| Field | Value |
|---|---|
| Repository | trussworks / terraform-layout-example |
| Description | Example of a Truss Terraform project |
| Stars | 153 |
| Failed Checks | Security Scanning |
| Scan Date | 2023-10-30 17:57:40 |
Security Scanning
This repository failed the Experience Builder Terraform Module's Security Scanning validation: no security scanning tool was found in any of the repository's CI/CD configuration files.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform security scanning tools (example checkov output below).
- Implement one of those security scanning tools within the CI/CD framework the repository uses.
Checkov Output
2023-10-05 14:54:42,302 [MainThread ] [WARNI] Failed to download module trussworks/logs/aws:~>16.1.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:54:42,302 [MainThread ] [WARNI] Failed to download module trussworks/config/aws:~>7.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:54:42,302 [MainThread ] [WARNI] Failed to download module trussworks/iam-cross-acct-dest/aws:4.0.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:54:42,302 [MainThread ] [WARNI] Failed to download module trussworks/guardduty-notifications/aws:~>6.0.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:54:42,302 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/notify-slack/aws:~>6.0.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:54:42,302 [MainThread ] [WARNI] Failed to download module trussworks/route53-query-logs/aws:~>4.0.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:54:42,302 [MainThread ] [WARNI] Failed to download module trussworks/logs/aws:16.1.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:54:42,302 [MainThread ] [WARNI] Failed to download module trussworks/cloudtrail/aws:5.0.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:54:42,303 [MainThread ] [WARNI] Failed to download module trussworks/org-scp/aws:~>1.6.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:54:42,303 [MainThread ] [WARNI] Failed to download module trussworks/mfa/aws:~>4.0.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:54:42,303 [MainThread ] [WARNI] Failed to download module trussworks/iam-user-group/aws:3.0.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:54:42,304 [MainThread ] [WARNI] Failed to download module trussworks/iam-cross-acct-dest/aws:~>4.0.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:54:42,304 [MainThread ] [WARNI] Failed to download module trussworks/alb-web-containers/aws:~>9.1.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:54:42,304 [MainThread ] [WARNI] Failed to download module trussworks/ecs-service/aws:~>7.1.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:54:42,304 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/rds/aws:~>6.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:54:42,304 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/vpc/aws:~>5.1.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:54:43,108 [MainThread ] [WARNI] Failed to find context for resource.aws_iam_user.admins["alice.org-root"]
2023-10-05 14:54:43,109 [MainThread ] [WARNI] Failed to find context for resource.aws_iam_user.admins["bob.org-root"]
terraform scan results:
Passed checks: 229, Failed checks: 52, Skipped checks: 0
Check: CKV_AWS_163: "Ensure ECR image scanning on push is enabled"
FAILED for resource: module.app_my_webapp_prod_ecr.aws_ecr_repository.main
File: /modules/aws-example-ecr-repo/main.tf:6-9
Calling File: /orgname-prod/app-my-webapp-prod/main.tf:40-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-8.html
6 | resource "aws_ecr_repository" "main" {
7 | name = var.name
8 | tags = merge(local.tags, var.tags)
9 | }
Check: CKV_AWS_51: "Ensure ECR Image Tags are immutable"
FAILED for resource: module.app_my_webapp_prod_ecr.aws_ecr_repository.main
File: /modules/aws-example-ecr-repo/main.tf:6-9
Calling File: /orgname-prod/app-my-webapp-prod/main.tf:40-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-24.html
6 | resource "aws_ecr_repository" "main" {
7 | name = var.name
8 | tags = merge(local.tags, var.tags)
9 | }
Check: CKV_AWS_136: "Ensure that ECR repositories are encrypted using KMS"
FAILED for resource: module.app_my_webapp_prod_ecr.aws_ecr_repository.main
File: /modules/aws-example-ecr-repo/main.tf:6-9
Calling File: /orgname-prod/app-my-webapp-prod/main.tf:40-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ecr-repositories-are-encrypted.html
6 | resource "aws_ecr_repository" "main" {
7 | name = var.name
8 | tags = merge(local.tags, var.tags)
9 | }
Check: CKV_AWS_163: "Ensure ECR image scanning on push is enabled"
FAILED for resource: module.app_my_webapp_sandbox_ecr.aws_ecr_repository.main
File: /modules/aws-example-ecr-repo/main.tf:6-9
Calling File: /orgname-sandbox/app-my-webapp-global/main.tf:27-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-8.html
6 | resource "aws_ecr_repository" "main" {
7 | name = var.name
8 | tags = merge(local.tags, var.tags)
9 | }
Check: CKV_AWS_51: "Ensure ECR Image Tags are immutable"
FAILED for resource: module.app_my_webapp_sandbox_ecr.aws_ecr_repository.main
File: /modules/aws-example-ecr-repo/main.tf:6-9
Calling File: /orgname-sandbox/app-my-webapp-global/main.tf:27-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-24.html
6 | resource "aws_ecr_repository" "main" {
7 | name = var.name
8 | tags = merge(local.tags, var.tags)
9 | }
Check: CKV_AWS_136: "Ensure that ECR repositories are encrypted using KMS"
FAILED for resource: module.app_my_webapp_sandbox_ecr.aws_ecr_repository.main
File: /modules/aws-example-ecr-repo/main.tf:6-9
Calling File: /orgname-sandbox/app-my-webapp-global/main.tf:27-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ecr-repositories-are-encrypted.html
6 | resource "aws_ecr_repository" "main" {
7 | name = var.name
8 | tags = merge(local.tags, var.tags)
9 | }
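The three ECR findings above (CKV_AWS_163, CKV_AWS_51, CKV_AWS_136) all point at the same module resource and are fixed by three arguments on it. The following is an added example of the hardened resource; it is not code from the trussworks repository. The key `aws_kms_key.ecr` is an assumed addition (the scanned module defines no key), and the name and tag inputs are the ones shown on the page.

```hcl
# Added example: hardened form of modules/aws-example-ecr-repo/main.tf.
# aws_kms_key.ecr is an assumed resource; the scanned module does not define one.
resource "aws_kms_key" "ecr" {
  description         = "CMK for ECR image layer encryption (${var.name})"
  enable_key_rotation = true
  tags                = merge(local.tags, var.tags)
}

resource "aws_ecr_repository" "main" {
  name = var.name

  # CKV_AWS_51: a tag that has been pushed can never be re-pointed at a
  # different image, so a deployment pinned to "v1.2.3" cannot be swapped.
  image_tag_mutability = "IMMUTABLE"

  # CKV_AWS_163: every push triggers a vulnerability scan of the image.
  image_scanning_configuration {
    scan_on_push = true
  }

  # CKV_AWS_136: encrypt layers with a customer-managed key instead of the
  # default service-owned AES256 key, so use of the key is auditable in
  # CloudTrail and can be revoked through the key policy.
  encryption_configuration {
    encryption_type = "KMS"
    kms_key         = aws_kms_key.ecr.arn
  }

  tags = merge(local.tags, var.tags)
}
```

Two consequences to plan for before applying this: `encryption_configuration` cannot be changed on an existing repository, so Terraform will plan a replacement and the images must be re-pushed; and with immutable tags any pipeline that overwrites a floating tag such as `latest` on every build starts failing and has to push unique tags (or deploy by digest) instead.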
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: module.my_webapp_prod.aws_ssm_parameter.database_name
File: /modules/aws-example-webapp/db.tf:78-83
Calling File: /orgname-prod/app-my-webapp-prod/main.tf:46-67
78 | resource "aws_ssm_parameter" "database_name" {
79 | name = format("/app-my-webapp-%s/database-name", var.environment)
80 | description = "Database name for my-webapp"
81 | type = "SecureString"
82 | value = var.db_name
83 | }
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: module.my_webapp_prod.aws_ssm_parameter.database_user
File: /modules/aws-example-webapp/db.tf:85-90
Calling File: /orgname-prod/app-my-webapp-prod/main.tf:46-67
85 | resource "aws_ssm_parameter" "database_user" {
86 | name = format("/app-my-webapp-%s/database-user", var.environment)
87 | description = "Database user for my-webapp"
88 | type = "SecureString"
89 | value = var.db_user
90 | }
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: module.my_webapp_prod.aws_ssm_parameter.database_host
File: /modules/aws-example-webapp/db.tf:103-108
Calling File: /orgname-prod/app-my-webapp-prod/main.tf:46-67
103 | resource "aws_ssm_parameter" "database_host" {
104 | name = format("/app-my-webapp-%s/database-host", var.environment)
105 | description = "Database host for my-webapp"
106 | type = "SecureString"
107 | value = module.my_webapp_db.this_db_instance_endpoint
108 | }
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: module.my_webapp_dev.aws_ssm_parameter.database_name
File: /modules/aws-example-webapp/db.tf:78-83
Calling File: /orgname-sandbox/app-my-webapp-dev/main.tf:75-91
78 | resource "aws_ssm_parameter" "database_name" {
79 | name = format("/app-my-webapp-%s/database-name", var.environment)
80 | description = "Database name for my-webapp"
81 | type = "SecureString"
82 | value = var.db_name
83 | }
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: module.my_webapp_dev.aws_ssm_parameter.database_user
File: /modules/aws-example-webapp/db.tf:85-90
Calling File: /orgname-sandbox/app-my-webapp-dev/main.tf:75-91
85 | resource "aws_ssm_parameter" "database_user" {
86 | name = format("/app-my-webapp-%s/database-user", var.environment)
87 | description = "Database user for my-webapp"
88 | type = "SecureString"
89 | value = var.db_user
90 | }
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: module.my_webapp_dev.aws_ssm_parameter.database_host
File: /modules/aws-example-webapp/db.tf:103-108
Calling File: /orgname-sandbox/app-my-webapp-dev/main.tf:75-91
103 | resource "aws_ssm_parameter" "database_host" {
104 | name = format("/app-my-webapp-%s/database-host", var.environment)
105 | description = "Database host for my-webapp"
106 | type = "SecureString"
107 | value = module.my_webapp_db.this_db_instance_endpoint
108 | }
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: module.my_webapp_experimental.aws_ssm_parameter.database_name
File: /modules/aws-example-webapp/db.tf:78-83
Calling File: /orgname-sandbox/app-my-webapp-experimental/main.tf:75-91
78 | resource "aws_ssm_parameter" "database_name" {
79 | name = format("/app-my-webapp-%s/database-name", var.environment)
80 | description = "Database name for my-webapp"
81 | type = "SecureString"
82 | value = var.db_name
83 | }
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: module.my_webapp_experimental.aws_ssm_parameter.database_user
File: /modules/aws-example-webapp/db.tf:85-90
Calling File: /orgname-sandbox/app-my-webapp-experimental/main.tf:75-91
85 | resource "aws_ssm_parameter" "database_user" {
86 | name = format("/app-my-webapp-%s/database-user", var.environment)
87 | description = "Database user for my-webapp"
88 | type = "SecureString"
89 | value = var.db_user
90 | }
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: module.my_webapp_experimental.aws_ssm_parameter.database_host
File: /modules/aws-example-webapp/db.tf:103-108
Calling File: /orgname-sandbox/app-my-webapp-experimental/main.tf:75-91
103 | resource "aws_ssm_parameter" "database_host" {
104 | name = format("/app-my-webapp-%s/database-host", var.environment)
105 | description = "Database host for my-webapp"
106 | type = "SecureString"
107 | value = module.my_webapp_db.this_db_instance_endpoint
108 | }
Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
FAILED for resource: module.my_webapp_prod.aws_iam_policy_document.cloudwatch_logs_allow_kms
File: /modules/aws-example-webapp/main.tf:104-140
Calling File: /orgname-prod/app-my-webapp-prod/main.tf:46-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint.html
104 | data "aws_iam_policy_document" "cloudwatch_logs_allow_kms" {
105 | statement {
106 | sid = "Enable IAM User Permissions"
107 | effect = "Allow"
108 |
109 | principals {
110 | type = "AWS"
111 | identifiers = [
112 | "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root",
113 | ]
114 | }
115 |
116 | actions = [
117 | "kms:*",
118 | ]
119 | resources = ["*"]
120 | }
121 |
122 | statement {
123 | sid = "Allow logs KMS access"
124 | effect = "Allow"
125 |
126 | principals {
127 | type = "Service"
128 | identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
129 | }
130 |
131 | actions = [
132 | "kms:Encrypt*",
133 | "kms:Decrypt*",
134 | "kms:ReEncrypt*",
135 | "kms:GenerateDataKey*",
136 | "kms:Describe*"
137 | ]
138 | resources = ["*"]
139 | }
140 | }
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: module.my_webapp_prod.aws_iam_policy_document.cloudwatch_logs_allow_kms
File: /modules/aws-example-webapp/main.tf:104-140
Calling File: /orgname-prod/app-my-webapp-prod/main.tf:46-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html
104 | data "aws_iam_policy_document" "cloudwatch_logs_allow_kms" {
105 | statement {
106 | sid = "Enable IAM User Permissions"
107 | effect = "Allow"
108 |
109 | principals {
110 | type = "AWS"
111 | identifiers = [
112 | "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root",
113 | ]
114 | }
115 |
116 | actions = [
117 | "kms:*",
118 | ]
119 | resources = ["*"]
120 | }
121 |
122 | statement {
123 | sid = "Allow logs KMS access"
124 | effect = "Allow"
125 |
126 | principals {
127 | type = "Service"
128 | identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
129 | }
130 |
131 | actions = [
132 | "kms:Encrypt*",
133 | "kms:Decrypt*",
134 | "kms:ReEncrypt*",
135 | "kms:GenerateDataKey*",
136 | "kms:Describe*"
137 | ]
138 | resources = ["*"]
139 | }
140 | }
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: module.my_webapp_prod.aws_iam_policy_document.cloudwatch_logs_allow_kms
File: /modules/aws-example-webapp/main.tf:104-140
Calling File: /orgname-prod/app-my-webapp-prod/main.tf:46-67
104 | data "aws_iam_policy_document" "cloudwatch_logs_allow_kms" {
105 | statement {
106 | sid = "Enable IAM User Permissions"
107 | effect = "Allow"
108 |
109 | principals {
110 | type = "AWS"
111 | identifiers = [
112 | "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root",
113 | ]
114 | }
115 |
116 | actions = [
117 | "kms:*",
118 | ]
119 | resources = ["*"]
120 | }
121 |
122 | statement {
123 | sid = "Allow logs KMS access"
124 | effect = "Allow"
125 |
126 | principals {
127 | type = "Service"
128 | identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
129 | }
130 |
131 | actions = [
132 | "kms:Encrypt*",
133 | "kms:Decrypt*",
134 | "kms:ReEncrypt*",
135 | "kms:GenerateDataKey*",
136 | "kms:Describe*"
137 | ]
138 | resources = ["*"]
139 | }
140 | }
Check: CKV_AWS_65: "Ensure container insights are enabled on ECS cluster"
FAILED for resource: module.my_webapp_prod.aws_ecs_cluster.app_my_webapp
File: /modules/aws-example-webapp/main.tf:162-173
Calling File: /orgname-prod/app-my-webapp-prod/main.tf:46-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-11.html
162 | resource "aws_ecs_cluster" "app_my_webapp" {
163 | name = format("app-my-webapp-%s", var.environment)
164 |
165 | setting {
166 | name = "containerInsights"
167 | value = "disabled"
168 | }
169 |
170 | lifecycle {
171 | create_before_destroy = true
172 | }
173 | }
Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
FAILED for resource: module.my_webapp_dev.aws_iam_policy_document.cloudwatch_logs_allow_kms
File: /modules/aws-example-webapp/main.tf:104-140
Calling File: /orgname-sandbox/app-my-webapp-dev/main.tf:75-91
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint.html
104 | data "aws_iam_policy_document" "cloudwatch_logs_allow_kms" {
105 | statement {
106 | sid = "Enable IAM User Permissions"
107 | effect = "Allow"
108 |
109 | principals {
110 | type = "AWS"
111 | identifiers = [
112 | "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root",
113 | ]
114 | }
115 |
116 | actions = [
117 | "kms:*",
118 | ]
119 | resources = ["*"]
120 | }
121 |
122 | statement {
123 | sid = "Allow logs KMS access"
124 | effect = "Allow"
125 |
126 | principals {
127 | type = "Service"
128 | identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
129 | }
130 |
131 | actions = [
132 | "kms:Encrypt*",
133 | "kms:Decrypt*",
134 | "kms:ReEncrypt*",
135 | "kms:GenerateDataKey*",
136 | "kms:Describe*"
137 | ]
138 | resources = ["*"]
139 | }
140 | }
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: module.my_webapp_dev.aws_iam_policy_document.cloudwatch_logs_allow_kms
File: /modules/aws-example-webapp/main.tf:104-140
Calling File: /orgname-sandbox/app-my-webapp-dev/main.tf:75-91
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html
104 | data "aws_iam_policy_document" "cloudwatch_logs_allow_kms" {
105 | statement {
106 | sid = "Enable IAM User Permissions"
107 | effect = "Allow"
108 |
109 | principals {
110 | type = "AWS"
111 | identifiers = [
112 | "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root",
113 | ]
114 | }
115 |
116 | actions = [
117 | "kms:*",
118 | ]
119 | resources = ["*"]
120 | }
121 |
122 | statement {
123 | sid = "Allow logs KMS access"
124 | effect = "Allow"
125 |
126 | principals {
127 | type = "Service"
128 | identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
129 | }
130 |
131 | actions = [
132 | "kms:Encrypt*",
133 | "kms:Decrypt*",
134 | "kms:ReEncrypt*",
135 | "kms:GenerateDataKey*",
136 | "kms:Describe*"
137 | ]
138 | resources = ["*"]
139 | }
140 | }
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: module.my_webapp_dev.aws_iam_policy_document.cloudwatch_logs_allow_kms
File: /modules/aws-example-webapp/main.tf:104-140
Calling File: /orgname-sandbox/app-my-webapp-dev/main.tf:75-91
104 | data "aws_iam_policy_document" "cloudwatch_logs_allow_kms" {
105 | statement {
106 | sid = "Enable IAM User Permissions"
107 | effect = "Allow"
108 |
109 | principals {
110 | type = "AWS"
111 | identifiers = [
112 | "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root",
113 | ]
114 | }
115 |
116 | actions = [
117 | "kms:*",
118 | ]
119 | resources = ["*"]
120 | }
121 |
122 | statement {
123 | sid = "Allow logs KMS access"
124 | effect = "Allow"
125 |
126 | principals {
127 | type = "Service"
128 | identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
129 | }
130 |
131 | actions = [
132 | "kms:Encrypt*",
133 | "kms:Decrypt*",
134 | "kms:ReEncrypt*",
135 | "kms:GenerateDataKey*",
136 | "kms:Describe*"
137 | ]
138 | resources = ["*"]
139 | }
140 | }
Check: CKV_AWS_65: "Ensure container insights are enabled on ECS cluster"
FAILED for resource: module.my_webapp_dev.aws_ecs_cluster.app_my_webapp
File: /modules/aws-example-webapp/main.tf:162-173
Calling File: /orgname-sandbox/app-my-webapp-dev/main.tf:75-91
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-11.html
162 | resource "aws_ecs_cluster" "app_my_webapp" {
163 | name = format("app-my-webapp-%s", var.environment)
164 |
165 | setting {
166 | name = "containerInsights"
167 | value = "disabled"
168 | }
169 |
170 | lifecycle {
171 | create_before_destroy = true
172 | }
173 | }
Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
FAILED for resource: module.my_webapp_experimental.aws_iam_policy_document.cloudwatch_logs_allow_kms
File: /modules/aws-example-webapp/main.tf:104-140
Calling File: /orgname-sandbox/app-my-webapp-experimental/main.tf:75-91
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint.html
104 | data "aws_iam_policy_document" "cloudwatch_logs_allow_kms" {
105 | statement {
106 | sid = "Enable IAM User Permissions"
107 | effect = "Allow"
108 |
109 | principals {
110 | type = "AWS"
111 | identifiers = [
112 | "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root",
113 | ]
114 | }
115 |
116 | actions = [
117 | "kms:*",
118 | ]
119 | resources = ["*"]
120 | }
121 |
122 | statement {
123 | sid = "Allow logs KMS access"
124 | effect = "Allow"
125 |
126 | principals {
127 | type = "Service"
128 | identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
129 | }
130 |
131 | actions = [
132 | "kms:Encrypt*",
133 | "kms:Decrypt*",
134 | "kms:ReEncrypt*",
135 | "kms:GenerateDataKey*",
136 | "kms:Describe*"
137 | ]
138 | resources = ["*"]
139 | }
140 | }
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: module.my_webapp_experimental.aws_iam_policy_document.cloudwatch_logs_allow_kms
File: /modules/aws-example-webapp/main.tf:104-140
Calling File: /orgname-sandbox/app-my-webapp-experimental/main.tf:75-91
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html
104 | data "aws_iam_policy_document" "cloudwatch_logs_allow_kms" {
105 | statement {
106 | sid = "Enable IAM User Permissions"
107 | effect = "Allow"
108 |
109 | principals {
110 | type = "AWS"
111 | identifiers = [
112 | "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root",
113 | ]
114 | }
115 |
116 | actions = [
117 | "kms:*",
118 | ]
119 | resources = ["*"]
120 | }
121 |
122 | statement {
123 | sid = "Allow logs KMS access"
124 | effect = "Allow"
125 |
126 | principals {
127 | type = "Service"
128 | identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
129 | }
130 |
131 | actions = [
132 | "kms:Encrypt*",
133 | "kms:Decrypt*",
134 | "kms:ReEncrypt*",
135 | "kms:GenerateDataKey*",
136 | "kms:Describe*"
137 | ]
138 | resources = ["*"]
139 | }
140 | }
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: module.my_webapp_experimental.aws_iam_policy_document.cloudwatch_logs_allow_kms
File: /modules/aws-example-webapp/main.tf:104-140
Calling File: /orgname-sandbox/app-my-webapp-experimental/main.tf:75-91
104 | data "aws_iam_policy_document" "cloudwatch_logs_allow_kms" {
105 | statement {
106 | sid = "Enable IAM User Permissions"
107 | effect = "Allow"
108 |
109 | principals {
110 | type = "AWS"
111 | identifiers = [
112 | "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root",
113 | ]
114 | }
115 |
116 | actions = [
117 | "kms:*",
118 | ]
119 | resources = ["*"]
120 | }
121 |
122 | statement {
123 | sid = "Allow logs KMS access"
124 | effect = "Allow"
125 |
126 | principals {
127 | type = "Service"
128 | identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
129 | }
130 |
131 | actions = [
132 | "kms:Encrypt*",
133 | "kms:Decrypt*",
134 | "kms:ReEncrypt*",
135 | "kms:GenerateDataKey*",
136 | "kms:Describe*"
137 | ]
138 | resources = ["*"]
139 | }
140 | }
Check: CKV_AWS_65: "Ensure container insights are enabled on ECS cluster"
FAILED for resource: module.my_webapp_experimental.aws_ecs_cluster.app_my_webapp
File: /modules/aws-example-webapp/main.tf:162-173
Calling File: /orgname-sandbox/app-my-webapp-experimental/main.tf:75-91
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-11.html
162 | resource "aws_ecs_cluster" "app_my_webapp" {
163 | name = format("app-my-webapp-%s", var.environment)
164 |
165 | setting {
166 | name = "containerInsights"
167 | value = "disabled"
168 | }
169 |
170 | lifecycle {
171 | create_before_destroy = true
172 | }
173 | }
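The SSM (CKV_AWS_337), IAM policy document (CKV_AWS_109, CKV_AWS_111, CKV_AWS_356) and ECS (CKV_AWS_65) findings above all come from modules/aws-example-webapp, and the three policy findings are raised three times only because the module is instantiated in three environments. The following is an added example, not the repository's code, showing one way to address them together. The policy findings need a caveat: in a KMS key policy the only legal `Resource` is `"*"`, meaning "this key", and the account-root statement is what keeps the key administrable through IAM, so the generic IAM checks cannot be satisfied there and are suppressed inline with a reason. What can be tightened is the CloudWatch Logs statement, which gets the `kms:EncryptionContext:aws:logs:arn` condition AWS documents for Logs keys. The same key then serves as the CMK for the SSM parameters. `var.environment`, `var.db_name` and the two data sources are taken from the page; `aws_kms_key.app` and its alias are assumed names, and only one of the three parameters is shown because the other two need the identical `key_id` line.

```hcl
# Added example: hardened KMS key policy, SSM parameter and ECS cluster for
# modules/aws-example-webapp. Resource names are assumed, not the module's own.
# Both data sources are already referenced by the module; declared here so the
# example stands alone.
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

data "aws_iam_policy_document" "app_kms" {
  # Key policies can only name Resource "*" (this key), and the root statement
  # is required so IAM policies in the account can administer the key. The
  # generic IAM checks cannot know this, so they are suppressed with a reason
  # on this block only, not disabled globally.
  #checkov:skip=CKV_AWS_109:KMS key policy; root statement required for key administration via IAM
  #checkov:skip=CKV_AWS_111:KMS key policy; Resource must be "*" (this key)
  #checkov:skip=CKV_AWS_356:KMS key policy; Resource must be "*" (this key)
  statement {
    sid    = "EnableIAMUserPermissions"
    effect = "Allow"
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
    actions   = ["kms:*"]
    resources = ["*"]
  }

  statement {
    sid    = "AllowLogsKMSAccess"
    effect = "Allow"
    principals {
      type        = "Service"
      identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
    }
    actions = [
      "kms:Encrypt*",
      "kms:Decrypt*",
      "kms:ReEncrypt*",
      "kms:GenerateDataKey*",
      "kms:Describe*",
    ]
    resources = ["*"]
    # Limit the grant to log groups in this account and region. This is the
    # confused-deputy mitigation AWS documents for CloudWatch Logs keys.
    condition {
      test     = "ArnLike"
      variable = "kms:EncryptionContext:aws:logs:arn"
      values   = ["arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:*"]
    }
  }
}

resource "aws_kms_key" "app" {
  description         = format("app-my-webapp-%s", var.environment)
  enable_key_rotation = true
  policy              = data.aws_iam_policy_document.app_kms.json
}

resource "aws_kms_alias" "app" {
  name          = format("alias/app-my-webapp-%s", var.environment)
  target_key_id = aws_kms_key.app.key_id
}

# CKV_AWS_337: without key_id a SecureString is encrypted with the AWS-managed
# alias/aws/ssm key, whose policy cannot be edited. With a CMK, decrypt can be
# limited through IAM to the task role that actually reads the parameter.
resource "aws_ssm_parameter" "database_name" {
  name        = format("/app-my-webapp-%s/database-name", var.environment)
  description = "Database name for my-webapp"
  type        = "SecureString"
  value       = var.db_name
  key_id      = aws_kms_key.app.arn
}

# CKV_AWS_65: Container Insights provides the per-task CPU, memory and network
# metrics that capacity alarms and anomaly detections for the service rely on.
resource "aws_ecs_cluster" "app_my_webapp" {
  name = format("app-my-webapp-%s", var.environment)

  setting {
    name  = "containerInsights"
    value = "enabled"
  }

  lifecycle {
    create_before_destroy = true
  }
}
```

Switching the parameters to a customer-managed key means the ECS task role (or whatever reads them) also needs `kms:Decrypt` on `aws_kms_key.app` in its IAM policy; the root statement delegates that decision to IAM but grants nothing by itself.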
Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
FAILED for resource: aws_iam_user.infra_users["alice"]
File: /orgname-id/admin-global/users.tf:49-53
49 | resource "aws_iam_user" "infra_users" {
50 | for_each = toset(local.infra_users)
51 | name = each.value
52 | force_destroy = true
53 | }
Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
FAILED for resource: aws_iam_user.billing_users["charlie"]
File: /orgname-id/admin-global/users.tf:55-59
55 | resource "aws_iam_user" "billing_users" {
56 | for_each = toset(local.billing_users)
57 | name = each.value
58 | force_destroy = true
59 | }
Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
FAILED for resource: aws_iam_user.engineer_users["edward"]
File: /orgname-id/admin-global/users.tf:61-65
61 | resource "aws_iam_user" "engineer_users" {
62 | for_each = toset(local.engineer_users)
63 | name = each.value
64 | force_destroy = true
65 | }
Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
FAILED for resource: aws_iam_user.infra_users["bob"]
File: /orgname-id/admin-global/users.tf:49-53
49 | resource "aws_iam_user" "infra_users" {
50 | for_each = toset(local.infra_users)
51 | name = each.value
52 | force_destroy = true
53 | }
Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
FAILED for resource: aws_iam_user.engineer_users["donna"]
File: /orgname-id/admin-global/users.tf:61-65
61 | resource "aws_iam_user" "engineer_users" {
62 | for_each = toset(local.engineer_users)
63 | name = each.value
64 | force_destroy = true
65 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
FAILED for resource: aws_sns_topic.notify_slack_useast1
File: /orgname-infra/admin-global/slack.tf:142-146
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-15.html
142 | resource "aws_sns_topic" "notify_slack_useast1" {
143 | provider = aws.us-east-1
144 |
145 | name = "notify-slack"
146 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
FAILED for resource: aws_sns_topic.notify_slack_uswest2
File: /orgname-infra/admin-global/slack.tf:148-150
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-15.html
148 | resource "aws_sns_topic" "notify_slack_uswest2" {
149 | name = "notify-slack"
150 | }
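Both CKV_AWS_26 findings are fixed by `kms_master_key_id`, but the key it points at needs more thought than the check suggests. An SNS topic with server-side encryption silently drops a publish from any principal that cannot call `kms:GenerateDataKey` on the key, and the AWS-managed `alias/aws/sns` key grants that to no other AWS service, so the GuardDuty and alarm notifications this topic exists to carry would stop arriving in Slack. The following is an added example, not the repository's code, for the us-east-1 topic; the us-west-2 topic needs its own key in that region because KMS keys are regional. Which services publish to the topic is an assumption here (EventBridge and CloudWatch alarms), as is the key name.

```hcl
# Added example: encrypted notify-slack topic for orgname-infra/admin-global.
# aws_kms_key.sns and the set of publishing services are assumptions.
data "aws_caller_identity" "current" {}

data "aws_iam_policy_document" "sns_kms" {
  #checkov:skip=CKV_AWS_109:KMS key policy; root statement required for key administration
  #checkov:skip=CKV_AWS_111:KMS key policy; Resource must be "*" (this key)
  #checkov:skip=CKV_AWS_356:KMS key policy; Resource must be "*" (this key)
  statement {
    sid    = "EnableIAMUserPermissions"
    effect = "Allow"
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
    actions   = ["kms:*"]
    resources = ["*"]
  }

  # Every service that publishes to the encrypted topic must be able to
  # generate a data key with this CMK; otherwise its messages are rejected
  # and nothing downstream of the topic notices.
  statement {
    sid    = "AllowServicePublishers"
    effect = "Allow"
    principals {
      type        = "Service"
      identifiers = ["events.amazonaws.com", "cloudwatch.amazonaws.com"]
    }
    actions   = ["kms:GenerateDataKey*", "kms:Decrypt"]
    resources = ["*"]
  }
}

resource "aws_kms_key" "sns" {
  provider            = aws.us-east-1
  description         = "notify-slack topic encryption (us-east-1)"
  enable_key_rotation = true
  policy              = data.aws_iam_policy_document.sns_kms.json
}

# CKV_AWS_26: server-side encryption with a customer-managed key.
resource "aws_sns_topic" "notify_slack_useast1" {
  provider          = aws.us-east-1
  name              = "notify-slack"
  kms_master_key_id = aws_kms_key.sns.arn
}
```

After applying, publish a test message through each expected path (an EventBridge rule target and a CloudWatch alarm action) rather than only from the CLI, since the CLI caller's own IAM permissions can mask a missing service grant.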
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy_document.limited_billing_access
File: /orgname-org-root/admin-global/users.tf:73-95
73 | data "aws_iam_policy_document" "limited_billing_access" {
74 | statement {
75 | sid = "AllowAccessToBudgetsAndCostExplorer"
76 | effect = "Allow"
77 | actions = [
78 | "aws-portal:ViewBilling",
79 | "aws-portal:ViewUsage",
80 | "budgets:ViewBudget",
81 | "ce:View*",
82 | "pricing:*"
83 | ]
84 | resources = ["*"]
85 | }
86 | statement {
87 | sid = "DenyAccessToAccountAndPaymentMethod"
88 | effect = "Deny"
89 | actions = [
90 | "aws-portal:*Account",
91 | "aws-portal:*PaymentMethods",
92 | ]
93 | resources = ["*"]
94 | }
95 | }
Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
FAILED for resource: aws_iam_user.admins["alice.org-root"]
File: /orgname-org-root/admin-global/users.tf:15-19
15 | resource "aws_iam_user" "admins" {
16 | for_each = toset(local.admin_users)
17 | name = each.value
18 | force_destroy = true
19 | }
Check: CKV_AWS_274: "Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy"
FAILED for resource: aws_iam_role_policy_attachment.admin_administrator_access
File: /orgname-org-root/admin-global/users.tf:61-64
61 | resource "aws_iam_role_policy_attachment" "admin_administrator_access" {
62 | role = aws_iam_role.admin.name
63 | policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
64 | }
Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
FAILED for resource: aws_iam_user.admins["bob.org-root"]
File: /orgname-org-root/admin-global/users.tf:15-19
15 | resource "aws_iam_user" "admins" {
16 | for_each = toset(local.admin_users)
17 | name = each.value
18 | force_destroy = true
19 | }
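Seven CKV_AWS_273 findings and the CKV_AWS_274 finding above come from IAM users and an admin role defined directly in the two users.tf files. Checkov's guidance for CKV_AWS_273 is to issue human access through IAM Identity Center (formerly AWS SSO) so that nobody holds long-lived access keys. The following is an added example of that shape; it is not the repository's code. It assumes an Identity Center instance already exists in the organization, a group named `admins` in its identity store, and a `var.prod_account_id` input. The `AdministratorAccess` policy is deliberately kept on the permission set to match what the page's admin role grants, so the change shown is from long-lived IAM users to short, group-scoped sessions, not from admin to least privilege; narrowing the permission set is a separate step.

```hcl
# Added example: Identity Center permission set and assignment in place of the
# IAM users in orgname-org-root/admin-global/users.tf. Assumed: an existing
# Identity Center instance, an identity-store group "admins", var.prod_account_id.
data "aws_ssoadmin_instances" "this" {}

locals {
  sso_instance_arn  = tolist(data.aws_ssoadmin_instances.this.arns)[0]
  identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]
}

data "aws_identitystore_group" "admins" {
  identity_store_id = local.identity_store_id

  alternate_identifier {
    unique_attribute {
      attribute_path  = "DisplayName"
      attribute_value = "admins"
    }
  }
}

# CKV_AWS_273: no aws_iam_user. Humans receive a federated role session that
# expires after session_duration, behind the MFA enforced at Identity Center
# sign-in, instead of static access keys that live until someone rotates them.
resource "aws_ssoadmin_permission_set" "admin" {
  name             = "OrgAdmin"
  instance_arn     = local.sso_instance_arn
  session_duration = "PT1H"
}

# Kept equivalent to the page's aws_iam_role_policy_attachment on purpose.
# CKV_AWS_274 will keep flagging this attachment until the managed policy is
# replaced by a scoped aws_ssoadmin_permission_set_inline_policy.
resource "aws_ssoadmin_managed_policy_attachment" "admin" {
  instance_arn       = local.sso_instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.admin.arn
  managed_policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
}

# Membership in the "admins" group, managed in the identity store or the
# upstream IdP, is now the only thing that grants admin in the prod account.
resource "aws_ssoadmin_account_assignment" "admin_prod" {
  instance_arn       = local.sso_instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.admin.arn
  principal_id       = data.aws_identitystore_group.admins.group_id
  principal_type     = "GROUP"
  target_id          = var.prod_account_id
  target_type        = "AWS_ACCOUNT"
}
```

The IAM users on the page can only be removed once every consumer of their access keys (CI jobs, local profiles, the `iam-user-group` and `mfa` modules listed in the download warnings) has been moved to Identity Center profiles or to workload roles; deleting a user with `force_destroy = true` revokes its keys immediately.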
Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances"
FAILED for resource: module.prod_vpc.aws_eip.nat[0]
File: /modules/aws-example-vpc/main.tf:43-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances.html
43 | resource "aws_eip" "nat" {
44 | count = var.single_nat_gateway ? 1 : 2
45 | vpc = true
46 |
47 | lifecycle {
48 | prevent_destroy = true
49 | }
50 | }
Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances"
FAILED for resource: module.sandbox_vpc.aws_eip.nat[0]
File: /modules/aws-example-vpc/main.tf:43-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances.html
43 | resource "aws_eip" "nat" {
44 | count = var.single_nat_gateway ? 1 : 2
45 | vpc = true
46 |
47 | lifecycle {
48 | prevent_destroy = true
49 | }
50 | }
Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances"
FAILED for resource: module.prod_vpc.aws_eip.nat[1]
File: /modules/aws-example-vpc/main.tf:43-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances.html
43 | resource "aws_eip" "nat" {
44 | count = var.single_nat_gateway ? 1 : 2
45 | vpc = true
46 |
47 | lifecycle {
48 | prevent_destroy = true
49 | }
50 | }
Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
FAILED for resource: module.my_webapp_prod.aws_security_group.rds_sg
File: /modules/aws-example-webapp/db.tf:47-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html
47 | resource "aws_security_group" "rds_sg" {
48 | name = format("rds-my-webapp-%s", var.environment)
49 | description = format("my-webapp-%s RDS security group", var.environment)
50 | vpc_id = var.vpc_id
51 | }
Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
FAILED for resource: module.my_webapp_dev.aws_security_group.rds_sg
File: /modules/aws-example-webapp/db.tf:47-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html
47 | resource "aws_security_group" "rds_sg" {
48 | name = format("rds-my-webapp-%s", var.environment)
49 | description = format("my-webapp-%s RDS security group", var.environment)
50 | vpc_id = var.vpc_id
51 | }
Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
FAILED for resource: module.my_webapp_experimental.aws_security_group.rds_sg
File: /modules/aws-example-webapp/db.tf:47-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html
47 | resource "aws_security_group" "rds_sg" {
48 | name = format("rds-my-webapp-%s", var.environment)
49 | description = format("my-webapp-%s RDS security group", var.environment)
50 | vpc_id = var.vpc_id
51 | }
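CKV2_AWS_5 is also a graph check: a security group that nothing references is inert, and an inert group with a permissive rule added later is a latent hole. The `rds_sg` block above has no rules and, in what the scanner evaluated, no attachment. The following is an added example, not code from trussworks/terraform-layout-example; the application-tier security group, subnet group and variables are assumed. It shows both halves of the fix: the attachment that satisfies the check, and an ingress rule scoped to the application tier's security group rather than a CIDR range.

```hcl
# Added example (not from the repository). `environment` and `vpc_id` mirror
# the variables in db.tf; the remaining inputs are assumed.

variable "environment" {
  type = string
}

variable "vpc_id" {
  type = string
}

variable "app_security_group_id" {
  description = "Security group of the only tier allowed to reach the database."
  type        = string
}

variable "db_subnet_group_name" {
  description = "RDS subnet group spanning the private subnets."
  type        = string
}

resource "aws_security_group" "rds_sg" {
  name        = format("rds-my-webapp-%s", var.environment)
  description = format("my-webapp-%s RDS security group", var.environment)
  vpc_id      = var.vpc_id
}

# Least privilege: only members of the application security group may open
# TCP/5432. Referencing a group instead of a CIDR means the rule follows the
# app instances wherever they are scheduled and grants nothing to the rest
# of the VPC.
resource "aws_security_group_rule" "rds_ingress_from_app" {
  type                     = "ingress"
  security_group_id        = aws_security_group.rds_sg.id
  from_port                = 5432
  to_port                  = 5432
  protocol                 = "tcp"
  source_security_group_id = var.app_security_group_id
  description              = "PostgreSQL from my-webapp application tier"
}

# The attachment CKV2_AWS_5 is looking for. The master password is generated
# and rotated in Secrets Manager so it never lands in variables or state.
resource "aws_db_instance" "my_webapp" {
  identifier                  = format("my-webapp-%s", var.environment)
  engine                      = "postgres"
  instance_class              = "db.t4g.micro"
  allocated_storage           = 20
  db_name                     = "mywebapp"
  username                    = "mywebapp"
  manage_master_user_password = true
  db_subnet_group_name        = var.db_subnet_group_name
  vpc_security_group_ids      = [aws_security_group.rds_sg.id]
  publicly_accessible         = false
  storage_encrypted           = true
  deletion_protection         = true
  skip_final_snapshot         = false
  final_snapshot_identifier   = format("my-webapp-%s-final", var.environment)
}
```

If the database instance is created by an external module that consumes `aws_security_group.rds_sg.id`, the group is attached in reality but invisible to a scan that did not download that module; run checkov with `--download-external-modules true` before deciding whether this is a real finding.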
Check: CKV2_AWS_3: "Ensure GuardDuty is enabled to specific org/region"
FAILED for resource: aws_guardduty_detector.member
File: /orgname-prod/admin-global/main.tf:42-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-guardduty-is-enabled-to-specific-orgregion.html
42 | resource "aws_guardduty_detector" "member" {
43 | enable = true
44 | }
Check: CKV2_AWS_3: "Ensure GuardDuty is enabled to specific org/region"
FAILED for resource: aws_guardduty_detector.member
File: /orgname-sandbox/admin-global/main.tf:42-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-guardduty-is-enabled-to-specific-orgregion.html
42 | resource "aws_guardduty_detector" "member" {
43 | enable = true
44 | }
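A detector with `enable = true` turns GuardDuty on for one account in one region. CKV2_AWS_3 looks beyond the detector for organization-wide enablement, which a standalone detector cannot show, so both `member` detectors above fail. The usual fix is to delegate GuardDuty administration to a security account and auto-enable every member from there. The following is an added example, not code from trussworks/terraform-layout-example; the provider aliases, account ID variable and which account is the delegated administrator are assumed.

```hcl
# Added example (not from the repository). The three provider aliases are
# assumed to carry credentials for the respective accounts; GuardDuty is
# regional, so this is repeated per region you operate in.

provider "aws" {
  alias  = "management" # organization management account
  region = "us-west-2"
}

provider "aws" {
  alias  = "security" # delegated GuardDuty administrator account
  region = "us-west-2"
}

provider "aws" {
  alias  = "member" # any other member account
  region = "us-west-2"
}

variable "security_account_id" {
  description = "Account to delegate GuardDuty administration to."
  type        = string
}

# Management account: it needs its own detector, then delegates. Requires
# guardduty.amazonaws.com in the organization's aws_service_access_principals.
resource "aws_guardduty_detector" "management" {
  provider = aws.management
  enable   = true
}

resource "aws_guardduty_organization_admin_account" "security" {
  provider         = aws.management
  depends_on       = [aws_guardduty_detector.management]
  admin_account_id = var.security_account_id
}

# Delegated administrator: one detector, plus organization-wide
# auto-enablement so current and future members are covered without
# per-account invites. This is the configuration CKV2_AWS_3 is looking for.
resource "aws_guardduty_detector" "admin" {
  provider = aws.security
  enable   = true
}

resource "aws_guardduty_organization_configuration" "org" {
  provider   = aws.security
  depends_on = [aws_guardduty_organization_admin_account.security]

  auto_enable_organization_members = "ALL"
  detector_id                      = aws_guardduty_detector.admin.id
}

# Member account: the detector is created and enabled by the organization
# configuration. Only one detector is allowed per account and region, so if
# a resource is still declared here (as in admin-global/main.tf) import the
# existing detector instead of creating a second one, and suppress the
# finding with a reason: the org-level proof lives in another account's state.
resource "aws_guardduty_detector" "member" {
  #checkov:skip=CKV2_AWS_3:Organization-wide enablement is configured in the delegated administrator account
  provider = aws.member
  enable   = true
}
```

Keep the delegated-administrator state in the security account's own root module; splitting the detector and the organization configuration across states is exactly the situation in which a per-account scan cannot see the relationship, and the skip comment above is the honest record of that.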
Check: CKV2_AWS_39: "Ensure Domain Name System (DNS) query logging is enabled for Amazon Route 53 hosted zones"
FAILED for resource: aws_route53_zone.example_com
File: /orgname-infra/admin-global/dns.tf:6-8
6 | resource "aws_route53_zone" "example_com" {
7 | name = "example.com."
8 | }
Check: CKV2_AWS_39: "Ensure Domain Name System (DNS) query logging is enabled for Amazon Route 53 hosted zones"
FAILED for resource: aws_route53_zone.prod_example_com
File: /orgname-prod/admin-global/dns.tf:4-6
4 | resource "aws_route53_zone" "prod_example_com" {
5 | name = "prod.example.com."
6 | }
Check: CKV2_AWS_39: "Ensure Domain Name System (DNS) query logging is enabled for Amazon Route 53 hosted zones"
FAILED for resource: aws_route53_zone.sandbox_example_com
File: /orgname-sandbox/admin-global/dns.tf:4-6
4 | resource "aws_route53_zone" "sandbox_example_com" {
5 | name = "sandbox.example.com."
6 | }
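Route 53 query logs are the record of what names were resolved through a zone you own, which is what you need for hunting DNS tunnelling and for reconstructing a phishing or takeover incident after the fact. Route 53 is a global service, and its query logs can only be delivered to CloudWatch Logs in us-east-1, whatever region the rest of the stack uses, which is the step most often missed. The following is an added example, not code from trussworks/terraform-layout-example; the provider alias, log group name and retention period are assumed. It covers the `example.com` zone; the `prod` and `sandbox` zones take the same `aws_route53_query_log` resource and can share the log resource policy.

```hcl
# Added example (not from the repository). Provider alias and retention are
# assumed; the zone mirrors orgname-infra/admin-global/dns.tf.

provider "aws" {
  alias  = "us_east_1"
  region = "us-east-1"
}

data "aws_caller_identity" "current" {}

resource "aws_route53_zone" "example_com" {
  name = "example.com."
}

# Destination must be in us-east-1 for Route 53 query logging.
resource "aws_cloudwatch_log_group" "route53_example_com" {
  provider          = aws.us_east_1
  name              = "/aws/route53/${aws_route53_zone.example_com.name}"
  retention_in_days = 365
}

# CloudWatch Logs resource policy (not an IAM role) letting the Route 53
# service principal write to any /aws/route53/* group in this account. There
# is a low per-region limit on these policies, so one policy serves all zones.
data "aws_iam_policy_document" "route53_query_logging" {
  statement {
    sid     = "Route53QueryLogging"
    actions = ["logs:CreateLogStream", "logs:PutLogEvents"]
    resources = [
      "arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:log-group:/aws/route53/*",
    ]

    principals {
      type        = "Service"
      identifiers = ["route53.amazonaws.com"]
    }
  }
}

resource "aws_cloudwatch_log_resource_policy" "route53_query_logging" {
  provider        = aws.us_east_1
  policy_name     = "route53-query-logging"
  policy_document = data.aws_iam_policy_document.route53_query_logging.json
}

# The association CKV2_AWS_39 is looking for. depends_on makes sure the
# resource policy exists first, otherwise creation fails with an access error.
resource "aws_route53_query_log" "example_com" {
  depends_on               = [aws_cloudwatch_log_resource_policy.route53_query_logging]
  cloudwatch_log_group_arn = aws_cloudwatch_log_group.route53_example_com.arn
  zone_id                  = aws_route53_zone.example_com.zone_id
}
```

Query logging is only available for public hosted zones; for private zones the equivalent is Route 53 Resolver query logging, which is a different resource and not what this check inspects. If the zones in this repository are logged through an external module, the scan cannot see the `aws_route53_query_log` resources unless that module is downloaded, and the finding should be re-checked with `--download-external-modules true`.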
Check: CKV2_AWS_38: "Ensure Domain Name System Security Extensions (DNSSEC) signing is enabled for Amazon Route 53 public hosted zones"
FAILED for resource: aws_route53_zone.example_com
File: /orgname-infra/admin-global/dns.tf:6-8
6 | resource "aws_route53_zone" "example_com" {
7 | name = "example.com."
8 | }
Check: CKV2_AWS_38: "Ensure Domain Name System Security Extensions (DNSSEC) signing is enabled for Amazon Route 53 public hosted zones"
FAILED for resource: aws_route53_zone.prod_example_com
File: /orgname-prod/admin-global/dns.tf:4-6
4 | resource "aws_route53_zone" "prod_example_com" {
5 | name = "prod.example.com."
6 | }
Check: CKV2_AWS_38: "Ensure Domain Name System Security Extensions (DNSSEC) signing is enabled for Amazon Route 53 public hosted zones"
FAILED for resource: aws_route53_zone.sandbox_example_com
File: /orgname-sandbox/admin-global/dns.tf:4-6
4 | resource "aws_route53_zone" "sandbox_example_com" {
5 | name = "sandbox.example.com."
6 | }
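DNSSEC signing lets resolvers detect forged answers for these zones, which blunts cache poisoning and some redirection attacks against `example.com` and its children. It has hard prerequisites: the key-signing key must be an asymmetric `ECC_NIST_P256` KMS key in us-east-1, the key policy must let the `dnssec-route53.amazonaws.com` service principal sign with it, and signing is inert until the parent publishes a DS record. The following is an added example, not code from trussworks/terraform-layout-example; the provider alias and key names are assumed. It signs `example.com`; `prod.example.com` and `sandbox.example.com` repeat the same three resources with their own KSK.

```hcl
# Added example (not from the repository). Provider alias and KSK name are
# assumed; the zone mirrors orgname-infra/admin-global/dns.tf.

provider "aws" {
  alias  = "us_east_1"
  region = "us-east-1"
}

data "aws_caller_identity" "current" {}

resource "aws_route53_zone" "example_com" {
  name = "example.com."
}

# The KSK: an asymmetric signing key in us-east-1. Never delete or disable it
# while the zone is signed; resolvers would start failing validation.
resource "aws_kms_key" "dnssec_example_com" {
  provider                 = aws.us_east_1
  description              = "Route 53 DNSSEC KSK for example.com"
  customer_master_key_spec = "ECC_NIST_P256"
  key_usage                = "SIGN_VERIFY"
  deletion_window_in_days  = 30

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "EnableIAMUserPermissions"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
        Action    = "kms:*"
        Resource  = "*"
      },
      {
        # Conditions pin the service principal to hosted zones in this account,
        # so a zone in another account cannot sign with our key.
        Sid       = "AllowRoute53DNSSECService"
        Effect    = "Allow"
        Principal = { Service = "dnssec-route53.amazonaws.com" }
        Action    = ["kms:DescribeKey", "kms:GetPublicKey", "kms:Sign"]
        Resource  = "*"
        Condition = {
          StringEquals = { "aws:SourceAccount" = data.aws_caller_identity.current.account_id }
          ArnLike      = { "aws:SourceArn" = "arn:aws:route53:::hostedzone/*" }
        }
      },
      {
        Sid       = "AllowRoute53DNSSECServiceToCreateGrant"
        Effect    = "Allow"
        Principal = { Service = "dnssec-route53.amazonaws.com" }
        Action    = "kms:CreateGrant"
        Resource  = "*"
        Condition = { Bool = { "kms:GrantIsForAWSResource" = "true" } }
      },
    ]
  })
}

resource "aws_route53_key_signing_key" "example_com" {
  hosted_zone_id             = aws_route53_zone.example_com.id
  key_management_service_arn = aws_kms_key.dnssec_example_com.arn
  name                       = "example_com_ksk"
}

# Turns on signing for the zone; this is what CKV2_AWS_38 checks for.
resource "aws_route53_hosted_zone_dnssec" "example_com" {
  depends_on     = [aws_route53_key_signing_key.example_com]
  hosted_zone_id = aws_route53_key_signing_key.example_com.hosted_zone_id
}

# Chain of trust: publish this DS record at the parent. For example.com that
# is the registrar, out of band. For prod.example.com and sandbox.example.com
# it is a DS record added to the example.com zone alongside the NS delegation.
output "example_com_ds_record" {
  value = aws_route53_key_signing_key.example_com.ds_record
}
```

Order of operations matters in both directions. Enable signing and wait for the zone's DNSSEC status to report signed before publishing the DS record, and when decommissioning, remove the DS record from the parent and wait out its TTL before disabling signing or deactivating the KSK; doing it the other way round takes the domain offline for every validating resolver.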
github_actions scan results:
Passed checks: 7, Failed checks: 1, Skipped checks: 0
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(validate)
File: /.github/workflows/validate.yml:0-1
Linting
This repository failed the Experience Builder Terraform Module's Linting validation. This means that a linting tool was not found to be implemented in any of the CICD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform linting tools