Dsos 2552 create ebs volume dashboard nomis #4738

shajida95 · 2024-01-29T22:22:03Z

Using the AWSSupport-CalculateEBSPerformanceMetrics automation runbook, separate dashboards are created for EBS volumes to visualise:

Volume Disk IOPs
Volume Disk Throughput

IAM role EBSPerformanceMonitoringRole is used to create the EBS cloudwatch dashboards.

modernisation-platform-ci · 2024-01-29T22:23:41Z

@shajida95 Terraform plan evalaution detected changes to resources that require approval from a member of @ministryofjustice/modernisation-platform

modernisation-platform-ci · 2024-01-29T22:23:43Z

@shajida95 Terraform plan evalaution detected changes to resources that require approval from a member of @ministryofjustice/modernisation-platform

modernisation-platform-ci · 2024-01-29T22:24:01Z

@shajida95 Terraform plan evalaution detected changes to resources that require approval from a member of @ministryofjustice/modernisation-platform

github-actions · 2024-01-29T22:24:04Z

`TFSEC Scan` Failed

Show Output

```hcl

TFSEC will check the following folders:
terraform/environments/electronic-monitoring-data

Running TFSEC in terraform/environments/electronic-monitoring-data
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available
for the time being, although our engineering
attention will be directed at Trivy going forward.

You can read more here:
aquasecurity/tfsec#1994

Result #1 HIGH No public access block so not blocking public acls
────────────────────────────────────────────────────────────────────────────────
s3.tf:160-162
────────────────────────────────────────────────────────────────────────────────
160 resource "aws_s3_bucket" "g4s_landing_bucket" {
161 bucket = "g4s-${random_string.g4s.result}"
162 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-block-public-acls
Impact PUT calls with public ACLs specified can make objects public
Resolution Enable blocking any PUT calls with a public ACL specified

More Information

https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/block-public-acls/
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#block_public_acls
────────────────────────────────────────────────────────────────────────────────

Result #2 HIGH No public access block so not blocking public policies
────────────────────────────────────────────────────────────────────────────────
s3.tf:160-162
────────────────────────────────────────────────────────────────────────────────
160 resource "aws_s3_bucket" "g4s_landing_bucket" {
161 bucket = "g4s-${random_string.g4s.result}"
162 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-block-public-policy
Impact Users could put a policy that allows public access
Resolution Prevent policies that allow public access being PUT

More Information

https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/block-public-policy/
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#block_public_policy
────────────────────────────────────────────────────────────────────────────────

Result #3 HIGH Bucket does not have encryption enabled
────────────────────────────────────────────────────────────────────────────────
s3.tf:160-162
────────────────────────────────────────────────────────────────────────────────
160 resource "aws_s3_bucket" "g4s_landing_bucket" {
161 bucket = "g4s-${random_string.g4s.result}"
162 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-enable-bucket-encryption
Impact The bucket objects could be read if compromised
Resolution Configure bucket encryption

More Information

https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/enable-bucket-encryption/
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#enable-default-server-side-encryption
────────────────────────────────────────────────────────────────────────────────

Result #4 HIGH No public access block so not ignoring public acls
────────────────────────────────────────────────────────────────────────────────
s3.tf:160-162
────────────────────────────────────────────────────────────────────────────────
160 resource "aws_s3_bucket" "g4s_landing_bucket" {
161 bucket = "g4s-${random_string.g4s.result}"
162 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-ignore-public-acls
Impact PUT calls with public ACLs specified can make objects public
Resolution Enable ignoring the application of public ACLs in PUT calls

More Information

https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/ignore-public-acls/
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#ignore_public_acls
────────────────────────────────────────────────────────────────────────────────

Result #5 HIGH No public access block so not restricting public buckets
────────────────────────────────────────────────────────────────────────────────
s3.tf:160-162
────────────────────────────────────────────────────────────────────────────────
160 resource "aws_s3_bucket" "g4s_landing_bucket" {
161 bucket = "g4s-${random_string.g4s.result}"
162 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-no-public-buckets
Impact Public buckets can be accessed by anyone
Resolution Limit the access to public buckets to only the owner or AWS Services (eg; CloudFront)

More Information

https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/no-public-buckets/
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#restrict_public_buckets¡
────────────────────────────────────────────────────────────────────────────────

Result #6 HIGH Bucket does not encrypt data with a customer managed key.
────────────────────────────────────────────────────────────────────────────────
s3.tf:160-162
────────────────────────────────────────────────────────────────────────────────
160 resource "aws_s3_bucket" "g4s_landing_bucket" {
161 bucket = "g4s-${random_string.g4s.result}"
162 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-encryption-customer-key
Impact Using AWS managed keys does not allow for fine grained control
Resolution Enable encryption using customer managed keys

More Information

https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/encryption-customer-key/
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#enable-default-server-side-encryption
────────────────────────────────────────────────────────────────────────────────

Result #7 HIGH No public access block so not blocking public acls
────────────────────────────────────────────────────────────────────────────────
s3.tf:214-216
────────────────────────────────────────────────────────────────────────────────
214 resource "aws_s3_bucket" "data_store_bucket" {
215 bucket_prefix = "em-data-store-"
216 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-block-public-acls
Impact PUT calls with public ACLs specified can make objects public
Resolution Enable blocking any PUT calls with a public ACL specified

More Information

https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/block-public-acls/
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#block_public_acls
────────────────────────────────────────────────────────────────────────────────

Result #8 HIGH No public access block so not blocking public policies
────────────────────────────────────────────────────────────────────────────────
s3.tf:214-216
────────────────────────────────────────────────────────────────────────────────
214 resource "aws_s3_bucket" "data_store_bucket" {
215 bucket_prefix = "em-data-store-"
216 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-block-public-policy
Impact Users could put a policy that allows public access
Resolution Prevent policies that allow public access being PUT

More Information

https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/block-public-policy/
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#block_public_policy
────────────────────────────────────────────────────────────────────────────────

Result #9 HIGH Bucket does not have encryption enabled
────────────────────────────────────────────────────────────────────────────────
s3.tf:214-216
────────────────────────────────────────────────────────────────────────────────
214 resource "aws_s3_bucket" "data_store_bucket" {
215 bucket_prefix = "em-data-store-"
216 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-enable-bucket-encryption
Impact The bucket objects could be read if compromised
Resolution Configure bucket encryption

More Information

https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/enable-bucket-encryption/
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#enable-default-server-side-encryption
────────────────────────────────────────────────────────────────────────────────

Result #10 HIGH No public access block so not ignoring public acls
────────────────────────────────────────────────────────────────────────────────
s3.tf:214-216
────────────────────────────────────────────────────────────────────────────────
214 resource "aws_s3_bucket" "data_store_bucket" {
215 bucket_prefix = "em-data-store-"
216 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-ignore-public-acls
Impact PUT calls with public ACLs specified can make objects public
Resolution Enable ignoring the application of public ACLs in PUT calls

More Information

https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/ignore-public-acls/
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#ignore_public_acls
────────────────────────────────────────────────────────────────────────────────

Result #11 HIGH No public access block so not restricting public buckets
────────────────────────────────────────────────────────────────────────────────
s3.tf:214-216
────────────────────────────────────────────────────────────────────────────────
214 resource "aws_s3_bucket" "data_store_bucket" {
215 bucket_prefix = "em-data-store-"
216 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-no-public-buckets
Impact Public buckets can be accessed by anyone
Resolution Limit the access to public buckets to only the owner or AWS Services (eg; CloudFront)

More Information

https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/no-public-buckets/
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#restrict_public_buckets¡
────────────────────────────────────────────────────────────────────────────────

Result #12 HIGH Bucket does not encrypt data with a customer managed key.
────────────────────────────────────────────────────────────────────────────────
s3.tf:214-216
────────────────────────────────────────────────────────────────────────────────
214 resource "aws_s3_bucket" "data_store_bucket" {
215 bucket_prefix = "em-data-store-"
216 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-encryption-customer-key
Impact Using AWS managed keys does not allow for fine grained control
Resolution Enable encryption using customer managed keys

More Information

https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/encryption-customer-key/
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#enable-default-server-side-encryption
────────────────────────────────────────────────────────────────────────────────

Result #13 HIGH No public access block so not blocking public acls
────────────────────────────────────────────────────────────────────────────────
s3.tf:30-32
────────────────────────────────────────────────────────────────────────────────
30 resource "aws_s3_bucket" "capita_landing_bucket" {
31 bucket = "capita-${random_string.capita.result}"
32 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-block-public-acls
Impact PUT calls with public ACLs specified can make objects public
Resolution Enable blocking any PUT calls with a public ACL specified

More Information

https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/block-public-acls/
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#block_public_acls
────────────────────────────────────────────────────────────────────────────────

Result #14 HIGH No public access block so not blocking public policies
────────────────────────────────────────────────────────────────────────────────
s3.tf:30-32
────────────────────────────────────────────────────────────────────────────────
30 resource "aws_s3_bucket" "capita_landing_bucket" {
31 bucket = "capita-${random_string.capita.result}"
32 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-block-public-policy
Impact Users could put a policy that allows public access
Resolution Prevent policies that allow public access being PUT

More Information

https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/block-public-policy/
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#block_public_policy
────────────────────────────────────────────────────────────────────────────────

Result #15 HIGH Bucket does not have encryption enabled
────────────────────────────────────────────────────────────────────────────────
s3.tf:30-32
────────────────────────────────────────────────────────────────────────────────
30 resource "aws_s3_bucket" "capita_landing_bucket" {
31 bucket = "capita-${random_string.capita.result}"
32 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-enable-bucket-encryption
Impact The bucket objects could be read if compromised
Resolution Configure bucket encryption

More Information

https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/enable-bucket-encryption/
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#enable-default-server-side-encryption
────────────────────────────────────────────────────────────────────────────────

Result #16 HIGH No public access block so not ignoring public acls
────────────────────────────────────────────────────────────────────────────────
s3.tf:30-32
────────────────────────────────────────────────────────────────────────────────
30 resource "aws_s3_bucket" "capita_landing_bucket" {
31 bucket = "capita-${random_string.capita.result}"
32 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-ignore-public-acls
Impact PUT calls with public ACLs specified can make objects public
Resolution Enable ignoring the application of public ACLs in PUT calls

More Information

https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/ignore-public-acls/
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#ignore_public_acls
────────────────────────────────────────────────────────────────────────────────

Result #17 HIGH No public access block so not restricting public buckets
────────────────────────────────────────────────────────────────────────────────
s3.tf:30-32
────────────────────────────────────────────────────────────────────────────────
30 resource "aws_s3_bucket" "capita_landing_bucket" {
31 bucket = "capita-${random_string.capita.result}"
32 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-no-public-buckets
Impact Public buckets can be accessed by anyone
Resolution Limit the access to public buckets to only the owner or AWS Services (eg; CloudFront)

More Information

https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/no-public-buckets/
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#restrict_public_buckets¡
────────────────────────────────────────────────────────────────────────────────

Result #18 HIGH Bucket does not encrypt data with a customer managed key.
────────────────────────────────────────────────────────────────────────────────
s3.tf:30-32
────────────────────────────────────────────────────────────────────────────────
30 resource "aws_s3_bucket" "capita_landing_bucket" {
31 bucket = "capita-${random_string.capita.result}"
32 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-encryption-customer-key
Impact Using AWS managed keys does not allow for fine grained control
Resolution Enable encryption using customer managed keys

More Information

https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/encryption-customer-key/
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#enable-default-server-side-encryption
────────────────────────────────────────────────────────────────────────────────

Result #19 HIGH No public access block so not blocking public acls
────────────────────────────────────────────────────────────────────────────────
s3.tf:5-8
────────────────────────────────────────────────────────────────────────────────
5 resource "aws_s3_bucket" "log_bucket" {
6 bucket_prefix = "em-data-store-logs-"
7 force_destroy = true
8 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-block-public-acls
Impact PUT calls with public ACLs specified can make objects public
Resolution Enable blocking any PUT calls with a public ACL specified

More Information

https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/block-public-acls/
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#block_public_acls
────────────────────────────────────────────────────────────────────────────────

Result #20 HIGH No public access block so not blocking public policies
────────────────────────────────────────────────────────────────────────────────
s3.tf:5-8
────────────────────────────────────────────────────────────────────────────────
5 resource "aws_s3_bucket" "log_bucket" {
6 bucket_prefix = "em-data-store-logs-"
7 force_destroy = true
8 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-block-public-policy
Impact Users could put a policy that allows public access
Resolution Prevent policies that allow public access being PUT

More Information

https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/block-public-policy/
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#block_public_policy
────────────────────────────────────────────────────────────────────────────────

Result #21 HIGH Bucket does not have encryption enabled
────────────────────────────────────────────────────────────────────────────────
s3.tf:5-8
────────────────────────────────────────────────────────────────────────────────
5 resource "aws_s3_bucket" "log_bucket" {
6 bucket_prefix = "em-data-store-logs-"
7 force_destroy = true
8 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-enable-bucket-encryption
Impact The bucket objects could be read if compromised
Resolution Configure bucket encryption

More Information

https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/enable-bucket-encryption/
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#enable-default-server-side-encryption
────────────────────────────────────────────────────────────────────────────────

Result #22 HIGH No public access block so not ignoring public acls
────────────────────────────────────────────────────────────────────────────────
s3.tf:5-8
────────────────────────────────────────────────────────────────────────────────
5 resource "aws_s3_bucket" "log_bucket" {
6 bucket_prefix = "em-data-store-logs-"
7 force_destroy = true
8 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-ignore-public-acls
Impact PUT calls with public ACLs specified can make objects public
Resolution Enable ignoring the application of public ACLs in PUT calls

More Information

https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/ignore-public-acls/
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#ignore_public_acls
────────────────────────────────────────────────────────────────────────────────

Result #23 HIGH No public access block so not restricting public buckets
────────────────────────────────────────────────────────────────────────────────
s3.tf:5-8
────────────────────────────────────────────────────────────────────────────────
5 resource "aws_s3_bucket" "log_bucket" {
6 bucket_prefix = "em-data-store-logs-"
7 force_destroy = true
8 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-no-public-buckets
Impact Public buckets can be accessed by anyone
Resolution Limit the access to public buckets to only the owner or AWS Services (eg; CloudFront)

More Information

https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/no-public-buckets/
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#restrict_public_buckets¡
────────────────────────────────────────────────────────────────────────────────

Result #24 HIGH Bucket does not encrypt data with a customer managed key.
────────────────────────────────────────────────────────────────────────────────
s3.tf:5-8
────────────────────────────────────────────────────────────────────────────────
5 resource "aws_s3_bucket" "log_bucket" {
6 bucket_prefix = "em-data-store-logs-"
7 force_destroy = true
8 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-encryption-customer-key
Impact Using AWS managed keys does not allow for fine grained control
Resolution Enable encryption using customer managed keys

More Information

https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/encryption-customer-key/
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#enable-default-server-side-encryption
────────────────────────────────────────────────────────────────────────────────

Result #25 HIGH No public access block so not blocking public acls
────────────────────────────────────────────────────────────────────────────────
s3.tf:95-97
────────────────────────────────────────────────────────────────────────────────
95 resource "aws_s3_bucket" "civica_landing_bucket" {
96 bucket = "civica-${random_string.civica.result}"
97 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-block-public-acls
Impact PUT calls with public ACLs specified can make objects public
Resolution Enable blocking any PUT calls with a public ACL specified

More Information

https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/block-public-acls/
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#block_public_acls
────────────────────────────────────────────────────────────────────────────────

Result #26 HIGH No public access block so not blocking public policies
────────────────────────────────────────────────────────────────────────────────
s3.tf:95-97
────────────────────────────────────────────────────────────────────────────────
95 resource "aws_s3_bucket" "civica_landing_bucket" {
96 bucket = "civica-${random_string.civica.result}"
97 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-block-public-policy
Impact Users could put a policy that allows public access
Resolution Prevent policies that allow public access being PUT

More Information

https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/block-public-policy/
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#block_public_policy
────────────────────────────────────────────────────────────────────────────────

Result #27 HIGH Bucket does not have encryption enabled
────────────────────────────────────────────────────────────────────────────────
s3.tf:95-97
────────────────────────────────────────────────────────────────────────────────
95 resource "aws_s3_bucket" "civica_landing_bucket" {
96 bucket = "civica-${random_string.civica.result}"
97 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-enable-bucket-encryption
Impact The bucket objects could be read if compromised
Resolution Configure bucket encryption

More Information

https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/enable-bucket-encryption/
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#enable-default-server-side-encryption
────────────────────────────────────────────────────────────────────────────────

Result #28 HIGH No public access block so not ignoring public acls
────────────────────────────────────────────────────────────────────────────────
s3.tf:95-97
────────────────────────────────────────────────────────────────────────────────
95 resource "aws_s3_bucket" "civica_landing_bucket" {
96 bucket = "civica-${random_string.civica.result}"
97 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-ignore-public-acls
Impact PUT calls with public ACLs specified can make objects public
Resolution Enable ignoring the application of public ACLs in PUT calls

More Information

https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/ignore-public-acls/
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#ignore_public_acls
────────────────────────────────────────────────────────────────────────────────

Result #29 HIGH No public access block so not restricting public buckets
────────────────────────────────────────────────────────────────────────────────
s3.tf:95-97
────────────────────────────────────────────────────────────────────────────────
95 resource "aws_s3_bucket" "civica_landing_bucket" {
96 bucket = "civica-${random_string.civica.result}"
97 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-no-public-buckets
Impact Public buckets can be accessed by anyone
Resolution Limit the access to public buckets to only the owner or AWS Services (eg; CloudFront)

More Information

https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/no-public-buckets/
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#restrict_public_buckets¡
────────────────────────────────────────────────────────────────────────────────

Result #30 HIGH Bucket does not encrypt data with a customer managed key.
────────────────────────────────────────────────────────────────────────────────
s3.tf:95-97
────────────────────────────────────────────────────────────────────────────────
95 resource "aws_s3_bucket" "civica_landing_bucket" {
96 bucket = "civica-${random_string.civica.result}"
97 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-encryption-customer-key
Impact Using AWS managed keys does not allow for fine grained control
Resolution Enable encryption using customer managed keys

More Information

https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/encryption-customer-key/
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#enable-default-server-side-encryption
────────────────────────────────────────────────────────────────────────────────

Result #31 MEDIUM Bucket does not have versioning enabled
────────────────────────────────────────────────────────────────────────────────
s3.tf:128
────────────────────────────────────────────────────────────────────────────────
125 resource "aws_s3_bucket_versioning" "civica" {
126 bucket = aws_s3_bucket.civica_landing_bucket.id
127 versioning_configuration {
128 [ status = "Disabled"
129 }
130 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-enable-versioning
Impact Deleted or modified data would not be recoverable
Resolution Enable versioning to protect against accidental/malicious removal or modification

More Information

https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/enable-versioning/
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#versioning
────────────────────────────────────────────────────────────────────────────────

Result #32 MEDIUM Bucket does not have versioning enabled
────────────────────────────────────────────────────────────────────────────────
s3.tf:193
────────────────────────────────────────────────────────────────────────────────
190 resource "aws_s3_bucket_versioning" "g4s" {
191 bucket = aws_s3_bucket.g4s_landing_bucket.id
192 versioning_configuration {
193 [ status = "Disabled"
194 }
195 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-enable-versioning
Impact Deleted or modified data would not be recoverable
Resolution Enable versioning to protect against accidental/malicious removal or modification

More Information

https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/enable-versioning/
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#versioning
────────────────────────────────────────────────────────────────────────────────

Result #33 MEDIUM Bucket does not have logging enabled
────────────────────────────────────────────────────────────────────────────────
s3.tf:214-216
────────────────────────────────────────────────────────────────────────────────
214 resource "aws_s3_bucket" "data_store_bucket" {
215 bucket_prefix = "em-data-store-"
216 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-enable-bucket-logging
Impact There is no way to determine the access to this bucket
Resolution Add a logging block to the resource to enable access logging

More Information

https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/enable-bucket-logging/
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket
────────────────────────────────────────────────────────────────────────────────

Result #34 MEDIUM Bucket does not have logging enabled
────────────────────────────────────────────────────────────────────────────────
s3.tf:5-8
────────────────────────────────────────────────────────────────────────────────
5 resource "aws_s3_bucket" "log_bucket" {
6 bucket_prefix = "em-data-store-logs-"
7 force_destroy = true
8 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-enable-bucket-logging
Impact There is no way to determine the access to this bucket
Resolution Add a logging block to the resource to enable access logging

More Information

https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/enable-bucket-logging/
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket
────────────────────────────────────────────────────────────────────────────────

Result #35 MEDIUM Bucket does not have versioning enabled
────────────────────────────────────────────────────────────────────────────────
s3.tf:5-8
────────────────────────────────────────────────────────────────────────────────
5 resource "aws_s3_bucket" "log_bucket" {
6 bucket_prefix = "em-data-store-logs-"
7 force_destroy = true
8 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-enable-versioning
Impact Deleted or modified data would not be recoverable
Resolution Enable versioning to protect against accidental/malicious removal or modification

More Information

https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/enable-versioning/
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#versioning
────────────────────────────────────────────────────────────────────────────────

Result #36 MEDIUM Bucket does not have versioning enabled
────────────────────────────────────────────────────────────────────────────────
s3.tf:63
────────────────────────────────────────────────────────────────────────────────
60 resource "aws_s3_bucket_versioning" "capita" {
61 bucket = aws_s3_bucket.capita_landing_bucket.id
62 versioning_configuration {
63 [ status = "Disabled"
64 }
65 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-enable-versioning
Impact Deleted or modified data would not be recoverable
Resolution Enable versioning to protect against accidental/malicious removal or modification

More Information

https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/enable-versioning/
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#versioning
────────────────────────────────────────────────────────────────────────────────

Result #37 LOW Bucket does not have a corresponding public access block.
────────────────────────────────────────────────────────────────────────────────
s3.tf:160-162
────────────────────────────────────────────────────────────────────────────────
160 resource "aws_s3_bucket" "g4s_landing_bucket" {
161 bucket = "g4s-${random_string.g4s.result}"
162 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-specify-public-access-block
Impact Public access policies may be applied to sensitive data buckets
Resolution Define a aws_s3_bucket_public_access_block for the given bucket to control public access policies

More Information

https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/specify-public-access-block/
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#bucket
────────────────────────────────────────────────────────────────────────────────

Result #38 LOW Bucket does not have a corresponding public access block.
────────────────────────────────────────────────────────────────────────────────
s3.tf:214-216
────────────────────────────────────────────────────────────────────────────────
214 resource "aws_s3_bucket" "data_store_bucket" {
215 bucket_prefix = "em-data-store-"
216 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-specify-public-access-block
Impact Public access policies may be applied to sensitive data buckets
Resolution Define a aws_s3_bucket_public_access_block for the given bucket to control public access policies

More Information

https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/specify-public-access-block/
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#bucket
────────────────────────────────────────────────────────────────────────────────

Result #39 LOW Bucket does not have a corresponding public access block.
────────────────────────────────────────────────────────────────────────────────
s3.tf:30-32
────────────────────────────────────────────────────────────────────────────────
30 resource "aws_s3_bucket" "capita_landing_bucket" {
31 bucket = "capita-${random_string.capita.result}"
32 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-specify-public-access-block
Impact Public access policies may be applied to sensitive data buckets
Resolution Define a aws_s3_bucket_public_access_block for the given bucket to control public access policies

More Information

https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/specify-public-access-block/
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#bucket
────────────────────────────────────────────────────────────────────────────────

Result #40 LOW Bucket does not have a corresponding public access block.
────────────────────────────────────────────────────────────────────────────────
s3.tf:5-8
────────────────────────────────────────────────────────────────────────────────
5 resource "aws_s3_bucket" "log_bucket" {
6 bucket_prefix = "em-data-store-logs-"
7 force_destroy = true
8 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-specify-public-access-block
Impact Public access policies may be applied to sensitive data buckets
Resolution Define a aws_s3_bucket_public_access_block for the given bucket to control public access policies

More Information

https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/specify-public-access-block/
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#bucket
────────────────────────────────────────────────────────────────────────────────

Result #41 LOW Bucket does not have a corresponding public access block.
────────────────────────────────────────────────────────────────────────────────
s3.tf:95-97
────────────────────────────────────────────────────────────────────────────────
95 resource "aws_s3_bucket" "civica_landing_bucket" {
96 bucket = "civica-${random_string.civica.result}"
97 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-specify-public-access-block
Impact Public access policies may be applied to sensitive data buckets
Resolution Define a aws_s3_bucket_public_access_block for the given bucket to control public access policies

More Information

https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/specify-public-access-block/
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#bucket
────────────────────────────────────────────────────────────────────────────────

Result #42 LOW Log group is not encrypted.
────────────────────────────────────────────────────────────────────────────────
transfer_server_capita.tf:57-59
────────────────────────────────────────────────────────────────────────────────
57 resource "aws_cloudwatch_log_group" "capita" {
58 name_prefix = "transfer_capita_"
59 }
────────────────────────────────────────────────────────────────────────────────
ID aws-cloudwatch-log-group-customer-key
Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
Resolution Enable CMK encryption of CloudWatch Log Groups

More Information

https://aquasecurity.github.io/tfsec/latest/checks/aws/cloudwatch/log-group-customer-key/
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#kms_key_id
────────────────────────────────────────────────────────────────────────────────

Result #43 LOW Log group is not encrypted.
────────────────────────────────────────────────────────────────────────────────
transfer_server_civica.tf:57-59
────────────────────────────────────────────────────────────────────────────────
57 resource "aws_cloudwatch_log_group" "civica" {
58 name_prefix = "transfer_civica_"
59 }
────────────────────────────────────────────────────────────────────────────────
ID aws-cloudwatch-log-group-customer-key
Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
Resolution Enable CMK encryption of CloudWatch Log Groups

More Information

https://aquasecurity.github.io/tfsec/latest/checks/aws/cloudwatch/log-group-customer-key/
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#kms_key_id
────────────────────────────────────────────────────────────────────────────────

Result #44 LOW Log group is not encrypted.
────────────────────────────────────────────────────────────────────────────────
transfer_server_g4s.tf:57-59
────────────────────────────────────────────────────────────────────────────────
57 resource "aws_cloudwatch_log_group" "g4s" {
58 name_prefix = "transfer_g4s_"
59 }
────────────────────────────────────────────────────────────────────────────────
ID aws-cloudwatch-log-group-customer-key
Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
Resolution Enable CMK encryption of CloudWatch Log Groups

More Information

https://aquasecurity.github.io/tfsec/latest/checks/aws/cloudwatch/log-group-customer-key/
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#kms_key_id
────────────────────────────────────────────────────────────────────────────────

timings
──────────────────────────────────────────
disk i/o 341.411µs
parsing 8.055845ms
adaptation 982.309µs
checks 3.543303ms
total 12.922868ms

counts
──────────────────────────────────────────
modules downloaded 0
modules processed 1
blocks processed 117
files read 18

results
──────────────────────────────────────────
passed 77
ignored 0
critical 0
high 30
medium 6
low 8

77 passed, 44 potential problem(s) detected.

tfsec_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running Checkov in terraform/environments/electronic-monitoring-data
terraform scan results:

Passed checks: 271, Failed checks: 46, Skipped checks: 0

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_vpc_security_group_ingress_rule.capita_ip_1
	File: /server_access_capita.tf:67-74
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		67 | resource "aws_vpc_security_group_ingress_rule" "capita_ip_1" {
		68 |   security_group_id = aws_security_group.capita.id
		69 | 
		70 |   cidr_ipv4   = "82.203.33.112/28"
		71 |   ip_protocol = "tcp"
		72 |   from_port   = 2222
		73 |   to_port     = 2222
		74 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_vpc_security_group_ingress_rule.capita_ip_2
	File: /server_access_capita.tf:76-83
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		76 | resource "aws_vpc_security_group_ingress_rule" "capita_ip_2" {
		77 |   security_group_id = aws_security_group.capita.id
		78 | 
		79 |   cidr_ipv4   = "82.203.33.128/28"
		80 |   ip_protocol = "tcp"
		81 |   from_port   = 2222
		82 |   to_port     = 2222
		83 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_vpc_security_group_ingress_rule.capita_ip_3
	File: /server_access_capita.tf:85-92
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		85 | resource "aws_vpc_security_group_ingress_rule" "capita_ip_3" {
		86 |   security_group_id = aws_security_group.capita.id
		87 | 
		88 |   cidr_ipv4   = "85.115.52.0/24"
		89 |   ip_protocol = "tcp"
		90 |   from_port   = 2222
		91 |   to_port     = 2222
		92 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_vpc_security_group_ingress_rule.capita_ip_4
	File: /server_access_capita.tf:94-101
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		94  | resource "aws_vpc_security_group_ingress_rule" "capita_ip_4" {
		95  |   security_group_id = aws_security_group.capita.id
		96  | 
		97  |   cidr_ipv4   = "85.115.53.0/24"
		98  |   ip_protocol = "tcp"
		99  |   from_port   = 2222
		100 |   to_port     = 2222
		101 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_vpc_security_group_ingress_rule.capita_ip_5
	File: /server_access_capita.tf:103-110
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		103 | resource "aws_vpc_security_group_ingress_rule" "capita_ip_5" {
		104 |   security_group_id = aws_security_group.capita.id
		105 | 
		106 |   cidr_ipv4   = "85.115.54.0/24"
		107 |   ip_protocol = "tcp"
		108 |   from_port   = 2222
		109 |   to_port     = 2222
		110 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_vpc_security_group_ingress_rule.test_fynhy_ip
	File: /server_access_test.tf:31-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		31 | resource "aws_vpc_security_group_ingress_rule" "test_fynhy_ip" {
		32 |   security_group_id = aws_security_group.test.id
		33 | 
		34 |   cidr_ipv4   = "46.69.144.146/32"
		35 |   ip_protocol = "tcp"
		36 |   from_port   = 2222
		37 |   to_port     = 2222
		38 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_vpc_security_group_ingress_rule.test_petty_france_ip
	File: /server_access_test.tf:40-47
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		40 | resource "aws_vpc_security_group_ingress_rule" "test_petty_france_ip" {
		41 |   security_group_id = aws_security_group.test.id
		42 | 
		43 |   cidr_ipv4   = "81.134.202.29/32"
		44 |   ip_protocol = "tcp"
		45 |   from_port   = 2222
		46 |   to_port     = 2222
		47 | }

Check: CKV_AWS_66: "Ensure that CloudWatch Log Group specifies retention days"
	FAILED for resource: aws_cloudwatch_log_group.capita
	File: /transfer_server_capita.tf:57-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-13

		57 | resource "aws_cloudwatch_log_group" "capita" {
		58 |   name_prefix = "transfer_capita_"
		59 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.capita
	File: /transfer_server_capita.tf:57-59

		57 | resource "aws_cloudwatch_log_group" "capita" {
		58 |   name_prefix = "transfer_capita_"
		59 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.capita
	File: /transfer_server_capita.tf:57-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		57 | resource "aws_cloudwatch_log_group" "capita" {
		58 |   name_prefix = "transfer_capita_"
		59 | }

Check: CKV_AWS_66: "Ensure that CloudWatch Log Group specifies retention days"
	FAILED for resource: aws_cloudwatch_log_group.civica
	File: /transfer_server_civica.tf:57-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-13

		57 | resource "aws_cloudwatch_log_group" "civica" {
		58 |   name_prefix = "transfer_civica_"
		59 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.civica
	File: /transfer_server_civica.tf:57-59

		57 | resource "aws_cloudwatch_log_group" "civica" {
		58 |   name_prefix = "transfer_civica_"
		59 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.civica
	File: /transfer_server_civica.tf:57-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		57 | resource "aws_cloudwatch_log_group" "civica" {
		58 |   name_prefix = "transfer_civica_"
		59 | }

Check: CKV_AWS_66: "Ensure that CloudWatch Log Group specifies retention days"
	FAILED for resource: aws_cloudwatch_log_group.g4s
	File: /transfer_server_g4s.tf:57-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-13

		57 | resource "aws_cloudwatch_log_group" "g4s" {
		58 |   name_prefix = "transfer_g4s_"
		59 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.g4s
	File: /transfer_server_g4s.tf:57-59

		57 | resource "aws_cloudwatch_log_group" "g4s" {
		58 |   name_prefix = "transfer_g4s_"
		59 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.g4s
	File: /transfer_server_g4s.tf:57-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		57 | resource "aws_cloudwatch_log_group" "g4s" {
		58 |   name_prefix = "transfer_g4s_"
		59 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.log_bucket
	File: /s3.tf:5-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		5 | resource "aws_s3_bucket" "log_bucket" {
		6 |   bucket_prefix = "em-data-store-logs-"
		7 |   force_destroy = true
		8 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.capita_landing_bucket
	File: /s3.tf:30-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		30 | resource "aws_s3_bucket" "capita_landing_bucket" {
		31 |   bucket = "capita-${random_string.capita.result}"
		32 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.civica_landing_bucket
	File: /s3.tf:95-97
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		95 | resource "aws_s3_bucket" "civica_landing_bucket" {
		96 |   bucket = "civica-${random_string.civica.result}"
		97 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.g4s_landing_bucket
	File: /s3.tf:160-162
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		160 | resource "aws_s3_bucket" "g4s_landing_bucket" {
		161 |   bucket = "g4s-${random_string.g4s.result}"
		162 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.data_store_bucket
	File: /s3.tf:214-216
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		214 | resource "aws_s3_bucket" "data_store_bucket" {
		215 |   bucket_prefix = "em-data-store-"
		216 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.data_store_bucket
	File: /s3.tf:214-216
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		214 | resource "aws_s3_bucket" "data_store_bucket" {
		215 |   bucket_prefix = "em-data-store-"
		216 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.log_bucket
	File: /s3.tf:5-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		5 | resource "aws_s3_bucket" "log_bucket" {
		6 |   bucket_prefix = "em-data-store-logs-"
		7 |   force_destroy = true
		8 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.capita_landing_bucket
	File: /s3.tf:30-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		30 | resource "aws_s3_bucket" "capita_landing_bucket" {
		31 |   bucket = "capita-${random_string.capita.result}"
		32 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.civica_landing_bucket
	File: /s3.tf:95-97
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		95 | resource "aws_s3_bucket" "civica_landing_bucket" {
		96 |   bucket = "civica-${random_string.civica.result}"
		97 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.g4s_landing_bucket
	File: /s3.tf:160-162
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		160 | resource "aws_s3_bucket" "g4s_landing_bucket" {
		161 |   bucket = "g4s-${random_string.g4s.result}"
		162 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.log_bucket
	File: /s3.tf:5-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		5 | resource "aws_s3_bucket" "log_bucket" {
		6 |   bucket_prefix = "em-data-store-logs-"
		7 |   force_destroy = true
		8 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.capita_landing_bucket
	File: /s3.tf:30-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		30 | resource "aws_s3_bucket" "capita_landing_bucket" {
		31 |   bucket = "capita-${random_string.capita.result}"
		32 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.civica_landing_bucket
	File: /s3.tf:95-97
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		95 | resource "aws_s3_bucket" "civica_landing_bucket" {
		96 |   bucket = "civica-${random_string.civica.result}"
		97 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.g4s_landing_bucket
	File: /s3.tf:160-162
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		160 | resource "aws_s3_bucket" "g4s_landing_bucket" {
		161 |   bucket = "g4s-${random_string.g4s.result}"
		162 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.data_store_bucket
	File: /s3.tf:214-216
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		214 | resource "aws_s3_bucket" "data_store_bucket" {
		215 |   bucket_prefix = "em-data-store-"
		216 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.log_bucket
	File: /s3.tf:5-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		5 | resource "aws_s3_bucket" "log_bucket" {
		6 |   bucket_prefix = "em-data-store-logs-"
		7 |   force_destroy = true
		8 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.capita_landing_bucket
	File: /s3.tf:30-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		30 | resource "aws_s3_bucket" "capita_landing_bucket" {
		31 |   bucket = "capita-${random_string.capita.result}"
		32 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.civica_landing_bucket
	File: /s3.tf:95-97
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		95 | resource "aws_s3_bucket" "civica_landing_bucket" {
		96 |   bucket = "civica-${random_string.civica.result}"
		97 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.g4s_landing_bucket
	File: /s3.tf:160-162
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		160 | resource "aws_s3_bucket" "g4s_landing_bucket" {
		161 |   bucket = "g4s-${random_string.g4s.result}"
		162 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.data_store_bucket
	File: /s3.tf:214-216
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		214 | resource "aws_s3_bucket" "data_store_bucket" {
		215 |   bucket_prefix = "em-data-store-"
		216 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.log_bucket
	File: /s3.tf:5-8

		5 | resource "aws_s3_bucket" "log_bucket" {
		6 |   bucket_prefix = "em-data-store-logs-"
		7 |   force_destroy = true
		8 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.capita_landing_bucket
	File: /s3.tf:30-32

		30 | resource "aws_s3_bucket" "capita_landing_bucket" {
		31 |   bucket = "capita-${random_string.capita.result}"
		32 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.civica_landing_bucket
	File: /s3.tf:95-97

		95 | resource "aws_s3_bucket" "civica_landing_bucket" {
		96 |   bucket = "civica-${random_string.civica.result}"
		97 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.g4s_landing_bucket
	File: /s3.tf:160-162

		160 | resource "aws_s3_bucket" "g4s_landing_bucket" {
		161 |   bucket = "g4s-${random_string.g4s.result}"
		162 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.data_store_bucket
	File: /s3.tf:214-216

		214 | resource "aws_s3_bucket" "data_store_bucket" {
		215 |   bucket_prefix = "em-data-store-"
		216 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.log_bucket
	File: /s3.tf:5-8

		5 | resource "aws_s3_bucket" "log_bucket" {
		6 |   bucket_prefix = "em-data-store-logs-"
		7 |   force_destroy = true
		8 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.capita_landing_bucket
	File: /s3.tf:30-32

		30 | resource "aws_s3_bucket" "capita_landing_bucket" {
		31 |   bucket = "capita-${random_string.capita.result}"
		32 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.civica_landing_bucket
	File: /s3.tf:95-97

		95 | resource "aws_s3_bucket" "civica_landing_bucket" {
		96 |   bucket = "civica-${random_string.civica.result}"
		97 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.g4s_landing_bucket
	File: /s3.tf:160-162

		160 | resource "aws_s3_bucket" "g4s_landing_bucket" {
		161 |   bucket = "g4s-${random_string.g4s.result}"
		162 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.data_store_bucket
	File: /s3.tf:214-216

		214 | resource "aws_s3_bucket" "data_store_bucket" {
		215 |   bucket_prefix = "em-data-store-"
		216 | }


checkov_exitcode=1

`CTFLint Scan` Failed

Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running tflint in terraform/environments/electronic-monitoring-data
Excluding the following checks: terraform_unused_declarations
1 issue(s) found:

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/s3.tf line 152:
 152: resource "random_string" "g4s" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

tflint_exitcode=2

`Trivy Scan`

Show Output

github-actions · 2024-03-01T01:37:32Z

This PR is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 10 days.

github-actions · 2024-03-12T01:33:27Z

This PR was closed because it has been stalled for 40 days with no activity.

Shajida Akthar added 17 commits January 26, 2024 12:28

Run SSM doc for AWSSupport-CalculateEBSPerformanceMetrics

25439e4

Run SSM doc for AWSSupport-CalculateEBSPerformanceMetrics

0c57316

Updated EBS performance stats timestamps

a1141fd

AWS SSM association for calculating EBS performance

b937961

AWS SSM association for calculating EBS performance

693f040

Assume AWS SSM role for executing ssm doc

44e38a5

Assume AWS SSM role for executing ssm doc

07409f7

Merge branch 'main' into dsos-2552-create-ebs-volume-dashboard-nomis

e03622e

Assume AWS SSM role for executing ssm doc

6c18e21

Assume AWS SSM role for executing ssm doc

a250abc

Update target key

4a61fed

Update target key

1bb9425

Create IAM role for EBS Performance metrics dashboard

3f06888

Add EBS Performance Monitoring IAM role

81cbd79

Update SSM assoc with new IAM role

7dc1589

Remove accidental paste

073da97

Grant Cloudwatch full access to create EBS performance dashboardd

3fdca33

shajida95 requested review from a team as code owners January 29, 2024 22:22

github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label Jan 29, 2024

shajida95 had a problem deploying to nomis-test January 29, 2024 22:24 — with GitHub Actions Failure

jnqn approved these changes Jan 30, 2024

View reviewed changes

github-actions bot added the Stale label Mar 1, 2024

github-actions bot closed this Mar 12, 2024

github-actions bot deleted the dsos-2552-create-ebs-volume-dashboard-nomis branch March 12, 2024 01:33

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Dsos 2552 create ebs volume dashboard nomis #4738

Dsos 2552 create ebs volume dashboard nomis #4738

shajida95 commented Jan 29, 2024

modernisation-platform-ci commented Jan 29, 2024

modernisation-platform-ci commented Jan 29, 2024

modernisation-platform-ci commented Jan 29, 2024

github-actions bot commented Jan 29, 2024

You can read more here:
aquasecurity/tfsec#1994

github-actions bot commented Mar 1, 2024

github-actions bot commented Mar 12, 2024

Dsos 2552 create ebs volume dashboard nomis #4738

Dsos 2552 create ebs volume dashboard nomis #4738

Conversation

shajida95 commented Jan 29, 2024

modernisation-platform-ci commented Jan 29, 2024

modernisation-platform-ci commented Jan 29, 2024

modernisation-platform-ci commented Jan 29, 2024

github-actions bot commented Jan 29, 2024

TFSEC Scan Failed

You can read more here: aquasecurity/tfsec#1994

CTFLint Scan Failed

Trivy Scan

github-actions bot commented Mar 1, 2024

github-actions bot commented Mar 12, 2024

`TFSEC Scan` Failed

You can read more here:
aquasecurity/tfsec#1994

`CTFLint Scan` Failed

`Trivy Scan`