
NIT-1038 + NIT-1041 example SG allowing connectivity with legacy #4867

Merged
merged 1 commit into from
Feb 6, 2024

Conversation

pete-j-g
Contributor

@pete-j-g pete-j-g commented Feb 6, 2024

No description provided.

@pete-j-g pete-j-g requested review from a team as code owners February 6, 2024 11:32
@github-actions github-actions bot added the `environments-repository` label ("Used to exclude PRs from this repo in our Slack PR update") Feb 6, 2024
@pete-j-g pete-j-g force-pushed the NIT-1038-mis-allow-ad-traffic-between-mp-and-legacy branch from e5bd6f0 to 82af61e February 6, 2024 11:33
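The tfsec and Checkov findings in the bot comment below concern the landing_zone module's S3 buckets, KMS key and IAM policy documents (aws-kms-auto-rotate-keys / CKV_AWS_7, aws-s3-encryption-customer-key, aws-s3-enable-versioning, aws-s3-enable-bucket-logging and aws-iam-no-policy-wildcards). What follows is an added Terraform example, not code from this PR or from the repository, showing the hardened counterpart of each flagged resource. The resource names, the `example-landing` bucket names and the `transfer/` key prefix are placeholders.

```hcl
# Added example, not part of the PR. Names and the "transfer/" prefix are placeholders.

resource "aws_kms_key" "landing" {
  description             = "landing bucket and access-log encryption key"
  key_usage               = "ENCRYPT_DECRYPT"
  deletion_window_in_days = 30
  enable_key_rotation     = true # aws-kms-auto-rotate-keys / CKV_AWS_7
}

resource "aws_s3_bucket" "landing" {
  bucket = "example-landing"
}

# Customer managed key instead of SSE-S3 (AES256): aws-s3-encryption-customer-key
resource "aws_s3_bucket_server_side_encryption_configuration" "landing" {
  bucket = aws_s3_bucket.landing.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.landing.arn
    }
    bucket_key_enabled = true # cuts KMS request volume; no change to the key in use
  }
}

# "Enabled" rather than "Disabled": aws-s3-enable-versioning
resource "aws_s3_bucket_versioning" "landing" {
  bucket = aws_s3_bucket.landing.id

  versioning_configuration {
    status = "Enabled"
  }
}

resource "aws_s3_bucket" "landing_logs" {
  bucket = "example-landing-logs"
}

# Server access logging for the landing bucket: aws-s3-enable-bucket-logging
resource "aws_s3_bucket_logging" "landing" {
  bucket        = aws_s3_bucket.landing.id
  target_bucket = aws_s3_bucket.landing_logs.id
  target_prefix = "s3-access/"
}

# aws-iam-no-policy-wildcards: object actions need an object ARN, so scope the
# wildcard to the prefix the workflow actually touches instead of the whole
# bucket, and keep the bucket-level action on the bucket ARN with a prefix
# condition so the principal cannot list keys outside that prefix.
data "aws_iam_policy_document" "transfer_workflow" {
  statement {
    sid = "ObjectsUnderTransferPrefix"
    actions = [
      "s3:GetObject",
      "s3:PutObject",
      "s3:PutObjectTagging",
      "s3:DeleteObject",
    ]
    resources = ["${aws_s3_bucket.landing.arn}/transfer/*"]
  }

  statement {
    sid       = "ListTransferPrefixOnly"
    actions   = ["s3:ListBucket"]
    resources = [aws_s3_bucket.landing.arn]

    condition {
      test     = "StringLike"
      variable = "s3:prefix"
      values   = ["transfer/*"]
    }
  }
}
```

Two caveats when applying this to the scan output. First, aws-iam-no-policy-wildcards fires on any `*` in a resource ARN, including the prefix-scoped `transfer/*` above; since object-level actions cannot name every future key, the residual finding is accepted deliberately with an inline `#tfsec:ignore:aws-iam-no-policy-wildcards` on that `resources` line (and the matching `#checkov:skip=<check id>:<reason>` comment), which keeps the exception visible in review rather than excluded scanner-wide the way AWS095 is in this run. Second, the `-logs` bucket is itself flagged for missing logging: a log bucket should not deliver access logs to itself, so that finding is normally accepted with a documented ignore, while versioning on the log bucket is cheap to enable and worth keeping.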
Contributor

github-actions bot commented Feb 6, 2024

#### `TFSEC Scan` Failed
<details><summary>Show Output</summary>

```hcl

TFSEC will check the following folders:
terraform/environments/electronic-monitoring-data terraform/environments/electronic-monitoring-data/modules/landing_zone/landing_zone_user terraform/environments/electronic-monitoring-data/modules/landing_zone terraform/environments/electronic-monitoring-data/modules/landing_zone/server_security_group terraform/environments/electronic-monitoring-data/modules/landing_zone


Running TFSEC in terraform/environments/electronic-monitoring-data
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available
for the time being, although our engineering
attention will be directed at Trivy going forward.

You can read more here:
aquasecurity/tfsec#1994

Results #1-6 HIGH IAM policy document uses sensitive action 's3:PutObject' on wildcarded resource 'ae06699d-157b-47ee-b5c2-5265efc8e972/*' (6 similar results)
────────────────────────────────────────────────────────────────────────────────
modules/landing_zone/landing_zone_user/main.tf:57
via modules/landing_zone/main.tf:349-359 (module.landing_zone_users["0"])
via main.tf:1-17 (module.capita)
────────────────────────────────────────────────────────────────────────────────
46 data "aws_iam_policy_document" "this_transfer_user" {
..
57 [ resources = ["${var.landing_bucket.arn}/*"]
..
59 }
────────────────────────────────────────────────────────────────────────────────
Individual Causes

  • modules/landing_zone/landing_zone_user/main.tf:1-17 (module.capita) 6 instances
    ────────────────────────────────────────────────────────────────────────────────
    ID aws-iam-no-policy-wildcards
    Impact Overly permissive policies may grant access to sensitive resources
    Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

More Information

Results #7-9 HIGH IAM policy document uses sensitive action 's3:GetObject' on wildcarded resource 'ae06699d-157b-47ee-b5c2-5265efc8e972/*' (3 similar results)
────────────────────────────────────────────────────────────────────────────────
modules/landing_zone/main.tf:291
via main.tf:1-17 (module.capita)
────────────────────────────────────────────────────────────────────────────────
283 data "aws_iam_policy_document" "this_transfer_workflow" {
...
291 [ resources = ["${aws_s3_bucket.landing_bucket.arn}/*"]
...
335 }
────────────────────────────────────────────────────────────────────────────────
Individual Causes

  • modules/landing_zone/main.tf:1-17 (module.capita) 3 instances
    ────────────────────────────────────────────────────────────────────────────────
    ID aws-iam-no-policy-wildcards
    Impact Overly permissive policies may grant access to sensitive resources
    Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

More Information

Results #10-12 HIGH IAM policy document uses sensitive action 's3:PutObject' on wildcarded resource '3ea70b0c-6323-4b21-bdff-317b42ba8911/*' (3 similar results)
────────────────────────────────────────────────────────────────────────────────
modules/landing_zone/main.tf:300
via main.tf:1-17 (module.capita)
────────────────────────────────────────────────────────────────────────────────
283 data "aws_iam_policy_document" "this_transfer_workflow" {
...
300 [ resources = ["${var.data_store_bucket.arn}/*"]
...
335 }
────────────────────────────────────────────────────────────────────────────────
Individual Causes

  • modules/landing_zone/main.tf:1-17 (module.capita) 3 instances
    ────────────────────────────────────────────────────────────────────────────────
    ID aws-iam-no-policy-wildcards
    Impact Overly permissive policies may grant access to sensitive resources
    Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

More Information

Results #13-18 HIGH IAM policy document uses sensitive action 's3:PutObjectTagging' on wildcarded resource '3ea70b0c-6323-4b21-bdff-317b42ba8911/*' (6 similar results)
────────────────────────────────────────────────────────────────────────────────
modules/landing_zone/main.tf:320-323
via main.tf:1-17 (module.capita)
────────────────────────────────────────────────────────────────────────────────
283 data "aws_iam_policy_document" "this_transfer_workflow" {
...
320 ┌ resources = [
321 │ "${var.data_store_bucket.arn}/*",
322 │ "${aws_s3_bucket.landing_bucket.arn}/*",
323 └ ]
...
335 }
────────────────────────────────────────────────────────────────────────────────
Individual Causes

  • modules/landing_zone/main.tf:1-17 (module.capita) 6 instances
    ────────────────────────────────────────────────────────────────────────────────
    ID aws-iam-no-policy-wildcards
    Impact Overly permissive policies may grant access to sensitive resources
    Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

More Information

Results #19-21 HIGH IAM policy document uses sensitive action 's3:DeleteObject' on wildcarded resource 'ae06699d-157b-47ee-b5c2-5265efc8e972/*' (3 similar results)
────────────────────────────────────────────────────────────────────────────────
modules/landing_zone/main.tf:333
via main.tf:1-17 (module.capita)
────────────────────────────────────────────────────────────────────────────────
283 data "aws_iam_policy_document" "this_transfer_workflow" {
...
333 [ resources = ["${aws_s3_bucket.landing_bucket.arn}/*"]
...
335 }
────────────────────────────────────────────────────────────────────────────────
Individual Causes

  • modules/landing_zone/main.tf:1-17 (module.capita) 3 instances
    ────────────────────────────────────────────────────────────────────────────────
    ID aws-iam-no-policy-wildcards
    Impact Overly permissive policies may grant access to sensitive resources
    Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

More Information

Results #22-24 HIGH Bucket does not encrypt data with a customer managed key. (3 similar results)
────────────────────────────────────────────────────────────────────────────────
modules/landing_zone/main.tf:37-45
via main.tf:19-35 (module.civica)
────────────────────────────────────────────────────────────────────────────────
37 resource "aws_s3_bucket_server_side_encryption_configuration" "landing_bucket" {
38 bucket = aws_s3_bucket.landing_bucket.id
39
40 rule {
41 apply_server_side_encryption_by_default {
42 sse_algorithm = "AES256"
43 }
44 }
45 }
────────────────────────────────────────────────────────────────────────────────
Individual Causes

  • modules/landing_zone/main.tf:19-35 (module.civica)
  • modules/landing_zone/main.tf:37-53 (module.g4s)
  • modules/landing_zone/main.tf:1-17 (module.capita)
    ────────────────────────────────────────────────────────────────────────────────
    ID aws-s3-encryption-customer-key
    Impact Using AWS managed keys does not allow for fine grained control
    Resolution Enable encryption using customer managed keys

More Information

Results #25-28 HIGH Bucket does not encrypt data with a customer managed key. (4 similar results)
────────────────────────────────────────────────────────────────────────────────
modules/s3_log_bucket/main.tf:10-18
via s3.tf:5-10 (module.data_store_log_bucket)
────────────────────────────────────────────────────────────────────────────────
10 resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
11 bucket = aws_s3_bucket.this.id
12
13 rule {
14 apply_server_side_encryption_by_default {
15 sse_algorithm = "AES256"
16 }
17 }
18 }
────────────────────────────────────────────────────────────────────────────────
Individual Causes

  • modules/s3_log_bucket/main.tf:5-10 (module.data_store_log_bucket)
  • modules/s3_log_bucket/main.tf:1-17 (module.capita) 3 instances
    ────────────────────────────────────────────────────────────────────────────────
    ID aws-s3-encryption-customer-key
    Impact Using AWS managed keys does not allow for fine grained control
    Resolution Enable encryption using customer managed keys

More Information

Result #29 HIGH Bucket does not encrypt data with a customer managed key.
────────────────────────────────────────────────────────────────────────────────
s3.tf:20-28
────────────────────────────────────────────────────────────────────────────────
20 resource "aws_s3_bucket_server_side_encryption_configuration" "data_store" {
21 bucket = aws_s3_bucket.data_store.id
22
23 rule {
24 apply_server_side_encryption_by_default {
25 sse_algorithm = "AES256"
26 }
27 }
28 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-encryption-customer-key
Impact Using AWS managed keys does not allow for fine grained control
Resolution Enable encryption using customer managed keys

More Information

Results #30-32 MEDIUM Key does not have rotation enabled. (3 similar results)
────────────────────────────────────────────────────────────────────────────────
modules/landing_zone/main.tf:119-127
via main.tf:1-17 (module.capita)
────────────────────────────────────────────────────────────────────────────────
119 resource "aws_kms_key" "this" {
120 description = "${var.supplier} server cloudwatch log encryption key"
121 key_usage = "ENCRYPT_DECRYPT"
122 deletion_window_in_days = 30
123
124 tags = {
125 supplier = var.supplier
126 }
127 }
────────────────────────────────────────────────────────────────────────────────
Individual Causes

  • modules/landing_zone/main.tf:1-17 (module.capita)
  • modules/landing_zone/main.tf:37-53 (module.g4s)
  • modules/landing_zone/main.tf:19-35 (module.civica)
    ────────────────────────────────────────────────────────────────────────────────
    ID aws-kms-auto-rotate-keys
    Impact Long life KMS keys increase the attack surface when compromised
    Resolution Configure KMS key to auto rotate

More Information

Results #33-35 MEDIUM Bucket does not have versioning enabled (3 similar results)
────────────────────────────────────────────────────────────────────────────────
modules/landing_zone/main.tf:84
via main.tf:37-53 (module.g4s)
────────────────────────────────────────────────────────────────────────────────
81 resource "aws_s3_bucket_versioning" "landing_bucket" {
82 bucket = aws_s3_bucket.landing_bucket.id
83 versioning_configuration {
84 [ status = "Disabled"
85 }
86 }
────────────────────────────────────────────────────────────────────────────────
Individual Causes

  • modules/landing_zone/main.tf:37-53 (module.g4s)
  • modules/landing_zone/main.tf:19-35 (module.civica)
  • modules/landing_zone/main.tf:1-17 (module.capita)
    ────────────────────────────────────────────────────────────────────────────────
    ID aws-s3-enable-versioning
    Impact Deleted or modified data would not be recoverable
    Resolution Enable versioning to protect against accidental/malicious removal or modification

More Information

Results #36-39 MEDIUM Bucket does not have logging enabled (4 similar results)
────────────────────────────────────────────────────────────────────────────────
modules/s3_log_bucket/main.tf:2-8
via modules/landing_zone/main.tf:105-113 (module.log_bucket)
via main.tf:1-17 (module.capita)
────────────────────────────────────────────────────────────────────────────────
2 resource "aws_s3_bucket" "this" {
3 bucket = "${var.source_bucket.id}-logs"
4
5 force_destroy = true
6
7 tags = var.tags
8 }
────────────────────────────────────────────────────────────────────────────────
Individual Causes

  • modules/s3_log_bucket/main.tf:1-17 (module.capita)
  • modules/s3_log_bucket/main.tf:5-10 (module.data_store_log_bucket)
  • modules/s3_log_bucket/main.tf:37-53 (module.g4s)
  • modules/s3_log_bucket/main.tf:19-35 (module.civica)
    ────────────────────────────────────────────────────────────────────────────────
    ID aws-s3-enable-bucket-logging
    Impact There is no way to determine the access to this bucket
    Resolution Add a logging block to the resource to enable access logging

More Information

Results #40-43 MEDIUM Bucket does not have versioning enabled (4 similar results)
────────────────────────────────────────────────────────────────────────────────
modules/s3_log_bucket/main.tf:2-8
via modules/landing_zone/main.tf:105-113 (module.log_bucket)
via main.tf:37-53 (module.g4s)
────────────────────────────────────────────────────────────────────────────────
2 resource "aws_s3_bucket" "this" {
3 bucket = "${var.source_bucket.id}-logs"
4
5 force_destroy = true
6
7 tags = var.tags
8 }
────────────────────────────────────────────────────────────────────────────────
Individual Causes

  • modules/s3_log_bucket/main.tf:37-53 (module.g4s)
  • modules/s3_log_bucket/main.tf:19-35 (module.civica)
  • modules/s3_log_bucket/main.tf:1-17 (module.capita)
  • modules/s3_log_bucket/main.tf:5-10 (module.data_store_log_bucket)
    ────────────────────────────────────────────────────────────────────────────────
    ID aws-s3-enable-versioning
    Impact Deleted or modified data would not be recoverable
    Resolution Enable versioning to protect against accidental/malicious removal or modification

More Information

timings
──────────────────────────────────────────
disk i/o 1.093008ms
parsing 107.30803ms
adaptation 7.875775ms
checks 11.98821ms
total 128.265023ms

counts
──────────────────────────────────────────
modules downloaded 0
modules processed 20
blocks processed 295
files read 60

results
──────────────────────────────────────────
passed 121
ignored 0
critical 0
high 29
medium 14
low 0

121 passed, 43 potential problem(s) detected.

tfsec_exitcode=1


Running TFSEC in terraform/environments/electronic-monitoring-data/modules/landing_zone/landing_zone_user
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available
for the time being, although our engineering
attention will be directed at Trivy going forward.

You can read more here:
aquasecurity/tfsec#1994

timings
──────────────────────────────────────────
disk i/o 36.227µs
parsing 547.007µs
adaptation 127.525µs
checks 10.268472ms
total 10.979231ms

counts
──────────────────────────────────────────
modules downloaded 0
modules processed 1
blocks processed 11
files read 2

results
──────────────────────────────────────────
passed 4
ignored 0
critical 0
high 0
medium 0
low 0

No problems detected!

tfsec_exitcode=1


Running TFSEC in terraform/environments/electronic-monitoring-data/modules/landing_zone
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available
for the time being, although our engineering
attention will be directed at Trivy going forward.

You can read more here:
aquasecurity/tfsec#1994

Result #1 HIGH IAM policy document uses sensitive action 's3:GetObject' on wildcarded resource 'd0d9cd51-25d0-4283-a1a3-68a861a53701/*'
────────────────────────────────────────────────────────────────────────────────
main.tf:291
────────────────────────────────────────────────────────────────────────────────
283 data "aws_iam_policy_document" "this_transfer_workflow" {
...
291 [ resources = ["${aws_s3_bucket.landing_bucket.arn}/*"]
...
335 }
────────────────────────────────────────────────────────────────────────────────
ID aws-iam-no-policy-wildcards
Impact Overly permissive policies may grant access to sensitive resources
Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

More Information

Result #2 HIGH IAM policy document uses sensitive action 's3:PutObjectTagging' on wildcarded resource ''
────────────────────────────────────────────────────────────────────────────────
main.tf:320-323
────────────────────────────────────────────────────────────────────────────────
283 data "aws_iam_policy_document" "this_transfer_workflow" {
...
320 ┌ resources = [
321 │ "${var.data_store_bucket.arn}/*",
322 │ "${aws_s3_bucket.landing_bucket.arn}/*",
323 └ ]
...
335 }
────────────────────────────────────────────────────────────────────────────────
ID aws-iam-no-policy-wildcards
Impact Overly permissive policies may grant access to sensitive resources
Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

More Information

Result #3 HIGH IAM policy document uses sensitive action 's3:DeleteObject' on wildcarded resource 'd0d9cd51-25d0-4283-a1a3-68a861a53701/*'
────────────────────────────────────────────────────────────────────────────────
main.tf:333
────────────────────────────────────────────────────────────────────────────────
283 data "aws_iam_policy_document" "this_transfer_workflow" {
...
333 [ resources = ["${aws_s3_bucket.landing_bucket.arn}/*"]
...
335 }
────────────────────────────────────────────────────────────────────────────────
ID aws-iam-no-policy-wildcards
Impact Overly permissive policies may grant access to sensitive resources
Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

More Information

Result #4 HIGH Bucket does not encrypt data with a customer managed key.
────────────────────────────────────────────────────────────────────────────────
main.tf:37-45
────────────────────────────────────────────────────────────────────────────────
37 resource "aws_s3_bucket_server_side_encryption_configuration" "landing_bucket" {
38 bucket = aws_s3_bucket.landing_bucket.id
39
40 rule {
41 apply_server_side_encryption_by_default {
42 sse_algorithm = "AES256"
43 }
44 }
45 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-encryption-customer-key
Impact Using AWS managed keys does not allow for fine grained control
Resolution Enable encryption using customer managed keys

More Information

Result #5 HIGH Bucket does not encrypt data with a customer managed key.
────────────────────────────────────────────────────────────────────────────────
../s3_log_bucket/main.tf:10-18
via main.tf:105-113 (module.log_bucket)
────────────────────────────────────────────────────────────────────────────────
10 resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
11 bucket = aws_s3_bucket.this.id
12
13 rule {
14 apply_server_side_encryption_by_default {
15 sse_algorithm = "AES256"
16 }
17 }
18 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-encryption-customer-key
Impact Using AWS managed keys does not allow for fine grained control
Resolution Enable encryption using customer managed keys

More Information

Result #6 MEDIUM Key does not have rotation enabled.
────────────────────────────────────────────────────────────────────────────────
main.tf:119-127
────────────────────────────────────────────────────────────────────────────────
119 resource "aws_kms_key" "this" {
120 description = "${var.supplier} server cloudwatch log encryption key"
121 key_usage = "ENCRYPT_DECRYPT"
122 deletion_window_in_days = 30
123
124 tags = {
125 supplier = var.supplier
126 }
127 }
────────────────────────────────────────────────────────────────────────────────
ID aws-kms-auto-rotate-keys
Impact Long life KMS keys increase the attack surface when compromised
Resolution Configure KMS key to auto rotate

More Information

Result #7 MEDIUM Bucket does not have versioning enabled
────────────────────────────────────────────────────────────────────────────────
main.tf:84
────────────────────────────────────────────────────────────────────────────────
81 resource "aws_s3_bucket_versioning" "landing_bucket" {
82 bucket = aws_s3_bucket.landing_bucket.id
83 versioning_configuration {
84 [ status = "Disabled"
85 }
86 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-enable-versioning
Impact Deleted or modified data would not be recoverable
Resolution Enable versioning to protect against accidental/malicious removal or modification

More Information

Result #8 MEDIUM Bucket does not have logging enabled
────────────────────────────────────────────────────────────────────────────────
../s3_log_bucket/main.tf:2-8
via main.tf:105-113 (module.log_bucket)
────────────────────────────────────────────────────────────────────────────────
2 resource "aws_s3_bucket" "this" {
3 bucket = "${var.source_bucket.id}-logs"
4
5 force_destroy = true
6
7 tags = var.tags
8 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-enable-bucket-logging
Impact There is no way to determine the access to this bucket
Resolution Add a logging block to the resource to enable access logging

More Information

Result #9 MEDIUM Bucket does not have versioning enabled
────────────────────────────────────────────────────────────────────────────────
../s3_log_bucket/main.tf:2-8
via main.tf:105-113 (module.log_bucket)
────────────────────────────────────────────────────────────────────────────────
2 resource "aws_s3_bucket" "this" {
3 bucket = "${var.source_bucket.id}-logs"
4
5 force_destroy = true
6
7 tags = var.tags
8 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-enable-versioning
Impact Deleted or modified data would not be recoverable
Resolution Enable versioning to protect against accidental/malicious removal or modification

More Information

timings
──────────────────────────────────────────
disk i/o 87.833µs
parsing 3.134184ms
adaptation 381.777µs
checks 9.449177ms
total 13.052971ms

counts
──────────────────────────────────────────
modules downloaded 0
modules processed 2
blocks processed 38
files read 5

results
──────────────────────────────────────────
passed 29
ignored 0
critical 0
high 5
medium 4
low 0

29 passed, 9 potential problem(s) detected.

tfsec_exitcode=2


Running TFSEC in terraform/environments/electronic-monitoring-data/modules/landing_zone/server_security_group
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available
for the time being, although our engineering
attention will be directed at Trivy going forward.

You can read more here:
aquasecurity/tfsec#1994

timings
──────────────────────────────────────────
disk i/o 44.692µs
parsing 408.758µs
adaptation 86.15µs
checks 5.585351ms
total 6.124951ms

counts
──────────────────────────────────────────
modules downloaded 0
modules processed 1
blocks processed 9
files read 3

results
──────────────────────────────────────────
passed 1
ignored 0
critical 0
high 0
medium 0
low 0

No problems detected!

tfsec_exitcode=2


Running TFSEC in terraform/environments/electronic-monitoring-data/modules/landing_zone
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available
for the time being, although our engineering
attention will be directed at Trivy going forward.

You can read more here:
aquasecurity/tfsec#1994

Result #1 HIGH IAM policy document uses sensitive action 's3:GetObject' on wildcarded resource '627a0de2-78a3-42fd-9289-f3aa2a2a2167/*'
────────────────────────────────────────────────────────────────────────────────
main.tf:291
────────────────────────────────────────────────────────────────────────────────
283 data "aws_iam_policy_document" "this_transfer_workflow" {
...
291 [ resources = ["${aws_s3_bucket.landing_bucket.arn}/*"]
...
335 }
────────────────────────────────────────────────────────────────────────────────
ID aws-iam-no-policy-wildcards
Impact Overly permissive policies may grant access to sensitive resources
Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

More Information

Result #2 HIGH IAM policy document uses sensitive action 's3:PutObjectTagging' on wildcarded resource ''
────────────────────────────────────────────────────────────────────────────────
main.tf:320-323
────────────────────────────────────────────────────────────────────────────────
283 data "aws_iam_policy_document" "this_transfer_workflow" {
...
320 ┌ resources = [
321 │ "${var.data_store_bucket.arn}/*",
322 │ "${aws_s3_bucket.landing_bucket.arn}/*",
323 └ ]
...
335 }
────────────────────────────────────────────────────────────────────────────────
ID aws-iam-no-policy-wildcards
Impact Overly permissive policies may grant access to sensitive resources
Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

More Information

Result #3 HIGH IAM policy document uses sensitive action 's3:DeleteObject' on wildcarded resource '627a0de2-78a3-42fd-9289-f3aa2a2a2167/*'
────────────────────────────────────────────────────────────────────────────────
main.tf:333
────────────────────────────────────────────────────────────────────────────────
283 data "aws_iam_policy_document" "this_transfer_workflow" {
...
333 [ resources = ["${aws_s3_bucket.landing_bucket.arn}/*"]
...
335 }
────────────────────────────────────────────────────────────────────────────────
ID aws-iam-no-policy-wildcards
Impact Overly permissive policies may grant access to sensitive resources
Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

More Information

Result #4 HIGH Bucket does not encrypt data with a customer managed key.
────────────────────────────────────────────────────────────────────────────────
main.tf:37-45
────────────────────────────────────────────────────────────────────────────────
37 resource "aws_s3_bucket_server_side_encryption_configuration" "landing_bucket" {
38 bucket = aws_s3_bucket.landing_bucket.id
39
40 rule {
41 apply_server_side_encryption_by_default {
42 sse_algorithm = "AES256"
43 }
44 }
45 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-encryption-customer-key
Impact Using AWS managed keys does not allow for fine grained control
Resolution Enable encryption using customer managed keys

More Information

Result #5 HIGH Bucket does not encrypt data with a customer managed key.
────────────────────────────────────────────────────────────────────────────────
../s3_log_bucket/main.tf:10-18
via main.tf:105-113 (module.log_bucket)
────────────────────────────────────────────────────────────────────────────────
10 resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
11 bucket = aws_s3_bucket.this.id
12
13 rule {
14 apply_server_side_encryption_by_default {
15 sse_algorithm = "AES256"
16 }
17 }
18 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-encryption-customer-key
Impact Using AWS managed keys does not allow for fine grained control
Resolution Enable encryption using customer managed keys

More Information

Result #6 MEDIUM Key does not have rotation enabled.
────────────────────────────────────────────────────────────────────────────────
main.tf:119-127
────────────────────────────────────────────────────────────────────────────────
119 resource "aws_kms_key" "this" {
120 description = "${var.supplier} server cloudwatch log encryption key"
121 key_usage = "ENCRYPT_DECRYPT"
122 deletion_window_in_days = 30
123
124 tags = {
125 supplier = var.supplier
126 }
127 }
────────────────────────────────────────────────────────────────────────────────
ID aws-kms-auto-rotate-keys
Impact Long life KMS keys increase the attack surface when compromised
Resolution Configure KMS key to auto rotate

More Information

Result #7 MEDIUM Bucket does not have versioning enabled
────────────────────────────────────────────────────────────────────────────────
main.tf:84
────────────────────────────────────────────────────────────────────────────────
81 resource "aws_s3_bucket_versioning" "landing_bucket" {
82 bucket = aws_s3_bucket.landing_bucket.id
83 versioning_configuration {
84 [ status = "Disabled"
85 }
86 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-enable-versioning
Impact Deleted or modified data would not be recoverable
Resolution Enable versioning to protect against accidental/malicious removal or modification

More Information

Result #8 MEDIUM Bucket does not have logging enabled
────────────────────────────────────────────────────────────────────────────────
../s3_log_bucket/main.tf:2-8
via main.tf:105-113 (module.log_bucket)
────────────────────────────────────────────────────────────────────────────────
2 resource "aws_s3_bucket" "this" {
3 bucket = "${var.source_bucket.id}-logs"
4
5 force_destroy = true
6
7 tags = var.tags
8 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-enable-bucket-logging
Impact There is no way to determine the access to this bucket
Resolution Add a logging block to the resource to enable access logging

More Information

Result #9 MEDIUM Bucket does not have versioning enabled
────────────────────────────────────────────────────────────────────────────────
../s3_log_bucket/main.tf:2-8
via main.tf:105-113 (module.log_bucket)
────────────────────────────────────────────────────────────────────────────────
2 resource "aws_s3_bucket" "this" {
3 bucket = "${var.source_bucket.id}-logs"
4
5 force_destroy = true
6
7 tags = var.tags
8 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-enable-versioning
Impact Deleted or modified data would not be recoverable
Resolution Enable versioning to protect against accidental/malicious removal or modification

More Information

timings
──────────────────────────────────────────
disk i/o 85.299µs
parsing 3.01287ms
adaptation 413.496µs
checks 5.08713ms
total 8.598795ms

counts
──────────────────────────────────────────
modules downloaded 0
modules processed 2
blocks processed 38
files read 5

results
──────────────────────────────────────────
passed 29
ignored 0
critical 0
high 5
medium 4
low 0

29 passed, 9 potential problem(s) detected.

tfsec_exitcode=3

```
</details>

#### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/electronic-monitoring-data terraform/environments/electronic-monitoring-data/modules/landing_zone/landing_zone_user terraform/environments/electronic-monitoring-data/modules/landing_zone terraform/environments/electronic-monitoring-data/modules/landing_zone/server_security_group terraform/environments/electronic-monitoring-data/modules/landing_zone

*****************************

Running Checkov in terraform/environments/electronic-monitoring-data
terraform scan results:

Passed checks: 430, Failed checks: 47, Skipped checks: 0

Check: CKV_AWS_7: "Ensure rotation for customer created CMKs is enabled"
	FAILED for resource: module.capita.aws_kms_key.this
	File: /modules/landing_zone/main.tf:119-127
	Calling File: /main.tf:1-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-8

		119 | resource "aws_kms_key" "this" {
		120 |   description             = "${var.supplier} server cloudwatch log encryption key"
		121 |   key_usage               = "ENCRYPT_DECRYPT"
		122 |   deletion_window_in_days = 30
		123 | 
		124 |   tags = {
		125 |     supplier = var.supplier
		126 |   }
		127 | }

Check: CKV_AWS_7: "Ensure rotation for customer created CMKs is enabled"
	FAILED for resource: module.civica.aws_kms_key.this
	File: /modules/landing_zone/main.tf:119-127
	Calling File: /main.tf:19-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-8

		119 | resource "aws_kms_key" "this" {
		120 |   description             = "${var.supplier} server cloudwatch log encryption key"
		121 |   key_usage               = "ENCRYPT_DECRYPT"
		122 |   deletion_window_in_days = 30
		123 | 
		124 |   tags = {
		125 |     supplier = var.supplier
		126 |   }
		127 | }

Check: CKV_AWS_7: "Ensure rotation for customer created CMKs is enabled"
	FAILED for resource: module.g4s.aws_kms_key.this
	File: /modules/landing_zone/main.tf:119-127
	Calling File: /main.tf:37-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-8

		119 | resource "aws_kms_key" "this" {
		120 |   description             = "${var.supplier} server cloudwatch log encryption key"
		121 |   key_usage               = "ENCRYPT_DECRYPT"
		122 |   deletion_window_in_days = 30
		123 | 
		124 |   tags = {
		125 |     supplier = var.supplier
		126 |   }
		127 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.capita.module.landing_zone_security_groups.aws_security_group.this
	File: /modules/landing_zone/server_security_group/main.tf:7-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		7  | resource "aws_security_group" "this" {
		8  |   name        = "${var.supplier}-${var.user_name}-inbound-ips"
		9  |   description = "Allowed IP addresses for ${var.user_name} on ${var.supplier} server"
		10 |   vpc_id      = var.vpc_id
		11 | 
		12 |   tags = {
		13 |     supplier = var.user_name
		14 |   }
		15 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.civica.module.landing_zone_security_groups.aws_security_group.this
	File: /modules/landing_zone/server_security_group/main.tf:7-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		7  | resource "aws_security_group" "this" {
		8  |   name        = "${var.supplier}-${var.user_name}-inbound-ips"
		9  |   description = "Allowed IP addresses for ${var.user_name} on ${var.supplier} server"
		10 |   vpc_id      = var.vpc_id
		11 | 
		12 |   tags = {
		13 |     supplier = var.user_name
		14 |   }
		15 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.g4s.module.landing_zone_security_groups.aws_security_group.this
	File: /modules/landing_zone/server_security_group/main.tf:7-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		7  | resource "aws_security_group" "this" {
		8  |   name        = "${var.supplier}-${var.user_name}-inbound-ips"
		9  |   description = "Allowed IP addresses for ${var.user_name} on ${var.supplier} server"
		10 |   vpc_id      = var.vpc_id
		11 | 
		12 |   tags = {
		13 |     supplier = var.user_name
		14 |   }
		15 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.capita.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.civica.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.capita.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.civica.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.data_store
	File: /s3.tf:16-18
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		16 | resource "aws_s3_bucket" "data_store" {
		17 |   bucket_prefix = "em-data-store-"
		18 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.civica.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.capita.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.civica.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.capita.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.civica.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.data_store
	File: /s3.tf:16-18
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		16 | resource "aws_s3_bucket" "data_store" {
		17 |   bucket_prefix = "em-data-store-"
		18 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.capita.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.civica.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.capita.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.civica.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.data_store
	File: /s3.tf:16-18
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		16 | resource "aws_s3_bucket" "data_store" {
		17 |   bucket_prefix = "em-data-store-"
		18 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.capita.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.civica.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.capita.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.civica.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.capita.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.civica.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.capita.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.civica.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.data_store
	File: /s3.tf:16-18
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		16 | resource "aws_s3_bucket" "data_store" {
		17 |   bucket_prefix = "em-data-store-"
		18 | }


checkov_exitcode=1

*****************************

Running Checkov in terraform/environments/electronic-monitoring-data/modules/landing_zone/landing_zone_user
terraform scan results:

Passed checks: 27, Failed checks: 0, Skipped checks: 0


checkov_exitcode=1

*****************************

Running Checkov in terraform/environments/electronic-monitoring-data/modules/landing_zone
terraform scan results:

Passed checks: 126, Failed checks: 12, Skipped checks: 0

Check: CKV_AWS_7: "Ensure rotation for customer created CMKs is enabled"
	FAILED for resource: aws_kms_key.this
	File: /main.tf:119-127
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-8

		119 | resource "aws_kms_key" "this" {
		120 |   description             = "${var.supplier} server cloudwatch log encryption key"
		121 |   key_usage               = "ENCRYPT_DECRYPT"
		122 |   deletion_window_in_days = 30
		123 | 
		124 |   tags = {
		125 |     supplier = var.supplier
		126 |   }
		127 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.landing_zone_security_groups.aws_security_group.this
	File: /server_security_group/main.tf:7-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		7  | resource "aws_security_group" "this" {
		8  |   name        = "${var.supplier}-${var.user_name}-inbound-ips"
		9  |   description = "Allowed IP addresses for ${var.user_name} on ${var.supplier} server"
		10 |   vpc_id      = var.vpc_id
		11 | 
		12 |   tags = {
		13 |     supplier = var.user_name
		14 |   }
		15 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.landing_bucket
	File: /main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.log_bucket.aws_s3_bucket.this
	File: /../s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.landing_bucket
	File: /main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.log_bucket.aws_s3_bucket.this
	File: /../s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.landing_bucket
	File: /main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.log_bucket.aws_s3_bucket.this
	File: /../s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.landing_bucket
	File: /main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.log_bucket.aws_s3_bucket.this
	File: /../s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.landing_bucket
	File: /main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.log_bucket.aws_s3_bucket.this
	File: /../s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }


checkov_exitcode=2

*****************************

Running Checkov in terraform/environments/electronic-monitoring-data/modules/landing_zone/server_security_group
terraform scan results:

Passed checks: 15, Failed checks: 1, Skipped checks: 0

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.this
	File: /main.tf:7-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		7  | resource "aws_security_group" "this" {
		8  |   name        = "${var.supplier}-${var.user_name}-inbound-ips"
		9  |   description = "Allowed IP addresses for ${var.user_name} on ${var.supplier} server"
		10 |   vpc_id      = var.vpc_id
		11 | 
		12 |   tags = {
		13 |     supplier = var.user_name
		14 |   }
		15 | }


checkov_exitcode=3

*****************************

Running Checkov in terraform/environments/electronic-monitoring-data/modules/landing_zone
terraform scan results:

Passed checks: 126, Failed checks: 12, Skipped checks: 0

Check: CKV_AWS_7: "Ensure rotation for customer created CMKs is enabled"
	FAILED for resource: aws_kms_key.this
	File: /main.tf:119-127
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-8

		119 | resource "aws_kms_key" "this" {
		120 |   description             = "${var.supplier} server cloudwatch log encryption key"
		121 |   key_usage               = "ENCRYPT_DECRYPT"
		122 |   deletion_window_in_days = 30
		123 | 
		124 |   tags = {
		125 |     supplier = var.supplier
		126 |   }
		127 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.landing_zone_security_groups.aws_security_group.this
	File: /server_security_group/main.tf:7-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		7  | resource "aws_security_group" "this" {
		8  |   name        = "${var.supplier}-${var.user_name}-inbound-ips"
		9  |   description = "Allowed IP addresses for ${var.user_name} on ${var.supplier} server"
		10 |   vpc_id      = var.vpc_id
		11 | 
		12 |   tags = {
		13 |     supplier = var.user_name
		14 |   }
		15 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.landing_bucket
	File: /main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.log_bucket.aws_s3_bucket.this
	File: /../s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.landing_bucket
	File: /main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.log_bucket.aws_s3_bucket.this
	File: /../s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.landing_bucket
	File: /main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.log_bucket.aws_s3_bucket.this
	File: /../s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.landing_bucket
	File: /main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.log_bucket.aws_s3_bucket.this
	File: /../s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.landing_bucket
	File: /main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.log_bucket.aws_s3_bucket.this
	File: /../s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }


checkov_exitcode=4

CTFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/electronic-monitoring-data terraform/environments/electronic-monitoring-data/modules/landing_zone/landing_zone_user terraform/environments/electronic-monitoring-data/modules/landing_zone terraform/environments/electronic-monitoring-data/modules/landing_zone/server_security_group terraform/environments/electronic-monitoring-data/modules/landing_zone

*****************************

Running tflint in terraform/environments/electronic-monitoring-data
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

*****************************

Running tflint in terraform/environments/electronic-monitoring-data/modules/landing_zone/landing_zone_user
Excluding the following checks: terraform_unused_declarations
4 issue(s) found:

Warning: terraform "required_version" attribute is required (terraform_required_version)

  on  line 0:
   (source code not available)

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_version.md

Warning: Missing version constraint for provider "aws" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/modules/landing_zone/landing_zone_user/main.tf line 67:
  67: resource "aws_transfer_ssh_key" "this" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: `landing_bucket` variable has no type (terraform_typed_variables)

  on terraform/environments/electronic-monitoring-data/modules/landing_zone/landing_zone_user/variables.tf line 1:
   1: variable "landing_bucket" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_typed_variables.md

Warning: `transfer_server` variable has no type (terraform_typed_variables)

  on terraform/environments/electronic-monitoring-data/modules/landing_zone/landing_zone_user/variables.tf line 15:
  15: variable "transfer_server" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_typed_variables.md

tflint_exitcode=2

*****************************

Running tflint in terraform/environments/electronic-monitoring-data/modules/landing_zone
Excluding the following checks: terraform_unused_declarations
6 issue(s) found:

Warning: terraform "required_version" attribute is required (terraform_required_version)

  on  line 0:
   (source code not available)

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_version.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/modules/landing_zone/main.tf line 21:
  21: resource "random_string" "this" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "aws" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/modules/landing_zone/main.tf line 337:
 337: resource "aws_iam_role_policy" "this_transfer_workflow" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: `account_id` variable has no type (terraform_typed_variables)

  on terraform/environments/electronic-monitoring-data/modules/landing_zone/variables.tf line 1:
   1: variable "account_id" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_typed_variables.md

Warning: `data_store_bucket` variable has no type (terraform_typed_variables)

  on terraform/environments/electronic-monitoring-data/modules/landing_zone/variables.tf line 5:
   5: variable "data_store_bucket" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_typed_variables.md

Warning: `vpc_id` variable has no type (terraform_typed_variables)

  on terraform/environments/electronic-monitoring-data/modules/landing_zone/variables.tf line 30:
  30: variable "vpc_id" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_typed_variables.md

tflint_exitcode=4

*****************************

Running tflint in terraform/environments/electronic-monitoring-data/modules/landing_zone/server_security_group
Excluding the following checks: terraform_unused_declarations
3 issue(s) found:

Warning: terraform "required_version" attribute is required (terraform_required_version)

  on  line 0:
   (source code not available)

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_version.md

Warning: Missing version constraint for provider "aws" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/modules/landing_zone/server_security_group/main.tf line 28:
  28: resource "aws_vpc_security_group_ingress_rule" "this_ipv6" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: `vpc_id` variable has no type (terraform_typed_variables)

  on terraform/environments/electronic-monitoring-data/modules/landing_zone/server_security_group/variables.tf line 23:
  23: variable "vpc_id" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_typed_variables.md

tflint_exitcode=6

*****************************

Running tflint in terraform/environments/electronic-monitoring-data/modules/landing_zone
Excluding the following checks: terraform_unused_declarations
6 issue(s) found:

Warning: terraform "required_version" attribute is required (terraform_required_version)

  on  line 0:
   (source code not available)

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_version.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/modules/landing_zone/main.tf line 21:
  21: resource "random_string" "this" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "aws" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/modules/landing_zone/main.tf line 337:
 337: resource "aws_iam_role_policy" "this_transfer_workflow" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: `account_id` variable has no type (terraform_typed_variables)

  on terraform/environments/electronic-monitoring-data/modules/landing_zone/variables.tf line 1:
   1: variable "account_id" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_typed_variables.md

Warning: `data_store_bucket` variable has no type (terraform_typed_variables)

  on terraform/environments/electronic-monitoring-data/modules/landing_zone/variables.tf line 5:
   5: variable "data_store_bucket" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_typed_variables.md

Warning: `vpc_id` variable has no type (terraform_typed_variables)

  on terraform/environments/electronic-monitoring-data/modules/landing_zone/variables.tf line 30:
  30: variable "vpc_id" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_typed_variables.md

tflint_exitcode=8

Trivy Scan

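The tfsec and Checkov findings above repeat the same few settings across the landing_zone module: the landing bucket is encrypted with SSE-S3 ("AES256") rather than a customer managed key, versioning is explicitly set to "Disabled", the CloudWatch KMS key has no rotation, the buckets have no lifecycle configuration, and the Transfer policies grant object actions on `<bucket arn>/*`. The block below is an added example, not code from this PR or from the modernisation-platform-environments repository, showing one way to satisfy aws-s3-encryption-customer-key, aws-kms-auto-rotate-keys, aws-s3-enable-versioning, CKV_AWS_7, CKV_AWS_21, CKV_AWS_145 and CKV2_AWS_61 for the landing bucket. It reuses `var.supplier` and `aws_s3_bucket.landing_bucket` from the scanner excerpts; the `landing_bucket` KMS key, the `transfer_user` policy document, the per-supplier key prefix and the 90/30/7-day expiry values are assumptions.

```hcl
# Added example (not the PR's own code); resource names and retention periods are assumptions.

# A dedicated customer managed key for the landing bucket. enable_key_rotation is the
# attribute the aws-kms-auto-rotate-keys / CKV_AWS_7 findings are looking for.
resource "aws_kms_key" "landing_bucket" {
  description             = "${var.supplier} landing bucket encryption key"
  key_usage               = "ENCRYPT_DECRYPT"
  deletion_window_in_days = 30
  enable_key_rotation     = true

  tags = {
    supplier = var.supplier
  }
}

# SSE-KMS with the key above instead of the flagged sse_algorithm = "AES256".
# bucket_key_enabled reduces the number of KMS requests generated by SFTP uploads.
resource "aws_s3_bucket_server_side_encryption_configuration" "landing_bucket" {
  bucket = aws_s3_bucket.landing_bucket.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.landing_bucket.arn
    }
    bucket_key_enabled = true
  }
}

# The scanners quote status = "Disabled"; "Enabled" is what aws-s3-enable-versioning / CKV_AWS_21 check.
resource "aws_s3_bucket_versioning" "landing_bucket" {
  bucket = aws_s3_bucket.landing_bucket.id

  versioning_configuration {
    status = "Enabled"
  }
}

# Versioning without a lifecycle rule grows without bound, and CKV2_AWS_61 wants one anyway.
# filter {} applies the rule to every object; the day counts are assumptions.
resource "aws_s3_bucket_lifecycle_configuration" "landing_bucket" {
  bucket     = aws_s3_bucket.landing_bucket.id
  depends_on = [aws_s3_bucket_versioning.landing_bucket]

  rule {
    id     = "expire-processed-uploads"
    status = "Enabled"

    filter {}

    expiration {
      days = 90
    }

    noncurrent_version_expiration {
      noncurrent_days = 30
    }

    abort_incomplete_multipart_upload {
      days_after_initiation = 7
    }
  }
}

# IAM cannot enumerate object keys, so s3:PutObject on "<bucket arn>/<prefix>/*" is the
# narrowest grant possible and tfsec still reports aws-iam-no-policy-wildcards. Confine the
# wildcard to one bucket and one supplier prefix and suppress the rule with a recorded reason
# rather than excluding it globally in the scanner config.
data "aws_iam_policy_document" "transfer_user" {
  statement {
    sid     = "SupplierUploadOnly"
    actions = ["s3:PutObject"]
    # Object-level grant, scoped to a single bucket and this supplier's prefix.
    #tfsec:ignore:aws-iam-no-policy-wildcards
    resources = ["${aws_s3_bucket.landing_bucket.arn}/${var.supplier}/*"]
  }
}
```

Moving the bucket to SSE-KMS has a consequence the scanner output does not show: the Transfer user role and the `this_transfer_workflow` role need `kms:GenerateDataKey` and `kms:Decrypt` on the new key as well as their S3 permissions, otherwise uploads and the workflow's copy step fail with AccessDenied. The remaining Checkov findings (cross-region replication, event notifications, and the "unattached" security group that Checkov reports because it evaluates each module directory in isolation) are judgement calls for the service rather than straightforward misconfigurations.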

@pete-j-g pete-j-g temporarily deployed to delius-mis-development February 6, 2024 11:34 — with GitHub Actions Inactive

github-actions bot commented Feb 6, 2024

TFSEC Scan Failed


TFSEC will check the following folders:
terraform/environments/electronic-monitoring-data terraform/environments/electronic-monitoring-data/modules/landing_zone/landing_zone_user terraform/environments/electronic-monitoring-data/modules/landing_zone terraform/environments/electronic-monitoring-data/modules/landing_zone/server_security_group terraform/environments/electronic-monitoring-data/modules/landing_zone


Running TFSEC in terraform/environments/electronic-monitoring-data
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available
for the time being, although our engineering
attention will be directed at Trivy going forward.

You can read more here:
aquasecurity/tfsec#1994

Results #1-6 HIGH IAM policy document uses sensitive action 's3:PutObject' on wildcarded resource '97b69b01-230d-462b-a2c4-0e50c2b5fac9/*' (6 similar results)
────────────────────────────────────────────────────────────────────────────────
modules/landing_zone/landing_zone_user/main.tf:57
via modules/landing_zone/main.tf:349-359 (module.landing_zone_users["0"])
via main.tf:1-17 (module.capita)
────────────────────────────────────────────────────────────────────────────────
46 data "aws_iam_policy_document" "this_transfer_user" {
..
57 [ resources = ["${var.landing_bucket.arn}/*"]
..
59 }
────────────────────────────────────────────────────────────────────────────────
Individual Causes

  • modules/landing_zone/landing_zone_user/main.tf:1-17 (module.capita) 6 instances
    ────────────────────────────────────────────────────────────────────────────────
    ID aws-iam-no-policy-wildcards
    Impact Overly permissive policies may grant access to sensitive resources
    Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

More Information

Results #7-9 HIGH IAM policy document uses sensitive action 's3:GetObject' on wildcarded resource '97b69b01-230d-462b-a2c4-0e50c2b5fac9/*' (3 similar results)
────────────────────────────────────────────────────────────────────────────────
modules/landing_zone/main.tf:291
via main.tf:1-17 (module.capita)
────────────────────────────────────────────────────────────────────────────────
283 data "aws_iam_policy_document" "this_transfer_workflow" {
...
291 [ resources = ["${aws_s3_bucket.landing_bucket.arn}/*"]
...
335 }
────────────────────────────────────────────────────────────────────────────────
Individual Causes

  • modules/landing_zone/main.tf:1-17 (module.capita) 3 instances
    ────────────────────────────────────────────────────────────────────────────────
    ID aws-iam-no-policy-wildcards
    Impact Overly permissive policies may grant access to sensitive resources
    Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

More Information

Results #10-12 HIGH IAM policy document uses sensitive action 's3:PutObject' on wildcarded resource '64ece238-be4a-42c0-90d0-5c9ff8f05fe8/*' (3 similar results)
────────────────────────────────────────────────────────────────────────────────
modules/landing_zone/main.tf:300
via main.tf:1-17 (module.capita)
────────────────────────────────────────────────────────────────────────────────
283 data "aws_iam_policy_document" "this_transfer_workflow" {
...
300 [ resources = ["${var.data_store_bucket.arn}/*"]
...
335 }
────────────────────────────────────────────────────────────────────────────────
Individual Causes

  • modules/landing_zone/main.tf:1-17 (module.capita) 3 instances
    ────────────────────────────────────────────────────────────────────────────────
    ID aws-iam-no-policy-wildcards
    Impact Overly permissive policies may grant access to sensitive resources
    Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

More Information

Results #13-18 HIGH IAM policy document uses sensitive action 's3:PutObjectTagging' on wildcarded resource '64ece238-be4a-42c0-90d0-5c9ff8f05fe8/*' (6 similar results)
────────────────────────────────────────────────────────────────────────────────
modules/landing_zone/main.tf:320-323
via main.tf:1-17 (module.capita)
────────────────────────────────────────────────────────────────────────────────
283 data "aws_iam_policy_document" "this_transfer_workflow" {
...
320 ┌ resources = [
321 │ "${var.data_store_bucket.arn}/*",
322 │ "${aws_s3_bucket.landing_bucket.arn}/*",
323 └ ]
...
335 }
────────────────────────────────────────────────────────────────────────────────
Individual Causes

  • modules/landing_zone/main.tf:1-17 (module.capita) 6 instances
    ────────────────────────────────────────────────────────────────────────────────
    ID aws-iam-no-policy-wildcards
    Impact Overly permissive policies may grant access to sensitive resources
    Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

More Information

Results #19-21 HIGH IAM policy document uses sensitive action 's3:DeleteObject' on wildcarded resource '97b69b01-230d-462b-a2c4-0e50c2b5fac9/*' (3 similar results)
────────────────────────────────────────────────────────────────────────────────
modules/landing_zone/main.tf:333
via main.tf:1-17 (module.capita)
────────────────────────────────────────────────────────────────────────────────
283 data "aws_iam_policy_document" "this_transfer_workflow" {
...
333 [ resources = ["${aws_s3_bucket.landing_bucket.arn}/*"]
...
335 }
────────────────────────────────────────────────────────────────────────────────
Individual Causes

  • modules/landing_zone/main.tf:1-17 (module.capita) 3 instances
    ────────────────────────────────────────────────────────────────────────────────
    ID aws-iam-no-policy-wildcards
    Impact Overly permissive policies may grant access to sensitive resources
    Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

More Information

Results #22-24 HIGH Bucket does not encrypt data with a customer managed key. (3 similar results)
────────────────────────────────────────────────────────────────────────────────
modules/landing_zone/main.tf:37-45
via main.tf:19-35 (module.civica)
────────────────────────────────────────────────────────────────────────────────
37 resource "aws_s3_bucket_server_side_encryption_configuration" "landing_bucket" {
38 bucket = aws_s3_bucket.landing_bucket.id
39
40 rule {
41 apply_server_side_encryption_by_default {
42 sse_algorithm = "AES256"
43 }
44 }
45 }
────────────────────────────────────────────────────────────────────────────────
Individual Causes

  • modules/landing_zone/main.tf:19-35 (module.civica)
  • modules/landing_zone/main.tf:37-53 (module.g4s)
  • modules/landing_zone/main.tf:1-17 (module.capita)
    ────────────────────────────────────────────────────────────────────────────────
    ID aws-s3-encryption-customer-key
    Impact Using AWS managed keys does not allow for fine grained control
    Resolution Enable encryption using customer managed keys

More Information

Results #25-28 HIGH Bucket does not encrypt data with a customer managed key. (4 similar results)
────────────────────────────────────────────────────────────────────────────────
modules/s3_log_bucket/main.tf:10-18
via s3.tf:5-10 (module.data_store_log_bucket)
────────────────────────────────────────────────────────────────────────────────
10 resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
11 bucket = aws_s3_bucket.this.id
12
13 rule {
14 apply_server_side_encryption_by_default {
15 sse_algorithm = "AES256"
16 }
17 }
18 }
────────────────────────────────────────────────────────────────────────────────
Individual Causes

  • modules/s3_log_bucket/main.tf:5-10 (module.data_store_log_bucket)
  • modules/s3_log_bucket/main.tf:1-17 (module.capita) 3 instances
    ────────────────────────────────────────────────────────────────────────────────
    ID aws-s3-encryption-customer-key
    Impact Using AWS managed keys does not allow for fine grained control
    Resolution Enable encryption using customer managed keys

More Information

Result #29 HIGH Bucket does not encrypt data with a customer managed key.
────────────────────────────────────────────────────────────────────────────────
s3.tf:20-28
────────────────────────────────────────────────────────────────────────────────
20 resource "aws_s3_bucket_server_side_encryption_configuration" "data_store" {
21 bucket = aws_s3_bucket.data_store.id
22
23 rule {
24 apply_server_side_encryption_by_default {
25 sse_algorithm = "AES256"
26 }
27 }
28 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-encryption-customer-key
Impact Using AWS managed keys does not allow for fine grained control
Resolution Enable encryption using customer managed keys

More Information

Results #30-32 MEDIUM Key does not have rotation enabled. (3 similar results)
────────────────────────────────────────────────────────────────────────────────
modules/landing_zone/main.tf:119-127
via main.tf:1-17 (module.capita)
────────────────────────────────────────────────────────────────────────────────
119 resource "aws_kms_key" "this" {
120 description = "${var.supplier} server cloudwatch log encryption key"
121 key_usage = "ENCRYPT_DECRYPT"
122 deletion_window_in_days = 30
123
124 tags = {
125 supplier = var.supplier
126 }
127 }
────────────────────────────────────────────────────────────────────────────────
Individual Causes

  • modules/landing_zone/main.tf:1-17 (module.capita)
  • modules/landing_zone/main.tf:37-53 (module.g4s)
  • modules/landing_zone/main.tf:19-35 (module.civica)
    ────────────────────────────────────────────────────────────────────────────────
    ID aws-kms-auto-rotate-keys
    Impact Long life KMS keys increase the attack surface when compromised
    Resolution Configure KMS key to auto rotate

More Information

Results #33-35 MEDIUM Bucket does not have versioning enabled (3 similar results)
────────────────────────────────────────────────────────────────────────────────
modules/landing_zone/main.tf:84
via main.tf:37-53 (module.g4s)
────────────────────────────────────────────────────────────────────────────────
81 resource "aws_s3_bucket_versioning" "landing_bucket" {
82 bucket = aws_s3_bucket.landing_bucket.id
83 versioning_configuration {
84 [ status = "Disabled"
85 }
86 }
────────────────────────────────────────────────────────────────────────────────
Individual Causes

  • modules/landing_zone/main.tf:37-53 (module.g4s)
  • modules/landing_zone/main.tf:19-35 (module.civica)
  • modules/landing_zone/main.tf:1-17 (module.capita)
    ────────────────────────────────────────────────────────────────────────────────
    ID aws-s3-enable-versioning
    Impact Deleted or modified data would not be recoverable
    Resolution Enable versioning to protect against accidental/malicious removal or modification

More Information

Results #36-39 MEDIUM Bucket does not have logging enabled (4 similar results)
────────────────────────────────────────────────────────────────────────────────
modules/s3_log_bucket/main.tf:2-8
via modules/landing_zone/main.tf:105-113 (module.log_bucket)
via main.tf:1-17 (module.capita)
────────────────────────────────────────────────────────────────────────────────
2 resource "aws_s3_bucket" "this" {
3 bucket = "${var.source_bucket.id}-logs"
4
5 force_destroy = true
6
7 tags = var.tags
8 }
────────────────────────────────────────────────────────────────────────────────
Individual Causes

  • modules/s3_log_bucket/main.tf:1-17 (module.capita)
  • modules/s3_log_bucket/main.tf:5-10 (module.data_store_log_bucket)
  • modules/s3_log_bucket/main.tf:37-53 (module.g4s)
  • modules/s3_log_bucket/main.tf:19-35 (module.civica)
    ────────────────────────────────────────────────────────────────────────────────
    ID aws-s3-enable-bucket-logging
    Impact There is no way to determine the access to this bucket
    Resolution Add a logging block to the resource to enable access logging

More Information

Results #40-43 MEDIUM Bucket does not have versioning enabled (4 similar results)
────────────────────────────────────────────────────────────────────────────────
modules/s3_log_bucket/main.tf:2-8
via modules/landing_zone/main.tf:105-113 (module.log_bucket)
via main.tf:37-53 (module.g4s)
────────────────────────────────────────────────────────────────────────────────
2 resource "aws_s3_bucket" "this" {
3 bucket = "${var.source_bucket.id}-logs"
4
5 force_destroy = true
6
7 tags = var.tags
8 }
────────────────────────────────────────────────────────────────────────────────
Individual Causes

  • modules/s3_log_bucket/main.tf:37-53 (module.g4s)
  • modules/s3_log_bucket/main.tf:19-35 (module.civica)
  • modules/s3_log_bucket/main.tf:1-17 (module.capita)
  • modules/s3_log_bucket/main.tf:5-10 (module.data_store_log_bucket)
    ────────────────────────────────────────────────────────────────────────────────
    ID aws-s3-enable-versioning
    Impact Deleted or modified data would not be recoverable
    Resolution Enable versioning to protect against accidental/malicious removal or modification

More Information

timings
──────────────────────────────────────────
disk i/o 944.204µs
parsing 78.258793ms
adaptation 7.874846ms
checks 10.508219ms
total 97.586062ms

counts
──────────────────────────────────────────
modules downloaded 0
modules processed 20
blocks processed 295
files read 60

results
──────────────────────────────────────────
passed 121
ignored 0
critical 0
high 29
medium 14
low 0

121 passed, 43 potential problem(s) detected.

tfsec_exitcode=1


Running TFSEC in terraform/environments/electronic-monitoring-data/modules/landing_zone/landing_zone_user
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available
for the time being, although our engineering
attention will be directed at Trivy going forward.

You can read more here:
aquasecurity/tfsec#1994

timings
──────────────────────────────────────────
disk i/o 34.154µs
parsing 481.127µs
adaptation 132.327µs
checks 8.023702ms
total 8.67131ms

counts
──────────────────────────────────────────
modules downloaded 0
modules processed 1
blocks processed 11
files read 2

results
──────────────────────────────────────────
passed 4
ignored 0
critical 0
high 0
medium 0
low 0

No problems detected!

tfsec_exitcode=1


Running TFSEC in terraform/environments/electronic-monitoring-data/modules/landing_zone
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available
for the time being, although our engineering
attention will be directed at Trivy going forward.

You can read more here:
aquasecurity/tfsec#1994

Result #1 HIGH IAM policy document uses sensitive action 's3:GetObject' on wildcarded resource 'e194451f-8846-4df6-936d-b1bf8e1f2efb/*'
────────────────────────────────────────────────────────────────────────────────
main.tf:291
────────────────────────────────────────────────────────────────────────────────
283 data "aws_iam_policy_document" "this_transfer_workflow" {
...
291 [ resources = ["${aws_s3_bucket.landing_bucket.arn}/*"]
...
335 }
────────────────────────────────────────────────────────────────────────────────
ID aws-iam-no-policy-wildcards
Impact Overly permissive policies may grant access to sensitive resources
Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

More Information

Result #2 HIGH IAM policy document uses sensitive action 's3:PutObjectTagging' on wildcarded resource ''
────────────────────────────────────────────────────────────────────────────────
main.tf:320-323
────────────────────────────────────────────────────────────────────────────────
283 data "aws_iam_policy_document" "this_transfer_workflow" {
...
320 ┌ resources = [
321 │ "${var.data_store_bucket.arn}/*",
322 │ "${aws_s3_bucket.landing_bucket.arn}/*",
323 └ ]
...
335 }
────────────────────────────────────────────────────────────────────────────────
ID aws-iam-no-policy-wildcards
Impact Overly permissive policies may grant access to sensitive resources
Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

More Information

Result #3 HIGH IAM policy document uses sensitive action 's3:DeleteObject' on wildcarded resource 'e194451f-8846-4df6-936d-b1bf8e1f2efb/*'
────────────────────────────────────────────────────────────────────────────────
main.tf:333
────────────────────────────────────────────────────────────────────────────────
283 data "aws_iam_policy_document" "this_transfer_workflow" {
...
333 [ resources = ["${aws_s3_bucket.landing_bucket.arn}/*"]
...
335 }
────────────────────────────────────────────────────────────────────────────────
ID aws-iam-no-policy-wildcards
Impact Overly permissive policies may grant access to sensitive resources
Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

More Information

Result #4 HIGH Bucket does not encrypt data with a customer managed key.
────────────────────────────────────────────────────────────────────────────────
main.tf:37-45
────────────────────────────────────────────────────────────────────────────────
37 resource "aws_s3_bucket_server_side_encryption_configuration" "landing_bucket" {
38 bucket = aws_s3_bucket.landing_bucket.id
39
40 rule {
41 apply_server_side_encryption_by_default {
42 sse_algorithm = "AES256"
43 }
44 }
45 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-encryption-customer-key
Impact Using AWS managed keys does not allow for fine grained control
Resolution Enable encryption using customer managed keys

More Information

Result #5 HIGH Bucket does not encrypt data with a customer managed key.
────────────────────────────────────────────────────────────────────────────────
../s3_log_bucket/main.tf:10-18
via main.tf:105-113 (module.log_bucket)
────────────────────────────────────────────────────────────────────────────────
10 resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
11 bucket = aws_s3_bucket.this.id
12
13 rule {
14 apply_server_side_encryption_by_default {
15 sse_algorithm = "AES256"
16 }
17 }
18 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-encryption-customer-key
Impact Using AWS managed keys does not allow for fine grained control
Resolution Enable encryption using customer managed keys

More Information

Result #6 MEDIUM Key does not have rotation enabled.
────────────────────────────────────────────────────────────────────────────────
main.tf:119-127
────────────────────────────────────────────────────────────────────────────────
119 resource "aws_kms_key" "this" {
120 description = "${var.supplier} server cloudwatch log encryption key"
121 key_usage = "ENCRYPT_DECRYPT"
122 deletion_window_in_days = 30
123
124 tags = {
125 supplier = var.supplier
126 }
127 }
────────────────────────────────────────────────────────────────────────────────
ID aws-kms-auto-rotate-keys
Impact Long life KMS keys increase the attack surface when compromised
Resolution Configure KMS key to auto rotate

More Information

Result #7 MEDIUM Bucket does not have versioning enabled
────────────────────────────────────────────────────────────────────────────────
main.tf:84
────────────────────────────────────────────────────────────────────────────────
81 resource "aws_s3_bucket_versioning" "landing_bucket" {
82 bucket = aws_s3_bucket.landing_bucket.id
83 versioning_configuration {
84 [ status = "Disabled"
85 }
86 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-enable-versioning
Impact Deleted or modified data would not be recoverable
Resolution Enable versioning to protect against accidental/malicious removal or modification

More Information

Result #8 MEDIUM Bucket does not have logging enabled
────────────────────────────────────────────────────────────────────────────────
../s3_log_bucket/main.tf:2-8
via main.tf:105-113 (module.log_bucket)
────────────────────────────────────────────────────────────────────────────────
2 resource "aws_s3_bucket" "this" {
3 bucket = "${var.source_bucket.id}-logs"
4
5 force_destroy = true
6
7 tags = var.tags
8 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-enable-bucket-logging
Impact There is no way to determine the access to this bucket
Resolution Add a logging block to the resource to enable access logging

More Information

Result #9 MEDIUM Bucket does not have versioning enabled
────────────────────────────────────────────────────────────────────────────────
../s3_log_bucket/main.tf:2-8
via main.tf:105-113 (module.log_bucket)
────────────────────────────────────────────────────────────────────────────────
2 resource "aws_s3_bucket" "this" {
3 bucket = "${var.source_bucket.id}-logs"
4
5 force_destroy = true
6
7 tags = var.tags
8 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-enable-versioning
Impact Deleted or modified data would not be recoverable
Resolution Enable versioning to protect against accidental/malicious removal or modification

More Information

timings
──────────────────────────────────────────
disk i/o 115.546µs
parsing 2.909089ms
adaptation 361.044µs
checks 2.914107ms
total 6.299786ms

counts
──────────────────────────────────────────
modules downloaded 0
modules processed 2
blocks processed 38
files read 5

results
──────────────────────────────────────────
passed 29
ignored 0
critical 0
high 5
medium 4
low 0

29 passed, 9 potential problem(s) detected.

tfsec_exitcode=2


Running TFSEC in terraform/environments/electronic-monitoring-data/modules/landing_zone/server_security_group
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available
for the time being, although our engineering
attention will be directed at Trivy going forward.

You can read more here:
aquasecurity/tfsec#1994

timings
──────────────────────────────────────────
disk i/o 44.713µs
parsing 386.892µs
adaptation 84.598µs
checks 3.263861ms
total 3.780064ms

counts
──────────────────────────────────────────
modules downloaded 0
modules processed 1
blocks processed 9
files read 3

results
──────────────────────────────────────────
passed 1
ignored 0
critical 0
high 0
medium 0
low 0

No problems detected!

tfsec_exitcode=2


Running TFSEC in terraform/environments/electronic-monitoring-data/modules/landing_zone
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available
for the time being, although our engineering
attention will be directed at Trivy going forward.

You can read more here:
aquasecurity/tfsec#1994

Result #1 HIGH IAM policy document uses sensitive action 's3:GetObject' on wildcarded resource '9debcaba-17bb-4801-a506-61a0435716c1/*'
────────────────────────────────────────────────────────────────────────────────
main.tf:291
────────────────────────────────────────────────────────────────────────────────
283 data "aws_iam_policy_document" "this_transfer_workflow" {
...
291 [ resources = ["${aws_s3_bucket.landing_bucket.arn}/*"]
...
335 }
────────────────────────────────────────────────────────────────────────────────
ID aws-iam-no-policy-wildcards
Impact Overly permissive policies may grant access to sensitive resources
Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

More Information

Result #2 HIGH IAM policy document uses sensitive action 's3:PutObjectTagging' on wildcarded resource ''
────────────────────────────────────────────────────────────────────────────────
main.tf:320-323
────────────────────────────────────────────────────────────────────────────────
283 data "aws_iam_policy_document" "this_transfer_workflow" {
...
320 ┌ resources = [
321 │ "${var.data_store_bucket.arn}/*",
322 │ "${aws_s3_bucket.landing_bucket.arn}/*",
323 └ ]
...
335 }
────────────────────────────────────────────────────────────────────────────────
ID aws-iam-no-policy-wildcards
Impact Overly permissive policies may grant access to sensitive resources
Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

More Information

Result #3 HIGH IAM policy document uses sensitive action 's3:DeleteObject' on wildcarded resource '9debcaba-17bb-4801-a506-61a0435716c1/*'
────────────────────────────────────────────────────────────────────────────────
main.tf:333
────────────────────────────────────────────────────────────────────────────────
283 data "aws_iam_policy_document" "this_transfer_workflow" {
...
333 [ resources = ["${aws_s3_bucket.landing_bucket.arn}/*"]
...
335 }
────────────────────────────────────────────────────────────────────────────────
ID aws-iam-no-policy-wildcards
Impact Overly permissive policies may grant access to sensitive resources
Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

More Information

Result #4 HIGH Bucket does not encrypt data with a customer managed key.
────────────────────────────────────────────────────────────────────────────────
main.tf:37-45
────────────────────────────────────────────────────────────────────────────────
37 resource "aws_s3_bucket_server_side_encryption_configuration" "landing_bucket" {
38 bucket = aws_s3_bucket.landing_bucket.id
39
40 rule {
41 apply_server_side_encryption_by_default {
42 sse_algorithm = "AES256"
43 }
44 }
45 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-encryption-customer-key
Impact Using AWS managed keys does not allow for fine grained control
Resolution Enable encryption using customer managed keys

More Information

Result #5 HIGH Bucket does not encrypt data with a customer managed key.
────────────────────────────────────────────────────────────────────────────────
../s3_log_bucket/main.tf:10-18
via main.tf:105-113 (module.log_bucket)
────────────────────────────────────────────────────────────────────────────────
10 resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
11 bucket = aws_s3_bucket.this.id
12
13 rule {
14 apply_server_side_encryption_by_default {
15 sse_algorithm = "AES256"
16 }
17 }
18 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-encryption-customer-key
Impact Using AWS managed keys does not allow for fine grained control
Resolution Enable encryption using customer managed keys

More Information

Result #6 MEDIUM Key does not have rotation enabled.
────────────────────────────────────────────────────────────────────────────────
main.tf:119-127
────────────────────────────────────────────────────────────────────────────────
119 resource "aws_kms_key" "this" {
120 description = "${var.supplier} server cloudwatch log encryption key"
121 key_usage = "ENCRYPT_DECRYPT"
122 deletion_window_in_days = 30
123
124 tags = {
125 supplier = var.supplier
126 }
127 }
────────────────────────────────────────────────────────────────────────────────
ID aws-kms-auto-rotate-keys
Impact Long life KMS keys increase the attack surface when compromised
Resolution Configure KMS key to auto rotate

More Information

Result #7 MEDIUM Bucket does not have versioning enabled
────────────────────────────────────────────────────────────────────────────────
main.tf:84
────────────────────────────────────────────────────────────────────────────────
81 resource "aws_s3_bucket_versioning" "landing_bucket" {
82 bucket = aws_s3_bucket.landing_bucket.id
83 versioning_configuration {
84 [ status = "Disabled"
85 }
86 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-enable-versioning
Impact Deleted or modified data would not be recoverable
Resolution Enable versioning to protect against accidental/malicious removal or modification

More Information

Result #8 MEDIUM Bucket does not have logging enabled
────────────────────────────────────────────────────────────────────────────────
../s3_log_bucket/main.tf:2-8
via main.tf:105-113 (module.log_bucket)
────────────────────────────────────────────────────────────────────────────────
2 resource "aws_s3_bucket" "this" {
3 bucket = "${var.source_bucket.id}-logs"
4
5 force_destroy = true
6
7 tags = var.tags
8 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-enable-bucket-logging
Impact There is no way to determine the access to this bucket
Resolution Add a logging block to the resource to enable access logging

More Information

Result #9 MEDIUM Bucket does not have versioning enabled
────────────────────────────────────────────────────────────────────────────────
../s3_log_bucket/main.tf:2-8
via main.tf:105-113 (module.log_bucket)
────────────────────────────────────────────────────────────────────────────────
2 resource "aws_s3_bucket" "this" {
3 bucket = "${var.source_bucket.id}-logs"
4
5 force_destroy = true
6
7 tags = var.tags
8 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-enable-versioning
Impact Deleted or modified data would not be recoverable
Resolution Enable versioning to protect against accidental/malicious removal or modification

More Information

timings
──────────────────────────────────────────
disk i/o 83.145µs
parsing 2.953574ms
adaptation 364.33µs
checks 3.648338ms
total 7.049387ms

counts
──────────────────────────────────────────
modules downloaded 0
modules processed 2
blocks processed 38
files read 5

results
──────────────────────────────────────────
passed 29
ignored 0
critical 0
high 5
medium 4
low 0

29 passed, 9 potential problem(s) detected.

tfsec_exitcode=3

Checkov Scan Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/electronic-monitoring-data terraform/environments/electronic-monitoring-data/modules/landing_zone/landing_zone_user terraform/environments/electronic-monitoring-data/modules/landing_zone terraform/environments/electronic-monitoring-data/modules/landing_zone/server_security_group terraform/environments/electronic-monitoring-data/modules/landing_zone

*****************************

Running Checkov in terraform/environments/electronic-monitoring-data
terraform scan results:

Passed checks: 430, Failed checks: 47, Skipped checks: 0

Check: CKV_AWS_7: "Ensure rotation for customer created CMKs is enabled"
	FAILED for resource: module.capita.aws_kms_key.this
	File: /modules/landing_zone/main.tf:119-127
	Calling File: /main.tf:1-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-8

		119 | resource "aws_kms_key" "this" {
		120 |   description             = "${var.supplier} server cloudwatch log encryption key"
		121 |   key_usage               = "ENCRYPT_DECRYPT"
		122 |   deletion_window_in_days = 30
		123 | 
		124 |   tags = {
		125 |     supplier = var.supplier
		126 |   }
		127 | }

Check: CKV_AWS_7: "Ensure rotation for customer created CMKs is enabled"
	FAILED for resource: module.civica.aws_kms_key.this
	File: /modules/landing_zone/main.tf:119-127
	Calling File: /main.tf:19-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-8

		119 | resource "aws_kms_key" "this" {
		120 |   description             = "${var.supplier} server cloudwatch log encryption key"
		121 |   key_usage               = "ENCRYPT_DECRYPT"
		122 |   deletion_window_in_days = 30
		123 | 
		124 |   tags = {
		125 |     supplier = var.supplier
		126 |   }
		127 | }

Check: CKV_AWS_7: "Ensure rotation for customer created CMKs is enabled"
	FAILED for resource: module.g4s.aws_kms_key.this
	File: /modules/landing_zone/main.tf:119-127
	Calling File: /main.tf:37-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-8

		119 | resource "aws_kms_key" "this" {
		120 |   description             = "${var.supplier} server cloudwatch log encryption key"
		121 |   key_usage               = "ENCRYPT_DECRYPT"
		122 |   deletion_window_in_days = 30
		123 | 
		124 |   tags = {
		125 |     supplier = var.supplier
		126 |   }
		127 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.capita.module.landing_zone_security_groups.aws_security_group.this
	File: /modules/landing_zone/server_security_group/main.tf:7-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		7  | resource "aws_security_group" "this" {
		8  |   name        = "${var.supplier}-${var.user_name}-inbound-ips"
		9  |   description = "Allowed IP addresses for ${var.user_name} on ${var.supplier} server"
		10 |   vpc_id      = var.vpc_id
		11 | 
		12 |   tags = {
		13 |     supplier = var.user_name
		14 |   }
		15 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.civica.module.landing_zone_security_groups.aws_security_group.this
	File: /modules/landing_zone/server_security_group/main.tf:7-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		7  | resource "aws_security_group" "this" {
		8  |   name        = "${var.supplier}-${var.user_name}-inbound-ips"
		9  |   description = "Allowed IP addresses for ${var.user_name} on ${var.supplier} server"
		10 |   vpc_id      = var.vpc_id
		11 | 
		12 |   tags = {
		13 |     supplier = var.user_name
		14 |   }
		15 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.g4s.module.landing_zone_security_groups.aws_security_group.this
	File: /modules/landing_zone/server_security_group/main.tf:7-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		7  | resource "aws_security_group" "this" {
		8  |   name        = "${var.supplier}-${var.user_name}-inbound-ips"
		9  |   description = "Allowed IP addresses for ${var.user_name} on ${var.supplier} server"
		10 |   vpc_id      = var.vpc_id
		11 | 
		12 |   tags = {
		13 |     supplier = var.user_name
		14 |   }
		15 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.capita.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.civica.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.capita.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.civica.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.data_store
	File: /s3.tf:16-18
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		16 | resource "aws_s3_bucket" "data_store" {
		17 |   bucket_prefix = "em-data-store-"
		18 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.civica.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.capita.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.civica.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.capita.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.civica.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.data_store
	File: /s3.tf:16-18
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		16 | resource "aws_s3_bucket" "data_store" {
		17 |   bucket_prefix = "em-data-store-"
		18 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.capita.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.civica.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.capita.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.civica.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.data_store
	File: /s3.tf:16-18
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		16 | resource "aws_s3_bucket" "data_store" {
		17 |   bucket_prefix = "em-data-store-"
		18 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.capita.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.civica.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.capita.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.civica.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.data_store
	File: /s3.tf:16-18
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		16 | resource "aws_s3_bucket" "data_store" {
		17 |   bucket_prefix = "em-data-store-"
		18 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.capita.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.civica.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.capita.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.civica.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }


checkov_exitcode=1

*****************************

Running Checkov in terraform/environments/electronic-monitoring-data/modules/landing_zone/landing_zone_user
terraform scan results:

Passed checks: 27, Failed checks: 0, Skipped checks: 0


checkov_exitcode=1

*****************************

Running Checkov in terraform/environments/electronic-monitoring-data/modules/landing_zone
terraform scan results:

Passed checks: 126, Failed checks: 12, Skipped checks: 0

Check: CKV_AWS_7: "Ensure rotation for customer created CMKs is enabled"
	FAILED for resource: aws_kms_key.this
	File: /main.tf:119-127
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-8

		119 | resource "aws_kms_key" "this" {
		120 |   description             = "${var.supplier} server cloudwatch log encryption key"
		121 |   key_usage               = "ENCRYPT_DECRYPT"
		122 |   deletion_window_in_days = 30
		123 | 
		124 |   tags = {
		125 |     supplier = var.supplier
		126 |   }
		127 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.landing_zone_security_groups.aws_security_group.this
	File: /server_security_group/main.tf:7-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		7  | resource "aws_security_group" "this" {
		8  |   name        = "${var.supplier}-${var.user_name}-inbound-ips"
		9  |   description = "Allowed IP addresses for ${var.user_name} on ${var.supplier} server"
		10 |   vpc_id      = var.vpc_id
		11 | 
		12 |   tags = {
		13 |     supplier = var.user_name
		14 |   }
		15 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.landing_bucket
	File: /main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.log_bucket.aws_s3_bucket.this
	File: /../s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.landing_bucket
	File: /main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.log_bucket.aws_s3_bucket.this
	File: /../s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.landing_bucket
	File: /main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.log_bucket.aws_s3_bucket.this
	File: /../s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.landing_bucket
	File: /main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.log_bucket.aws_s3_bucket.this
	File: /../s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.landing_bucket
	File: /main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.log_bucket.aws_s3_bucket.this
	File: /../s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }


checkov_exitcode=2

*****************************

Running Checkov in terraform/environments/electronic-monitoring-data/modules/landing_zone/server_security_group
terraform scan results:

Passed checks: 15, Failed checks: 1, Skipped checks: 0

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.this
	File: /main.tf:7-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		7  | resource "aws_security_group" "this" {
		8  |   name        = "${var.supplier}-${var.user_name}-inbound-ips"
		9  |   description = "Allowed IP addresses for ${var.user_name} on ${var.supplier} server"
		10 |   vpc_id      = var.vpc_id
		11 | 
		12 |   tags = {
		13 |     supplier = var.user_name
		14 |   }
		15 | }


checkov_exitcode=3

*****************************

Running Checkov in terraform/environments/electronic-monitoring-data/modules/landing_zone
terraform scan results:

Passed checks: 126, Failed checks: 12, Skipped checks: 0

Check: CKV_AWS_7: "Ensure rotation for customer created CMKs is enabled"
	FAILED for resource: aws_kms_key.this
	File: /main.tf:119-127
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-8

		119 | resource "aws_kms_key" "this" {
		120 |   description             = "${var.supplier} server cloudwatch log encryption key"
		121 |   key_usage               = "ENCRYPT_DECRYPT"
		122 |   deletion_window_in_days = 30
		123 | 
		124 |   tags = {
		125 |     supplier = var.supplier
		126 |   }
		127 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.landing_zone_security_groups.aws_security_group.this
	File: /server_security_group/main.tf:7-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		7  | resource "aws_security_group" "this" {
		8  |   name        = "${var.supplier}-${var.user_name}-inbound-ips"
		9  |   description = "Allowed IP addresses for ${var.user_name} on ${var.supplier} server"
		10 |   vpc_id      = var.vpc_id
		11 | 
		12 |   tags = {
		13 |     supplier = var.user_name
		14 |   }
		15 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.landing_bucket
	File: /main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.log_bucket.aws_s3_bucket.this
	File: /../s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.landing_bucket
	File: /main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.log_bucket.aws_s3_bucket.this
	File: /../s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.landing_bucket
	File: /main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.log_bucket.aws_s3_bucket.this
	File: /../s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.landing_bucket
	File: /main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.log_bucket.aws_s3_bucket.this
	File: /../s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.landing_bucket
	File: /main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.log_bucket.aws_s3_bucket.this
	File: /../s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }


checkov_exitcode=4

TFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/electronic-monitoring-data terraform/environments/electronic-monitoring-data/modules/landing_zone/landing_zone_user terraform/environments/electronic-monitoring-data/modules/landing_zone terraform/environments/electronic-monitoring-data/modules/landing_zone/server_security_group terraform/environments/electronic-monitoring-data/modules/landing_zone

*****************************

Running tflint in terraform/environments/electronic-monitoring-data
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

*****************************

Running tflint in terraform/environments/electronic-monitoring-data/modules/landing_zone/landing_zone_user
Excluding the following checks: terraform_unused_declarations
4 issue(s) found:

Warning: terraform "required_version" attribute is required (terraform_required_version)

  on  line 0:
   (source code not available)

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_version.md

Warning: Missing version constraint for provider "aws" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/modules/landing_zone/landing_zone_user/main.tf line 67:
  67: resource "aws_transfer_ssh_key" "this" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: `landing_bucket` variable has no type (terraform_typed_variables)

  on terraform/environments/electronic-monitoring-data/modules/landing_zone/landing_zone_user/variables.tf line 1:
   1: variable "landing_bucket" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_typed_variables.md

Warning: `transfer_server` variable has no type (terraform_typed_variables)

  on terraform/environments/electronic-monitoring-data/modules/landing_zone/landing_zone_user/variables.tf line 15:
  15: variable "transfer_server" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_typed_variables.md

tflint_exitcode=2

*****************************

Running tflint in terraform/environments/electronic-monitoring-data/modules/landing_zone
Excluding the following checks: terraform_unused_declarations
6 issue(s) found:

Warning: terraform "required_version" attribute is required (terraform_required_version)

  on  line 0:
   (source code not available)

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_version.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/modules/landing_zone/main.tf line 21:
  21: resource "random_string" "this" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "aws" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/modules/landing_zone/main.tf line 337:
 337: resource "aws_iam_role_policy" "this_transfer_workflow" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: `account_id` variable has no type (terraform_typed_variables)

  on terraform/environments/electronic-monitoring-data/modules/landing_zone/variables.tf line 1:
   1: variable "account_id" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_typed_variables.md

Warning: `data_store_bucket` variable has no type (terraform_typed_variables)

  on terraform/environments/electronic-monitoring-data/modules/landing_zone/variables.tf line 5:
   5: variable "data_store_bucket" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_typed_variables.md

Warning: `vpc_id` variable has no type (terraform_typed_variables)

  on terraform/environments/electronic-monitoring-data/modules/landing_zone/variables.tf line 30:
  30: variable "vpc_id" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_typed_variables.md

tflint_exitcode=4

*****************************

Running tflint in terraform/environments/electronic-monitoring-data/modules/landing_zone/server_security_group
Excluding the following checks: terraform_unused_declarations
3 issue(s) found:

Warning: terraform "required_version" attribute is required (terraform_required_version)

  on  line 0:
   (source code not available)

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_version.md

Warning: Missing version constraint for provider "aws" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/modules/landing_zone/server_security_group/main.tf line 28:
  28: resource "aws_vpc_security_group_ingress_rule" "this_ipv6" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: `vpc_id` variable has no type (terraform_typed_variables)

  on terraform/environments/electronic-monitoring-data/modules/landing_zone/server_security_group/variables.tf line 23:
  23: variable "vpc_id" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_typed_variables.md

tflint_exitcode=6

*****************************

Running tflint in terraform/environments/electronic-monitoring-data/modules/landing_zone
Excluding the following checks: terraform_unused_declarations
6 issue(s) found:

Warning: terraform "required_version" attribute is required (terraform_required_version)

  on  line 0:
   (source code not available)

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_version.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/modules/landing_zone/main.tf line 21:
  21: resource "random_string" "this" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "aws" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/modules/landing_zone/main.tf line 337:
 337: resource "aws_iam_role_policy" "this_transfer_workflow" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: `account_id` variable has no type (terraform_typed_variables)

  on terraform/environments/electronic-monitoring-data/modules/landing_zone/variables.tf line 1:
   1: variable "account_id" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_typed_variables.md

Warning: `data_store_bucket` variable has no type (terraform_typed_variables)

  on terraform/environments/electronic-monitoring-data/modules/landing_zone/variables.tf line 5:
   5: variable "data_store_bucket" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_typed_variables.md

Warning: `vpc_id` variable has no type (terraform_typed_variables)

  on terraform/environments/electronic-monitoring-data/modules/landing_zone/variables.tf line 30:
  30: variable "vpc_id" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_typed_variables.md

tflint_exitcode=8

Trivy Scan


@pete-j-g pete-j-g merged commit da15413 into main Feb 6, 2024
12 of 16 checks passed
@pete-j-g pete-j-g deleted the NIT-1038-mis-allow-ad-traffic-between-mp-and-legacy branch February 6, 2024 16:42