
add backup cron #9065

Open · ffteva-moj wants to merge 2 commits into main
Conversation

ffteva-moj (Contributor)

No description provided.

Signed-off-by: Fani Foteva <[email protected]>
ffteva-moj requested review from a team as code owners December 12, 2024 15:30
github-actions bot added the `environments-repository` label (Used to exclude PRs from this repo in our Slack PR update) Dec 12, 2024
Contributor

#### `Trivy Scan` Failed
<details><summary>Show Output</summary>

```hcl

Trivy will check the following folders:
terraform/environments/edw


Running Trivy in terraform/environments/edw
2024-12-12T15:33:01Z INFO [vulndb] Need to update DB
2024-12-12T15:33:01Z INFO [vulndb] Downloading vulnerability DB...
2024-12-12T15:33:01Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-12T15:33:04Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-12T15:33:04Z INFO [vuln] Vulnerability scanning is enabled
2024-12-12T15:33:04Z INFO [misconfig] Misconfiguration scanning is enabled
2024-12-12T15:33:04Z INFO [misconfig] Need to update the built-in checks
2024-12-12T15:33:04Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [---------------------------------------------------------] 100.00% ? p/s 0s
2024-12-12T15:33:04Z INFO [secret] Secret scanning is enabled
2024-12-12T15:33:04Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-12T15:33:04Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-12T15:33:05Z INFO [terraform scanner] Scanning root module file_path="."
2024-12-12T15:33:05Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-12-12T15:33:06Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-12-12T15:33:06Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-12-12T15:33:06Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T15:33:06Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T15:33:08Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-12-12T15:33:08Z INFO Number of language-specific files num=0
2024-12-12T15:33:08Z INFO Detected config files num=6

backup_lambda.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
backup_lambda.tf:101-107
────────────────────────────────────────
101 ┌ resource "aws_s3_bucket" "backup_lambda" {
102 │ bucket = "${local.application_name}-${local.environment}-backup-lambda"
103 │ tags = merge(
104 │ local.tags,
105 │ { Name = "${local.application_name}-${local.environment}-backup-lambda" }
106 │ )
107 └ }
────────────────────────────────────────

AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
backup_lambda.tf:101-107
────────────────────────────────────────
101 ┌ resource "aws_s3_bucket" "backup_lambda" {
102 │ bucket = "${local.application_name}-${local.environment}-backup-lambda"
103 │ tags = merge(
104 │ local.tags,
105 │ { Name = "${local.application_name}-${local.environment}-backup-lambda" }
106 │ )
107 └ }
────────────────────────────────────────

ec2.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ec2.tf:597
via ec2.tf:594-598 (metadata_options)
via ec2.tf:576-609 (aws_instance.edw_db_instance)
────────────────────────────────────────
576 resource "aws_instance" "edw_db_instance" {
...
597 [ http_tokens = "optional"
...
609 }
────────────────────────────────────────

AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
ec2.tf:576-609
────────────────────────────────────────
576 ┌ resource "aws_instance" "edw_db_instance" {
577 │ ami = local.application_data.accounts[local.environment].edw_ec2_ami_id
578 │ availability_zone = "eu-west-2a"
579 │ instance_type = local.application_data.accounts[local.environment].edw_ec2_instance_type
580 │ iam_instance_profile = aws_iam_instance_profile.edw_ec2_instance_profile.id
581 │ key_name = aws_key_pair.edw_ec2_key.key_name
582 │ subnet_id = data.aws_subnet.private_subnets_a.id
583 │ vpc_security_group_ids = [aws_security_group.edw_db_security_group.id]
584 └ user_data_base64 = base64encode(local.db_userdata)
...
────────────────────────────────────────

secret-rotate.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 0, CRITICAL: 1)

AVD-AWS-0067 (CRITICAL): Lambda permission lacks source ARN for *.amazonaws.com principal.
════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.
Without this, any resource from principal will be granted permission – even if that resource is from another account.
For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API

See https://avd.aquasec.com/misconfig/avd-aws-0067
────────────────────────────────────────
secret-rotate.tf:189-193
────────────────────────────────────────
189 ┌ resource "aws_lambda_permission" "rotate_secret_function_permission" {
190 │ action = "lambda:InvokeFunction"
191 │ function_name = aws_lambda_function.rotate_secret_function.function_name
192 │ principal = "secretsmanager.amazonaws.com"
193 └ }
────────────────────────────────────────

trivy_exitcode=1
```

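Hardened equivalents of the resources the scanners flag, added here as an example for this page; this is not code from the PR or from the modernisation-platform repositories. The KMS key `aws_kms_key.backup_lambda`, the secret `aws_secretsmanager_secret.edw_db`, the `data.aws_caller_identity.current` lookup and the Checkov-facing policy document are assumptions; the `local.*`, `data.*` and resource references are copied from the quoted blocks. The last section addresses the `aws_iam_policy.backup_lambda` wildcard findings that Checkov reports further down.

```hcl
# Added example, not code from the PR: hardened versions of the flagged resources.
# Anything marked "assumed" does not appear in the scan output.

# --- AVD-AWS-0088 / AVD-AWS-0132: encrypt the bucket with a customer managed key.
# With AWS provider >= 4, encryption is a separate resource attached to the bucket.
resource "aws_kms_key" "backup_lambda" { # assumed
  description         = "CMK for the backup-lambda bucket"
  enable_key_rotation = true
  tags                = local.tags
}

resource "aws_s3_bucket_server_side_encryption_configuration" "backup_lambda" {
  bucket = aws_s3_bucket.backup_lambda.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.backup_lambda.arn
    }
    bucket_key_enabled = true # fewer KMS calls, same CMK protection
  }
}

# --- AVD-AWS-0028 / AVD-AWS-0131: IMDSv2 only, encrypted root volume.
# http_tokens = "optional" leaves IMDSv1 reachable, so SSRF or code execution on
# the host can read the instance-profile credentials with one unauthenticated GET.
resource "aws_instance" "edw_db_instance" {
  ami                    = local.application_data.accounts[local.environment].edw_ec2_ami_id
  availability_zone      = "eu-west-2a"
  instance_type          = local.application_data.accounts[local.environment].edw_ec2_instance_type
  iam_instance_profile   = aws_iam_instance_profile.edw_ec2_instance_profile.id
  key_name               = aws_key_pair.edw_ec2_key.key_name
  subnet_id              = data.aws_subnet.private_subnets_a.id
  vpc_security_group_ids = [aws_security_group.edw_db_security_group.id]
  user_data_base64       = base64encode(local.db_userdata)

  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required" # was "optional"
    http_put_response_hop_limit = 1          # token cannot be relayed across a container/NAT hop
  }

  root_block_device {
    encrypted  = true
    kms_key_id = aws_kms_key.backup_lambda.arn # assumed; normally the account's EBS CMK
  }
}

# --- AVD-AWS-0067: without source_arn, any Secrets Manager secret in any account
# may invoke the rotation function (confused deputy). Pin it to the one secret.
resource "aws_lambda_permission" "rotate_secret_function_permission" {
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.rotate_secret_function.function_name
  principal     = "secretsmanager.amazonaws.com"
  source_arn    = aws_secretsmanager_secret.edw_db.arn # assumed name of the rotated secret
}

# --- CKV_AWS_287/288/289/290/355: replace "s3:*", "ssm:*", "ses:*", "logs:*",
# "cloudwatch:*" on Resource "*" with scoped statements. ec2:Describe* and the
# ENI calls a VPC-attached Lambda makes have no resource-level permissions, so
# "*" is unavoidable for those actions only.
data "aws_caller_identity" "current" {} # assumed; may already exist in the environment

data "aws_iam_policy_document" "backup_lambda" {
  statement {
    sid       = "VpcAttachAndDescribe"
    actions   = ["ec2:Describe*", "ec2:CreateNetworkInterface", "ec2:DeleteNetworkInterface"]
    resources = ["*"]
  }
  statement {
    sid     = "SnapshotsInThisAccount"
    actions = ["ec2:CreateSnapshot", "ec2:DeleteSnapshot", "ec2:CreateTags"]
    resources = [
      "arn:aws:ec2:eu-west-2:${data.aws_caller_identity.current.account_id}:volume/*",
      "arn:aws:ec2:eu-west-2::snapshot/*",
    ]
  }
  statement {
    sid       = "BackupBucketOnly"
    actions   = ["s3:GetObject", "s3:PutObject", "s3:ListBucket"]
    resources = [aws_s3_bucket.backup_lambda.arn, "${aws_s3_bucket.backup_lambda.arn}/*"]
  }
  statement {
    sid       = "SshKeyParameterOnly" # a CMK-encrypted SecureString also needs kms:Decrypt on that key
    actions   = ["ssm:GetParameter"]
    resources = [aws_ssm_parameter.ssh_key.arn]
  }
  statement {
    sid       = "OwnLogGroups"
    actions   = ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]
    resources = ["arn:aws:logs:eu-west-2:${data.aws_caller_identity.current.account_id}:log-group:/aws/lambda/*"]
  }
  # sts:AssumeRole, ses:*, cloudwatch:* and lambda:InvokeFunction are left out:
  # add each only if the function code really uses it, scoped to that ARN.
  # Then set policy = data.aws_iam_policy_document.backup_lambda.json on aws_iam_policy.backup_lambda.
}
```

Re-running `trivy config terraform/environments/edw` and `checkov -d terraform/environments/edw` after the change confirms the five Trivy findings and the IAM wildcard findings clear; the egress `0.0.0.0/0` security group and the Lambda DLQ/concurrency/X-Ray checks are separate decisions not covered above.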
</details>

#### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/edw

*****************************

Running Checkov in terraform/environments/edw
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-12-12 15:33:11,565 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2024-12-12 15:33:11,566 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 183, Failed checks: 67, Skipped checks: 0

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ssh_key
	File: /backup_lambda.tf:7-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		7  | resource "aws_ssm_parameter" "ssh_key" {
		8  |   name        = "EC2_SSH_KEY" # This needs to match the name supplied to the dbconnect.js script
		9  |   description = "SSH Key used by Lambda function to access database instance for backup. Value is updated manually."
		10 |   type        = "SecureString"
		11 |   value       = "Placeholder"
		12 | 
		13 |   tags = merge(
		14 |     local.tags,
		15 |     { Name = "EC2_SSH_KEY" }
		16 |   )
		17 |   lifecycle {
		18 |     ignore_changes = [
		19 |       value,
		20 |     ]
		21 |   }
		22 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		(identical to the aws_iam_policy.backup_lambda block quoted under CKV_AWS_288 above)

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		(identical to the aws_iam_policy.backup_lambda block quoted under CKV_AWS_288 above)

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		(identical to the aws_iam_policy.backup_lambda block quoted under CKV_AWS_288 above)

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		(identical to the aws_iam_policy.backup_lambda block quoted under CKV_AWS_288 above)

Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
	FAILED for resource: aws_security_group.backup_lambda
	File: /backup_lambda.tf:184-201

		184 | resource "aws_security_group" "backup_lambda" {
		185 |   name        = "${local.application_name}-${local.environment}-backup-lambda-security-group"
		186 |   description = "Bakcup Lambda Security Group"
		187 |   vpc_id      = data.aws_vpc.shared.id
		188 | 
		189 |   egress {
		190 |     description = "outbound access"
		191 |     from_port   = 0
		192 |     to_port     = 0
		193 |     protocol    = "-1"
		194 |     cidr_blocks = ["0.0.0.0/0"]
		195 |   }
		196 | 
		197 |   tags = merge(
		198 |     local.tags,
		199 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-security-group" }
		200 |   )
		201 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		(identical to the aws_lambda_function.create_db_snapshots block quoted under CKV_AWS_173 above)

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		(identical to the aws_lambda_function.create_db_snapshots block quoted under CKV_AWS_173 above)

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		(identical to the aws_lambda_function.create_db_snapshots block quoted under CKV_AWS_173 above)

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		(identical to the aws_lambda_function.create_db_snapshots block quoted under CKV_AWS_173 above)

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /backup_lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /backup_lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		(identical to the aws_lambda_function.delete_db_snapshots block quoted under CKV_AWS_115 above)

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /backup_lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /backup_lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }
Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion.tf:5-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "bastion_linux" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0"
		7  | 
		8  |   providers = {
		9  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		11 |   }
		12 | 
		13 |   # s3 - used for logs and user ssh public keys
		14 |   bucket_name = "bastion-${local.application_name}"
		15 | 
		16 |   # public keys
		17 |   public_key_data = local.public_key_data.keys[local.environment]
		18 | 
		19 |   # logs
		20 |   log_auto_clean       = "Enabled"
		21 |   log_standard_ia_days = 30  # days before moving to IA storage
		22 |   log_glacier_days     = 60  # days before moving to Glacier
		23 |   log_expiry_days      = 180 # days before log expiration
		24 | 
		25 |   # bastion
		26 |   allow_ssh_commands = false
		27 |   app_name           = var.networking[0].application
		28 |   business_unit      = local.vpc_name
		29 |   subnet_set         = local.subnet_set
		30 |   environment        = local.environment
		31 |   region             = "eu-west-2"
		32 | 
		33 |   # Tags
		34 |   tags_common = local.tags
		35 |   tags_prefix = terraform.workspace
		36 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.EC2LogGoup
	File: /cw.tf:5-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		5 | resource "aws_cloudwatch_log_group" "EC2LogGoup" {
		6 |   name              = "${local.application_name}-EC2"
		7 |   retention_in_days = 180
		8 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.EC2LogGoup
	File: /cw.tf:5-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		5 | resource "aws_cloudwatch_log_group" "EC2LogGoup" {
		6 |   name              = "${local.application_name}-EC2"
		7 |   retention_in_days = 180
		8 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.EDWLogGroupCfnInit
	File: /cw.tf:12-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		12 | resource "aws_cloudwatch_log_group" "EDWLogGroupCfnInit" {
		13 |   name              = "${local.application_name}-CfnInit"
		14 |   retention_in_days = 180
		15 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.EDWLogGroupCfnInit
	File: /cw.tf:12-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		12 | resource "aws_cloudwatch_log_group" "EDWLogGroupCfnInit" {
		13 |   name              = "${local.application_name}-CfnInit"
		14 |   retention_in_days = 180
		15 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.EDWLogGroupOracleAlerts
	File: /cw.tf:17-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		17 | resource "aws_cloudwatch_log_group" "EDWLogGroupOracleAlerts" {
		18 |   name              = "${local.application_name}-OracleAlerts"
		19 |   retention_in_days = 180
		20 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.EDWLogGroupOracleAlerts
	File: /cw.tf:17-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		17 | resource "aws_cloudwatch_log_group" "EDWLogGroupOracleAlerts" {
		18 |   name              = "${local.application_name}-OracleAlerts"
		19 |   retention_in_days = 180
		20 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.EDWLogGroupRman
	File: /cw.tf:22-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		22 | resource "aws_cloudwatch_log_group" "EDWLogGroupRman" {
		23 |   name              = "${local.application_name}-RMan"
		24 |   retention_in_days = 180
		25 | 
		26 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.EDWLogGroupRman
	File: /cw.tf:22-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		22 | resource "aws_cloudwatch_log_group" "EDWLogGroupRman" {
		23 |   name              = "${local.application_name}-RMan"
		24 |   retention_in_days = 180
		25 | 
		26 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.EDWLogGroupRmanArch
	File: /cw.tf:28-31
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		28 | resource "aws_cloudwatch_log_group" "EDWLogGroupRmanArch" {
		29 |   name              = "${local.application_name}-RManArch"
		30 |   retention_in_days = 180
		31 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.EDWLogGroupRmanArch
	File: /cw.tf:28-31
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		28 | resource "aws_cloudwatch_log_group" "EDWLogGroupRmanArch" {
		29 |   name              = "${local.application_name}-RManArch"
		30 |   retention_in_days = 180
		31 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.EDWLogGroupTBSFreespace
	File: /cw.tf:33-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		33 | resource "aws_cloudwatch_log_group" "EDWLogGroupTBSFreespace" {
		34 |   name              = "${local.application_name}-TBSFreespace"
		35 |   retention_in_days = 180
		36 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.EDWLogGroupTBSFreespace
	File: /cw.tf:33-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		33 | resource "aws_cloudwatch_log_group" "EDWLogGroupTBSFreespace" {
		34 |   name              = "${local.application_name}-TBSFreespace"
		35 |   retention_in_days = 180
		36 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.EDWLogGroupPMONstatus
	File: /cw.tf:38-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		38 | resource "aws_cloudwatch_log_group" "EDWLogGroupPMONstatus" {
		39 |   name              = "${local.application_name}-PMONstatus"
		40 |   retention_in_days = 180
		41 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.EDWLogGroupPMONstatus
	File: /cw.tf:38-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		38 | resource "aws_cloudwatch_log_group" "EDWLogGroupPMONstatus" {
		39 |   name              = "${local.application_name}-PMONstatus"
		40 |   retention_in_days = 180
		41 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.EDWLogGroupCDCstatus
	File: /cw.tf:43-46
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		43 | resource "aws_cloudwatch_log_group" "EDWLogGroupCDCstatus" {
		44 |   name              = "${local.application_name}-CDCstatus"
		45 |   retention_in_days = 180
		46 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.EDWLogGroupCDCstatus
	File: /cw.tf:43-46
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		43 | resource "aws_cloudwatch_log_group" "EDWLogGroupCDCstatus" {
		44 |   name              = "${local.application_name}-CDCstatus"
		45 |   retention_in_days = 180
		46 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.edw_alerting_topic
	File: /cw.tf:544-552
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		544 | resource "aws_sns_topic" "edw_alerting_topic" {
		545 |   name = "${local.application_name}-SNS-topic"
		546 |   tags = merge(
		547 |     local.tags,
		548 |     {
		549 |       Name = "${local.application_name}-edw-alerting-topic"
		550 |     }
		551 |   )
		552 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: edw_pagerduty_core_alerts
	File: /cw.tf:574-581
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		574 | module "edw_pagerduty_core_alerts" {
		575 |   depends_on = [
		576 |     aws_sns_topic.edw_alerting_topic
		577 |   ]
		578 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		579 |   sns_topics                = [aws_sns_topic.edw_alerting_topic.name]
		580 |   pagerduty_integration_key = local.edw_pagerduty_integration_keys[local.edw_pagerduty_integration_key_name]
		581 | }
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.edw_ec2_role_policy
	File: /ec2.tf:491-554
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.edw_ec2_role_policy
	File: /ec2.tf:491-554
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.edw_db_instance
	File: /ec2.tf:576-609
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		576 | resource "aws_instance" "edw_db_instance" {
		577 |   ami                         = local.application_data.accounts[local.environment].edw_ec2_ami_id
		578 |   availability_zone           = "eu-west-2a"
		579 |   instance_type               = local.application_data.accounts[local.environment].edw_ec2_instance_type
		580 |   iam_instance_profile        = aws_iam_instance_profile.edw_ec2_instance_profile.id
		581 |   key_name                    = aws_key_pair.edw_ec2_key.key_name
		582 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		583 |   vpc_security_group_ids      = [aws_security_group.edw_db_security_group.id]
		584 |   user_data_base64            = base64encode(local.db_userdata)
		585 |   user_data_replace_on_change = true
		586 | 
		587 |   root_block_device {
		588 |     tags = merge(
		589 |       local.tags,
		590 |       { "Name" = "${local.application_name}-root-volume" }
		591 |     )
		592 |   }
		593 | 
		594 |   metadata_options {
		595 |     http_endpoint               = "enabled"
		596 |     http_put_response_hop_limit = 2
		597 |     http_tokens                 = "optional"
		598 |   }
		599 | 
		600 |   lifecycle {
		601 |     create_before_destroy = true
		602 |   }
		603 | 
		604 |   tags = merge(
		605 |     local.tags,
		606 |     { "Name" = local.application_data.accounts[local.environment].database_ec2_name },
		607 |     { "instance-scheduling" = "skip-scheduling" }
		608 |   )
		609 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.edw_db_instance
	File: /ec2.tf:576-609
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		576 | resource "aws_instance" "edw_db_instance" {
		577 |   ami                         = local.application_data.accounts[local.environment].edw_ec2_ami_id
		578 |   availability_zone           = "eu-west-2a"
		579 |   instance_type               = local.application_data.accounts[local.environment].edw_ec2_instance_type
		580 |   iam_instance_profile        = aws_iam_instance_profile.edw_ec2_instance_profile.id
		581 |   key_name                    = aws_key_pair.edw_ec2_key.key_name
		582 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		583 |   vpc_security_group_ids      = [aws_security_group.edw_db_security_group.id]
		584 |   user_data_base64            = base64encode(local.db_userdata)
		585 |   user_data_replace_on_change = true
		586 | 
		587 |   root_block_device {
		588 |     tags = merge(
		589 |       local.tags,
		590 |       { "Name" = "${local.application_name}-root-volume" }
		591 |     )
		592 |   }
		593 | 
		594 |   metadata_options {
		595 |     http_endpoint               = "enabled"
		596 |     http_put_response_hop_limit = 2
		597 |     http_tokens                 = "optional"
		598 |   }
		599 | 
		600 |   lifecycle {
		601 |     create_before_destroy = true
		602 |   }
		603 | 
		604 |   tags = merge(
		605 |     local.tags,
		606 |     { "Name" = local.application_data.accounts[local.environment].database_ec2_name },
		607 |     { "instance-scheduling" = "skip-scheduling" }
		608 |   )
		609 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_bastion_ssh
	File: /ec2.tf:745-752
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		745 | resource "aws_vpc_security_group_ingress_rule" "db_bastion_ssh" {
		746 |   security_group_id            = aws_security_group.edw_db_security_group.id
		747 |   description                  = "SSH from the Bastion"
		748 |   referenced_security_group_id = module.bastion_linux.bastion_security_group
		749 |   from_port                    = 22
		750 |   ip_protocol                  = "tcp"
		751 |   to_port                      = 22
		752 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_lambda
	File: /ec2.tf:754-761
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		754 | resource "aws_vpc_security_group_ingress_rule" "db_lambda" {
		755 |   security_group_id            = aws_security_group.edw_db_security_group.id
		756 |   description                  = "Allow Lambda SSH access for backup snapshots"
		757 |   referenced_security_group_id = aws_security_group.backup_lambda.id
		758 |   from_port                    = 22
		759 |   ip_protocol                  = "tcp"
		760 |   to_port                      = 22
		761 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.all_out
	File: /ec2.tf:790-794
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		790 | resource "aws_vpc_security_group_egress_rule" "all_out" {
		791 |   security_group_id = aws_security_group.edw_db_security_group.id
		792 |   cidr_ipv4         = "0.0.0.0/0"
		793 |   ip_protocol       = "-1"
		794 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.db-master-password2
	File: /secret-rotate.tf:13-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		13 | resource "aws_secretsmanager_secret" "db-master-password2" {
		14 |   name        = "${local.application_name}/app/db-master-password2"
		15 |   description = "EDW DB EC2 Root Password"
		16 | 
		17 |   tags = merge(
		18 |     local.tags,
		19 |     {
		20 |       Name = "${local.application_name}-db-master-password2-"
		21 |     }
		22 |   )
		23 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.edw_db_ec2_root_secret
	File: /secret-rotate.tf:43-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		43 | resource "aws_secretsmanager_secret" "edw_db_ec2_root_secret" {
		44 |   name        = "${local.application_name}/app/db-EC2-root-password-${random_string.edw-root-secret_id_suffix.result}"
		45 |   description = "EDW DB EC2 Root Password"
		46 | 
		47 |   tags = merge(
		48 |     local.tags,
		49 |     {
		50 |       Name = "${local.application_name}-ec2-system-root-password"
		51 |     }
		52 |   )
		53 | }

Check: CKV_AWS_304: "Ensure Secrets Manager secrets should be rotated within 90 days"
	FAILED for resource: aws_secretsmanager_secret_rotation.edw_db_root_rotate
	File: /secret-rotate.tf:60-68
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-304

		60 | resource "aws_secretsmanager_secret_rotation" "edw_db_root_rotate" {
		61 |   secret_id           = aws_secretsmanager_secret.edw_db_ec2_root_secret.id
		62 |   rotation_lambda_arn = aws_lambda_function.rotate_secret_function.arn
		63 |   rotate_immediately  = true
		64 | 
		65 |   rotation_rules {
		66 |     automatically_after_days = local.application_data.accounts[local.environment].secret_rotation_frequency_days
		67 |   }
		68 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.rotate_secret_function
	File: /secret-rotate.tf:85-108
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		85  | resource "aws_lambda_function" "rotate_secret_function" {
		86  |   function_name = local.application_data.accounts[local.environment].lambda_function_name
		87  |   description   = local.application_data.accounts[local.environment].lambda_function_description
		88  |   role          = aws_iam_role.edw_lambda_function_execution_role.arn
		89  |   handler       = local.application_data.accounts[local.environment].lambda_function_handler
		90  |   runtime       = local.application_data.accounts[local.environment].lambda_function_runtime
		91  |   timeout       = local.application_data.accounts[local.environment].lambda_function_timeout
		92  | 
		93  |   filename         = data.archive_file.lambda_inline_code.output_path
		94  |   source_code_hash = data.archive_file.lambda_inline_code.output_base64sha256 # hash ensures that changes to inline code are always picked up by a plan/apply
		95  | 
		96  |   environment {
		97  |     variables = {
		98  |       SECRETS_MANAGER_ENDPOINT = "https://secretsmanager.eu-west-2.amazonaws.com"
		99  |     }
		100 |   }
		101 | 
		102 |   tags = merge(
		103 |     local.tags,
		104 |     {
		105 |       Name = "${local.application_name}-edw-secret-rotate-function"
		106 |     }
		107 |   )
		108 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.rotate_secret_function
	File: /secret-rotate.tf:85-108
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		85  | resource "aws_lambda_function" "rotate_secret_function" {
		86  |   function_name = local.application_data.accounts[local.environment].lambda_function_name
		87  |   description   = local.application_data.accounts[local.environment].lambda_function_description
		88  |   role          = aws_iam_role.edw_lambda_function_execution_role.arn
		89  |   handler       = local.application_data.accounts[local.environment].lambda_function_handler
		90  |   runtime       = local.application_data.accounts[local.environment].lambda_function_runtime
		91  |   timeout       = local.application_data.accounts[local.environment].lambda_function_timeout
		92  | 
		93  |   filename         = data.archive_file.lambda_inline_code.output_path
		94  |   source_code_hash = data.archive_file.lambda_inline_code.output_base64sha256 # hash ensures that changes to inline code are always picked up by a plan/apply
		95  | 
		96  |   environment {
		97  |     variables = {
		98  |       SECRETS_MANAGER_ENDPOINT = "https://secretsmanager.eu-west-2.amazonaws.com"
		99  |     }
		100 |   }
		101 | 
		102 |   tags = merge(
		103 |     local.tags,
		104 |     {
		105 |       Name = "${local.application_name}-edw-secret-rotate-function"
		106 |     }
		107 |   )
		108 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.rotate_secret_function
	File: /secret-rotate.tf:85-108
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		85  | resource "aws_lambda_function" "rotate_secret_function" {
		86  |   function_name = local.application_data.accounts[local.environment].lambda_function_name
		87  |   description   = local.application_data.accounts[local.environment].lambda_function_description
		88  |   role          = aws_iam_role.edw_lambda_function_execution_role.arn
		89  |   handler       = local.application_data.accounts[local.environment].lambda_function_handler
		90  |   runtime       = local.application_data.accounts[local.environment].lambda_function_runtime
		91  |   timeout       = local.application_data.accounts[local.environment].lambda_function_timeout
		92  | 
		93  |   filename         = data.archive_file.lambda_inline_code.output_path
		94  |   source_code_hash = data.archive_file.lambda_inline_code.output_base64sha256 # hash ensures that changes to inline code are always picked up by a plan/apply
		95  | 
		96  |   environment {
		97  |     variables = {
		98  |       SECRETS_MANAGER_ENDPOINT = "https://secretsmanager.eu-west-2.amazonaws.com"
		99  |     }
		100 |   }
		101 | 
		102 |   tags = merge(
		103 |     local.tags,
		104 |     {
		105 |       Name = "${local.application_name}-edw-secret-rotate-function"
		106 |     }
		107 |   )
		108 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.rotate_secret_function
	File: /secret-rotate.tf:85-108
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		85  | resource "aws_lambda_function" "rotate_secret_function" {
		86  |   function_name = local.application_data.accounts[local.environment].lambda_function_name
		87  |   description   = local.application_data.accounts[local.environment].lambda_function_description
		88  |   role          = aws_iam_role.edw_lambda_function_execution_role.arn
		89  |   handler       = local.application_data.accounts[local.environment].lambda_function_handler
		90  |   runtime       = local.application_data.accounts[local.environment].lambda_function_runtime
		91  |   timeout       = local.application_data.accounts[local.environment].lambda_function_timeout
		92  | 
		93  |   filename         = data.archive_file.lambda_inline_code.output_path
		94  |   source_code_hash = data.archive_file.lambda_inline_code.output_base64sha256 # hash ensures that changes to inline code are always picked up by a plan/apply
		95  | 
		96  |   environment {
		97  |     variables = {
		98  |       SECRETS_MANAGER_ENDPOINT = "https://secretsmanager.eu-west-2.amazonaws.com"
		99  |     }
		100 |   }
		101 | 
		102 |   tags = merge(
		103 |     local.tags,
		104 |     {
		105 |       Name = "${local.application_name}-edw-secret-rotate-function"
		106 |     }
		107 |   )
		108 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.rotate_secret_function
	File: /secret-rotate.tf:85-108
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		85  | resource "aws_lambda_function" "rotate_secret_function" {
		86  |   function_name = local.application_data.accounts[local.environment].lambda_function_name
		87  |   description   = local.application_data.accounts[local.environment].lambda_function_description
		88  |   role          = aws_iam_role.edw_lambda_function_execution_role.arn
		89  |   handler       = local.application_data.accounts[local.environment].lambda_function_handler
		90  |   runtime       = local.application_data.accounts[local.environment].lambda_function_runtime
		91  |   timeout       = local.application_data.accounts[local.environment].lambda_function_timeout
		92  | 
		93  |   filename         = data.archive_file.lambda_inline_code.output_path
		94  |   source_code_hash = data.archive_file.lambda_inline_code.output_base64sha256 # hash ensures that changes to inline code are always picked up by a plan/apply
		95  | 
		96  |   environment {
		97  |     variables = {
		98  |       SECRETS_MANAGER_ENDPOINT = "https://secretsmanager.eu-west-2.amazonaws.com"
		99  |     }
		100 |   }
		101 | 
		102 |   tags = merge(
		103 |     local.tags,
		104 |     {
		105 |       Name = "${local.application_name}-edw-secret-rotate-function"
		106 |     }
		107 |   )
		108 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.rotate_secret_function
	File: /secret-rotate.tf:85-108
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		85  | resource "aws_lambda_function" "rotate_secret_function" {
		86  |   function_name = local.application_data.accounts[local.environment].lambda_function_name
		87  |   description   = local.application_data.accounts[local.environment].lambda_function_description
		88  |   role          = aws_iam_role.edw_lambda_function_execution_role.arn
		89  |   handler       = local.application_data.accounts[local.environment].lambda_function_handler
		90  |   runtime       = local.application_data.accounts[local.environment].lambda_function_runtime
		91  |   timeout       = local.application_data.accounts[local.environment].lambda_function_timeout
		92  | 
		93  |   filename         = data.archive_file.lambda_inline_code.output_path
		94  |   source_code_hash = data.archive_file.lambda_inline_code.output_base64sha256 # hash ensures that changes to inline code are always picked up by a plan/apply
		95  | 
		96  |   environment {
		97  |     variables = {
		98  |       SECRETS_MANAGER_ENDPOINT = "https://secretsmanager.eu-west-2.amazonaws.com"
		99  |     }
		100 |   }
		101 | 
		102 |   tags = merge(
		103 |     local.tags,
		104 |     {
		105 |       Name = "${local.application_name}-edw-secret-rotate-function"
		106 |     }
		107 |   )
		108 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.edw_lambda_function_execution_role_policy
	File: /secret-rotate.tf:127-181
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.edw_lambda_function_execution_role_policy
	File: /secret-rotate.tf:127-181
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.edw_lambda_function_execution_role_policy
	File: /secret-rotate.tf:127-181
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_364: "Ensure that AWS Lambda function permissions delegated to AWS services are limited by SourceArn or SourceAccount"
	FAILED for resource: aws_lambda_permission.rotate_secret_function_permission
	File: /secret-rotate.tf:189-193
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-364

		189 | resource "aws_lambda_permission" "rotate_secret_function_permission" {
		190 |   action        = "lambda:InvokeFunction"
		191 |   function_name = aws_lambda_function.rotate_secret_function.function_name
		192 |   principal     = "secretsmanager.amazonaws.com"
		193 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		101 | resource "aws_s3_bucket" "backup_lambda" {
		102 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		106 |   )
		107 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db-master-password2
	File: /secret-rotate.tf:13-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		13 | resource "aws_secretsmanager_secret" "db-master-password2" {
		14 |   name        = "${local.application_name}/app/db-master-password2"
		15 |   description = "EDW DB EC2 Root Password"
		16 | 
		17 |   tags = merge(
		18 |     local.tags,
		19 |     {
		20 |       Name = "${local.application_name}-db-master-password2-"
		21 |     }
		22 |   )
		23 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		101 | resource "aws_s3_bucket" "backup_lambda" {
		102 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		106 |   )
		107 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		101 | resource "aws_s3_bucket" "backup_lambda" {
		102 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		106 |   )
		107 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		101 | resource "aws_s3_bucket" "backup_lambda" {
		102 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		106 |   )
		107 | }

Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
	FAILED for resource: aws_s3_bucket_ownership_controls.backup_lambda
	File: /backup_lambda.tf:124-129
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-112

		124 | resource "aws_s3_bucket_ownership_controls" "backup_lambda" {
		125 |   bucket = aws_s3_bucket.backup_lambda.id
		126 |   rule {
		127 |     object_ownership = "ObjectWriter"
		128 |   }
		129 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		101 | resource "aws_s3_bucket" "backup_lambda" {
		102 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		106 |   )
		107 | }


checkov_exitcode=1

CTFLint Scan Failed

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/edw

*****************************

Running tflint in terraform/environments/edw
Excluding the following checks: terraform_unused_declarations
4 issue(s) found:

Warning: Missing version constraint for provider "time" in `required_providers` (terraform_required_providers)

  on terraform/environments/edw/backup_lambda.tf line 119:
 119: resource "time_sleep" "wait_for_provision_files" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/edw/secret-rotate.tf line 38:
  38: resource "random_string" "edw-initial_root_secret_value" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/edw/secret-rotate.tf line 75:
  75: data "archive_file" "lambda_inline_code" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/edw/secret-rotate.tf line 81:
  81:     content  = file("${local.application_data.accounts[local.environment].lambda_function_inline_code_filename}")

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

Trivy Scan Failed

Show Output
*****************************

Trivy will check the following folders:
terraform/environments/edw

*****************************

Running Trivy in terraform/environments/edw
2024-12-12T15:33:01Z	INFO	[vulndb] Need to update DB
2024-12-12T15:33:01Z	INFO	[vulndb] Downloading vulnerability DB...
2024-12-12T15:33:01Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-12T15:33:04Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-12T15:33:04Z	INFO	[vuln] Vulnerability scanning is enabled
2024-12-12T15:33:04Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-12-12T15:33:04Z	INFO	[misconfig] Need to update the built-in checks
2024-12-12T15:33:04Z	INFO	[misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [---------------------------------------------------------] 100.00% ? p/s 0s
2024-12-12T15:33:04Z	INFO	[secret] Secret scanning is enabled
2024-12-12T15:33:04Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-12T15:33:04Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-12T15:33:05Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-12-12T15:33:05Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-12-12T15:33:06Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-12-12T15:33:06Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-12-12T15:33:06Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T15:33:06Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T15:33:08Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-12-12T15:33:08Z	INFO	Number of language-specific files	num=0
2024-12-12T15:33:08Z	INFO	Detected config files	num=6

backup_lambda.tf (terraform)
============================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.


See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 backup_lambda.tf:101-107
────────────────────────────────────────
 101 ┌ resource "aws_s3_bucket" "backup_lambda" {
 102 │   bucket = "${local.application_name}-${local.environment}-backup-lambda"
 103 │   tags = merge(
 104 │     local.tags,
 105 │     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
 106 │   )
 107 └ }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 backup_lambda.tf:101-107
────────────────────────────────────────
 101 ┌ resource "aws_s3_bucket" "backup_lambda" {
 102 │   bucket = "${local.application_name}-${local.environment}-backup-lambda"
 103 │   tags = merge(
 104 │     local.tags,
 105 │     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
 106 │   )
 107 └ }
────────────────────────────────────────



ec2.tf (terraform)
==================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 ec2.tf:597
   via ec2.tf:594-598 (metadata_options)
    via ec2.tf:576-609 (aws_instance.edw_db_instance)
────────────────────────────────────────
 576   resource "aws_instance" "edw_db_instance" {
 ...   
 597 [     http_tokens                 = "optional"
 ...   
 609   }
────────────────────────────────────────


AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 ec2.tf:576-609
────────────────────────────────────────
 576 ┌ resource "aws_instance" "edw_db_instance" {
 577 │   ami                         = local.application_data.accounts[local.environment].edw_ec2_ami_id
 578 │   availability_zone           = "eu-west-2a"
 579 │   instance_type               = local.application_data.accounts[local.environment].edw_ec2_instance_type
 580 │   iam_instance_profile        = aws_iam_instance_profile.edw_ec2_instance_profile.id
 581 │   key_name                    = aws_key_pair.edw_ec2_key.key_name
 582 │   subnet_id                   = data.aws_subnet.private_subnets_a.id
 583 │   vpc_security_group_ids      = [aws_security_group.edw_db_security_group.id]
 584 └   user_data_base64            = base64encode(local.db_userdata)
 ...   
────────────────────────────────────────



secret-rotate.tf (terraform)
============================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 0, CRITICAL: 1)

AVD-AWS-0067 (CRITICAL): Lambda permission lacks source ARN for *.amazonaws.com principal.
════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.
Without this, any resource from principal will be granted permission – even if that resource is from another account.
For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API


See https://avd.aquasec.com/misconfig/avd-aws-0067
────────────────────────────────────────
 secret-rotate.tf:189-193
────────────────────────────────────────
 189 ┌ resource "aws_lambda_permission" "rotate_secret_function_permission" {
 190 │   action        = "lambda:InvokeFunction"
 191 │   function_name = aws_lambda_function.rotate_secret_function.function_name
 192 │   principal     = "secretsmanager.amazonaws.com"
 193 └ }
────────────────────────────────────────


trivy_exitcode=1

Signed-off-by: Fani Foteva <[email protected]>
@ffteva-moj ffteva-moj deployed to edw-development December 12, 2024 22:10 — with GitHub Actions Active

Trivy Scan Failed

Show Output

Trivy will check the following folders:
terraform/environments/edw


Running Trivy in terraform/environments/edw
2024-12-12T22:11:27Z INFO [vulndb] Need to update DB
2024-12-12T22:11:27Z INFO [vulndb] Downloading vulnerability DB...
2024-12-12T22:11:27Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-12T22:11:29Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-12T22:11:29Z INFO [vuln] Vulnerability scanning is enabled
2024-12-12T22:11:29Z INFO [misconfig] Misconfiguration scanning is enabled
2024-12-12T22:11:29Z INFO [misconfig] Need to update the built-in checks
2024-12-12T22:11:29Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [------------------------------------------------------] 100.00% ? p/s 100ms
2024-12-12T22:11:29Z INFO [secret] Secret scanning is enabled
2024-12-12T22:11:29Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-12T22:11:29Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-12T22:11:30Z INFO [terraform scanner] Scanning root module file_path="."
2024-12-12T22:11:30Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-12-12T22:11:31Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-12-12T22:11:31Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-12-12T22:11:31Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T22:11:31Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T22:11:32Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-12-12T22:11:32Z INFO Number of language-specific files num=0
2024-12-12T22:11:32Z INFO Detected config files num=6

backup_lambda.tf (terraform)
============================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
backup_lambda.tf:101-107
────────────────────────────────────────
 101 ┌ resource "aws_s3_bucket" "backup_lambda" {
 102 │   bucket = "${local.application_name}-${local.environment}-backup-lambda"
 103 │   tags = merge(
 104 │     local.tags,
 105 │     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
 106 │   )
 107 └ }
────────────────────────────────────────

AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
backup_lambda.tf:101-107
────────────────────────────────────────
 101 ┌ resource "aws_s3_bucket" "backup_lambda" {
 102 │   bucket = "${local.application_name}-${local.environment}-backup-lambda"
 103 │   tags = merge(
 104 │     local.tags,
 105 │     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
 106 │   )
 107 └ }
────────────────────────────────────────

ec2.tf (terraform)
==================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ec2.tf:598
via ec2.tf:595-599 (metadata_options)
via ec2.tf:577-610 (aws_instance.edw_db_instance)
────────────────────────────────────────
 577   resource "aws_instance" "edw_db_instance" {
 ...   
 598 [     http_tokens                 = "optional"
 ...   
 610   }
────────────────────────────────────────

AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
ec2.tf:577-610
────────────────────────────────────────
 577 ┌ resource "aws_instance" "edw_db_instance" {
 578 │   ami                         = local.application_data.accounts[local.environment].edw_ec2_ami_id
 579 │   availability_zone           = "eu-west-2a"
 580 │   instance_type               = local.application_data.accounts[local.environment].edw_ec2_instance_type
 581 │   iam_instance_profile        = aws_iam_instance_profile.edw_ec2_instance_profile.id
 582 │   key_name                    = aws_key_pair.edw_ec2_key.key_name
 583 │   subnet_id                   = data.aws_subnet.private_subnets_a.id
 584 │   vpc_security_group_ids      = [aws_security_group.edw_db_security_group.id]
 585 └   user_data_base64            = base64encode(local.db_userdata)
...
────────────────────────────────────────

secret-rotate.tf (terraform)
============================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 0, CRITICAL: 1)

AVD-AWS-0067 (CRITICAL): Lambda permission lacks source ARN for *.amazonaws.com principal.
════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.
Without this, any resource from principal will be granted permission – even if that resource is from another account.
For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API

See https://avd.aquasec.com/misconfig/avd-aws-0067
────────────────────────────────────────
secret-rotate.tf:189-193
────────────────────────────────────────
 189 ┌ resource "aws_lambda_permission" "rotate_secret_function_permission" {
 190 │   action        = "lambda:InvokeFunction"
 191 │   function_name = aws_lambda_function.rotate_secret_function.function_name
 192 │   principal     = "secretsmanager.amazonaws.com"
 193 └ }
────────────────────────────────────────

trivy_exitcode=1

Checkov Scan Failed

Show Output

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/edw

*****************************

Running Checkov in terraform/environments/edw
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-12-12 22:11:35,327 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2024-12-12 22:11:35,328 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 183, Failed checks: 67, Skipped checks: 0

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ssh_key
	File: /backup_lambda.tf:7-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		7  | resource "aws_ssm_parameter" "ssh_key" {
		8  |   name        = "EC2_SSH_KEY" # This needs to match the name supplied to the dbconnect.js script
		9  |   description = "SSH Key used by Lambda function to access database instance for backup. Value is updated manually."
		10 |   type        = "SecureString"
		11 |   value       = "Placeholder"
		12 | 
		13 |   tags = merge(
		14 |     local.tags,
		15 |     { Name = "EC2_SSH_KEY" }
		16 |   )
		17 |   lifecycle {
		18 |     ignore_changes = [
		19 |       value,
		20 |     ]
		21 |   }
		22 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }
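
# Added example (editor's note, not code from this PR): one way to clear
# CKV_AWS_337 above and the CKV_AWS_287/288/289/290/355 findings on
# aws_iam_policy.backup_lambda. The SSH key parameter moves to a customer-managed
# KMS key, and the single Resource "*" statement (s3:*, ssm:*, ses:*, logs:*,
# cloudwatch:*, sts:AssumeRole) becomes statements bound to what the backup
# functions touch. Kept from the PR: aws_ssm_parameter.ssh_key,
# aws_s3_bucket.backup_lambda, aws_iam_policy.backup_lambda, local.*.
# Hypothetical: aws_kms_key.backup_lambda, data.aws_caller_identity.current,
# data.aws_region.current, and a CreatedBy tag written by dbsnapshot.handler.
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}
locals {
  backup_fn_names = ["snapshotDBFunction", "deletesnapshotFunction", "connectDBFunction"]
  account_region  = "${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}"
  snapshot_arn    = "arn:aws:ec2:${data.aws_region.current.name}::snapshot/*" # snapshot ARNs carry no account id
}

# CKV_AWS_337: a CMK instead of the account-wide aws/ssm key, so reading the
# parameter also requires kms:Decrypt on this key (granted below).
resource "aws_kms_key" "backup_lambda" {
  description         = "${local.application_name}-${local.environment} backup Lambda secrets"
  enable_key_rotation = true
  tags                = local.tags
}

resource "aws_ssm_parameter" "ssh_key" {
  name        = "EC2_SSH_KEY" # must match the name used by dbconnect.js
  description = "SSH Key used by Lambda function to access database instance for backup. Value is updated manually."
  type        = "SecureString"
  key_id      = aws_kms_key.backup_lambda.arn
  value       = "Placeholder"
  tags        = merge(local.tags, { Name = "EC2_SSH_KEY" })
  lifecycle { ignore_changes = [value] }
}

data "aws_iam_policy_document" "backup_lambda" {
  # ENI management for a VPC-attached function plus ec2:Describe*, which has no
  # resource-level permissions: the one wildcard left, as in AWSLambdaVPCAccessExecutionRole.
  statement {
    sid = "VpcNetworkingAndDescribe"
    actions = [
      "ec2:CreateNetworkInterface", "ec2:DescribeNetworkInterfaces", "ec2:DeleteNetworkInterface",
      "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeVpcs", "ec2:DescribeInstances",
      "ec2:DescribeAddresses", "ec2:DescribeInstanceStatus", "ec2:DescribeVolumes", "ec2:DescribeSnapshots",
    ]
    resources = ["*"]
  }
  # Snapshots: only from this account's volumes, tags on those same resources,
  # and deletion only of snapshots carrying the function's own tag.
  statement {
    sid       = "CreateAndTagSnapshots"
    actions   = ["ec2:CreateSnapshot", "ec2:CreateTags"]
    resources = ["arn:aws:ec2:${local.account_region}:volume/*", local.snapshot_arn]
  }
  statement {
    sid       = "DeleteOwnSnapshots"
    actions   = ["ec2:DeleteSnapshot"]
    resources = [local.snapshot_arn]
    condition {
      test     = "StringEquals"
      variable = "aws:ResourceTag/CreatedBy"
      values   = ["${local.application_name}-${local.environment}-backup-lambda"]
    }
  }
  # SSH key: this one parameter, decrypted only through SSM with this CMK.
  statement {
    sid       = "ReadSshKey"
    actions   = ["ssm:GetParameter"]
    resources = [aws_ssm_parameter.ssh_key.arn]
  }
  statement {
    sid       = "DecryptSshKey"
    actions   = ["kms:Decrypt"]
    resources = [aws_kms_key.backup_lambda.arn]
    condition {
      test     = "StringEquals"
      variable = "kms:ViaService"
      values   = ["ssm.${data.aws_region.current.name}.amazonaws.com"]
    }
  }
  # Backup artefacts: objects in the one bucket; no delete, no bucket configuration.
  statement {
    sid       = "BackupBucketObjects"
    actions   = ["s3:GetObject", "s3:PutObject", "s3:ListBucket"]
    resources = [aws_s3_bucket.backup_lambda.arn, "${aws_s3_bucket.backup_lambda.arn}/*"]
  }
  # Logs limited to the three functions named in the PR. lambda:InvokeFunction,
  # ses:*, cloudwatch:* and sts:AssumeRole are dropped; re-add only the exact
  # calls the scripts make (for example ses:SendEmail on a single identity ARN,
  # or lambda:InvokeFunction on the one function ARN another function calls).
  statement {
    sid       = "FunctionLogs"
    actions   = ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]
    resources = [for fn in local.backup_fn_names : "arn:aws:logs:${local.account_region}:log-group:/aws/lambda/${fn}:*"]
  }
}

resource "aws_iam_policy" "backup_lambda" {
  name   = "${local.application_name}-${local.environment}-backup-lambda-policy"
  policy = data.aws_iam_policy_document.backup_lambda.json
  tags   = merge(local.tags, { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" })
}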

Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
	FAILED for resource: aws_security_group.backup_lambda
	File: /backup_lambda.tf:184-201

		184 | resource "aws_security_group" "backup_lambda" {
		185 |   name        = "${local.application_name}-${local.environment}-backup-lambda-security-group"
		186 |   description = "Backup Lambda Security Group"
		187 |   vpc_id      = data.aws_vpc.shared.id
		188 | 
		189 |   egress {
		190 |     description = "outbound access"
		191 |     from_port   = 0
		192 |     to_port     = 0
		193 |     protocol    = "-1"
		194 |     cidr_blocks = ["0.0.0.0/0"]
		195 |   }
		196 | 
		197 |   tags = merge(
		198 |     local.tags,
		199 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-security-group" }
		200 |   )
		201 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /backup_lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /backup_lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /backup_lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /backup_lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }
Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion.tf:5-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "bastion_linux" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0"
		7  | 
		8  |   providers = {
		9  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		11 |   }
		12 | 
		13 |   # s3 - used for logs and user ssh public keys
		14 |   bucket_name = "bastion-${local.application_name}"
		15 | 
		16 |   # public keys
		17 |   public_key_data = local.public_key_data.keys[local.environment]
		18 | 
		19 |   # logs
		20 |   log_auto_clean       = "Enabled"
		21 |   log_standard_ia_days = 30  # days before moving to IA storage
		22 |   log_glacier_days     = 60  # days before moving to Glacier
		23 |   log_expiry_days      = 180 # days before log expiration
		24 | 
		25 |   # bastion
		26 |   allow_ssh_commands = false
		27 |   app_name           = var.networking[0].application
		28 |   business_unit      = local.vpc_name
		29 |   subnet_set         = local.subnet_set
		30 |   environment        = local.environment
		31 |   region             = "eu-west-2"
		32 | 
		33 |   # Tags
		34 |   tags_common = local.tags
		35 |   tags_prefix = terraform.workspace
		36 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.EC2LogGoup
	File: /cw.tf:5-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		5 | resource "aws_cloudwatch_log_group" "EC2LogGoup" {
		6 |   name              = "${local.application_name}-EC2"
		7 |   retention_in_days = 180
		8 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.EC2LogGoup
	File: /cw.tf:5-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		5 | resource "aws_cloudwatch_log_group" "EC2LogGoup" {
		6 |   name              = "${local.application_name}-EC2"
		7 |   retention_in_days = 180
		8 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.EDWLogGroupCfnInit
	File: /cw.tf:12-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		12 | resource "aws_cloudwatch_log_group" "EDWLogGroupCfnInit" {
		13 |   name              = "${local.application_name}-CfnInit"
		14 |   retention_in_days = 180
		15 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.EDWLogGroupCfnInit
	File: /cw.tf:12-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		12 | resource "aws_cloudwatch_log_group" "EDWLogGroupCfnInit" {
		13 |   name              = "${local.application_name}-CfnInit"
		14 |   retention_in_days = 180
		15 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.EDWLogGroupOracleAlerts
	File: /cw.tf:17-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		17 | resource "aws_cloudwatch_log_group" "EDWLogGroupOracleAlerts" {
		18 |   name              = "${local.application_name}-OracleAlerts"
		19 |   retention_in_days = 180
		20 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.EDWLogGroupOracleAlerts
	File: /cw.tf:17-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		17 | resource "aws_cloudwatch_log_group" "EDWLogGroupOracleAlerts" {
		18 |   name              = "${local.application_name}-OracleAlerts"
		19 |   retention_in_days = 180
		20 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.EDWLogGroupRman
	File: /cw.tf:22-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		22 | resource "aws_cloudwatch_log_group" "EDWLogGroupRman" {
		23 |   name              = "${local.application_name}-RMan"
		24 |   retention_in_days = 180
		25 | 
		26 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.EDWLogGroupRman
	File: /cw.tf:22-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		22 | resource "aws_cloudwatch_log_group" "EDWLogGroupRman" {
		23 |   name              = "${local.application_name}-RMan"
		24 |   retention_in_days = 180
		25 | 
		26 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.EDWLogGroupRmanArch
	File: /cw.tf:28-31
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		28 | resource "aws_cloudwatch_log_group" "EDWLogGroupRmanArch" {
		29 |   name              = "${local.application_name}-RManArch"
		30 |   retention_in_days = 180
		31 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.EDWLogGroupRmanArch
	File: /cw.tf:28-31
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		28 | resource "aws_cloudwatch_log_group" "EDWLogGroupRmanArch" {
		29 |   name              = "${local.application_name}-RManArch"
		30 |   retention_in_days = 180
		31 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.EDWLogGroupTBSFreespace
	File: /cw.tf:33-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		33 | resource "aws_cloudwatch_log_group" "EDWLogGroupTBSFreespace" {
		34 |   name              = "${local.application_name}-TBSFreespace"
		35 |   retention_in_days = 180
		36 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.EDWLogGroupTBSFreespace
	File: /cw.tf:33-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		33 | resource "aws_cloudwatch_log_group" "EDWLogGroupTBSFreespace" {
		34 |   name              = "${local.application_name}-TBSFreespace"
		35 |   retention_in_days = 180
		36 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.EDWLogGroupPMONstatus
	File: /cw.tf:38-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		38 | resource "aws_cloudwatch_log_group" "EDWLogGroupPMONstatus" {
		39 |   name              = "${local.application_name}-PMONstatus"
		40 |   retention_in_days = 180
		41 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.EDWLogGroupPMONstatus
	File: /cw.tf:38-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		38 | resource "aws_cloudwatch_log_group" "EDWLogGroupPMONstatus" {
		39 |   name              = "${local.application_name}-PMONstatus"
		40 |   retention_in_days = 180
		41 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.EDWLogGroupCDCstatus
	File: /cw.tf:43-46
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		43 | resource "aws_cloudwatch_log_group" "EDWLogGroupCDCstatus" {
		44 |   name              = "${local.application_name}-CDCstatus"
		45 |   retention_in_days = 180
		46 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.EDWLogGroupCDCstatus
	File: /cw.tf:43-46
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		43 | resource "aws_cloudwatch_log_group" "EDWLogGroupCDCstatus" {
		44 |   name              = "${local.application_name}-CDCstatus"
		45 |   retention_in_days = 180
		46 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.edw_alerting_topic
	File: /cw.tf:544-552
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		544 | resource "aws_sns_topic" "edw_alerting_topic" {
		545 |   name = "${local.application_name}-SNS-topic"
		546 |   tags = merge(
		547 |     local.tags,
		548 |     {
		549 |       Name = "${local.application_name}-edw-alerting-topic"
		550 |     }
		551 |   )
		552 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: edw_pagerduty_core_alerts
	File: /cw.tf:574-581
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		574 | module "edw_pagerduty_core_alerts" {
		575 |   depends_on = [
		576 |     aws_sns_topic.edw_alerting_topic
		577 |   ]
		578 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		579 |   sns_topics                = [aws_sns_topic.edw_alerting_topic.name]
		580 |   pagerduty_integration_key = local.edw_pagerduty_integration_keys[local.edw_pagerduty_integration_key_name]
		581 | }
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.edw_ec2_role_policy
	File: /ec2.tf:492-555
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.edw_ec2_role_policy
	File: /ec2.tf:492-555
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.edw_db_instance
	File: /ec2.tf:577-610
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		577 | resource "aws_instance" "edw_db_instance" {
		578 |   ami                         = local.application_data.accounts[local.environment].edw_ec2_ami_id
		579 |   availability_zone           = "eu-west-2a"
		580 |   instance_type               = local.application_data.accounts[local.environment].edw_ec2_instance_type
		581 |   iam_instance_profile        = aws_iam_instance_profile.edw_ec2_instance_profile.id
		582 |   key_name                    = aws_key_pair.edw_ec2_key.key_name
		583 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		584 |   vpc_security_group_ids      = [aws_security_group.edw_db_security_group.id]
		585 |   user_data_base64            = base64encode(local.db_userdata)
		586 |   user_data_replace_on_change = true
		587 | 
		588 |   root_block_device {
		589 |     tags = merge(
		590 |       local.tags,
		591 |       { "Name" = "${local.application_name}-root-volume" }
		592 |     )
		593 |   }
		594 | 
		595 |   metadata_options {
		596 |     http_endpoint               = "enabled"
		597 |     http_put_response_hop_limit = 2
		598 |     http_tokens                 = "optional"
		599 |   }
		600 | 
		601 |   lifecycle {
		602 |     create_before_destroy = true
		603 |   }
		604 | 
		605 |   tags = merge(
		606 |     local.tags,
		607 |     { "Name" = local.application_data.accounts[local.environment].database_ec2_name },
		608 |     { "instance-scheduling" = "skip-scheduling" }
		609 |   )
		610 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.edw_db_instance
	File: /ec2.tf:577-610
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		577 | resource "aws_instance" "edw_db_instance" {
		578 |   ami                         = local.application_data.accounts[local.environment].edw_ec2_ami_id
		579 |   availability_zone           = "eu-west-2a"
		580 |   instance_type               = local.application_data.accounts[local.environment].edw_ec2_instance_type
		581 |   iam_instance_profile        = aws_iam_instance_profile.edw_ec2_instance_profile.id
		582 |   key_name                    = aws_key_pair.edw_ec2_key.key_name
		583 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		584 |   vpc_security_group_ids      = [aws_security_group.edw_db_security_group.id]
		585 |   user_data_base64            = base64encode(local.db_userdata)
		586 |   user_data_replace_on_change = true
		587 | 
		588 |   root_block_device {
		589 |     tags = merge(
		590 |       local.tags,
		591 |       { "Name" = "${local.application_name}-root-volume" }
		592 |     )
		593 |   }
		594 | 
		595 |   metadata_options {
		596 |     http_endpoint               = "enabled"
		597 |     http_put_response_hop_limit = 2
		598 |     http_tokens                 = "optional"
		599 |   }
		600 | 
		601 |   lifecycle {
		602 |     create_before_destroy = true
		603 |   }
		604 | 
		605 |   tags = merge(
		606 |     local.tags,
		607 |     { "Name" = local.application_data.accounts[local.environment].database_ec2_name },
		608 |     { "instance-scheduling" = "skip-scheduling" }
		609 |   )
		610 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_bastion_ssh
	File: /ec2.tf:746-753
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		746 | resource "aws_vpc_security_group_ingress_rule" "db_bastion_ssh" {
		747 |   security_group_id            = aws_security_group.edw_db_security_group.id
		748 |   description                  = "SSH from the Bastion"
		749 |   referenced_security_group_id = module.bastion_linux.bastion_security_group
		750 |   from_port                    = 22
		751 |   ip_protocol                  = "tcp"
		752 |   to_port                      = 22
		753 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_lambda
	File: /ec2.tf:755-762
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		755 | resource "aws_vpc_security_group_ingress_rule" "db_lambda" {
		756 |   security_group_id            = aws_security_group.edw_db_security_group.id
		757 |   description                  = "Allow Lambda SSH access for backup snapshots"
		758 |   referenced_security_group_id = aws_security_group.backup_lambda.id
		759 |   from_port                    = 22
		760 |   ip_protocol                  = "tcp"
		761 |   to_port                      = 22
		762 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.all_out
	File: /ec2.tf:791-795
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		791 | resource "aws_vpc_security_group_egress_rule" "all_out" {
		792 |   security_group_id = aws_security_group.edw_db_security_group.id
		793 |   cidr_ipv4         = "0.0.0.0/0"
		794 |   ip_protocol       = "-1"
		795 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.db-master-password2
	File: /secret-rotate.tf:13-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		13 | resource "aws_secretsmanager_secret" "db-master-password2" {
		14 |   name        = "${local.application_name}/app/db-master-password2"
		15 |   description = "EDW DB EC2 Root Password"
		16 | 
		17 |   tags = merge(
		18 |     local.tags,
		19 |     {
		20 |       Name = "${local.application_name}-db-master-password2-"
		21 |     }
		22 |   )
		23 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.edw_db_ec2_root_secret
	File: /secret-rotate.tf:43-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		43 | resource "aws_secretsmanager_secret" "edw_db_ec2_root_secret" {
		44 |   name        = "${local.application_name}/app/db-EC2-root-password-${random_string.edw-root-secret_id_suffix.result}"
		45 |   description = "EDW DB EC2 Root Password"
		46 | 
		47 |   tags = merge(
		48 |     local.tags,
		49 |     {
		50 |       Name = "${local.application_name}-ec2-system-root-password"
		51 |     }
		52 |   )
		53 | }

Check: CKV_AWS_304: "Ensure Secrets Manager secrets should be rotated within 90 days"
	FAILED for resource: aws_secretsmanager_secret_rotation.edw_db_root_rotate
	File: /secret-rotate.tf:60-68
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-304

		60 | resource "aws_secretsmanager_secret_rotation" "edw_db_root_rotate" {
		61 |   secret_id           = aws_secretsmanager_secret.edw_db_ec2_root_secret.id
		62 |   rotation_lambda_arn = aws_lambda_function.rotate_secret_function.arn
		63 |   rotate_immediately  = true
		64 | 
		65 |   rotation_rules {
		66 |     automatically_after_days = local.application_data.accounts[local.environment].secret_rotation_frequency_days
		67 |   }
		68 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.rotate_secret_function
	File: /secret-rotate.tf:85-108
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		85  | resource "aws_lambda_function" "rotate_secret_function" {
		86  |   function_name = local.application_data.accounts[local.environment].lambda_function_name
		87  |   description   = local.application_data.accounts[local.environment].lambda_function_description
		88  |   role          = aws_iam_role.edw_lambda_function_execution_role.arn
		89  |   handler       = local.application_data.accounts[local.environment].lambda_function_handler
		90  |   runtime       = local.application_data.accounts[local.environment].lambda_function_runtime
		91  |   timeout       = local.application_data.accounts[local.environment].lambda_function_timeout
		92  | 
		93  |   filename         = data.archive_file.lambda_inline_code.output_path
		94  |   source_code_hash = data.archive_file.lambda_inline_code.output_base64sha256 # hash ensures that changes to inline code are always picked up by a plan/apply
		95  | 
		96  |   environment {
		97  |     variables = {
		98  |       SECRETS_MANAGER_ENDPOINT = "https://secretsmanager.eu-west-2.amazonaws.com"
		99  |     }
		100 |   }
		101 | 
		102 |   tags = merge(
		103 |     local.tags,
		104 |     {
		105 |       Name = "${local.application_name}-edw-secret-rotate-function"
		106 |     }
		107 |   )
		108 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.rotate_secret_function
	File: /secret-rotate.tf:85-108
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		85  | resource "aws_lambda_function" "rotate_secret_function" {
		86  |   function_name = local.application_data.accounts[local.environment].lambda_function_name
		87  |   description   = local.application_data.accounts[local.environment].lambda_function_description
		88  |   role          = aws_iam_role.edw_lambda_function_execution_role.arn
		89  |   handler       = local.application_data.accounts[local.environment].lambda_function_handler
		90  |   runtime       = local.application_data.accounts[local.environment].lambda_function_runtime
		91  |   timeout       = local.application_data.accounts[local.environment].lambda_function_timeout
		92  | 
		93  |   filename         = data.archive_file.lambda_inline_code.output_path
		94  |   source_code_hash = data.archive_file.lambda_inline_code.output_base64sha256 # hash ensures that changes to inline code are always picked up by a plan/apply
		95  | 
		96  |   environment {
		97  |     variables = {
		98  |       SECRETS_MANAGER_ENDPOINT = "https://secretsmanager.eu-west-2.amazonaws.com"
		99  |     }
		100 |   }
		101 | 
		102 |   tags = merge(
		103 |     local.tags,
		104 |     {
		105 |       Name = "${local.application_name}-edw-secret-rotate-function"
		106 |     }
		107 |   )
		108 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.rotate_secret_function
	File: /secret-rotate.tf:85-108
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		85  | resource "aws_lambda_function" "rotate_secret_function" {
		86  |   function_name = local.application_data.accounts[local.environment].lambda_function_name
		87  |   description   = local.application_data.accounts[local.environment].lambda_function_description
		88  |   role          = aws_iam_role.edw_lambda_function_execution_role.arn
		89  |   handler       = local.application_data.accounts[local.environment].lambda_function_handler
		90  |   runtime       = local.application_data.accounts[local.environment].lambda_function_runtime
		91  |   timeout       = local.application_data.accounts[local.environment].lambda_function_timeout
		92  | 
		93  |   filename         = data.archive_file.lambda_inline_code.output_path
		94  |   source_code_hash = data.archive_file.lambda_inline_code.output_base64sha256 # hash ensures that changes to inline code are always picked up by a plan/apply
		95  | 
		96  |   environment {
		97  |     variables = {
		98  |       SECRETS_MANAGER_ENDPOINT = "https://secretsmanager.eu-west-2.amazonaws.com"
		99  |     }
		100 |   }
		101 | 
		102 |   tags = merge(
		103 |     local.tags,
		104 |     {
		105 |       Name = "${local.application_name}-edw-secret-rotate-function"
		106 |     }
		107 |   )
		108 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.rotate_secret_function
	File: /secret-rotate.tf:85-108
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		85  | resource "aws_lambda_function" "rotate_secret_function" {
		86  |   function_name = local.application_data.accounts[local.environment].lambda_function_name
		87  |   description   = local.application_data.accounts[local.environment].lambda_function_description
		88  |   role          = aws_iam_role.edw_lambda_function_execution_role.arn
		89  |   handler       = local.application_data.accounts[local.environment].lambda_function_handler
		90  |   runtime       = local.application_data.accounts[local.environment].lambda_function_runtime
		91  |   timeout       = local.application_data.accounts[local.environment].lambda_function_timeout
		92  | 
		93  |   filename         = data.archive_file.lambda_inline_code.output_path
		94  |   source_code_hash = data.archive_file.lambda_inline_code.output_base64sha256 # hash ensures that changes to inline code are always picked up by a plan/apply
		95  | 
		96  |   environment {
		97  |     variables = {
		98  |       SECRETS_MANAGER_ENDPOINT = "https://secretsmanager.eu-west-2.amazonaws.com"
		99  |     }
		100 |   }
		101 | 
		102 |   tags = merge(
		103 |     local.tags,
		104 |     {
		105 |       Name = "${local.application_name}-edw-secret-rotate-function"
		106 |     }
		107 |   )
		108 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.rotate_secret_function
	File: /secret-rotate.tf:85-108
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		85  | resource "aws_lambda_function" "rotate_secret_function" {
		86  |   function_name = local.application_data.accounts[local.environment].lambda_function_name
		87  |   description   = local.application_data.accounts[local.environment].lambda_function_description
		88  |   role          = aws_iam_role.edw_lambda_function_execution_role.arn
		89  |   handler       = local.application_data.accounts[local.environment].lambda_function_handler
		90  |   runtime       = local.application_data.accounts[local.environment].lambda_function_runtime
		91  |   timeout       = local.application_data.accounts[local.environment].lambda_function_timeout
		92  | 
		93  |   filename         = data.archive_file.lambda_inline_code.output_path
		94  |   source_code_hash = data.archive_file.lambda_inline_code.output_base64sha256 # hash ensures that changes to inline code are always picked up by a plan/apply
		95  | 
		96  |   environment {
		97  |     variables = {
		98  |       SECRETS_MANAGER_ENDPOINT = "https://secretsmanager.eu-west-2.amazonaws.com"
		99  |     }
		100 |   }
		101 | 
		102 |   tags = merge(
		103 |     local.tags,
		104 |     {
		105 |       Name = "${local.application_name}-edw-secret-rotate-function"
		106 |     }
		107 |   )
		108 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.rotate_secret_function
	File: /secret-rotate.tf:85-108
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		85  | resource "aws_lambda_function" "rotate_secret_function" {
		86  |   function_name = local.application_data.accounts[local.environment].lambda_function_name
		87  |   description   = local.application_data.accounts[local.environment].lambda_function_description
		88  |   role          = aws_iam_role.edw_lambda_function_execution_role.arn
		89  |   handler       = local.application_data.accounts[local.environment].lambda_function_handler
		90  |   runtime       = local.application_data.accounts[local.environment].lambda_function_runtime
		91  |   timeout       = local.application_data.accounts[local.environment].lambda_function_timeout
		92  | 
		93  |   filename         = data.archive_file.lambda_inline_code.output_path
		94  |   source_code_hash = data.archive_file.lambda_inline_code.output_base64sha256 # hash ensures that changes to inline code are always picked up by a plan/apply
		95  | 
		96  |   environment {
		97  |     variables = {
		98  |       SECRETS_MANAGER_ENDPOINT = "https://secretsmanager.eu-west-2.amazonaws.com"
		99  |     }
		100 |   }
		101 | 
		102 |   tags = merge(
		103 |     local.tags,
		104 |     {
		105 |       Name = "${local.application_name}-edw-secret-rotate-function"
		106 |     }
		107 |   )
		108 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.edw_lambda_function_execution_role_policy
	File: /secret-rotate.tf:127-181
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.edw_lambda_function_execution_role_policy
	File: /secret-rotate.tf:127-181
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.edw_lambda_function_execution_role_policy
	File: /secret-rotate.tf:127-181
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_364: "Ensure that AWS Lambda function permissions delegated to AWS services are limited by SourceArn or SourceAccount"
	FAILED for resource: aws_lambda_permission.rotate_secret_function_permission
	File: /secret-rotate.tf:189-193
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-364

		189 | resource "aws_lambda_permission" "rotate_secret_function_permission" {
		190 |   action        = "lambda:InvokeFunction"
		191 |   function_name = aws_lambda_function.rotate_secret_function.function_name
		192 |   principal     = "secretsmanager.amazonaws.com"
		193 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		101 | resource "aws_s3_bucket" "backup_lambda" {
		102 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		106 |   )
		107 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db-master-password2
	File: /secret-rotate.tf:13-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		13 | resource "aws_secretsmanager_secret" "db-master-password2" {
		14 |   name        = "${local.application_name}/app/db-master-password2"
		15 |   description = "EDW DB EC2 Root Password"
		16 | 
		17 |   tags = merge(
		18 |     local.tags,
		19 |     {
		20 |       Name = "${local.application_name}-db-master-password2-"
		21 |     }
		22 |   )
		23 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		101 | resource "aws_s3_bucket" "backup_lambda" {
		102 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		106 |   )
		107 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		101 | resource "aws_s3_bucket" "backup_lambda" {
		102 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		106 |   )
		107 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		101 | resource "aws_s3_bucket" "backup_lambda" {
		102 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		106 |   )
		107 | }

Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
	FAILED for resource: aws_s3_bucket_ownership_controls.backup_lambda
	File: /backup_lambda.tf:124-129
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-112

		124 | resource "aws_s3_bucket_ownership_controls" "backup_lambda" {
		125 |   bucket = aws_s3_bucket.backup_lambda.id
		126 |   rule {
		127 |     object_ownership = "ObjectWriter"
		128 |   }
		129 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		101 | resource "aws_s3_bucket" "backup_lambda" {
		102 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		106 |   )
		107 | }


checkov_exitcode=1

TFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/edw

*****************************

Running tflint in terraform/environments/edw
Excluding the following checks: terraform_unused_declarations
4 issue(s) found:

Warning: Missing version constraint for provider "time" in `required_providers` (terraform_required_providers)

  on terraform/environments/edw/platform_providers.tf line 60:
  60: provider "time" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/edw/secret-rotate.tf line 38:
  38: resource "random_string" "edw-initial_root_secret_value" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/edw/secret-rotate.tf line 75:
  75: data "archive_file" "lambda_inline_code" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/edw/secret-rotate.tf line 81:
  81:     content  = file("${local.application_data.accounts[local.environment].lambda_function_inline_code_filename}")

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

Trivy Scan Failed

*****************************

Trivy will check the following folders:
terraform/environments/edw

*****************************

Running Trivy in terraform/environments/edw
2024-12-12T22:11:27Z	INFO	[vulndb] Need to update DB
2024-12-12T22:11:27Z	INFO	[vulndb] Downloading vulnerability DB...
2024-12-12T22:11:27Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-12T22:11:29Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-12T22:11:29Z	INFO	[vuln] Vulnerability scanning is enabled
2024-12-12T22:11:29Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-12-12T22:11:29Z	INFO	[misconfig] Need to update the built-in checks
2024-12-12T22:11:29Z	INFO	[misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [------------------------------------------------------] 100.00% ? p/s 100ms
2024-12-12T22:11:29Z	INFO	[secret] Secret scanning is enabled
2024-12-12T22:11:29Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-12T22:11:29Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-12T22:11:30Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-12-12T22:11:30Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-12-12T22:11:31Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-12-12T22:11:31Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-12-12T22:11:31Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T22:11:31Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T22:11:32Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-12-12T22:11:32Z	INFO	Number of language-specific files	num=0
2024-12-12T22:11:32Z	INFO	Detected config files	num=6

backup_lambda.tf (terraform)
============================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.


See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 backup_lambda.tf:101-107
────────────────────────────────────────
 101 ┌ resource "aws_s3_bucket" "backup_lambda" {
 102 │   bucket = "${local.application_name}-${local.environment}-backup-lambda"
 103 │   tags = merge(
 104 │     local.tags,
 105 │     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
 106 │   )
 107 └ }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 backup_lambda.tf:101-107
────────────────────────────────────────
 101 ┌ resource "aws_s3_bucket" "backup_lambda" {
 102 │   bucket = "${local.application_name}-${local.environment}-backup-lambda"
 103 │   tags = merge(
 104 │     local.tags,
 105 │     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
 106 │   )
 107 └ }
────────────────────────────────────────



ec2.tf (terraform)
==================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 ec2.tf:598
   via ec2.tf:595-599 (metadata_options)
    via ec2.tf:577-610 (aws_instance.edw_db_instance)
────────────────────────────────────────
 577   resource "aws_instance" "edw_db_instance" {
 ...   
 598 [     http_tokens                 = "optional"
 ...   
 610   }
────────────────────────────────────────


AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 ec2.tf:577-610
────────────────────────────────────────
 577 ┌ resource "aws_instance" "edw_db_instance" {
 578 │   ami                         = local.application_data.accounts[local.environment].edw_ec2_ami_id
 579 │   availability_zone           = "eu-west-2a"
 580 │   instance_type               = local.application_data.accounts[local.environment].edw_ec2_instance_type
 581 │   iam_instance_profile        = aws_iam_instance_profile.edw_ec2_instance_profile.id
 582 │   key_name                    = aws_key_pair.edw_ec2_key.key_name
 583 │   subnet_id                   = data.aws_subnet.private_subnets_a.id
 584 │   vpc_security_group_ids      = [aws_security_group.edw_db_security_group.id]
 585 └   user_data_base64            = base64encode(local.db_userdata)
 ...   
────────────────────────────────────────



secret-rotate.tf (terraform)
============================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 0, CRITICAL: 1)

AVD-AWS-0067 (CRITICAL): Lambda permission lacks source ARN for *.amazonaws.com principal.
════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.
Without this, any resource from principal will be granted permission – even if that resource is from another account.
For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API


See https://avd.aquasec.com/misconfig/avd-aws-0067
────────────────────────────────────────
 secret-rotate.tf:189-193
────────────────────────────────────────
 189 ┌ resource "aws_lambda_permission" "rotate_secret_function_permission" {
 190 │   action        = "lambda:InvokeFunction"
 191 │   function_name = aws_lambda_function.rotate_secret_function.function_name
 192 │   principal     = "secretsmanager.amazonaws.com"
 193 └ }
────────────────────────────────────────


trivy_exitcode=1
