Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update bastion_linux.json #8948

Merged
merged 1 commit into from
Dec 3, 2024
Merged

Update bastion_linux.json #8948

merged 1 commit into from
Dec 3, 2024

Conversation

gdinu-moj
Copy link
Contributor

Added georged ssh key

@gdinu-moj
Update bastion_linux.json
f88cd5a 
Added georged ssh key
@gdinu-moj gdinu-moj requested review from a team as code owners December 3, 2024 14:50
@github-actions github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label Dec 3, 2024
@gdinu-moj gdinu-moj deployed to xhibit-portal-development December 3, 2024 14:51 — with GitHub Actions Active
zoltan-paldi
zoltan-paldi approved these changes Dec 3, 2024
View reviewed changes
Copy link
Contributor

@zoltan-paldi zoltan-paldi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Change looks fine and approved.

@gdinu-moj gdinu-moj merged commit 0b14991 into main Dec 3, 2024
13 of 14 checks passed
@gdinu-moj gdinu-moj deleted the gdinu-moj-patch-1 branch December 3, 2024 14:53
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Dec 3, 2024

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/electronic-monitoring-data
terraform/environments/electronic-monitoring-data/modules/ap_airflow_iam_role
terraform/environments/electronic-monitoring-data/modules/ap_airflow_load_data_iam_role

Running Trivy in terraform/environments/electronic-monitoring-data
2024-12-03T14:52:26Z INFO [vulndb] Need to update DB
2024-12-03T14:52:26Z INFO [vulndb] Downloading vulnerability DB...
2024-12-03T14:52:26Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-03T14:52:29Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-03T14:52:29Z INFO [vuln] Vulnerability scanning is enabled
2024-12-03T14:52:29Z INFO [misconfig] Misconfiguration scanning is enabled
2024-12-03T14:52:29Z INFO [misconfig] Need to update the built-in checks
2024-12-03T14:52:29Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2024-12-03T14:52:29Z INFO [secret] Secret scanning is enabled
2024-12-03T14:52:29Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-03T14:52:29Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-03T14:52:30Z WARN [pip] Unable to find python site-packages directory. License detection is skipped. err="site-packages directory not found"
2024-12-03T14:52:31Z INFO [terraform scanner] Scanning root module file_path="."
2024-12-03T14:52:31Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-12-03T14:52:32Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.create_athena_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T14:52:32Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.create_athena_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T14:52:32Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.get_file_keys_for_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T14:52:32Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.get_file_keys_for_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T14:52:32Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.get_metadata_from_rds_lambda.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T14:52:32Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.get_metadata_from_rds_lambda.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T14:52:32Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.output_file_structure_as_json_from_zip.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T14:52:32Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.output_file_structure_as_json_from_zip.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T14:52:32Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.query_output_to_list.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T14:52:32Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.query_output_to_list.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T14:52:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.rds_bastion.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-12-03T14:52:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.rds_bastion.data.aws_subnet.local_account" value="cty.NilVal"
2024-12-03T14:52:32Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.rds_bastion.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T14:52:32Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.rds_bastion.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T14:52:33Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.output_file_structure_as_json_from_zip.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T14:52:33Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.output_file_structure_as_json_from_zip.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T14:52:33Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.create_athena_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T14:52:33Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.create_athena_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T14:52:33Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.get_file_keys_for_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T14:52:33Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.get_file_keys_for_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T14:52:34Z INFO [terraform scanner] Scanning root module file_path="glue-job/Archived"
2024-12-03T14:52:39Z INFO [terraform executor] Ignore finding rule="aws-s3-enable-logging" range="s3.tf:1121-1140"
2024-12-03T14:52:39Z INFO [terraform executor] Ignore finding rule="aws-s3-enable-bucket-encryption" range="s3.tf:1121-1140"
2024-12-03T14:52:39Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-12-03T14:52:39Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-12-03T14:52:39Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-12-03T14:52:39Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-12-03T14:52:39Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-12-03T14:52:39Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-12-03T14:52:39Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-12-03T14:52:39Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-12-03T14:52:39Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-12-03T14:52:39Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-12-03T14:52:39Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-12-03T14:52:39Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=95ed3c3/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-12-03T14:52:39Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="s3.tf:1121-1140"
2024-12-03T14:52:39Z INFO [terraform executor] Ignore finding rule="aws-s3-enable-versioning" range="s3.tf:1121-1140"
2024-12-03T14:52:39Z INFO [terraform executor] Ignore finding rule="aws-ssm-secret-use-customer-key" range="analytical_platform_share.tf:50-68"
2024-12-03T14:52:39Z INFO [terraform executor] Ignore finding rule="aws-cloudwatch-log-group-customer-key" range="modules/api_step_function/main.tf:281-286"
2024-12-03T14:52:39Z INFO [terraform executor] Ignore finding rule="aws-cloudwatch-log-group-customer-key" range="modules/api_step_function/main.tf:407-411"
2024-12-03T14:52:39Z INFO [terraform executor] Ignore finding rule="aws-iam-no-user-attached-policies" range="modules/landing_bucket_iam_user_access/main.tf:2-10"
2024-12-03T14:52:39Z INFO [terraform executor] Ignore finding rule="aws-iam-no-user-attached-policies" range="modules/landing_bucket_iam_user_access/main.tf:2-10"
2024-12-03T14:52:40Z INFO Number of language-specific files num=1
2024-12-03T14:52:40Z INFO [pip] Detecting vulnerabilities...
2024-12-03T14:52:40Z INFO Detected config files num=17

lambdas/update_log_table/Dockerfile (dockerfile)

Tests: 21 (SUCCESSES: 20, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-DS-0002 (HIGH): Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────

trivy_exitcode=1

Running Trivy in terraform/environments/electronic-monitoring-data/modules/ap_airflow_iam_role
2024-12-03T14:52:40Z INFO [vuln] Vulnerability scanning is enabled
2024-12-03T14:52:40Z INFO [misconfig] Misconfiguration scanning is enabled
2024-12-03T14:52:40Z INFO [secret] Secret scanning is enabled
2024-12-03T14:52:40Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-03T14:52:40Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-03T14:52:41Z INFO [terraform scanner] Scanning root module file_path="."
2024-12-03T14:52:41Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="environment, iam_policy_document, oidc_arn, role_description, role_name_suffix, secret_code"
2024-12-03T14:52:41Z INFO Number of language-specific files num=0
2024-12-03T14:52:41Z INFO Detected config files num=1
trivy_exitcode=1

Running Trivy in terraform/environments/electronic-monitoring-data/modules/ap_airflow_load_data_iam_role
2024-12-03T14:52:41Z INFO [vuln] Vulnerability scanning is enabled
2024-12-03T14:52:41Z INFO [misconfig] Misconfiguration scanning is enabled
2024-12-03T14:52:41Z INFO [secret] Secret scanning is enabled
2024-12-03T14:52:41Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-03T14:52:41Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-03T14:52:42Z INFO [terraform scanner] Scanning root module file_path="."
2024-12-03T14:52:42Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="athena_dump_bucket, cadt_bucket, database_name, environment, name, oidc_arn, secret_code, source_data_bucket"
2024-12-03T14:52:42Z INFO Number of language-specific files num=0
2024-12-03T14:52:42Z INFO Detected config files num=1
trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/electronic-monitoring-data
terraform/environments/electronic-monitoring-data/modules/ap_airflow_iam_role
terraform/environments/electronic-monitoring-data/modules/ap_airflow_load_data_iam_role

*****************************

Running Checkov in terraform/environments/electronic-monitoring-data
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-12-03 14:52:44,522 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=95ed3c3:None (for external modules, the --download-external-modules flag is required)
2024-12-03 14:52:44,522 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060:None (for external modules, the --download-external-modules flag is required)
2024-12-03 14:52:44,523 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-assumable-role:5.48.0 (for external modules, the --download-external-modules flag is required)
2024-12-03 14:52:44,523 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/secrets-manager/aws:1.3.0 (for external modules, the --download-external-modules flag is required)
2024-12-03 14:52:44,523 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/kms/aws:3.1.1 (for external modules, the --download-external-modules flag is required)
2024-12-03 14:52:44,523 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=52a40b0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 2975, Failed checks: 80, Skipped checks: 95

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.s3_events
	File: /data_store.tf:17-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		17 | resource "aws_sns_topic" "s3_events" {
		18 |   name = "${module.s3-data-bucket.bucket.id}-object-created-topic"
		19 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:82-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		82 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		83 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		84 |   function_name = "calculate-checksum-lambda"
		85 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		86 |   handler       = "calculate_checksum_lambda.handler"
		87 |   runtime       = "python3.12"
		88 |   memory_size   = 4096
		89 |   timeout       = 900
		90 | 
		91 |   environment {
		92 |     variables = {
		93 |       Checksum = var.checksum_algorithm
		94 |     }
		95 |   }
		96 | 
		97 |   tags = local.tags
		98 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:82-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		82 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		83 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		84 |   function_name = "calculate-checksum-lambda"
		85 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		86 |   handler       = "calculate_checksum_lambda.handler"
		87 |   runtime       = "python3.12"
		88 |   memory_size   = 4096
		89 |   timeout       = 900
		90 | 
		91 |   environment {
		92 |     variables = {
		93 |       Checksum = var.checksum_algorithm
		94 |     }
		95 |   }
		96 | 
		97 |   tags = local.tags
		98 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:82-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		82 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		83 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		84 |   function_name = "calculate-checksum-lambda"
		85 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		86 |   handler       = "calculate_checksum_lambda.handler"
		87 |   runtime       = "python3.12"
		88 |   memory_size   = 4096
		89 |   timeout       = 900
		90 | 
		91 |   environment {
		92 |     variables = {
		93 |       Checksum = var.checksum_algorithm
		94 |     }
		95 |   }
		96 | 
		97 |   tags = local.tags
		98 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:82-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		82 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		83 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		84 |   function_name = "calculate-checksum-lambda"
		85 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		86 |   handler       = "calculate_checksum_lambda.handler"
		87 |   runtime       = "python3.12"
		88 |   memory_size   = 4096
		89 |   timeout       = 900
		90 | 
		91 |   environment {
		92 |     variables = {
		93 |       Checksum = var.checksum_algorithm
		94 |     }
		95 |   }
		96 | 
		97 |   tags = local.tags
		98 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:82-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		82 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		83 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		84 |   function_name = "calculate-checksum-lambda"
		85 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		86 |   handler       = "calculate_checksum_lambda.handler"
		87 |   runtime       = "python3.12"
		88 |   memory_size   = 4096
		89 |   timeout       = 900
		90 | 
		91 |   environment {
		92 |     variables = {
		93 |       Checksum = var.checksum_algorithm
		94 |     }
		95 |   }
		96 | 
		97 |   tags = local.tags
		98 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:82-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		82 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		83 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		84 |   function_name = "calculate-checksum-lambda"
		85 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		86 |   handler       = "calculate_checksum_lambda.handler"
		87 |   runtime       = "python3.12"
		88 |   memory_size   = 4096
		89 |   timeout       = 900
		90 | 
		91 |   environment {
		92 |     variables = {
		93 |       Checksum = var.checksum_algorithm
		94 |     }
		95 |   }
		96 | 
		97 |   tags = local.tags
		98 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:157-168
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		157 | resource "aws_lambda_function" "summarise_zip_lambda" {
		158 |   filename         = "lambdas/summarise_zip_lambda.zip"
		159 |   function_name    = "summarise-zip-lambda"
		160 |   role             = aws_iam_role.summarise_zip_lambda.arn
		161 |   handler          = "summarise_zip_lambda.handler"
		162 |   runtime          = "python3.12"
		163 |   timeout          = 900
		164 |   memory_size      = 1024
		165 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		166 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		167 |   tags             = local.tags
		168 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:157-168
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		157 | resource "aws_lambda_function" "summarise_zip_lambda" {
		158 |   filename         = "lambdas/summarise_zip_lambda.zip"
		159 |   function_name    = "summarise-zip-lambda"
		160 |   role             = aws_iam_role.summarise_zip_lambda.arn
		161 |   handler          = "summarise_zip_lambda.handler"
		162 |   runtime          = "python3.12"
		163 |   timeout          = 900
		164 |   memory_size      = 1024
		165 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		166 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		167 |   tags             = local.tags
		168 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:157-168
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		157 | resource "aws_lambda_function" "summarise_zip_lambda" {
		158 |   filename         = "lambdas/summarise_zip_lambda.zip"
		159 |   function_name    = "summarise-zip-lambda"
		160 |   role             = aws_iam_role.summarise_zip_lambda.arn
		161 |   handler          = "summarise_zip_lambda.handler"
		162 |   runtime          = "python3.12"
		163 |   timeout          = 900
		164 |   memory_size      = 1024
		165 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		166 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		167 |   tags             = local.tags
		168 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:157-168
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		157 | resource "aws_lambda_function" "summarise_zip_lambda" {
		158 |   filename         = "lambdas/summarise_zip_lambda.zip"
		159 |   function_name    = "summarise-zip-lambda"
		160 |   role             = aws_iam_role.summarise_zip_lambda.arn
		161 |   handler          = "summarise_zip_lambda.handler"
		162 |   runtime          = "python3.12"
		163 |   timeout          = 900
		164 |   memory_size      = 1024
		165 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		166 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		167 |   tags             = local.tags
		168 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:157-168
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		157 | resource "aws_lambda_function" "summarise_zip_lambda" {
		158 |   filename         = "lambdas/summarise_zip_lambda.zip"
		159 |   function_name    = "summarise-zip-lambda"
		160 |   role             = aws_iam_role.summarise_zip_lambda.arn
		161 |   handler          = "summarise_zip_lambda.handler"
		162 |   runtime          = "python3.12"
		163 |   timeout          = 900
		164 |   memory_size      = 1024
		165 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		166 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		167 |   tags             = local.tags
		168 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_rds_to_s3_parquet_v1
	File: /dms_data_validation_glue_job_v2.tf:10-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		10 | resource "aws_cloudwatch_log_group" "dms_dv_rds_to_s3_parquet_v1" {
		11 |   name              = "dms-dv-rds-to-s3-parquet-v1"
		12 |   retention_in_days = 14
		13 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_rds_to_s3_parquet_v1
	File: /dms_data_validation_glue_job_v2.tf:10-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		10 | resource "aws_cloudwatch_log_group" "dms_dv_rds_to_s3_parquet_v1" {
		11 |   name              = "dms-dv-rds-to-s3-parquet-v1"
		12 |   retention_in_days = 14
		13 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.dms_dv_rds_to_s3_parquet_v1
	File: /dms_data_validation_glue_job_v2.tf:22-77
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_rds_to_s3_parquet_v2
	File: /dms_data_validation_glue_job_v2.tf:87-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		87 | resource "aws_cloudwatch_log_group" "dms_dv_rds_to_s3_parquet_v2" {
		88 |   name              = "dms-dv-rds-to-s3-parquet-v2"
		89 |   retention_in_days = 14
		90 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_rds_to_s3_parquet_v2
	File: /dms_data_validation_glue_job_v2.tf:87-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		87 | resource "aws_cloudwatch_log_group" "dms_dv_rds_to_s3_parquet_v2" {
		88 |   name              = "dms-dv-rds-to-s3-parquet-v2"
		89 |   retention_in_days = 14
		90 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.dms_dv_rds_to_s3_parquet_v2
	File: /dms_data_validation_glue_job_v2.tf:99-154
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.etl_rds_to_s3_parquet_partitionby_yyyy_mm
	File: /dms_data_validation_glue_job_v2.tf:157-160
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		157 | resource "aws_cloudwatch_log_group" "etl_rds_to_s3_parquet_partitionby_yyyy_mm" {
		158 |   name              = "etl-rds-to-s3-parquet-partitionby-yyyy-mm"
		159 |   retention_in_days = 14
		160 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.etl_rds_to_s3_parquet_partitionby_yyyy_mm
	File: /dms_data_validation_glue_job_v2.tf:157-160
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		157 | resource "aws_cloudwatch_log_group" "etl_rds_to_s3_parquet_partitionby_yyyy_mm" {
		158 |   name              = "etl-rds-to-s3-parquet-partitionby-yyyy-mm"
		159 |   retention_in_days = 14
		160 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.etl_rds_to_s3_parquet_partitionby_yyyy_mm
	File: /dms_data_validation_glue_job_v2.tf:169-223
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.etl_dv_rds_to_s3_parquet_partitionby_yyyy_mm
	File: /dms_data_validation_glue_job_v2.tf:226-229
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		226 | resource "aws_cloudwatch_log_group" "etl_dv_rds_to_s3_parquet_partitionby_yyyy_mm" {
		227 |   name              = "etl-dv-rds-to-s3-parquet-partitionby-yyyy-mm"
		228 |   retention_in_days = 14
		229 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.etl_dv_rds_to_s3_parquet_partitionby_yyyy_mm
	File: /dms_data_validation_glue_job_v2.tf:226-229
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		226 | resource "aws_cloudwatch_log_group" "etl_dv_rds_to_s3_parquet_partitionby_yyyy_mm" {
		227 |   name              = "etl-dv-rds-to-s3-parquet-partitionby-yyyy-mm"
		228 |   retention_in_days = 14
		229 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.etl_dv_rds_to_s3_parquet_partitionby_yyyy_mm
	File: /dms_data_validation_glue_job_v2.tf:238-304
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.parquet_resize_or_partitionby_yyyy_mm_dd
	File: /dms_data_validation_glue_job_v2.tf:307-310
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		307 | resource "aws_cloudwatch_log_group" "parquet_resize_or_partitionby_yyyy_mm_dd" {
		308 |   name              = "parquet-resize-or-partitionby-yyyy-mm-dd"
		309 |   retention_in_days = 14
		310 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.parquet_resize_or_partitionby_yyyy_mm_dd
	File: /dms_data_validation_glue_job_v2.tf:307-310
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		307 | resource "aws_cloudwatch_log_group" "parquet_resize_or_partitionby_yyyy_mm_dd" {
		308 |   name              = "parquet-resize-or-partitionby-yyyy-mm-dd"
		309 |   retention_in_days = 14
		310 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.parquet_resize_or_partitionby_yyyy_mm_dd
	File: /dms_data_validation_glue_job_v2.tf:319-373
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.etl_table_rows_hashvalue_to_parquet
	File: /dms_data_validation_glue_job_v2.tf:376-379
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		376 | resource "aws_cloudwatch_log_group" "etl_table_rows_hashvalue_to_parquet" {
		377 |   name              = "etl-table-rows-hashvalue-to-parquet"
		378 |   retention_in_days = 14
		379 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.etl_table_rows_hashvalue_to_parquet
	File: /dms_data_validation_glue_job_v2.tf:376-379
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		376 | resource "aws_cloudwatch_log_group" "etl_table_rows_hashvalue_to_parquet" {
		377 |   name              = "etl-table-rows-hashvalue-to-parquet"
		378 |   retention_in_days = 14
		379 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.etl_table_rows_hashvalue_to_parquet
	File: /dms_data_validation_glue_job_v2.tf:388-438
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_on_rows_hashvalue
	File: /dms_data_validation_glue_job_v2.tf:442-445
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		442 | resource "aws_cloudwatch_log_group" "dms_dv_on_rows_hashvalue" {
		443 |   name              = "dms-dv-on-rows-hashvalue"
		444 |   retention_in_days = 14
		445 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_on_rows_hashvalue
	File: /dms_data_validation_glue_job_v2.tf:442-445
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		442 | resource "aws_cloudwatch_log_group" "dms_dv_on_rows_hashvalue" {
		443 |   name              = "dms-dv-on-rows-hashvalue"
		444 |   retention_in_days = 14
		445 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.dms_dv_on_rows_hashvalue
	File: /dms_data_validation_glue_job_v2.tf:454-505
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.etl_rds_tbl_hash_rows_to_s3_prq_partitionby_yyyy_mm
	File: /dms_data_validation_glue_job_v2.tf:509-512
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		509 | resource "aws_cloudwatch_log_group" "etl_rds_tbl_hash_rows_to_s3_prq_partitionby_yyyy_mm" {
		510 |   name              = "etl-rds-tbl-hash-rows-to-s3-prq-partitionby-yyyy-mm"
		511 |   retention_in_days = 14
		512 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.etl_rds_tbl_hash_rows_to_s3_prq_partitionby_yyyy_mm
	File: /dms_data_validation_glue_job_v2.tf:509-512
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		509 | resource "aws_cloudwatch_log_group" "etl_rds_tbl_hash_rows_to_s3_prq_partitionby_yyyy_mm" {
		510 |   name              = "etl-rds-tbl-hash-rows-to-s3-prq-partitionby-yyyy-mm"
		511 |   retention_in_days = 14
		512 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.etl_rds_tbl_hash_rows_to_s3_prq_partitionby_yyyy_mm
	File: /dms_data_validation_glue_job_v2.tf:521-576
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.etl_rds_sqlserver_query_to_s3_parquet
	File: /dms_data_validation_glue_job_v2.tf:578-581
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		578 | resource "aws_cloudwatch_log_group" "etl_rds_sqlserver_query_to_s3_parquet" {
		579 |   name              = "etl-rds-sqlserver-query-to-s3-parquet"
		580 |   retention_in_days = 14
		581 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.etl_rds_sqlserver_query_to_s3_parquet
	File: /dms_data_validation_glue_job_v2.tf:578-581
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		578 | resource "aws_cloudwatch_log_group" "etl_rds_sqlserver_query_to_s3_parquet" {
		579 |   name              = "etl-rds-sqlserver-query-to-s3-parquet"
		580 |   retention_in_days = 14
		581 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.etl_rds_sqlserver_query_to_s3_parquet
	File: /dms_data_validation_glue_job_v2.tf:590-644
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.create_or_refresh_dv_table
	File: /dms_data_validation_glue_job_v2.tf:662-665
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		662 | resource "aws_cloudwatch_log_group" "create_or_refresh_dv_table" {
		663 |   name              = "create-or-refresh-dv-table"
		664 |   retention_in_days = 14
		665 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.create_or_refresh_dv_table
	File: /dms_data_validation_glue_job_v2.tf:662-665
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		662 | resource "aws_cloudwatch_log_group" "create_or_refresh_dv_table" {
		663 |   name              = "create-or-refresh-dv-table"
		664 |   retention_in_days = 14
		665 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.create_or_refresh_dv_table
	File: /dms_data_validation_glue_job_v2.tf:675-705
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		675 | resource "aws_glue_job" "create_or_refresh_dv_table" {
		676 |   count = local.gluejob_count
		677 | 
		678 |   name              = "create-or-refresh-dv-table"
		679 |   description       = "Python script uses Boto3-Athena-Client to run sql-statements"
		680 |   role_arn          = aws_iam_role.dms_dv_glue_job_iam_role.arn
		681 |   glue_version      = "4.0"
		682 |   worker_type       = "G.1X"
		683 |   number_of_workers = 2
		684 |   default_arguments = {
		685 |     "--parquet_output_bucket_name"       = module.s3-dms-data-validation-bucket.bucket.id
		686 |     "--glue_catalog_db_name"             = aws_glue_catalog_database.dms_dv_glue_catalog_db.name
		687 |     "--glue_catalog_tbl_name"            = "glue_df_output"
		688 |     "--continuous-log-logGroup"          = aws_cloudwatch_log_group.create_or_refresh_dv_table.name
		689 |     "--enable-continuous-cloudwatch-log" = "true"
		690 |     "--enable-continuous-log-filter"     = "true"
		691 |     "--enable-metrics"                   = ""
		692 |   }
		693 |   command {
		694 |     python_version  = "3"
		695 |     script_location = "s3://${module.s3-glue-job-script-bucket.bucket.id}/create_or_refresh_dv_table.py"
		696 |   }
		697 | 
		698 |   tags = merge(
		699 |     local.tags,
		700 |     {
		701 |       Resource_Type = "Py script as glue-job that creates dv table / refreshes its partitions",
		702 |     }
		703 |   )
		704 | 
		705 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_crawler.rds_sqlserver_db_glue_crawler
	File: /dms_glue_crawler.tf:35-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		35 | resource "aws_glue_crawler" "rds_sqlserver_db_glue_crawler" {
		36 |   name          = "rds-sqlserver-${aws_db_instance.database_2022.identifier}-tf"
		37 |   role          = aws_iam_role.dms_dv_glue_job_iam_role.arn
		38 |   database_name = aws_glue_catalog_database.rds_sqlserver_glue_catalog_db.name
		39 |   description   = "Crawler to fetch database names"
		40 |   #   table_prefix  = "your_table_prefix"
		41 | 
		42 |   jdbc_target {
		43 |     connection_name = aws_glue_connection.glue_rds_sqlserver_db_connection.name
		44 |     path            = "%"
		45 |   }
		46 |   tags = merge(
		47 |     local.tags,
		48 |     {
		49 |       Resource_Type = "RDS-SQLServer Glue-Crawler for DMS",
		50 |     }
		51 |   )
		52 | 
		53 |   # provisioner "local-exec" {
		54 |   #   command = "aws glue start-crawler --name ${self.name}"
		55 |   # }
		56 | }

Check: CKV_AWS_212: "Ensure DMS replication instance is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_dms_replication_instance.dms_replication_instance
	File: /dms_replication_instance.tf:24-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-ebs-volume-is-encrypted-by-key-management-service-kms-using-a-customer-managed-key-cmk

		24 | resource "aws_dms_replication_instance" "dms_replication_instance" {
		25 |   allocated_storage          = var.dms_allocated_storage_gib
		26 |   apply_immediately          = true
		27 |   auto_minor_version_upgrade = true
		28 |   availability_zone          = var.dms_availability_zone
		29 |   engine_version             = var.dms_engine_version
		30 |   #   kms_key_arn                  = "arn:aws:kms:eu-west-2:800964199911:key/b7f54acb-16a3-4958-9340-3bdf5f5842d8"
		31 |   multi_az = false
		32 |   #   preferred_maintenance_window = "sun:10:30-sun:14:30"
		33 |   publicly_accessible         = false
		34 |   replication_instance_class  = var.dms_replication_instance_class
		35 |   replication_instance_id     = "dms-replication-instance-tf"
		36 |   replication_subnet_group_id = aws_dms_replication_subnet_group.dms_replication_subnet_group.id
		37 | 
		38 |   tags = merge(
		39 |     local.tags,
		40 |     {
		41 |       Resource_Type = "DMS Replication Instance",
		42 |     }
		43 |   )
		44 | 
		45 |   vpc_security_group_ids = [
		46 |     aws_security_group.dms_ri_security_group.id,
		47 |   ]
		48 | 
		49 |   depends_on = [
		50 |     aws_iam_role.dms_vpc_role,
		51 |     aws_iam_role.dms_cloudwatch_logs_role,
		52 |     aws_iam_role.dms_endpoint_role
		53 |   ]
		54 | 
		55 | }

Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:105-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80

		105 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		106 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		107 | 
		108 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		109 |   ip_protocol                  = "tcp"
		110 |   from_port                    = 0
		111 |   to_port                      = 65535
		112 |   description                  = "Required ports open for Glue-RDS-Connection"
		113 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:105-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		105 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		106 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		107 | 
		108 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		109 |   ip_protocol                  = "tcp"
		110 |   from_port                    = 0
		111 |   to_port                      = 65535
		112 |   description                  = "Required ports open for Glue-RDS-Connection"
		113 | }

Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:105-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-2

		105 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		106 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		107 | 
		108 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		109 |   ip_protocol                  = "tcp"
		110 |   from_port                    = 0
		111 |   to_port                      = 65535
		112 |   description                  = "Required ports open for Glue-RDS-Connection"
		113 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.glue_notebook_ec2_iam_policy_document
	File: /glue_data.tf:103-118
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		103 | data "aws_iam_policy_document" "glue_notebook_ec2_iam_policy_document" {
		104 |   statement {
		105 |     effect = "Allow"
		106 |     actions = [
		107 |       "ec2:CreateNetworkInterface",
		108 |       "ec2:DescribeNetworkInterfaces",
		109 |       "ec2:DeleteNetworkInterface",
		110 |       "ec2:DescribeVpcEndpoints",
		111 |       "ec2:DescribeSubnets",
		112 |       "ec2:DescribeVpcAttribute",
		113 |       "ec2:DescribeRouteTables",
		114 |       "ec2:DescribeSecurityGroups"
		115 |     ]
		116 |     resources = ["*"]
		117 |   }
		118 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.glue_notebook_ec2_iam_policy_document
	File: /glue_data.tf:103-118
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		103 | data "aws_iam_policy_document" "glue_notebook_ec2_iam_policy_document" {
		104 |   statement {
		105 |     effect = "Allow"
		106 |     actions = [
		107 |       "ec2:CreateNetworkInterface",
		108 |       "ec2:DescribeNetworkInterfaces",
		109 |       "ec2:DeleteNetworkInterface",
		110 |       "ec2:DescribeVpcEndpoints",
		111 |       "ec2:DescribeSubnets",
		112 |       "ec2:DescribeVpcAttribute",
		113 |       "ec2:DescribeRouteTables",
		114 |       "ec2:DescribeSecurityGroups"
		115 |     ]
		116 |     resources = ["*"]
		117 |   }
		118 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.load_json_table_s3_policy_document
	File: /lambdas_iam.tf:292-349
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.load_json_table_s3_policy_document
	File: /lambdas_iam.tf:292-349
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.db_glue_connection
	File: /lambdas_secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		1 | resource "aws_secretsmanager_secret" "db_glue_connection" {
		2 |   name = "db_glue_connection"
		3 | }

Check: CKV_AWS_296: "Ensure DMS endpoint uses Customer Managed Key (CMK)"
	FAILED for resource: module.dms_task.aws_dms_endpoint.dms_rds_source
	File: /modules/dms/endpoints_rds_s3.tf:2-23
	Calling File: /dms_main.tf:1-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-296

		2  | resource "aws_dms_endpoint" "dms_rds_source" {
		3  | 
		4  |   #   certificate_arn             = ""
		5  |   database_name = var.database_name
		6  |   endpoint_id   = "rds-mssql-${replace(var.database_name, "_", "-")}-tf"
		7  |   endpoint_type = "source"
		8  |   engine_name   = "sqlserver"
		9  |   #   extra_connection_attributes = ""
		10 |   #   kms_key_arn                 = aws_db_instance.database_2022.kms_key_id
		11 |   password    = var.rds_db_instance_pasword
		12 |   port        = var.rds_db_instance_port
		13 |   server_name = var.rds_db_server_name
		14 |   ssl_mode    = "require"
		15 |   username    = var.rds_db_username
		16 | 
		17 |   tags = merge(
		18 |     var.local_tags,
		19 |     {
		20 |       Resource_Type = "DMS Source Endpoint - RDS MSSQL",
		21 |     },
		22 |   )
		23 | }

Check: CKV_AWS_298: "Ensure DMS S3 uses Customer Managed Key (CMK)"
	FAILED for resource: module.dms_task.aws_dms_s3_endpoint.dms_s3_parquet_target
	File: /modules/dms/endpoints_rds_s3.tf:28-84
	Calling File: /dms_main.tf:1-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-298

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_284: "Ensure State Machine has X-Ray tracing enabled"
	FAILED for resource: module.athena_layer.aws_sfn_state_machine.this
	File: /modules/step_function/main.tf:4-14
	Calling File: /step_functions_main.tf:5-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-284

		4  | resource "aws_sfn_state_machine" "this" {
		5  |   name       = var.name
		6  |   role_arn   = aws_iam_role.step_function_role.arn
		7  |   definition = templatefile("step_function_definitions/${var.name}.json.tmpl", var.variable_dictionary)
		8  |   type       = var.type
		9  |   logging_configuration {
		10 |     log_destination        = "${aws_cloudwatch_log_group.this_log_group.arn}:*"
		11 |     include_execution_data = true
		12 |     level                  = "ALL"
		13 |   }
		14 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.athena_layer.aws_iam_policy_document.step_function_base_permissions
	File: /modules/step_function/main.tf:44-73
	Calling File: /step_functions_main.tf:5-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		44 | data "aws_iam_policy_document" "step_function_base_permissions" {
		45 |   statement {
		46 |     effect    = "Allow"
		47 |     actions   = ["sns:Publish", "sqs:SendMessage"]
		48 |     resources = ["*"]
		49 |   }
		50 |   statement {
		51 |     effect    = "Allow"
		52 |     actions   = ["kms:GenerateDataKey", "kms:Decrypt"]
		53 |     resources = [aws_kms_key.this_log_key.arn]
		54 |   }
		55 |   statement {
		56 |     effect = "Allow"
		57 |     actions = [
		58 |       "logs:CreateLogDelivery",
		59 |       "logs:CreateLogStream",
		60 |       "logs:GetLogDelivery",
		61 |       "logs:UpdateLogDelivery",
		62 |       "logs:DeleteLogDelivery",
		63 |       "logs:ListLogDeliveries",
		64 |       "logs:PutResourcePolicy",
		65 |       "logs:DescribeResourcePolicies",
		66 |       "logs:DescribeLogGroups",
		67 |       "logs:PutDestination",
		68 |       "logs:PutDestinationPolicy",
		69 |       "logs:PutLogEvents"
		70 |     ]
		71 |     resources = ["*"]
		72 |   }
		73 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.athena_layer.aws_iam_policy_document.step_function_base_permissions
	File: /modules/step_function/main.tf:44-73
	Calling File: /step_functions_main.tf:5-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		44 | data "aws_iam_policy_document" "step_function_base_permissions" {
		45 |   statement {
		46 |     effect    = "Allow"
		47 |     actions   = ["sns:Publish", "sqs:SendMessage"]
		48 |     resources = ["*"]
		49 |   }
		50 |   statement {
		51 |     effect    = "Allow"
		52 |     actions   = ["kms:GenerateDataKey", "kms:Decrypt"]
		53 |     resources = [aws_kms_key.this_log_key.arn]
		54 |   }
		55 |   statement {
		56 |     effect = "Allow"
		57 |     actions = [
		58 |       "logs:CreateLogDelivery",
		59 |       "logs:CreateLogStream",
		60 |       "logs:GetLogDelivery",
		61 |       "logs:UpdateLogDelivery",
		62 |       "logs:DeleteLogDelivery",
		63 |       "logs:ListLogDeliveries",
		64 |       "logs:PutResourcePolicy",
		65 |       "logs:DescribeResourcePolicies",
		66 |       "logs:DescribeLogGroups",
		67 |       "logs:PutDestination",
		68 |       "logs:PutDestinationPolicy",
		69 |       "logs:PutLogEvents"
		70 |     ]
		71 |     resources = ["*"]
		72 |   }
		73 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: module.athena_layer.aws_iam_policy_document.this_log_key_document
	File: /modules/step_function/main.tf:81-108
	Calling File: /step_functions_main.tf:5-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		81  | data "aws_iam_policy_document" "this_log_key_document" {
		82  |   statement {
		83  |     sid    = "EnableIAMUserPermissions"
		84  |     effect = "Allow"
		85  |     principals {
		86  |       type        = "AWS"
		87  |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		88  |     }
		89  |     actions   = ["kms:*"]
		90  |     resources = ["*"]
		91  |   }
		92  | 
		93  |   statement {
		94  |     sid    = "EnableLogServicePermissions"
		95  |     effect = "Allow"
		96  |     principals {
		97  |       type        = "Service"
		98  |       identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
		99  |     }
		100 |     actions = [
		101 |       "kms:Encrypt",
		102 |       "kms:Decrypt",
		103 |       "kms:GenerateDataKey",
		104 |       "kms:DescribeKey"
		105 |     ]
		106 |     resources = ["*"]
		107 |   }
		108 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.athena_layer.aws_iam_policy_document.this_log_key_document
	File: /modules/step_function/main.tf:81-108
	Calling File: /step_functions_main.tf:5-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		81  | data "aws_iam_policy_document" "this_log_key_document" {
		82  |   statement {
		83  |     sid    = "EnableIAMUserPermissions"
		84  |     effect = "Allow"
		85  |     principals {
		86  |       type        = "AWS"
		87  |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		88  |     }
		89  |     actions   = ["kms:*"]
		90  |     resources = ["*"]
		91  |   }
		92  | 
		93  |   statement {
		94  |     sid    = "EnableLogServicePermissions"
		95  |     effect = "Allow"
		96  |     principals {
		97  |       type        = "Service"
		98  |       identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
		99  |     }
		100 |     actions = [
		101 |       "kms:Encrypt",
		102 |       "kms:Decrypt",
		103 |       "kms:GenerateDataKey",
		104 |       "kms:DescribeKey"
		105 |     ]
		106 |     resources = ["*"]
		107 |   }
		108 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.athena_layer.aws_iam_policy_document.this_log_key_document
	File: /modules/step_function/main.tf:81-108
	Calling File: /step_functions_main.tf:5-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		81  | data "aws_iam_policy_document" "this_log_key_document" {
		82  |   statement {
		83  |     sid    = "EnableIAMUserPermissions"
		84  |     effect = "Allow"
		85  |     principals {
		86  |       type        = "AWS"
		87  |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		88  |     }
		89  |     actions   = ["kms:*"]
		90  |     resources = ["*"]
		91  |   }
		92  | 
		93  |   statement {
		94  |     sid    = "EnableLogServicePermissions"
		95  |     effect = "Allow"
		96  |     principals {
		97  |       type        = "Service"
		98  |       identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
		99  |     }
		100 |     actions = [
		101 |       "kms:Encrypt",
		102 |       "kms:Decrypt",
		103 |       "kms:GenerateDataKey",
		104 |       "kms:DescribeKey"
		105 |     ]
		106 |     resources = ["*"]
		107 |   }
		108 | }

Check: CKV_AWS_284: "Ensure State Machine has X-Ray tracing enabled"
	FAILED for resource: module.get_zipped_file_api.aws_sfn_state_machine.this
	File: /modules/step_function/main.tf:4-14
	Calling File: /step_functions_main.tf:19-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-284

		4  | resource "aws_sfn_state_machine" "this" {
		5  |   name       = var.name
		6  |   role_arn   = aws_iam_role.step_function_role.arn
		7  |   definition = templatefile("step_function_definitions/${var.name}.json.tmpl", var.variable_dictionary)
		8  |   type       = var.type
		9  |   logging_configuration {
		10 |     log_destination        = "${aws_cloudwatch_log_group.this_log_group.arn}:*"
		11 |     include_execution_data = true
		12 |     level                  = "ALL"
		13 |   }
		14 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.get_zipped_file_api.aws_iam_policy_document.step_function_base_permissions
	File: /modules/step_function/main.tf:44-73
	Calling File: /step_functions_main.tf:19-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		44 | data "aws_iam_policy_document" "step_function_base_permissions" {
		45 |   statement {
		46 |     effect    = "Allow"
		47 |     actions   = ["sns:Publish", "sqs:SendMessage"]
		48 |     resources = ["*"]
		49 |   }
		50 |   statement {
		51 |     effect    = "Allow"
		52 |     actions   = ["kms:GenerateDataKey", "kms:Decrypt"]
		53 |     resources = [aws_kms_key.this_log_key.arn]
		54 |   }
		55 |   statement {
		56 |     effect = "Allow"
		57 |     actions = [
		58 |       "logs:CreateLogDelivery",
		59 |       "logs:CreateLogStream",
		60 |       "logs:GetLogDelivery",
		61 |       "logs:UpdateLogDelivery",
		62 |       "logs:DeleteLogDelivery",
		63 |       "logs:ListLogDeliveries",
		64 |       "logs:PutResourcePolicy",
		65 |       "logs:DescribeResourcePolicies",
		66 |       "logs:DescribeLogGroups",
		67 |       "logs:PutDestination",
		68 |       "logs:PutDestinationPolicy",
		69 |       "logs:PutLogEvents"
		70 |     ]
		71 |     resources = ["*"]
		72 |   }
		73 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.get_zipped_file_api.aws_iam_policy_document.step_function_base_permissions
	File: /modules/step_function/main.tf:44-73
	Calling File: /step_functions_main.tf:19-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		44 | data "aws_iam_policy_document" "step_function_base_permissions" {
		45 |   statement {
		46 |     effect    = "Allow"
		47 |     actions   = ["sns:Publish", "sqs:SendMessage"]
		48 |     resources = ["*"]
		49 |   }
		50 |   statement {
		51 |     effect    = "Allow"
		52 |     actions   = ["kms:GenerateDataKey", "kms:Decrypt"]
		53 |     resources = [aws_kms_key.this_log_key.arn]
		54 |   }
		55 |   statement {
		56 |     effect = "Allow"
		57 |     actions = [
		58 |       "logs:CreateLogDelivery",
		59 |       "logs:CreateLogStream",
		60 |       "logs:GetLogDelivery",
		61 |       "logs:UpdateLogDelivery",
		62 |       "logs:DeleteLogDelivery",
		63 |       "logs:ListLogDeliveries",
		64 |       "logs:PutResourcePolicy",
		65 |       "logs:DescribeResourcePolicies",
		66 |       "logs:DescribeLogGroups",
		67 |       "logs:PutDestination",
		68 |       "logs:PutDestinationPolicy",
		69 |       "logs:PutLogEvents"
		70 |     ]
		71 |     resources = ["*"]
		72 |   }
		73 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: module.get_zipped_file_api.aws_iam_policy_document.this_log_key_document
	File: /modules/step_function/main.tf:81-108
	Calling File: /step_functions_main.tf:19-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		81  | data "aws_iam_policy_document" "this_log_key_document" {
		82  |   statement {
		83  |     sid    = "EnableIAMUserPermissions"
		84  |     effect = "Allow"
		85  |     principals {
		86  |       type        = "AWS"
		87  |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		88  |     }
		89  |     actions   = ["kms:*"]
		90  |     resources = ["*"]
		91  |   }
		92  | 
		93  |   statement {
		94  |     sid    = "EnableLogServicePermissions"
		95  |     effect = "Allow"
		96  |     principals {
		97  |       type        = "Service"
		98  |       identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
		99  |     }
		100 |     actions = [
		101 |       "kms:Encrypt",
		102 |       "kms:Decrypt",
		103 |       "kms:GenerateDataKey",
		104 |       "kms:DescribeKey"
		105 |     ]
		106 |     resources = ["*"]
		107 |   }
		108 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.get_zipped_file_api.aws_iam_policy_document.this_log_key_document
	File: /modules/step_function/main.tf:81-108
	Calling File: /step_functions_main.tf:19-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		81  | data "aws_iam_policy_document" "this_log_key_document" {
		82  |   statement {
		83  |     sid    = "EnableIAMUserPermissions"
		84  |     effect = "Allow"
		85  |     principals {
		86  |       type        = "AWS"
		87  |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		88  |     }
		89  |     actions   = ["kms:*"]
		90  |     resources = ["*"]
		91  |   }
		92  | 
		93  |   statement {
		94  |     sid    = "EnableLogServicePermissions"
		95  |     effect = "Allow"
		96  |     principals {
		97  |       type        = "Service"
		98  |       identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
		99  |     }
		100 |     actions = [
		101 |       "kms:Encrypt",
		102 |       "kms:Decrypt",
		103 |       "kms:GenerateDataKey",
		104 |       "kms:DescribeKey"
		105 |     ]
		106 |     resources = ["*"]
		107 |   }
		108 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.get_zipped_file_api.aws_iam_policy_document.this_log_key_document
	File: /modules/step_function/main.tf:81-108
	Calling File: /step_functions_main.tf:19-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		81  | data "aws_iam_policy_document" "this_log_key_document" {
		82  |   statement {
		83  |     sid    = "EnableIAMUserPermissions"
		84  |     effect = "Allow"
		85  |     principals {
		86  |       type        = "AWS"
		87  |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		88  |     }
		89  |     actions   = ["kms:*"]
		90  |     resources = ["*"]
		91  |   }
		92  | 
		93  |   statement {
		94  |     sid    = "EnableLogServicePermissions"
		95  |     effect = "Allow"
		96  |     principals {
		97  |       type        = "Service"
		98  |       identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
		99  |     }
		100 |     actions = [
		101 |       "kms:Encrypt",
		102 |       "kms:Decrypt",
		103 |       "kms:GenerateDataKey",
		104 |       "kms:DescribeKey"
		105 |     ]
		106 |     resources = ["*"]
		107 |   }
		108 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /server_backups.tf:4-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		4 | resource "aws_secretsmanager_secret" "db_password" {
		5 |   name = "db_password"
		6 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_glue_connection
	File: /lambdas_secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		1 | resource "aws_secretsmanager_secret" "db_glue_connection" {
		2 |   name = "db_glue_connection"
		3 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /server_backups.tf:4-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		4 | resource "aws_secretsmanager_secret" "db_password" {
		5 |   name = "db_password"
		6 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.glue_rds_conn_security_group
	File: /dms_security_groups.tf:81-92
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		81 | resource "aws_security_group" "glue_rds_conn_security_group" {
		82 |   name        = "glue-rds-sqlserver-connection-tf"
		83 |   description = "Secuity Group for Glue-RDS-Connection"
		84 |   vpc_id      = data.aws_vpc.shared.id
		85 | 
		86 |   tags = merge(
		87 |     local.tags,
		88 |     {
		89 |       Resource_Type = "Secuity Group for Glue-RDS-Connection",
		90 |     }
		91 |   )
		92 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.buddi.module.landing_zone_security_groups.aws_security_group.this
	File: /modules/landing_zone/server_security_group/main.tf:7-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		7  | resource "aws_security_group" "this" {
		8  |   name        = "${var.supplier}-${var.user_name}-inbound-ips"
		9  |   description = "Allowed IP addresses for ${var.user_name} on ${var.supplier} server"
		10 |   vpc_id      = var.vpc_id
		11 | 
		12 |   lifecycle {
		13 |     create_before_destroy = true
		14 |   }
		15 | 
		16 |   tags = merge(
		17 |     var.local_tags,
		18 |     {
		19 |       supplier = var.user_name,
		20 |     },
		21 |   )
		22 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.capita.module.landing_zone_security_groups.aws_security_group.this
	File: /modules/landing_zone/server_security_group/main.tf:7-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		7  | resource "aws_security_group" "this" {
		8  |   name        = "${var.supplier}-${var.user_name}-inbound-ips"
		9  |   description = "Allowed IP addresses for ${var.user_name} on ${var.supplier} server"
		10 |   vpc_id      = var.vpc_id
		11 | 
		12 |   lifecycle {
		13 |     create_before_destroy = true
		14 |   }
		15 | 
		16 |   tags = merge(
		17 |     var.local_tags,
		18 |     {
		19 |       supplier = var.user_name,
		20 |     },
		21 |   )
		22 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.g4s.module.landing_zone_security_groups.aws_security_group.this
	File: /modules/landing_zone/server_security_group/main.tf:7-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		7  | resource "aws_security_group" "this" {
		8  |   name        = "${var.supplier}-${var.user_name}-inbound-ips"
		9  |   description = "Allowed IP addresses for ${var.user_name} on ${var.supplier} server"
		10 |   vpc_id      = var.vpc_id
		11 | 
		12 |   lifecycle {
		13 |     create_before_destroy = true
		14 |   }
		15 | 
		16 |   tags = merge(
		17 |     var.local_tags,
		18 |     {
		19 |       supplier = var.user_name,
		20 |     },
		21 |   )
		22 | }

dockerfile scan results:

Passed checks: 21, Failed checks: 2, Skipped checks: 0

Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
	FAILED for resource: /lambdas/update_log_table/Dockerfile.
	File: /lambdas/update_log_table/Dockerfile:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images

		1 | FROM public.ecr.aws/lambda/python:3.11
		2 | 
		3 | COPY requirements.txt .
		4 | 
		5 | RUN pip install -r requirements.txt --target "${LAMBDA_TASK_ROOT}"
		6 | 
		7 | COPY update_log_table.py ${LAMBDA_TASK_ROOT}
		8 | 
		9 | CMD ["update_log_table.handler"]
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
	FAILED for resource: /lambdas/update_log_table/Dockerfile.
	File: /lambdas/update_log_table/Dockerfile:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created

		1 | FROM public.ecr.aws/lambda/python:3.11
		2 | 
		3 | COPY requirements.txt .
		4 | 
		5 | RUN pip install -r requirements.txt --target "${LAMBDA_TASK_ROOT}"
		6 | 
		7 | COPY update_log_table.py ${LAMBDA_TASK_ROOT}
		8 | 
		9 | CMD ["update_log_table.handler"]

checkov_exitcode=1

*****************************

Running Checkov in terraform/environments/electronic-monitoring-data/modules/ap_airflow_iam_role
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
terraform scan results:

Passed checks: 17, Failed checks: 0, Skipped checks: 0


checkov_exitcode=1

*****************************

Running Checkov in terraform/environments/electronic-monitoring-data/modules/ap_airflow_load_data_iam_role
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
terraform scan results:

Passed checks: 26, Failed checks: 0, Skipped checks: 2


checkov_exitcode=1

CTFLint Scan Failed

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/electronic-monitoring-data
terraform/environments/electronic-monitoring-data/modules/ap_airflow_iam_role
terraform/environments/electronic-monitoring-data/modules/ap_airflow_load_data_iam_role

*****************************

Running tflint in terraform/environments/electronic-monitoring-data
Excluding the following checks: terraform_unused_declarations
3 issue(s) found:

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/data_store.tf line 151:
 151: data "archive_file" "summarise_zip_lambda" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: `s3_pylib_dir_path` variable has no type (terraform_typed_variables)

  on terraform/environments/electronic-monitoring-data/glue_variables.tf line 1:
   1: variable "s3_pylib_dir_path" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_typed_variables.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/server_backups.tf line 13:
  13: resource "random_password" "random_password" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2

*****************************

Running tflint in terraform/environments/electronic-monitoring-data/modules/ap_airflow_iam_role
Excluding the following checks: terraform_unused_declarations
2 issue(s) found:

Warning: terraform "required_version" attribute is required (terraform_required_version)

  on terraform/environments/electronic-monitoring-data/modules/ap_airflow_iam_role/main.tf line 1:

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_version.md

Warning: Missing version constraint for provider "aws" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/modules/ap_airflow_iam_role/main.tf line 52:
  52: resource "aws_iam_role_policy_attachment" "role_ap_airflow" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=4

*****************************

Running tflint in terraform/environments/electronic-monitoring-data/modules/ap_airflow_load_data_iam_role
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=4

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/electronic-monitoring-data
terraform/environments/electronic-monitoring-data/modules/ap_airflow_iam_role
terraform/environments/electronic-monitoring-data/modules/ap_airflow_load_data_iam_role

*****************************

Running Trivy in terraform/environments/electronic-monitoring-data
2024-12-03T14:52:26Z	INFO	[vulndb] Need to update DB
2024-12-03T14:52:26Z	INFO	[vulndb] Downloading vulnerability DB...
2024-12-03T14:52:26Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-03T14:52:29Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-03T14:52:29Z	INFO	[vuln] Vulnerability scanning is enabled
2024-12-03T14:52:29Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-12-03T14:52:29Z	INFO	[misconfig] Need to update the built-in checks
2024-12-03T14:52:29Z	INFO	[misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2024-12-03T14:52:29Z	INFO	[secret] Secret scanning is enabled
2024-12-03T14:52:29Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-03T14:52:29Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-03T14:52:30Z	WARN	[pip] Unable to find python `site-packages` directory. License detection is skipped.	err="site-packages directory not found"
2024-12-03T14:52:31Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-12-03T14:52:31Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-12-03T14:52:32Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.create_athena_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T14:52:32Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.create_athena_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T14:52:32Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.get_file_keys_for_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T14:52:32Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.get_file_keys_for_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T14:52:32Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.get_metadata_from_rds_lambda.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T14:52:32Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.get_metadata_from_rds_lambda.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T14:52:32Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.output_file_structure_as_json_from_zip.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T14:52:32Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.output_file_structure_as_json_from_zip.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T14:52:32Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.query_output_to_list.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T14:52:32Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.query_output_to_list.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T14:52:32Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.rds_bastion.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-12-03T14:52:32Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.rds_bastion.data.aws_subnet.local_account" value="cty.NilVal"
2024-12-03T14:52:32Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.rds_bastion.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T14:52:32Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.rds_bastion.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T14:52:33Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.output_file_structure_as_json_from_zip.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T14:52:33Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.output_file_structure_as_json_from_zip.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T14:52:33Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.create_athena_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T14:52:33Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.create_athena_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T14:52:33Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.get_file_keys_for_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T14:52:33Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.get_file_keys_for_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T14:52:34Z	INFO	[terraform scanner] Scanning root module	file_path="glue-job/Archived"
2024-12-03T14:52:39Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-enable-logging" range="s3.tf:1121-1140"
2024-12-03T14:52:39Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-enable-bucket-encryption" range="s3.tf:1121-1140"
2024-12-03T14:52:39Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-12-03T14:52:39Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-12-03T14:52:39Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-12-03T14:52:39Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-12-03T14:52:39Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-12-03T14:52:39Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-12-03T14:52:39Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-12-03T14:52:39Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-12-03T14:52:39Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-12-03T14:52:39Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-12-03T14:52:39Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-12-03T14:52:39Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=95ed3c3/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-12-03T14:52:39Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="s3.tf:1121-1140"
2024-12-03T14:52:39Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-enable-versioning" range="s3.tf:1121-1140"
2024-12-03T14:52:39Z	INFO	[terraform executor] Ignore finding	rule="aws-ssm-secret-use-customer-key" range="analytical_platform_share.tf:50-68"
2024-12-03T14:52:39Z	INFO	[terraform executor] Ignore finding	rule="aws-cloudwatch-log-group-customer-key" range="modules/api_step_function/main.tf:281-286"
2024-12-03T14:52:39Z	INFO	[terraform executor] Ignore finding	rule="aws-cloudwatch-log-group-customer-key" range="modules/api_step_function/main.tf:407-411"
2024-12-03T14:52:39Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-user-attached-policies" range="modules/landing_bucket_iam_user_access/main.tf:2-10"
2024-12-03T14:52:39Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-user-attached-policies" range="modules/landing_bucket_iam_user_access/main.tf:2-10"
2024-12-03T14:52:40Z	INFO	Number of language-specific files	num=1
2024-12-03T14:52:40Z	INFO	[pip] Detecting vulnerabilities...
2024-12-03T14:52:40Z	INFO	Detected config files	num=17

lambdas/update_log_table/Dockerfile (dockerfile)
================================================
Tests: 21 (SUCCESSES: 20, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-DS-0002 (HIGH): Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────


trivy_exitcode=1

*****************************

Running Trivy in terraform/environments/electronic-monitoring-data/modules/ap_airflow_iam_role
2024-12-03T14:52:40Z	INFO	[vuln] Vulnerability scanning is enabled
2024-12-03T14:52:40Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-12-03T14:52:40Z	INFO	[secret] Secret scanning is enabled
2024-12-03T14:52:40Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-03T14:52:40Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-03T14:52:41Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-12-03T14:52:41Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="environment, iam_policy_document, oidc_arn, role_description, role_name_suffix, secret_code"
2024-12-03T14:52:41Z	INFO	Number of language-specific files	num=0
2024-12-03T14:52:41Z	INFO	Detected config files	num=1
trivy_exitcode=1

*****************************

Running Trivy in terraform/environments/electronic-monitoring-data/modules/ap_airflow_load_data_iam_role
2024-12-03T14:52:41Z	INFO	[vuln] Vulnerability scanning is enabled
2024-12-03T14:52:41Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-12-03T14:52:41Z	INFO	[secret] Secret scanning is enabled
2024-12-03T14:52:41Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-03T14:52:41Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-03T14:52:42Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-12-03T14:52:42Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="athena_dump_bucket, cadt_bucket, database_name, environment, name, oidc_arn, secret_code, source_data_bucket"
2024-12-03T14:52:42Z	INFO	Number of language-specific files	num=0
2024-12-03T14:52:42Z	INFO	Detected config files	num=1
trivy_exitcode=1

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@zoltan-paldi zoltan-paldi zoltan-paldi approved these changes

Assignees
No one assigned
Labels
environments-repository Used to exclude PRs from this repo in our Slack PR update
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@gdinu-moj @zoltan-paldi