "ami-011899242bb902164" # Ubuntu 20.04 LTS // us-east-1
26 | instance_type = "t2.micro"
27 | security_groups = [aws_security_group.instances.name]
28 | user_data = <<-EOF
29 | #!/bin/bash
30 | echo "Hello, World 1" > index.html
31 | python3 -m http.server 8080 &
32 | EOF
33 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.instance_2
File: /03-basics/web-app/main.tf:35-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
35 | resource "aws_instance" "instance_2" {
36 | ami = "ami-011899242bb902164" # Ubuntu 20.04 LTS // us-east-1
37 | instance_type = "t2.micro"
38 | security_groups = [aws_security_group.instances.name]
39 | user_data = <<-EOF
40 | #!/bin/bash
41 | echo "Hello, World 2" > index.html
42 | python3 -m http.server 8080 &
43 | EOF
44 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.instance_2
File: /03-basics/web-app/main.tf:35-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
35 | resource "aws_instance" "instance_2" {
36 | ami = "ami-011899242bb902164" # Ubuntu 20.04 LTS // us-east-1
37 | instance_type = "t2.micro"
38 | security_groups = [aws_security_group.instances.name]
39 | user_data = <<-EOF
40 | #!/bin/bash
41 | echo "Hello, World 2" > index.html
42 | python3 -m http.server 8080 &
43 | EOF
44 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.instance_2
File: /03-basics/web-app/main.tf:35-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
35 | resource "aws_instance" "instance_2" {
36 | ami = "ami-011899242bb902164" # Ubuntu 20.04 LTS // us-east-1
37 | instance_type = "t2.micro"
38 | security_groups = [aws_security_group.instances.name]
39 | user_data = <<-EOF
40 | #!/bin/bash
41 | echo "Hello, World 2" > index.html
42 | python3 -m http.server 8080 &
43 | EOF
44 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.instance_2
File: /03-basics/web-app/main.tf:35-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
35 | resource "aws_instance" "instance_2" {
36 | ami = "ami-011899242bb902164" # Ubuntu 20.04 LTS // us-east-1
37 | instance_type = "t2.micro"
38 | security_groups = [aws_security_group.instances.name]
39 | user_data = <<-EOF
40 | #!/bin/bash
41 | echo "Hello, World 2" > index.html
42 | python3 -m http.server 8080 &
43 | EOF
44 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.instances
File: /03-basics/web-app/main.tf:75-77
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
75 | resource "aws_security_group" "instances" {
76 | name = "instance-security-group"
77 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group_rule.allow_http_inbound
File: /03-basics/web-app/main.tf:79-87
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
79 | resource "aws_security_group_rule" "allow_http_inbound" {
80 | type = "ingress"
81 | security_group_id = aws_security_group.instances.id
82 |
83 | from_port = 8080
84 | to_port = 8080
85 | protocol = "tcp"
86 | cidr_blocks = ["0.0.0.0/0"]
87 | }
Check: CKV_AWS_2: "Ensure ALB protocol is HTTPS"
FAILED for resource: aws_lb_listener.http
File: /03-basics/web-app/main.tf:89-106
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-29.html
89 | resource "aws_lb_listener" "http" {
90 | load_balancer_arn = aws_lb.load_balancer.arn
91 |
92 | port = 80
93 |
94 | protocol = "HTTP"
95 |
96 | # By default, return a simple 404 page
97 | default_action {
98 | type = "fixed-response"
99 |
100 | fixed_response {
101 | content_type = "text/plain"
102 | message_body = "404: page not found"
103 | status_code = 404
104 | }
105 | }
106 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.alb
File: /03-basics/web-app/main.tf:154-156
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
154 | resource "aws_security_group" "alb" {
155 | name = "alb-security-group"
156 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group_rule.allow_alb_http_inbound
File: /03-basics/web-app/main.tf:158-167
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
158 | resource "aws_security_group_rule" "allow_alb_http_inbound" {
159 | type = "ingress"
160 | security_group_id = aws_security_group.alb.id
161 |
162 | from_port = 80
163 | to_port = 80
164 | protocol = "tcp"
165 | cidr_blocks = ["0.0.0.0/0"]
166 |
167 | }
Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
FAILED for resource: aws_security_group_rule.allow_alb_http_inbound
File: /03-basics/web-app/main.tf:158-167
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
158 | resource "aws_security_group_rule" "allow_alb_http_inbound" {
159 | type = "ingress"
160 | security_group_id = aws_security_group.alb.id
161 |
162 | from_port = 80
163 | to_port = 80
164 | protocol = "tcp"
165 | cidr_blocks = ["0.0.0.0/0"]
166 |
167 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group_rule.allow_alb_all_outbound
File: /03-basics/web-app/main.tf:169-178
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
169 | resource "aws_security_group_rule" "allow_alb_all_outbound" {
170 | type = "egress"
171 | security_group_id = aws_security_group.alb.id
172 |
173 | from_port = 0
174 | to_port = 0
175 | protocol = "-1"
176 | cidr_blocks = ["0.0.0.0/0"]
177 |
178 | }
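The security-group findings between the two `aws_security_group` blocks and their rules (CKV_AWS_23 on every rule, CKV_AWS_260 on the ALB's port 80) rewritten so that every rule carries a description and the instances accept traffic only from the ALB. This is an added example, not code from the course repository; the HTTPS rule and the restricted egress rule are assumptions, and the inline `#checkov:skip` records why port 80 is kept.

```hcl
# Added example (not course code): security groups with a description on every
# rule (CKV_AWS_23) and the application port reachable only via the ALB.

resource "aws_security_group" "instances" {
  name        = "instance-security-group"
  description = "Web app instances: accept traffic only from the ALB"
}

resource "aws_security_group" "alb" {
  name        = "alb-security-group"
  description = "Public ALB for the web app"
}

# Instances: port 8080 from the ALB security group, not from 0.0.0.0/0.
resource "aws_security_group_rule" "allow_http_inbound" {
  type                     = "ingress"
  description              = "App port from the ALB only"
  security_group_id        = aws_security_group.instances.id
  from_port                = 8080
  to_port                  = 8080
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.alb.id
}

# ALB: TLS from the internet. A public listener has to accept 0.0.0.0/0, so the
# control is the port (443 with a certificate) rather than the source range.
resource "aws_security_group_rule" "allow_alb_https_inbound" {
  type              = "ingress"
  description       = "HTTPS from the internet"
  security_group_id = aws_security_group.alb.id
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
}

# Port 80 is kept only so the listener can redirect to HTTPS. CKV_AWS_260 still
# flags it; the inline skip documents the accepted risk instead of hiding it.
resource "aws_security_group_rule" "allow_alb_http_inbound" {
  #checkov:skip=CKV_AWS_260:Port 80 serves only a 301 redirect to HTTPS
  type              = "ingress"
  description       = "HTTP from the internet, redirected to HTTPS by the listener"
  security_group_id = aws_security_group.alb.id
  from_port         = 80
  to_port           = 80
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
}

# ALB egress: only to the instances on the app port, instead of all traffic to
# anywhere. For egress rules source_security_group_id names the destination group.
resource "aws_security_group_rule" "allow_alb_to_instances" {
  type                     = "egress"
  description              = "Forward to app instances on 8080"
  security_group_id        = aws_security_group.alb.id
  from_port                = 8080
  to_port                  = 8080
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.instances.id
}
```

Using a security-group reference instead of a CIDR means the instances never become reachable directly even if they land in a public subnet with a public IP, which the course's default-VPC layout gives them. The skip annotation shows up in checkov output as a skipped check with the comment, so the exception stays visible in every future scan.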
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
FAILED for resource: aws_lb.load_balancer
File: /03-basics/web-app/main.tf:181-187
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers.html
181 | resource "aws_lb" "load_balancer" {
182 | name = "web-app-lb"
183 | load_balancer_type = "application"
184 | subnets = data.aws_subnet_ids.default_subnet.ids
185 | security_groups = [aws_security_group.alb.id]
186 |
187 | }
Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
FAILED for resource: aws_lb.load_balancer
File: /03-basics/web-app/main.tf:181-187
Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62
181 | resource "aws_lb" "load_balancer" {
182 | name = "web-app-lb"
183 | load_balancer_type = "application"
184 | subnets = data.aws_subnet_ids.default_subnet.ids
185 | security_groups = [aws_security_group.alb.id]
186 |
187 | }
Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
FAILED for resource: aws_lb.load_balancer
File: /03-basics/web-app/main.tf:181-187
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22.html
181 | resource "aws_lb" "load_balancer" {
182 | name = "web-app-lb"
183 | load_balancer_type = "application"
184 | subnets = data.aws_subnet_ids.default_subnet.ids
185 | security_groups = [aws_security_group.alb.id]
186 |
187 | }
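The load balancer and its listener (CKV_AWS_2, CKV_AWS_131, CKV_AWS_150, CKV_AWS_91) rewritten so that traffic is carried over HTTPS and the HTTP listener only redirects. This is an added example, not code from the course repository. It keeps the page's `data.aws_subnet_ids.default_subnet` and `aws_security_group.alb` references; the `certificate_arn` and `alb_log_bucket` variables, and the ACM certificate and log bucket behind them, are assumptions.

```hcl
# Added example (not course code): ALB hardened for CKV_AWS_131, CKV_AWS_150,
# CKV_AWS_91 and CKV_AWS_2. The certificate and log bucket are assumed to exist.

variable "certificate_arn" {
  description = "ARN of an ACM certificate for the web app hostname (assumed)"
  type        = string
}

variable "alb_log_bucket" {
  description = "S3 bucket for ALB access logs (assumed); its policy must let the regional ELB log-delivery account write"
  type        = string
}

resource "aws_lb" "load_balancer" {
  name               = "web-app-lb"
  load_balancer_type = "application"
  subnets            = data.aws_subnet_ids.default_subnet.ids
  security_groups    = [aws_security_group.alb.id]

  # CKV_AWS_131: strip header fields with invalid names before forwarding instead
  # of passing them to the targets, which removes one request-smuggling vector.
  drop_invalid_header_fields = true

  # CKV_AWS_150: a plan that destroys the ALB fails until this is set back to false.
  enable_deletion_protection = true

  # CKV_AWS_91: per-request logs (client IP, TLS version, target status) to S3.
  access_logs {
    bucket  = var.alb_log_bucket
    prefix  = "web-app-lb"
    enabled = true
  }
}

# CKV_AWS_2: the listener that carries application traffic is HTTPS.
resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.load_balancer.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06" # TLS 1.2+ only
  certificate_arn   = var.certificate_arn

  # By default, return a simple 404 page, as in the original.
  default_action {
    type = "fixed-response"
    fixed_response {
      content_type = "text/plain"
      message_body = "404: page not found"
      status_code  = 404
    }
  }
}

# Port 80 stays only to redirect; it forwards nothing, so CKV_AWS_2 passes it.
resource "aws_lb_listener" "http" {
  load_balancer_arn = aws_lb.load_balancer.arn
  port              = 80
  protocol          = "HTTP"

  default_action {
    type = "redirect"
    redirect {
      port        = "443"
      protocol    = "HTTPS"
      status_code = "HTTP_301"
    }
  }
}
```

The ALB writes logs with the regional ELB account rather than a service principal in most regions; `data.aws_elb_service_account` returns that account's ARN for the bucket policy. Any `aws_lb_listener_rule` that currently hangs off `aws_lb_listener.http` must be moved to the HTTPS listener, otherwise the redirect is the only action on port 80 and the rules never match.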
Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
FAILED for resource: aws_db_instance.db_instance
File: /03-basics/web-app/main.tf:205-220
205 | resource "aws_db_instance" "db_instance" {
206 | allocated_storage = 20
207 | # This allows any minor version within the major engine_version
208 | # defined below, but will also result in allowing AWS to auto
209 | # upgrade the minor version of your DB. This may be too risky
210 | # in a real production environment.
211 | auto_minor_version_upgrade = true
212 | storage_type = "standard"
213 | engine = "postgres"
214 | engine_version = "12"
215 | instance_class = "db.t2.micro"
216 | name = "mydb"
217 | username = "foo"
218 | password = "foobarbaz"
219 | skip_final_snapshot = true
220 | }
Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
FAILED for resource: aws_db_instance.db_instance
File: /03-basics/web-app/main.tf:205-220
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled.html
205 | resource "aws_db_instance" "db_instance" {
206 | allocated_storage = 20
207 | # This allows any minor version within the major engine_version
208 | # defined below, but will also result in allowing AWS to auto
209 | # upgrade the minor version of your DB. This may be too risky
210 | # in a real production environment.
211 | auto_minor_version_upgrade = true
212 | storage_type = "standard"
213 | engine = "postgres"
214 | engine_version = "12"
215 | instance_class = "db.t2.micro"
216 | name = "mydb"
217 | username = "foo"
218 | password = "foobarbaz"
219 | skip_final_snapshot = true
220 | }
Check: CKV_AWS_161: "Ensure RDS database has IAM authentication enabled"
FAILED for resource: aws_db_instance.db_instance
File: /03-basics/web-app/main.tf:205-220
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-rds-database-has-iam-authentication-enabled.html
205 | resource "aws_db_instance" "db_instance" {
206 | allocated_storage = 20
207 | # This allows any minor version within the major engine_version
208 | # defined below, but will also result in allowing AWS to auto
209 | # upgrade the minor version of your DB. This may be too risky
210 | # in a real production environment.
211 | auto_minor_version_upgrade = true
212 | storage_type = "standard"
213 | engine = "postgres"
214 | engine_version = "12"
215 | instance_class = "db.t2.micro"
216 | name = "mydb"
217 | username = "foo"
218 | password = "foobarbaz"
219 | skip_final_snapshot = true
220 | }
Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
FAILED for resource: aws_db_instance.db_instance
File: /03-basics/web-app/main.tf:205-220
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances.html
205 | resource "aws_db_instance" "db_instance" {
206 | allocated_storage = 20
207 | # This allows any minor version within the major engine_version
208 | # defined below, but will also result in allowing AWS to auto
209 | # upgrade the minor version of your DB. This may be too risky
210 | # in a real production environment.
211 | auto_minor_version_upgrade = true
212 | storage_type = "standard"
213 | engine = "postgres"
214 | engine_version = "12"
215 | instance_class = "db.t2.micro"
216 | name = "mydb"
217 | username = "foo"
218 | password = "foobarbaz"
219 | skip_final_snapshot = true
220 | }
Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
FAILED for resource: aws_db_instance.db_instance
File: /03-basics/web-app/main.tf:205-220
205 | resource "aws_db_instance" "db_instance" {
206 | allocated_storage = 20
207 | # This allows any minor version within the major engine_version
208 | # defined below, but will also result in allowing AWS to auto
209 | # upgrade the minor version of your DB. This may be too risky
210 | # in a real production environment.
211 | auto_minor_version_upgrade = true
212 | storage_type = "standard"
213 | engine = "postgres"
214 | engine_version = "12"
215 | instance_class = "db.t2.micro"
216 | name = "mydb"
217 | username = "foo"
218 | password = "foobarbaz"
219 | skip_final_snapshot = true
220 | }
Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
FAILED for resource: aws_db_instance.db_instance
File: /03-basics/web-app/main.tf:205-220
205 | resource "aws_db_instance" "db_instance" {
206 | allocated_storage = 20
207 | # This allows any minor version within the major engine_version
208 | # defined below, but will also result in allowing AWS to auto
209 | # upgrade the minor version of your DB. This may be too risky
210 | # in a real production environment.
211 | auto_minor_version_upgrade = true
212 | storage_type = "standard"
213 | engine = "postgres"
214 | engine_version = "12"
215 | instance_class = "db.t2.micro"
216 | name = "mydb"
217 | username = "foo"
218 | password = "foobarbaz"
219 | skip_final_snapshot = true
220 | }
Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
FAILED for resource: aws_db_instance.db_instance
File: /03-basics/web-app/main.tf:205-220
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-4.html
205 | resource "aws_db_instance" "db_instance" {
206 | allocated_storage = 20
207 | # This allows any minor version within the major engine_version
208 | # defined below, but will also result in allowing AWS to auto
209 | # upgrade the minor version of your DB. This may be too risky
210 | # in a real production environment.
211 | auto_minor_version_upgrade = true
212 | storage_type = "standard"
213 | engine = "postgres"
214 | engine_version = "12"
215 | instance_class = "db.t2.micro"
216 | name = "mydb"
217 | username = "foo"
218 | password = "foobarbaz"
219 | skip_final_snapshot = true
220 | }
Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
FAILED for resource: aws_db_instance.db_instance
File: /03-basics/web-app/main.tf:205-220
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-73.html
205 | resource "aws_db_instance" "db_instance" {
206 | allocated_storage = 20
207 | # This allows any minor version within the major engine_version
208 | # defined below, but will also result in allowing AWS to auto
209 | # upgrade the minor version of your DB. This may be too risky
210 | # in a real production environment.
211 | auto_minor_version_upgrade = true
212 | storage_type = "standard"
213 | engine = "postgres"
214 | engine_version = "12"
215 | instance_class = "db.t2.micro"
216 | name = "mydb"
217 | username = "foo"
218 | password = "foobarbaz"
219 | skip_final_snapshot = true
220 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.instance
File: /04-variables-and-outputs/examples/main.tf:26-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
26 | resource "aws_instance" "instance" {
27 | ami = var.ami
28 | instance_type = var.instance_type
29 |
30 | tags = {
31 | Name = var.instance_name
32 | ExtraTag = local.extra_tag
33 | }
34 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.instance
File: /04-variables-and-outputs/examples/main.tf:26-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
26 | resource "aws_instance" "instance" {
27 | ami = var.ami
28 | instance_type = var.instance_type
29 |
30 | tags = {
31 | Name = var.instance_name
32 | ExtraTag = local.extra_tag
33 | }
34 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.instance
File: /04-variables-and-outputs/examples/main.tf:26-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
26 | resource "aws_instance" "instance" {
27 | ami = var.ami
28 | instance_type = var.instance_type
29 |
30 | tags = {
31 | Name = var.instance_name
32 | ExtraTag = local.extra_tag
33 | }
34 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.instance
File: /04-variables-and-outputs/examples/main.tf:26-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
26 | resource "aws_instance" "instance" {
27 | ami = var.ami
28 | instance_type = var.instance_type
29 |
30 | tags = {
31 | Name = var.instance_name
32 | ExtraTag = local.extra_tag
33 | }
34 | }
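The four `aws_instance` findings (CKV_AWS_79, CKV_AWS_8, CKV_AWS_126, CKV_AWS_135) recur for every instance on this page: `aws_instance.example` in 02-overview, `instance_1` and `instance_2` in the 03-basics and 04-variables-and-outputs web apps, and `aws_instance.instance` in 04-variables-and-outputs/examples. One hardened version serves all of them, shown here as an added example rather than code from the course repository. The AMI, security group and `user_data` are the page's; the instance-type change, `metadata_options` and `root_block_device` blocks are additions.

```hcl
# Added example (not course code): aws_instance hardened for CKV_AWS_79,
# CKV_AWS_8, CKV_AWS_126 and CKV_AWS_135.

resource "aws_instance" "instance_1" {
  ami = "ami-011899242bb902164" # Ubuntu 20.04 LTS // us-east-1

  # t2 instances cannot be EBS-optimized, so CKV_AWS_135 is unsatisfiable on
  # t2.micro; t3 is EBS-optimized by default and the flag below is accepted.
  instance_type = "t3.micro"
  ebs_optimized = true

  # The page attaches the group by name, which only works in a default VPC;
  # attaching by ID is the general form.
  vpc_security_group_ids = [aws_security_group.instances.id]

  # CKV_AWS_79: require IMDSv2. With http_tokens = "required" every metadata
  # read needs a token from a prior PUT to /latest/api/token, so an SSRF that
  # can only issue GETs cannot pull the instance role credentials.
  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required"
    http_put_response_hop_limit = 1 # token never leaves the instance's own network hop
  }

  # CKV_AWS_8: encrypt the root volume. Account-level default EBS encryption is
  # the stronger control; this makes the requirement explicit per instance.
  root_block_device {
    encrypted   = true
    volume_type = "gp3"
  }

  # CKV_AWS_126: 1-minute CloudWatch metrics instead of the 5-minute default.
  monitoring = true

  user_data = <<-EOF
    #!/bin/bash
    echo "Hello, World 1" > index.html
    python3 -m http.server 8080 &
    EOF
}
```

A hop limit of 1 also blocks IMDS access from containers on a bridge network on the instance; raise it to 2 only where a workload inside a container legitimately needs the instance role. Changing `metadata_options` on a running instance is an in-place update, so this can be rolled out without replacement.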
Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
FAILED for resource: aws_db_instance.db_instance
File: /04-variables-and-outputs/examples/main.tf:36-46
36 | resource "aws_db_instance" "db_instance" {
37 | allocated_storage = 20
38 | storage_type = "gp2"
39 | engine = "postgres"
40 | engine_version = "12"
41 | instance_class = "db.t2.micro"
42 | name = "mydb"
43 | username = var.db_user
44 | password = var.db_pass
45 | skip_final_snapshot = true
46 | }
Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
FAILED for resource: aws_db_instance.db_instance
File: /04-variables-and-outputs/examples/main.tf:36-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled.html
36 | resource "aws_db_instance" "db_instance" {
37 | allocated_storage = 20
38 | storage_type = "gp2"
39 | engine = "postgres"
40 | engine_version = "12"
41 | instance_class = "db.t2.micro"
42 | name = "mydb"
43 | username = var.db_user
44 | password = var.db_pass
45 | skip_final_snapshot = true
46 | }
Check: CKV_AWS_161: "Ensure RDS database has IAM authentication enabled"
FAILED for resource: aws_db_instance.db_instance
File: /04-variables-and-outputs/examples/main.tf:36-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-rds-database-has-iam-authentication-enabled.html
36 | resource "aws_db_instance" "db_instance" {
37 | allocated_storage = 20
38 | storage_type = "gp2"
39 | engine = "postgres"
40 | engine_version = "12"
41 | instance_class = "db.t2.micro"
42 | name = "mydb"
43 | username = var.db_user
44 | password = var.db_pass
45 | skip_final_snapshot = true
46 | }
Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
FAILED for resource: aws_db_instance.db_instance
File: /04-variables-and-outputs/examples/main.tf:36-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically.html
36 | resource "aws_db_instance" "db_instance" {
37 | allocated_storage = 20
38 | storage_type = "gp2"
39 | engine = "postgres"
40 | engine_version = "12"
41 | instance_class = "db.t2.micro"
42 | name = "mydb"
43 | username = var.db_user
44 | password = var.db_pass
45 | skip_final_snapshot = true
46 | }
Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
FAILED for resource: aws_db_instance.db_instance
File: /04-variables-and-outputs/examples/main.tf:36-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances.html
36 | resource "aws_db_instance" "db_instance" {
37 | allocated_storage = 20
38 | storage_type = "gp2"
39 | engine = "postgres"
40 | engine_version = "12"
41 | instance_class = "db.t2.micro"
42 | name = "mydb"
43 | username = var.db_user
44 | password = var.db_pass
45 | skip_final_snapshot = true
46 | }
Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
FAILED for resource: aws_db_instance.db_instance
File: /04-variables-and-outputs/examples/main.tf:36-46
36 | resource "aws_db_instance" "db_instance" {
37 | allocated_storage = 20
38 | storage_type = "gp2"
39 | engine = "postgres"
40 | engine_version = "12"
41 | instance_class = "db.t2.micro"
42 | name = "mydb"
43 | username = var.db_user
44 | password = var.db_pass
45 | skip_final_snapshot = true
46 | }
Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
FAILED for resource: aws_db_instance.db_instance
File: /04-variables-and-outputs/examples/main.tf:36-46
36 | resource "aws_db_instance" "db_instance" {
37 | allocated_storage = 20
38 | storage_type = "gp2"
39 | engine = "postgres"
40 | engine_version = "12"
41 | instance_class = "db.t2.micro"
42 | name = "mydb"
43 | username = var.db_user
44 | password = var.db_pass
45 | skip_final_snapshot = true
46 | }
Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
FAILED for resource: aws_db_instance.db_instance
File: /04-variables-and-outputs/examples/main.tf:36-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-4.html
36 | resource "aws_db_instance" "db_instance" {
37 | allocated_storage = 20
38 | storage_type = "gp2"
39 | engine = "postgres"
40 | engine_version = "12"
41 | instance_class = "db.t2.micro"
42 | name = "mydb"
43 | username = var.db_user
44 | password = var.db_pass
45 | skip_final_snapshot = true
46 | }
Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
FAILED for resource: aws_db_instance.db_instance
File: /04-variables-and-outputs/examples/main.tf:36-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-73.html
36 | resource "aws_db_instance" "db_instance" {
37 | allocated_storage = 20
38 | storage_type = "gp2"
39 | engine = "postgres"
40 | engine_version = "12"
41 | instance_class = "db.t2.micro"
42 | name = "mydb"
43 | username = var.db_user
44 | password = var.db_pass
45 | skip_final_snapshot = true
46 | }
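The RDS findings are the same for both `aws_db_instance.db_instance` resources on this page (03-basics/web-app, which additionally commits the master password `foobarbaz` to the repository, and 04-variables-and-outputs/examples). One hardened version serves both, as an added example and not code from the course repository. It assumes AWS provider 4 or later (`db_name` replaces the `name` argument the page uses); the `aws_kms_key`, the monitoring IAM role and the `sensitive` variables are additions.

```hcl
# Added example (not course code): aws_db_instance hardened for CKV_AWS_16,
# CKV_AWS_118, CKV_AWS_129, CKV_AWS_157, CKV_AWS_161, CKV_AWS_226, CKV_AWS_293,
# CKV_AWS_353 and CKV_AWS_354. Assumes AWS provider >= 4.

variable "db_user" {
  type = string
}

variable "db_pass" {
  type      = string
  sensitive = true # redacted from plan/apply output; it is still written to state
}

# Assumed: one CMK for storage and Performance Insights data.
resource "aws_kms_key" "rds" {
  description         = "CMK for RDS storage and Performance Insights"
  enable_key_rotation = true
}

# CKV_AWS_118: enhanced monitoring needs a role that RDS can assume to push
# OS-level metrics to CloudWatch Logs.
resource "aws_iam_role" "rds_monitoring" {
  name = "web-app-rds-monitoring"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "monitoring.rds.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

resource "aws_iam_role_policy_attachment" "rds_monitoring" {
  role       = aws_iam_role.rds_monitoring.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole"
}

resource "aws_db_instance" "db_instance" {
  allocated_storage = 20
  storage_type      = "gp3" # "standard" is magnetic storage
  engine            = "postgres"
  engine_version    = "12"
  # Performance Insights is not offered on db.t2.micro or db.t3.micro, so
  # CKV_AWS_353/354 cannot pass on the page's instance class.
  instance_class = "db.t3.medium"
  db_name        = "mydb"
  username       = var.db_user
  password       = var.db_pass

  storage_encrypted = true                # CKV_AWS_16
  kms_key_id        = aws_kms_key.rds.arn

  deletion_protection       = true        # CKV_AWS_293
  skip_final_snapshot       = false
  final_snapshot_identifier = "web-app-db-final"
  multi_az                  = true        # CKV_AWS_157

  auto_minor_version_upgrade = true       # CKV_AWS_226

  # CKV_AWS_161: short-lived IAM tokens instead of the shared password for
  # application connections; the password stays as break-glass access.
  iam_database_authentication_enabled = true

  enabled_cloudwatch_logs_exports = ["postgresql", "upgrade"] # CKV_AWS_129

  monitoring_interval = 60                # CKV_AWS_118
  monitoring_role_arn = aws_iam_role.rds_monitoring.arn

  performance_insights_enabled    = true                # CKV_AWS_353
  performance_insights_kms_key_id = aws_kms_key.rds.arn # CKV_AWS_354
}
```

Two points the checks do not cover: a password that has been committed to git, as in 03-basics/web-app, has to be rotated, not merely moved into a variable, because it remains in the repository history; and marking the variable `sensitive` keeps it out of console output but not out of the state file, which is why the backend bucket's encryption matters. `storage_encrypted` cannot be turned on for an existing instance; the change forces a replacement, and the same applies to moving to a new `instance_class` only in the sense of a reboot.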
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.instance_1
File: /04-variables-and-outputs/web-app/main.tf:25-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
25 | resource "aws_instance" "instance_1" {
26 | ami = var.ami
27 | instance_type = var.instance_type
28 | security_groups = [aws_security_group.instances.name]
29 | user_data = <<-EOF
30 | #!/bin/bash
31 | echo "Hello, World 1" > index.html
32 | python3 -m http.server 8080 &
33 | EOF
34 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.instance_1
File: /04-variables-and-outputs/web-app/main.tf:25-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
25 | resource "aws_instance" "instance_1" {
26 | ami = var.ami
27 | instance_type = var.instance_type
28 | security_groups = [aws_security_group.instances.name]
29 | user_data = <<-EOF
30 | #!/bin/bash
31 | echo "Hello, World 1" > index.html
32 | python3 -m http.server 8080 &
33 | EOF
34 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.instance_1
File: /04-variables-and-outputs/web-app/main.tf:25-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
25 | resource "aws_instance" "instance_1" {
26 | ami = var.ami
27 | instance_type = var.instance_type
28 | security_groups = [aws_security_group.instances.name]
29 | user_data = <<-EOF
30 | #!/bin/bash
31 | echo "Hello, World 1" > index.html
32 | python3 -m http.server 8080 &
33 | EOF
34 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.instance_1
File: /04-variables-and-outputs/web-app/main.tf:25-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
25 | resource "aws_instance" "instance_1" {
26 | ami = var.ami
27 | instance_type = var.instance_type
28 | security_groups = [aws_security_group.instances.name]
29 | user_data = <<-EOF
30 | #!/bin/bash
31 | echo "Hello, World 1" > index.html
32 | python3 -m http.server 8080 &
33 | EOF
34 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.instance_2
File: /04-variables-and-outputs/web-app/main.tf:36-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
36 | resource "aws_instance" "instance_2" {
37 | ami = var.ami
38 | instance_type = var.instance_type
39 | security_groups = [aws_security_group.instances.name]
40 | user_data = <<-EOF
41 | #!/bin/bash
42 | echo "Hello, World 2" > index.html
43 | python3 -m http.server 8080 &
44 | EOF
45 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.instance_2
File: /04-variables-and-outputs/web-app/main.tf:36-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
36 | resource "aws_instance" "instance_2" {
37 | ami = var.ami
38 | instance_type = var.instance_type
39 | security_groups = [aws_security_group.instances.name]
40 | user_data = <<-EOF
41 | #!/bin/bash
42 | echo "Hello, World 2" > index.html
43 | python3 -m http.server 8080 &
44 | EOF
45 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.instance_2
File: /04-variables-and-outputs/web-app/main.tf:36-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
36 | resource "aws_instance" "instance_2" {
37 | ami = var.ami
38 | instance_type = var.instance_type
39 | security_groups = [aws_security_group.instances.name]
40 | user_data = <<-EOF
41 | #!/bin/bash
42 | echo "Hello, World 2" > index.html
43 | python3 -m http.server 8080 &
44 | EOF
45 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.instance_2
File: /04-variables-and-outputs/web-app/main.tf:36-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
36 | resource "aws_instance" "instance_2" {
37 | ami = var.ami
38 | instance_type = var.instance_type
39 | security_groups = [aws_security_group.instances.name]
40 | user_data = <<-EOF
41 | #!/bin/bash
42 | echo "Hello, World 2" > index.html
43 | python3 -m http.server 8080 &
44 | EOF
45 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.instances
File: /04-variables-and-outputs/web-app/main.tf:76-78
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
76 | resource "aws_security_group" "instances" {
77 | name = "instance-security-group"
78 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group_rule.allow_http_inbound
File: /04-variables-and-outputs/web-app/main.tf:80-88
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
80 | resource "aws_security_group_rule" "allow_http_inbound" {
81 | type = "ingress"
82 | security_group_id = aws_security_group.instances.id
83 |
84 | from_port = 8080
85 | to_port = 8080
86 | protocol = "tcp"
87 | cidr_blocks = ["0.0.0.0/0"]
88 | }
Check: CKV_AWS_2: "Ensure ALB protocol is HTTPS"
FAILED for resource: aws_lb_listener.http
File: /04-variables-and-outputs/web-app/main.tf:90-107
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-29.html
90 | resource "aws_lb_listener" "http" {
91 | load_balancer_arn = aws_lb.load_balancer.arn
92 |
93 | port = 80
94 |
95 | protocol = "HTTP"
96 |
97 | # By default, return a simple 404 page
98 | default_action {
99 | type = "fixed-response"
100 |
101 | fixed_response {
102 | content_type = "text/plain"
103 | message_body = "404: page not found"
104 | status_code = 404
105 | }
106 | }
107 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.alb
File: /04-variables-and-outputs/web-app/main.tf:155-157
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
155 | resource "aws_security_group" "alb" {
156 | name = "alb-security-group"
157 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group_rule.allow_alb_http_inbound
File: /04-variables-and-outputs/web-app/main.tf:159-168
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
159 | resource "aws_security_group_rule" "allow_alb_http_inbound" {
160 | type = "ingress"
161 | security_group_id = aws_security_group.alb.id
162 |
163 | from_port = 80
164 | to_port = 80
165 | protocol = "tcp"
166 | cidr_blocks = ["0.0.0.0/0"]
167 |
168 | }
Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
FAILED for resource: aws_security_group_rule.allow_alb_http_inbound
File: /04-variables-and-outputs/web-app/main.tf:159-168
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
159 | resource "aws_security_group_rule" "allow_alb_http_inbound" {
160 | type = "ingress"
161 | security_group_id = aws_security_group.alb.id
162 |
163 | from_port = 80
164 | to_port = 80
165 | protocol = "tcp"
166 | cidr_blocks = ["0.0.0.0/0"]
167 |
168 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group_rule.allow_alb_all_outbound
File: /04-variables-and-outputs/web-app/main.tf:170-179
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
170 | resource "aws_security_group_rule" "allow_alb_all_outbound" {
171 | type = "egress"
172 | security_group_id = aws_security_group.alb.id
173 |
174 | from_port = 0
175 | to_port = 0
176 | protocol = "-1"
177 | cidr_blocks = ["0.0.0.0/0"]
178 |
179 | }
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
FAILED for resource: aws_lb.load_balancer
File: /04-variables-and-outputs/web-app/main.tf:182-188
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers.html
182 | resource "aws_lb" "load_balancer" {
183 | name = "web-app-lb"
184 | load_balancer_type = "application"
185 | subnets = data.aws_subnet_ids.default_subnet.ids
186 | security_groups = [aws_security_group.alb.id]
187 |
188 | }
Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
FAILED for resource: aws_lb.load_balancer
File: /04-variables-and-outputs/web-app/main.tf:182-188
Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62
182 | resource "aws_lb" "load_balancer" {
183 | name = "web-app-lb"
184 | load_balancer_type = "application"
185 | subnets = data.aws_subnet_ids.default_subnet.ids
186 | security_groups = [aws_security_group.alb.id]
187 |
188 | }
Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
FAILED for resource: aws_lb.load_balancer
File: /04-variables-and-outputs/web-app/main.tf:182-188
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22.html
182 | resource "aws_lb" "load_balancer" {
183 | name = "web-app-lb"
184 | load_balancer_type = "application"
185 | subnets = data.aws_subnet_ids.default_subnet.ids
186 | security_groups = [aws_security_group.alb.id]
187 |
188 | }
Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
FAILED for resource: aws_db_instance.db_instance
File: /04-variables-and-outputs/web-app/main.tf:206-216
206 | resource "aws_db_instance" "db_instance" {
207 | allocated_storage = 20
208 | storage_type = "standard"
209 | engine = "postgres"
210 | engine_version = "12"
211 | instance_class = "db.t2.micro"
212 | name = var.db_name
213 | username = var.db_user
214 | password = var.db_pass
215 | skip_final_snapshot = true
216 | }
Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
FAILED for resource: aws_db_instance.db_instance
File: /04-variables-and-outputs/web-app/main.tf:206-216
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled.html
206 | resource "aws_db_instance" "db_instance" {
207 | allocated_storage = 20
208 | storage_type = "standard"
209 | engine = "postgres"
210 | engine_version = "12"
211 | instance_class = "db.t2.micro"
212 | name = var.db_name
213 | username = var.db_user
214 | password = var.db_pass
215 | skip_final_snapshot = true
216 | }
Check: CKV_AWS_161: "Ensure RDS database has IAM authentication enabled"
FAILED for resource: aws_db_instance.db_instance
File: /04-variables-and-outputs/web-app/main.tf:206-216
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-rds-database-has-iam-authentication-enabled.html
206 | resource "aws_db_instance" "db_instance" {
207 | allocated_storage = 20
208 | storage_type = "standard"
209 | engine = "postgres"
210 | engine_version = "12"
211 | instance_class = "db.t2.micro"
212 | name = var.db_name
213 | username = var.db_user
214 | password = var.db_pass
215 | skip_final_snapshot = true
216 | }
Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
FAILED for resource: aws_db_instance.db_instance
File: /04-variables-and-outputs/web-app/main.tf:206-216
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically.html
206 | resource "aws_db_instance" "db_instance" {
207 | allocated_storage = 20
208 | storage_type = "standard"
209 | engine = "postgres"
210 | engine_version = "12"
211 | instance_class = "db.t2.micro"
212 | name = var.db_name
213 | username = var.db_user
214 | password = var.db_pass
215 | skip_final_snapshot = true
216 | }
Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
FAILED for resource: aws_db_instance.db_instance
File: /04-variables-and-outputs/web-app/main.tf:206-216
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances.html
206 | resource "aws_db_instance" "db_instance" {
207 | allocated_storage = 20
208 | storage_type = "standard"
209 | engine = "postgres"
210 | engine_version = "12"
211 | instance_class = "db.t2.micro"
212 | name = var.db_name
213 | username = var.db_user
214 | password = var.db_pass
215 | skip_final_snapshot = true
216 | }
Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
FAILED for resource: aws_db_instance.db_instance
File: /04-variables-and-outputs/web-app/main.tf:206-216
206 | resource "aws_db_instance" "db_instance" {
207 | allocated_storage = 20
208 | storage_type = "standard"
209 | engine = "postgres"
210 | engine_version = "12"
211 | instance_class = "db.t2.micro"
212 | name = var.db_name
213 | username = var.db_user
214 | password = var.db_pass
215 | skip_final_snapshot = true
216 | }
Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
FAILED for resource: aws_db_instance.db_instance
File: /04-variables-and-outputs/web-app/main.tf:206-216
206 | resource "aws_db_instance" "db_instance" {
207 | allocated_storage = 20
208 | storage_type = "standard"
209 | engine = "postgres"
210 | engine_version = "12"
211 | instance_class = "db.t2.micro"
212 | name = var.db_name
213 | username = var.db_user
214 | password = var.db_pass
215 | skip_final_snapshot = true
216 | }
Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
FAILED for resource: aws_db_instance.db_instance
File: /04-variables-and-outputs/web-app/main.tf:206-216
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-4.html
206 | resource "aws_db_instance" "db_instance" {
207 | allocated_storage = 20
208 | storage_type = "standard"
209 | engine = "postgres"
210 | engine_version = "12"
211 | instance_class = "db.t2.micro"
212 | name = var.db_name
213 | username = var.db_user
214 | password = var.db_pass
215 | skip_final_snapshot = true
216 | }
Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
FAILED for resource: aws_db_instance.db_instance
File: /04-variables-and-outputs/web-app/main.tf:206-216
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-73.html
206 | resource "aws_db_instance" "db_instance" {
207 | allocated_storage = 20
208 | storage_type = "standard"
209 | engine = "postgres"
210 | engine_version = "12"
211 | instance_class = "db.t2.micro"
212 | name = var.db_name
213 | username = var.db_user
214 | password = var.db_pass
215 | skip_final_snapshot = true
216 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: module.web_app_1.aws_instance.instance_1
File: /06-organization-and-modules/web-app-module/compute.tf:1-10
Calling File: /06-organization-and-modules/web-app/main.tf:36-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
1 | resource "aws_instance" "instance_1" {
2 | ami = var.ami
3 | instance_type = var.instance_type
4 | security_groups = [aws_security_group.instances.name]
5 | user_data = <<-EOF
6 | #!/bin/bash
7 | echo "Hello, World 1" > index.html
8 | python3 -m http.server 8080 &
9 | EOF
10 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: module.web_app_1.aws_instance.instance_1
File: /06-organization-and-modules/web-app-module/compute.tf:1-10
Calling File: /06-organization-and-modules/web-app/main.tf:36-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
1 | resource "aws_instance" "instance_1" {
2 | ami = var.ami
3 | instance_type = var.instance_type
4 | security_groups = [aws_security_group.instances.name]
5 | user_data = <<-EOF
6 | #!/bin/bash
7 | echo "Hello, World 1" > index.html
8 | python3 -m http.server 8080 &
9 | EOF
10 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: module.web_app_1.aws_instance.instance_1
File: /06-organization-and-modules/web-app-module/compute.tf:1-10
Calling File: /06-organization-and-modules/web-app/main.tf:36-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
1 | resource "aws_instance" "instance_1" {
2 | ami = var.ami
3 | instance_type = var.instance_type
4 | security_groups = [aws_security_group.instances.name]
5 | user_data = <<-EOF
6 | #!/bin/bash
7 | echo "Hello, World 1" > index.html
8 | python3 -m http.server 8080 &
9 | EOF
10 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: module.web_app_1.aws_instance.instance_1
File: /06-organization-and-modules/web-app-module/compute.tf:1-10
Calling File: /06-organization-and-modules/web-app/main.tf:36-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
1 | resource "aws_instance" "instance_1" {
2 | ami = var.ami
3 | instance_type = var.instance_type
4 | security_groups = [aws_security_group.instances.name]
5 | user_data = <<-EOF
6 | #!/bin/bash
7 | echo "Hello, World 1" > index.html
8 | python3 -m http.server 8080 &
9 | EOF
10 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: module.web_app_1.aws_instance.instance_2
File: /06-organization-and-modules/web-app-module/compute.tf:12-21
Calling File: /06-organization-and-modules/web-app/main.tf:36-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
12 | resource "aws_instance" "instance_2" {
13 | ami = var.ami
14 | instance_type = var.instance_type
15 | security_groups = [aws_security_group.instances.name]
16 | user_data = <<-EOF
17 | #!/bin/bash
18 | echo "Hello, World 2" > index.html
19 | python3 -m http.server 8080 &
20 | EOF
21 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: module.web_app_1.aws_instance.instance_2
File: /06-organization-and-modules/web-app-module/compute.tf:12-21
Calling File: /06-organization-and-modules/web-app/main.tf:36-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
12 | resource "aws_instance" "instance_2" {
13 | ami = var.ami
14 | instance_type = var.instance_type
15 | security_groups = [aws_security_group.instances.name]
16 | user_data = <<-EOF
17 | #!/bin/bash
18 | echo "Hello, World 2" > index.html
19 | python3 -m http.server 8080 &
20 | EOF
21 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: module.web_app_1.aws_instance.instance_2
File: /06-organization-and-modules/web-app-module/compute.tf:12-21
Calling File: /06-organization-and-modules/web-app/main.tf:36-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
12 | resource "aws_instance" "instance_2" {
13 | ami = var.ami
14 | instance_type = var.instance_type
15 | security_groups = [aws_security_group.instances.name]
16 | user_data = <<-EOF
17 | #!/bin/bash
18 | echo "Hello, World 2" > index.html
19 | python3 -m http.server 8080 &
20 | EOF
21 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: module.web_app_1.aws_instance.instance_2
File: /06-organization-and-modules/web-app-module/compute.tf:12-21
Calling File: /06-organization-and-modules/web-app/main.tf:36-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
12 | resource "aws_instance" "instance_2" {
13 | ami = var.ami
14 | instance_type = var.instance_type
15 | security_groups = [aws_security_group.instances.name]
16 | user_data = <<-EOF
17 | #!/bin/bash
18 | echo "Hello, World 2" > index.html
19 | python3 -m http.server 8080 &
20 | EOF
21 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: module.web_app_2.aws_instance.instance_1
File: /06-organization-and-modules/web-app-module/compute.tf:1-10
Calling File: /06-organization-and-modules/web-app/main.tf:51-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
1 | resource "aws_instance" "instance_1" {
2 | ami = var.ami
3 | instance_type = var.instance_type
4 | security_groups = [aws_security_group.instances.name]
5 | user_data = <<-EOF
6 | #!/bin/bash
7 | echo "Hello, World 1" > index.html
8 | python3 -m http.server 8080 &
9 | EOF
10 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: module.web_app_2.aws_instance.instance_1
File: /06-organization-and-modules/web-app-module/compute.tf:1-10
Calling File: /06-organization-and-modules/web-app/main.tf:51-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
1 | resource "aws_instance" "instance_1" {
2 | ami = var.ami
3 | instance_type = var.instance_type
4 | security_groups = [aws_security_group.instances.name]
5 | user_data = <<-EOF
6 | #!/bin/bash
7 | echo "Hello, World 1" > index.html
8 | python3 -m http.server 8080 &
9 | EOF
10 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: module.web_app_2.aws_instance.instance_1
File: /06-organization-and-modules/web-app-module/compute.tf:1-10
Calling File: /06-organization-and-modules/web-app/main.tf:51-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
1 | resource "aws_instance" "instance_1" {
2 | ami = var.ami
3 | instance_type = var.instance_type
4 | security_groups = [aws_security_group.instances.name]
5 | user_data = <<-EOF
6 | #!/bin/bash
7 | echo "Hello, World 1" > index.html
8 | python3 -m http.server 8080 &
9 | EOF
10 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: module.web_app_2.aws_instance.instance_1
File: /06-organization-and-modules/web-app-module/compute.tf:1-10
Calling File: /06-organization-and-modules/web-app/main.tf:51-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
1 | resource "aws_instance" "instance_1" {
2 | ami = var.ami
3 | instance_type = var.instance_type
4 | security_groups = [aws_security_group.instances.name]
5 | user_data = <<-EOF
6 | #!/bin/bash
7 | echo "Hello, World 1" > index.html
8 | python3 -m http.server 8080 &
9 | EOF
10 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: module.web_app_2.aws_instance.instance_2
File: /06-organization-and-modules/web-app-module/compute.tf:12-21
Calling File: /06-organization-and-modules/web-app/main.tf:51-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
12 | resource "aws_instance" "instance_2" {
13 | ami = var.ami
14 | instance_type = var.instance_type
15 | security_groups = [aws_security_group.instances.name]
16 | user_data = <<-EOF
17 | #!/bin/bash
18 | echo "Hello, World 2" > index.html
19 | python3 -m http.server 8080 &
20 | EOF
21 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: module.web_app_2.aws_instance.instance_2
File: /06-organization-and-modules/web-app-module/compute.tf:12-21
Calling File: /06-organization-and-modules/web-app/main.tf:51-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
12 | resource "aws_instance" "instance_2" {
13 | ami = var.ami
14 | instance_type = var.instance_type
15 | security_groups = [aws_security_group.instances.name]
16 | user_data = <<-EOF
17 | #!/bin/bash
18 | echo "Hello, World 2" > index.html
19 | python3 -m http.server 8080 &
20 | EOF
21 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: module.web_app_2.aws_instance.instance_2
File: /06-organization-and-modules/web-app-module/compute.tf:12-21
Calling File: /06-organization-and-modules/web-app/main.tf:51-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
12 | resource "aws_instance" "instance_2" {
13 | ami = var.ami
14 | instance_type = var.instance_type
15 | security_groups = [aws_security_group.instances.name]
16 | user_data = <<-EOF
17 | #!/bin/bash
18 | echo "Hello, World 2" > index.html
19 | python3 -m http.server 8080 &
20 | EOF
21 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: module.web_app_2.aws_instance.instance_2
File: /06-organization-and-modules/web-app-module/compute.tf:12-21
Calling File: /06-organization-and-modules/web-app/main.tf:51-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
12 | resource "aws_instance" "instance_2" {
13 | ami = var.ami
14 | instance_type = var.instance_type
15 | security_groups = [aws_security_group.instances.name]
16 | user_data = <<-EOF
17 | #!/bin/bash
18 | echo "Hello, World 2" > index.html
19 | python3 -m http.server 8080 &
20 | EOF
21 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: module.web_app.aws_instance.instance_1
File: /06-organization-and-modules/web-app-module/compute.tf:1-10
Calling File: /07-managing-multiple-environments/workspaces/main.tf:34-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
1 | resource "aws_instance" "instance_1" {
2 | ami = var.ami
3 | instance_type = var.instance_type
4 | security_groups = [aws_security_group.instances.name]
5 | user_data = <<-EOF
6 | #!/bin/bash
7 | echo "Hello, World 1" > index.html
8 | python3 -m http.server 8080 &
9 | EOF
10 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: module.web_app.aws_instance.instance_1
File: /06-organization-and-modules/web-app-module/compute.tf:1-10
Calling File: /07-managing-multiple-environments/workspaces/main.tf:34-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
1 | resource "aws_instance" "instance_1" {
2 | ami = var.ami
3 | instance_type = var.instance_type
4 | security_groups = [aws_security_group.instances.name]
5 | user_data = <<-EOF
6 | #!/bin/bash
7 | echo "Hello, World 1" > index.html
8 | python3 -m http.server 8080 &
9 | EOF
10 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: module.web_app.aws_instance.instance_1
File: /06-organization-and-modules/web-app-module/compute.tf:1-10
Calling File: /07-managing-multiple-environments/workspaces/main.tf:34-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
1 | resource "aws_instance" "instance_1" {
2 | ami = var.ami
3 | instance_type = var.instance_type
4 | security_groups = [aws_security_group.instances.name]
5 | user_data = <<-EOF
6 | #!/bin/bash
7 | echo "Hello, World 1" > index.html
8 | python3 -m http.server 8080 &
9 | EOF
10 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: module.web_app.aws_instance.instance_1
File: /06-organization-and-modules/web-app-module/compute.tf:1-10
Calling File: /07-managing-multiple-environments/workspaces/main.tf:34-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
1 | resource "aws_instance" "instance_1" {
2 | ami = var.ami
3 | instance_type = var.instance_type
4 | security_groups = [aws_security_group.instances.name]
5 | user_data = <<-EOF
6 | #!/bin/bash
7 | echo "Hello, World 1" > index.html
8 | python3 -m http.server 8080 &
9 | EOF
10 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: module.web_app.aws_instance.instance_2
File: /06-organization-and-modules/web-app-module/compute.tf:12-21
Calling File: /07-managing-multiple-environments/workspaces/main.tf:34-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
12 | resource "aws_instance" "instance_2" {
13 | ami = var.ami
14 | instance_type = var.instance_type
15 | security_groups = [aws_security_group.instances.name]
16 | user_data = <<-EOF
17 | #!/bin/bash
18 | echo "Hello, World 2" > index.html
19 | python3 -m http.server 8080 &
20 | EOF
21 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: module.web_app.aws_instance.instance_2
File: /06-organization-and-modules/web-app-module/compute.tf:12-21
Calling File: /07-managing-multiple-environments/workspaces/main.tf:34-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
12 | resource "aws_instance" "instance_2" {
13 | ami = var.ami
14 | instance_type = var.instance_type
15 | security_groups = [aws_security_group.instances.name]
16 | user_data = <<-EOF
17 | #!/bin/bash
18 | echo "Hello, World 2" > index.html
19 | python3 -m http.server 8080 &
20 | EOF
21 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: module.web_app.aws_instance.instance_2
File: /06-organization-and-modules/web-app-module/compute.tf:12-21
Calling File: /07-managing-multiple-environments/workspaces/main.tf:34-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
12 | resource "aws_instance" "instance_2" {
13 | ami = var.ami
14 | instance_type = var.instance_type
15 | security_groups = [aws_security_group.instances.name]
16 | user_data = <<-EOF
17 | #!/bin/bash
18 | echo "Hello, World 2" > index.html
19 | python3 -m http.server 8080 &
20 | EOF
21 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: module.web_app.aws_instance.instance_2
File: /06-organization-and-modules/web-app-module/compute.tf:12-21
Calling File: /07-managing-multiple-environments/workspaces/main.tf:34-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
12 | resource "aws_instance" "instance_2" {
13 | ami = var.ami
14 | instance_type = var.instance_type
15 | security_groups = [aws_security_group.instances.name]
16 | user_data = <<-EOF
17 | #!/bin/bash
18 | echo "Hello, World 2" > index.html
19 | python3 -m http.server 8080 &
20 | EOF
21 | }
Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
FAILED for resource: module.web_app_1.aws_db_instance.db_instance
File: /06-organization-and-modules/web-app-module/database.tf:1-11
Calling File: /06-organization-and-modules/web-app/main.tf:36-49
1 | resource "aws_db_instance" "db_instance" {
2 | allocated_storage = 20
3 | storage_type = "standard"
4 | engine = "postgres"
5 | engine_version = "12"
6 | instance_class = "db.t2.micro"
7 | name = var.db_name
8 | username = var.db_user
9 | password = var.db_pass
10 | skip_final_snapshot = true
11 | }
Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
FAILED for resource: module.web_app_1.aws_db_instance.db_instance
File: /06-organization-and-modules/web-app-module/database.tf:1-11
Calling File: /06-organization-and-modules/web-app/main.tf:36-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled.html
1 | resource "aws_db_instance" "db_instance" {
2 | allocated_storage = 20
3 | storage_type = "standard"
4 | engine = "postgres"
5 | engine_version = "12"
6 | instance_class = "db.t2.micro"
7 | name = var.db_name
8 | username = var.db_user
9 | password = var.db_pass
10 | skip_final_snapshot = true
11 | }
Check: CKV_AWS_161: "Ensure RDS database has IAM authentication enabled"
FAILED for resource: module.web_app_1.aws_db_instance.db_instance
File: /06-organization-and-modules/web-app-module/database.tf:1-11
Calling File: /06-organization-and-modules/web-app/main.tf:36-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-rds-database-has-iam-authentication-enabled.html
1 | resource "aws_db_instance" "db_instance" {
2 | allocated_storage = 20
3 | storage_type = "standard"
4 | engine = "postgres"
5 | engine_version = "12"
6 | instance_class = "db.t2.micro"
7 | name = var.db_name
8 | username = var.db_user
9 | password = var.db_pass
10 | skip_final_snapshot = true
11 | }
Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
FAILED for resource: module.web_app_1.aws_db_instance.db_instance
File: /06-organization-and-modules/web-app-module/database.tf:1-11
Calling File: /06-organization-and-modules/web-app/main.tf:36-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically.html
1 | resource "aws_db_instance" "db_instance" {
2 | allocated_storage = 20
3 | storage_type = "standard"
4 | engine = "postgres"
5 | engine_version = "12"
6 | instance_class = "db.t2.micro"
7 | name = var.db_name
8 | username = var.db_user
9 | password = var.db_pass
10 | skip_final_snapshot = true
11 | }
Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
FAILED for resource: module.web_app_1.aws_db_instance.db_instance
File: /06-organization-and-modules/web-app-module/database.tf:1-11
Calling File: /06-organization-and-modules/web-app/main.tf:36-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances.html
1 | resource "aws_db_instance" "db_instance" {
2 | allocated_storage = 20
3 | storage_type = "standard"
4 | engine = "postgres"
5 | engine_version = "12"
6 | instance_class = "db.t2.micro"
7 | name = var.db_name
8 | username = var.db_user
9 | password = var.db_pass
10 | skip_final_snapshot = true
11 | }
Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
FAILED for resource: module.web_app_1.aws_db_instance.db_instance
File: /06-organization-and-modules/web-app-module/database.tf:1-11
Calling File: /06-organization-and-modules/web-app/main.tf:36-49
1 | resource "aws_db_instance" "db_instance" {
2 | allocated_storage = 20
3 | storage_type = "standard"
4 | engine = "postgres"
5 | engine_version = "12"
6 | instance_class = "db.t2.micro"
7 | name = var.db_name
8 | username = var.db_user
9 | password = var.db_pass
10 | skip_final_snapshot = true
11 | }
Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
FAILED for resource: module.web_app_1.aws_db_instance.db_instance
File: /06-organization-and-modules/web-app-module/database.tf:1-11
Calling File: /06-organization-and-modules/web-app/main.tf:36-49
1 | resource "aws_db_instance" "db_instance" {
2 | allocated_storage = 20
3 | storage_type = "standard"
4 | engine = "postgres"
5 | engine_version = "12"
6 | instance_class = "db.t2.micro"
7 | name = var.db_name
8 | username = var.db_user
9 | password = var.db_pass
10 | skip_final_snapshot = true
11 | }
Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
FAILED for resource: module.web_app_1.aws_db_instance.db_instance
File: /06-organization-and-modules/web-app-module/database.tf:1-11
Calling File: /06-organization-and-modules/web-app/main.tf:36-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-4.html
1 | resource "aws_db_instance" "db_instance" {
2 | allocated_storage = 20
3 | storage_type = "standard"
4 | engine = "postgres"
5 | engine_version = "12"
6 | instance_class = "db.t2.micro"
7 | name = var.db_name
8 | username = var.db_user
9 | password = var.db_pass
10 | skip_final_snapshot = true
11 | }
Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
FAILED for resource: module.web_app_1.aws_db_instance.db_instance
File: /06-organization-and-modules/web-app-module/database.tf:1-11
Calling File: /06-organization-and-modules/web-app/main.tf:36-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-73.html
1 | resource "aws_db_instance" "db_instance" {
2 | allocated_storage = 20
3 | storage_type = "standard"
4 | engine = "postgres"
5 | engine_version = "12"
6 | instance_class = "db.t2.micro"
7 | name = var.db_name
8 | username = var.db_user
9 | password = var.db_pass
10 | skip_final_snapshot = true
11 | }
Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
FAILED for resource: module.web_app_2.aws_db_instance.db_instance
File: /06-organization-and-modules/web-app-module/database.tf:1-11
Calling File: /06-organization-and-modules/web-app/main.tf:51-64
1 | resource "aws_db_instance" "db_instance" {
2 | allocated_storage = 20
3 | storage_type = "standard"
4 | engine = "postgres"
5 | engine_version = "12"
6 | instance_class = "db.t2.micro"
7 | name = var.db_name
8 | username = var.db_user
9 | password = var.db_pass
10 | skip_final_snapshot = true
11 | }
Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
FAILED for resource: module.web_app_2.aws_db_instance.db_instance
File: /06-organization-and-modules/web-app-module/database.tf:1-11
Calling File: /06-organization-and-modules/web-app/main.tf:51-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled.html
1 | resource "aws_db_instance" "db_instance" {
2 | allocated_storage = 20
3 | storage_type = "standard"
4 | engine = "postgres"
5 | engine_version = "12"
6 | instance_class = "db.t2.micro"
7 | name = var.db_name
8 | username = var.db_user
9 | password = var.db_pass
10 | skip_final_snapshot = true
11 | }
Check: CKV_AWS_161: "Ensure RDS database has IAM authentication enabled"
FAILED for resource: module.web_app_2.aws_db_instance.db_instance
File: /06-organization-and-modules/web-app-module/database.tf:1-11
Calling File: /06-organization-and-modules/web-app/main.tf:51-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-rds-database-has-iam-authentication-enabled.html
1 | resource "aws_db_instance" "db_instance" {
2 | allocated_storage = 20
3 | storage_type = "standard"
4 | engine = "postgres"
5 | engine_version = "12"
6 | instance_class = "db.t2.micro"
7 | name = var.db_name
8 | username = var.db_user
9 | password = var.db_pass
10 | skip_final_snapshot = true
11 | }
Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
FAILED for resource: module.web_app_2.aws_db_instance.db_instance
File: /06-organization-and-modules/web-app-module/database.tf:1-11
Calling File: /06-organization-and-modules/web-app/main.tf:51-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically.html
1 | resource "aws_db_instance" "db_instance" {
2 | allocated_storage = 20
3 | storage_type = "standard"
4 | engine = "postgres"
5 | engine_version = "12"
6 | instance_class = "db.t2.micro"
7 | name = var.db_name
8 | username = var.db_user
9 | password = var.db_pass
10 | skip_final_snapshot = true
11 | }
Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
FAILED for resource: module.web_app_2.aws_db_instance.db_instance
File: /06-organization-and-modules/web-app-module/database.tf:1-11
Calling File: /06-organization-and-modules/web-app/main.tf:51-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances.html
1 | resource "aws_db_instance" "db_instance" {
2 | allocated_storage = 20
3 | storage_type = "standard"
4 | engine = "postgres"
5 | engine_version = "12"
6 | instance_class = "db.t2.micro"
7 | name = var.db_name
8 | username = var.db_user
9 | password = var.db_pass
10 | skip_final_snapshot = true
11 | }
Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
FAILED for resource: module.web_app_2.aws_db_instance.db_instance
File: /06-organization-and-modules/web-app-module/database.tf:1-11
Calling File: /06-organization-and-modules/web-app/main.tf:51-64
1 | resource "aws_db_instance" "db_instance" {
2 | allocated_storage = 20
3 | storage_type = "standard"
4 | engine = "postgres"
5 | engine_version = "12"
6 | instance_class = "db.t2.micro"
7 | name = var.db_name
8 | username = var.db_user
9 | password = var.db_pass
10 | skip_final_snapshot = true
11 | }
Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
FAILED for resource: module.web_app_2.aws_db_instance.db_instance
File: /06-organization-and-modules/web-app-module/database.tf:1-11
Calling File: /06-organization-and-modules/web-app/main.tf:51-64
1 | resource "aws_db_instance" "db_instance" {
2 | allocated_storage = 20
3 | storage_type = "standard"
4 | engine = "postgres"
5 | engine_version = "12"
6 | instance_class = "db.t2.micro"
7 | name = var.db_name
8 | username = var.db_user
9 | password = var.db_pass
10 | skip_final_snapshot = true
11 | }
Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
FAILED for resource: module.web_app_2.aws_db_instance.db_instance
File: /06-organization-and-modules/web-app-module/database.tf:1-11
Calling File: /06-organization-and-modules/web-app/main.tf:51-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-4.html
1 | resource "aws_db_instance" "db_instance" {
2 | allocated_storage = 20
3 | storage_type = "standard"
4 | engine = "postgres"
5 | engine_version = "12"
6 | instance_class = "db.t2.micro"
7 | name = var.db_name
8 | username = var.db_user
9 | password = var.db_pass
10 | skip_final_snapshot = true
11 | }
Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
FAILED for resource: module.web_app_2.aws_db_instance.db_instance
File: /06-organization-and-modules/web-app-module/database.tf:1-11
Calling File: /06-organization-and-modules/web-app/main.tf:51-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-73.html
1 | resource "aws_db_instance" "db_instance" {
2 | allocated_storage = 20
3 | storage_type = "standard"
4 | engine = "postgres"
5 | engine_version = "12"
6 | instance_class = "db.t2.micro"
7 | name = var.db_name
8 | username = var.db_user
9 | password = var.db_pass
10 | skip_final_snapshot = true
11 | }
Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
FAILED for resource: module.web_app.aws_db_instance.db_instance
File: /06-organization-and-modules/web-app-module/database.tf:1-11
Calling File: /07-managing-multiple-environments/workspaces/main.tf:34-46
1 | resource "aws_db_instance" "db_instance" {
2 | allocated_storage = 20
3 | storage_type = "standard"
4 | engine = "postgres"
5 | engine_version = "12"
6 | instance_class = "db.t2.micro"
7 | name = var.db_name
8 | username = var.db_user
9 | password = var.db_pass
10 | skip_final_snapshot = true
11 | }
Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
FAILED for resource: module.web_app.aws_db_instance.db_instance
File: /06-organization-and-modules/web-app-module/database.tf:1-11
Calling File: /07-managing-multiple-environments/workspaces/main.tf:34-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled.html
1 | resource "aws_db_instance" "db_instance" {
2 | allocated_storage = 20
3 | storage_type = "standard"
4 | engine = "postgres"
5 | engine_version = "12"
6 | instance_class = "db.t2.micro"
7 | name = var.db_name
8 | username = var.db_user
9 | password = var.db_pass
10 | skip_final_snapshot = true
11 | }
Check: CKV_AWS_161: "Ensure RDS database has IAM authentication enabled"
FAILED for resource: module.web_app.aws_db_instance.db_instance
File: /06-organization-and-modules/web-app-module/database.tf:1-11
Calling File: /07-managing-multiple-environments/workspaces/main.tf:34-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-rds-database-has-iam-authentication-enabled.html
1 | resource "aws_db_instance" "db_instance" {
2 | allocated_storage = 20
3 | storage_type = "standard"
4 | engine = "postgres"
5 | engine_version = "12"
6 | instance_class = "db.t2.micro"
7 | name = var.db_name
8 | username = var.db_user
9 | password = var.db_pass
10 | skip_final_snapshot = true
11 | }
Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
FAILED for resource: module.web_app.aws_db_instance.db_instance
File: /06-organization-and-modules/web-app-module/database.tf:1-11
Calling File: /07-managing-multiple-environments/workspaces/main.tf:34-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically.html
1 | resource "aws_db_instance" "db_instance" {
2 | allocated_storage = 20
3 | storage_type = "standard"
4 | engine = "postgres"
5 | engine_version = "12"
6 | instance_class = "db.t2.micro"
7 | name = var.db_name
8 | username = var.db_user
9 | password = var.db_pass
10 | skip_final_snapshot = true
11 | }
Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
FAILED for resource: module.web_app.aws_db_instance.db_instance
File: /06-organization-and-modules/web-app-module/database.tf:1-11
Calling File: /07-managing-multiple-environments/workspaces/main.tf:34-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances.html
1 | resource "aws_db_instance" "db_instance" {
2 | allocated_storage = 20
3 | storage_type = "standard"
4 | engine = "postgres"
5 | engine_version = "12"
6 | instance_class = "db.t2.micro"
7 | name = var.db_name
8 | username = var.db_user
9 | password = var.db_pass
10 | skip_final_snapshot = true
11 | }
Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
FAILED for resource: module.web_app.aws_db_instance.db_instance
File: /06-organization-and-modules/web-app-module/database.tf:1-11
Calling File: /07-managing-multiple-environments/workspaces/main.tf:34-46
1 | resource "aws_db_instance" "db_instance" {
2 | allocated_storage = 20
3 | storage_type = "standard"
4 | engine = "postgres"
5 | engine_version = "12"
6 | instance_class = "db.t2.micro"
7 | name = var.db_name
8 | username = var.db_user
9 | password = var.db_pass
10 | skip_final_snapshot = true
11 | }
Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
FAILED for resource: module.web_app.aws_db_instance.db_instance
File: /06-organization-and-modules/web-app-module/database.tf:1-11
Calling File: /07-managing-multiple-environments/workspaces/main.tf:34-46
1 | resource "aws_db_instance" "db_instance" {
2 | allocated_storage = 20
3 | storage_type = "standard"
4 | engine = "postgres"
5 | engine_version = "12"
6 | instance_class = "db.t2.micro"
7 | name = var.db_name
8 | username = var.db_user
9 | password = var.db_pass
10 | skip_final_snapshot = true
11 | }
Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
FAILED for resource: module.web_app.aws_db_instance.db_instance
File: /06-organization-and-modules/web-app-module/database.tf:1-11
Calling File: /07-managing-multiple-environments/workspaces/main.tf:34-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-4.html
1 | resource "aws_db_instance" "db_instance" {
2 | allocated_storage = 20
3 | storage_type = "standard"
4 | engine = "postgres"
5 | engine_version = "12"
6 | instance_class = "db.t2.micro"
7 | name = var.db_name
8 | username = var.db_user
9 | password = var.db_pass
10 | skip_final_snapshot = true
11 | }
Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
FAILED for resource: module.web_app.aws_db_instance.db_instance
File: /06-organization-and-modules/web-app-module/database.tf:1-11
Calling File: /07-managing-multiple-environments/workspaces/main.tf:34-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-73.html
1 | resource "aws_db_instance" "db_instance" {
2 | allocated_storage = 20
3 | storage_type = "standard"
4 | engine = "postgres"
5 | engine_version = "12"
6 | instance_class = "db.t2.micro"
7 | name = var.db_name
8 | username = var.db_user
9 | password = var.db_pass
10 | skip_final_snapshot = true
11 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.web_app_1.aws_security_group.instances
File: /06-organization-and-modules/web-app-module/networking.tf:9-11
Calling File: /06-organization-and-modules/web-app/main.tf:36-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
9 | resource "aws_security_group" "instances" {
10 | name = "${var.app_name}-${var.environment_name}-instance-security-group"
11 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.web_app_1.aws_security_group_rule.allow_http_inbound
File: /06-organization-and-modules/web-app-module/networking.tf:13-21
Calling File: /06-organization-and-modules/web-app/main.tf:36-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
13 | resource "aws_security_group_rule" "allow_http_inbound" {
14 | type = "ingress"
15 | security_group_id = aws_security_group.instances.id
16 |
17 | from_port = 8080
18 | to_port = 8080
19 | protocol = "tcp"
20 | cidr_blocks = ["0.0.0.0/0"]
21 | }
Check: CKV_AWS_2: "Ensure ALB protocol is HTTPS"
FAILED for resource: module.web_app_1.aws_lb_listener.http
File: /06-organization-and-modules/web-app-module/networking.tf:23-40
Calling File: /06-organization-and-modules/web-app/main.tf:36-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-29.html
23 | resource "aws_lb_listener" "http" {
24 | load_balancer_arn = aws_lb.load_balancer.arn
25 |
26 | port = 80
27 |
28 | protocol = "HTTP"
29 |
30 | # By default, return a simple 404 page
31 | default_action {
32 | type = "fixed-response"
33 |
34 | fixed_response {
35 | content_type = "text/plain"
36 | message_body = "404: page not found"
37 | status_code = 404
38 | }
39 | }
40 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.web_app_1.aws_security_group.alb
File: /06-organization-and-modules/web-app-module/networking.tf:88-90
Calling File: /06-organization-and-modules/web-app/main.tf:36-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
88 | resource "aws_security_group" "alb" {
89 | name = "${var.app_name}-${var.environment_name}-alb-security-group"
90 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.web_app_1.aws_security_group_rule.allow_alb_http_inbound
File: /06-organization-and-modules/web-app-module/networking.tf:92-101
Calling File: /06-organization-and-modules/web-app/main.tf:36-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
92 | resource "aws_security_group_rule" "allow_alb_http_inbound" {
93 | type = "ingress"
94 | security_group_id = aws_security_group.alb.id
95 |
96 | from_port = 80
97 | to_port = 80
98 | protocol = "tcp"
99 | cidr_blocks = ["0.0.0.0/0"]
100 |
101 | }
Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
FAILED for resource: module.web_app_1.aws_security_group_rule.allow_alb_http_inbound
File: /06-organization-and-modules/web-app-module/networking.tf:92-101
Calling File: /06-organization-and-modules/web-app/main.tf:36-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
92 | resource "aws_security_group_rule" "allow_alb_http_inbound" {
93 | type = "ingress"
94 | security_group_id = aws_security_group.alb.id
95 |
96 | from_port = 80
97 | to_port = 80
98 | protocol = "tcp"
99 | cidr_blocks = ["0.0.0.0/0"]
100 |
101 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.web_app_1.aws_security_group_rule.allow_alb_all_outbound
File: /06-organization-and-modules/web-app-module/networking.tf:103-112
Calling File: /06-organization-and-modules/web-app/main.tf:36-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
103 | resource "aws_security_group_rule" "allow_alb_all_outbound" {
104 | type = "egress"
105 | security_group_id = aws_security_group.alb.id
106 |
107 | from_port = 0
108 | to_port = 0
109 | protocol = "-1"
110 | cidr_blocks = ["0.0.0.0/0"]
111 |
112 | }
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
FAILED for resource: module.web_app_1.aws_lb.load_balancer
File: /06-organization-and-modules/web-app-module/networking.tf:115-121
Calling File: /06-organization-and-modules/web-app/main.tf:36-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers.html
115 | resource "aws_lb" "load_balancer" {
116 | name = "${var.app_name}-${var.environment_name}-web-app-lb"
117 | load_balancer_type = "application"
118 | subnets = data.aws_subnet_ids.default_subnet.ids
119 | security_groups = [aws_security_group.alb.id]
120 |
121 | }
Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
FAILED for resource: module.web_app_1.aws_lb.load_balancer
File: /06-organization-and-modules/web-app-module/networking.tf:115-121
Calling File: /06-organization-and-modules/web-app/main.tf:36-49
Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62
115 | resource "aws_lb" "load_balancer" {
116 | name = "${var.app_name}-${var.environment_name}-web-app-lb"
117 | load_balancer_type = "application"
118 | subnets = data.aws_subnet_ids.default_subnet.ids
119 | security_groups = [aws_security_group.alb.id]
120 |
121 | }
Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
FAILED for resource: module.web_app_1.aws_lb.load_balancer
File: /06-organization-and-modules/web-app-module/networking.tf:115-121
Calling File: /06-organization-and-modules/web-app/main.tf:36-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22.html
115 | resource "aws_lb" "load_balancer" {
116 | name = "${var.app_name}-${var.environment_name}-web-app-lb"
117 | load_balancer_type = "application"
118 | subnets = data.aws_subnet_ids.default_subnet.ids
119 | security_groups = [aws_security_group.alb.id]
120 |
121 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.web_app_2.aws_security_group.instances
File: /06-organization-and-modules/web-app-module/networking.tf:9-11
Calling File: /06-organization-and-modules/web-app/main.tf:51-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
9 | resource "aws_security_group" "instances" {
10 | name = "${var.app_name}-${var.environment_name}-instance-security-group"
11 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.web_app_2.aws_security_group_rule.allow_http_inbound
File: /06-organization-and-modules/web-app-module/networking.tf:13-21
Calling File: /06-organization-and-modules/web-app/main.tf:51-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
13 | resource "aws_security_group_rule" "allow_http_inbound" {
14 | type = "ingress"
15 | security_group_id = aws_security_group.instances.id
16 |
17 | from_port = 8080
18 | to_port = 8080
19 | protocol = "tcp"
20 | cidr_blocks = ["0.0.0.0/0"]
21 | }
Check: CKV_AWS_2: "Ensure ALB protocol is HTTPS"
FAILED for resource: module.web_app_2.aws_lb_listener.http
File: /06-organization-and-modules/web-app-module/networking.tf:23-40
Calling File: /06-organization-and-modules/web-app/main.tf:51-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-29.html
23 | resource "aws_lb_listener" "http" {
24 | load_balancer_arn = aws_lb.load_balancer.arn
25 |
26 | port = 80
27 |
28 | protocol = "HTTP"
29 |
30 | # By default, return a simple 404 page
31 | default_action {
32 | type = "fixed-response"
33 |
34 | fixed_response {
35 | content_type = "text/plain"
36 | message_body = "404: page not found"
37 | status_code = 404
38 | }
39 | }
40 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.web_app_2.aws_security_group.alb
File: /06-organization-and-modules/web-app-module/networking.tf:88-90
Calling File: /06-organization-and-modules/web-app/main.tf:51-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
88 | resource "aws_security_group" "alb" {
89 | name = "${var.app_name}-${var.environment_name}-alb-security-group"
90 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.web_app_2.aws_security_group_rule.allow_alb_http_inbound
File: /06-organization-and-modules/web-app-module/networking.tf:92-101
Calling File: /06-organization-and-modules/web-app/main.tf:51-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
92 | resource "aws_security_group_rule" "allow_alb_http_inbound" {
93 | type = "ingress"
94 | security_group_id = aws_security_group.alb.id
95 |
96 | from_port = 80
97 | to_port = 80
98 | protocol = "tcp"
99 | cidr_blocks = ["0.0.0.0/0"]
100 |
101 | }
Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
FAILED for resource: module.web_app_2.aws_security_group_rule.allow_alb_http_inbound
File: /06-organization-and-modules/web-app-module/networking.tf:92-101
Calling File: /06-organization-and-modules/web-app/main.tf:51-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
92 | resource "aws_security_group_rule" "allow_alb_http_inbound" {
93 | type = "ingress"
94 | security_group_id = aws_security_group.alb.id
95 |
96 | from_port = 80
97 | to_port = 80
98 | protocol = "tcp"
99 | cidr_blocks = ["0.0.0.0/0"]
100 |
101 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.web_app_2.aws_security_group_rule.allow_alb_all_outbound
File: /06-organization-and-modules/web-app-module/networking.tf:103-112
Calling File: /06-organization-and-modules/web-app/main.tf:51-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
103 | resource "aws_security_group_rule" "allow_alb_all_outbound" {
104 | type = "egress"
105 | security_group_id = aws_security_group.alb.id
106 |
107 | from_port = 0
108 | to_port = 0
109 | protocol = "-1"
110 | cidr_blocks = ["0.0.0.0/0"]
111 |
112 | }
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
FAILED for resource: module.web_app_2.aws_lb.load_balancer
File: /06-organization-and-modules/web-app-module/networking.tf:115-121
Calling File: /06-organization-and-modules/web-app/main.tf:51-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers.html
115 | resource "aws_lb" "load_balancer" {
116 | name = "${var.app_name}-${var.environment_name}-web-app-lb"
117 | load_balancer_type = "application"
118 | subnets = data.aws_subnet_ids.default_subnet.ids
119 | security_groups = [aws_security_group.alb.id]
120 |
121 | }
Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
FAILED for resource: module.web_app_2.aws_lb.load_balancer
File: /06-organization-and-modules/web-app-module/networking.tf:115-121
Calling File: /06-organization-and-modules/web-app/main.tf:51-64
Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62
115 | resource "aws_lb" "load_balancer" {
116 | name = "${var.app_name}-${var.environment_name}-web-app-lb"
117 | load_balancer_type = "application"
118 | subnets = data.aws_subnet_ids.default_subnet.ids
119 | security_groups = [aws_security_group.alb.id]
120 |
121 | }
Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
FAILED for resource: module.web_app_2.aws_lb.load_balancer
File: /06-organization-and-modules/web-app-module/networking.tf:115-121
Calling File: /06-organization-and-modules/web-app/main.tf:51-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22.html
115 | resource "aws_lb" "load_balancer" {
116 | name = "${var.app_name}-${var.environment_name}-web-app-lb"
117 | load_balancer_type = "application"
118 | subnets = data.aws_subnet_ids.default_subnet.ids
119 | security_groups = [aws_security_group.alb.id]
120 |
121 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.web_app.aws_security_group.instances
File: /06-organization-and-modules/web-app-module/networking.tf:9-11
Calling File: /07-managing-multiple-environments/workspaces/main.tf:34-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
9 | resource "aws_security_group" "instances" {
10 | name = "${var.app_name}-${var.environment_name}-instance-security-group"
11 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.web_app.aws_security_group_rule.allow_http_inbound
File: /06-organization-and-modules/web-app-module/networking.tf:13-21
Calling File: /07-managing-multiple-environments/workspaces/main.tf:34-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
13 | resource "aws_security_group_rule" "allow_http_inbound" {
14 | type = "ingress"
15 | security_group_id = aws_security_group.instances.id
16 |
17 | from_port = 8080
18 | to_port = 8080
19 | protocol = "tcp"
20 | cidr_blocks = ["0.0.0.0/0"]
21 | }
Check: CKV_AWS_2: "Ensure ALB protocol is HTTPS"
FAILED for resource: module.web_app.aws_lb_listener.http
File: /06-organization-and-modules/web-app-module/networking.tf:23-40
Calling File: /07-managing-multiple-environments/workspaces/main.tf:34-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-29.html
23 | resource "aws_lb_listener" "http" {
24 | load_balancer_arn = aws_lb.load_balancer.arn
25 |
26 | port = 80
27 |
28 | protocol = "HTTP"
29 |
30 | # By default, return a simple 404 page
31 | default_action {
32 | type = "fixed-response"
33 |
34 | fixed_response {
35 | content_type = "text/plain"
36 | message_body = "404: page not found"
37 | status_code = 404
38 | }
39 | }
40 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.web_app.aws_security_group.alb
File: /06-organization-and-modules/web-app-module/networking.tf:88-90
Calling File: /07-managing-multiple-environments/workspaces/main.tf:34-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
88 | resource "aws_security_group" "alb" {
89 | name = "${var.app_name}-${var.environment_name}-alb-security-group"
90 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.web_app.aws_security_group_rule.allow_alb_http_inbound
File: /06-organization-and-modules/web-app-module/networking.tf:92-101
Calling File: /07-managing-multiple-environments/workspaces/main.tf:34-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
92 | resource "aws_security_group_rule" "allow_alb_http_inbound" {
93 | type = "ingress"
94 | security_group_id = aws_security_group.alb.id
95 |
96 | from_port = 80
97 | to_port = 80
98 | protocol = "tcp"
99 | cidr_blocks = ["0.0.0.0/0"]
100 |
101 | }
Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
FAILED for resource: module.web_app.aws_security_group_rule.allow_alb_http_inbound
File: /06-organization-and-modules/web-app-module/networking.tf:92-101
Calling File: /07-managing-multiple-environments/workspaces/main.tf:34-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
92 | resource "aws_security_group_rule" "allow_alb_http_inbound" {
93 | type = "ingress"
94 | security_group_id = aws_security_group.alb.id
95 |
96 | from_port = 80
97 | to_port = 80
98 | protocol = "tcp"
99 | cidr_blocks = ["0.0.0.0/0"]
100 |
101 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.web_app.aws_security_group_rule.allow_alb_all_outbound
File: /06-organization-and-modules/web-app-module/networking.tf:103-112
Calling File: /07-managing-multiple-environments/workspaces/main.tf:34-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
103 | resource "aws_security_group_rule" "allow_alb_all_outbound" {
104 | type = "egress"
105 | security_group_id = aws_security_group.alb.id
106 |
107 | from_port = 0
108 | to_port = 0
109 | protocol = "-1"
110 | cidr_blocks = ["0.0.0.0/0"]
111 |
112 | }
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
FAILED for resource: module.web_app.aws_lb.load_balancer
File: /06-organization-and-modules/web-app-module/networking.tf:115-121
Calling File: /07-managing-multiple-environments/workspaces/main.tf:34-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers.html
115 | resource "aws_lb" "load_balancer" {
116 | name = "${var.app_name}-${var.environment_name}-web-app-lb"
117 | load_balancer_type = "application"
118 | subnets = data.aws_subnet_ids.default_subnet.ids
119 | security_groups = [aws_security_group.alb.id]
120 |
121 | }
Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
FAILED for resource: module.web_app.aws_lb.load_balancer
File: /06-organization-and-modules/web-app-module/networking.tf:115-121
Calling File: /07-managing-multiple-environments/workspaces/main.tf:34-46
Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62
115 | resource "aws_lb" "load_balancer" {
116 | name = "${var.app_name}-${var.environment_name}-web-app-lb"
117 | load_balancer_type = "application"
118 | subnets = data.aws_subnet_ids.default_subnet.ids
119 | security_groups = [aws_security_group.alb.id]
120 |
121 | }
Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
FAILED for resource: module.web_app.aws_lb.load_balancer
File: /06-organization-and-modules/web-app-module/networking.tf:115-121
Calling File: /07-managing-multiple-environments/workspaces/main.tf:34-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22.html
115 | resource "aws_lb" "load_balancer" {
116 | name = "${var.app_name}-${var.environment_name}-web-app-lb"
117 | load_balancer_type = "application"
118 | subnets = data.aws_subnet_ids.default_subnet.ids
119 | security_groups = [aws_security_group.alb.id]
120 |
121 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: module.web_app.aws_instance.instance
File: /08-testing/modules/hello-world/instance.tf:1-10
Calling File: /08-testing/examples/hello-world/main.tf:25-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
1 | resource "aws_instance" "instance" {
2 | ami = "ami-011899242bb902164" # Ubuntu 20.04 LTS // us-east-1
3 | instance_type = "t2.micro"
4 | security_groups = [aws_security_group.instances.name]
5 | user_data = <<-EOF
6 | #!/bin/bash
7 | echo "Hello, World" > index.html
8 | python3 -m http.server 8080 &
9 | EOF
10 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: module.web_app.aws_instance.instance
File: /08-testing/modules/hello-world/instance.tf:1-10
Calling File: /08-testing/examples/hello-world/main.tf:25-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
1 | resource "aws_instance" "instance" {
2 | ami = "ami-011899242bb902164" # Ubuntu 20.04 LTS // us-east-1
3 | instance_type = "t2.micro"
4 | security_groups = [aws_security_group.instances.name]
5 | user_data = <<-EOF
6 | #!/bin/bash
7 | echo "Hello, World" > index.html
8 | python3 -m http.server 8080 &
9 | EOF
10 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: module.web_app.aws_instance.instance
File: /08-testing/modules/hello-world/instance.tf:1-10
Calling File: /08-testing/examples/hello-world/main.tf:25-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
1 | resource "aws_instance" "instance" {
2 | ami = "ami-011899242bb902164" # Ubuntu 20.04 LTS // us-east-1
3 | instance_type = "t2.micro"
4 | security_groups = [aws_security_group.instances.name]
5 | user_data = <<-EOF
6 | #!/bin/bash
7 | echo "Hello, World" > index.html
8 | python3 -m http.server 8080 &
9 | EOF
10 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: module.web_app.aws_instance.instance
File: /08-testing/modules/hello-world/instance.tf:1-10
Calling File: /08-testing/examples/hello-world/main.tf:25-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
1 | resource "aws_instance" "instance" {
2 | ami = "ami-011899242bb902164" # Ubuntu 20.04 LTS // us-east-1
3 | instance_type = "t2.micro"
4 | security_groups = [aws_security_group.instances.name]
5 | user_data = <<-EOF
6 | #!/bin/bash
7 | echo "Hello, World" > index.html
8 | python3 -m http.server 8080 &
9 | EOF
10 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.web_app.aws_security_group.instances
File: /08-testing/modules/hello-world/instance.tf:12-14
Calling File: /08-testing/examples/hello-world/main.tf:25-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
12 | resource "aws_security_group" "instances" {
13 | name = "instance-security-group"
14 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: module.web_app.aws_security_group_rule.allow_http_inbound
File: /08-testing/modules/hello-world/instance.tf:16-24
Calling File: /08-testing/examples/hello-world/main.tf:25-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
16 | resource "aws_security_group_rule" "allow_http_inbound" {
17 | type = "ingress"
18 | security_group_id = aws_security_group.instances.id
19 |
20 | from_port = 8080
21 | to_port = 8080
22 | protocol = "tcp"
23 | cidr_blocks = ["0.0.0.0/0"]
24 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.terraform_state
File: /03-basics/aws-backend/main.tf:27-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
27 | resource "aws_s3_bucket" "terraform_state" {
28 | bucket = "devops-directive-tf-state" # REPLACE WITH YOUR BUCKET NAME
29 | force_destroy = true
30 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.bucket
File: /03-basics/web-app/main.tf:46-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
46 | resource "aws_s3_bucket" "bucket" {
47 | bucket_prefix = "devops-directive-web-app-data"
48 | force_destroy = true
49 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.bucket
File: /04-variables-and-outputs/web-app/main.tf:47-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
47 | resource "aws_s3_bucket" "bucket" {
48 | bucket_prefix = var.bucket_prefix
49 | force_destroy = true
50 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: module.web_app_1.aws_s3_bucket.bucket
File: /06-organization-and-modules/web-app-module/storage.tf:1-4
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
1 | resource "aws_s3_bucket" "bucket" {
2 | bucket_prefix = var.bucket_prefix
3 | force_destroy = true
4 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: module.web_app_2.aws_s3_bucket.bucket
File: /06-organization-and-modules/web-app-module/storage.tf:1-4
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
1 | resource "aws_s3_bucket" "bucket" {
2 | bucket_prefix = var.bucket_prefix
3 | force_destroy = true
4 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: module.web_app.aws_s3_bucket.bucket
File: /06-organization-and-modules/web-app-module/storage.tf:1-4
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
1 | resource "aws_s3_bucket" "bucket" {
2 | bucket_prefix = var.bucket_prefix
3 | force_destroy = true
4 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.terraform_state
File: /03-basics/aws-backend/main.tf:27-30
27 | resource "aws_s3_bucket" "terraform_state" {
28 | bucket = "devops-directive-tf-state" # REPLACE WITH YOUR BUCKET NAME
29 | force_destroy = true
30 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.bucket
File: /03-basics/web-app/main.tf:46-49
46 | resource "aws_s3_bucket" "bucket" {
47 | bucket_prefix = "devops-directive-web-app-data"
48 | force_destroy = true
49 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.bucket
File: /04-variables-and-outputs/web-app/main.tf:47-50
47 | resource "aws_s3_bucket" "bucket" {
48 | bucket_prefix = var.bucket_prefix
49 | force_destroy = true
50 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: module.web_app_1.aws_s3_bucket.bucket
File: /06-organization-and-modules/web-app-module/storage.tf:1-4
1 | resource "aws_s3_bucket" "bucket" {
2 | bucket_prefix = var.bucket_prefix
3 | force_destroy = true
4 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: module.web_app_2.aws_s3_bucket.bucket
File: /06-organization-and-modules/web-app-module/storage.tf:1-4
1 | resource "aws_s3_bucket" "bucket" {
2 | bucket_prefix = var.bucket_prefix
3 | force_destroy = true
4 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: module.web_app.aws_s3_bucket.bucket
File: /06-organization-and-modules/web-app-module/storage.tf:1-4
1 | resource "aws_s3_bucket" "bucket" {
2 | bucket_prefix = var.bucket_prefix
3 | force_destroy = true
4 | }
Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
FAILED for resource: aws_db_instance.db_instance
File: /03-basics/web-app/main.tf:205-220
205 | resource "aws_db_instance" "db_instance" {
206 | allocated_storage = 20
207 | # This allows any minor version within the major engine_version
208 | # defined below, but will also result in allowing AWS to auto
209 | # upgrade the minor version of your DB. This may be too risky
210 | # in a real production environment.
211 | auto_minor_version_upgrade = true
212 | storage_type = "standard"
213 | engine = "postgres"
214 | engine_version = "12"
215 | instance_class = "db.t2.micro"
216 | name = "mydb"
217 | username = "foo"
218 | password = "foobarbaz"
219 | skip_final_snapshot = true
220 | }
Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
FAILED for resource: aws_db_instance.db_instance
File: /04-variables-and-outputs/examples/main.tf:36-46
36 | resource "aws_db_instance" "db_instance" {
37 | allocated_storage = 20
38 | storage_type = "gp2"
39 | engine = "postgres"
40 | engine_version = "12"
41 | instance_class = "db.t2.micro"
42 | name = "mydb"
43 | username = var.db_user
44 | password = var.db_pass
45 | skip_final_snapshot = true
46 | }
Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
FAILED for resource: aws_db_instance.db_instance
File: /04-variables-and-outputs/web-app/main.tf:206-216
206 | resource "aws_db_instance" "db_instance" {
207 | allocated_storage = 20
208 | storage_type = "standard"
209 | engine = "postgres"
210 | engine_version = "12"
211 | instance_class = "db.t2.micro"
212 | name = var.db_name
213 | username = var.db_user
214 | password = var.db_pass
215 | skip_final_snapshot = true
216 | }
Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
FAILED for resource: module.web_app_1.aws_db_instance.db_instance
File: /06-organization-and-modules/web-app-module/database.tf:1-11
1 | resource "aws_db_instance" "db_instance" {
2 | allocated_storage = 20
3 | storage_type = "standard"
4 | engine = "postgres"
5 | engine_version = "12"
6 | instance_class = "db.t2.micro"
7 | name = var.db_name
8 | username = var.db_user
9 | password = var.db_pass
10 | skip_final_snapshot = true
11 | }
Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
FAILED for resource: module.web_app_2.aws_db_instance.db_instance
File: /06-organization-and-modules/web-app-module/database.tf:1-11
1 | resource "aws_db_instance" "db_instance" {
2 | allocated_storage = 20
3 | storage_type = "standard"
4 | engine = "postgres"
5 | engine_version = "12"
6 | instance_class = "db.t2.micro"
7 | name = var.db_name
8 | username = var.db_user
9 | password = var.db_pass
10 | skip_final_snapshot = true
11 | }
Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
FAILED for resource: module.web_app.aws_db_instance.db_instance
File: /06-organization-and-modules/web-app-module/database.tf:1-11
1 | resource "aws_db_instance" "db_instance" {
2 | allocated_storage = 20
3 | storage_type = "standard"
4 | engine = "postgres"
5 | engine_version = "12"
6 | instance_class = "db.t2.micro"
7 | name = var.db_name
8 | username = var.db_user
9 | password = var.db_pass
10 | skip_final_snapshot = true
11 | }
Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
FAILED for resource: aws_lb_listener.http
File: /03-basics/web-app/main.tf:89-106
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-43.html
89 | resource "aws_lb_listener" "http" {
90 | load_balancer_arn = aws_lb.load_balancer.arn
91 |
92 | port = 80
93 |
94 | protocol = "HTTP"
95 |
96 | # By default, return a simple 404 page
97 | default_action {
98 | type = "fixed-response"
99 |
100 | fixed_response {
101 | content_type = "text/plain"
102 | message_body = "404: page not found"
103 | status_code = 404
104 | }
105 | }
106 | }
Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
FAILED for resource: aws_lb_listener.http
File: /04-variables-and-outputs/web-app/main.tf:90-107
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-43.html
90 | resource "aws_lb_listener" "http" {
91 | load_balancer_arn = aws_lb.load_balancer.arn
92 |
93 | port = 80
94 |
95 | protocol = "HTTP"
96 |
97 | # By default, return a simple 404 page
98 | default_action {
99 | type = "fixed-response"
100 |
101 | fixed_response {
102 | content_type = "text/plain"
103 | message_body = "404: page not found"
104 | status_code = 404
105 | }
106 | }
107 | }
Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
FAILED for resource: module.web_app_1.aws_lb_listener.http
File: /06-organization-and-modules/web-app-module/networking.tf:23-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-43.html
23 | resource "aws_lb_listener" "http" {
24 | load_balancer_arn = aws_lb.load_balancer.arn
25 |
26 | port = 80
27 |
28 | protocol = "HTTP"
29 |
30 | # By default, return a simple 404 page
31 | default_action {
32 | type = "fixed-response"
33 |
34 | fixed_response {
35 | content_type = "text/plain"
36 | message_body = "404: page not found"
37 | status_code = 404
38 | }
39 | }
40 | }
Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
FAILED for resource: module.web_app_2.aws_lb_listener.http
File: /06-organization-and-modules/web-app-module/networking.tf:23-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-43.html
23 | resource "aws_lb_listener" "http" {
24 | load_balancer_arn = aws_lb.load_balancer.arn
25 |
26 | port = 80
27 |
28 | protocol = "HTTP"
29 |
30 | # By default, return a simple 404 page
31 | default_action {
32 | type = "fixed-response"
33 |
34 | fixed_response {
35 | content_type = "text/plain"
36 | message_body = "404: page not found"
37 | status_code = 404
38 | }
39 | }
40 | }
Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
FAILED for resource: module.web_app.aws_lb_listener.http
File: /06-organization-and-modules/web-app-module/networking.tf:23-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-43.html
23 | resource "aws_lb_listener" "http" {
24 | load_balancer_arn = aws_lb.load_balancer.arn
25 |
26 | port = 80
27 |
28 | protocol = "HTTP"
29 |
30 | # By default, return a simple 404 page
31 | default_action {
32 | type = "fixed-response"
33 |
34 | fixed_response {
35 | content_type = "text/plain"
36 | message_body = "404: page not found"
37 | status_code = 404
38 | }
39 | }
40 | }
Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF"
FAILED for resource: aws_lb.load_balancer
File: /03-basics/web-app/main.tf:181-187
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf.html
181 | resource "aws_lb" "load_balancer" {
182 | name = "web-app-lb"
183 | load_balancer_type = "application"
184 | subnets = data.aws_subnet_ids.default_subnet.ids
185 | security_groups = [aws_security_group.alb.id]
186 |
187 | }
Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF"
FAILED for resource: aws_lb.load_balancer
File: /04-variables-and-outputs/web-app/main.tf:182-188
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf.html
182 | resource "aws_lb" "load_balancer" {
183 | name = "web-app-lb"
184 | load_balancer_type = "application"
185 | subnets = data.aws_subnet_ids.default_subnet.ids
186 | security_groups = [aws_security_group.alb.id]
187 |
188 | }
Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF"
FAILED for resource: module.web_app_1.aws_lb.load_balancer
File: /06-organization-and-modules/web-app-module/networking.tf:115-121
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf.html
115 | resource "aws_lb" "load_balancer" {
116 | name = "${var.app_name}-${var.environment_name}-web-app-lb"
117 | load_balancer_type = "application"
118 | subnets = data.aws_subnet_ids.default_subnet.ids
119 | security_groups = [aws_security_group.alb.id]
120 |
121 | }
Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF"
FAILED for resource: module.web_app_2.aws_lb.load_balancer
File: /06-organization-and-modules/web-app-module/networking.tf:115-121
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf.html
115 | resource "aws_lb" "load_balancer" {
116 | name = "${var.app_name}-${var.environment_name}-web-app-lb"
117 | load_balancer_type = "application"
118 | subnets = data.aws_subnet_ids.default_subnet.ids
119 | security_groups = [aws_security_group.alb.id]
120 |
121 | }
Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF"
FAILED for resource: module.web_app.aws_lb.load_balancer
File: /06-organization-and-modules/web-app-module/networking.tf:115-121
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf.html
115 | resource "aws_lb" "load_balancer" {
116 | name = "${var.app_name}-${var.environment_name}-web-app-lb"
117 | load_balancer_type = "application"
118 | subnets = data.aws_subnet_ids.default_subnet.ids
119 | security_groups = [aws_security_group.alb.id]
120 |
121 | }
Check: CKV2_AWS_20: "Ensure that ALB redirects HTTP requests into HTTPS ones"
FAILED for resource: aws_lb.load_balancer
File: /03-basics/web-app/main.tf:181-187
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-redirects-http-requests-into-https-ones.html
181 | resource "aws_lb" "load_balancer" {
182 | name = "web-app-lb"
183 | load_balancer_type = "application"
184 | subnets = data.aws_subnet_ids.default_subnet.ids
185 | security_groups = [aws_security_group.alb.id]
186 |
187 | }
Check: CKV2_AWS_20: "Ensure that ALB redirects HTTP requests into HTTPS ones"
FAILED for resource: aws_lb.load_balancer
File: /04-variables-and-outputs/web-app/main.tf:182-188
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-redirects-http-requests-into-https-ones.html
182 | resource "aws_lb" "load_balancer" {
183 | name = "web-app-lb"
184 | load_balancer_type = "application"
185 | subnets = data.aws_subnet_ids.default_subnet.ids
186 | security_groups = [aws_security_group.alb.id]
187 |
188 | }
Check: CKV2_AWS_20: "Ensure that ALB redirects HTTP requests into HTTPS ones"
FAILED for resource: module.web_app_1.aws_lb.load_balancer
File: /06-organization-and-modules/web-app-module/networking.tf:115-121
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-redirects-http-requests-into-https-ones.html
115 | resource "aws_lb" "load_balancer" {
116 | name = "${var.app_name}-${var.environment_name}-web-app-lb"
117 | load_balancer_type = "application"
118 | subnets = data.aws_subnet_ids.default_subnet.ids
119 | security_groups = [aws_security_group.alb.id]
120 |
121 | }
Check: CKV2_AWS_20: "Ensure that ALB redirects HTTP requests into HTTPS ones"
FAILED for resource: module.web_app_2.aws_lb.load_balancer
File: /06-organization-and-modules/web-app-module/networking.tf:115-121
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-redirects-http-requests-into-https-ones.html
115 | resource "aws_lb" "load_balancer" {
116 | name = "${var.app_name}-${var.environment_name}-web-app-lb"
117 | load_balancer_type = "application"
118 | subnets = data.aws_subnet_ids.default_subnet.ids
119 | security_groups = [aws_security_group.alb.id]
120 |
121 | }
Check: CKV2_AWS_20: "Ensure that ALB redirects HTTP requests into HTTPS ones"
FAILED for resource: module.web_app.aws_lb.load_balancer
File: /06-organization-and-modules/web-app-module/networking.tf:115-121
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-redirects-http-requests-into-https-ones.html
115 | resource "aws_lb" "load_balancer" {
116 | name = "${var.app_name}-${var.environment_name}-web-app-lb"
117 | load_balancer_type = "application"
118 | subnets = data.aws_subnet_ids.default_subnet.ids
119 | security_groups = [aws_security_group.alb.id]
120 |
121 | }
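The two ALB findings above (CKV2_AWS_28 and CKV2_AWS_20) are raised against the same `aws_lb.load_balancer` block, which on its own has no listeners and no web ACL. The configuration below is an added example, not code from the course repo: it keeps the course's load balancer and adds the pieces checkov looks for, a port 80 listener that only redirects, a TLS listener, and a regional WAFv2 web ACL associated with the ALB. Assumed names: `aws_lb_target_group.instances` for the existing target group and `var.certificate_arn` for an ACM certificate in the same region. `data.aws_subnet_ids` is copied from the findings; it was removed in AWS provider v5, where `aws_subnets` replaces it.

```hcl
# Added example (not from the course repo). Assumes AWS provider 4.x,
# an existing aws_lb_target_group.instances and var.certificate_arn.
resource "aws_lb" "load_balancer" {
  name                       = "web-app-lb"
  load_balancer_type         = "application"
  subnets                    = data.aws_subnet_ids.default_subnet.ids
  security_groups            = [aws_security_group.alb.id]
  drop_invalid_header_fields = true # reject malformed headers at the edge
}

# CKV2_AWS_20: the plaintext listener never forwards; it only redirects to 443.
resource "aws_lb_listener" "http" {
  load_balancer_arn = aws_lb.load_balancer.arn
  port              = 80
  protocol          = "HTTP"

  default_action {
    type = "redirect"
    redirect {
      port        = "443"
      protocol    = "HTTPS"
      status_code = "HTTP_301"
    }
  }
}

resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.load_balancer.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06" # TLS 1.2+ only
  certificate_arn   = var.certificate_arn                  # assumed variable

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.instances.arn # assumed name
  }
}

# CKV2_AWS_28: regional web ACL with the AWS common rule set, attached to the ALB.
resource "aws_wafv2_web_acl" "alb" {
  name  = "web-app-alb-acl"
  scope = "REGIONAL"

  default_action {
    allow {}
  }

  rule {
    name     = "aws-common"
    priority = 1

    # Managed rule groups require override_action rather than action.
    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "aws-common"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "web-app-alb-acl"
    sampled_requests_enabled   = true
  }
}

resource "aws_wafv2_web_acl_association" "alb" {
  resource_arn = aws_lb.load_balancer.arn
  web_acl_arn  = aws_wafv2_web_acl.alb.arn
}
```

Two things to check before applying: `aws_security_group.alb` must allow inbound 443 (the course's group, as scanned, is not shown here), and the certificate must be issued in the ALB's region, since ALBs cannot use certificates from us-east-1 the way CloudFront does. The WAF association also means every request is evaluated against the managed rule set, so watch the sampled requests for false positives before switching any rule from count to block.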
Check: CKV2_AWS_39: "Ensure Domain Name System (DNS) query logging is enabled for Amazon Route 53 hosted zones"
FAILED for resource: aws_route53_zone.primary
File: /03-basics/web-app/main.tf:189-191
189 | resource "aws_route53_zone" "primary" {
190 | name = "devopsdeployed.com"
191 | }
Check: CKV2_AWS_39: "Ensure Domain Name System (DNS) query logging is enabled for Amazon Route 53 hosted zones"
FAILED for resource: aws_route53_zone.primary
File: /04-variables-and-outputs/web-app/main.tf:190-192
190 | resource "aws_route53_zone" "primary" {
191 | name = var.domain
192 | }
Check: CKV2_AWS_39: "Ensure Domain Name System (DNS) query logging is enabled for Amazon Route 53 hosted zones"
FAILED for resource: module.web_app_1.aws_route53_zone.primary[0]
File: /06-organization-and-modules/web-app-module/dns.tf:1-4
1 | resource "aws_route53_zone" "primary" {
2 | count = var.create_dns_zone ? 1 : 0
3 | name = var.domain
4 | }
Check: CKV2_AWS_39: "Ensure Domain Name System (DNS) query logging is enabled for Amazon Route 53 hosted zones"
FAILED for resource: module.web_app_2.aws_route53_zone.primary[0]
File: /06-organization-and-modules/web-app-module/dns.tf:1-4
1 | resource "aws_route53_zone" "primary" {
2 | count = var.create_dns_zone ? 1 : 0
3 | name = var.domain
4 | }
Check: CKV2_AWS_39: "Ensure Domain Name System (DNS) query logging is enabled for Amazon Route 53 hosted zones"
FAILED for resource: module.web_app.aws_route53_zone.primary
File: /06-organization-and-modules/web-app-module/dns.tf:1-4
1 | resource "aws_route53_zone" "primary" {
2 | count = var.create_dns_zone ? 1 : 0
3 | name = var.domain
4 | }
Check: CKV2_AWS_39: "Ensure Domain Name System (DNS) query logging is enabled for Amazon Route 53 hosted zones"
FAILED for resource: aws_route53_zone.primary
File: /07-managing-multiple-environments/file-structure/global/main.tf:25-27
25 | resource "aws_route53_zone" "primary" {
26 | name = "devopsdeployed.com"
27 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.terraform_state
File: /03-basics/aws-backend/main.tf:27-30
27 | resource "aws_s3_bucket" "terraform_state" {
28 | bucket = "devops-directive-tf-state" # REPLACE WITH YOUR BUCKET NAME
29 | force_destroy = true
30 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.bucket
File: /03-basics/web-app/main.tf:46-49
46 | resource "aws_s3_bucket" "bucket" {
47 | bucket_prefix = "devops-directive-web-app-data"
48 | force_destroy = true
49 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.bucket
File: /04-variables-and-outputs/web-app/main.tf:47-50
47 | resource "aws_s3_bucket" "bucket" {
48 | bucket_prefix = var.bucket_prefix
49 | force_destroy = true
50 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: module.web_app_1.aws_s3_bucket.bucket
File: /06-organization-and-modules/web-app-module/storage.tf:1-4
1 | resource "aws_s3_bucket" "bucket" {
2 | bucket_prefix = var.bucket_prefix
3 | force_destroy = true
4 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: module.web_app_2.aws_s3_bucket.bucket
File: /06-organization-and-modules/web-app-module/storage.tf:1-4
1 | resource "aws_s3_bucket" "bucket" {
2 | bucket_prefix = var.bucket_prefix
3 | force_destroy = true
4 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: module.web_app.aws_s3_bucket.bucket
File: /06-organization-and-modules/web-app-module/storage.tf:1-4
1 | resource "aws_s3_bucket" "bucket" {
2 | bucket_prefix = var.bucket_prefix
3 | force_destroy = true
4 | }
Check: CKV2_AWS_30: "Ensure Postgres RDS as aws_db_instance has Query Logging enabled"
FAILED for resource: aws_db_instance.db_instance
File: /03-basics/web-app/main.tf:205-220
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-postgres-rds-has-query-logging-enabled.html
205 | resource "aws_db_instance" "db_instance" {
206 | allocated_storage = 20
207 | # This allows any minor version within the major engine_version
208 | # defined below, but will also result in allowing AWS to auto
209 | # upgrade the minor version of your DB. This may be too risky
210 | # in a real production environment.
211 | auto_minor_version_upgrade = true
212 | storage_type = "standard"
213 | engine = "postgres"
214 | engine_version = "12"
215 | instance_class = "db.t2.micro"
216 | name = "mydb"
217 | username = "foo"
218 | password = "foobarbaz"
219 | skip_final_snapshot = true
220 | }
Check: CKV2_AWS_30: "Ensure Postgres RDS as aws_db_instance has Query Logging enabled"
FAILED for resource: aws_db_instance.db_instance
File: /04-variables-and-outputs/examples/main.tf:36-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-postgres-rds-has-query-logging-enabled.html
36 | resource "aws_db_instance" "db_instance" {
37 | allocated_storage = 20
38 | storage_type = "gp2"
39 | engine = "postgres"
40 | engine_version = "12"
41 | instance_class = "db.t2.micro"
42 | name = "mydb"
43 | username = var.db_user
44 | password = var.db_pass
45 | skip_final_snapshot = true
46 | }
Check: CKV2_AWS_30: "Ensure Postgres RDS as aws_db_instance has Query Logging enabled"
FAILED for resource: aws_db_instance.db_instance
File: /04-variables-and-outputs/web-app/main.tf:206-216
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-postgres-rds-has-query-logging-enabled.html
206 | resource "aws_db_instance" "db_instance" {
207 | allocated_storage = 20
208 | storage_type = "standard"
209 | engine = "postgres"
210 | engine_version = "12"
211 | instance_class = "db.t2.micro"
212 | name = var.db_name
213 | username = var.db_user
214 | password = var.db_pass
215 | skip_final_snapshot = true
216 | }
Check: CKV2_AWS_30: "Ensure Postgres RDS as aws_db_instance has Query Logging enabled"
FAILED for resource: module.web_app_1.aws_db_instance.db_instance
File: /06-organization-and-modules/web-app-module/database.tf:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-postgres-rds-has-query-logging-enabled.html
1 | resource "aws_db_instance" "db_instance" {
2 | allocated_storage = 20
3 | storage_type = "standard"
4 | engine = "postgres"
5 | engine_version = "12"
6 | instance_class = "db.t2.micro"
7 | name = var.db_name
8 | username = var.db_user
9 | password = var.db_pass
10 | skip_final_snapshot = true
11 | }
Check: CKV2_AWS_30: "Ensure Postgres RDS as aws_db_instance has Query Logging enabled"
FAILED for resource: module.web_app_2.aws_db_instance.db_instance
File: /06-organization-and-modules/web-app-module/database.tf:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-postgres-rds-has-query-logging-enabled.html
1 | resource "aws_db_instance" "db_instance" {
2 | allocated_storage = 20
3 | storage_type = "standard"
4 | engine = "postgres"
5 | engine_version = "12"
6 | instance_class = "db.t2.micro"
7 | name = var.db_name
8 | username = var.db_user
9 | password = var.db_pass
10 | skip_final_snapshot = true
11 | }
Check: CKV2_AWS_30: "Ensure Postgres RDS as aws_db_instance has Query Logging enabled"
FAILED for resource: module.web_app.aws_db_instance.db_instance
File: /06-organization-and-modules/web-app-module/database.tf:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-postgres-rds-has-query-logging-enabled.html
1 | resource "aws_db_instance" "db_instance" {
2 | allocated_storage = 20
3 | storage_type = "standard"
4 | engine = "postgres"
5 | engine_version = "12"
6 | instance_class = "db.t2.micro"
7 | name = var.db_name
8 | username = var.db_user
9 | password = var.db_pass
10 | skip_final_snapshot = true
11 | }
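CKV2_AWS_30 is satisfied by attaching a parameter group that sets `log_statement` and `log_min_duration_statement`; the instances above attach none, so Postgres runs with its defaults and records no statements. The block below is an added example, not code from the course repo. It keeps the course's `var.db_name` and `var.db_user`, adds the parameter group, exports the resulting log to CloudWatch so it is actually collectable, and drops the `password` argument (the 03-basics variant hard-codes `foobarbaz`) in favour of an RDS-managed master password in Secrets Manager. Engine version 15, `gp3` storage and `db.t3.micro` are assumptions; `db_name` and `manage_master_user_password` need AWS provider 5.x.

```hcl
# Added example (not from the course repo). Assumes AWS provider 5.x.
# CKV2_AWS_30 looks for a parameter group that sets both log_* parameters below.
resource "aws_db_parameter_group" "postgres_logging" {
  name   = "web-app-postgres-logging"
  family = "postgres15"

  parameter {
    name  = "log_statement"
    value = "all" # "ddl" or "mod" if full query text is too noisy or too sensitive
  }

  parameter {
    name  = "log_min_duration_statement"
    value = "1" # also log duration for anything slower than 1 ms
  }

  parameter {
    name  = "log_connections"
    value = "1" # who connected, from where, as which role
  }
}

resource "aws_db_instance" "db_instance" {
  allocated_storage = 20
  storage_type      = "gp3"
  engine            = "postgres"
  engine_version    = "15"
  instance_class    = "db.t3.micro"
  db_name           = var.db_name
  username          = var.db_user

  # No password in code, variables or state: RDS generates it and keeps it in
  # Secrets Manager. Conflicts with the password argument, which is removed.
  manage_master_user_password = true

  parameter_group_name = aws_db_parameter_group.postgres_logging.name

  # The parameter group only makes Postgres write its log file on the instance;
  # this ships it to CloudWatch Logs, where retention and alerting can be set.
  enabled_cloudwatch_logs_exports = ["postgresql", "upgrade"]

  storage_encrypted   = true
  skip_final_snapshot = true # acceptable for a lab, not for production data
}
```

`log_statement = "all"` records the full text of every statement, including literal values and anything an application inlines into SQL instead of binding, so treat the resulting log group as sensitive: restrict who can read it and set a retention period. The three parameters used here are dynamic in RDS Postgres, so attaching the group does not require a reboot.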
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.terraform_state
File: /03-basics/aws-backend/main.tf:27-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
27 | resource "aws_s3_bucket" "terraform_state" {
28 | bucket = "devops-directive-tf-state" # REPLACE WITH YOUR BUCKET NAME
29 | force_destroy = true
30 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.bucket
File: /03-basics/web-app/main.tf:46-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
46 | resource "aws_s3_bucket" "bucket" {
47 | bucket_prefix = "devops-directive-web-app-data"
48 | force_destroy = true
49 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.bucket
File: /04-variables-and-outputs/web-app/main.tf:47-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
47 | resource "aws_s3_bucket" "bucket" {
48 | bucket_prefix = var.bucket_prefix
49 | force_destroy = true
50 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: module.web_app_1.aws_s3_bucket.bucket
File: /06-organization-and-modules/web-app-module/storage.tf:1-4
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
1 | resource "aws_s3_bucket" "bucket" {
2 | bucket_prefix = var.bucket_prefix
3 | force_destroy = true
4 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: module.web_app_2.aws_s3_bucket.bucket
File: /06-organization-and-modules/web-app-module/storage.tf:1-4
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
1 | resource "aws_s3_bucket" "bucket" {
2 | bucket_prefix = var.bucket_prefix
3 | force_destroy = true
4 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: module.web_app.aws_s3_bucket.bucket
File: /06-organization-and-modules/web-app-module/storage.tf:1-4
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
1 | resource "aws_s3_bucket" "bucket" {
2 | bucket_prefix = var.bucket_prefix
3 | force_destroy = true
4 | }
Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
FAILED for resource: aws_s3_bucket.terraform_state
File: /03-basics/aws-backend/main.tf:27-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached.html
27 | resource "aws_s3_bucket" "terraform_state" {
28 | bucket = "devops-directive-tf-state" # REPLACE WITH YOUR BUCKET NAME
29 | force_destroy = true
30 | }
Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
FAILED for resource: aws_s3_bucket.bucket
File: /03-basics/web-app/main.tf:46-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached.html
46 | resource "aws_s3_bucket" "bucket" {
47 | bucket_prefix = "devops-directive-web-app-data"
48 | force_destroy = true
49 | }
Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
FAILED for resource: aws_s3_bucket.bucket
File: /04-variables-and-outputs/web-app/main.tf:47-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached.html
47 | resource "aws_s3_bucket" "bucket" {
48 | bucket_prefix = var.bucket_prefix
49 | force_destroy = true
50 | }
Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
FAILED for resource: module.web_app_1.aws_s3_bucket.bucket
File: /06-organization-and-modules/web-app-module/storage.tf:1-4
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached.html
1 | resource "aws_s3_bucket" "bucket" {
2 | bucket_prefix = var.bucket_prefix
3 | force_destroy = true
4 | }
Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
FAILED for resource: module.web_app_2.aws_s3_bucket.bucket
File: /06-organization-and-modules/web-app-module/storage.tf:1-4
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached.html
1 | resource "aws_s3_bucket" "bucket" {
2 | bucket_prefix = var.bucket_prefix
3 | force_destroy = true
4 | }
Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
FAILED for resource: module.web_app.aws_s3_bucket.bucket
File: /06-organization-and-modules/web-app-module/storage.tf:1-4
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached.html
1 | resource "aws_s3_bucket" "bucket" {
2 | bucket_prefix = var.bucket_prefix
3 | force_destroy = true
4 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.terraform_state
File: /03-basics/aws-backend/main.tf:27-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
27 | resource "aws_s3_bucket" "terraform_state" {
28 | bucket = "devops-directive-tf-state" # REPLACE WITH YOUR BUCKET NAME
29 | force_destroy = true
30 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.bucket
File: /03-basics/web-app/main.tf:46-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
46 | resource "aws_s3_bucket" "bucket" {
47 | bucket_prefix = "devops-directive-web-app-data"
48 | force_destroy = true
49 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.bucket
File: /04-variables-and-outputs/web-app/main.tf:47-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
47 | resource "aws_s3_bucket" "bucket" {
48 | bucket_prefix = var.bucket_prefix
49 | force_destroy = true
50 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: module.web_app_1.aws_s3_bucket.bucket
File: /06-organization-and-modules/web-app-module/storage.tf:1-4
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
1 | resource "aws_s3_bucket" "bucket" {
2 | bucket_prefix = var.bucket_prefix
3 | force_destroy = true
4 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: module.web_app_2.aws_s3_bucket.bucket
File: /06-organization-and-modules/web-app-module/storage.tf:1-4
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
1 | resource "aws_s3_bucket" "bucket" {
2 | bucket_prefix = var.bucket_prefix
3 | force_destroy = true
4 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: module.web_app.aws_s3_bucket.bucket
File: /06-organization-and-modules/web-app-module/storage.tf:1-4
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
1 | resource "aws_s3_bucket" "bucket" {
2 | bucket_prefix = var.bucket_prefix
3 | force_destroy = true
4 | }
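Four separate checks (CKV2_AWS_61 lifecycle, CKV_AWS_18 access logging, CKV2_AWS_6 public access block and CKV_AWS_145 KMS encryption) fail against the same bare `aws_s3_bucket` blocks, which set nothing beyond a name and `force_destroy`. The following is an added example, not code from the course repo, showing the web-app bucket with all four addressed using the per-setting resources of AWS provider 4.x and later. It assumes a separate, pre-existing log bucket named `aws_s3_bucket.access_logs` in the same region; the course's `var.bucket_prefix` is kept.

```hcl
# Added example (not from the course repo). Assumes AWS provider >= 4.x and an
# existing log bucket aws_s3_bucket.access_logs (assumed name).
resource "aws_s3_bucket" "bucket" {
  bucket_prefix = var.bucket_prefix
  # The original's force_destroy = true lets `terraform destroy` delete a
  # non-empty bucket; keep it only for throwaway environments.
}

# CKV2_AWS_6: block public ACLs and public bucket policies, both now and later.
resource "aws_s3_bucket_public_access_block" "bucket" {
  bucket                  = aws_s3_bucket.bucket.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# CKV_AWS_145: default encryption with a customer-managed, rotating KMS key.
resource "aws_kms_key" "bucket" {
  description         = "SSE-KMS key for ${aws_s3_bucket.bucket.id}"
  enable_key_rotation = true
}

resource "aws_s3_bucket_server_side_encryption_configuration" "bucket" {
  bucket = aws_s3_bucket.bucket.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.bucket.arn
    }
    bucket_key_enabled = true # cuts KMS request volume and cost
  }
}

# CKV_AWS_18: server access logs go to a different bucket, never to itself.
resource "aws_s3_bucket_logging" "bucket" {
  bucket        = aws_s3_bucket.bucket.id
  target_bucket = aws_s3_bucket.access_logs.id # assumed existing bucket
  target_prefix = "s3-access/${aws_s3_bucket.bucket.id}/"
}

# Versioning keeps deleted/overwritten objects recoverable; the lifecycle rule
# then bounds how long old versions are retained.
resource "aws_s3_bucket_versioning" "bucket" {
  bucket = aws_s3_bucket.bucket.id

  versioning_configuration {
    status = "Enabled"
  }
}

# CKV2_AWS_61: lifecycle configuration; also reaps abandoned multipart uploads.
resource "aws_s3_bucket_lifecycle_configuration" "bucket" {
  bucket     = aws_s3_bucket.bucket.id
  depends_on = [aws_s3_bucket_versioning.bucket]

  rule {
    id     = "expire-old-versions"
    status = "Enabled"
    filter {} # applies to every object in the bucket

    noncurrent_version_expiration {
      noncurrent_days = 90
    }

    abort_incomplete_multipart_upload {
      days_after_initiation = 7
    }
  }
}
```

The same pattern applies to the `terraform_state` bucket in `03-basics/aws-backend`, where versioning matters most because it is the only way to roll back a corrupted state file. If that bucket is switched to SSE-KMS, every principal that runs `terraform init` or `apply` needs `kms:Decrypt` and `kms:GenerateDataKey` on the key, or the backend will fail to read state.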
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.example
File: /02-overview/main.tf:14-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
14 | resource "aws_instance" "example" {
15 | ami = "ami-011899242bb902164" # Ubuntu 20.04 LTS // us-east-1
16 | instance_type = "t2.micro"
17 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.instance_1
File: /03-basics/web-app/main.tf:24-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
24 | resource "aws_instance" "instance_1" {
25 | ami = "ami-011899242bb902164" # Ubuntu 20.04 LTS // us-east-1
26 | instance_type = "t2.micro"
27 | security_groups = [aws_security_group.instances.name]
28 | user_data = <<-EOF
29 | #!/bin/bash
30 | echo "Hello, World 1" > index.html
31 | python3 -m http.server 8080 &
32 | EOF
33 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.instance_2
File: /03-basics/web-app/main.tf:35-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
35 | resource "aws_instance" "instance_2" {
36 | ami = "ami-011899242bb902164" # Ubuntu 20.04 LTS // us-east-1
37 | instance_type = "t2.micro"
38 | security_groups = [aws_security_group.instances.name]
39 | user_data = <<-EOF
40 | #!/bin/bash
41 | echo "Hello, World 2" > index.html
42 | python3 -m http.server 8080 &
43 | EOF
44 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.instance
File: /04-variables-and-outputs/examples/main.tf:26-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
26 | resource "aws_instance" "instance" {
27 | ami = var.ami
28 | instance_type = var.instance_type
29 |
30 | tags = {
31 | Name = var.instance_name
32 | ExtraTag = local.extra_tag
33 | }
34 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.instance_1
File: /04-variables-and-outputs/web-app/main.tf:25-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
25 | resource "aws_instance" "instance_1" {
26 | ami = var.ami
27 | instance_type = var.instance_type
28 | security_groups = [aws_security_group.instances.name]
29 | user_data = <<-EOF
30 | #!/bin/bash
31 | echo "Hello, World 1" > index.html
32 | python3 -m http.server 8080 &
33 | EOF
34 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.instance_2
File: /04-variables-and-outputs/web-app/main.tf:36-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
36 | resource "aws_instance" "instance_2" {
37 | ami = var.ami
38 | instance_type = var.instance_type
39 | security_groups = [aws_security_group.instances.name]
40 | user_data = <<-EOF
41 | #!/bin/bash
42 | echo "Hello, World 2" > index.html
43 | python3 -m http.server 8080 &
44 | EOF
45 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: module.web_app_1.aws_instance.instance_1
File: /06-organization-and-modules/web-app-module/compute.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
1 | resource "aws_instance" "instance_1" {
2 | ami = var.ami
3 | instance_type = var.instance_type
4 | security_groups = [aws_security_group.instances.name]
5 | user_data = <<-EOF
6 | #!/bin/bash
7 | echo "Hello, World 1" > index.html
8 | python3 -m http.server 8080 &
9 | EOF
10 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: module.web_app_1.aws_instance.instance_2
File: /06-organization-and-modules/web-app-module/compute.tf:12-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
12 | resource "aws_instance" "instance_2" {
13 | ami = var.ami
14 | instance_type = var.instance_type
15 | security_groups = [aws_security_group.instances.name]
16 | user_data = <<-EOF
17 | #!/bin/bash
18 | echo "Hello, World 2" > index.html
19 | python3 -m http.server 8080 &
20 | EOF
21 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: module.web_app_2.aws_instance.instance_1
File: /06-organization-and-modules/web-app-module/compute.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
1 | resource "aws_instance" "instance_1" {
2 | ami = var.ami
3 | instance_type = var.instance_type
4 | security_groups = [aws_security_group.instances.name]
5 | user_data = <<-EOF
6 | #!/bin/bash
7 | echo "Hello, World 1" > index.html
8 | python3 -m http.server 8080 &
9 | EOF
10 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: module.web_app_2.aws_instance.instance_2
File: /06-organization-and-modules/web-app-module/compute.tf:12-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
12 | resource "aws_instance" "instance_2" {
13 | ami = var.ami
14 | instance_type = var.instance_type
15 | security_groups = [aws_security_group.instances.name]
16 | user_data = <<-EOF
17 | #!/bin/bash
18 | echo "Hello, World 2" > index.html
19 | python3 -m http.server 8080 &
20 | EOF
21 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: module.web_app.aws_instance.instance_1
File: /06-organization-and-modules/web-app-module/compute.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
1 | resource "aws_instance" "instance_1" {
2 | ami = var.ami
3 | instance_type = var.instance_type
4 | security_groups = [aws_security_group.instances.name]
5 | user_data = <<-EOF
6 | #!/bin/bash
7 | echo "Hello, World 1" > index.html
8 | python3 -m http.server 8080 &
9 | EOF
10 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: module.web_app.aws_instance.instance_2
File: /06-organization-and-modules/web-app-module/compute.tf:12-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
12 | resource "aws_instance" "instance_2" {
13 | ami = var.ami
14 | instance_type = var.instance_type
15 | security_groups = [aws_security_group.instances.name]
16 | user_data = <<-EOF
17 | #!/bin/bash
18 | echo "Hello, World 2" > index.html
19 | python3 -m http.server 8080 &
20 | EOF
21 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: module.web_app.aws_instance.instance
File: /08-testing/modules/hello-world/instance.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
1 | resource "aws_instance" "instance" {
2 | ami = "ami-011899242bb902164" # Ubuntu 20.04 LTS // us-east-1
3 | instance_type = "t2.micro"
4 | security_groups = [aws_security_group.instances.name]
5 | user_data = <<-EOF
6 | #!/bin/bash
7 | echo "Hello, World" > index.html
8 | python3 -m http.server 8080 &
9 | EOF
10 | }
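Every `aws_instance` in the findings above launches without an instance profile, which fails CKV2_AWS_41 and, more practically, means any AWS access the server needs ends up as long-lived keys in user data or on disk. The block below is an added example, not code from the course repo: it attaches a role that carries only the SSM permissions needed for Session Manager access (an assumption about what the instances need) and requires IMDSv2, so a request-forgery bug in the web app cannot fetch the role's temporary credentials with a plain GET to 169.254.169.254. The course's `var.ami`, `var.instance_type` and `aws_security_group.instances` are kept.

```hcl
# Added example (not from the course repo). The SSM policy is an assumed
# minimum; replace it with whatever the workload actually calls.
data "aws_iam_policy_document" "ec2_assume" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "web_instance" {
  name               = "web-app-instance"
  assume_role_policy = data.aws_iam_policy_document.ec2_assume.json
}

# Grant only what the instance needs. SSM core lets it be reached via Session
# Manager, which removes the need for an SSH key pair and port 22.
resource "aws_iam_role_policy_attachment" "ssm_core" {
  role       = aws_iam_role.web_instance.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
}

resource "aws_iam_instance_profile" "web_instance" {
  name = "web-app-instance"
  role = aws_iam_role.web_instance.name
}

resource "aws_instance" "instance_1" {
  ami                  = var.ami
  instance_type        = var.instance_type
  security_groups      = [aws_security_group.instances.name]
  iam_instance_profile = aws_iam_instance_profile.web_instance.name # CKV2_AWS_41

  # IMDSv2 only: credentials require a PUT-obtained session token, and the
  # hop limit of 1 keeps the token from being relayed out of the host.
  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required"
    http_put_response_hop_limit = 1
  }

  root_block_device {
    encrypted = true
  }

  user_data = <<-EOF
    #!/bin/bash
    echo "Hello, World 1" > index.html
    python3 -m http.server 8080 &
    EOF
}
```

If the application itself runs in containers on the host, raise `http_put_response_hop_limit` to 2 or the containers will be unable to obtain a token; otherwise leave it at 1. Changing `metadata_options` on an existing instance is applied in place, but adding `iam_instance_profile` to an instance that had none may be as well, so review the plan before applying.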
Check: CKV2_AWS_38: "Ensure Domain Name System Security Extensions (DNSSEC) signing is enabled for Amazon Route 53 public hosted zones"
FAILED for resource: aws_route53_zone.primary
File: /03-basics/web-app/main.tf:189-191
189 | resource "aws_route53_zone" "primary" {
190 | name = "devopsdeployed.com"
191 | }
Check: CKV2_AWS_38: "Ensure Domain Name System Security Extensions (DNSSEC) signing is enabled for Amazon Route 53 public hosted zones"
FAILED for resource: aws_route53_zone.primary
File: /04-variables-and-outputs/web-app/main.tf:190-192
190 | resource "aws_route53_zone" "primary" {
191 | name = var.domain
192 | }
Check: CKV2_AWS_38: "Ensure Domain Name System Security Extensions (DNSSEC) signing is enabled for Amazon Route 53 public hosted zones"
FAILED for resource: module.web_app_1.aws_route53_zone.primary[0]
File: /06-organization-and-modules/web-app-module/dns.tf:1-4
1 | resource "aws_route53_zone" "primary" {
2 | count = var.create_dns_zone ? 1 : 0
3 | name = var.domain
4 | }
Check: CKV2_AWS_38: "Ensure Domain Name System Security Extensions (DNSSEC) signing is enabled for Amazon Route 53 public hosted zones"
FAILED for resource: module.web_app_2.aws_route53_zone.primary[0]
File: /06-organization-and-modules/web-app-module/dns.tf:1-4
1 | resource "aws_route53_zone" "primary" {
2 | count = var.create_dns_zone ? 1 : 0
3 | name = var.domain
4 | }
Check: CKV2_AWS_38: "Ensure Domain Name System Security Extensions (DNSSEC) signing is enabled for Amazon Route 53 public hosted zones"
FAILED for resource: module.web_app.aws_route53_zone.primary
File: /06-organization-and-modules/web-app-module/dns.tf:1-4
1 | resource "aws_route53_zone" "primary" {
2 | count = var.create_dns_zone ? 1 : 0
3 | name = var.domain
4 | }
Check: CKV2_AWS_38: "Ensure Domain Name System Security Extensions (DNSSEC) signing is enabled for Amazon Route 53 public hosted zones"
FAILED for resource: aws_route53_zone.primary
File: /07-managing-multiple-environments/file-structure/global/main.tf:25-27
25 | resource "aws_route53_zone" "primary" {
26 | name = "devopsdeployed.com"
27 | }
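The Route 53 findings (CKV2_AWS_39 query logging, listed earlier, and CKV2_AWS_38 DNSSEC signing, above) both concern the same bare `aws_route53_zone.primary`. Both features have a regional quirk: the CloudWatch log group for query logging and the KMS key used as the DNSSEC key-signing key must live in us-east-1 regardless of where the rest of the stack is deployed. The block below is an added example, not code from the course repo; it keeps the course's `var.domain`, drops the module's `count` for brevity, and uses an aliased provider for the us-east-1 resources. All other names are assumptions.

```hcl
# Added example (not from the course repo). Query-log group and DNSSEC KMS key
# must be in us-east-1, hence the aliased provider.
provider "aws" {
  alias  = "use1"
  region = "us-east-1"
}

resource "aws_route53_zone" "primary" {
  name = var.domain
}

# CKV2_AWS_39: query logging to CloudWatch Logs.
resource "aws_cloudwatch_log_group" "dns_queries" {
  provider          = aws.use1
  name              = "/aws/route53/${var.domain}"
  retention_in_days = 90
}

# Route 53 writes as a service principal; the log group's resource policy must
# allow it. One policy covers all /aws/route53/* groups in the account.
data "aws_iam_policy_document" "route53_logs" {
  statement {
    actions   = ["logs:CreateLogStream", "logs:PutLogEvents"]
    resources = ["arn:aws:logs:*:*:log-group:/aws/route53/*"]

    principals {
      type        = "Service"
      identifiers = ["route53.amazonaws.com"]
    }
  }
}

resource "aws_cloudwatch_log_resource_policy" "route53_logs" {
  provider        = aws.use1
  policy_name     = "route53-query-logging"
  policy_document = data.aws_iam_policy_document.route53_logs.json
}

resource "aws_route53_query_log" "primary" {
  zone_id                  = aws_route53_zone.primary.zone_id
  cloudwatch_log_group_arn = aws_cloudwatch_log_group.dns_queries.arn
  depends_on               = [aws_cloudwatch_log_resource_policy.route53_logs]
}

# CKV2_AWS_38: DNSSEC. The KSK is an asymmetric P-256 signing key that the
# Route 53 DNSSEC service principal is allowed to sign with.
data "aws_caller_identity" "current" {}

resource "aws_kms_key" "dnssec" {
  provider                 = aws.use1
  description              = "Route 53 DNSSEC KSK for ${var.domain}"
  customer_master_key_spec = "ECC_NIST_P256"
  key_usage                = "SIGN_VERIFY"
  deletion_window_in_days  = 7

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "Route53DnssecSign"
        Effect    = "Allow"
        Principal = { Service = "dnssec-route53.amazonaws.com" }
        Action    = ["kms:DescribeKey", "kms:GetPublicKey", "kms:Sign"]
        Resource  = "*"
      },
      {
        Sid       = "Route53DnssecGrant"
        Effect    = "Allow"
        Principal = { Service = "dnssec-route53.amazonaws.com" }
        Action    = "kms:CreateGrant"
        Resource  = "*"
        Condition = { Bool = { "kms:GrantIsForAWSResource" = "true" } }
      },
      {
        Sid       = "AccountAdmin"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
        Action    = "kms:*"
        Resource  = "*"
      }
    ]
  })
}

resource "aws_route53_key_signing_key" "primary" {
  hosted_zone_id             = aws_route53_zone.primary.id
  key_management_service_arn = aws_kms_key.dnssec.arn
  name                       = "primary-ksk"
}

resource "aws_route53_hosted_zone_dnssec" "primary" {
  hosted_zone_id = aws_route53_key_signing_key.primary.hosted_zone_id
  depends_on     = [aws_route53_key_signing_key.primary]
}
```

Enabling signing on the zone is only half of DNSSEC: resolvers validate nothing until the zone's DS record is published at the parent (the registrar, for a registered domain). Publish it after confirming the zone signs correctly, and if the KSK is ever rotated or the zone is deleted, remove the DS record first, or every validating resolver will treat the domain as bogus.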
github_actions scan results:
Passed checks: 59, Failed checks: 1, Skipped checks: 0
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(Terraform)
File: /.github/workflows/terraform.yml:0-1
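CKV2_GHA_1 fires because the workflow grants `permissions: write-all` at the top level, so every job, including anything a third-party action runs, gets a `GITHUB_TOKEN` that can push code, edit releases and write packages. The workflow below is an added example, not the repository's own `terraform.yml`: it sets the read-only minimum at the top level (a job that needs more would raise it in its own `permissions:` block) and uses the checkov action to run the scan this report is asking for on every pull request. Trigger paths and the action versions are assumptions.

```yaml
# Added example, not the repository's workflow.
name: Terraform

on:
  pull_request:
    paths:
      - "**/*.tf"
      - ".github/workflows/terraform.yml"

# CKV2_GHA_1: least privilege for GITHUB_TOKEN. Never write-all here;
# a job that must write raises only the scopes it needs, in its own block.
permissions:
  contents: read

jobs:
  checkov:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Scan Terraform with checkov
        uses: bridgecrewio/checkov-action@v12
        with:
          directory: .
          framework: terraform
          soft_fail: false # findings fail the check on the PR
          # skip_check: CKV_AWS_126 # record accepted exceptions explicitly, with a reason
```

Pin third-party actions to a commit SHA rather than a tag once this is in place: with a read-only token the blast radius of a compromised action is small, but a moving tag still lets its author change what runs in your CI without a review on your side.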