| Repository | stacksimplify / terraform-on-aws-ec2 |
|---|---|
| Description | Terraform On AWS for EC2, VPC, ASG, ALB, CLB, NLB, CloudWatch, SNS, S3, CodePipeline, ACM, Route53 |
| Stars | 454 |
| Failed Checks | Security Scanning |
| Scan Date | 2023-10-30 17:57:40 |
Security Scanning
This repository failed the Experience Builder Terraform Module's Security Scanning validation: no security scanning tool was found in any of the CI/CD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform security scanning tools (example checkov output found below)
- Implement one of the security scanning tools within the CI/CD framework used by the repository
Checkov Output
2023-10-05 14:47:56,778 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/vpc/aws:3.0.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:47:56,778 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/ec2-instance/aws:2.17.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:47:56,778 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/alb/aws:6.0.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:47:56,778 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/security-group/aws:4.0.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:47:56,778 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/rds/aws:3.0.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:47:56,778 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/acm/aws:3.0.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:47:56,778 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/vpc/aws:2.78.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:47:56,779 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/security-group/aws:3.18.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:47:56,779 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/acm/aws:2.14.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:47:56,779 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/alb/aws:5.16.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:47:56,780 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/ec2-instance/aws:~>2.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:47:56,780 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/elb/aws:2.5.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:47:56,781 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/ec2-instance/aws:3.3.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:47:56,781 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/autoscaling/aws:4.1.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:47:56,781 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/cloudwatch/aws//modules/cis-alarms:2.1.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:47:56,781 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/vpc/aws:2.77.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:47:56,781 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/security-group/aws:~>3 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:47:56,781 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/autoscaling/aws:3.9.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:47:56,781 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/alb/aws:5.12.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:47:56,781 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/acm/aws:~>2.0 (for external modules, the --download-external-modules flag is required)
terraform scan results:
Passed checks: 352, Failed checks: 122, Skipped checks: 0
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.ec2demo
File: /02-Terraform-Basics/02-02-Terraform-Command-Basics/terraform-manifests/ec2-instance.tf:18-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
18 | resource "aws_instance" "ec2demo" {
19 | ami = "ami-0533f2ba8a1995cf9" # Amazon Linux in us-east-1, update as per your region
20 | instance_type = "t2.micro"
21 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.ec2demo
File: /02-Terraform-Basics/02-02-Terraform-Command-Basics/terraform-manifests/ec2-instance.tf:18-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
18 | resource "aws_instance" "ec2demo" {
19 | ami = "ami-0533f2ba8a1995cf9" # Amazon Linux in us-east-1, update as per your region
20 | instance_type = "t2.micro"
21 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.ec2demo
File: /02-Terraform-Basics/02-02-Terraform-Command-Basics/terraform-manifests/ec2-instance.tf:18-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
18 | resource "aws_instance" "ec2demo" {
19 | ami = "ami-0533f2ba8a1995cf9" # Amazon Linux in us-east-1, update as per your region
20 | instance_type = "t2.micro"
21 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.ec2demo
File: /02-Terraform-Basics/02-02-Terraform-Command-Basics/terraform-manifests/ec2-instance.tf:18-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
18 | resource "aws_instance" "ec2demo" {
19 | ami = "ami-0533f2ba8a1995cf9" # Amazon Linux in us-east-1, update as per your region
20 | instance_type = "t2.micro"
21 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.ec2demo
File: /02-Terraform-Basics/02-03-Terraform-Language-Syntax/terraform-manifests/top-level-blocks-samples.tf:29-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
29 | resource "aws_instance" "ec2demo" {
30 | ami = "ami-04d29b6f966df1537" # Amazon Linux
31 | instance_type = var.instance_type
32 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.ec2demo
File: /02-Terraform-Basics/02-03-Terraform-Language-Syntax/terraform-manifests/top-level-blocks-samples.tf:29-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
29 | resource "aws_instance" "ec2demo" {
30 | ami = "ami-04d29b6f966df1537" # Amazon Linux
31 | instance_type = var.instance_type
32 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.ec2demo
File: /02-Terraform-Basics/02-03-Terraform-Language-Syntax/terraform-manifests/top-level-blocks-samples.tf:29-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
29 | resource "aws_instance" "ec2demo" {
30 | ami = "ami-04d29b6f966df1537" # Amazon Linux
31 | instance_type = var.instance_type
32 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.ec2demo
File: /02-Terraform-Basics/02-03-Terraform-Language-Syntax/terraform-manifests/top-level-blocks-samples.tf:29-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
29 | resource "aws_instance" "ec2demo" {
30 | ami = "ami-04d29b6f966df1537" # Amazon Linux
31 | instance_type = var.instance_type
32 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.myec2vm
File: /03-Terraform-Settings-Providers-Resources/terraform-manifests/c2-ec2instance.tf:2-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
2 | resource "aws_instance" "myec2vm" {
3 | ami = "ami-0742b4e673072066f"
4 | instance_type = "t3.micro"
5 | user_data = file("${path.module}/app1-install.sh")
6 | tags = {
7 | "Name" = "EC2 Demo"
8 | }
9 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.myec2vm
File: /03-Terraform-Settings-Providers-Resources/terraform-manifests/c2-ec2instance.tf:2-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
2 | resource "aws_instance" "myec2vm" {
3 | ami = "ami-0742b4e673072066f"
4 | instance_type = "t3.micro"
5 | user_data = file("${path.module}/app1-install.sh")
6 | tags = {
7 | "Name" = "EC2 Demo"
8 | }
9 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.myec2vm
File: /03-Terraform-Settings-Providers-Resources/terraform-manifests/c2-ec2instance.tf:2-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
2 | resource "aws_instance" "myec2vm" {
3 | ami = "ami-0742b4e673072066f"
4 | instance_type = "t3.micro"
5 | user_data = file("${path.module}/app1-install.sh")
6 | tags = {
7 | "Name" = "EC2 Demo"
8 | }
9 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.myec2vm
File: /03-Terraform-Settings-Providers-Resources/terraform-manifests/c2-ec2instance.tf:2-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
2 | resource "aws_instance" "myec2vm" {
3 | ami = "ami-0742b4e673072066f"
4 | instance_type = "t3.micro"
5 | user_data = file("${path.module}/app1-install.sh")
6 | tags = {
7 | "Name" = "EC2 Demo"
8 | }
9 | }
Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
FAILED for resource: aws_security_group.vpc-ssh
File: /04-Terraform-Variables-and-Datasources/terraform-manifests/c3-ec2securitygroups.tf:2-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-1-port-security.html
2 | resource "aws_security_group" "vpc-ssh" {
3 | name = "vpc-ssh"
4 | description = "Dev VPC SSH"
5 | ingress {
6 | description = "Allow Port 22"
7 | from_port = 22
8 | to_port = 22
9 | protocol = "tcp"
10 | cidr_blocks = ["0.0.0.0/0"]
11 | }
12 |
13 | egress {
14 | description = "Allow all ip and ports outbound"
15 | from_port = 0
16 | to_port = 0
17 | protocol = "-1"
18 | cidr_blocks = ["0.0.0.0/0"]
19 | }
20 |
21 | tags = {
22 | Name = "vpc-ssh"
23 | }
24 | }
Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
FAILED for resource: aws_security_group.vpc-web
File: /04-Terraform-Variables-and-Datasources/terraform-manifests/c3-ec2securitygroups.tf:27-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
27 | resource "aws_security_group" "vpc-web" {
28 | name = "vpc-web"
29 | description = "Dev VPC Web"
30 | ingress {
31 | description = "Allow Port 80"
32 | from_port = 80
33 | to_port = 80
34 | protocol = "tcp"
35 | cidr_blocks = ["0.0.0.0/0"]
36 | }
37 | ingress {
38 | description = "Allow Port 443"
39 | from_port = 443
40 | to_port = 443
41 | protocol = "tcp"
42 | cidr_blocks = ["0.0.0.0/0"]
43 | }
44 | egress {
45 | description = "Allow all ip and ports outbound"
46 | from_port = 0
47 | to_port = 0
48 | protocol = "-1"
49 | cidr_blocks = ["0.0.0.0/0"]
50 | }
51 |
52 | tags = {
53 | Name = "vpc-web"
54 | }
55 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.myec2vm
File: /04-Terraform-Variables-and-Datasources/terraform-manifests/c5-ec2instance.tf:2-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
2 | resource "aws_instance" "myec2vm" {
3 | ami = data.aws_ami.amzlinux2.id
4 | instance_type = var.instance_type
5 | user_data = file("${path.module}/app1-install.sh")
6 | key_name = var.instance_keypair
7 | vpc_security_group_ids = [ aws_security_group.vpc-ssh.id, aws_security_group.vpc-web.id ]
8 | tags = {
9 | "Name" = "EC2 Demo 2"
10 | }
11 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.myec2vm
File: /04-Terraform-Variables-and-Datasources/terraform-manifests/c5-ec2instance.tf:2-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
2 | resource "aws_instance" "myec2vm" {
3 | ami = data.aws_ami.amzlinux2.id
4 | instance_type = var.instance_type
5 | user_data = file("${path.module}/app1-install.sh")
6 | key_name = var.instance_keypair
7 | vpc_security_group_ids = [ aws_security_group.vpc-ssh.id, aws_security_group.vpc-web.id ]
8 | tags = {
9 | "Name" = "EC2 Demo 2"
10 | }
11 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.myec2vm
File: /04-Terraform-Variables-and-Datasources/terraform-manifests/c5-ec2instance.tf:2-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
2 | resource "aws_instance" "myec2vm" {
3 | ami = data.aws_ami.amzlinux2.id
4 | instance_type = var.instance_type
5 | user_data = file("${path.module}/app1-install.sh")
6 | key_name = var.instance_keypair
7 | vpc_security_group_ids = [ aws_security_group.vpc-ssh.id, aws_security_group.vpc-web.id ]
8 | tags = {
9 | "Name" = "EC2 Demo 2"
10 | }
11 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.myec2vm
File: /04-Terraform-Variables-and-Datasources/terraform-manifests/c5-ec2instance.tf:2-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
2 | resource "aws_instance" "myec2vm" {
3 | ami = data.aws_ami.amzlinux2.id
4 | instance_type = var.instance_type
5 | user_data = file("${path.module}/app1-install.sh")
6 | key_name = var.instance_keypair
7 | vpc_security_group_ids = [ aws_security_group.vpc-ssh.id, aws_security_group.vpc-web.id ]
8 | tags = {
9 | "Name" = "EC2 Demo 2"
10 | }
11 | }
Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
FAILED for resource: aws_security_group.vpc-ssh
File: /05-Terraform-Loops-MetaArguments-SplatOperator/05-01-MetaArgument-Count-For-Loops-Lists-Maps/terraform-manifests/c3-ec2securitygroups.tf:2-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-1-port-security.html
2 | resource "aws_security_group" "vpc-ssh" {
3 | name = "vpc-ssh"
4 | description = "Dev VPC SSH"
5 | ingress {
6 | description = "Allow Port 22"
7 | from_port = 22
8 | to_port = 22
9 | protocol = "tcp"
10 | cidr_blocks = ["0.0.0.0/0"]
11 | }
12 |
13 | egress {
14 | description = "Allow all ip and ports outbound"
15 | from_port = 0
16 | to_port = 0
17 | protocol = "-1"
18 | cidr_blocks = ["0.0.0.0/0"]
19 | }
20 |
21 | tags = {
22 | Name = "vpc-ssh"
23 | }
24 | }
Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
FAILED for resource: aws_security_group.vpc-web
File: /05-Terraform-Loops-MetaArguments-SplatOperator/05-01-MetaArgument-Count-For-Loops-Lists-Maps/terraform-manifests/c3-ec2securitygroups.tf:27-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
27 | resource "aws_security_group" "vpc-web" {
28 | name = "vpc-web"
29 | description = "Dev VPC Web"
30 | ingress {
31 | description = "Allow Port 80"
32 | from_port = 80
33 | to_port = 80
34 | protocol = "tcp"
35 | cidr_blocks = ["0.0.0.0/0"]
36 | }
37 | ingress {
38 | description = "Allow Port 443"
39 | from_port = 443
40 | to_port = 443
41 | protocol = "tcp"
42 | cidr_blocks = ["0.0.0.0/0"]
43 | }
44 | egress {
45 | description = "Allow all ip and ports outbound"
46 | from_port = 0
47 | to_port = 0
48 | protocol = "-1"
49 | cidr_blocks = ["0.0.0.0/0"]
50 | }
51 |
52 | tags = {
53 | Name = "vpc-web"
54 | }
55 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.myec2vm[0]
File: /05-Terraform-Loops-MetaArguments-SplatOperator/05-01-MetaArgument-Count-For-Loops-Lists-Maps/terraform-manifests/c5-ec2instance.tf:2-14
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
2 | resource "aws_instance" "myec2vm" {
3 | ami = data.aws_ami.amzlinux2.id
4 | instance_type = var.instance_type
5 | #instance_type = var.instance_type_list[1] # For List
6 | #nstance_type = var.instance_type_map["prod"] # For Map
7 | user_data = file("${path.module}/app1-install.sh")
8 | key_name = var.instance_keypair
9 | vpc_security_group_ids = [ aws_security_group.vpc-ssh.id, aws_security_group.vpc-web.id ]
10 | count = 2
11 | tags = {
12 | "Name" = "Count-Demo-${count.index}"
13 | }
14 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.myec2vm[0]
File: /05-Terraform-Loops-MetaArguments-SplatOperator/05-01-MetaArgument-Count-For-Loops-Lists-Maps/terraform-manifests/c5-ec2instance.tf:2-14
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
2 | resource "aws_instance" "myec2vm" {
3 | ami = data.aws_ami.amzlinux2.id
4 | instance_type = var.instance_type
5 | #instance_type = var.instance_type_list[1] # For List
6 | #nstance_type = var.instance_type_map["prod"] # For Map
7 | user_data = file("${path.module}/app1-install.sh")
8 | key_name = var.instance_keypair
9 | vpc_security_group_ids = [ aws_security_group.vpc-ssh.id, aws_security_group.vpc-web.id ]
10 | count = 2
11 | tags = {
12 | "Name" = "Count-Demo-${count.index}"
13 | }
14 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.myec2vm[0]
File: /05-Terraform-Loops-MetaArguments-SplatOperator/05-01-MetaArgument-Count-For-Loops-Lists-Maps/terraform-manifests/c5-ec2instance.tf:2-14
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
2 | resource "aws_instance" "myec2vm" {
3 | ami = data.aws_ami.amzlinux2.id
4 | instance_type = var.instance_type
5 | #instance_type = var.instance_type_list[1] # For List
6 | #nstance_type = var.instance_type_map["prod"] # For Map
7 | user_data = file("${path.module}/app1-install.sh")
8 | key_name = var.instance_keypair
9 | vpc_security_group_ids = [ aws_security_group.vpc-ssh.id, aws_security_group.vpc-web.id ]
10 | count = 2
11 | tags = {
12 | "Name" = "Count-Demo-${count.index}"
13 | }
14 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.myec2vm[0]
File: /05-Terraform-Loops-MetaArguments-SplatOperator/05-01-MetaArgument-Count-For-Loops-Lists-Maps/terraform-manifests/c5-ec2instance.tf:2-14
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
2 | resource "aws_instance" "myec2vm" {
3 | ami = data.aws_ami.amzlinux2.id
4 | instance_type = var.instance_type
5 | #instance_type = var.instance_type_list[1] # For List
6 | #nstance_type = var.instance_type_map["prod"] # For Map
7 | user_data = file("${path.module}/app1-install.sh")
8 | key_name = var.instance_keypair
9 | vpc_security_group_ids = [ aws_security_group.vpc-ssh.id, aws_security_group.vpc-web.id ]
10 | count = 2
11 | tags = {
12 | "Name" = "Count-Demo-${count.index}"
13 | }
14 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.myec2vm[1]
File: /05-Terraform-Loops-MetaArguments-SplatOperator/05-01-MetaArgument-Count-For-Loops-Lists-Maps/terraform-manifests/c5-ec2instance.tf:2-14
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
2 | resource "aws_instance" "myec2vm" {
3 | ami = data.aws_ami.amzlinux2.id
4 | instance_type = var.instance_type
5 | #instance_type = var.instance_type_list[1] # For List
6 | #nstance_type = var.instance_type_map["prod"] # For Map
7 | user_data = file("${path.module}/app1-install.sh")
8 | key_name = var.instance_keypair
9 | vpc_security_group_ids = [ aws_security_group.vpc-ssh.id, aws_security_group.vpc-web.id ]
10 | count = 2
11 | tags = {
12 | "Name" = "Count-Demo-${count.index}"
13 | }
14 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.myec2vm[1]
File: /05-Terraform-Loops-MetaArguments-SplatOperator/05-01-MetaArgument-Count-For-Loops-Lists-Maps/terraform-manifests/c5-ec2instance.tf:2-14
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
2 | resource "aws_instance" "myec2vm" {
3 | ami = data.aws_ami.amzlinux2.id
4 | instance_type = var.instance_type
5 | #instance_type = var.instance_type_list[1] # For List
6 | #nstance_type = var.instance_type_map["prod"] # For Map
7 | user_data = file("${path.module}/app1-install.sh")
8 | key_name = var.instance_keypair
9 | vpc_security_group_ids = [ aws_security_group.vpc-ssh.id, aws_security_group.vpc-web.id ]
10 | count = 2
11 | tags = {
12 | "Name" = "Count-Demo-${count.index}"
13 | }
14 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.myec2vm[1]
File: /05-Terraform-Loops-MetaArguments-SplatOperator/05-01-MetaArgument-Count-For-Loops-Lists-Maps/terraform-manifests/c5-ec2instance.tf:2-14
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
2 | resource "aws_instance" "myec2vm" {
3 | ami = data.aws_ami.amzlinux2.id
4 | instance_type = var.instance_type
5 | #instance_type = var.instance_type_list[1] # For List
6 | #nstance_type = var.instance_type_map["prod"] # For Map
7 | user_data = file("${path.module}/app1-install.sh")
8 | key_name = var.instance_keypair
9 | vpc_security_group_ids = [ aws_security_group.vpc-ssh.id, aws_security_group.vpc-web.id ]
10 | count = 2
11 | tags = {
12 | "Name" = "Count-Demo-${count.index}"
13 | }
14 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.myec2vm[1]
File: /05-Terraform-Loops-MetaArguments-SplatOperator/05-01-MetaArgument-Count-For-Loops-Lists-Maps/terraform-manifests/c5-ec2instance.tf:2-14
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
2 | resource "aws_instance" "myec2vm" {
3 | ami = data.aws_ami.amzlinux2.id
4 | instance_type = var.instance_type
5 | #instance_type = var.instance_type_list[1] # For List
6 | #nstance_type = var.instance_type_map["prod"] # For Map
7 | user_data = file("${path.module}/app1-install.sh")
8 | key_name = var.instance_keypair
9 | vpc_security_group_ids = [ aws_security_group.vpc-ssh.id, aws_security_group.vpc-web.id ]
10 | count = 2
11 | tags = {
12 | "Name" = "Count-Demo-${count.index}"
13 | }
14 | }
Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
FAILED for resource: aws_security_group.vpc-ssh
File: /05-Terraform-Loops-MetaArguments-SplatOperator/05-02-MetaArgument-for_each/terraform-manifests/c3-ec2securitygroups.tf:2-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-1-port-security.html
2 | resource "aws_security_group" "vpc-ssh" {
3 | name = "vpc-ssh"
4 | description = "Dev VPC SSH"
5 | ingress {
6 | description = "Allow Port 22"
7 | from_port = 22
8 | to_port = 22
9 | protocol = "tcp"
10 | cidr_blocks = ["0.0.0.0/0"]
11 | }
12 |
13 | egress {
14 | description = "Allow all ip and ports outbound"
15 | from_port = 0
16 | to_port = 0
17 | protocol = "-1"
18 | cidr_blocks = ["0.0.0.0/0"]
19 | }
20 |
21 | tags = {
22 | Name = "vpc-ssh"
23 | }
24 | }
Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
FAILED for resource: aws_security_group.vpc-web
File: /05-Terraform-Loops-MetaArguments-SplatOperator/05-02-MetaArgument-for_each/terraform-manifests/c3-ec2securitygroups.tf:27-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
27 | resource "aws_security_group" "vpc-web" {
28 | name = "vpc-web"
29 | description = "Dev VPC Web"
30 | ingress {
31 | description = "Allow Port 80"
32 | from_port = 80
33 | to_port = 80
34 | protocol = "tcp"
35 | cidr_blocks = ["0.0.0.0/0"]
36 | }
37 | ingress {
38 | description = "Allow Port 443"
39 | from_port = 443
40 | to_port = 443
41 | protocol = "tcp"
42 | cidr_blocks = ["0.0.0.0/0"]
43 | }
44 | egress {
45 | description = "Allow all ip and ports outbound"
46 | from_port = 0
47 | to_port = 0
48 | protocol = "-1"
49 | cidr_blocks = ["0.0.0.0/0"]
50 | }
51 |
52 | tags = {
53 | Name = "vpc-web"
54 | }
55 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.myec2vm
File: /05-Terraform-Loops-MetaArguments-SplatOperator/05-02-MetaArgument-for_each/terraform-manifests/c5-ec2instance.tf:11-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
11 | resource "aws_instance" "myec2vm" {
12 | ami = data.aws_ami.amzlinux2.id
13 | instance_type = var.instance_type
14 | user_data = file("${path.module}/app1-install.sh")
15 | key_name = var.instance_keypair
16 | vpc_security_group_ids = [ aws_security_group.vpc-ssh.id, aws_security_group.vpc-web.id ]
17 | # Create EC2 Instance in all Availabilty Zones of a VPC
18 | for_each = toset(data.aws_availability_zones.my_azones.names)
19 | availability_zone = each.key # You can also use each.value because for list items each.key == each.value
20 | tags = {
21 | "Name" = "for_each-Demo-${each.value}"
22 | }
23 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.myec2vm
File: /05-Terraform-Loops-MetaArguments-SplatOperator/05-02-MetaArgument-for_each/terraform-manifests/c5-ec2instance.tf:11-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
11 | resource "aws_instance" "myec2vm" {
12 | ami = data.aws_ami.amzlinux2.id
13 | instance_type = var.instance_type
14 | user_data = file("${path.module}/app1-install.sh")
15 | key_name = var.instance_keypair
16 | vpc_security_group_ids = [ aws_security_group.vpc-ssh.id, aws_security_group.vpc-web.id ]
17 | # Create EC2 Instance in all Availabilty Zones of a VPC
18 | for_each = toset(data.aws_availability_zones.my_azones.names)
19 | availability_zone = each.key # You can also use each.value because for list items each.key == each.value
20 | tags = {
21 | "Name" = "for_each-Demo-${each.value}"
22 | }
23 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.myec2vm
File: /05-Terraform-Loops-MetaArguments-SplatOperator/05-02-MetaArgument-for_each/terraform-manifests/c5-ec2instance.tf:11-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
11 | resource "aws_instance" "myec2vm" {
12 | ami = data.aws_ami.amzlinux2.id
13 | instance_type = var.instance_type
14 | user_data = file("${path.module}/app1-install.sh")
15 | key_name = var.instance_keypair
16 | vpc_security_group_ids = [ aws_security_group.vpc-ssh.id, aws_security_group.vpc-web.id ]
17 | # Create EC2 Instance in all Availabilty Zones of a VPC
18 | for_each = toset(data.aws_availability_zones.my_azones.names)
19 | availability_zone = each.key # You can also use each.value because for list items each.key == each.value
20 | tags = {
21 | "Name" = "for_each-Demo-${each.value}"
22 | }
23 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.myec2vm
File: /05-Terraform-Loops-MetaArguments-SplatOperator/05-02-MetaArgument-for_each/terraform-manifests/c5-ec2instance.tf:11-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
11 | resource "aws_instance" "myec2vm" {
12 | ami = data.aws_ami.amzlinux2.id
13 | instance_type = var.instance_type
14 | user_data = file("${path.module}/app1-install.sh")
15 | key_name = var.instance_keypair
16 | vpc_security_group_ids = [ aws_security_group.vpc-ssh.id, aws_security_group.vpc-web.id ]
17 | # Create EC2 Instance in all Availabilty Zones of a VPC
18 | for_each = toset(data.aws_availability_zones.my_azones.names)
19 | availability_zone = each.key # You can also use each.value because for list items each.key == each.value
20 | tags = {
21 | "Name" = "for_each-Demo-${each.value}"
22 | }
23 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.myec2vm
File: /05-Terraform-Loops-MetaArguments-SplatOperator/05-04-for_each-with-az-instancetype-check/terraform-manifests/backup/c5-ec2instance.tf:2-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
2 | resource "aws_instance" "myec2vm" {
3 | ami = data.aws_ami.amzlinux2.id
4 | instance_type = var.instance_type
5 | user_data = file("${path.module}/app1-install.sh")
6 | key_name = var.instance_keypair
7 | vpc_security_group_ids = [ aws_security_group.vpc-ssh.id, aws_security_group.vpc-web.id ]
8 | # Create EC2 Instance in all Availabilty Zones of a VPC
9 | #for_each = toset(data.aws_availability_zones.my_azones.names)
10 | for_each = toset(keys({ for az, details in data.aws_ec2_instance_type_offerings.my_ins_type :
11 | az => details.instance_types if length(details.instance_types) != 0 }))
12 | availability_zone = each.key # You can also use each.value because for list items each.key == each.value
13 | tags = {
14 | "Name" = "For-Each-Demo-${each.key}"
15 | }
16 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.myec2vm
File: /05-Terraform-Loops-MetaArguments-SplatOperator/05-04-for_each-with-az-instancetype-check/terraform-manifests/backup/c5-ec2instance.tf:2-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
2 | resource "aws_instance" "myec2vm" {
3 | ami = data.aws_ami.amzlinux2.id
4 | instance_type = var.instance_type
5 | user_data = file("${path.module}/app1-install.sh")
6 | key_name = var.instance_keypair
7 | vpc_security_group_ids = [ aws_security_group.vpc-ssh.id, aws_security_group.vpc-web.id ]
8 | # Create EC2 Instance in all Availabilty Zones of a VPC
9 | #for_each = toset(data.aws_availability_zones.my_azones.names)
10 | for_each = toset(keys({ for az, details in data.aws_ec2_instance_type_offerings.my_ins_type :
11 | az => details.instance_types if length(details.instance_types) != 0 }))
12 | availability_zone = each.key # You can also use each.value because for list items each.key == each.value
13 | tags = {
14 | "Name" = "For-Each-Demo-${each.key}"
15 | }
16 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.myec2vm
File: /05-Terraform-Loops-MetaArguments-SplatOperator/05-04-for_each-with-az-instancetype-check/terraform-manifests/backup/c5-ec2instance.tf:2-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
2 | resource "aws_instance" "myec2vm" {
3 | ami = data.aws_ami.amzlinux2.id
4 | instance_type = var.instance_type
5 | user_data = file("${path.module}/app1-install.sh")
6 | key_name = var.instance_keypair
7 | vpc_security_group_ids = [ aws_security_group.vpc-ssh.id, aws_security_group.vpc-web.id ]
8 | # Create EC2 Instance in all Availabilty Zones of a VPC
9 | #for_each = toset(data.aws_availability_zones.my_azones.names)
10 | for_each = toset(keys({ for az, details in data.aws_ec2_instance_type_offerings.my_ins_type :
11 | az => details.instance_types if length(details.instance_types) != 0 }))
12 | availability_zone = each.key # You can also use each.value because for list items each.key == each.value
13 | tags = {
14 | "Name" = "For-Each-Demo-${each.key}"
15 | }
16 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.myec2vm
File: /05-Terraform-Loops-MetaArguments-SplatOperator/05-04-for_each-with-az-instancetype-check/terraform-manifests/backup/c5-ec2instance.tf:2-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
2 | resource "aws_instance" "myec2vm" {
3 | ami = data.aws_ami.amzlinux2.id
4 | instance_type = var.instance_type
5 | user_data = file("${path.module}/app1-install.sh")
6 | key_name = var.instance_keypair
7 | vpc_security_group_ids = [ aws_security_group.vpc-ssh.id, aws_security_group.vpc-web.id ]
8 | # Create EC2 Instance in all Availabilty Zones of a VPC
9 | #for_each = toset(data.aws_availability_zones.my_azones.names)
10 | for_each = toset(keys({ for az, details in data.aws_ec2_instance_type_offerings.my_ins_type :
11 | az => details.instance_types if length(details.instance_types) != 0 }))
12 | availability_zone = each.key # You can also use each.value because for list items each.key == each.value
13 | tags = {
14 | "Name" = "For-Each-Demo-${each.key}"
15 | }
16 | }
Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
FAILED for resource: aws_security_group.vpc-ssh
File: /05-Terraform-Loops-MetaArguments-SplatOperator/05-04-for_each-with-az-instancetype-check/terraform-manifests/c3-ec2securitygroups.tf:2-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-1-port-security.html
2 | resource "aws_security_group" "vpc-ssh" {
3 | name = "vpc-ssh"
4 | description = "Dev VPC SSH"
5 | ingress {
6 | description = "Allow Port 22"
7 | from_port = 22
8 | to_port = 22
9 | protocol = "tcp"
10 | cidr_blocks = ["0.0.0.0/0"]
11 | }
12 |
13 | egress {
14 | description = "Allow all ip and ports outbound"
15 | from_port = 0
16 | to_port = 0
17 | protocol = "-1"
18 | cidr_blocks = ["0.0.0.0/0"]
19 | }
20 |
21 | tags = {
22 | Name = "vpc-ssh"
23 | }
24 | }
Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
FAILED for resource: aws_security_group.vpc-web
File: /05-Terraform-Loops-MetaArguments-SplatOperator/05-04-for_each-with-az-instancetype-check/terraform-manifests/c3-ec2securitygroups.tf:27-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
27 | resource "aws_security_group" "vpc-web" {
28 | name = "vpc-web"
29 | description = "Dev VPC Web"
30 | ingress {
31 | description = "Allow Port 80"
32 | from_port = 80
33 | to_port = 80
34 | protocol = "tcp"
35 | cidr_blocks = ["0.0.0.0/0"]
36 | }
37 | ingress {
38 | description = "Allow Port 443"
39 | from_port = 443
40 | to_port = 443
41 | protocol = "tcp"
42 | cidr_blocks = ["0.0.0.0/0"]
43 | }
44 | egress {
45 | description = "Allow all ip and ports outbound"
46 | from_port = 0
47 | to_port = 0
48 | protocol = "-1"
49 | cidr_blocks = ["0.0.0.0/0"]
50 | }
51 |
52 | tags = {
53 | Name = "vpc-web"
54 | }
55 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.myec2vm
File: /05-Terraform-Loops-MetaArguments-SplatOperator/05-04-for_each-with-az-instancetype-check/terraform-manifests/c5-ec2instance.tf:2-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
2 | resource "aws_instance" "myec2vm" {
3 | ami = data.aws_ami.amzlinux2.id
4 | instance_type = var.instance_type
5 | user_data = file("${path.module}/app1-install.sh")
6 | key_name = var.instance_keypair
7 | vpc_security_group_ids = [ aws_security_group.vpc-ssh.id, aws_security_group.vpc-web.id ]
8 | # Create EC2 Instance in all Availabilty Zones of a VPC
9 | #for_each = toset(data.aws_availability_zones.my_azones.names)
10 | for_each = toset(keys({for az, details in data.aws_ec2_instance_type_offerings.my_ins_type:
11 | az => details.instance_types if length(details.instance_types) != 0 }))
12 | availability_zone = each.key # You can also use each.value because for list items each.key == each.value
13 | tags = {
14 | "Name" = "For-Each-Demo-${each.key}"
15 | }
16 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.myec2vm
File: /05-Terraform-Loops-MetaArguments-SplatOperator/05-04-for_each-with-az-instancetype-check/terraform-manifests/c5-ec2instance.tf:2-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
2 | resource "aws_instance" "myec2vm" {
3 | ami = data.aws_ami.amzlinux2.id
4 | instance_type = var.instance_type
5 | user_data = file("${path.module}/app1-install.sh")
6 | key_name = var.instance_keypair
7 | vpc_security_group_ids = [ aws_security_group.vpc-ssh.id, aws_security_group.vpc-web.id ]
8 | # Create EC2 Instance in all Availabilty Zones of a VPC
9 | #for_each = toset(data.aws_availability_zones.my_azones.names)
10 | for_each = toset(keys({for az, details in data.aws_ec2_instance_type_offerings.my_ins_type:
11 | az => details.instance_types if length(details.instance_types) != 0 }))
12 | availability_zone = each.key # You can also use each.value because for list items each.key == each.value
13 | tags = {
14 | "Name" = "For-Each-Demo-${each.key}"
15 | }
16 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.myec2vm
File: /05-Terraform-Loops-MetaArguments-SplatOperator/05-04-for_each-with-az-instancetype-check/terraform-manifests/c5-ec2instance.tf:2-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
2 | resource "aws_instance" "myec2vm" {
3 | ami = data.aws_ami.amzlinux2.id
4 | instance_type = var.instance_type
5 | user_data = file("${path.module}/app1-install.sh")
6 | key_name = var.instance_keypair
7 | vpc_security_group_ids = [ aws_security_group.vpc-ssh.id, aws_security_group.vpc-web.id ]
8 | # Create EC2 Instance in all Availabilty Zones of a VPC
9 | #for_each = toset(data.aws_availability_zones.my_azones.names)
10 | for_each = toset(keys({for az, details in data.aws_ec2_instance_type_offerings.my_ins_type:
11 | az => details.instance_types if length(details.instance_types) != 0 }))
12 | availability_zone = each.key # You can also use each.value because for list items each.key == each.value
13 | tags = {
14 | "Name" = "For-Each-Demo-${each.key}"
15 | }
16 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.myec2vm
File: /05-Terraform-Loops-MetaArguments-SplatOperator/05-04-for_each-with-az-instancetype-check/terraform-manifests/c5-ec2instance.tf:2-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
2 | resource "aws_instance" "myec2vm" {
3 | ami = data.aws_ami.amzlinux2.id
4 | instance_type = var.instance_type
5 | user_data = file("${path.module}/app1-install.sh")
6 | key_name = var.instance_keypair
7 | vpc_security_group_ids = [ aws_security_group.vpc-ssh.id, aws_security_group.vpc-web.id ]
8 | # Create EC2 Instance in all Availabilty Zones of a VPC
9 | #for_each = toset(data.aws_availability_zones.my_azones.names)
10 | for_each = toset(keys({for az, details in data.aws_ec2_instance_type_offerings.my_ins_type:
11 | az => details.instance_types if length(details.instance_types) != 0 }))
12 | availability_zone = each.key # You can also use each.value because for list items each.key == each.value
13 | tags = {
14 | "Name" = "For-Each-Demo-${each.key}"
15 | }
16 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
FAILED for resource: aws_sns_topic.myasg_sns_topic
File: /10-ALB-Path-Based-Routing/terraform-manifests/14-ALB-Autoscaling-with-Launch-Configuration/terraform-manifests/c13-autoscaling-launchconfiguration.tf:102-104
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-15.html
102 | resource "aws_sns_topic" "myasg_sns_topic" {
103 | name = "myasg-sns-topic"
104 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
FAILED for resource: aws_sns_topic.myasg_sns_topic
File: /14-Autoscaling-with-Launch-Configuration/terraform-manifests/c13-05-autoscaling-notifications.tf:6-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-15.html
6 | resource "aws_sns_topic" "myasg_sns_topic" {
7 | name = "myasg-sns-topic-${random_pet.this.id}"
8 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_launch_template.my_launch_template
File: /15-Autoscaling-with-Launch-Templates/terraform-manifests/c13-02-autoscaling-launchtemplate-resource.tf:2-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
2 | resource "aws_launch_template" "my_launch_template" {
3 | name = "my-launch-template"
4 | description = "My Launch template"
5 | image_id = data.aws_ami.amzlinux2.id
6 | instance_type = var.instance_type
7 |
8 | vpc_security_group_ids = [ module.private_sg.security_group_id ]
9 | key_name = var.instance_keypair
10 | user_data = filebase64("${path.module}/app1-install.sh")
11 | ebs_optimized = true
12 | #default_version = 1
13 | update_default_version = true
14 | block_device_mappings {
15 | device_name = "/dev/sda1"
16 | ebs {
17 | #volume_size = 10
18 | volume_size = 20 # LT Update Testing - Version 2 of LT
19 | delete_on_termination = true
20 | volume_type = "gp2" # default is gp2
21 | }
22 | }
23 | monitoring {
24 | enabled = true
25 | }
26 | tag_specifications {
27 | resource_type = "instance"
28 | tags = {
29 | Name = "myasg"
30 | }
31 | }
32 |
33 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
FAILED for resource: aws_sns_topic.myasg_sns_topic
File: /15-Autoscaling-with-Launch-Templates/terraform-manifests/c13-05-autoscaling-notifications.tf:6-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-15.html
6 | resource "aws_sns_topic" "myasg_sns_topic" {
7 | name = "myasg-sns-topic-${random_pet.this.id}"
8 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_launch_template.my_launch_template
File: /16-AWS-NLB-Network-Load-Balancer/terraform-manifests/c13-02-autoscaling-launchtemplate-resource.tf:2-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
2 | resource "aws_launch_template" "my_launch_template" {
3 | name = "my-launch-template"
4 | description = "My Launch Template"
5 | image_id = data.aws_ami.amzlinux2.id
6 | instance_type = var.instance_type
7 |
8 | vpc_security_group_ids = [module.private_sg.security_group_id]
9 | key_name = var.instance_keypair
10 | user_data = filebase64("${path.module}/app1-install.sh")
11 | ebs_optimized = true
12 | #default_version = 1
13 | update_default_version = true
14 | block_device_mappings {
15 | device_name = "/dev/sda1"
16 | ebs {
17 | volume_size = 10
18 | #volume_size = 20 # LT Update Testing - Version 2 of LT
19 | delete_on_termination = true
20 | volume_type = "gp2" # default is gp2
21 | }
22 | }
23 | monitoring {
24 | enabled = true
25 | }
26 |
27 | tag_specifications {
28 | resource_type = "instance"
29 | tags = {
30 | Name = "myasg"
31 | }
32 | }
33 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
FAILED for resource: aws_sns_topic.myasg_sns_topic
File: /16-AWS-NLB-Network-Load-Balancer/terraform-manifests/c13-05-autoscaling-notifications.tf:6-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-15.html
6 | resource "aws_sns_topic" "myasg_sns_topic" {
7 | name = "myasg-sns-topic-${random_pet.this.id}"
8 | }
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy.cw_canary_iam_policy
File: /17-AWS-CloudWatch/cw-synthetics-manifests-v2/c14-05-cloudwatch-synthetics.tf:2-39
2 | resource "aws_iam_policy" "cw_canary_iam_policy" {
3 | name = "cw-canary-iam-policy"
4 | path = "/"
5 | description = "CloudWatch Canary Synthetic IAM Policy"
6 |
7 | # Terraform's "jsonencode" function converts a
8 | # Terraform expression result to valid JSON syntax.
9 | policy = jsonencode({
10 | "Version": "2012-10-17",
11 | "Statement": [
12 | {
13 | "Sid": "VisualEditor0",
14 | "Effect": "Allow",
15 | "Action": "cloudwatch:PutMetricData",
16 | "Resource": "*",
17 | "Condition": {
18 | "StringEquals": {
19 | "cloudwatch:namespace": "CloudWatchSynthetics"
20 | }
21 | }
22 | },
23 | {
24 | "Sid": "VisualEditor1",
25 | "Effect": "Allow",
26 | "Action": [
27 | "s3:PutObject",
28 | "logs:CreateLogStream",
29 | "s3:ListAllMyBuckets",
30 | "logs:CreateLogGroup",
31 | "logs:PutLogEvents",
32 | "s3:GetBucketLocation",
33 | "xray:PutTraceSegments"
34 | ],
35 | "Resource": "*"
36 | }
37 | ]
38 | })
39 | }
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_policy.cw_canary_iam_policy
File: /17-AWS-CloudWatch/cw-synthetics-manifests-v2/c14-05-cloudwatch-synthetics.tf:2-39
2 | resource "aws_iam_policy" "cw_canary_iam_policy" {
3 | name = "cw-canary-iam-policy"
4 | path = "/"
5 | description = "CloudWatch Canary Synthetic IAM Policy"
6 |
7 | # Terraform's "jsonencode" function converts a
8 | # Terraform expression result to valid JSON syntax.
9 | policy = jsonencode({
10 | "Version": "2012-10-17",
11 | "Statement": [
12 | {
13 | "Sid": "VisualEditor0",
14 | "Effect": "Allow",
15 | "Action": "cloudwatch:PutMetricData",
16 | "Resource": "*",
17 | "Condition": {
18 | "StringEquals": {
19 | "cloudwatch:namespace": "CloudWatchSynthetics"
20 | }
21 | }
22 | },
23 | {
24 | "Sid": "VisualEditor1",
25 | "Effect": "Allow",
26 | "Action": [
27 | "s3:PutObject",
28 | "logs:CreateLogStream",
29 | "s3:ListAllMyBuckets",
30 | "logs:CreateLogGroup",
31 | "logs:PutLogEvents",
32 | "s3:GetBucketLocation",
33 | "xray:PutTraceSegments"
34 | ],
35 | "Resource": "*"
36 | }
37 | ]
38 | })
39 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_launch_template.my_launch_template
File: /17-AWS-CloudWatch/terraform-manifests/c13-02-autoscaling-launchtemplate-resource.tf:2-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
2 | resource "aws_launch_template" "my_launch_template" {
3 | name = "my-launch-template"
4 | description = "My Launch Template"
5 | image_id = data.aws_ami.amzlinux2.id
6 | instance_type = var.instance_type
7 |
8 | vpc_security_group_ids = [module.private_sg.security_group_id]
9 | key_name = var.instance_keypair
10 | user_data = filebase64("${path.module}/app1-install.sh")
11 | ebs_optimized = true
12 | #default_version = 1
13 | update_default_version = true
14 | block_device_mappings {
15 | device_name = "/dev/sda1"
16 | ebs {
17 | volume_size = 10
18 | #volume_size = 20 # LT Update Testing - Version 2 of LT
19 | delete_on_termination = true
20 | volume_type = "gp2" # default is gp2
21 | }
22 | }
23 | monitoring {
24 | enabled = true
25 | }
26 |
27 | tag_specifications {
28 | resource_type = "instance"
29 | tags = {
30 | Name = "myasg"
31 | }
32 | }
33 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
FAILED for resource: aws_sns_topic.myasg_sns_topic
File: /17-AWS-CloudWatch/terraform-manifests/c13-05-autoscaling-notifications.tf:6-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-15.html
6 | resource "aws_sns_topic" "myasg_sns_topic" {
7 | name = "myasg-sns-topic-${random_pet.this.id}"
8 | }
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: aws_cloudwatch_log_group.cis_log_group
File: /17-AWS-CloudWatch/terraform-manifests/c14-04-cloudwatch-cis-alarms.tf:2-4
2 | resource "aws_cloudwatch_log_group" "cis_log_group" {
3 | name = "cis-log-group-${random_pet.this.id}"
4 | }
Check: CKV_AWS_66: "Ensure that CloudWatch Log Group specifies retention days"
FAILED for resource: aws_cloudwatch_log_group.cis_log_group
File: /17-AWS-CloudWatch/terraform-manifests/c14-04-cloudwatch-cis-alarms.tf:2-4
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-13.html
2 | resource "aws_cloudwatch_log_group" "cis_log_group" {
3 | name = "cis-log-group-${random_pet.this.id}"
4 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
FAILED for resource: aws_cloudwatch_log_group.cis_log_group
File: /17-AWS-CloudWatch/terraform-manifests/c14-04-cloudwatch-cis-alarms.tf:2-4
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html
2 | resource "aws_cloudwatch_log_group" "cis_log_group" {
3 | name = "cis-log-group-${random_pet.this.id}"
4 | }
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy.cw_canary_iam_policy
File: /17-AWS-CloudWatch/terraform-manifests/c14-05-cloudwatch-synthetics.tf:2-39
2 | resource "aws_iam_policy" "cw_canary_iam_policy" {
3 | name = "cw-canary-iam-policy"
4 | path = "/"
5 | description = "CloudWatch Canary Synthetic IAM Policy"
6 |
7 | # Terraform's "jsonencode" function converts a
8 | # Terraform expression result to valid JSON syntax.
9 | policy = jsonencode({
10 | "Version": "2012-10-17",
11 | "Statement": [
12 | {
13 | "Sid": "VisualEditor0",
14 | "Effect": "Allow",
15 | "Action": "cloudwatch:PutMetricData",
16 | "Resource": "*",
17 | "Condition": {
18 | "StringEquals": {
19 | "cloudwatch:namespace": "CloudWatchSynthetics"
20 | }
21 | }
22 | },
23 | {
24 | "Sid": "VisualEditor1",
25 | "Effect": "Allow",
26 | "Action": [
27 | "s3:PutObject",
28 | "logs:CreateLogStream",
29 | "s3:ListAllMyBuckets",
30 | "logs:CreateLogGroup",
31 | "logs:PutLogEvents",
32 | "s3:GetBucketLocation",
33 | "xray:PutTraceSegments"
34 | ],
35 | "Resource": "*"
36 | }
37 | ]
38 | })
39 | }
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_policy.cw_canary_iam_policy
File: /17-AWS-CloudWatch/terraform-manifests/c14-05-cloudwatch-synthetics.tf:2-39
2 | resource "aws_iam_policy" "cw_canary_iam_policy" {
3 | name = "cw-canary-iam-policy"
4 | path = "/"
5 | description = "CloudWatch Canary Synthetic IAM Policy"
6 |
7 | # Terraform's "jsonencode" function converts a
8 | # Terraform expression result to valid JSON syntax.
9 | policy = jsonencode({
10 | "Version": "2012-10-17",
11 | "Statement": [
12 | {
13 | "Sid": "VisualEditor0",
14 | "Effect": "Allow",
15 | "Action": "cloudwatch:PutMetricData",
16 | "Resource": "*",
17 | "Condition": {
18 | "StringEquals": {
19 | "cloudwatch:namespace": "CloudWatchSynthetics"
20 | }
21 | }
22 | },
23 | {
24 | "Sid": "VisualEditor1",
25 | "Effect": "Allow",
26 | "Action": [
27 | "s3:PutObject",
28 | "logs:CreateLogStream",
29 | "s3:ListAllMyBuckets",
30 | "logs:CreateLogGroup",
31 | "logs:PutLogEvents",
32 | "s3:GetBucketLocation",
33 | "xray:PutTraceSegments"
34 | ],
35 | "Resource": "*"
36 | }
37 | ]
38 | })
39 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: module.vpc.aws_subnet.public[0]
File: /18-Develop-Terraform-Modules-Locally/backup-terraform-manifests/modules/aws-vpc/main.tf:371-394
Calling File: /18-Develop-Terraform-Modules-Locally/backup-terraform-manifests/c4-02-vpc-module.tf:2-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
371 | resource "aws_subnet" "public" {
372 | count = var.create_vpc && length(var.public_subnets) > 0 && (false == var.one_nat_gateway_per_az || length(var.public_subnets) >= length(var.azs)) ? length(var.public_subnets) : 0
373 |
374 | vpc_id = local.vpc_id
375 | cidr_block = element(concat(var.public_subnets, [""]), count.index)
376 | availability_zone = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) > 0 ? element(var.azs, count.index) : null
377 | availability_zone_id = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) == 0 ? element(var.azs, count.index) : null
378 | map_public_ip_on_launch = var.map_public_ip_on_launch
379 | assign_ipv6_address_on_creation = var.public_subnet_assign_ipv6_address_on_creation == null ? var.assign_ipv6_address_on_creation : var.public_subnet_assign_ipv6_address_on_creation
380 |
381 | ipv6_cidr_block = var.enable_ipv6 && length(var.public_subnet_ipv6_prefixes) > 0 ? cidrsubnet(aws_vpc.this[0].ipv6_cidr_block, 8, var.public_subnet_ipv6_prefixes[count.index]) : null
382 |
383 | tags = merge(
384 | {
385 | "Name" = format(
386 | "%s-${var.public_subnet_suffix}-%s",
387 | var.name,
388 | element(var.azs, count.index),
389 | )
390 | },
391 | var.tags,
392 | var.public_subnet_tags,
393 | )
394 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: module.vpc.aws_subnet.public[1]
File: /18-Develop-Terraform-Modules-Locally/backup-terraform-manifests/modules/aws-vpc/main.tf:371-394
Calling File: /18-Develop-Terraform-Modules-Locally/backup-terraform-manifests/c4-02-vpc-module.tf:2-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
371 | resource "aws_subnet" "public" {
372 | count = var.create_vpc && length(var.public_subnets) > 0 && (false == var.one_nat_gateway_per_az || length(var.public_subnets) >= length(var.azs)) ? length(var.public_subnets) : 0
373 |
374 | vpc_id = local.vpc_id
375 | cidr_block = element(concat(var.public_subnets, [""]), count.index)
376 | availability_zone = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) > 0 ? element(var.azs, count.index) : null
377 | availability_zone_id = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) == 0 ? element(var.azs, count.index) : null
378 | map_public_ip_on_launch = var.map_public_ip_on_launch
379 | assign_ipv6_address_on_creation = var.public_subnet_assign_ipv6_address_on_creation == null ? var.assign_ipv6_address_on_creation : var.public_subnet_assign_ipv6_address_on_creation
380 |
381 | ipv6_cidr_block = var.enable_ipv6 && length(var.public_subnet_ipv6_prefixes) > 0 ? cidrsubnet(aws_vpc.this[0].ipv6_cidr_block, 8, var.public_subnet_ipv6_prefixes[count.index]) : null
382 |
383 | tags = merge(
384 | {
385 | "Name" = format(
386 | "%s-${var.public_subnet_suffix}-%s",
387 | var.name,
388 | element(var.azs, count.index),
389 | )
390 | },
391 | var.tags,
392 | var.public_subnet_tags,
393 | )
394 | }
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: module.vpc.aws_iam_policy_document.vpc_flow_log_cloudwatch
File: /18-Develop-Terraform-Modules-Locally/backup-terraform-manifests/modules/aws-vpc/vpc-flow-logs.tf:83-100
Calling File: /18-Develop-Terraform-Modules-Locally/backup-terraform-manifests/c4-02-vpc-module.tf:2-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html
83 | data "aws_iam_policy_document" "vpc_flow_log_cloudwatch" {
84 | count = local.create_flow_log_cloudwatch_iam_role ? 1 : 0
85 |
86 | statement {
87 | sid = "AWSVPCFlowLogsPushToCloudWatch"
88 |
89 | effect = "Allow"
90 |
91 | actions = [
92 | "logs:CreateLogStream",
93 | "logs:PutLogEvents",
94 | "logs:DescribeLogGroups",
95 | "logs:DescribeLogStreams",
96 | ]
97 |
98 | resources = ["*"]
99 | }
100 | }
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: module.vpc.aws_iam_policy_document.vpc_flow_log_cloudwatch
File: /18-Develop-Terraform-Modules-Locally/backup-terraform-manifests/modules/aws-vpc/vpc-flow-logs.tf:83-100
Calling File: /18-Develop-Terraform-Modules-Locally/backup-terraform-manifests/c4-02-vpc-module.tf:2-43
83 | data "aws_iam_policy_document" "vpc_flow_log_cloudwatch" {
84 | count = local.create_flow_log_cloudwatch_iam_role ? 1 : 0
85 |
86 | statement {
87 | sid = "AWSVPCFlowLogsPushToCloudWatch"
88 |
89 | effect = "Allow"
90 |
91 | actions = [
92 | "logs:CreateLogStream",
93 | "logs:PutLogEvents",
94 | "logs:DescribeLogGroups",
95 | "logs:DescribeLogStreams",
96 | ]
97 |
98 | resources = ["*"]
99 | }
100 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: module.vpc.aws_subnet.public[0]
File: /18-Develop-Terraform-Modules-Locally/terraform-manifests/modules/aws-vpc/main.tf:371-394
Calling File: /18-Develop-Terraform-Modules-Locally/terraform-manifests/c4-02-vpc-module.tf:2-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
371 | resource "aws_subnet" "public" {
372 | count = var.create_vpc && length(var.public_subnets) > 0 && (false == var.one_nat_gateway_per_az || length(var.public_subnets) >= length(var.azs)) ? length(var.public_subnets) : 0
373 |
374 | vpc_id = local.vpc_id
375 | cidr_block = element(concat(var.public_subnets, [""]), count.index)
376 | availability_zone = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) > 0 ? element(var.azs, count.index) : null
377 | availability_zone_id = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) == 0 ? element(var.azs, count.index) : null
378 | map_public_ip_on_launch = var.map_public_ip_on_launch
379 | assign_ipv6_address_on_creation = var.public_subnet_assign_ipv6_address_on_creation == null ? var.assign_ipv6_address_on_creation : var.public_subnet_assign_ipv6_address_on_creation
380 |
381 | ipv6_cidr_block = var.enable_ipv6 && length(var.public_subnet_ipv6_prefixes) > 0 ? cidrsubnet(aws_vpc.this[0].ipv6_cidr_block, 8, var.public_subnet_ipv6_prefixes[count.index]) : null
382 |
383 | tags = merge(
384 | {
385 | "Name" = format(
386 | "%s-${var.public_subnet_suffix}-%s",
387 | var.name,
388 | element(var.azs, count.index),
389 | )
390 | },
391 | var.tags,
392 | var.public_subnet_tags,
393 | )
394 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: module.vpc.aws_subnet.public[1]
File: /18-Develop-Terraform-Modules-Locally/terraform-manifests/modules/aws-vpc/main.tf:371-394
Calling File: /18-Develop-Terraform-Modules-Locally/terraform-manifests/c4-02-vpc-module.tf:2-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
371 | resource "aws_subnet" "public" {
372 | count = var.create_vpc && length(var.public_subnets) > 0 && (false == var.one_nat_gateway_per_az || length(var.public_subnets) >= length(var.azs)) ? length(var.public_subnets) : 0
373 |
374 | vpc_id = local.vpc_id
375 | cidr_block = element(concat(var.public_subnets, [""]), count.index)
376 | availability_zone = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) > 0 ? element(var.azs, count.index) : null
377 | availability_zone_id = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) == 0 ? element(var.azs, count.index) : null
378 | map_public_ip_on_launch = var.map_public_ip_on_launch
379 | assign_ipv6_address_on_creation = var.public_subnet_assign_ipv6_address_on_creation == null ? var.assign_ipv6_address_on_creation : var.public_subnet_assign_ipv6_address_on_creation
380 |
381 | ipv6_cidr_block = var.enable_ipv6 && length(var.public_subnet_ipv6_prefixes) > 0 ? cidrsubnet(aws_vpc.this[0].ipv6_cidr_block, 8, var.public_subnet_ipv6_prefixes[count.index]) : null
382 |
383 | tags = merge(
384 | {
385 | "Name" = format(
386 | "%s-${var.public_subnet_suffix}-%s",
387 | var.name,
388 | element(var.azs, count.index),
389 | )
390 | },
391 | var.tags,
392 | var.public_subnet_tags,
393 | )
394 | }
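The `CKV_AWS_130` findings above point at the module's `aws_subnet.public`, but the module only passes `var.map_public_ip_on_launch` through, so the remediation belongs in the calling file (`c4-02-vpc-module.tf`): set the variable to `false` and give a public address only to the resources that must have one. The following is an added example, not the repository's own manifest; the CIDRs, AZs, `data.aws_ami.amzlinux2` and `aws_security_group.bastion` are assumed.

```hcl
# c4-02-vpc-module.tf: added example, not the repository's file.
# Assumed: the local module under ./modules/aws-vpc (the copy checkov scanned),
# plus data.aws_ami.amzlinux2 and aws_security_group.bastion declared elsewhere.
module "vpc" {
  source = "./modules/aws-vpc"

  name = "myvpc"
  cidr = "10.0.0.0/16"

  azs             = ["us-east-1a", "us-east-1b"]
  public_subnets  = ["10.0.101.0/24", "10.0.102.0/24"]
  private_subnets = ["10.0.1.0/24", "10.0.2.0/24"]

  enable_nat_gateway = true
  single_nat_gateway = true

  # CKV_AWS_130: the module's aws_subnet.public assigns this value straight to
  # map_public_ip_on_launch. With the default (true) every instance that lands
  # in a public subnet gets an internet-routable address whether or not anyone
  # intended it. Off at the subnet level; opt in per resource instead.
  map_public_ip_on_launch = false
}

# The one host that needs a public address opts in explicitly. Everything else
# (web tier behind the ALB, databases) lives in private subnets and reaches the
# internet through the NAT gateway.
resource "aws_instance" "bastion" {
  ami                         = data.aws_ami.amzlinux2.id
  instance_type               = "t3.micro"
  subnet_id                   = module.vpc.public_subnets[0]
  associate_public_ip_address = true # reviewed exception, not a default
  vpc_security_group_ids      = [aws_security_group.bastion.id]

  tags = {
    Name = "bastion"
  }
}
```

Both `aws_subnet.public[0]` and `aws_subnet.public[1]` are created by the same resource block, so a single variable change clears both findings; re-run checkov against the directory to confirm. Instances already launched with a public IP keep it until they are replaced.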
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: module.vpc.aws_iam_policy_document.vpc_flow_log_cloudwatch
File: /18-Develop-Terraform-Modules-Locally/terraform-manifests/modules/aws-vpc/vpc-flow-logs.tf:83-100
Calling File: /18-Develop-Terraform-Modules-Locally/terraform-manifests/c4-02-vpc-module.tf:2-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html
83 | data "aws_iam_policy_document" "vpc_flow_log_cloudwatch" {
84 | count = local.create_flow_log_cloudwatch_iam_role ? 1 : 0
85 |
86 | statement {
87 | sid = "AWSVPCFlowLogsPushToCloudWatch"
88 |
89 | effect = "Allow"
90 |
91 | actions = [
92 | "logs:CreateLogStream",
93 | "logs:PutLogEvents",
94 | "logs:DescribeLogGroups",
95 | "logs:DescribeLogStreams",
96 | ]
97 |
98 | resources = ["*"]
99 | }
100 | }
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: module.vpc.aws_iam_policy_document.vpc_flow_log_cloudwatch
File: /18-Develop-Terraform-Modules-Locally/terraform-manifests/modules/aws-vpc/vpc-flow-logs.tf:83-100
Calling File: /18-Develop-Terraform-Modules-Locally/terraform-manifests/c4-02-vpc-module.tf:2-43
83 | data "aws_iam_policy_document" "vpc_flow_log_cloudwatch" {
84 | count = local.create_flow_log_cloudwatch_iam_role ? 1 : 0
85 |
86 | statement {
87 | sid = "AWSVPCFlowLogsPushToCloudWatch"
88 |
89 | effect = "Allow"
90 |
91 | actions = [
92 | "logs:CreateLogStream",
93 | "logs:PutLogEvents",
94 | "logs:DescribeLogGroups",
95 | "logs:DescribeLogStreams",
96 | ]
97 |
98 | resources = ["*"]
99 | }
100 | }
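`CKV_AWS_111` and `CKV_AWS_356` both fire on the same statement in `vpc_flow_log_cloudwatch`: four `logs:*` actions against `resources = ["*"]`. The role only ever writes to one log group, so the policy can name it. The block below is an added example that replaces the flagged policy document and is not the module's code. It assumes the module-internal names `local.create_flow_log_cloudwatch_iam_role` (present in the flagged code), `aws_cloudwatch_log_group.flow_log` (the group the module creates when it manages the destination) and `flow_log_cloudwatch_assume_role` for the trust policy; if the caller supplies its own `flow_log_destination_arn`, scope to that ARN instead.

```hcl
# modules/aws-vpc/vpc-flow-logs.tf: added example, not the module's code.
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

locals {
  # AWS provider 3.x returned log-group ARNs with a trailing ":*", 4.x+ without;
  # normalise so the resource ARN below is the same either way.
  flow_log_group_arn = trimsuffix(aws_cloudwatch_log_group.flow_log[0].arn, ":*")
}

data "aws_iam_policy_document" "vpc_flow_log_cloudwatch" {
  count = local.create_flow_log_cloudwatch_iam_role ? 1 : 0

  # CKV_AWS_111 / CKV_AWS_356: write and stream-level actions are limited to the
  # one log group the flow log delivers to; the ":*" suffix covers its streams.
  statement {
    sid    = "AWSVPCFlowLogsPushToCloudWatch"
    effect = "Allow"
    actions = [
      "logs:CreateLogStream",
      "logs:PutLogEvents",
      "logs:DescribeLogStreams",
    ]
    resources = ["${local.flow_log_group_arn}:*"]
  }

  # DescribeLogGroups is a list call; give it the account-and-region log-group
  # wildcard rather than a bare "*".
  statement {
    sid       = "AWSVPCFlowLogsDescribeLogGroups"
    effect    = "Allow"
    actions   = ["logs:DescribeLogGroups"]
    resources = ["arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:*"]
  }
}

# Trust policy for the delivery role. Checkov does not flag it, but a trust on
# the service principal alone lets a flow log created in another account be
# pointed at this role (confused deputy). The two conditions pin it to flow
# logs owned by this account in this region.
data "aws_iam_policy_document" "flow_log_cloudwatch_assume_role" {
  count = local.create_flow_log_cloudwatch_iam_role ? 1 : 0

  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["vpc-flow-logs.amazonaws.com"]
    }

    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }

    condition {
      test     = "ArnLike"
      variable = "aws:SourceArn"
      values   = ["arn:aws:ec2:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:vpc-flow-log/*"]
    }
  }
}
```

The same policy document is used by both the `terraform-manifests` and `backup-terraform-manifests` copies of the module, so the change has to land in each copy (or the backup copy should be deleted rather than maintained twice). After `terraform apply`, confirm delivery is still working by checking that new log streams appear under the flow log group; a resource ARN that is too narrow shows up as an `AccessDenied` delivery error on the flow log, not as a Terraform failure.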
Check: CKV_AWS_70: "Ensure S3 bucket does not allow an action with any Principal"
FAILED for resource: aws_s3_bucket.s3_bucket
File: /19-Develop-Terraform-Module-from-scratch/v2-host-static-website-on-s3-using-terraform-manifests/main.tf:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/bc-aws-s3-23.html
2 | resource "aws_s3_bucket" "s3_bucket" {
3 | bucket = var.bucket_name
4 | acl = "public-read"
5 | policy = < 0 ? 1 : 0
681 |
682 | vpc_id = element(concat(aws_vpc.this.*.id, [""]), 0)
683 | subnet_ids = aws_subnet.public.*.id
684 |
685 | tags = merge(
686 | {
687 | "Name" = format("%s-${var.public_subnet_suffix}", var.name)
688 | },
689 | var.tags,
690 | var.public_acl_tags,
691 | )
692 | }
Check: CKV2_AWS_1: "Ensure that all NACL are attached to subnets"
FAILED for resource: module.vpc.aws_network_acl.private[0]
File: /18-Develop-Terraform-Modules-Locally/backup-terraform-manifests/modules/aws-vpc/main.tf:732-745
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-all-nacl-are-attached-to-subnets.html
732 | resource "aws_network_acl" "private" {
733 | count = var.create_vpc && var.private_dedicated_network_acl && length(var.private_subnets) > 0 ? 1 : 0
734 |
735 | vpc_id = element(concat(aws_vpc.this.*.id, [""]), 0)
736 | subnet_ids = aws_subnet.private.*.id
737 |
738 | tags = merge(
739 | {
740 | "Name" = format("%s-${var.private_subnet_suffix}", var.name)
741 | },
742 | var.tags,
743 | var.private_acl_tags,
744 | )
745 | }
Check: CKV2_AWS_1: "Ensure that all NACL are attached to subnets"
FAILED for resource: module.vpc.aws_network_acl.database[0]
File: /18-Develop-Terraform-Modules-Locally/backup-terraform-manifests/modules/aws-vpc/main.tf:891-904
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-all-nacl-are-attached-to-subnets.html
891 | resource "aws_network_acl" "database" {
892 | count = var.create_vpc && var.database_dedicated_network_acl && length(var.database_subnets) > 0 ? 1 : 0
893 |
894 | vpc_id = element(concat(aws_vpc.this.*.id, [""]), 0)
895 | subnet_ids = aws_subnet.database.*.id
896 |
897 | tags = merge(
898 | {
899 | "Name" = format("%s-${var.database_subnet_suffix}", var.name)
900 | },
901 | var.tags,
902 | var.database_acl_tags,
903 | )
904 | }
Check: CKV2_AWS_1: "Ensure that all NACL are attached to subnets"
FAILED for resource: module.vpc.aws_network_acl.public[0]
File: /18-Develop-Terraform-Modules-Locally/terraform-manifests/modules/aws-vpc/main.tf:679-692
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-all-nacl-are-attached-to-subnets.html
679 | resource "aws_network_acl" "public" {
680 | count = var.create_vpc && var.public_dedicated_network_acl && length(var.public_subnets) > 0 ? 1 : 0
681 |
682 | vpc_id = element(concat(aws_vpc.this.*.id, [""]), 0)
683 | subnet_ids = aws_subnet.public.*.id
684 |
685 | tags = merge(
686 | {
687 | "Name" = format("%s-${var.public_subnet_suffix}", var.name)
688 | },
689 | var.tags,
690 | var.public_acl_tags,
691 | )
692 | }
Check: CKV2_AWS_1: "Ensure that all NACL are attached to subnets"
FAILED for resource: module.vpc.aws_network_acl.private[0]
File: /18-Develop-Terraform-Modules-Locally/terraform-manifests/modules/aws-vpc/main.tf:732-745
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-all-nacl-are-attached-to-subnets.html
732 | resource "aws_network_acl" "private" {
733 | count = var.create_vpc && var.private_dedicated_network_acl && length(var.private_subnets) > 0 ? 1 : 0
734 |
735 | vpc_id = element(concat(aws_vpc.this.*.id, [""]), 0)
736 | subnet_ids = aws_subnet.private.*.id
737 |
738 | tags = merge(
739 | {
740 | "Name" = format("%s-${var.private_subnet_suffix}", var.name)
741 | },
742 | var.tags,
743 | var.private_acl_tags,
744 | )
745 | }
Check: CKV2_AWS_1: "Ensure that all NACL are attached to subnets"
FAILED for resource: module.vpc.aws_network_acl.database[0]
File: /18-Develop-Terraform-Modules-Locally/terraform-manifests/modules/aws-vpc/main.tf:891-904
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-all-nacl-are-attached-to-subnets.html
891 | resource "aws_network_acl" "database" {
892 | count = var.create_vpc && var.database_dedicated_network_acl && length(var.database_subnets) > 0 ? 1 : 0
893 |
894 | vpc_id = element(concat(aws_vpc.this.*.id, [""]), 0)
895 | subnet_ids = aws_subnet.database.*.id
896 |
897 | tags = merge(
898 | {
899 | "Name" = format("%s-${var.database_subnet_suffix}", var.name)
900 | },
901 | var.tags,
902 | var.database_acl_tags,
903 | )
904 | }
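Every `CKV2_AWS_1` finding above is raised against a NACL that does set `subnet_ids` (`aws_subnet.public.*.id`, `.private.*.id`, `.database.*.id`), so once applied each NACL is attached to its subnets. `CKV2_AWS_1` is a graph check, and the splat over a `count`-based subnet resource inside a module is the kind of reference it can fail to follow, which makes these look like false positives. The added example below (not the module's code) shows the two honest ways to handle that: record a suppression on the block after verifying the attachment, or express each attachment as its own resource so the edge is explicit. The `aws_network_acl_association` resource assumes AWS provider 4.x or later; the variable names are the module's own.

```hcl
# modules/aws-vpc/main.tf: added example, not the module's code.

# Option 1: keep the attachment exactly as the module already expresses it and
# record why the check is suppressed. Verify first with
#   terraform state show 'module.vpc.aws_network_acl.public[0]'
# and confirm subnet_ids lists every public subnet.
resource "aws_network_acl" "public" {
  # checkov:skip=CKV2_AWS_1 attached through subnet_ids; graph check does not follow the splat over a count-based subnet
  count = var.create_vpc && var.public_dedicated_network_acl && length(var.public_subnets) > 0 ? 1 : 0

  vpc_id     = element(concat(aws_vpc.this.*.id, [""]), 0)
  subnet_ids = aws_subnet.public.*.id

  tags = merge(
    { "Name" = format("%s-${var.public_subnet_suffix}", var.name) },
    var.tags,
    var.public_acl_tags,
  )
}

# Option 2: one association resource per subnet. Each subnet then has a direct
# edge to the NACL that any scanner can see, and no skip comment is needed.
# Use this INSTEAD of subnet_ids on the NACL, never both: if you adopt it,
# remove the subnet_ids line and the skip comment from the resource above, or
# the two resources will fight over the association on every apply.
resource "aws_network_acl_association" "public" {
  count = var.create_vpc && var.public_dedicated_network_acl ? length(var.public_subnets) : 0

  network_acl_id = aws_network_acl.public[0].id
  subnet_id      = aws_subnet.public[count.index].id
}
```

The private and database NACLs take the same treatment with their own variables. Whichever option is chosen, the reason string in the skip comment is what a reviewer sees in the checkov report, so keep it specific; a bare `checkov:skip` with no justification is indistinguishable from a finding that was silenced to make the pipeline green.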
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: module.vpc.aws_vpc.this[0]
File: /18-Develop-Terraform-Modules-Locally/backup-terraform-manifests/modules/aws-vpc/main.tf:25-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
25 | resource "aws_vpc" "this" {
26 | count = var.create_vpc ? 1 : 0
27 |
28 | cidr_block = var.cidr
29 | instance_tenancy = var.instance_tenancy
30 | enable_dns_hostnames = var.enable_dns_hostnames
31 | enable_dns_support = var.enable_dns_support
32 | enable_classiclink = var.enable_classiclink
33 | enable_classiclink_dns_support = var.enable_classiclink_dns_support
34 | assign_generated_ipv6_cidr_block = var.enable_ipv6
35 |
36 | tags = merge(
37 | {
38 | "Name" = format("%s", var.name)
39 | },
40 | var.tags,
41 | var.vpc_tags,
42 | )
43 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: module.vpc.aws_vpc.this[0]
File: /18-Develop-Terraform-Modules-Locally/terraform-manifests/modules/aws-vpc/main.tf:25-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
25 | resource "aws_vpc" "this" {
26 | count = var.create_vpc ? 1 : 0
27 |
28 | cidr_block = var.cidr
29 | instance_tenancy = var.instance_tenancy
30 | enable_dns_hostnames = var.enable_dns_hostnames
31 | enable_dns_support = var.enable_dns_support
32 | enable_classiclink = var.enable_classiclink
33 | enable_classiclink_dns_support = var.enable_classiclink_dns_support
34 | assign_generated_ipv6_cidr_block = var.enable_ipv6
35 |
36 | tags = merge(
37 | {
38 | "Name" = format("%s", var.name)
39 | },
40 | var.tags,
41 | var.vpc_tags,
42 | )
43 | }
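`CKV2_AWS_12` is another graph check: it looks for an `aws_default_security_group` tied to the VPC that carries no rules. AWS creates the default security group with every VPC, with an allow-all-from-self ingress rule and an allow-all egress rule, and it cannot be deleted; the fix is to adopt it into Terraform with no rule blocks, which makes the provider strip every rule. The added example below is root-module code next to `c4-02-vpc-module.tf`, not the repository's own; it assumes the module's `vpc_id` output and an `aws_security_group.alb` for the load balancer. Newer releases of the upstream `terraform-aws-modules/vpc` module expose `manage_default_security_group` for the same purpose, but the root-level resource does not depend on the module version.

```hcl
# Root module, next to c4-02-vpc-module.tf. Added example, not the repository's code.
# Assumed: module.vpc exposes vpc_id and aws_security_group.alb exists.

# CKV2_AWS_12: a default SG declared with no ingress/egress blocks has every rule
# removed by Terraform, including the stock "all from self" and "all egress"
# rules AWS creates with the VPC. A workload launched without an explicit group
# then cannot talk to anything, which is the behaviour you want.
resource "aws_default_security_group" "locked" {
  vpc_id = module.vpc.vpc_id

  tags = {
    Name = "default-do-not-use"
  }
}

# Workloads get an explicit, purpose-built group instead. This one admits HTTP
# only from the load balancer's group and allows outbound HTTPS only.
resource "aws_security_group" "app" {
  name        = "app-tier"
  description = "App instances: ingress from ALB only"
  vpc_id      = module.vpc.vpc_id
}

resource "aws_security_group_rule" "app_from_alb" {
  type                     = "ingress"
  security_group_id        = aws_security_group.app.id
  from_port                = 80
  to_port                  = 80
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.alb.id
  description              = "HTTP from ALB"
}

resource "aws_security_group_rule" "app_egress_https" {
  type              = "egress"
  security_group_id = aws_security_group.app.id
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
  description       = "HTTPS out for package updates and AWS APIs"
}
```

Because the default group is adopted rather than created, the first `terraform apply` shows it as a create with the existing rules removed; anything that was silently relying on the default group's allow-all rules breaks at that point, so apply to a non-production VPC first and look for connection failures before rolling it out further.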
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: aws_s3_bucket.cw_canary_bucket
File: /17-AWS-CloudWatch/cw-synthetics-manifests-v2/c14-05-cloudwatch-synthetics.tf:52-61
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
52 | resource "aws_s3_bucket" "cw_canary_bucket" {
53 | bucket = "cw-canary-bucket-${random_pet.this.id}"
54 | acl = "private"
55 | force_destroy = true
56 |
57 | tags = {
58 | Name = "My bucket"
59 | Environment = "Dev"
60 | }
61 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: aws_s3_bucket.cw_canary_bucket
File: /17-AWS-CloudWatch/terraform-manifests/c14-05-cloudwatch-synthetics.tf:52-61
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
52 | resource "aws_s3_bucket" "cw_canary_bucket" {
53 | bucket = "cw-canary-bucket-${random_pet.this.id}"
54 | acl = "private"
55 | force_destroy = true
56 |
57 | tags = {
58 | Name = "My bucket"
59 | Environment = "Dev"
60 | }
61 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: aws_s3_bucket.s3_bucket
File: /19-Develop-Terraform-Module-from-scratch/v2-host-static-website-on-s3-using-terraform-manifests/main.tf:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
2 | resource "aws_s3_bucket" "s3_bucket" {
3 | bucket = var.bucket_name
4 | acl = "public-read"
5 | policy = < details.instance_types if length(details.instance_types) != 0 }))
12 | availability_zone = each.key # You can also use each.value because for list items each.key == each.value
13 | tags = {
14 | "Name" = "For-Each-Demo-${each.key}"
15 | }
16 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.myec2vm
File: /05-Terraform-Loops-MetaArguments-SplatOperator/05-04-for_each-with-az-instancetype-check/terraform-manifests/c5-ec2instance.tf:2-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
2 | resource "aws_instance" "myec2vm" {
3 | ami = data.aws_ami.amzlinux2.id
4 | instance_type = var.instance_type
5 | user_data = file("${path.module}/app1-install.sh")
6 | key_name = var.instance_keypair
7 | vpc_security_group_ids = [ aws_security_group.vpc-ssh.id, aws_security_group.vpc-web.id ]
8 | # Create EC2 Instance in all Availabilty Zones of a VPC
9 | #for_each = toset(data.aws_availability_zones.my_azones.names)
10 | for_each = toset(keys({for az, details in data.aws_ec2_instance_type_offerings.my_ins_type:
11 | az => details.instance_types if length(details.instance_types) != 0 }))
12 | availability_zone = each.key # You can also use each.value because for list items each.key == each.value
13 | tags = {
14 | "Name" = "For-Each-Demo-${each.key}"
15 | }
16 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.myec2vm[1]
File: /05-Terraform-Loops-MetaArguments-SplatOperator/05-01-MetaArgument-Count-For-Loops-Lists-Maps/terraform-manifests/c5-ec2instance.tf:2-14
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
2 | resource "aws_instance" "myec2vm" {
3 | ami = data.aws_ami.amzlinux2.id
4 | instance_type = var.instance_type
5 | #instance_type = var.instance_type_list[1] # For List
6 | #nstance_type = var.instance_type_map["prod"] # For Map
7 | user_data = file("${path.module}/app1-install.sh")
8 | key_name = var.instance_keypair
9 | vpc_security_group_ids = [ aws_security_group.vpc-ssh.id, aws_security_group.vpc-web.id ]
10 | count = 2
11 | tags = {
12 | "Name" = "Count-Demo-${count.index}"
13 | }
14 | }
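The `CKV2_AWS_41` findings cover the `count` and `for_each` demos of `aws_instance.myec2vm`. An instance with no instance profile cannot obtain AWS credentials from the metadata service, so anything on it that needs AWS APIs ends up with long-lived keys in `user_data`, the AMI or a config file. The added example below (not the repository's `c5-ec2instance.tf`) attaches a role that carries only the SSM agent permissions, and while touching the instance also requires IMDSv2 so an SSRF in the app cannot read the role's credentials with one unauthenticated GET. Dropping `key_name` and the `vpc-ssh` group in favour of Session Manager is a design choice of this example; `data.aws_ec2_instance_type_offerings.my_ins_type`, `data.aws_ami.amzlinux2`, `var.instance_type` and `aws_security_group.vpc-web` are taken from the flagged code.

```hcl
# c5-ec2instance.tf: added example, not the repository's file.
data "aws_iam_policy_document" "ec2_assume_role" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "ec2" {
  name               = "for-each-demo-ec2-role"
  assume_role_policy = data.aws_iam_policy_document.ec2_assume_role.json
}

# Grant only what the workload needs. The SSM core policy is enough for
# Session Manager, which replaces the SSH key pair and the port-22 rule.
resource "aws_iam_role_policy_attachment" "ssm_core" {
  role       = aws_iam_role.ec2.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
}

resource "aws_iam_instance_profile" "ec2" {
  name = "for-each-demo-ec2-profile"
  role = aws_iam_role.ec2.name
}

resource "aws_instance" "myec2vm" {
  # One instance per AZ that actually offers the requested instance type.
  for_each = toset(keys({ for az, details in data.aws_ec2_instance_type_offerings.my_ins_type :
    az => details.instance_types if length(details.instance_types) != 0 }))

  ami                    = data.aws_ami.amzlinux2.id
  instance_type          = var.instance_type
  availability_zone      = each.key
  user_data              = file("${path.module}/app1-install.sh")
  vpc_security_group_ids = [aws_security_group.vpc-web.id]

  # CKV2_AWS_41: credentials come from the instance profile, never from keys
  # baked into user_data or the AMI. Rotation and revocation are then AWS's job.
  iam_instance_profile = aws_iam_instance_profile.ec2.name

  # Require IMDSv2 (session-token based). hop_limit 1 keeps the token from
  # being forwarded by a container or proxy running on the host.
  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required"
    http_put_response_hop_limit = 1
  }

  tags = {
    Name = "For-Each-Demo-${each.key}"
  }
}
```

The `count = 2` variant takes the same `iam_instance_profile` and `metadata_options` arguments unchanged. The app install script must not depend on IMDSv1 style requests (`curl http://169.254.169.254/latest/meta-data/` with no token) once `http_tokens` is `required`; the Amazon Linux 2 SSM agent and the AWS CLI both handle IMDSv2 natively.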
Linting
This repository failed the Experience Builder Terraform Module's Linting validation. This means that a linting tool was not found to be implemented in any of the CICD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform linting tools