
ELM-1430 give test access to civica and g4s servers #4737

Closed
wants to merge 5 commits into from

Conversation

pricemg
Contributor

@pricemg pricemg commented Jan 29, 2024

added test access for civica and g4s

@pricemg pricemg requested review from a team as code owners January 29, 2024 22:08
@github-actions github-actions bot added the environments-repository label (used to exclude PRs from this repo in our Slack PR update) Jan 29, 2024
@modernisation-platform-ci
Contributor

@pricemg Terraform plan evaluation detected changes to resources that require approval from a member of @ministryofjustice/modernisation-platform

Contributor

#### `TFSEC Scan` Failed
<details><summary>Show Output</summary>

```hcl

TFSEC will check the following folders:
terraform/environments/electronic-monitoring-data


Running TFSEC in terraform/environments/electronic-monitoring-data
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available
for the time being, although our engineering
attention will be directed at Trivy going forward.

You can read more here:
aquasecurity/tfsec#1994

Result #1 HIGH No public access block so not blocking public acls
────────────────────────────────────────────────────────────────────────────────
s3.tf:160-162
────────────────────────────────────────────────────────────────────────────────
160 resource "aws_s3_bucket" "g4s_landing_bucket" {
161 bucket = "g4s-${random_string.g4s.result}"
162 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-block-public-acls
Impact PUT calls with public ACLs specified can make objects public
Resolution Enable blocking any PUT calls with a public ACL specified

More Information

Result #2 HIGH No public access block so not blocking public policies
────────────────────────────────────────────────────────────────────────────────
s3.tf:160-162
────────────────────────────────────────────────────────────────────────────────
160 resource "aws_s3_bucket" "g4s_landing_bucket" {
161 bucket = "g4s-${random_string.g4s.result}"
162 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-block-public-policy
Impact Users could put a policy that allows public access
Resolution Prevent policies that allow public access being PUT

More Information

Result #3 HIGH Bucket does not have encryption enabled
────────────────────────────────────────────────────────────────────────────────
s3.tf:160-162
────────────────────────────────────────────────────────────────────────────────
160 resource "aws_s3_bucket" "g4s_landing_bucket" {
161 bucket = "g4s-${random_string.g4s.result}"
162 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-enable-bucket-encryption
Impact The bucket objects could be read if compromised
Resolution Configure bucket encryption

More Information

Result #4 HIGH No public access block so not ignoring public acls
────────────────────────────────────────────────────────────────────────────────
s3.tf:160-162
────────────────────────────────────────────────────────────────────────────────
160 resource "aws_s3_bucket" "g4s_landing_bucket" {
161 bucket = "g4s-${random_string.g4s.result}"
162 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-ignore-public-acls
Impact PUT calls with public ACLs specified can make objects public
Resolution Enable ignoring the application of public ACLs in PUT calls

More Information

Result #5 HIGH No public access block so not restricting public buckets
────────────────────────────────────────────────────────────────────────────────
s3.tf:160-162
────────────────────────────────────────────────────────────────────────────────
160 resource "aws_s3_bucket" "g4s_landing_bucket" {
161 bucket = "g4s-${random_string.g4s.result}"
162 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-no-public-buckets
Impact Public buckets can be accessed by anyone
Resolution Limit the access to public buckets to only the owner or AWS Services (eg; CloudFront)

More Information

Result #6 HIGH Bucket does not encrypt data with a customer managed key.
────────────────────────────────────────────────────────────────────────────────
s3.tf:160-162
────────────────────────────────────────────────────────────────────────────────
160 resource "aws_s3_bucket" "g4s_landing_bucket" {
161 bucket = "g4s-${random_string.g4s.result}"
162 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-encryption-customer-key
Impact Using AWS managed keys does not allow for fine grained control
Resolution Enable encryption using customer managed keys

More Information

Result #7 HIGH No public access block so not blocking public acls
────────────────────────────────────────────────────────────────────────────────
s3.tf:214-216
────────────────────────────────────────────────────────────────────────────────
214 resource "aws_s3_bucket" "data_store_bucket" {
215 bucket_prefix = "em-data-store-"
216 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-block-public-acls
Impact PUT calls with public ACLs specified can make objects public
Resolution Enable blocking any PUT calls with a public ACL specified

More Information

Result #8 HIGH No public access block so not blocking public policies
────────────────────────────────────────────────────────────────────────────────
s3.tf:214-216
────────────────────────────────────────────────────────────────────────────────
214 resource "aws_s3_bucket" "data_store_bucket" {
215 bucket_prefix = "em-data-store-"
216 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-block-public-policy
Impact Users could put a policy that allows public access
Resolution Prevent policies that allow public access being PUT

More Information

Result #9 HIGH Bucket does not have encryption enabled
────────────────────────────────────────────────────────────────────────────────
s3.tf:214-216
────────────────────────────────────────────────────────────────────────────────
214 resource "aws_s3_bucket" "data_store_bucket" {
215 bucket_prefix = "em-data-store-"
216 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-enable-bucket-encryption
Impact The bucket objects could be read if compromised
Resolution Configure bucket encryption

More Information

Result #10 HIGH No public access block so not ignoring public acls
────────────────────────────────────────────────────────────────────────────────
s3.tf:214-216
────────────────────────────────────────────────────────────────────────────────
214 resource "aws_s3_bucket" "data_store_bucket" {
215 bucket_prefix = "em-data-store-"
216 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-ignore-public-acls
Impact PUT calls with public ACLs specified can make objects public
Resolution Enable ignoring the application of public ACLs in PUT calls

More Information

Result #11 HIGH No public access block so not restricting public buckets
────────────────────────────────────────────────────────────────────────────────
s3.tf:214-216
────────────────────────────────────────────────────────────────────────────────
214 resource "aws_s3_bucket" "data_store_bucket" {
215 bucket_prefix = "em-data-store-"
216 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-no-public-buckets
Impact Public buckets can be accessed by anyone
Resolution Limit the access to public buckets to only the owner or AWS Services (eg; CloudFront)

More Information

Result #12 HIGH Bucket does not encrypt data with a customer managed key.
────────────────────────────────────────────────────────────────────────────────
s3.tf:214-216
────────────────────────────────────────────────────────────────────────────────
214 resource "aws_s3_bucket" "data_store_bucket" {
215 bucket_prefix = "em-data-store-"
216 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-encryption-customer-key
Impact Using AWS managed keys does not allow for fine grained control
Resolution Enable encryption using customer managed keys

More Information

Result #13 HIGH No public access block so not blocking public acls
────────────────────────────────────────────────────────────────────────────────
s3.tf:30-32
────────────────────────────────────────────────────────────────────────────────
30 resource "aws_s3_bucket" "capita_landing_bucket" {
31 bucket = "capita-${random_string.capita.result}"
32 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-block-public-acls
Impact PUT calls with public ACLs specified can make objects public
Resolution Enable blocking any PUT calls with a public ACL specified

More Information

Result #14 HIGH No public access block so not blocking public policies
────────────────────────────────────────────────────────────────────────────────
s3.tf:30-32
────────────────────────────────────────────────────────────────────────────────
30 resource "aws_s3_bucket" "capita_landing_bucket" {
31 bucket = "capita-${random_string.capita.result}"
32 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-block-public-policy
Impact Users could put a policy that allows public access
Resolution Prevent policies that allow public access being PUT

More Information

Result #15 HIGH Bucket does not have encryption enabled
────────────────────────────────────────────────────────────────────────────────
s3.tf:30-32
────────────────────────────────────────────────────────────────────────────────
30 resource "aws_s3_bucket" "capita_landing_bucket" {
31 bucket = "capita-${random_string.capita.result}"
32 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-enable-bucket-encryption
Impact The bucket objects could be read if compromised
Resolution Configure bucket encryption

More Information

Result #16 HIGH No public access block so not ignoring public acls
────────────────────────────────────────────────────────────────────────────────
s3.tf:30-32
────────────────────────────────────────────────────────────────────────────────
30 resource "aws_s3_bucket" "capita_landing_bucket" {
31 bucket = "capita-${random_string.capita.result}"
32 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-ignore-public-acls
Impact PUT calls with public ACLs specified can make objects public
Resolution Enable ignoring the application of public ACLs in PUT calls

More Information

Result #17 HIGH No public access block so not restricting public buckets
────────────────────────────────────────────────────────────────────────────────
s3.tf:30-32
────────────────────────────────────────────────────────────────────────────────
30 resource "aws_s3_bucket" "capita_landing_bucket" {
31 bucket = "capita-${random_string.capita.result}"
32 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-no-public-buckets
Impact Public buckets can be accessed by anyone
Resolution Limit the access to public buckets to only the owner or AWS Services (eg; CloudFront)

More Information

Result #18 HIGH Bucket does not encrypt data with a customer managed key.
────────────────────────────────────────────────────────────────────────────────
s3.tf:30-32
────────────────────────────────────────────────────────────────────────────────
30 resource "aws_s3_bucket" "capita_landing_bucket" {
31 bucket = "capita-${random_string.capita.result}"
32 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-encryption-customer-key
Impact Using AWS managed keys does not allow for fine grained control
Resolution Enable encryption using customer managed keys

More Information

Result #19 HIGH No public access block so not blocking public acls
────────────────────────────────────────────────────────────────────────────────
s3.tf:5-8
────────────────────────────────────────────────────────────────────────────────
5 resource "aws_s3_bucket" "log_bucket" {
6 bucket_prefix = "em-data-store-logs-"
7 force_destroy = true
8 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-block-public-acls
Impact PUT calls with public ACLs specified can make objects public
Resolution Enable blocking any PUT calls with a public ACL specified

More Information

Result #20 HIGH No public access block so not blocking public policies
────────────────────────────────────────────────────────────────────────────────
s3.tf:5-8
────────────────────────────────────────────────────────────────────────────────
5 resource "aws_s3_bucket" "log_bucket" {
6 bucket_prefix = "em-data-store-logs-"
7 force_destroy = true
8 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-block-public-policy
Impact Users could put a policy that allows public access
Resolution Prevent policies that allow public access being PUT

More Information

Result #21 HIGH Bucket does not have encryption enabled
────────────────────────────────────────────────────────────────────────────────
s3.tf:5-8
────────────────────────────────────────────────────────────────────────────────
5 resource "aws_s3_bucket" "log_bucket" {
6 bucket_prefix = "em-data-store-logs-"
7 force_destroy = true
8 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-enable-bucket-encryption
Impact The bucket objects could be read if compromised
Resolution Configure bucket encryption

More Information

Result #22 HIGH No public access block so not ignoring public acls
────────────────────────────────────────────────────────────────────────────────
s3.tf:5-8
────────────────────────────────────────────────────────────────────────────────
5 resource "aws_s3_bucket" "log_bucket" {
6 bucket_prefix = "em-data-store-logs-"
7 force_destroy = true
8 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-ignore-public-acls
Impact PUT calls with public ACLs specified can make objects public
Resolution Enable ignoring the application of public ACLs in PUT calls

More Information

Result #23 HIGH No public access block so not restricting public buckets
────────────────────────────────────────────────────────────────────────────────
s3.tf:5-8
────────────────────────────────────────────────────────────────────────────────
5 resource "aws_s3_bucket" "log_bucket" {
6 bucket_prefix = "em-data-store-logs-"
7 force_destroy = true
8 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-no-public-buckets
Impact Public buckets can be accessed by anyone
Resolution Limit the access to public buckets to only the owner or AWS Services (eg; CloudFront)

More Information

Result #24 HIGH Bucket does not encrypt data with a customer managed key.
────────────────────────────────────────────────────────────────────────────────
s3.tf:5-8
────────────────────────────────────────────────────────────────────────────────
5 resource "aws_s3_bucket" "log_bucket" {
6 bucket_prefix = "em-data-store-logs-"
7 force_destroy = true
8 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-encryption-customer-key
Impact Using AWS managed keys does not allow for fine grained control
Resolution Enable encryption using customer managed keys

More Information

Result #25 HIGH No public access block so not blocking public acls
────────────────────────────────────────────────────────────────────────────────
s3.tf:95-97
────────────────────────────────────────────────────────────────────────────────
95 resource "aws_s3_bucket" "civica_landing_bucket" {
96 bucket = "civica-${random_string.civica.result}"
97 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-block-public-acls
Impact PUT calls with public ACLs specified can make objects public
Resolution Enable blocking any PUT calls with a public ACL specified

More Information

Result #26 HIGH No public access block so not blocking public policies
────────────────────────────────────────────────────────────────────────────────
s3.tf:95-97
────────────────────────────────────────────────────────────────────────────────
95 resource "aws_s3_bucket" "civica_landing_bucket" {
96 bucket = "civica-${random_string.civica.result}"
97 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-block-public-policy
Impact Users could put a policy that allows public access
Resolution Prevent policies that allow public access being PUT

More Information

Result #27 HIGH Bucket does not have encryption enabled
────────────────────────────────────────────────────────────────────────────────
s3.tf:95-97
────────────────────────────────────────────────────────────────────────────────
95 resource "aws_s3_bucket" "civica_landing_bucket" {
96 bucket = "civica-${random_string.civica.result}"
97 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-enable-bucket-encryption
Impact The bucket objects could be read if compromised
Resolution Configure bucket encryption

More Information

Result #28 HIGH No public access block so not ignoring public acls
────────────────────────────────────────────────────────────────────────────────
s3.tf:95-97
────────────────────────────────────────────────────────────────────────────────
95 resource "aws_s3_bucket" "civica_landing_bucket" {
96 bucket = "civica-${random_string.civica.result}"
97 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-ignore-public-acls
Impact PUT calls with public ACLs specified can make objects public
Resolution Enable ignoring the application of public ACLs in PUT calls

More Information

Result #29 HIGH No public access block so not restricting public buckets
────────────────────────────────────────────────────────────────────────────────
s3.tf:95-97
────────────────────────────────────────────────────────────────────────────────
95 resource "aws_s3_bucket" "civica_landing_bucket" {
96 bucket = "civica-${random_string.civica.result}"
97 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-no-public-buckets
Impact Public buckets can be accessed by anyone
Resolution Limit the access to public buckets to only the owner or AWS Services (eg; CloudFront)

More Information

Result #30 HIGH Bucket does not encrypt data with a customer managed key.
────────────────────────────────────────────────────────────────────────────────
s3.tf:95-97
────────────────────────────────────────────────────────────────────────────────
95 resource "aws_s3_bucket" "civica_landing_bucket" {
96 bucket = "civica-${random_string.civica.result}"
97 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-encryption-customer-key
Impact Using AWS managed keys does not allow for fine grained control
Resolution Enable encryption using customer managed keys

More Information

Result #31 MEDIUM Bucket does not have versioning enabled
────────────────────────────────────────────────────────────────────────────────
s3.tf:128
────────────────────────────────────────────────────────────────────────────────
125 resource "aws_s3_bucket_versioning" "civica" {
126 bucket = aws_s3_bucket.civica_landing_bucket.id
127 versioning_configuration {
128 [ status = "Disabled"
129 }
130 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-enable-versioning
Impact Deleted or modified data would not be recoverable
Resolution Enable versioning to protect against accidental/malicious removal or modification

More Information

Result #32 MEDIUM Bucket does not have versioning enabled
────────────────────────────────────────────────────────────────────────────────
s3.tf:193
────────────────────────────────────────────────────────────────────────────────
190 resource "aws_s3_bucket_versioning" "g4s" {
191 bucket = aws_s3_bucket.g4s_landing_bucket.id
192 versioning_configuration {
193 [ status = "Disabled"
194 }
195 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-enable-versioning
Impact Deleted or modified data would not be recoverable
Resolution Enable versioning to protect against accidental/malicious removal or modification

More Information

Result #33 MEDIUM Bucket does not have logging enabled
────────────────────────────────────────────────────────────────────────────────
s3.tf:214-216
────────────────────────────────────────────────────────────────────────────────
214 resource "aws_s3_bucket" "data_store_bucket" {
215 bucket_prefix = "em-data-store-"
216 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-enable-bucket-logging
Impact There is no way to determine the access to this bucket
Resolution Add a logging block to the resource to enable access logging

More Information

Result #34 MEDIUM Bucket does not have logging enabled
────────────────────────────────────────────────────────────────────────────────
s3.tf:5-8
────────────────────────────────────────────────────────────────────────────────
5 resource "aws_s3_bucket" "log_bucket" {
6 bucket_prefix = "em-data-store-logs-"
7 force_destroy = true
8 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-enable-bucket-logging
Impact There is no way to determine the access to this bucket
Resolution Add a logging block to the resource to enable access logging

More Information

Result #35 MEDIUM Bucket does not have versioning enabled
────────────────────────────────────────────────────────────────────────────────
s3.tf:5-8
────────────────────────────────────────────────────────────────────────────────
5 resource "aws_s3_bucket" "log_bucket" {
6 bucket_prefix = "em-data-store-logs-"
7 force_destroy = true
8 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-enable-versioning
Impact Deleted or modified data would not be recoverable
Resolution Enable versioning to protect against accidental/malicious removal or modification

More Information

Result #36 MEDIUM Bucket does not have versioning enabled
────────────────────────────────────────────────────────────────────────────────
s3.tf:63
────────────────────────────────────────────────────────────────────────────────
60 resource "aws_s3_bucket_versioning" "capita" {
61 bucket = aws_s3_bucket.capita_landing_bucket.id
62 versioning_configuration {
63 [ status = "Disabled"
64 }
65 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-enable-versioning
Impact Deleted or modified data would not be recoverable
Resolution Enable versioning to protect against accidental/malicious removal or modification

More Information

Result #37 LOW Bucket does not have a corresponding public access block.
────────────────────────────────────────────────────────────────────────────────
s3.tf:160-162
────────────────────────────────────────────────────────────────────────────────
160 resource "aws_s3_bucket" "g4s_landing_bucket" {
161 bucket = "g4s-${random_string.g4s.result}"
162 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-specify-public-access-block
Impact Public access policies may be applied to sensitive data buckets
Resolution Define a aws_s3_bucket_public_access_block for the given bucket to control public access policies

More Information

Result #38 LOW Bucket does not have a corresponding public access block.
────────────────────────────────────────────────────────────────────────────────
s3.tf:214-216
────────────────────────────────────────────────────────────────────────────────
214 resource "aws_s3_bucket" "data_store_bucket" {
215 bucket_prefix = "em-data-store-"
216 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-specify-public-access-block
Impact Public access policies may be applied to sensitive data buckets
Resolution Define a aws_s3_bucket_public_access_block for the given bucket to control public access policies

More Information

Result #39 LOW Bucket does not have a corresponding public access block.
────────────────────────────────────────────────────────────────────────────────
s3.tf:30-32
────────────────────────────────────────────────────────────────────────────────
30 resource "aws_s3_bucket" "capita_landing_bucket" {
31 bucket = "capita-${random_string.capita.result}"
32 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-specify-public-access-block
Impact Public access policies may be applied to sensitive data buckets
Resolution Define a aws_s3_bucket_public_access_block for the given bucket to control public access policies

More Information

Result #40 LOW Bucket does not have a corresponding public access block.
────────────────────────────────────────────────────────────────────────────────
s3.tf:5-8
────────────────────────────────────────────────────────────────────────────────
5 resource "aws_s3_bucket" "log_bucket" {
6 bucket_prefix = "em-data-store-logs-"
7 force_destroy = true
8 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-specify-public-access-block
Impact Public access policies may be applied to sensitive data buckets
Resolution Define a aws_s3_bucket_public_access_block for the given bucket to control public access policies

More Information

Result #41 LOW Bucket does not have a corresponding public access block.
────────────────────────────────────────────────────────────────────────────────
s3.tf:95-97
────────────────────────────────────────────────────────────────────────────────
95 resource "aws_s3_bucket" "civica_landing_bucket" {
96 bucket = "civica-${random_string.civica.result}"
97 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-specify-public-access-block
Impact Public access policies may be applied to sensitive data buckets
Resolution Define a aws_s3_bucket_public_access_block for the given bucket to control public access policies

More Information

Result #42 LOW Log group is not encrypted.
────────────────────────────────────────────────────────────────────────────────
transfer_server_capita.tf:57-59
────────────────────────────────────────────────────────────────────────────────
57 resource "aws_cloudwatch_log_group" "capita" {
58 name_prefix = "transfer_capita_"
59 }
────────────────────────────────────────────────────────────────────────────────
ID aws-cloudwatch-log-group-customer-key
Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
Resolution Enable CMK encryption of CloudWatch Log Groups

More Information

Result #43 LOW Log group is not encrypted.
────────────────────────────────────────────────────────────────────────────────
transfer_server_civica.tf:57-59
────────────────────────────────────────────────────────────────────────────────
57 resource "aws_cloudwatch_log_group" "civica" {
58 name_prefix = "transfer_civica_"
59 }
────────────────────────────────────────────────────────────────────────────────
ID aws-cloudwatch-log-group-customer-key
Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
Resolution Enable CMK encryption of CloudWatch Log Groups

More Information

Result #44 LOW Log group is not encrypted.
────────────────────────────────────────────────────────────────────────────────
transfer_server_g4s.tf:57-59
────────────────────────────────────────────────────────────────────────────────
57 resource "aws_cloudwatch_log_group" "g4s" {
58 name_prefix = "transfer_g4s_"
59 }
────────────────────────────────────────────────────────────────────────────────
ID aws-cloudwatch-log-group-customer-key
Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
Resolution Enable CMK encryption of CloudWatch Log Groups

More Information

timings
──────────────────────────────────────────
disk i/o 335.297µs
parsing 11.853612ms
adaptation 2.025945ms
checks 4.256069ms
total 18.470923ms

counts
──────────────────────────────────────────
modules downloaded 0
modules processed 1
blocks processed 118
files read 18

results
──────────────────────────────────────────
passed 73
ignored 0
critical 0
high 30
medium 6
low 8

73 passed, 44 potential problem(s) detected.

tfsec_exitcode=1

```

</details>

#### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running Checkov in terraform/environments/electronic-monitoring-data
terraform scan results:

Passed checks: 250, Failed checks: 45, Skipped checks: 0

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_vpc_security_group_ingress_rule.capita_ip_1
	File: /server_access_capita.tf:67-74
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		67 | resource "aws_vpc_security_group_ingress_rule" "capita_ip_1" {
		68 |   security_group_id = aws_security_group.capita.id
		69 | 
		70 |   cidr_ipv4   = "82.203.33.112/28"
		71 |   ip_protocol = "tcp"
		72 |   from_port   = 2222
		73 |   to_port     = 2222
		74 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_vpc_security_group_ingress_rule.capita_ip_2
	File: /server_access_capita.tf:76-83
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		76 | resource "aws_vpc_security_group_ingress_rule" "capita_ip_2" {
		77 |   security_group_id = aws_security_group.capita.id
		78 | 
		79 |   cidr_ipv4   = "82.203.33.128/28"
		80 |   ip_protocol = "tcp"
		81 |   from_port   = 2222
		82 |   to_port     = 2222
		83 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_vpc_security_group_ingress_rule.capita_ip_3
	File: /server_access_capita.tf:85-92
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		85 | resource "aws_vpc_security_group_ingress_rule" "capita_ip_3" {
		86 |   security_group_id = aws_security_group.capita.id
		87 | 
		88 |   cidr_ipv4   = "85.115.52.0/24"
		89 |   ip_protocol = "tcp"
		90 |   from_port   = 2222
		91 |   to_port     = 2222
		92 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_vpc_security_group_ingress_rule.capita_ip_4
	File: /server_access_capita.tf:94-101
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		94  | resource "aws_vpc_security_group_ingress_rule" "capita_ip_4" {
		95  |   security_group_id = aws_security_group.capita.id
		96  | 
		97  |   cidr_ipv4   = "85.115.53.0/24"
		98  |   ip_protocol = "tcp"
		99  |   from_port   = 2222
		100 |   to_port     = 2222
		101 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_vpc_security_group_ingress_rule.capita_ip_5
	File: /server_access_capita.tf:103-110
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		103 | resource "aws_vpc_security_group_ingress_rule" "capita_ip_5" {
		104 |   security_group_id = aws_security_group.capita.id
		105 | 
		106 |   cidr_ipv4   = "85.115.54.0/24"
		107 |   ip_protocol = "tcp"
		108 |   from_port   = 2222
		109 |   to_port     = 2222
		110 |   }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_vpc_security_group_ingress_rule.test_fynhy_ip
	File: /server_access_test.tf:91-100
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		91  | resource "aws_vpc_security_group_ingress_rule" "test_fynhy_ip" {
		92  |   security_group_id = aws_security_group.test.id
		93  | 
		94  |   ip_protocol = "tcp"
		95  |   from_port   = 2222
		96  |   to_port     = 2222
		97  | 
		98  |   for_each  = { for cidr_ipv4 in local.cidr_ipv4s : cidr_ipv4 => cidr_ipv4 }
		99  |   cidr_ipv4 = each.key
		100 | }

Check: CKV_AWS_66: "Ensure that CloudWatch Log Group specifies retention days"
	FAILED for resource: aws_cloudwatch_log_group.capita
	File: /transfer_server_capita.tf:57-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-13

		57 | resource "aws_cloudwatch_log_group" "capita" {
		58 |   name_prefix = "transfer_capita_"
		59 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.capita
	File: /transfer_server_capita.tf:57-59

		57 | resource "aws_cloudwatch_log_group" "capita" {
		58 |   name_prefix = "transfer_capita_"
		59 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.capita
	File: /transfer_server_capita.tf:57-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		57 | resource "aws_cloudwatch_log_group" "capita" {
		58 |   name_prefix = "transfer_capita_"
		59 | }

Check: CKV_AWS_66: "Ensure that CloudWatch Log Group specifies retention days"
	FAILED for resource: aws_cloudwatch_log_group.civica
	File: /transfer_server_civica.tf:57-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-13

		57 | resource "aws_cloudwatch_log_group" "civica" {
		58 |   name_prefix = "transfer_civica_"
		59 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.civica
	File: /transfer_server_civica.tf:57-59

		57 | resource "aws_cloudwatch_log_group" "civica" {
		58 |   name_prefix = "transfer_civica_"
		59 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.civica
	File: /transfer_server_civica.tf:57-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		57 | resource "aws_cloudwatch_log_group" "civica" {
		58 |   name_prefix = "transfer_civica_"
		59 | }

Check: CKV_AWS_66: "Ensure that CloudWatch Log Group specifies retention days"
	FAILED for resource: aws_cloudwatch_log_group.g4s
	File: /transfer_server_g4s.tf:57-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-13

		57 | resource "aws_cloudwatch_log_group" "g4s" {
		58 |   name_prefix = "transfer_g4s_"
		59 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.g4s
	File: /transfer_server_g4s.tf:57-59

		57 | resource "aws_cloudwatch_log_group" "g4s" {
		58 |   name_prefix = "transfer_g4s_"
		59 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.g4s
	File: /transfer_server_g4s.tf:57-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		57 | resource "aws_cloudwatch_log_group" "g4s" {
		58 |   name_prefix = "transfer_g4s_"
		59 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.log_bucket
	File: /s3.tf:5-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		5 | resource "aws_s3_bucket" "log_bucket" {
		6 |   bucket_prefix = "em-data-store-logs-"
		7 |   force_destroy = true
		8 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.capita_landing_bucket
	File: /s3.tf:30-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		30 | resource "aws_s3_bucket" "capita_landing_bucket" {
		31 |   bucket = "capita-${random_string.capita.result}"
		32 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.civica_landing_bucket
	File: /s3.tf:95-97
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		95 | resource "aws_s3_bucket" "civica_landing_bucket" {
		96 |   bucket = "civica-${random_string.civica.result}"
		97 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.g4s_landing_bucket
	File: /s3.tf:160-162
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		160 | resource "aws_s3_bucket" "g4s_landing_bucket" {
		161 |   bucket = "g4s-${random_string.g4s.result}"
		162 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.data_store_bucket
	File: /s3.tf:214-216
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		214 | resource "aws_s3_bucket" "data_store_bucket" {
		215 |   bucket_prefix = "em-data-store-"
		216 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.data_store_bucket
	File: /s3.tf:214-216
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		214 | resource "aws_s3_bucket" "data_store_bucket" {
		215 |   bucket_prefix = "em-data-store-"
		216 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.log_bucket
	File: /s3.tf:5-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		5 | resource "aws_s3_bucket" "log_bucket" {
		6 |   bucket_prefix = "em-data-store-logs-"
		7 |   force_destroy = true
		8 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.capita_landing_bucket
	File: /s3.tf:30-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		30 | resource "aws_s3_bucket" "capita_landing_bucket" {
		31 |   bucket = "capita-${random_string.capita.result}"
		32 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.civica_landing_bucket
	File: /s3.tf:95-97
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		95 | resource "aws_s3_bucket" "civica_landing_bucket" {
		96 |   bucket = "civica-${random_string.civica.result}"
		97 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.g4s_landing_bucket
	File: /s3.tf:160-162
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		160 | resource "aws_s3_bucket" "g4s_landing_bucket" {
		161 |   bucket = "g4s-${random_string.g4s.result}"
		162 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.data_store_bucket
	File: /s3.tf:214-216
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		214 | resource "aws_s3_bucket" "data_store_bucket" {
		215 |   bucket_prefix = "em-data-store-"
		216 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.log_bucket
	File: /s3.tf:5-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		5 | resource "aws_s3_bucket" "log_bucket" {
		6 |   bucket_prefix = "em-data-store-logs-"
		7 |   force_destroy = true
		8 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.capita_landing_bucket
	File: /s3.tf:30-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		30 | resource "aws_s3_bucket" "capita_landing_bucket" {
		31 |   bucket = "capita-${random_string.capita.result}"
		32 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.civica_landing_bucket
	File: /s3.tf:95-97
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		95 | resource "aws_s3_bucket" "civica_landing_bucket" {
		96 |   bucket = "civica-${random_string.civica.result}"
		97 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.g4s_landing_bucket
	File: /s3.tf:160-162
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		160 | resource "aws_s3_bucket" "g4s_landing_bucket" {
		161 |   bucket = "g4s-${random_string.g4s.result}"
		162 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.log_bucket
	File: /s3.tf:5-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		5 | resource "aws_s3_bucket" "log_bucket" {
		6 |   bucket_prefix = "em-data-store-logs-"
		7 |   force_destroy = true
		8 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.capita_landing_bucket
	File: /s3.tf:30-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		30 | resource "aws_s3_bucket" "capita_landing_bucket" {
		31 |   bucket = "capita-${random_string.capita.result}"
		32 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.civica_landing_bucket
	File: /s3.tf:95-97
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		95 | resource "aws_s3_bucket" "civica_landing_bucket" {
		96 |   bucket = "civica-${random_string.civica.result}"
		97 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.g4s_landing_bucket
	File: /s3.tf:160-162
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		160 | resource "aws_s3_bucket" "g4s_landing_bucket" {
		161 |   bucket = "g4s-${random_string.g4s.result}"
		162 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.data_store_bucket
	File: /s3.tf:214-216
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		214 | resource "aws_s3_bucket" "data_store_bucket" {
		215 |   bucket_prefix = "em-data-store-"
		216 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.log_bucket
	File: /s3.tf:5-8

		5 | resource "aws_s3_bucket" "log_bucket" {
		6 |   bucket_prefix = "em-data-store-logs-"
		7 |   force_destroy = true
		8 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.capita_landing_bucket
	File: /s3.tf:30-32

		30 | resource "aws_s3_bucket" "capita_landing_bucket" {
		31 |   bucket = "capita-${random_string.capita.result}"
		32 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.civica_landing_bucket
	File: /s3.tf:95-97

		95 | resource "aws_s3_bucket" "civica_landing_bucket" {
		96 |   bucket = "civica-${random_string.civica.result}"
		97 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.g4s_landing_bucket
	File: /s3.tf:160-162

		160 | resource "aws_s3_bucket" "g4s_landing_bucket" {
		161 |   bucket = "g4s-${random_string.g4s.result}"
		162 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.data_store_bucket
	File: /s3.tf:214-216

		214 | resource "aws_s3_bucket" "data_store_bucket" {
		215 |   bucket_prefix = "em-data-store-"
		216 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.log_bucket
	File: /s3.tf:5-8

		5 | resource "aws_s3_bucket" "log_bucket" {
		6 |   bucket_prefix = "em-data-store-logs-"
		7 |   force_destroy = true
		8 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.capita_landing_bucket
	File: /s3.tf:30-32

		30 | resource "aws_s3_bucket" "capita_landing_bucket" {
		31 |   bucket = "capita-${random_string.capita.result}"
		32 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.civica_landing_bucket
	File: /s3.tf:95-97

		95 | resource "aws_s3_bucket" "civica_landing_bucket" {
		96 |   bucket = "civica-${random_string.civica.result}"
		97 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.g4s_landing_bucket
	File: /s3.tf:160-162

		160 | resource "aws_s3_bucket" "g4s_landing_bucket" {
		161 |   bucket = "g4s-${random_string.g4s.result}"
		162 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.data_store_bucket
	File: /s3.tf:214-216

		214 | resource "aws_s3_bucket" "data_store_bucket" {
		215 |   bucket_prefix = "em-data-store-"
		216 | }


checkov_exitcode=1

CTFLint Scan Failed

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running tflint in terraform/environments/electronic-monitoring-data
Excluding the following checks: terraform_unused_declarations
1 issue(s) found:

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/s3.tf line 152:
 152: resource "random_string" "g4s" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan

Show Output

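The tflint warning, the CKV_AWS_23 security-group findings and the CKV_AWS_66 / CKV_AWS_338 / CKV_AWS_158 log-group findings in the scan output above all have mechanical fixes. The block below is an added example, not code from this PR or the repository: it shows the three patterns remediated in one file. The resource names, the CIDR allow-list, the key name and the 400-day retention are assumptions chosen for illustration; the real supplier ranges and retention policy belong to the project.

```hcl
# Added example, not code from the PR: the tflint warning, the CKV_AWS_23
# security-group findings and the CKV_AWS_66/338/158 log-group findings,
# fixed in one place. Resource names, the CIDR list and the 400-day retention
# are assumptions chosen for illustration.

terraform {
  required_providers {
    # terraform_required_providers: pin "random" like every other provider
    random = {
      source  = "hashicorp/random"
      version = "~> 3.5"
    }
  }
}

locals {
  # Constructed allow-list for the example; the real supplier ranges go here.
  test_cidr_ipv4s = ["203.0.113.0/28", "198.51.100.64/26"]
}

# CKV_AWS_23: a description on every rule, with the CIDR embedded so a reviewer
# of the plan (or the console) can see which supplier range each rule is for.
resource "aws_vpc_security_group_ingress_rule" "test_sftp" {
  for_each = toset(local.test_cidr_ipv4s)

  security_group_id = aws_security_group.test.id
  description       = "SFTP TCP/2222 from test supplier range ${each.key}"
  cidr_ipv4         = each.key
  ip_protocol       = "tcp"
  from_port         = 2222
  to_port           = 2222
}

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

# CKV_AWS_158: customer-managed key for the transfer-server log groups. The key
# policy must grant the regional CloudWatch Logs service principal, scoped by
# encryption context to this account's log groups; without that statement the
# log group creation call is rejected.
resource "aws_kms_key" "transfer_logs" {
  description         = "CloudWatch Logs for the EM transfer servers"
  enable_key_rotation = true
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "AccountAdmin"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
        Action    = "kms:*"
        Resource  = "*"
      },
      {
        Sid       = "CloudWatchLogs"
        Effect    = "Allow"
        Principal = { Service = "logs.${data.aws_region.current.name}.amazonaws.com" }
        Action    = ["kms:Encrypt*", "kms:Decrypt*", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:Describe*"]
        Resource  = "*"
        Condition = {
          ArnLike = {
            "kms:EncryptionContext:aws:logs:arn" = "arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:*"
          }
        }
      }
    ]
  })
}

# CKV_AWS_66 / CKV_AWS_338 / CKV_AWS_158: explicit retention of at least a year
# (400 is one of the values CloudWatch accepts) and the customer-managed key.
# The capita and civica log groups take the same shape.
resource "aws_cloudwatch_log_group" "g4s" {
  name_prefix       = "transfer_g4s_"
  retention_in_days = 400
  kms_key_id        = aws_kms_key.transfer_logs.arn
}
```

Two points worth checking on the real change. The `for_each` keyed on the CIDR string (as `test_fynhy_ip` already does) means that editing a CIDR in the list destroys one rule and creates another, which is the behaviour you want for an allow-list; putting the CIDR in the description keeps the plan output readable when that happens. On the key policy, CloudWatch Logs checks the key at log-group creation time, so the KMS key and its policy must be applied before (or in the same apply as) the log group, which the `kms_key_id` reference guarantees here.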
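The S3 findings above (tfsec `aws-s3-*` results and checkov CKV2_AWS_6, CKV_AWS_145, CKV_AWS_21, CKV_AWS_18, CKV2_AWS_61) are all missing companion resources on bare `aws_s3_bucket` blocks. The block below is an added example, not code from this PR or the repository: it applies those controls to one of the landing buckets. `aws_kms_key.landing` is assumed to exist already, and the 90-day noncurrent-version expiry and 7-day multipart abort are illustrative values.

```hcl
# Added example, not code from the PR: the tfsec/checkov S3 findings applied
# to one landing bucket. aws_kms_key.landing is assumed to exist; the
# lifecycle periods are illustrative choices.

resource "aws_s3_bucket" "g4s_landing_bucket" {
  bucket = "g4s-${random_string.g4s.result}"
}

# aws-s3-block-public-acls / block-public-policy / ignore-public-acls /
# no-public-buckets and CKV2_AWS_6: all four flags on.
resource "aws_s3_bucket_public_access_block" "g4s_landing_bucket" {
  bucket                  = aws_s3_bucket.g4s_landing_bucket.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# aws-s3-enable-bucket-encryption / aws-s3-encryption-customer-key / CKV_AWS_145.
# bucket_key_enabled cuts KMS request volume when SFTP delivers many small files.
resource "aws_s3_bucket_server_side_encryption_configuration" "g4s_landing_bucket" {
  bucket = aws_s3_bucket.g4s_landing_bucket.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.landing.arn
    }
    bucket_key_enabled = true
  }
}

# CKV_AWS_21: versioning, so an overwritten or deleted supplier file is recoverable.
resource "aws_s3_bucket_versioning" "g4s_landing_bucket" {
  bucket = aws_s3_bucket.g4s_landing_bucket.id
  versioning_configuration {
    status = "Enabled"
  }
}

# CKV_AWS_18: server access logs into the existing log bucket, one prefix per source.
resource "aws_s3_bucket_logging" "g4s_landing_bucket" {
  bucket        = aws_s3_bucket.g4s_landing_bucket.id
  target_bucket = aws_s3_bucket.log_bucket.id
  target_prefix = "g4s-landing/"
}

# CKV2_AWS_61: lifecycle rules so versioning does not accumulate cost unbounded.
# depends_on on the versioning resource is what the provider docs recommend
# whenever noncurrent-version rules are used.
resource "aws_s3_bucket_lifecycle_configuration" "g4s_landing_bucket" {
  bucket     = aws_s3_bucket.g4s_landing_bucket.id
  depends_on = [aws_s3_bucket_versioning.g4s_landing_bucket]
  rule {
    id     = "expire-noncurrent-and-abandoned-uploads"
    status = "Enabled"
    filter {}
    noncurrent_version_expiration {
      noncurrent_days = 90
    }
    abort_incomplete_multipart_upload {
      days_after_initiation = 7
    }
  }
}
```

Three caveats a reviewer of this PR would want noted. `aws_s3_bucket_logging` only works if the target bucket's policy grants `s3:PutObject` to the `logging.s3.amazonaws.com` service principal for the chosen prefix; with ACLs disabled (the default for new buckets) there is no ACL-based fallback. The existing `log_bucket` is declared with `force_destroy = true`, which the scanners do not flag but which lets a `terraform destroy` delete the access logs along with the bucket, so that setting deserves a deliberate decision for an audit-log bucket. CKV_AWS_144 (cross-region replication) and CKV2_AWS_62 (event notifications) are not addressed above: replication needs versioning on both buckets and is usually justified or suppressed per bucket, and notifications depend on how the landing buckets are meant to feed the data store.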
Contributor

TFSEC Scan Failed

Show Output ```hcl

TFSEC will check the following folders:
terraform/environments/electronic-monitoring-data


Running TFSEC in terraform/environments/electronic-monitoring-data
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available
for the time being, although our engineering
attention will be directed at Trivy going forward.

You can read more here:
aquasecurity/tfsec#1994

Result #1 HIGH No public access block so not blocking public acls
────────────────────────────────────────────────────────────────────────────────
s3.tf:160-162
────────────────────────────────────────────────────────────────────────────────
160 resource "aws_s3_bucket" "g4s_landing_bucket" {
161 bucket = "g4s-${random_string.g4s.result}"
162 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-block-public-acls
Impact PUT calls with public ACLs specified can make objects public
Resolution Enable blocking any PUT calls with a public ACL specified

More Information

Result #2 HIGH No public access block so not blocking public policies
────────────────────────────────────────────────────────────────────────────────
s3.tf:160-162
────────────────────────────────────────────────────────────────────────────────
160 resource "aws_s3_bucket" "g4s_landing_bucket" {
161 bucket = "g4s-${random_string.g4s.result}"
162 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-block-public-policy
Impact Users could put a policy that allows public access
Resolution Prevent policies that allow public access being PUT

More Information

Result #3 HIGH Bucket does not have encryption enabled
────────────────────────────────────────────────────────────────────────────────
s3.tf:160-162
────────────────────────────────────────────────────────────────────────────────
160 resource "aws_s3_bucket" "g4s_landing_bucket" {
161 bucket = "g4s-${random_string.g4s.result}"
162 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-enable-bucket-encryption
Impact The bucket objects could be read if compromised
Resolution Configure bucket encryption

More Information

Result #4 HIGH No public access block so not ignoring public acls
────────────────────────────────────────────────────────────────────────────────
s3.tf:160-162
────────────────────────────────────────────────────────────────────────────────
160 resource "aws_s3_bucket" "g4s_landing_bucket" {
161 bucket = "g4s-${random_string.g4s.result}"
162 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-ignore-public-acls
Impact PUT calls with public ACLs specified can make objects public
Resolution Enable ignoring the application of public ACLs in PUT calls

More Information

Result #5 HIGH No public access block so not restricting public buckets
────────────────────────────────────────────────────────────────────────────────
s3.tf:160-162
────────────────────────────────────────────────────────────────────────────────
160 resource "aws_s3_bucket" "g4s_landing_bucket" {
161 bucket = "g4s-${random_string.g4s.result}"
162 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-no-public-buckets
Impact Public buckets can be accessed by anyone
Resolution Limit the access to public buckets to only the owner or AWS Services (eg; CloudFront)

More Information

Result #6 HIGH Bucket does not encrypt data with a customer managed key.
────────────────────────────────────────────────────────────────────────────────
s3.tf:160-162
────────────────────────────────────────────────────────────────────────────────
160 resource "aws_s3_bucket" "g4s_landing_bucket" {
161 bucket = "g4s-${random_string.g4s.result}"
162 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-encryption-customer-key
Impact Using AWS managed keys does not allow for fine grained control
Resolution Enable encryption using customer managed keys

More Information

Result #7 HIGH No public access block so not blocking public acls
────────────────────────────────────────────────────────────────────────────────
s3.tf:214-216
────────────────────────────────────────────────────────────────────────────────
214 resource "aws_s3_bucket" "data_store_bucket" {
215 bucket_prefix = "em-data-store-"
216 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-block-public-acls
Impact PUT calls with public ACLs specified can make objects public
Resolution Enable blocking any PUT calls with a public ACL specified

More Information

Result #8 HIGH No public access block so not blocking public policies
────────────────────────────────────────────────────────────────────────────────
s3.tf:214-216
────────────────────────────────────────────────────────────────────────────────
214 resource "aws_s3_bucket" "data_store_bucket" {
215 bucket_prefix = "em-data-store-"
216 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-block-public-policy
Impact Users could put a policy that allows public access
Resolution Prevent policies that allow public access being PUT

More Information

Result #9 HIGH Bucket does not have encryption enabled
────────────────────────────────────────────────────────────────────────────────
s3.tf:214-216
────────────────────────────────────────────────────────────────────────────────
214 resource "aws_s3_bucket" "data_store_bucket" {
215 bucket_prefix = "em-data-store-"
216 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-enable-bucket-encryption
Impact The bucket objects could be read if compromised
Resolution Configure bucket encryption

More Information

Result #10 HIGH No public access block so not ignoring public acls
────────────────────────────────────────────────────────────────────────────────
s3.tf:214-216
────────────────────────────────────────────────────────────────────────────────
214 resource "aws_s3_bucket" "data_store_bucket" {
215 bucket_prefix = "em-data-store-"
216 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-ignore-public-acls
Impact PUT calls with public ACLs specified can make objects public
Resolution Enable ignoring the application of public ACLs in PUT calls

More Information

Result #11 HIGH No public access block so not restricting public buckets
────────────────────────────────────────────────────────────────────────────────
s3.tf:214-216
────────────────────────────────────────────────────────────────────────────────
214 resource "aws_s3_bucket" "data_store_bucket" {
215 bucket_prefix = "em-data-store-"
216 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-no-public-buckets
Impact Public buckets can be accessed by anyone
Resolution Limit the access to public buckets to only the owner or AWS Services (eg; CloudFront)

More Information

Result #12 HIGH Bucket does not encrypt data with a customer managed key.
────────────────────────────────────────────────────────────────────────────────
s3.tf:214-216
────────────────────────────────────────────────────────────────────────────────
214 resource "aws_s3_bucket" "data_store_bucket" {
215 bucket_prefix = "em-data-store-"
216 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-encryption-customer-key
Impact Using AWS managed keys does not allow for fine grained control
Resolution Enable encryption using customer managed keys

More Information

Result #13 HIGH No public access block so not blocking public acls
────────────────────────────────────────────────────────────────────────────────
s3.tf:30-32
────────────────────────────────────────────────────────────────────────────────
30 resource "aws_s3_bucket" "capita_landing_bucket" {
31 bucket = "capita-${random_string.capita.result}"
32 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-block-public-acls
Impact PUT calls with public ACLs specified can make objects public
Resolution Enable blocking any PUT calls with a public ACL specified

More Information

Result #14 HIGH No public access block so not blocking public policies
────────────────────────────────────────────────────────────────────────────────
s3.tf:30-32
────────────────────────────────────────────────────────────────────────────────
30 resource "aws_s3_bucket" "capita_landing_bucket" {
31 bucket = "capita-${random_string.capita.result}"
32 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-block-public-policy
Impact Users could put a policy that allows public access
Resolution Prevent policies that allow public access being PUT

More Information

Result #15 HIGH Bucket does not have encryption enabled
────────────────────────────────────────────────────────────────────────────────
s3.tf:30-32
────────────────────────────────────────────────────────────────────────────────
30 resource "aws_s3_bucket" "capita_landing_bucket" {
31 bucket = "capita-${random_string.capita.result}"
32 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-enable-bucket-encryption
Impact The bucket objects could be read if compromised
Resolution Configure bucket encryption

More Information

Result #16 HIGH No public access block so not ignoring public acls
────────────────────────────────────────────────────────────────────────────────
s3.tf:30-32
────────────────────────────────────────────────────────────────────────────────
30 resource "aws_s3_bucket" "capita_landing_bucket" {
31 bucket = "capita-${random_string.capita.result}"
32 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-ignore-public-acls
Impact PUT calls with public ACLs specified can make objects public
Resolution Enable ignoring the application of public ACLs in PUT calls

More Information

Result #17 HIGH No public access block so not restricting public buckets
────────────────────────────────────────────────────────────────────────────────
s3.tf:30-32
────────────────────────────────────────────────────────────────────────────────
30 resource "aws_s3_bucket" "capita_landing_bucket" {
31 bucket = "capita-${random_string.capita.result}"
32 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-no-public-buckets
Impact Public buckets can be accessed by anyone
Resolution Limit the access to public buckets to only the owner or AWS Services (eg; CloudFront)

More Information

Result #18 HIGH Bucket does not encrypt data with a customer managed key.
────────────────────────────────────────────────────────────────────────────────
s3.tf:30-32
────────────────────────────────────────────────────────────────────────────────
30 resource "aws_s3_bucket" "capita_landing_bucket" {
31 bucket = "capita-${random_string.capita.result}"
32 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-encryption-customer-key
Impact Using AWS managed keys does not allow for fine grained control
Resolution Enable encryption using customer managed keys

More Information

Result #19 HIGH No public access block so not blocking public acls
────────────────────────────────────────────────────────────────────────────────
s3.tf:5-8
────────────────────────────────────────────────────────────────────────────────
5 resource "aws_s3_bucket" "log_bucket" {
6 bucket_prefix = "em-data-store-logs-"
7 force_destroy = true
8 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-block-public-acls
Impact PUT calls with public ACLs specified can make objects public
Resolution Enable blocking any PUT calls with a public ACL specified

More Information

Result #20 HIGH No public access block so not blocking public policies
────────────────────────────────────────────────────────────────────────────────
s3.tf:5-8
────────────────────────────────────────────────────────────────────────────────
5 resource "aws_s3_bucket" "log_bucket" {
6 bucket_prefix = "em-data-store-logs-"
7 force_destroy = true
8 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-block-public-policy
Impact Users could put a policy that allows public access
Resolution Prevent policies that allow public access being PUT

More Information

Result #21 HIGH Bucket does not have encryption enabled
────────────────────────────────────────────────────────────────────────────────
s3.tf:5-8
────────────────────────────────────────────────────────────────────────────────
5 resource "aws_s3_bucket" "log_bucket" {
6 bucket_prefix = "em-data-store-logs-"
7 force_destroy = true
8 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-enable-bucket-encryption
Impact The bucket objects could be read if compromised
Resolution Configure bucket encryption

More Information

Result #22 HIGH No public access block so not ignoring public acls
────────────────────────────────────────────────────────────────────────────────
s3.tf:5-8
────────────────────────────────────────────────────────────────────────────────
5 resource "aws_s3_bucket" "log_bucket" {
6 bucket_prefix = "em-data-store-logs-"
7 force_destroy = true
8 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-ignore-public-acls
Impact PUT calls with public ACLs specified can make objects public
Resolution Enable ignoring the application of public ACLs in PUT calls

More Information

Result #23 HIGH No public access block so not restricting public buckets
────────────────────────────────────────────────────────────────────────────────
s3.tf:5-8
────────────────────────────────────────────────────────────────────────────────
5 resource "aws_s3_bucket" "log_bucket" {
6 bucket_prefix = "em-data-store-logs-"
7 force_destroy = true
8 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-no-public-buckets
Impact Public buckets can be accessed by anyone
Resolution Limit the access to public buckets to only the owner or AWS Services (eg; CloudFront)

More Information

Result #24 HIGH Bucket does not encrypt data with a customer managed key.
────────────────────────────────────────────────────────────────────────────────
s3.tf:5-8
────────────────────────────────────────────────────────────────────────────────
5 resource "aws_s3_bucket" "log_bucket" {
6 bucket_prefix = "em-data-store-logs-"
7 force_destroy = true
8 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-encryption-customer-key
Impact Using AWS managed keys does not allow for fine grained control
Resolution Enable encryption using customer managed keys

More Information

Result #25 HIGH No public access block so not blocking public acls
────────────────────────────────────────────────────────────────────────────────
s3.tf:95-97
────────────────────────────────────────────────────────────────────────────────
95 resource "aws_s3_bucket" "civica_landing_bucket" {
96 bucket = "civica-${random_string.civica.result}"
97 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-block-public-acls
Impact PUT calls with public ACLs specified can make objects public
Resolution Enable blocking any PUT calls with a public ACL specified

More Information

Result #26 HIGH No public access block so not blocking public policies
────────────────────────────────────────────────────────────────────────────────
s3.tf:95-97
────────────────────────────────────────────────────────────────────────────────
95 resource "aws_s3_bucket" "civica_landing_bucket" {
96 bucket = "civica-${random_string.civica.result}"
97 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-block-public-policy
Impact Users could put a policy that allows public access
Resolution Prevent policies that allow public access being PUT

More Information

Result #27 HIGH Bucket does not have encryption enabled
────────────────────────────────────────────────────────────────────────────────
s3.tf:95-97
────────────────────────────────────────────────────────────────────────────────
95 resource "aws_s3_bucket" "civica_landing_bucket" {
96 bucket = "civica-${random_string.civica.result}"
97 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-enable-bucket-encryption
Impact The bucket objects could be read if compromised
Resolution Configure bucket encryption

More Information

Result #28 HIGH No public access block so not ignoring public acls
────────────────────────────────────────────────────────────────────────────────
s3.tf:95-97
────────────────────────────────────────────────────────────────────────────────
95 resource "aws_s3_bucket" "civica_landing_bucket" {
96 bucket = "civica-${random_string.civica.result}"
97 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-ignore-public-acls
Impact PUT calls with public ACLs specified can make objects public
Resolution Enable ignoring the application of public ACLs in PUT calls

More Information

Result #29 HIGH No public access block so not restricting public buckets
────────────────────────────────────────────────────────────────────────────────
s3.tf:95-97
────────────────────────────────────────────────────────────────────────────────
95 resource "aws_s3_bucket" "civica_landing_bucket" {
96 bucket = "civica-${random_string.civica.result}"
97 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-no-public-buckets
Impact Public buckets can be accessed by anyone
Resolution Limit the access to public buckets to only the owner or AWS Services (eg; CloudFront)

More Information

Result #30 HIGH Bucket does not encrypt data with a customer managed key.
────────────────────────────────────────────────────────────────────────────────
s3.tf:95-97
────────────────────────────────────────────────────────────────────────────────
95 resource "aws_s3_bucket" "civica_landing_bucket" {
96 bucket = "civica-${random_string.civica.result}"
97 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-encryption-customer-key
Impact Using AWS managed keys does not allow for fine grained control
Resolution Enable encryption using customer managed keys

More Information

Result #31 MEDIUM Bucket does not have versioning enabled
────────────────────────────────────────────────────────────────────────────────
s3.tf:128
────────────────────────────────────────────────────────────────────────────────
125 resource "aws_s3_bucket_versioning" "civica" {
126 bucket = aws_s3_bucket.civica_landing_bucket.id
127 versioning_configuration {
128 [ status = "Disabled"
129 }
130 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-enable-versioning
Impact Deleted or modified data would not be recoverable
Resolution Enable versioning to protect against accidental/malicious removal or modification

More Information

Result #32 MEDIUM Bucket does not have versioning enabled
────────────────────────────────────────────────────────────────────────────────
s3.tf:193
────────────────────────────────────────────────────────────────────────────────
190 resource "aws_s3_bucket_versioning" "g4s" {
191 bucket = aws_s3_bucket.g4s_landing_bucket.id
192 versioning_configuration {
193 [ status = "Disabled"
194 }
195 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-enable-versioning
Impact Deleted or modified data would not be recoverable
Resolution Enable versioning to protect against accidental/malicious removal or modification

More Information

Result #33 MEDIUM Bucket does not have logging enabled
────────────────────────────────────────────────────────────────────────────────
s3.tf:214-216
────────────────────────────────────────────────────────────────────────────────
214 resource "aws_s3_bucket" "data_store_bucket" {
215 bucket_prefix = "em-data-store-"
216 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-enable-bucket-logging
Impact There is no way to determine the access to this bucket
Resolution Add a logging block to the resource to enable access logging

More Information

Result #34 MEDIUM Bucket does not have logging enabled
────────────────────────────────────────────────────────────────────────────────
s3.tf:5-8
────────────────────────────────────────────────────────────────────────────────
5 resource "aws_s3_bucket" "log_bucket" {
6 bucket_prefix = "em-data-store-logs-"
7 force_destroy = true
8 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-enable-bucket-logging
Impact There is no way to determine the access to this bucket
Resolution Add a logging block to the resource to enable access logging

More Information

Result #35 MEDIUM Bucket does not have versioning enabled
────────────────────────────────────────────────────────────────────────────────
s3.tf:5-8
────────────────────────────────────────────────────────────────────────────────
5 resource "aws_s3_bucket" "log_bucket" {
6 bucket_prefix = "em-data-store-logs-"
7 force_destroy = true
8 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-enable-versioning
Impact Deleted or modified data would not be recoverable
Resolution Enable versioning to protect against accidental/malicious removal or modification

More Information

Result #36 MEDIUM Bucket does not have versioning enabled
────────────────────────────────────────────────────────────────────────────────
s3.tf:63
────────────────────────────────────────────────────────────────────────────────
60 resource "aws_s3_bucket_versioning" "capita" {
61 bucket = aws_s3_bucket.capita_landing_bucket.id
62 versioning_configuration {
63 [ status = "Disabled"
64 }
65 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-enable-versioning
Impact Deleted or modified data would not be recoverable
Resolution Enable versioning to protect against accidental/malicious removal or modification

More Information

Result #37 LOW Bucket does not have a corresponding public access block.
────────────────────────────────────────────────────────────────────────────────
s3.tf:160-162
────────────────────────────────────────────────────────────────────────────────
160 resource "aws_s3_bucket" "g4s_landing_bucket" {
161 bucket = "g4s-${random_string.g4s.result}"
162 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-specify-public-access-block
Impact Public access policies may be applied to sensitive data buckets
Resolution Define a aws_s3_bucket_public_access_block for the given bucket to control public access policies

More Information

Result #38 LOW Bucket does not have a corresponding public access block.
────────────────────────────────────────────────────────────────────────────────
s3.tf:214-216
────────────────────────────────────────────────────────────────────────────────
214 resource "aws_s3_bucket" "data_store_bucket" {
215 bucket_prefix = "em-data-store-"
216 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-specify-public-access-block
Impact Public access policies may be applied to sensitive data buckets
Resolution Define a aws_s3_bucket_public_access_block for the given bucket to control public access policies

More Information

Result #39 LOW Bucket does not have a corresponding public access block.
────────────────────────────────────────────────────────────────────────────────
s3.tf:30-32
────────────────────────────────────────────────────────────────────────────────
30 resource "aws_s3_bucket" "capita_landing_bucket" {
31 bucket = "capita-${random_string.capita.result}"
32 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-specify-public-access-block
Impact Public access policies may be applied to sensitive data buckets
Resolution Define a aws_s3_bucket_public_access_block for the given bucket to control public access policies

More Information

Result #40 LOW Bucket does not have a corresponding public access block.
────────────────────────────────────────────────────────────────────────────────
s3.tf:5-8
────────────────────────────────────────────────────────────────────────────────
5 resource "aws_s3_bucket" "log_bucket" {
6 bucket_prefix = "em-data-store-logs-"
7 force_destroy = true
8 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-specify-public-access-block
Impact Public access policies may be applied to sensitive data buckets
Resolution Define a aws_s3_bucket_public_access_block for the given bucket to control public access policies

More Information

Result #41 LOW Bucket does not have a corresponding public access block.
────────────────────────────────────────────────────────────────────────────────
s3.tf:95-97
────────────────────────────────────────────────────────────────────────────────
95 resource "aws_s3_bucket" "civica_landing_bucket" {
96 bucket = "civica-${random_string.civica.result}"
97 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-specify-public-access-block
Impact Public access policies may be applied to sensitive data buckets
Resolution Define a aws_s3_bucket_public_access_block for the given bucket to control public access policies

More Information

Result #42 LOW Log group is not encrypted.
────────────────────────────────────────────────────────────────────────────────
transfer_server_capita.tf:57-59
────────────────────────────────────────────────────────────────────────────────
57 resource "aws_cloudwatch_log_group" "capita" {
58 name_prefix = "transfer_capita_"
59 }
────────────────────────────────────────────────────────────────────────────────
ID aws-cloudwatch-log-group-customer-key
Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
Resolution Enable CMK encryption of CloudWatch Log Groups

More Information

Result #43 LOW Log group is not encrypted.
────────────────────────────────────────────────────────────────────────────────
transfer_server_civica.tf:57-59
────────────────────────────────────────────────────────────────────────────────
57 resource "aws_cloudwatch_log_group" "civica" {
58 name_prefix = "transfer_civica_"
59 }
────────────────────────────────────────────────────────────────────────────────
ID aws-cloudwatch-log-group-customer-key
Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
Resolution Enable CMK encryption of CloudWatch Log Groups

More Information

Result #44 LOW Log group is not encrypted.
────────────────────────────────────────────────────────────────────────────────
transfer_server_g4s.tf:57-59
────────────────────────────────────────────────────────────────────────────────
57 resource "aws_cloudwatch_log_group" "g4s" {
58 name_prefix = "transfer_g4s_"
59 }
────────────────────────────────────────────────────────────────────────────────
ID aws-cloudwatch-log-group-customer-key
Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
Resolution Enable CMK encryption of CloudWatch Log Groups

More Information

timings
──────────────────────────────────────────
disk i/o 367.067µs
parsing 14.325704ms
adaptation 955.624µs
checks 3.688593ms
total 19.336988ms

counts
──────────────────────────────────────────
modules downloaded 0
modules processed 1
blocks processed 120
files read 18

results
──────────────────────────────────────────
passed 73
ignored 0
critical 0
high 30
medium 6
low 8

73 passed, 44 potential problem(s) detected.

tfsec_exitcode=1

Checkov Scan Failed

Show Output

*****************************

Checkov will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running Checkov in terraform/environments/electronic-monitoring-data
terraform scan results:

Passed checks: 254, Failed checks: 46, Skipped checks: 0

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_vpc_security_group_ingress_rule.capita_ip_1
	File: /server_access_capita.tf:67-74
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		67 | resource "aws_vpc_security_group_ingress_rule" "capita_ip_1" {
		68 |   security_group_id = aws_security_group.capita.id
		69 | 
		70 |   cidr_ipv4   = "82.203.33.112/28"
		71 |   ip_protocol = "tcp"
		72 |   from_port   = 2222
		73 |   to_port     = 2222
		74 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_vpc_security_group_ingress_rule.capita_ip_2
	File: /server_access_capita.tf:76-83
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		76 | resource "aws_vpc_security_group_ingress_rule" "capita_ip_2" {
		77 |   security_group_id = aws_security_group.capita.id
		78 | 
		79 |   cidr_ipv4   = "82.203.33.128/28"
		80 |   ip_protocol = "tcp"
		81 |   from_port   = 2222
		82 |   to_port     = 2222
		83 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_vpc_security_group_ingress_rule.capita_ip_3
	File: /server_access_capita.tf:85-92
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		85 | resource "aws_vpc_security_group_ingress_rule" "capita_ip_3" {
		86 |   security_group_id = aws_security_group.capita.id
		87 | 
		88 |   cidr_ipv4   = "85.115.52.0/24"
		89 |   ip_protocol = "tcp"
		90 |   from_port   = 2222
		91 |   to_port     = 2222
		92 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_vpc_security_group_ingress_rule.capita_ip_4
	File: /server_access_capita.tf:94-101
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		94  | resource "aws_vpc_security_group_ingress_rule" "capita_ip_4" {
		95  |   security_group_id = aws_security_group.capita.id
		96  | 
		97  |   cidr_ipv4   = "85.115.53.0/24"
		98  |   ip_protocol = "tcp"
		99  |   from_port   = 2222
		100 |   to_port     = 2222
		101 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_vpc_security_group_ingress_rule.capita_ip_5
	File: /server_access_capita.tf:103-110
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		103 | resource "aws_vpc_security_group_ingress_rule" "capita_ip_5" {
		104 |   security_group_id = aws_security_group.capita.id
		105 | 
		106 |   cidr_ipv4   = "85.115.54.0/24"
		107 |   ip_protocol = "tcp"
		108 |   from_port   = 2222
		109 |   to_port     = 2222
		110 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_vpc_security_group_ingress_rule.civica_ip_1
	File: /server_access_civica.tf:67-74
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		67 | resource "aws_vpc_security_group_ingress_rule" "civica_ip_1" {
		68 |   security_group_id = aws_security_group.civica.id
		69 | 
		70 |   cidr_ipv4   = "20.0.26.153"
		71 |   ip_protocol = "tcp"
		72 |   from_port   = 2222
		73 |   to_port     = 2222
		74 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_vpc_security_group_ingress_rule.test_fynhy_ip
	File: /server_access_test.tf:91-100
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		91  | resource "aws_vpc_security_group_ingress_rule" "test_fynhy_ip" {
		92  |   security_group_id = aws_security_group.test.id
		93  | 
		94  |   ip_protocol = "tcp"
		95  |   from_port   = 2222
		96  |   to_port     = 2222
		97  | 
		98  |   for_each  = { for cidr_ipv4 in local.cidr_ipv4s : cidr_ipv4 => cidr_ipv4 }
		99  |   cidr_ipv4 = each.key
		100 | }

Check: CKV_AWS_66: "Ensure that CloudWatch Log Group specifies retention days"
	FAILED for resource: aws_cloudwatch_log_group.capita
	File: /transfer_server_capita.tf:57-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-13

		57 | resource "aws_cloudwatch_log_group" "capita" {
		58 |   name_prefix = "transfer_capita_"
		59 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.capita
	File: /transfer_server_capita.tf:57-59

		57 | resource "aws_cloudwatch_log_group" "capita" {
		58 |   name_prefix = "transfer_capita_"
		59 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.capita
	File: /transfer_server_capita.tf:57-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		57 | resource "aws_cloudwatch_log_group" "capita" {
		58 |   name_prefix = "transfer_capita_"
		59 | }

Check: CKV_AWS_66: "Ensure that CloudWatch Log Group specifies retention days"
	FAILED for resource: aws_cloudwatch_log_group.civica
	File: /transfer_server_civica.tf:57-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-13

		57 | resource "aws_cloudwatch_log_group" "civica" {
		58 |   name_prefix = "transfer_civica_"
		59 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.civica
	File: /transfer_server_civica.tf:57-59

		57 | resource "aws_cloudwatch_log_group" "civica" {
		58 |   name_prefix = "transfer_civica_"
		59 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.civica
	File: /transfer_server_civica.tf:57-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		57 | resource "aws_cloudwatch_log_group" "civica" {
		58 |   name_prefix = "transfer_civica_"
		59 | }

Check: CKV_AWS_66: "Ensure that CloudWatch Log Group specifies retention days"
	FAILED for resource: aws_cloudwatch_log_group.g4s
	File: /transfer_server_g4s.tf:57-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-13

		57 | resource "aws_cloudwatch_log_group" "g4s" {
		58 |   name_prefix = "transfer_g4s_"
		59 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.g4s
	File: /transfer_server_g4s.tf:57-59

		57 | resource "aws_cloudwatch_log_group" "g4s" {
		58 |   name_prefix = "transfer_g4s_"
		59 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.g4s
	File: /transfer_server_g4s.tf:57-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		57 | resource "aws_cloudwatch_log_group" "g4s" {
		58 |   name_prefix = "transfer_g4s_"
		59 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.log_bucket
	File: /s3.tf:5-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		5 | resource "aws_s3_bucket" "log_bucket" {
		6 |   bucket_prefix = "em-data-store-logs-"
		7 |   force_destroy = true
		8 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.capita_landing_bucket
	File: /s3.tf:30-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		30 | resource "aws_s3_bucket" "capita_landing_bucket" {
		31 |   bucket = "capita-${random_string.capita.result}"
		32 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.civica_landing_bucket
	File: /s3.tf:95-97
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		95 | resource "aws_s3_bucket" "civica_landing_bucket" {
		96 |   bucket = "civica-${random_string.civica.result}"
		97 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.g4s_landing_bucket
	File: /s3.tf:160-162
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		160 | resource "aws_s3_bucket" "g4s_landing_bucket" {
		161 |   bucket = "g4s-${random_string.g4s.result}"
		162 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.data_store_bucket
	File: /s3.tf:214-216
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		214 | resource "aws_s3_bucket" "data_store_bucket" {
		215 |   bucket_prefix = "em-data-store-"
		216 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.log_bucket
	File: /s3.tf:5-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		5 | resource "aws_s3_bucket" "log_bucket" {
		6 |   bucket_prefix = "em-data-store-logs-"
		7 |   force_destroy = true
		8 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.capita_landing_bucket
	File: /s3.tf:30-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		30 | resource "aws_s3_bucket" "capita_landing_bucket" {
		31 |   bucket = "capita-${random_string.capita.result}"
		32 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.civica_landing_bucket
	File: /s3.tf:95-97
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		95 | resource "aws_s3_bucket" "civica_landing_bucket" {
		96 |   bucket = "civica-${random_string.civica.result}"
		97 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.g4s_landing_bucket
	File: /s3.tf:160-162
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		160 | resource "aws_s3_bucket" "g4s_landing_bucket" {
		161 |   bucket = "g4s-${random_string.g4s.result}"
		162 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.data_store_bucket
	File: /s3.tf:214-216
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		214 | resource "aws_s3_bucket" "data_store_bucket" {
		215 |   bucket_prefix = "em-data-store-"
		216 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.log_bucket
	File: /s3.tf:5-8

		5 | resource "aws_s3_bucket" "log_bucket" {
		6 |   bucket_prefix = "em-data-store-logs-"
		7 |   force_destroy = true
		8 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.capita_landing_bucket
	File: /s3.tf:30-32

		30 | resource "aws_s3_bucket" "capita_landing_bucket" {
		31 |   bucket = "capita-${random_string.capita.result}"
		32 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.civica_landing_bucket
	File: /s3.tf:95-97

		95 | resource "aws_s3_bucket" "civica_landing_bucket" {
		96 |   bucket = "civica-${random_string.civica.result}"
		97 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.g4s_landing_bucket
	File: /s3.tf:160-162

		160 | resource "aws_s3_bucket" "g4s_landing_bucket" {
		161 |   bucket = "g4s-${random_string.g4s.result}"
		162 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.data_store_bucket
	File: /s3.tf:214-216

		214 | resource "aws_s3_bucket" "data_store_bucket" {
		215 |   bucket_prefix = "em-data-store-"
		216 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.data_store_bucket
	File: /s3.tf:214-216
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		214 | resource "aws_s3_bucket" "data_store_bucket" {
		215 |   bucket_prefix = "em-data-store-"
		216 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.log_bucket
	File: /s3.tf:5-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		5 | resource "aws_s3_bucket" "log_bucket" {
		6 |   bucket_prefix = "em-data-store-logs-"
		7 |   force_destroy = true
		8 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.capita_landing_bucket
	File: /s3.tf:30-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		30 | resource "aws_s3_bucket" "capita_landing_bucket" {
		31 |   bucket = "capita-${random_string.capita.result}"
		32 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.civica_landing_bucket
	File: /s3.tf:95-97
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		95 | resource "aws_s3_bucket" "civica_landing_bucket" {
		96 |   bucket = "civica-${random_string.civica.result}"
		97 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.g4s_landing_bucket
	File: /s3.tf:160-162
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		160 | resource "aws_s3_bucket" "g4s_landing_bucket" {
		161 |   bucket = "g4s-${random_string.g4s.result}"
		162 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.data_store_bucket
	File: /s3.tf:214-216
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		214 | resource "aws_s3_bucket" "data_store_bucket" {
		215 |   bucket_prefix = "em-data-store-"
		216 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.log_bucket
	File: /s3.tf:5-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		5 | resource "aws_s3_bucket" "log_bucket" {
		6 |   bucket_prefix = "em-data-store-logs-"
		7 |   force_destroy = true
		8 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.capita_landing_bucket
	File: /s3.tf:30-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		30 | resource "aws_s3_bucket" "capita_landing_bucket" {
		31 |   bucket = "capita-${random_string.capita.result}"
		32 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.civica_landing_bucket
	File: /s3.tf:95-97
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		95 | resource "aws_s3_bucket" "civica_landing_bucket" {
		96 |   bucket = "civica-${random_string.civica.result}"
		97 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.g4s_landing_bucket
	File: /s3.tf:160-162
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		160 | resource "aws_s3_bucket" "g4s_landing_bucket" {
		161 |   bucket = "g4s-${random_string.g4s.result}"
		162 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.log_bucket
	File: /s3.tf:5-8

		5 | resource "aws_s3_bucket" "log_bucket" {
		6 |   bucket_prefix = "em-data-store-logs-"
		7 |   force_destroy = true
		8 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.capita_landing_bucket
	File: /s3.tf:30-32

		30 | resource "aws_s3_bucket" "capita_landing_bucket" {
		31 |   bucket = "capita-${random_string.capita.result}"
		32 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.civica_landing_bucket
	File: /s3.tf:95-97

		95 | resource "aws_s3_bucket" "civica_landing_bucket" {
		96 |   bucket = "civica-${random_string.civica.result}"
		97 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.g4s_landing_bucket
	File: /s3.tf:160-162

		160 | resource "aws_s3_bucket" "g4s_landing_bucket" {
		161 |   bucket = "g4s-${random_string.g4s.result}"
		162 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.data_store_bucket
	File: /s3.tf:214-216

		214 | resource "aws_s3_bucket" "data_store_bucket" {
		215 |   bucket_prefix = "em-data-store-"
		216 | }


checkov_exitcode=1

CTFLint Scan Failed

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running tflint in terraform/environments/electronic-monitoring-data
Excluding the following checks: terraform_unused_declarations
1 issue(s) found:

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/s3.tf line 152:
 152: resource "random_string" "g4s" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan

Show Output

Contributor

@ep-93 ep-93 left a comment

Failing plans

@pricemg pricemg had a problem deploying to electronic-monitoring-data-development January 30, 2024 10:30 — with GitHub Actions Failure
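As an added example (not code from the ministryofjustice/modernisation-platform-environments repository or from this PR), here is one Terraform configuration that would clear the recurring tfsec, checkov and tflint findings in the scan output above for a landing bucket and its transfer log group: a pinned `random` provider, a customer managed KMS key whose policy lets CloudWatch Logs use it, versioning switched from `Disabled` to `Enabled`, SSE-KMS instead of `AES256`, a lifecycle rule, access logging, and a log group with retention and CMK encryption. The resource names, the `em_cmk` key, the `example` random string, the 90-day and 400-day periods and the `~>` version constraints are assumptions; the reference to `aws_s3_bucket.log_bucket` points at the existing log bucket that appears in the scan output.

```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
    random = { # tflint terraform_required_providers: every provider in use gets a constraint
      source  = "hashicorp/random"
      version = "~> 3.6"
    }
  }
}

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

# Key policy: account admin plus the CloudWatch Logs service principal for this
# region. Without the second statement, creating a log group with kms_key_id
# fails because the service cannot use the key. (Example policy, assumption.)
data "aws_iam_policy_document" "em_cmk" {
  statement {
    sid       = "AccountAdmin"
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
  }
  statement {
    sid       = "CloudWatchLogs"
    actions   = ["kms:Encrypt*", "kms:Decrypt*", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:Describe*"]
    resources = ["*"]
    principals {
      type        = "Service"
      identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
    }
    condition {
      test     = "ArnLike"
      variable = "kms:EncryptionContext:aws:logs:arn"
      values   = ["arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:*"]
    }
  }
}

# Customer managed key: tfsec aws-s3-encryption-customer-key, checkov CKV_AWS_145 / CKV_AWS_158.
resource "aws_kms_key" "em_cmk" {
  description         = "EM landing buckets and transfer logs (example key)"
  enable_key_rotation = true
  policy              = data.aws_iam_policy_document.em_cmk.json
}

resource "random_string" "example" {
  length  = 8
  special = false
  upper   = false
}

resource "aws_s3_bucket" "example_landing_bucket" {
  bucket = "example-${random_string.example.result}"
}

# CKV_AWS_21 / aws-s3-enable-versioning: the flagged resources set status = "Disabled".
resource "aws_s3_bucket_versioning" "example_landing_bucket" {
  bucket = aws_s3_bucket.example_landing_bucket.id
  versioning_configuration {
    status = "Enabled"
  }
}

# SSE-KMS with the CMK instead of sse_algorithm = "AES256" (SSE-S3).
resource "aws_s3_bucket_server_side_encryption_configuration" "example_landing_bucket" {
  bucket = aws_s3_bucket.example_landing_bucket.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.em_cmk.arn
    }
    bucket_key_enabled = true # one data key per bucket, far fewer KMS calls
  }
}

# CKV2_AWS_61: a lifecycle rule. With versioning on, bound how long old versions live.
resource "aws_s3_bucket_lifecycle_configuration" "example_landing_bucket" {
  bucket     = aws_s3_bucket.example_landing_bucket.id
  depends_on = [aws_s3_bucket_versioning.example_landing_bucket]
  rule {
    id     = "expire-noncurrent-versions"
    status = "Enabled"
    filter {}
    noncurrent_version_expiration {
      noncurrent_days = 90
    }
  }
}

# CKV_AWS_18 / aws-s3-enable-bucket-logging: access logs into the existing
# aws_s3_bucket.log_bucket from s3.tf (shown in the scan output above).
resource "aws_s3_bucket_logging" "example_landing_bucket" {
  bucket        = aws_s3_bucket.example_landing_bucket.id
  target_bucket = aws_s3_bucket.log_bucket.id
  target_prefix = "example-landing/"
}

# CKV_AWS_66 / CKV_AWS_338 / CKV_AWS_158: at least one year of retention, CMK encrypted.
resource "aws_cloudwatch_log_group" "example_transfer" {
  name_prefix       = "transfer_example_"
  retention_in_days = 400
  kms_key_id        = aws_kms_key.em_cmk.arn
}
```

Two things the block does not show: the CKV_AWS_23 finding only needs a `description = "..."` attribute on each `aws_vpc_security_group_ingress_rule` stating whose address range it admits, and the target log bucket must itself carry a bucket policy that allows `logging.s3.amazonaws.com` to `s3:PutObject` into the chosen prefix, or S3 will reject the logging configuration. The remaining checkov findings (CKV_AWS_144 cross-region replication, CKV2_AWS_62 event notifications) are design decisions for the team rather than one-line fixes, and tfsec accepts a customer managed key whether or not the key policy is this tight; the CloudWatch Logs statement is there because the log group apply fails without it, not because a scanner asks for it.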
Contributor

TFSEC Scan Failed

Show Output

TFSEC will check the following folders:
terraform/environments/electronic-monitoring-data


Running TFSEC in terraform/environments/electronic-monitoring-data
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available
for the time being, although our engineering
attention will be directed at Trivy going forward.

You can read more here:
aquasecurity/tfsec#1994

Result #1 HIGH Bucket does not encrypt data with a customer managed key.
────────────────────────────────────────────────────────────────────────────────
s3.tf:136-144
────────────────────────────────────────────────────────────────────────────────
136  resource "aws_s3_bucket_server_side_encryption_configuration" "civica_landing_bucket" {
137    bucket = aws_s3_bucket.civica_landing_bucket.id
138  
139    rule {
140      apply_server_side_encryption_by_default {
141        sse_algorithm = "AES256"
142      }
143    }
144  }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-encryption-customer-key
Impact Using AWS managed keys does not allow for fine grained control
Resolution Enable encryption using customer managed keys

More Information

Result #2 HIGH Bucket does not encrypt data with a customer managed key.
────────────────────────────────────────────────────────────────────────────────
s3.tf:219-227
────────────────────────────────────────────────────────────────────────────────
219  resource "aws_s3_bucket_server_side_encryption_configuration" "g4s_landing_bucket" {
220    bucket = aws_s3_bucket.g4s_landing_bucket.id
221  
222    rule {
223      apply_server_side_encryption_by_default {
224        sse_algorithm = "AES256"
225      }
226    }
227  }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-encryption-customer-key
Impact Using AWS managed keys does not allow for fine grained control
Resolution Enable encryption using customer managed keys

More Information

Result #3 HIGH Bucket does not encrypt data with a customer managed key.
────────────────────────────────────────────────────────────────────────────────
s3.tf:291-299
────────────────────────────────────────────────────────────────────────────────
291  resource "aws_s3_bucket_server_side_encryption_configuration" "data_store_bucket" {
292    bucket = aws_s3_bucket.data_store_bucket.id
293  
294    rule {
295      apply_server_side_encryption_by_default {
296        sse_algorithm = "AES256"
297      }
298    }
299  }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-encryption-customer-key
Impact Using AWS managed keys does not allow for fine grained control
Resolution Enable encryption using customer managed keys

More Information

Result #4 HIGH Bucket does not encrypt data with a customer managed key.
────────────────────────────────────────────────────────────────────────────────
s3.tf:52-60
────────────────────────────────────────────────────────────────────────────────
52  resource "aws_s3_bucket_server_side_encryption_configuration" "capita_landing_bucket" {
53    bucket = aws_s3_bucket.capita_landing_bucket.id
54  
55    rule {
56      apply_server_side_encryption_by_default {
57        sse_algorithm = "AES256"
58      }
59    }
60  }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-encryption-customer-key
Impact Using AWS managed keys does not allow for fine grained control
Resolution Enable encryption using customer managed keys

More Information

Result #5 MEDIUM Bucket does not have versioning enabled
────────────────────────────────────────────────────────────────────────────────
s3.tf:100
────────────────────────────────────────────────────────────────────────────────
 97  resource "aws_s3_bucket_versioning" "capita_landing_bucket" {
 98    bucket = aws_s3_bucket.capita_landing_bucket.id
 99    versioning_configuration {
100  [   status = "Disabled"
101    }
102  }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-enable-versioning
Impact Deleted or modified data would not be recoverable
Resolution Enable versioning to protect against accidental/malicious removal or modification

More Information

Result #6 MEDIUM Bucket does not have versioning enabled
────────────────────────────────────────────────────────────────────────────────
s3.tf:183
────────────────────────────────────────────────────────────────────────────────
180  resource "aws_s3_bucket_versioning" "civica_landing_bucket" {
181    bucket = aws_s3_bucket.civica_landing_bucket.id
182    versioning_configuration {
183  [   status = "Disabled"
184    }
185  }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-enable-versioning
Impact Deleted or modified data would not be recoverable
Resolution Enable versioning to protect against accidental/malicious removal or modification

More Information

Result #7 MEDIUM Bucket does not have versioning enabled
────────────────────────────────────────────────────────────────────────────────
s3.tf:266
────────────────────────────────────────────────────────────────────────────────
263  resource "aws_s3_bucket_versioning" "g4s_landing_bucket" {
264    bucket = aws_s3_bucket.g4s_landing_bucket.id
265    versioning_configuration {
266  [   status = "Disabled"
267    }
268  }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-enable-versioning
Impact Deleted or modified data would not be recoverable
Resolution Enable versioning to protect against accidental/malicious removal or modification

More Information

Result #8 MEDIUM Bucket does not have logging enabled
────────────────────────────────────────────────────────────────────────────────
s3.tf:287-289
────────────────────────────────────────────────────────────────────────────────
287 resource "aws_s3_bucket" "data_store_bucket" {
288 bucket_prefix = "em-data-store-"
289 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-enable-bucket-logging
Impact There is no way to determine the access to this bucket
Resolution Add a logging block to the resource to enable access logging

More Information

Result #9 MEDIUM Bucket does not have versioning enabled
────────────────────────────────────────────────────────────────────────────────
s3.tf:5-8
────────────────────────────────────────────────────────────────────────────────
5 resource "aws_s3_bucket" "log_bucket" {
6 bucket_prefix = "em-data-store-logs-"
7 force_destroy = true
8 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-enable-versioning
Impact Deleted or modified data would not be recoverable
Resolution Enable versioning to protect against accidental/malicious removal or modification

More Information

Result #10 LOW Log group is not encrypted.
────────────────────────────────────────────────────────────────────────────────
transfer_server_capita.tf:57-59
────────────────────────────────────────────────────────────────────────────────
57 resource "aws_cloudwatch_log_group" "capita" {
58 name_prefix = "transfer_capita_"
59 }
────────────────────────────────────────────────────────────────────────────────
ID aws-cloudwatch-log-group-customer-key
Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
Resolution Enable CMK encryption of CloudWatch Log Groups

More Information

Result #11 LOW Log group is not encrypted.
────────────────────────────────────────────────────────────────────────────────
transfer_server_civica.tf:57-59
────────────────────────────────────────────────────────────────────────────────
57 resource "aws_cloudwatch_log_group" "civica" {
58 name_prefix = "transfer_civica_"
59 }
────────────────────────────────────────────────────────────────────────────────
ID aws-cloudwatch-log-group-customer-key
Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
Resolution Enable CMK encryption of CloudWatch Log Groups

More Information

Result #12 LOW Log group is not encrypted.
────────────────────────────────────────────────────────────────────────────────
transfer_server_g4s.tf:57-59
────────────────────────────────────────────────────────────────────────────────
57 resource "aws_cloudwatch_log_group" "g4s" {
58 name_prefix = "transfer_g4s_"
59 }
────────────────────────────────────────────────────────────────────────────────
ID aws-cloudwatch-log-group-customer-key
Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
Resolution Enable CMK encryption of CloudWatch Log Groups

More Information

timings
──────────────────────────────────────────
disk i/o 452.281µs
parsing 10.630799ms
adaptation 1.057049ms
checks 6.891042ms
total 19.031171ms

counts
──────────────────────────────────────────
modules downloaded 0
modules processed 1
blocks processed 130
files read 18

results
──────────────────────────────────────────
passed 104
ignored 0
critical 0
high 4
medium 5
low 3

104 passed, 12 potential problem(s) detected.

tfsec_exitcode=1

Checkov Scan Failed

Show Output

*****************************

Checkov will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running Checkov in terraform/environments/electronic-monitoring-data
terraform scan results:

Passed checks: 276, Failed checks: 40, Skipped checks: 0

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_vpc_security_group_ingress_rule.capita_ip_1
	File: /server_access_capita.tf:67-74
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		67 | resource "aws_vpc_security_group_ingress_rule" "capita_ip_1" {
		68 |   security_group_id = aws_security_group.capita.id
		69 | 
		70 |   cidr_ipv4   = "82.203.33.112/28"
		71 |   ip_protocol = "tcp"
		72 |   from_port   = 2222
		73 |   to_port     = 2222
		74 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_vpc_security_group_ingress_rule.capita_ip_2
	File: /server_access_capita.tf:76-83
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		76 | resource "aws_vpc_security_group_ingress_rule" "capita_ip_2" {
		77 |   security_group_id = aws_security_group.capita.id
		78 | 
		79 |   cidr_ipv4   = "82.203.33.128/28"
		80 |   ip_protocol = "tcp"
		81 |   from_port   = 2222
		82 |   to_port     = 2222
		83 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_vpc_security_group_ingress_rule.capita_ip_3
	File: /server_access_capita.tf:85-92
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		85 | resource "aws_vpc_security_group_ingress_rule" "capita_ip_3" {
		86 |   security_group_id = aws_security_group.capita.id
		87 | 
		88 |   cidr_ipv4   = "85.115.52.0/24"
		89 |   ip_protocol = "tcp"
		90 |   from_port   = 2222
		91 |   to_port     = 2222
		92 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_vpc_security_group_ingress_rule.capita_ip_4
	File: /server_access_capita.tf:94-101
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		94  | resource "aws_vpc_security_group_ingress_rule" "capita_ip_4" {
		95  |   security_group_id = aws_security_group.capita.id
		96  | 
		97  |   cidr_ipv4   = "85.115.53.0/24"
		98  |   ip_protocol = "tcp"
		99  |   from_port   = 2222
		100 |   to_port     = 2222
		101 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_vpc_security_group_ingress_rule.capita_ip_5
	File: /server_access_capita.tf:103-110
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		103 | resource "aws_vpc_security_group_ingress_rule" "capita_ip_5" {
		104 |   security_group_id = aws_security_group.capita.id
		105 | 
		106 |   cidr_ipv4   = "85.115.54.0/24"
		107 |   ip_protocol = "tcp"
		108 |   from_port   = 2222
		109 |   to_port     = 2222
		110 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_vpc_security_group_ingress_rule.test_fynhy_ip
	File: /server_access_test.tf:91-100
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		91  | resource "aws_vpc_security_group_ingress_rule" "test_fynhy_ip" {
		92  |   security_group_id = aws_security_group.test.id
		93  | 
		94  |   ip_protocol = "tcp"
		95  |   from_port   = 2222
		96  |   to_port     = 2222
		97  | 
		98  |   for_each  = { for cidr_ipv4 in local.cidr_ipv4s : cidr_ipv4 => cidr_ipv4 }
		99  |   cidr_ipv4 = each.key
		100 | }

Check: CKV_AWS_66: "Ensure that CloudWatch Log Group specifies retention days"
	FAILED for resource: aws_cloudwatch_log_group.capita
	File: /transfer_server_capita.tf:57-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-13

		57 | resource "aws_cloudwatch_log_group" "capita" {
		58 |   name_prefix = "transfer_capita_"
		59 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.capita
	File: /transfer_server_capita.tf:57-59

		57 | resource "aws_cloudwatch_log_group" "capita" {
		58 |   name_prefix = "transfer_capita_"
		59 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.capita
	File: /transfer_server_capita.tf:57-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		57 | resource "aws_cloudwatch_log_group" "capita" {
		58 |   name_prefix = "transfer_capita_"
		59 | }

Check: CKV_AWS_66: "Ensure that CloudWatch Log Group specifies retention days"
	FAILED for resource: aws_cloudwatch_log_group.civica
	File: /transfer_server_civica.tf:57-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-13

		57 | resource "aws_cloudwatch_log_group" "civica" {
		58 |   name_prefix = "transfer_civica_"
		59 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.civica
	File: /transfer_server_civica.tf:57-59

		57 | resource "aws_cloudwatch_log_group" "civica" {
		58 |   name_prefix = "transfer_civica_"
		59 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.civica
	File: /transfer_server_civica.tf:57-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		57 | resource "aws_cloudwatch_log_group" "civica" {
		58 |   name_prefix = "transfer_civica_"
		59 | }

Check: CKV_AWS_66: "Ensure that CloudWatch Log Group specifies retention days"
	FAILED for resource: aws_cloudwatch_log_group.g4s
	File: /transfer_server_g4s.tf:57-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-13

		57 | resource "aws_cloudwatch_log_group" "g4s" {
		58 |   name_prefix = "transfer_g4s_"
		59 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.g4s
	File: /transfer_server_g4s.tf:57-59

		57 | resource "aws_cloudwatch_log_group" "g4s" {
		58 |   name_prefix = "transfer_g4s_"
		59 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.g4s
	File: /transfer_server_g4s.tf:57-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		57 | resource "aws_cloudwatch_log_group" "g4s" {
		58 |   name_prefix = "transfer_g4s_"
		59 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.log_bucket
	File: /s3.tf:5-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		5 | resource "aws_s3_bucket" "log_bucket" {
		6 |   bucket_prefix = "em-data-store-logs-"
		7 |   force_destroy = true
		8 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.capita_landing_bucket
	File: /s3.tf:48-50
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		48 | resource "aws_s3_bucket" "capita_landing_bucket" {
		49 |   bucket = "capita-${random_string.capita.result}"
		50 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.civica_landing_bucket
	File: /s3.tf:132-134
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		132 | resource "aws_s3_bucket" "civica_landing_bucket" {
		133 |   bucket = "civica-${random_string.civica.result}"
		134 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.g4s_landing_bucket
	File: /s3.tf:215-217
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		215 | resource "aws_s3_bucket" "g4s_landing_bucket" {
		216 |   bucket = "g4s-${random_string.g4s.result}"
		217 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.data_store_bucket
	File: /s3.tf:287-289
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		287 | resource "aws_s3_bucket" "data_store_bucket" {
		288 |   bucket_prefix = "em-data-store-"
		289 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.log_bucket
	File: /s3.tf:5-8

		5 | resource "aws_s3_bucket" "log_bucket" {
		6 |   bucket_prefix = "em-data-store-logs-"
		7 |   force_destroy = true
		8 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.capita_landing_bucket
	File: /s3.tf:48-50

		48 | resource "aws_s3_bucket" "capita_landing_bucket" {
		49 |   bucket = "capita-${random_string.capita.result}"
		50 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.civica_landing_bucket
	File: /s3.tf:132-134

		132 | resource "aws_s3_bucket" "civica_landing_bucket" {
		133 |   bucket = "civica-${random_string.civica.result}"
		134 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.g4s_landing_bucket
	File: /s3.tf:215-217

		215 | resource "aws_s3_bucket" "g4s_landing_bucket" {
		216 |   bucket = "g4s-${random_string.g4s.result}"
		217 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.data_store_bucket
	File: /s3.tf:287-289

		287 | resource "aws_s3_bucket" "data_store_bucket" {
		288 |   bucket_prefix = "em-data-store-"
		289 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.log_bucket
	File: /s3.tf:5-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		5 | resource "aws_s3_bucket" "log_bucket" {
		6 |   bucket_prefix = "em-data-store-logs-"
		7 |   force_destroy = true
		8 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.capita_landing_bucket
	File: /s3.tf:48-50
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		48 | resource "aws_s3_bucket" "capita_landing_bucket" {
		49 |   bucket = "capita-${random_string.capita.result}"
		50 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.civica_landing_bucket
	File: /s3.tf:132-134
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		132 | resource "aws_s3_bucket" "civica_landing_bucket" {
		133 |   bucket = "civica-${random_string.civica.result}"
		134 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.g4s_landing_bucket
	File: /s3.tf:215-217
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		215 | resource "aws_s3_bucket" "g4s_landing_bucket" {
		216 |   bucket = "g4s-${random_string.g4s.result}"
		217 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.log_bucket
	File: /s3.tf:5-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		5 | resource "aws_s3_bucket" "log_bucket" {
		6 |   bucket_prefix = "em-data-store-logs-"
		7 |   force_destroy = true
		8 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.capita_landing_bucket
	File: /s3.tf:48-50
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		48 | resource "aws_s3_bucket" "capita_landing_bucket" {
		49 |   bucket = "capita-${random_string.capita.result}"
		50 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.civica_landing_bucket
	File: /s3.tf:132-134
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		132 | resource "aws_s3_bucket" "civica_landing_bucket" {
		133 |   bucket = "civica-${random_string.civica.result}"
		134 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.g4s_landing_bucket
	File: /s3.tf:215-217
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		215 | resource "aws_s3_bucket" "g4s_landing_bucket" {
		216 |   bucket = "g4s-${random_string.g4s.result}"
		217 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.data_store_bucket
	File: /s3.tf:287-289
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		287 | resource "aws_s3_bucket" "data_store_bucket" {
		288 |   bucket_prefix = "em-data-store-"
		289 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.data_store_bucket
	File: /s3.tf:287-289
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		287 | resource "aws_s3_bucket" "data_store_bucket" {
		288 |   bucket_prefix = "em-data-store-"
		289 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.log_bucket
	File: /s3.tf:5-8

		5 | resource "aws_s3_bucket" "log_bucket" {
		6 |   bucket_prefix = "em-data-store-logs-"
		7 |   force_destroy = true
		8 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.capita_landing_bucket
	File: /s3.tf:48-50

		48 | resource "aws_s3_bucket" "capita_landing_bucket" {
		49 |   bucket = "capita-${random_string.capita.result}"
		50 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.civica_landing_bucket
	File: /s3.tf:132-134

		132 | resource "aws_s3_bucket" "civica_landing_bucket" {
		133 |   bucket = "civica-${random_string.civica.result}"
		134 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.g4s_landing_bucket
	File: /s3.tf:215-217

		215 | resource "aws_s3_bucket" "g4s_landing_bucket" {
		216 |   bucket = "g4s-${random_string.g4s.result}"
		217 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.data_store_bucket
	File: /s3.tf:287-289

		287 | resource "aws_s3_bucket" "data_store_bucket" {
		288 |   bucket_prefix = "em-data-store-"
		289 | }


checkov_exitcode=1

CTFLint Scan Failed

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running tflint in terraform/environments/electronic-monitoring-data
Excluding the following checks: terraform_unused_declarations
1 issue(s) found:

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/s3.tf line 207:
 207: resource "random_string" "g4s" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan

Show Output

@pricemg pricemg had a problem deploying to electronic-monitoring-data-development January 30, 2024 10:43 — with GitHub Actions Failure
Contributor

TFSEC Scan Failed

Show Output

TFSEC will check the following folders:
terraform/environments/electronic-monitoring-data


Running TFSEC in terraform/environments/electronic-monitoring-data
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available
for the time being, although our engineering
attention will be directed at Trivy going forward.

You can read more here:
aquasecurity/tfsec#1994

Result #1 HIGH Bucket does not encrypt data with a customer managed key.
────────────────────────────────────────────────────────────────────────────────
s3.tf:136-144
────────────────────────────────────────────────────────────────────────────────
136  resource "aws_s3_bucket_server_side_encryption_configuration" "civica_landing_bucket" {
137    bucket = aws_s3_bucket.civica_landing_bucket.id
138  
139    rule {
140      apply_server_side_encryption_by_default {
141        sse_algorithm = "AES256"
142      }
143    }
144  }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-encryption-customer-key
Impact Using AWS managed keys does not allow for fine grained control
Resolution Enable encryption using customer managed keys

More Information

Result #2 HIGH Bucket does not encrypt data with a customer managed key.
────────────────────────────────────────────────────────────────────────────────
s3.tf:219-227
────────────────────────────────────────────────────────────────────────────────
219  resource "aws_s3_bucket_server_side_encryption_configuration" "g4s_landing_bucket" {
220    bucket = aws_s3_bucket.g4s_landing_bucket.id
221  
222    rule {
223      apply_server_side_encryption_by_default {
224        sse_algorithm = "AES256"
225      }
226    }
227  }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-encryption-customer-key
Impact Using AWS managed keys does not allow for fine grained control
Resolution Enable encryption using customer managed keys

More Information

Result #3 HIGH Bucket does not encrypt data with a customer managed key.
────────────────────────────────────────────────────────────────────────────────
s3.tf:291-299
────────────────────────────────────────────────────────────────────────────────
291  resource "aws_s3_bucket_server_side_encryption_configuration" "data_store_bucket" {
292    bucket = aws_s3_bucket.data_store_bucket.id
293  
294    rule {
295      apply_server_side_encryption_by_default {
296        sse_algorithm = "AES256"
297      }
298    }
299  }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-encryption-customer-key
Impact Using AWS managed keys does not allow for fine grained control
Resolution Enable encryption using customer managed keys

More Information

Result #4 HIGH Bucket does not encrypt data with a customer managed key.
────────────────────────────────────────────────────────────────────────────────
s3.tf:52-60
────────────────────────────────────────────────────────────────────────────────
52 resource "aws_s3_bucket_server_side_encryption_configuration" "capita_landing_bucket" {
53 bucket = aws_s3_bucket.capita_landing_bucket.id
54
55 rule {
56 apply_server_side_encryption_by_default {
57 sse_algorithm = "AES256"
58 }
59 }
60 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-encryption-customer-key
Impact Using AWS managed keys does not allow for fine grained control
Resolution Enable encryption using customer managed keys

More Information

Result #5 MEDIUM Bucket does not have versioning enabled
────────────────────────────────────────────────────────────────────────────────
s3.tf:100
────────────────────────────────────────────────────────────────────────────────
97 resource "aws_s3_bucket_versioning" "capita_landing_bucket" {
98 bucket = aws_s3_bucket.capita_landing_bucket.id
99 versioning_configuration {
100 [ status = "Disabled"
101 }
102 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-enable-versioning
Impact Deleted or modified data would not be recoverable
Resolution Enable versioning to protect against accidental/malicious removal or modification

More Information

Result #6 MEDIUM Bucket does not have versioning enabled
────────────────────────────────────────────────────────────────────────────────
s3.tf:183
────────────────────────────────────────────────────────────────────────────────
180 resource "aws_s3_bucket_versioning" "civica_landing_bucket" {
181 bucket = aws_s3_bucket.civica_landing_bucket.id
182 versioning_configuration {
183 [ status = "Disabled"
184 }
185 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-enable-versioning
Impact Deleted or modified data would not be recoverable
Resolution Enable versioning to protect against accidental/malicious removal or modification

More Information

Result #7 MEDIUM Bucket does not have versioning enabled
────────────────────────────────────────────────────────────────────────────────
s3.tf:266
────────────────────────────────────────────────────────────────────────────────
263 resource "aws_s3_bucket_versioning" "g4s_landing_bucket" {
264 bucket = aws_s3_bucket.g4s_landing_bucket.id
265 versioning_configuration {
266 [ status = "Disabled"
267 }
268 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-enable-versioning
Impact Deleted or modified data would not be recoverable
Resolution Enable versioning to protect against accidental/malicious removal or modification

More Information

Result #8 MEDIUM Bucket does not have logging enabled
────────────────────────────────────────────────────────────────────────────────
s3.tf:287-289
────────────────────────────────────────────────────────────────────────────────
287 resource "aws_s3_bucket" "data_store_bucket" {
288 bucket_prefix = "em-data-store-"
289 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-enable-bucket-logging
Impact There is no way to determine the access to this bucket
Resolution Add a logging block to the resource to enable access logging

More Information

Result #9 MEDIUM Bucket does not have versioning enabled
────────────────────────────────────────────────────────────────────────────────
s3.tf:5-8
────────────────────────────────────────────────────────────────────────────────
5 resource "aws_s3_bucket" "log_bucket" {
6 bucket_prefix = "em-data-store-logs-"
7 force_destroy = true
8 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-enable-versioning
Impact Deleted or modified data would not be recoverable
Resolution Enable versioning to protect against accidental/malicious removal or modification

More Information

Result #10 LOW Log group is not encrypted.
────────────────────────────────────────────────────────────────────────────────
transfer_server_capita.tf:57-59
────────────────────────────────────────────────────────────────────────────────
57 resource "aws_cloudwatch_log_group" "capita" {
58 name_prefix = "transfer_capita_"
59 }
────────────────────────────────────────────────────────────────────────────────
ID aws-cloudwatch-log-group-customer-key
Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
Resolution Enable CMK encryption of CloudWatch Log Groups

More Information

Result #11 LOW Log group is not encrypted.
────────────────────────────────────────────────────────────────────────────────
transfer_server_civica.tf:57-59
────────────────────────────────────────────────────────────────────────────────
57 resource "aws_cloudwatch_log_group" "civica" {
58 name_prefix = "transfer_civica_"
59 }
────────────────────────────────────────────────────────────────────────────────
ID aws-cloudwatch-log-group-customer-key
Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
Resolution Enable CMK encryption of CloudWatch Log Groups

More Information

Result #12 LOW Log group is not encrypted.
────────────────────────────────────────────────────────────────────────────────
transfer_server_g4s.tf:57-59
────────────────────────────────────────────────────────────────────────────────
57 resource "aws_cloudwatch_log_group" "g4s" {
58 name_prefix = "transfer_g4s_"
59 }
────────────────────────────────────────────────────────────────────────────────
ID aws-cloudwatch-log-group-customer-key
Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
Resolution Enable CMK encryption of CloudWatch Log Groups

More Information

timings
──────────────────────────────────────────
disk i/o 406.264µs
parsing 11.329727ms
adaptation 1.119259ms
checks 9.943161ms
total 22.798411ms

counts
──────────────────────────────────────────
modules downloaded 0
modules processed 1
blocks processed 127
files read 18

results
──────────────────────────────────────────
passed 104
ignored 0
critical 0
high 4
medium 5
low 3

104 passed, 12 potential problem(s) detected.

tfsec_exitcode=1

Checkov Scan Failed

Show Output

*****************************

Checkov will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running Checkov in terraform/environments/electronic-monitoring-data
terraform scan results:

Passed checks: 261, Failed checks: 35, Skipped checks: 0

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_vpc_security_group_ingress_rule.test_fynhy_ip
	File: /server_access_test.tf:92-101
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		92  | resource "aws_vpc_security_group_ingress_rule" "test_fynhy_ip" {
		93  |   security_group_id = aws_security_group.test.id
		94  | 
		95  |   ip_protocol = "tcp"
		96  |   from_port   = 2222
		97  |   to_port     = 2222
		98  | 
		99  |   for_each  = { for cidr_ipv4 in local.test_cidr_ipv4s : cidr_ipv4 => cidr_ipv4 }
		100 |   cidr_ipv4 = each.key
		101 | }

Check: CKV_AWS_66: "Ensure that CloudWatch Log Group specifies retention days"
	FAILED for resource: aws_cloudwatch_log_group.capita
	File: /transfer_server_capita.tf:57-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-13

		57 | resource "aws_cloudwatch_log_group" "capita" {
		58 |   name_prefix = "transfer_capita_"
		59 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.capita
	File: /transfer_server_capita.tf:57-59

		57 | resource "aws_cloudwatch_log_group" "capita" {
		58 |   name_prefix = "transfer_capita_"
		59 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.capita
	File: /transfer_server_capita.tf:57-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		57 | resource "aws_cloudwatch_log_group" "capita" {
		58 |   name_prefix = "transfer_capita_"
		59 | }

Check: CKV_AWS_66: "Ensure that CloudWatch Log Group specifies retention days"
	FAILED for resource: aws_cloudwatch_log_group.civica
	File: /transfer_server_civica.tf:57-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-13

		57 | resource "aws_cloudwatch_log_group" "civica" {
		58 |   name_prefix = "transfer_civica_"
		59 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.civica
	File: /transfer_server_civica.tf:57-59

		57 | resource "aws_cloudwatch_log_group" "civica" {
		58 |   name_prefix = "transfer_civica_"
		59 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.civica
	File: /transfer_server_civica.tf:57-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		57 | resource "aws_cloudwatch_log_group" "civica" {
		58 |   name_prefix = "transfer_civica_"
		59 | }

Check: CKV_AWS_66: "Ensure that CloudWatch Log Group specifies retention days"
	FAILED for resource: aws_cloudwatch_log_group.g4s
	File: /transfer_server_g4s.tf:57-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-13

		57 | resource "aws_cloudwatch_log_group" "g4s" {
		58 |   name_prefix = "transfer_g4s_"
		59 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.g4s
	File: /transfer_server_g4s.tf:57-59

		57 | resource "aws_cloudwatch_log_group" "g4s" {
		58 |   name_prefix = "transfer_g4s_"
		59 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.g4s
	File: /transfer_server_g4s.tf:57-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		57 | resource "aws_cloudwatch_log_group" "g4s" {
		58 |   name_prefix = "transfer_g4s_"
		59 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.log_bucket
	File: /s3.tf:5-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		5 | resource "aws_s3_bucket" "log_bucket" {
		6 |   bucket_prefix = "em-data-store-logs-"
		7 |   force_destroy = true
		8 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.capita_landing_bucket
	File: /s3.tf:48-50
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		48 | resource "aws_s3_bucket" "capita_landing_bucket" {
		49 |   bucket = "capita-${random_string.capita.result}"
		50 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.civica_landing_bucket
	File: /s3.tf:132-134
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		132 | resource "aws_s3_bucket" "civica_landing_bucket" {
		133 |   bucket = "civica-${random_string.civica.result}"
		134 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.g4s_landing_bucket
	File: /s3.tf:215-217
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		215 | resource "aws_s3_bucket" "g4s_landing_bucket" {
		216 |   bucket = "g4s-${random_string.g4s.result}"
		217 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.data_store_bucket
	File: /s3.tf:287-289
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		287 | resource "aws_s3_bucket" "data_store_bucket" {
		288 |   bucket_prefix = "em-data-store-"
		289 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.data_store_bucket
	File: /s3.tf:287-289
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		287 | resource "aws_s3_bucket" "data_store_bucket" {
		288 |   bucket_prefix = "em-data-store-"
		289 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.log_bucket
	File: /s3.tf:5-8

		5 | resource "aws_s3_bucket" "log_bucket" {
		6 |   bucket_prefix = "em-data-store-logs-"
		7 |   force_destroy = true
		8 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.capita_landing_bucket
	File: /s3.tf:48-50

		48 | resource "aws_s3_bucket" "capita_landing_bucket" {
		49 |   bucket = "capita-${random_string.capita.result}"
		50 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.civica_landing_bucket
	File: /s3.tf:132-134

		132 | resource "aws_s3_bucket" "civica_landing_bucket" {
		133 |   bucket = "civica-${random_string.civica.result}"
		134 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.g4s_landing_bucket
	File: /s3.tf:215-217

		215 | resource "aws_s3_bucket" "g4s_landing_bucket" {
		216 |   bucket = "g4s-${random_string.g4s.result}"
		217 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.data_store_bucket
	File: /s3.tf:287-289

		287 | resource "aws_s3_bucket" "data_store_bucket" {
		288 |   bucket_prefix = "em-data-store-"
		289 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.log_bucket
	File: /s3.tf:5-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		5 | resource "aws_s3_bucket" "log_bucket" {
		6 |   bucket_prefix = "em-data-store-logs-"
		7 |   force_destroy = true
		8 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.capita_landing_bucket
	File: /s3.tf:48-50
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		48 | resource "aws_s3_bucket" "capita_landing_bucket" {
		49 |   bucket = "capita-${random_string.capita.result}"
		50 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.civica_landing_bucket
	File: /s3.tf:132-134
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		132 | resource "aws_s3_bucket" "civica_landing_bucket" {
		133 |   bucket = "civica-${random_string.civica.result}"
		134 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.g4s_landing_bucket
	File: /s3.tf:215-217
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		215 | resource "aws_s3_bucket" "g4s_landing_bucket" {
		216 |   bucket = "g4s-${random_string.g4s.result}"
		217 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.log_bucket
	File: /s3.tf:5-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		5 | resource "aws_s3_bucket" "log_bucket" {
		6 |   bucket_prefix = "em-data-store-logs-"
		7 |   force_destroy = true
		8 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.capita_landing_bucket
	File: /s3.tf:48-50
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		48 | resource "aws_s3_bucket" "capita_landing_bucket" {
		49 |   bucket = "capita-${random_string.capita.result}"
		50 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.civica_landing_bucket
	File: /s3.tf:132-134
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		132 | resource "aws_s3_bucket" "civica_landing_bucket" {
		133 |   bucket = "civica-${random_string.civica.result}"
		134 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.g4s_landing_bucket
	File: /s3.tf:215-217
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		215 | resource "aws_s3_bucket" "g4s_landing_bucket" {
		216 |   bucket = "g4s-${random_string.g4s.result}"
		217 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.data_store_bucket
	File: /s3.tf:287-289
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		287 | resource "aws_s3_bucket" "data_store_bucket" {
		288 |   bucket_prefix = "em-data-store-"
		289 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.log_bucket
	File: /s3.tf:5-8

		5 | resource "aws_s3_bucket" "log_bucket" {
		6 |   bucket_prefix = "em-data-store-logs-"
		7 |   force_destroy = true
		8 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.capita_landing_bucket
	File: /s3.tf:48-50

		48 | resource "aws_s3_bucket" "capita_landing_bucket" {
		49 |   bucket = "capita-${random_string.capita.result}"
		50 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.civica_landing_bucket
	File: /s3.tf:132-134

		132 | resource "aws_s3_bucket" "civica_landing_bucket" {
		133 |   bucket = "civica-${random_string.civica.result}"
		134 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.g4s_landing_bucket
	File: /s3.tf:215-217

		215 | resource "aws_s3_bucket" "g4s_landing_bucket" {
		216 |   bucket = "g4s-${random_string.g4s.result}"
		217 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.data_store_bucket
	File: /s3.tf:287-289

		287 | resource "aws_s3_bucket" "data_store_bucket" {
		288 |   bucket_prefix = "em-data-store-"
		289 | }


checkov_exitcode=1

TFLint Scan Failed

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running tflint in terraform/environments/electronic-monitoring-data
Excluding the following checks: terraform_unused_declarations
1 issue(s) found:

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/s3.tf line 207:
 207: resource "random_string" "g4s" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan

Show Output

@pricemg
Contributor Author

pricemg commented Jan 31, 2024

@pricemg pricemg closed this Jan 31, 2024