
JML- added-actions-to-poicy-statements #4772

Merged
merged 1 commit into from
Jan 31, 2024

Conversation

murad-ali-MoJ (Contributor)

Added start, stop and getqueryexecution
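The tfsec output below flags `aws_iam_role_policy.app_task` for `ecr:*`, `iam:*` and `ec2:*` granted on `Resource: "*"` (rule `aws-iam-no-policy-wildcards`). The following is an added example, not code from this PR or from the modernisation-platform repository: a small Python re-implementation of that check, run over the flagged statement as it appears in the scan and over a least-privilege replacement. The replacement's account id, ECR repository name and log group name are placeholders, and the set of actions that legitimately need a `*` resource is a short assumed list rather than tfsec's full table.

```python
import json

# Actions that AWS only lets you grant on Resource "*" (they have no
# resource-level permissions), so a "*" resource is expected for them.
# This short list is an assumption for the example, not tfsec's full table.
RESOURCE_STAR_ONLY = {
    "ecr:GetAuthorizationToken",
    "logs:DescribeLogGroups",
}


def _as_list(value):
    """IAM allows a bare string or a list for Action / Resource."""
    return value if isinstance(value, list) else [value]


def find_wildcards(policy_json):
    """Report the two patterns tfsec groups under aws-iam-no-policy-wildcards.

    Returns a list of (statement_index, kind, action) tuples where kind is
    "wildcard-action" (the action string contains '*') or
    "wildcard-resource" (the action is granted on an exact Resource "*").
    Only Allow statements are inspected; a wildcard in a Deny is not an exposure.
    """
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for action in actions:
            if "*" in action:
                findings.append((idx, "wildcard-action", action))
        if "*" in resources:
            for action in actions:
                if action not in RESOURCE_STAR_ONLY:
                    findings.append((idx, "wildcard-resource", action))
    return findings


# The app_task statement as it appears in the scan output (ecs.tf:443-450),
# reconstructed here from the visible lines.
FLAGGED_APP_TASK = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["logs:CreateLogStream", "logs:PutLogEvents",
                   "ecr:*", "iam:*", "ec2:*"],
        "Resource": "*",
    }],
})

# Least-privilege replacement. Assumptions (placeholders, not from the PR):
# the task only needs to pull one image and write to its own log group;
# the account id, repository name and log group name are made up.
ACCOUNT_ID = "123456789012"
REGION = "eu-west-2"
HARDENED_APP_TASK = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        # GetAuthorizationToken has no resource-level permissions.
        {"Effect": "Allow",
         "Action": "ecr:GetAuthorizationToken",
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["ecr:BatchCheckLayerAvailability",
                    "ecr:GetDownloadUrlForLayer",
                    "ecr:BatchGetImage"],
         "Resource": f"arn:aws:ecr:{REGION}:{ACCOUNT_ID}:repository/cdpt-chaps"},
        {"Effect": "Allow",
         "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": f"arn:aws:logs:{REGION}:{ACCOUNT_ID}:log-group:cdpt-chaps-ecs:*"},
    ],
})


def summarise(policy_json):
    """Count findings per kind, e.g. {"wildcard-action": 3, "wildcard-resource": 5}."""
    counts = {}
    for _, kind, _ in find_wildcards(policy_json):
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for name, doc in (("flagged", FLAGGED_APP_TASK), ("hardened", HARDENED_APP_TASK)):
        print(name, summarise(doc) or "no wildcard findings")
```

The checker treats only an exact `"*"` resource as a wildcard, so the log-group ARN ending in `:*` passes; tfsec's real rule additionally keeps an allow-list of actions and handles partial-ARN wildcards, which this condenses into `RESOURCE_STAR_ONLY`.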

github-actions bot added the `environments-repository` label (Used to exclude PRs from this repo in our Slack PR update) on Jan 31, 2024
#### `TFSEC Scan` Failed
<details><summary>Show Output</summary>

```hcl

TFSEC will check the following folders:
terraform/environments/cdpt-chaps


Running TFSEC in terraform/environments/cdpt-chaps
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available
for the time being, although our engineering
attention will be directed at Trivy going forward.

You can read more here:
aquasecurity/tfsec#1994

Result #1 CRITICAL Instance is exposed publicly.
────────────────────────────────────────────────────────────────────────────────
database.tf:19
────────────────────────────────────────────────────────────────────────────────
5 resource "aws_db_instance" "database" {
.
19 [ publicly_accessible = true (true)
20 }
────────────────────────────────────────────────────────────────────────────────
ID aws-rds-no-public-db-access
Impact The database instance is publicly accessible
Resolution Set the database to not be publicly accessible

More Information

Result #2 CRITICAL Security group rule allows ingress from public internet.
────────────────────────────────────────────────────────────────────────────────
database.tf:47
────────────────────────────────────────────────────────────────────────────────
39 resource "aws_security_group" "db" {
..
47 [ cidr_blocks = ["0.0.0.0/0"]
..
55 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-no-public-ingress-sgr
Impact Your port exposed to the internet
Resolution Set a more restrictive cidr range

More Information

Result #3 CRITICAL Security group rule allows egress to multiple public internet addresses.
────────────────────────────────────────────────────────────────────────────────
database.tf:53
────────────────────────────────────────────────────────────────────────────────
39 resource "aws_security_group" "db" {
..
53 [ cidr_blocks = ["0.0.0.0/0"]
..
55 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-no-public-egress-sgr
Impact Your port is egressing data to the internet
Resolution Set a more restrictive cidr range

More Information

Result #4 CRITICAL Security group rule allows ingress from public internet.
────────────────────────────────────────────────────────────────────────────────
ecs.tf:239
────────────────────────────────────────────────────────────────────────────────
229 resource "aws_security_group" "cluster_ec2" {
...
239 [ cidr_blocks = ["0.0.0.0/0"]
...
266 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-no-public-ingress-sgr
Impact Your port exposed to the internet
Resolution Set a more restrictive cidr range

More Information

Result #5 CRITICAL Security group rule allows egress to multiple public internet addresses.
────────────────────────────────────────────────────────────────────────────────
ecs.tf:256
────────────────────────────────────────────────────────────────────────────────
229 resource "aws_security_group" "cluster_ec2" {
...
256 [ cidr_blocks = ["0.0.0.0/0"]
...
266 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-no-public-egress-sgr
Impact Your port is egressing data to the internet
Resolution Set a more restrictive cidr range

More Information

Result #6 CRITICAL Security group rule allows egress to multiple public internet addresses.
────────────────────────────────────────────────────────────────────────────────
ecs.tf:473
────────────────────────────────────────────────────────────────────────────────
457 resource "aws_security_group" "ecs_service" {
...
473 [ cidr_blocks = ["0.0.0.0/0"]
...
475 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-no-public-egress-sgr
Impact Your port is egressing data to the internet
Resolution Set a more restrictive cidr range

More Information

Result #7 CRITICAL Security group rule allows ingress from public internet.
────────────────────────────────────────────────────────────────────────────────
loadbalancer.tf:11
────────────────────────────────────────────────────────────────────────────────
1 resource "aws_security_group" "chaps_lb_sc" {
.
11 [ cidr_blocks = ["0.0.0.0/0"]
..
21 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-no-public-ingress-sgr
Impact Your port exposed to the internet
Resolution Set a more restrictive cidr range

More Information

Result #8 CRITICAL Security group rule allows egress to multiple public internet addresses.
────────────────────────────────────────────────────────────────────────────────
loadbalancer.tf:19
────────────────────────────────────────────────────────────────────────────────
1 resource "aws_security_group" "chaps_lb_sc" {
.
19 [ cidr_blocks = ["0.0.0.0/0"]
..
21 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-no-public-egress-sgr
Impact Your port is egressing data to the internet
Resolution Set a more restrictive cidr range

More Information

Result #9 HIGH Instance has Public Access enabled
────────────────────────────────────────────────────────────────────────────────
database.tf:19
────────────────────────────────────────────────────────────────────────────────
19 publicly_accessible = true
────────────────────────────────────────────────────────────────────────────────
Rego Package builtin.aws.rds.aws0180
Rego Rule deny
────────────────────────────────────────────────────────────────────────────────

Result #10 HIGH Instance does not have storage encryption enabled.
────────────────────────────────────────────────────────────────────────────────
database.tf:5-20
────────────────────────────────────────────────────────────────────────────────
5 ┌ resource "aws_db_instance" "database" {
6 │ allocated_storage = local.application_data.accounts[local.environment].db_allocated_storage
7 │ storage_type = "gp2"
8 │ engine = "sqlserver-web"
9 │ engine_version = "14.00.3381.3.v1"
10 │ instance_class = local.application_data.accounts[local.environment].db_instance_class
11 │ identifier = local.application_data.accounts[local.environment].db_instance_identifier
12 │ username = local.application_data.accounts[local.environment].db_user
13 └ password = aws_secretsmanager_secret_version.db_password.secret_string
..
────────────────────────────────────────────────────────────────────────────────
ID aws-rds-encrypt-instance-storage-data
Impact Data can be read from RDS instances if compromised
Resolution Enable encryption for RDS instances

More Information

Result #11 HIGH Launch template does not require IMDS access to require a token
────────────────────────────────────────────────────────────────────────────────
ecs.tf:285
────────────────────────────────────────────────────────────────────────────────
272 resource "aws_launch_template" "ec2-launch-template" {
...
285 [ http_tokens = "optional" ("optional")
...
327 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-enforce-launch-config-http-token-imds
Impact Instance metadata service can be interacted with freely
Resolution Enable HTTP token requirement for IMDS

More Information

Result #12 HIGH IAM policy document uses wildcarded action 'ecr:*'
────────────────────────────────────────────────────────────────────────────────
ecs.tf:390-397
────────────────────────────────────────────────────────────────────────────────
381 resource "aws_iam_role_policy" "app_execution" {
...
390 ┌ "Action": [
391 │ "ecr:*",
392 │ "logs:CreateLogGroup",
393 │ "logs:CreateLogStream",
394 │ "logs:PutLogEvents",
395 │ "logs:DescribeLogStreams",
396 └ "secretsmanager:GetSecretValue"
...
────────────────────────────────────────────────────────────────────────────────
ID aws-iam-no-policy-wildcards
Impact Overly permissive policies may grant access to sensitive resources
Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

More Information

Result #13 HIGH IAM policy document uses sensitive action 'ecr:*' on wildcarded resource '*'
────────────────────────────────────────────────────────────────────────────────
ecs.tf:398
────────────────────────────────────────────────────────────────────────────────
381 resource "aws_iam_role_policy" "app_execution" {
...
398 [ "Resource": "*",
...
404 }
────────────────────────────────────────────────────────────────────────────────
ID aws-iam-no-policy-wildcards
Impact Overly permissive policies may grant access to sensitive resources
Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

More Information

Results #14-16 HIGH IAM policy document uses wildcarded action 'logs:CreateLogStream' (3 similar results)
────────────────────────────────────────────────────────────────────────────────
ecs.tf:443-449
────────────────────────────────────────────────────────────────────────────────
433 resource "aws_iam_role_policy" "app_task" {
...
443 ┌ "Action": [
444 │ "logs:CreateLogStream",
445 │ "logs:PutLogEvents",
446 │ "ecr:*",
447 │ "iam:*",
448 │ "ec2:*"
449 └ ],
...
────────────────────────────────────────────────────────────────────────────────
Individual Causes

  • ecs.tf:433-455 (aws_iam_role_policy.app_task) 3 instances
    ────────────────────────────────────────────────────────────────────────────────
    ID aws-iam-no-policy-wildcards
    Impact Overly permissive policies may grant access to sensitive resources
    Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

More Information

Result #17 HIGH IAM policy document uses sensitive action 'logs:CreateLogStream' on wildcarded resource '*'
────────────────────────────────────────────────────────────────────────────────
ecs.tf:450
────────────────────────────────────────────────────────────────────────────────
433 resource "aws_iam_role_policy" "app_task" {
...
450 [ "Resource": "*"
...
455 }
────────────────────────────────────────────────────────────────────────────────
ID aws-iam-no-policy-wildcards
Impact Overly permissive policies may grant access to sensitive resources
Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

More Information

Result #18 HIGH Application load balancer is not set to drop invalid headers.
────────────────────────────────────────────────────────────────────────────────
loadbalancer.tf:23-28
────────────────────────────────────────────────────────────────────────────────
23 resource "aws_lb" "chaps_lb" {
24 name = "chaps-load-balancer"
25 load_balancer_type = "application"
26 security_groups = [aws_security_group.chaps_lb_sc.id]
27 subnets = data.aws_subnets.shared-public.ids
28 }
────────────────────────────────────────────────────────────────────────────────
ID aws-elb-drop-invalid-headers
Impact Invalid headers being passed through to the target of the load balance may exploit vulnerabilities
Resolution Set drop_invalid_header_fields to true

More Information

Result #19 HIGH Load balancer is exposed publicly.
────────────────────────────────────────────────────────────────────────────────
loadbalancer.tf:23-28
────────────────────────────────────────────────────────────────────────────────
23 resource "aws_lb" "chaps_lb" {
24 name = "chaps-load-balancer"
25 load_balancer_type = "application"
26 security_groups = [aws_security_group.chaps_lb_sc.id]
27 subnets = data.aws_subnets.shared-public.ids
28 }
────────────────────────────────────────────────────────────────────────────────
ID aws-elb-alb-not-public
Impact The load balancer is exposed on the internet
Resolution Switch to an internal load balancer or add a tfsec ignore

More Information

Result #20 HIGH No public access block so not blocking public acls
────────────────────────────────────────────────────────────────────────────────
s3.tf:1-3
────────────────────────────────────────────────────────────────────────────────
1 resource "aws_s3_bucket" "chaps-db-backup-bucket" {
2 bucket = local.application_data.accounts[local.environment].s3_bucket_name
3 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-block-public-acls
Impact PUT calls with public ACLs specified can make objects public
Resolution Enable blocking any PUT calls with a public ACL specified

More Information

Result #21 HIGH No public access block so not blocking public policies
────────────────────────────────────────────────────────────────────────────────
s3.tf:1-3
────────────────────────────────────────────────────────────────────────────────
1 resource "aws_s3_bucket" "chaps-db-backup-bucket" {
2 bucket = local.application_data.accounts[local.environment].s3_bucket_name
3 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-block-public-policy
Impact Users could put a policy that allows public access
Resolution Prevent policies that allow public access being PUT

More Information

Result #22 HIGH Bucket does not have encryption enabled
────────────────────────────────────────────────────────────────────────────────
s3.tf:1-3
────────────────────────────────────────────────────────────────────────────────
1 resource "aws_s3_bucket" "chaps-db-backup-bucket" {
2 bucket = local.application_data.accounts[local.environment].s3_bucket_name
3 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-enable-bucket-encryption
Impact The bucket objects could be read if compromised
Resolution Configure bucket encryption

More Information

Result #23 HIGH No public access block so not ignoring public acls
────────────────────────────────────────────────────────────────────────────────
s3.tf:1-3
────────────────────────────────────────────────────────────────────────────────
1 resource "aws_s3_bucket" "chaps-db-backup-bucket" {
2 bucket = local.application_data.accounts[local.environment].s3_bucket_name
3 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-ignore-public-acls
Impact PUT calls with public ACLs specified can make objects public
Resolution Enable ignoring the application of public ACLs in PUT calls

More Information

Result #24 HIGH No public access block so not restricting public buckets
────────────────────────────────────────────────────────────────────────────────
s3.tf:1-3
────────────────────────────────────────────────────────────────────────────────
1 resource "aws_s3_bucket" "chaps-db-backup-bucket" {
2 bucket = local.application_data.accounts[local.environment].s3_bucket_name
3 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-no-public-buckets
Impact Public buckets can be accessed by anyone
Resolution Limit the access to public buckets to only the owner or AWS Services (eg; CloudFront)

More Information

Result #25 HIGH Bucket does not encrypt data with a customer managed key.
────────────────────────────────────────────────────────────────────────────────
s3.tf:1-3
────────────────────────────────────────────────────────────────────────────────
1 resource "aws_s3_bucket" "chaps-db-backup-bucket" {
2 bucket = local.application_data.accounts[local.environment].s3_bucket_name
3 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-encryption-customer-key
Impact Using AWS managed keys does not allow for fine grained control
Resolution Enable encryption using customer managed keys

More Information

Result #26 MEDIUM Instance has very low backup retention period.
────────────────────────────────────────────────────────────────────────────────
database.tf:5-20
────────────────────────────────────────────────────────────────────────────────
5 ┌ resource "aws_db_instance" "database" {
6 │ allocated_storage = local.application_data.accounts[local.environment].db_allocated_storage
7 │ storage_type = "gp2"
8 │ engine = "sqlserver-web"
9 │ engine_version = "14.00.3381.3.v1"
10 │ instance_class = local.application_data.accounts[local.environment].db_instance_class
11 │ identifier = local.application_data.accounts[local.environment].db_instance_identifier
12 │ username = local.application_data.accounts[local.environment].db_user
13 └ password = aws_secretsmanager_secret_version.db_password.secret_string
..
────────────────────────────────────────────────────────────────────────────────
ID aws-rds-specify-backup-retention
Impact Potential loss of data and short opportunity for recovery
Resolution Explicitly set the retention period to greater than the default

More Information

Result #27 MEDIUM Instance does not have Deletion Protection enabled
────────────────────────────────────────────────────────────────────────────────
database.tf:5-20
────────────────────────────────────────────────────────────────────────────────
5 ┌ resource "aws_db_instance" "database" {
6 │ allocated_storage = local.application_data.accounts[local.environment].db_allocated_storage
7 │ storage_type = "gp2"
8 │ engine = "sqlserver-web"
9 │ engine_version = "14.00.3381.3.v1"
10 │ instance_class = local.application_data.accounts[local.environment].db_instance_class
11 │ identifier = local.application_data.accounts[local.environment].db_instance_identifier
12 │ username = local.application_data.accounts[local.environment].db_user
13 └ password = aws_secretsmanager_secret_version.db_password.secret_string
..
────────────────────────────────────────────────────────────────────────────────
Rego Package builtin.aws.rds.aws0177
Rego Rule deny
────────────────────────────────────────────────────────────────────────────────

Result #28 MEDIUM Bucket does not have logging enabled
────────────────────────────────────────────────────────────────────────────────
s3.tf:1-3
────────────────────────────────────────────────────────────────────────────────
1 resource "aws_s3_bucket" "chaps-db-backup-bucket" {
2 bucket = local.application_data.accounts[local.environment].s3_bucket_name
3 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-enable-bucket-logging
Impact There is no way to determine the access to this bucket
Resolution Add a logging block to the resource to enable access logging

More Information

Result #29 MEDIUM Bucket does not have versioning enabled
────────────────────────────────────────────────────────────────────────────────
s3.tf:1-3
────────────────────────────────────────────────────────────────────────────────
1 resource "aws_s3_bucket" "chaps-db-backup-bucket" {
2 bucket = local.application_data.accounts[local.environment].s3_bucket_name
3 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-enable-versioning
Impact Deleted or modified data would not be recoverable
Resolution Enable versioning to protect against accidental/malicious removal or modification

More Information

Result #30 LOW Security group rule does not have a description.
────────────────────────────────────────────────────────────────────────────────
database.tf:43-48
────────────────────────────────────────────────────────────────────────────────
39 resource "aws_security_group" "db" {
..
43 ┌ ingress {
44 │ from_port = 1433
45 │ to_port = 1433
46 │ protocol = "tcp"
47 │ cidr_blocks = ["0.0.0.0/0"]
48 └ }
..
55 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-add-description-to-security-group-rule
Impact Descriptions provide context for the firewall rule reasons
Resolution Add descriptions for all security groups rules

More Information

Result #31 LOW Security group rule does not have a description.
────────────────────────────────────────────────────────────────────────────────
database.tf:49-54
────────────────────────────────────────────────────────────────────────────────
39 resource "aws_security_group" "db" {
..
49 ┌ egress {
50 │ from_port = 0
51 │ to_port = 0
52 │ protocol = "-1"
53 │ cidr_blocks = ["0.0.0.0/0"]
54 └ }
55 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-add-description-to-security-group-rule
Impact Descriptions provide context for the firewall rule reasons
Resolution Add descriptions for all security groups rules

More Information

Result #32 LOW Instance does not have performance insights enabled.
────────────────────────────────────────────────────────────────────────────────
database.tf:5-20
────────────────────────────────────────────────────────────────────────────────
5 ┌ resource "aws_db_instance" "database" {
6 │ allocated_storage = local.application_data.accounts[local.environment].db_allocated_storage
7 │ storage_type = "gp2"
8 │ engine = "sqlserver-web"
9 │ engine_version = "14.00.3381.3.v1"
10 │ instance_class = local.application_data.accounts[local.environment].db_instance_class
11 │ identifier = local.application_data.accounts[local.environment].db_instance_identifier
12 │ username = local.application_data.accounts[local.environment].db_user
13 └ password = aws_secretsmanager_secret_version.db_password.secret_string
..
────────────────────────────────────────────────────────────────────────────────
ID aws-rds-enable-performance-insights
Impact Without adequate monitoring, performance related issues may go unreported and potentially lead to compromise.
Resolution Enable performance insights

More Information

Result #33 LOW Security group explicitly uses the default description.
────────────────────────────────────────────────────────────────────────────────
ecs.tf:457-475
────────────────────────────────────────────────────────────────────────────────
457 ┌ resource "aws_security_group" "ecs_service" {
458 │ name_prefix = "ecs-service-sg-"
459 │ vpc_id = data.aws_vpc.shared.id
460 │
461 │ ingress {
462 │ from_port = 80
463 │ to_port = 80
464 │ protocol = "tcp"
465 └ description = "Allow traffic on port 80 from load balancer"
...
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-add-description-to-security-group
Impact Descriptions provide context for the firewall rule reasons
Resolution Add descriptions for all security groups

More Information

Result #34 LOW Security group rule does not have a description.
────────────────────────────────────────────────────────────────────────────────
ecs.tf:469-474
────────────────────────────────────────────────────────────────────────────────
457 resource "aws_security_group" "ecs_service" {
...
469 ┌ egress {
470 │ from_port = 0
471 │ to_port = 0
472 │ protocol = "-1"
473 │ cidr_blocks = ["0.0.0.0/0"]
474 └ }
475 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-add-description-to-security-group-rule
Impact Descriptions provide context for the firewall rule reasons
Resolution Add descriptions for all security groups rules

More Information

Result #35 LOW Log group is not encrypted.
────────────────────────────────────────────────────────────────────────────────
ecs.tf:520-523
────────────────────────────────────────────────────────────────────────────────
520 resource "aws_cloudwatch_log_group" "cloudwatch_group" {
521 name = "${local.application_name}-ecs"
522 retention_in_days = 30
523 }
────────────────────────────────────────────────────────────────────────────────
ID aws-cloudwatch-log-group-customer-key
Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
Resolution Enable CMK encryption of CloudWatch Log Groups

More Information

Result #36 LOW Log group is not encrypted.
────────────────────────────────────────────────────────────────────────────────
ecs.tf:63-66
────────────────────────────────────────────────────────────────────────────────
63 resource "aws_cloudwatch_log_group" "deployment_logs" {
64 name = "/aws/events/deploymentLogs"
65 retention_in_days = "7"
66 }
────────────────────────────────────────────────────────────────────────────────
ID aws-cloudwatch-log-group-customer-key
Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
Resolution Enable CMK encryption of CloudWatch Log Groups

More Information

Result #37 LOW Bucket does not have a corresponding public access block.
────────────────────────────────────────────────────────────────────────────────
s3.tf:1-3
────────────────────────────────────────────────────────────────────────────────
1 resource "aws_s3_bucket" "chaps-db-backup-bucket" {
2 bucket = local.application_data.accounts[local.environment].s3_bucket_name
3 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-specify-public-access-block
Impact Public access policies may be applied to sensitive data buckets
Resolution Define a aws_s3_bucket_public_access_block for the given bucket to control public access policies

More Information

timings
──────────────────────────────────────────
disk i/o 982.301µs
parsing 2.27557429s
adaptation 1.832711ms
checks 28.465447ms
total 2.306854749s

counts
──────────────────────────────────────────
modules downloaded 2
modules processed 3
blocks processed 193
files read 25

results
──────────────────────────────────────────
passed 53
ignored 81
critical 8
high 17
medium 4
low 8

53 passed, 81 ignored, 37 potential problem(s) detected.

tfsec_exitcode=1

```

</details>

#### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/cdpt-chaps

*****************************

Running Checkov in terraform/environments/cdpt-chaps
2024-01-31 11:24:42,942 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 118, Failed checks: 50, Skipped checks: 1

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion_linux.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "bastion_linux" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0"
		7  | 
		8  |   providers = {
		9  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		11 |   }
		12 | 
		13 |   # s3 - used for logs and user ssh public keys
		14 |   bucket_name          = "bastion"
		15 |   bucket_versioning    = true
		16 |   bucket_force_destroy = true
		17 |   # public keys
		18 |   public_key_data = local.public_key_data.keys[local.environment]
		19 |   # logs
		20 |   log_auto_clean       = "Enabled"
		21 |   log_standard_ia_days = 30  # days before moving to IA storage
		22 |   log_glacier_days     = 60  # days before moving to Glacier
		23 |   log_expiry_days      = 180 # days before log expiration
		24 |   # bastion
		25 |   allow_ssh_commands = false
		26 | 
		27 |   app_name      = var.networking[0].application
		28 |   business_unit = local.vpc_name
		29 |   subnet_set    = local.subnet_set
		30 |   environment   = local.environment
		31 |   region        = "eu-west-2"
		32 | 
		33 |   extra_user_data_content = "yum install -y openldap-clients"
		34 | 
		35 |   # Tags
		36 |   tags_common = local.tags
		37 |   tags_prefix = terraform.workspace
		38 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:72-82
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		72 | data "aws_iam_policy_document" "rds-kms" {
		73 |   statement {
		74 |     effect    = "Allow"
		75 |     actions   = ["kms:*"]
		76 |     resources = ["*"]
		77 |     principals {
		78 |       type        = "AWS"
		79 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		80 |     }
		81 |   }
		82 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:72-82
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		72 | data "aws_iam_policy_document" "rds-kms" {
		73 |   statement {
		74 |     effect    = "Allow"
		75 |     actions   = ["kms:*"]
		76 |     resources = ["*"]
		77 |     principals {
		78 |       type        = "AWS"
		79 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		80 |     }
		81 |   }
		82 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:72-82

		72 | data "aws_iam_policy_document" "rds-kms" {
		73 |   statement {
		74 |     effect    = "Allow"
		75 |     actions   = ["kms:*"]
		76 |     resources = ["*"]
		77 |     principals {
		78 |       type        = "AWS"
		79 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		80 |     }
		81 |   }
		82 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.db_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = true
		20 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.db_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = true
		20 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.db_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = true
		20 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.db_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = true
		20 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.db_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = true
		20 | }

Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-4

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.db_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = true
		20 | }

Check: CKV_AWS_17: "Ensure all data stored in RDS is not publicly accessible"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/public-policies/public-2

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.db_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = true
		20 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.db_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = true
		20 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.db_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = true
		20 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group.db
	File: /database.tf:39-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		39 | resource "aws_security_group" "db" {
		40 |   name        = "${local.application_name}-db-sg"
		41 |   description = "Allow DB inbound traffic"
		42 |   vpc_id      = data.aws_vpc.shared.id
		43 |   ingress {
		44 |     from_port   = 1433
		45 |     to_port     = 1433
		46 |     protocol    = "tcp"
		47 |     cidr_blocks = ["0.0.0.0/0"]
		48 |   }
		49 |   egress {
		50 |     from_port   = 0
		51 |     to_port     = 0
		52 |     protocol    = "-1"
		53 |     cidr_blocks = ["0.0.0.0/0"]
		54 |   }
		55 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:6-47

		6  | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		7  |   name = "${local.application_name}-ec2-instance-policy"
		8  | 
		9  |   policy = <<EOF
		10 | {
		11 |     "Version": "2012-10-17",
		12 |     "Statement": [
		13 |         {
		14 |             "Effect": "Allow",
		15 |             "Action": [
		16 |                 "ec2:DescribeTags",
		17 |                 "ecs:CreateCluster",
		18 |                 "ecs:DeregisterContainerInstance",
		19 |                 "ecs:DiscoverPollEndpoint",
		20 |                 "ecs:Poll",
		21 |                 "ecs:RegisterContainerInstance",
		22 |                 "ecs:StartTelemetrySession",
		23 |                 "ecs:UpdateContainerInstancesState",
		24 |                 "ecs:Submit*",
		25 |                 "ecr:GetAuthorizationToken",
		26 |                 "ecr:BatchCheckLayerAvailability",
		27 |                 "ecr:GetDownloadUrlForLayer",
		28 |                 "ecr:BatchGetImage",
		29 |                 "logs:CreateLogStream",
		30 |                 "logs:PutLogEvents",
		31 |                 "s3:ListBucket",
		32 |                 "s3:*Object*",
		33 |                 "kms:Decrypt",
		34 |                 "kms:Encrypt",
		35 |                 "kms:GenerateDataKey",
		36 |                 "kms:ReEncrypt",
		37 |                 "kms:GenerateDataKey",
		38 |                 "kms:DescribeKey",
		39 |                 "rds:Connect",
		40 |                 "rds:DescribeDBInstances"
		41 |             ],
		42 |             "Resource": "*"
		43 |         }
		44 |     ]
		45 | }
		46 | EOF
		47 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:6-47

		6  | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		7  |   name = "${local.application_name}-ec2-instance-policy"
		8  | 
		9  |   policy = <<EOF
		10 | {
		11 |     "Version": "2012-10-17",
		12 |     "Statement": [
		13 |         {
		14 |             "Effect": "Allow",
		15 |             "Action": [
		16 |                 "ec2:DescribeTags",
		17 |                 "ecs:CreateCluster",
		18 |                 "ecs:DeregisterContainerInstance",
		19 |                 "ecs:DiscoverPollEndpoint",
		20 |                 "ecs:Poll",
		21 |                 "ecs:RegisterContainerInstance",
		22 |                 "ecs:StartTelemetrySession",
		23 |                 "ecs:UpdateContainerInstancesState",
		24 |                 "ecs:Submit*",
		25 |                 "ecr:GetAuthorizationToken",
		26 |                 "ecr:BatchCheckLayerAvailability",
		27 |                 "ecr:GetDownloadUrlForLayer",
		28 |                 "ecr:BatchGetImage",
		29 |                 "logs:CreateLogStream",
		30 |                 "logs:PutLogEvents",
		31 |                 "s3:ListBucket",
		32 |                 "s3:*Object*",
		33 |                 "kms:Decrypt",
		34 |                 "kms:Encrypt",
		35 |                 "kms:GenerateDataKey",
		36 |                 "kms:ReEncrypt",
		37 |                 "kms:GenerateDataKey",
		38 |                 "kms:DescribeKey",
		39 |                 "rds:Connect",
		40 |                 "rds:DescribeDBInstances"
		41 |             ],
		42 |             "Resource": "*"
		43 |         }
		44 |     ]
		45 | }
		46 | EOF
		47 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:6-47

		6  | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		7  |   name = "${local.application_name}-ec2-instance-policy"
		8  | 
		9  |   policy = <<EOF
		10 | {
		11 |     "Version": "2012-10-17",
		12 |     "Statement": [
		13 |         {
		14 |             "Effect": "Allow",
		15 |             "Action": [
		16 |                 "ec2:DescribeTags",
		17 |                 "ecs:CreateCluster",
		18 |                 "ecs:DeregisterContainerInstance",
		19 |                 "ecs:DiscoverPollEndpoint",
		20 |                 "ecs:Poll",
		21 |                 "ecs:RegisterContainerInstance",
		22 |                 "ecs:StartTelemetrySession",
		23 |                 "ecs:UpdateContainerInstancesState",
		24 |                 "ecs:Submit*",
		25 |                 "ecr:GetAuthorizationToken",
		26 |                 "ecr:BatchCheckLayerAvailability",
		27 |                 "ecr:GetDownloadUrlForLayer",
		28 |                 "ecr:BatchGetImage",
		29 |                 "logs:CreateLogStream",
		30 |                 "logs:PutLogEvents",
		31 |                 "s3:ListBucket",
		32 |                 "s3:*Object*",
		33 |                 "kms:Decrypt",
		34 |                 "kms:Encrypt",
		35 |                 "kms:GenerateDataKey",
		36 |                 "kms:ReEncrypt",
		37 |                 "kms:GenerateDataKey",
		38 |                 "kms:DescribeKey",
		39 |                 "rds:Connect",
		40 |                 "rds:DescribeDBInstances"
		41 |             ],
		42 |             "Resource": "*"
		43 |         }
		44 |     ]
		45 | }
		46 | EOF
		47 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:6-47

		6  | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		7  |   name = "${local.application_name}-ec2-instance-policy"
		8  | 
		9  |   policy = <<EOF
		10 | {
		11 |     "Version": "2012-10-17",
		12 |     "Statement": [
		13 |         {
		14 |             "Effect": "Allow",
		15 |             "Action": [
		16 |                 "ec2:DescribeTags",
		17 |                 "ecs:CreateCluster",
		18 |                 "ecs:DeregisterContainerInstance",
		19 |                 "ecs:DiscoverPollEndpoint",
		20 |                 "ecs:Poll",
		21 |                 "ecs:RegisterContainerInstance",
		22 |                 "ecs:StartTelemetrySession",
		23 |                 "ecs:UpdateContainerInstancesState",
		24 |                 "ecs:Submit*",
		25 |                 "ecr:GetAuthorizationToken",
		26 |                 "ecr:BatchCheckLayerAvailability",
		27 |                 "ecr:GetDownloadUrlForLayer",
		28 |                 "ecr:BatchGetImage",
		29 |                 "logs:CreateLogStream",
		30 |                 "logs:PutLogEvents",
		31 |                 "s3:ListBucket",
		32 |                 "s3:*Object*",
		33 |                 "kms:Decrypt",
		34 |                 "kms:Encrypt",
		35 |                 "kms:GenerateDataKey",
		36 |                 "kms:ReEncrypt",
		37 |                 "kms:GenerateDataKey",
		38 |                 "kms:DescribeKey",
		39 |                 "rds:Connect",
		40 |                 "rds:DescribeDBInstances"
		41 |             ],
		42 |             "Resource": "*"
		43 |         }
		44 |     ]
		45 | }
		46 | EOF
		47 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.deployment_logs
	File: /ecs.tf:63-66
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		63 | resource "aws_cloudwatch_log_group" "deployment_logs" {
		64 |   name              = "/aws/events/deploymentLogs"
		65 |   retention_in_days = "7"
		66 | }

Check: CKV_AWS_336: "Ensure ECS containers are limited to read-only access to root filesystems"
	FAILED for resource: aws_ecs_task_definition.chaps_task_definition
	File: /ecs.tf:68-125

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
	FAILED for resource: aws_security_group.cluster_ec2
	File: /ecs.tf:229-266
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80

		229 | resource "aws_security_group" "cluster_ec2" {
		230 |   name        = "${local.application_name}-cluster-ec2-security-group"
		231 |   description = "controls access to the cluster ec2 instance"
		232 |   vpc_id      = data.aws_vpc.shared.id
		233 | 
		234 |   ingress {
		235 |     description     = "allow access on HTTP from load balancer"
		236 |     from_port       = 80
		237 |     to_port         = 80
		238 |     protocol        = "tcp"
		239 |     cidr_blocks     = ["0.0.0.0/0"]
		240 |     security_groups = [aws_security_group.chaps_lb_sc.id]
		241 |   }
		242 | 
		243 |   ingress {
		244 |     description     = "Allow RDP ingress"
		245 |     from_port       = 3389
		246 |     to_port         = 3389
		247 |     protocol        = "tcp"
		248 |     security_groups = [module.bastion_linux.bastion_security_group]
		249 |   }
		250 | 
		251 |   egress {
		252 |     description     = "Cluster EC2 loadbalancer egress rule"
		253 |     from_port       = 0
		254 |     to_port         = 0
		255 |     protocol        = "-1"
		256 |     cidr_blocks     = ["0.0.0.0/0"]
		257 |     security_groups = []
		258 |   }
		259 | 
		260 |   tags = merge(
		261 |     local.tags,
		262 |     {
		263 |       Name = "${local.application_name}-cluster-ec2-security-group"
		264 |     }
		265 |   )
		266 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_launch_template.ec2-launch-template
	File: /ecs.tf:272-327
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:381-404

		381 | resource "aws_iam_role_policy" "app_execution" {
		382 |   name = "execution-${var.networking[0].application}"
		383 |   role = aws_iam_role.app_execution.id
		384 | 
		385 |   policy = <<-EOF
		386 |   {
		387 |     "Version": "2012-10-17",
		388 |     "Statement": [
		389 |       {
		390 |            "Action": [
		391 |               "ecr:*",
		392 |               "logs:CreateLogGroup",
		393 |               "logs:CreateLogStream",
		394 |               "logs:PutLogEvents",
		395 |               "logs:DescribeLogStreams",
		396 |               "secretsmanager:GetSecretValue"
		397 |            ],
		398 |            "Resource": "*",
		399 |            "Effect": "Allow"
		400 |       }
		401 |     ]
		402 |   }
		403 |   EOF
		404 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:381-404

		381 | resource "aws_iam_role_policy" "app_execution" {
		382 |   name = "execution-${var.networking[0].application}"
		383 |   role = aws_iam_role.app_execution.id
		384 | 
		385 |   policy = <<-EOF
		386 |   {
		387 |     "Version": "2012-10-17",
		388 |     "Statement": [
		389 |       {
		390 |            "Action": [
		391 |               "ecr:*",
		392 |               "logs:CreateLogGroup",
		393 |               "logs:CreateLogStream",
		394 |               "logs:PutLogEvents",
		395 |               "logs:DescribeLogStreams",
		396 |               "secretsmanager:GetSecretValue"
		397 |            ],
		398 |            "Resource": "*",
		399 |            "Effect": "Allow"
		400 |       }
		401 |     ]
		402 |   }
		403 |   EOF
		404 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:381-404

		381 | resource "aws_iam_role_policy" "app_execution" {
		382 |   name = "execution-${var.networking[0].application}"
		383 |   role = aws_iam_role.app_execution.id
		384 | 
		385 |   policy = <<-EOF
		386 |   {
		387 |     "Version": "2012-10-17",
		388 |     "Statement": [
		389 |       {
		390 |            "Action": [
		391 |               "ecr:*",
		392 |               "logs:CreateLogGroup",
		393 |               "logs:CreateLogStream",
		394 |               "logs:PutLogEvents",
		395 |               "logs:DescribeLogStreams",
		396 |               "secretsmanager:GetSecretValue"
		397 |            ],
		398 |            "Resource": "*",
		399 |            "Effect": "Allow"
		400 |       }
		401 |     ]
		402 |   }
		403 |   EOF
		404 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:381-404

		381 | resource "aws_iam_role_policy" "app_execution" {
		382 |   name = "execution-${var.networking[0].application}"
		383 |   role = aws_iam_role.app_execution.id
		384 | 
		385 |   policy = <<-EOF
		386 |   {
		387 |     "Version": "2012-10-17",
		388 |     "Statement": [
		389 |       {
		390 |            "Action": [
		391 |               "ecr:*",
		392 |               "logs:CreateLogGroup",
		393 |               "logs:CreateLogStream",
		394 |               "logs:PutLogEvents",
		395 |               "logs:DescribeLogStreams",
		396 |               "secretsmanager:GetSecretValue"
		397 |            ],
		398 |            "Resource": "*",
		399 |            "Effect": "Allow"
		400 |       }
		401 |     ]
		402 |   }
		403 |   EOF
		404 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:433-455

		433 | resource "aws_iam_role_policy" "app_task" {
		434 |   name = "task-${var.networking[0].application}"
		435 |   role = aws_iam_role.app_task.id
		436 | 
		437 |   policy = <<-EOF
		438 |   {
		439 |    "Version": "2012-10-17",
		440 |    "Statement": [
		441 |      {
		442 |        "Effect": "Allow",
		443 |         "Action": [
		444 |           "logs:CreateLogStream",
		445 |           "logs:PutLogEvents",
		446 |           "ecr:*",
		447 |           "iam:*",
		448 |           "ec2:*"
		449 |         ],
		450 |        "Resource": "*"
		451 |      }
		452 |    ]
		453 |   }
		454 |   EOF
		455 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:433-455

		433 | resource "aws_iam_role_policy" "app_task" {
		434 |   name = "task-${var.networking[0].application}"
		435 |   role = aws_iam_role.app_task.id
		436 | 
		437 |   policy = <<-EOF
		438 |   {
		439 |    "Version": "2012-10-17",
		440 |    "Statement": [
		441 |      {
		442 |        "Effect": "Allow",
		443 |         "Action": [
		444 |           "logs:CreateLogStream",
		445 |           "logs:PutLogEvents",
		446 |           "ecr:*",
		447 |           "iam:*",
		448 |           "ec2:*"
		449 |         ],
		450 |        "Resource": "*"
		451 |      }
		452 |    ]
		453 |   }
		454 |   EOF
		455 | }

Check: CKV_AWS_286: "Ensure IAM policies does not allow privilege escalation"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:433-455

		433 | resource "aws_iam_role_policy" "app_task" {
		434 |   name = "task-${var.networking[0].application}"
		435 |   role = aws_iam_role.app_task.id
		436 | 
		437 |   policy = <<-EOF
		438 |   {
		439 |    "Version": "2012-10-17",
		440 |    "Statement": [
		441 |      {
		442 |        "Effect": "Allow",
		443 |         "Action": [
		444 |           "logs:CreateLogStream",
		445 |           "logs:PutLogEvents",
		446 |           "ecr:*",
		447 |           "iam:*",
		448 |           "ec2:*"
		449 |         ],
		450 |        "Resource": "*"
		451 |      }
		452 |    ]
		453 |   }
		454 |   EOF
		455 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:433-455

		433 | resource "aws_iam_role_policy" "app_task" {
		434 |   name = "task-${var.networking[0].application}"
		435 |   role = aws_iam_role.app_task.id
		436 | 
		437 |   policy = <<-EOF
		438 |   {
		439 |    "Version": "2012-10-17",
		440 |    "Statement": [
		441 |      {
		442 |        "Effect": "Allow",
		443 |         "Action": [
		444 |           "logs:CreateLogStream",
		445 |           "logs:PutLogEvents",
		446 |           "ecr:*",
		447 |           "iam:*",
		448 |           "ec2:*"
		449 |         ],
		450 |        "Resource": "*"
		451 |      }
		452 |    ]
		453 |   }
		454 |   EOF
		455 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:433-455

		433 | resource "aws_iam_role_policy" "app_task" {
		434 |   name = "task-${var.networking[0].application}"
		435 |   role = aws_iam_role.app_task.id
		436 | 
		437 |   policy = <<-EOF
		438 |   {
		439 |    "Version": "2012-10-17",
		440 |    "Statement": [
		441 |      {
		442 |        "Effect": "Allow",
		443 |         "Action": [
		444 |           "logs:CreateLogStream",
		445 |           "logs:PutLogEvents",
		446 |           "ecr:*",
		447 |           "iam:*",
		448 |           "ec2:*"
		449 |         ],
		450 |        "Resource": "*"
		451 |      }
		452 |    ]
		453 |   }
		454 |   EOF
		455 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group.ecs_service
	File: /ecs.tf:457-475
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		457 | resource "aws_security_group" "ecs_service" {
		458 |   name_prefix = "ecs-service-sg-"
		459 |   vpc_id      = data.aws_vpc.shared.id
		460 | 
		461 |   ingress {
		462 |     from_port       = 80
		463 |     to_port         = 80
		464 |     protocol        = "tcp"
		465 |     description     = "Allow traffic on port 80 from load balancer"
		466 |     security_groups = [aws_security_group.chaps_lb_sc.id]
		467 |   }
		468 | 
		469 |   egress {
		470 |     from_port   = 0
		471 |     to_port     = 0
		472 |     protocol    = "-1"
		473 |     cidr_blocks = ["0.0.0.0/0"]
		474 |   }
		475 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_group
	File: /ecs.tf:520-523
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		520 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		521 |   name              = "${local.application_name}-ecs"
		522 |   retention_in_days = 30
		523 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_group
	File: /ecs.tf:520-523

		520 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		521 |   name              = "${local.application_name}-ecs"
		522 |   retention_in_days = 30
		523 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.chaps_lb
	File: /loadbalancer.tf:23-28
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		23 | resource "aws_lb" "chaps_lb" {
		24 |   name               = "chaps-load-balancer"
		25 |   load_balancer_type = "application"
		26 |   security_groups    = [aws_security_group.chaps_lb_sc.id]
		27 |   subnets            = data.aws_subnets.shared-public.ids
		28 | }

Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.chaps_lb
	File: /loadbalancer.tf:23-28
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		23 | resource "aws_lb" "chaps_lb" {
		24 |   name               = "chaps-load-balancer"
		25 |   load_balancer_type = "application"
		26 |   security_groups    = [aws_security_group.chaps_lb_sc.id]
		27 |   subnets            = data.aws_subnets.shared-public.ids
		28 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.chaps_lb
	File: /loadbalancer.tf:23-28
	Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62

		23 | resource "aws_lb" "chaps_lb" {
		24 |   name               = "chaps-load-balancer"
		25 |   load_balancer_type = "application"
		26 |   security_groups    = [aws_security_group.chaps_lb_sc.id]
		27 |   subnets            = data.aws_subnets.shared-public.ids
		28 | }

Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
	FAILED for resource: aws_lb_target_group.chaps_target_group
	File: /loadbalancer.tf:30-49
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks

		30 | resource "aws_lb_target_group" "chaps_target_group" {
		31 |   name                 = "chaps-target-group"
		32 |   port                 = 80
		33 |   protocol             = "HTTP"
		34 |   vpc_id               = data.aws_vpc.shared.id
		35 |   target_type          = "ip"
		36 |   deregistration_delay = 30
		37 | 
		38 |   stickiness {
		39 |     type = "lb_cookie"
		40 |   }
		41 | 
		42 |   health_check {
		43 |     healthy_threshold   = "2"
		44 |     interval            = "30"
		45 |     unhealthy_threshold = "5"
		46 |     matcher             = "200-499"
		47 |     timeout             = "10"
		48 |   }
		49 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /secrets.tf:3-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		3 | resource "aws_secretsmanager_secret" "db_password" {
		4 |   name = "database_password"
		5 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.db_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = true
		20 | }

Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF"
	FAILED for resource: aws_lb.chaps_lb
	File: /loadbalancer.tf:23-28
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf

		23 | resource "aws_lb" "chaps_lb" {
		24 |   name               = "chaps-load-balancer"
		25 |   load_balancer_type = "application"
		26 |   security_groups    = [aws_security_group.chaps_lb_sc.id]
		27 |   subnets            = data.aws_subnets.shared-public.ids
		28 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.chaps-db-backup-bucket
	File: /s3.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1 | resource "aws_s3_bucket" "chaps-db-backup-bucket" {
		2 |   bucket = local.application_data.accounts[local.environment].s3_bucket_name
		3 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.chaps-db-backup-bucket
	File: /s3.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1 | resource "aws_s3_bucket" "chaps-db-backup-bucket" {
		2 |   bucket = local.application_data.accounts[local.environment].s3_bucket_name
		3 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.chaps-db-backup-bucket
	File: /s3.tf:1-3

		1 | resource "aws_s3_bucket" "chaps-db-backup-bucket" {
		2 |   bucket = local.application_data.accounts[local.environment].s3_bucket_name
		3 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.chaps-db-backup-bucket
	File: /s3.tf:1-3

		1 | resource "aws_s3_bucket" "chaps-db-backup-bucket" {
		2 |   bucket = local.application_data.accounts[local.environment].s3_bucket_name
		3 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.chaps-db-backup-bucket
	File: /s3.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		1 | resource "aws_s3_bucket" "chaps-db-backup-bucket" {
		2 |   bucket = local.application_data.accounts[local.environment].s3_bucket_name
		3 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /secrets.tf:3-5

		3 | resource "aws_secretsmanager_secret" "db_password" {
		4 |   name = "database_password"
		5 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.chaps-db-backup-bucket
	File: /s3.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		1 | resource "aws_s3_bucket" "chaps-db-backup-bucket" {
		2 |   bucket = local.application_data.accounts[local.environment].s3_bucket_name
		3 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.chaps-db-backup-bucket
	File: /s3.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1 | resource "aws_s3_bucket" "chaps-db-backup-bucket" {
		2 |   bucket = local.application_data.accounts[local.environment].s3_bucket_name
		3 | }

Check: CKV2_AWS_40: "Ensure AWS IAM policy does not allow full IAM privileges"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:433-455

		433 | resource "aws_iam_role_policy" "app_task" {
		434 |   name = "task-${var.networking[0].application}"
		435 |   role = aws_iam_role.app_task.id
		436 | 
		437 |   policy = <<-EOF
		438 |   {
		439 |    "Version": "2012-10-17",
		440 |    "Statement": [
		441 |      {
		442 |        "Effect": "Allow",
		443 |         "Action": [
		444 |           "logs:CreateLogStream",
		445 |           "logs:PutLogEvents",
		446 |           "ecr:*",
		447 |           "iam:*",
		448 |           "ec2:*"
		449 |         ],
		450 |        "Resource": "*"
		451 |      }
		452 |    ]
		453 |   }
		454 |   EOF
		455 | }


checkov_exitcode=1

TFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/cdpt-chaps

*****************************

Running tflint in terraform/environments/cdpt-chaps
Excluding the following checks: terraform_unused_declarations
7 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-chaps/ecs.tf line 98:
  98:           value = "${aws_db_instance.database.address}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-chaps/ecs.tf line 102:
 102:           value = "${aws_db_instance.database.username}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-chaps/ecs.tf line 106:
 106:           value = "${local.application_data.accounts[local.environment].db_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-chaps/ecs.tf line 110:
 110:           value = "${local.application_data.accounts[local.environment].client_id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-chaps/ecs.tf line 114:
 114:           value = "${local.application_data.accounts[local.environment].env_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-chaps/ecs.tf line 168:
 168:       Name = "${local.application_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/cdpt-chaps/secrets.tf line 7:
   7: resource "random_password" "password_long" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan


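The CKV2_AWS_40 finding above is the one a reviewer should care most about: `aws_iam_role_policy.app_task` grants `iam:*`, `ec2:*` and `ecr:*` on `Resource: "*"`, so a compromise of the container (for example through the app behind the load balancer) hands the attacker the ability to create roles, attach policies and reach every EC2 API in the account. The following is an added example, not the repository's code, of a least-privilege replacement that keeps the log permissions scoped to the task's own log group and drops the wildcards. The `ReadDbPassword` statement is an assumption about what the task reads at runtime; remove it if the password is only injected by Terraform.

```hcl
# Added example (not the repository's code): a least-privilege replacement for
# aws_iam_role_policy.app_task, the policy CKV2_AWS_40 flags for granting
# "iam:*", "ec2:*" and "ecr:*" on every resource. The secret statement is an
# assumption about what the task reads at runtime.
data "aws_iam_policy_document" "app_task_least_privilege" {
  # The task writes its own logs; scope the grant to the task's log group.
  # The ":*" suffix covers the log streams inside that group.
  statement {
    sid    = "WriteTaskLogs"
    effect = "Allow"
    actions = [
      "logs:CreateLogStream",
      "logs:PutLogEvents",
    ]
    resources = ["${aws_cloudwatch_log_group.cloudwatch_group.arn}:*"]
  }

  # Assumption: the application fetches the DB password at runtime rather than
  # receiving it as an environment variable. Drop this statement if it does not.
  statement {
    sid       = "ReadDbPassword"
    effect    = "Allow"
    actions   = ["secretsmanager:GetSecretValue"]
    resources = [aws_secretsmanager_secret.db_password.arn]
  }

  # No "ecr:*": pulling the container image is the execution role's job
  # (AmazonECSTaskExecutionRolePolicy), not the task role's.
  # No "iam:*": a task that can write IAM can grant itself any permission.
  # No "ec2:*": nothing in the scan output shows the application touching EC2.
  # Any further action the task genuinely needs goes in its own statement,
  # scoped to the ARNs it touches, never into a wildcard.
}

resource "aws_iam_role_policy" "app_task" {
  name   = "task-${var.networking[0].application}"
  role   = aws_iam_role.app_task.id
  policy = data.aws_iam_policy_document.app_task_least_privilege.json
}
```

Because the resource keeps the same name and role, `terraform plan` should show an in-place update of the inline policy rather than a replacement. Re-running `checkov -d terraform/environments/cdpt-chaps --check CKV2_AWS_40` confirms the finding clears; if the task later needs additional actions, add them as separate statements with explicit resource ARNs so the check stays green.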
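The S3 and RDS findings (CKV2_AWS_6, CKV_AWS_145, CKV_AWS_21, CKV2_AWS_61, CKV_AWS_18 and CKV2_AWS_60, plus `publicly_accessible = true` on the database) all concern the same asset: a bucket of database backups and the database they come from. The following is an added example, not the repository's code, of the hardening a practitioner would expect for those two resources. The KMS key, the access-log bucket and the retention periods are assumptions.

```hcl
# Added example (not the repository's code): hardening for the findings raised
# against aws_s3_bucket.chaps-db-backup-bucket and aws_db_instance.database.
# The KMS key, the access-log bucket and the retention periods are assumptions.

resource "aws_kms_key" "backup" {
  description         = "CMK for CHAPS database backups"
  enable_key_rotation = true
}

resource "aws_s3_bucket" "chaps-db-backup-bucket" {
  bucket = local.application_data.accounts[local.environment].s3_bucket_name
}

# CKV2_AWS_6: block every form of public access at the bucket level.
resource "aws_s3_bucket_public_access_block" "backup" {
  bucket                  = aws_s3_bucket.chaps-db-backup-bucket.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# CKV_AWS_145: default encryption with a customer-managed KMS key.
resource "aws_s3_bucket_server_side_encryption_configuration" "backup" {
  bucket = aws_s3_bucket.chaps-db-backup-bucket.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.backup.arn
    }
    bucket_key_enabled = true
  }
}

# CKV_AWS_21: versioning so an overwritten or deleted backup can be recovered.
resource "aws_s3_bucket_versioning" "backup" {
  bucket = aws_s3_bucket.chaps-db-backup-bucket.id
  versioning_configuration {
    status = "Enabled"
  }
}

# CKV2_AWS_61: expire old backups and their non-current versions (assumed periods).
resource "aws_s3_bucket_lifecycle_configuration" "backup" {
  bucket = aws_s3_bucket.chaps-db-backup-bucket.id
  rule {
    id     = "expire-old-backups"
    status = "Enabled"
    filter {}
    expiration {
      days = 90
    }
    noncurrent_version_expiration {
      noncurrent_days = 30
    }
  }
}

# CKV_AWS_18: access logging to a separate bucket (assumed to exist).
resource "aws_s3_bucket_logging" "backup" {
  bucket        = aws_s3_bucket.chaps-db-backup-bucket.id
  target_bucket = aws_s3_bucket.access_logs.id # assumption
  target_prefix = "chaps-db-backup/"
}

# Only the attributes that change on aws_db_instance.database are shown;
# the existing ones stay as they are.
resource "aws_db_instance" "database" {
  # ... existing attributes unchanged ...
  publicly_accessible   = false # reach the DB through the ECS task's security group
  storage_encrypted     = true
  kms_key_id            = aws_kms_key.backup.arn
  copy_tags_to_snapshot = true # CKV2_AWS_60
  deletion_protection   = true
}
```

Two caveats before applying: `storage_encrypted` forces a new instance, and because this one is restored from `snapshot_identifier`, the snapshot must first be copied with encryption enabled or the restore will fail; check the `terraform plan` for the replacement. Setting `publicly_accessible = false` also only helps if the database security group admits the ECS task's security group rather than `0.0.0.0/0`.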
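The load balancer findings (CKV_AWS_91, CKV_AWS_131, CKV_AWS_150, CKV2_AWS_28 and CKV_AWS_261) are cheap to fix together. The following is an added example, not the repository's code, of `aws_lb.chaps_lb` and `aws_lb_target_group.chaps_target_group` with those settings applied. The log bucket, the WAF web ACL and the health-check path are assumptions; the `200-499` matcher from the original is also tightened, since treating 4xx responses as healthy masks a broken application.

```hcl
# Added example (not the repository's code): hardening for aws_lb.chaps_lb and
# aws_lb_target_group.chaps_target_group. The log bucket, the WAF web ACL and
# the health-check path are assumptions.

resource "aws_lb" "chaps_lb" {
  name                       = "chaps-load-balancer"
  load_balancer_type         = "application"
  security_groups            = [aws_security_group.chaps_lb_sc.id]
  subnets                    = data.aws_subnets.shared-public.ids
  drop_invalid_header_fields = true # CKV_AWS_131: reject malformed headers
  enable_deletion_protection = true # CKV_AWS_150

  # CKV_AWS_91: access logs; the bucket needs the ELB log-delivery bucket policy.
  access_logs {
    bucket  = aws_s3_bucket.access_logs.id # assumption
    prefix  = "chaps-alb"
    enabled = true
  }
}

# CKV2_AWS_28: put a WAFv2 web ACL (assumed to be defined elsewhere) in front
# of the public-facing ALB.
resource "aws_wafv2_web_acl_association" "chaps_lb" {
  resource_arn = aws_lb.chaps_lb.arn
  web_acl_arn  = aws_wafv2_web_acl.chaps.arn # assumption
}

resource "aws_lb_target_group" "chaps_target_group" {
  name                 = "chaps-target-group"
  port                 = 80
  protocol             = "HTTP"
  vpc_id               = data.aws_vpc.shared.id
  target_type          = "ip"
  deregistration_delay = 30

  stickiness {
    type = "lb_cookie"
  }

  # CKV_AWS_261: an explicit path, and a matcher that does not count 4xx as healthy.
  health_check {
    path                = "/" # assumption: use the application's real health endpoint
    healthy_threshold   = 2
    interval            = 30
    unhealthy_threshold = 5
    matcher             = "200"
    timeout             = 10
  }
}
```

After the change, `terraform plan` should show the ALB updated in place; `enable_deletion_protection` means a later `terraform destroy` will fail until it is switched off, which is the intended behaviour for a production entry point.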
@murad-ali-MoJ murad-ali-MoJ marked this pull request as ready for review January 31, 2024 11:25
@murad-ali-MoJ murad-ali-MoJ requested a review from a team January 31, 2024 11:25
@murad-ali-MoJ murad-ali-MoJ requested a review from a team as a code owner January 31, 2024 11:25
@jhpyke jhpyke left a comment


Hopefully the correct policy boundary

@murad-ali-MoJ murad-ali-MoJ merged commit 1e7e490 into main Jan 31, 2024
11 of 12 checks passed
@murad-ali-MoJ murad-ali-MoJ deleted the added-logs branch January 31, 2024 11:29
Labels
environments-repository Used to exclude PRs from this repo in our Slack PR update
2 participants