Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

TM-770 Remove vault used for migrating EFS #9075

Merged
merged 1 commit into from
Dec 13, 2024
Merged

TM-770 Remove vault used for migrating EFS #9075

merged 1 commit into from
Dec 13, 2024

Conversation

vc13837
Copy link
Contributor

@vc13837 vc13837 commented Dec 13, 2024

No description provided.

@vc13837 vc13837 requested review from a team as code owners December 13, 2024 10:45
@github-actions github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label Dec 13, 2024
@vc13837 vc13837 deployed to apex-development December 13, 2024 10:46 — with GitHub Actions Active
Copy link
Contributor

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/apex
terraform/environments/electronic-monitoring-data/modules/ap_airflow_load_data_iam_role


Running Trivy in terraform/environments/apex
2024-12-13T10:47:15Z INFO [vulndb] Need to update DB
2024-12-13T10:47:15Z INFO [vulndb] Downloading vulnerability DB...
2024-12-13T10:47:15Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-13T10:47:17Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-13T10:47:17Z INFO [vuln] Vulnerability scanning is enabled
2024-12-13T10:47:17Z INFO [misconfig] Misconfiguration scanning is enabled
2024-12-13T10:47:17Z INFO [misconfig] Need to update the built-in checks
2024-12-13T10:47:17Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2024-12-13T10:47:17Z INFO [secret] Secret scanning is enabled
2024-12-13T10:47:17Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-13T10:47:17Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-13T10:47:18Z INFO [terraform scanner] Scanning root module file_path="."
2024-12-13T10:47:18Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-12-13T10:47:18Z ERROR [terraform evaluator] Failed to expand dynamic block. block="aws_waf_ipset.wafmanualallowset" err="1 error occurred:\n\t* invalid for-each in aws_waf_ipset.wafmanualallowset.dynamic.ip_set_descriptors block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-13T10:47:18Z ERROR [terraform evaluator] Failed to expand dynamic block. block="aws_waf_ipset.wafmanualallowset" err="1 error occurred:\n\t* invalid for-each in aws_waf_ipset.wafmanualallowset.dynamic.ip_set_descriptors block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-13T10:47:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.aws_route53_record.external_lb_validation_core_network_services" value="cty.NilVal"
2024-12-13T10:47:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.aws_route53_record.external_lb_validation_core_vpc" value="cty.NilVal"
2024-12-13T10:47:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.aws_route53_record.external_lb_validation_self" value="cty.NilVal"
2024-12-13T10:47:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.data.aws_route53_zone.core_network_services" value="cty.NilVal"
2024-12-13T10:47:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.data.aws_route53_zone.core_vpc" value="cty.NilVal"
2024-12-13T10:47:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.data.aws_route53_zone.self" value="cty.NilVal"
2024-12-13T10:47:19Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.apex-ecs.aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-13T10:47:19Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.apex-ecs.aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-13T10:47:19Z INFO [terraform scanner] Scanning root module file_path="modules/lambdapolicy"
2024-12-13T10:47:19Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="tags"
2024-12-13T10:47:19Z INFO [terraform scanner] Scanning root module file_path="modules/s3"
2024-12-13T10:47:19Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="tags"
2024-12-13T10:47:20Z INFO [terraform executor] Ignore finding rule="aws-elb-alb-not-public" range="modules/alb/main.tf:214"
2024-12-13T10:47:20Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-12-13T10:47:21Z INFO Number of language-specific files num=0
2024-12-13T10:47:21Z INFO Detected config files num=12

cloudfront.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0013 (HIGH): Distribution allows unencrypted communications.
════════════════════════════════════════
You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.
Note: that setting minimum_protocol_version = "TLSv1.2_2021" is only possible when cloudfront_default_certificate is false (eg. you are not using the cloudfront.net domain name).
If cloudfront_default_certificate is true then the Cloudfront API will only allow setting minimum_protocol_version = "TLSv1", and setting it to any other value will result in a perpetual diff in your terraform plan's.
The only option when using the cloudfront.net domain name is to ignore this rule.

See https://avd.aquasec.com/misconfig/avd-aws-0013
────────────────────────────────────────
cloudfront.tf:244
via cloudfront.tf:241-245 (viewer_certificate)
via cloudfront.tf:177-267 (aws_cloudfront_distribution.external)
────────────────────────────────────────
177 resource "aws_cloudfront_distribution" "external" {
...
244 [ minimum_protocol_version = "TLSv1.2_2018"
...
267 }
────────────────────────────────────────

AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
cloudfront.tf:131-142
────────────────────────────────────────
131 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "cloudfront" {
132 │ bucket = aws_s3_bucket.cloudfront.id
133 │ rule {
134 │ apply_server_side_encryption_by_default {
135 │ sse_algorithm = "AES256"
136 │ }
137 │ }
138 │ # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
139 └ lifecycle {
...
────────────────────────────────────────

ec2.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ec2.tf:6-43
────────────────────────────────────────
6 ┌ resource "aws_instance" "apex_db_instance" {
7 │ ami = local.application_data.accounts[local.environment].ec2amiid
8 │ associate_public_ip_address = false
9 │ availability_zone = "eu-west-2a"
10 │ ebs_optimized = true
11 │ instance_type = local.application_data.accounts[local.environment].ec2instancetype
12 │ vpc_security_group_ids = [aws_security_group.database.id]
13 │ monitoring = true
14 └ subnet_id = data.aws_subnet.data_subnets_a.id
..
────────────────────────────────────────

lambda.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
lambda.tf:107-113
────────────────────────────────────────
107 ┌ resource "aws_s3_bucket" "backup_lambda" {
108 │ bucket = "${local.application_name}-${local.environment}-backup-lambda"
109 │ tags = merge(
110 │ local.tags,
111 │ { Name = "${local.application_name}-${local.environment}-backup-lambda" }
112 │ )
113 └ }
────────────────────────────────────────

AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
lambda.tf:107-113
────────────────────────────────────────
107 ┌ resource "aws_s3_bucket" "backup_lambda" {
108 │ bucket = "${local.application_name}-${local.environment}-backup-lambda"
109 │ tags = merge(
110 │ local.tags,
111 │ { Name = "${local.application_name}-${local.environment}-backup-lambda" }
112 │ )
113 └ }
────────────────────────────────────────

modules/ecs/main.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0130 (HIGH): Launch template does not require IMDS access to require a token
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/aws-autoscaling-enforce-http-token-imds
────────────────────────────────────────
modules/ecs/main.tf:121
via modules/ecs/main.tf:119-123 (metadata_options)
via modules/ecs/main.tf:107-164 (aws_launch_template.ec2-launch-template)
via ecs.tf:5-38 (module.apex-ecs)
────────────────────────────────────────
107 resource "aws_launch_template" "ec2-launch-template" {
...
121 [ http_tokens = "optional"
...
164 }
────────────────────────────────────────

modules/s3/main.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
modules/s3/main.tf:1-4
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
2 │ bucket = var.bucket_name
3 │ tags = var.tags
4 └ }
────────────────────────────────────────

AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3/main.tf:1-4
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
2 │ bucket = var.bucket_name
3 │ tags = var.tags
4 └ }
────────────────────────────────────────

trivy_exitcode=1


Running Trivy in terraform/environments/electronic-monitoring-data/modules/ap_airflow_load_data_iam_role
2024-12-13T10:47:21Z INFO [vuln] Vulnerability scanning is enabled
2024-12-13T10:47:21Z INFO [misconfig] Misconfiguration scanning is enabled
2024-12-13T10:47:21Z INFO [secret] Secret scanning is enabled
2024-12-13T10:47:21Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-13T10:47:21Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-13T10:47:22Z INFO [terraform scanner] Scanning root module file_path="."
2024-12-13T10:47:22Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="athena_dump_bucket, cadt_bucket, database_name, environment, name, oidc_arn, secret_code, source_data_bucket"
2024-12-13T10:47:22Z INFO Number of language-specific files num=0
2024-12-13T10:47:22Z INFO Detected config files num=1
trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/apex
terraform/environments/electronic-monitoring-data/modules/ap_airflow_load_data_iam_role

*****************************

Running Checkov in terraform/environments/apex
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-12-13 10:47:24,989 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2024-12-13 10:47:24,989 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 357, Failed checks: 101, Skipped checks: 5, Parsing errors: 1

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.prod_apex
	File: /backups.tf:6-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk

		6  | resource "aws_backup_vault" "prod_apex" {
		7  |   count = local.environment == "production" ? 1 : 0
		8  |   name  = "${local.application_name}-production-backup-vault"
		9  |   tags = merge(
		10 |     local.tags,
		11 |     { "Name" = "${local.application_name}-production-backup-vault" },
		12 |   )
		13 | }

Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
	FAILED for resource: aws_s3_bucket_lifecycle_configuration.cloudfront
	File: /cloudfront.tf:157-175
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-300

		157 | resource "aws_s3_bucket_lifecycle_configuration" "cloudfront" {
		158 |   count  = local.environment == "production" ? 1 : 0
		159 |   bucket = aws_s3_bucket.cloudfront.id
		160 | 
		161 |   rule {
		162 |     id = "delete-after-90days"
		163 | 
		164 |     expiration {
		165 |       days = 90
		166 |     }
		167 | 
		168 |     noncurrent_version_expiration {
		169 |       newer_noncurrent_versions = 1
		170 |       noncurrent_days           = 90
		171 |     }
		172 | 
		173 |     status = "Enabled"
		174 |   }
		175 | }

Check: CKV_AWS_310: "Ensure CloudFront distributions should have origin failover configured"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-310

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_374: "Ensure AWS CloudFront web distribution has geo restriction enabled"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_305: "Ensure CloudFront distribution has a default root object configured"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-305

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
	FAILED for resource: aws_acm_certificate.cloudfront
	File: /cloudfront.tf:295-305
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy

		295 | resource "aws_acm_certificate" "cloudfront" {
		296 |   domain_name               = local.cloudfront_domain
		297 |   validation_method         = "DNS"
		298 |   provider                  = aws.us-east-1
		299 |   subject_alternative_names = local.environment == "production" ? null : [local.lower_env_cloudfront_url]
		300 |   tags                      = local.tags
		301 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		302 |   lifecycle {
		303 |     prevent_destroy = false
		304 |   }
		305 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.apex_db_instance
	File: /ec2.tf:6-43
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		6  | resource "aws_instance" "apex_db_instance" {
		7  |   ami                         = local.application_data.accounts[local.environment].ec2amiid
		8  |   associate_public_ip_address = false
		9  |   availability_zone           = "eu-west-2a"
		10 |   ebs_optimized               = true
		11 |   instance_type               = local.application_data.accounts[local.environment].ec2instancetype
		12 |   vpc_security_group_ids      = [aws_security_group.database.id]
		13 |   monitoring                  = true
		14 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		15 |   iam_instance_profile        = aws_iam_instance_profile.ec2_instance_profile.id
		16 |   key_name                    = aws_key_pair.apex.key_name
		17 |   user_data_base64            = base64encode(local.database-instance-userdata)
		18 |   user_data_replace_on_change = true
		19 | 
		20 |   lifecycle {
		21 |     ignore_changes = [user_data_base64, user_data_replace_on_change]
		22 |   }
		23 | 
		24 |   root_block_device {
		25 |     delete_on_termination = false
		26 |     encrypted             = true # TODO Confirm if encrypted volumes can work for OAS, as it looks like in MP they must be encrypted
		27 |     volume_size           = 60
		28 |     volume_type           = "gp2"
		29 |     tags = merge(
		30 |       local.tags,
		31 |       { "Name" = "${local.application_name}db-ec2-root" },
		32 |       { "backup" = "false" }
		33 |     )
		34 |   }
		35 | 
		36 |   tags = merge(
		37 |     local.tags,
		38 |     { "Name" = local.database_ec2_name },
		39 |     { "instance-scheduling" = "skip-scheduling" },
		40 |     { "backup" = "false" },
		41 |     local.backup_schedule_tags
		42 |   )
		43 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_lambda
	File: /ec2.tf:80-87
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		80 | resource "aws_vpc_security_group_ingress_rule" "db_lambda" {
		81 |   security_group_id            = aws_security_group.database.id
		82 |   description                  = "Allow Lambda SSH access for backup snapshots"
		83 |   referenced_security_group_id = aws_security_group.backup_lambda.id
		84 |   from_port                    = 22
		85 |   ip_protocol                  = "tcp"
		86 |   to_port                      = 22
		87 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.db_outbound
	File: /ec2.tf:108-112
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		108 | resource "aws_vpc_security_group_egress_rule" "db_outbound" {
		109 |   security_group_id = aws_security_group.database.id
		110 |   cidr_ipv4         = "0.0.0.0/0"
		111 |   ip_protocol       = "-1"
		112 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.ec2_instance_policy
	File: /ec2.tf:139-170
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		139 | resource "aws_iam_role_policy" "ec2_instance_policy" {
		140 |   name = "${local.application_name}-ec2-policy"
		141 |   role = aws_iam_role.ec2_instance_role.id
		142 |   policy = jsonencode({
		143 |     Version = "2012-10-17"
		144 |     Statement = [
		145 |       {
		146 |         Effect = "Allow",
		147 |         Action = [
		148 |           "logs:CreateLogGroup",
		149 |           "logs:CreateLogStream",
		150 |           "logs:DescribeLogStreams",
		151 |           "logs:PutRetentionPolicy",
		152 |           "logs:PutLogEvents",
		153 |           "logs:DescribeLogGroups",
		154 |           "cloudwatch:PutMetricData",
		155 |           "cloudwatch:GetMetricStatistics",
		156 |           "cloudwatch:ListMetrics",
		157 |           "ec2:DescribeInstances",
		158 |         ],
		159 |         Resource = "*"
		160 |       },
		161 |       {
		162 |         Effect = "Allow",
		163 |         Action = [
		164 |           "ec2:CreateTags"
		165 |         ],
		166 |         Resource = "*"
		167 |       }
		168 |     ]
		169 |   })
		170 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.ec2_instance_policy
	File: /ec2.tf:139-170
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		139 | resource "aws_iam_role_policy" "ec2_instance_policy" {
		140 |   name = "${local.application_name}-ec2-policy"
		141 |   role = aws_iam_role.ec2_instance_role.id
		142 |   policy = jsonencode({
		143 |     Version = "2012-10-17"
		144 |     Statement = [
		145 |       {
		146 |         Effect = "Allow",
		147 |         Action = [
		148 |           "logs:CreateLogGroup",
		149 |           "logs:CreateLogStream",
		150 |           "logs:DescribeLogStreams",
		151 |           "logs:PutRetentionPolicy",
		152 |           "logs:PutLogEvents",
		153 |           "logs:DescribeLogGroups",
		154 |           "cloudwatch:PutMetricData",
		155 |           "cloudwatch:GetMetricStatistics",
		156 |           "cloudwatch:ListMetrics",
		157 |           "ec2:DescribeInstances",
		158 |         ],
		159 |         Resource = "*"
		160 |       },
		161 |       {
		162 |         Effect = "Allow",
		163 |         Action = [
		164 |           "ec2:CreateTags"
		165 |         ],
		166 |         Resource = "*"
		167 |       }
		168 |     ]
		169 |   })
		170 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.database
	File: /ec2.tf:272-282
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		272 | resource "aws_cloudwatch_log_group" "database" {
		273 |   name              = "${upper(local.application_name)}-EC2-database-alert"
		274 |   retention_in_days = 0
		275 |   # kms_key_id = aws_kms_key.cloudwatch_logs_key.arn # Not encrypted in LZ
		276 |   tags = merge(
		277 |     local.tags,
		278 |     {
		279 |       Name = "${upper(local.application_name)}-EC2-database-alert"
		280 |     }
		281 |   )
		282 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.pmon_status
	File: /ec2.tf:297-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		297 | resource "aws_cloudwatch_log_group" "pmon_status" {
		298 |   name              = "${upper(local.application_name)}-EC2-database-pmon-status"
		299 |   retention_in_days = 0
		300 |   # kms_key_id = aws_kms_key.cloudwatch_logs_key.arn # Not encrypted in LZ
		301 |   tags = merge(
		302 |     local.tags,
		303 |     {
		304 |       Name = "${upper(local.application_name)}-EC2-database-pmon-status"
		305 |     }
		306 |   )
		307 | }

Check: CKV_AWS_7: "Ensure rotation for customer created CMKs is enabled"
	FAILED for resource: aws_kms_key.efs
	File: /efs.tf:1-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-8

		1 | resource "aws_kms_key" "efs" {
		2 |   description = "KMS key for encrypting EFS"
		3 |   # enable_key_rotation = true
		4 |   tags = local.tags
		5 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ssh_key
	File: /lambda.tf:8-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		8  | resource "aws_ssm_parameter" "ssh_key" {
		9  |   name        = "EC2_SSH_KEY" # This needs to match the name supplied to the dbconnect.js script
		10 |   description = "SSH Key used by Lambda function to access database instance for backup. Value is updated manually."
		11 |   type        = "SecureString"
		12 |   value       = "Placeholder"
		13 | 
		14 |   tags = merge(
		15 |     local.tags,
		16 |     { Name = "EC2_SSH_KEY" }
		17 |   )
		18 |   lifecycle {
		19 |     ignore_changes = [
		20 |       value,
		21 |     ]
		22 |   }
		23 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
	FAILED for resource: aws_security_group.backup_lambda
	File: /lambda.tf:190-207

		190 | resource "aws_security_group" "backup_lambda" {
		191 |   name        = "${local.application_name}-${local.environment}-backup-lambda-security-group"
		192 |   description = "Bakcup Lambda Security Group"
		193 |   vpc_id      = data.aws_vpc.shared.id
		194 | 
		195 |   egress {
		196 |     description = "outbound access"
		197 |     from_port   = 0
		198 |     to_port     = 0
		199 |     protocol    = "-1"
		200 |     cidr_blocks = ["0.0.0.0/0"]
		201 |   }
		202 | 
		203 |   tags = merge(
		204 |     local.tags,
		205 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-security-group" }
		206 |   )
		207 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 | 
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 | 
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 | 
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 | 
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 | 
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 | 
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 | 
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 | 
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 | 
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 | 
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:252-274
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		252 | resource "aws_lambda_function" "delete_db_snapshots" {
		253 | 
		254 |   description      = "Clean up script to delete old unused snapshots"
		255 |   function_name    = "deletesnapshotFunction"
		256 |   role             = aws_iam_role.backup_lambda.arn
		257 |   handler          = "deletesnapshots.lambda_handler"
		258 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		259 |   runtime          = "python3.8"
		260 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		261 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		262 |   memory_size      = 3000
		263 |   timeout          = 900
		264 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		265 | 
		266 |   vpc_config {
		267 |     security_group_ids = [aws_security_group.backup_lambda.id]
		268 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		269 |   }
		270 |   tags = merge(
		271 |     local.tags,
		272 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		273 |   )
		274 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:252-274
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		252 | resource "aws_lambda_function" "delete_db_snapshots" {
		253 | 
		254 |   description      = "Clean up script to delete old unused snapshots"
		255 |   function_name    = "deletesnapshotFunction"
		256 |   role             = aws_iam_role.backup_lambda.arn
		257 |   handler          = "deletesnapshots.lambda_handler"
		258 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		259 |   runtime          = "python3.8"
		260 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		261 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		262 |   memory_size      = 3000
		263 |   timeout          = 900
		264 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		265 | 
		266 |   vpc_config {
		267 |     security_group_ids = [aws_security_group.backup_lambda.id]
		268 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		269 |   }
		270 |   tags = merge(
		271 |     local.tags,
		272 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		273 |   )
		274 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:252-274
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		252 | resource "aws_lambda_function" "delete_db_snapshots" {
		253 | 
		254 |   description      = "Clean up script to delete old unused snapshots"
		255 |   function_name    = "deletesnapshotFunction"
		256 |   role             = aws_iam_role.backup_lambda.arn
		257 |   handler          = "deletesnapshots.lambda_handler"
		258 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		259 |   runtime          = "python3.8"
		260 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		261 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		262 |   memory_size      = 3000
		263 |   timeout          = 900
		264 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		265 | 
		266 |   vpc_config {
		267 |     security_group_ids = [aws_security_group.backup_lambda.id]
		268 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		269 |   }
		270 |   tags = merge(
		271 |     local.tags,
		272 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		273 |   )
		274 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:252-274
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		252 | resource "aws_lambda_function" "delete_db_snapshots" {
		253 | 
		254 |   description      = "Clean up script to delete old unused snapshots"
		255 |   function_name    = "deletesnapshotFunction"
		256 |   role             = aws_iam_role.backup_lambda.arn
		257 |   handler          = "deletesnapshots.lambda_handler"
		258 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		259 |   runtime          = "python3.8"
		260 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		261 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		262 |   memory_size      = 3000
		263 |   timeout          = 900
		264 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		265 | 
		266 |   vpc_config {
		267 |     security_group_ids = [aws_security_group.backup_lambda.id]
		268 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		269 |   }
		270 |   tags = merge(
		271 |     local.tags,
		272 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		273 |   )
		274 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		276 | resource "aws_lambda_function" "connect_db" {
		277 | 
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 | 
		291 | 
		292 | 
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 | 
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		276 | resource "aws_lambda_function" "connect_db" {
		277 | 
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 | 
		291 | 
		292 | 
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 | 
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		276 | resource "aws_lambda_function" "connect_db" {
		277 | 
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 | 
		291 | 
		292 | 
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 | 
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		276 | resource "aws_lambda_function" "connect_db" {
		277 | 
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 | 
		291 | 
		292 | 
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 | 
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }
Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		276 | resource "aws_lambda_function" "connect_db" {
		277 | 
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 | 
		291 | 
		292 | 
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 | 
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: module.alb.aws_secretsmanager_secret.cloudfront
	File: /modules/alb/main.tf:275-278
	Calling File: /alb.tf:27-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		275 | resource "aws_secretsmanager_secret" "cloudfront" {
		276 |   name        = "cloudfront-v1-secret-${var.application_name}"
		277 |   description = "Simple secret created by AWS CloudFormation to be shared between ALB and CloudFront"
		278 | }

Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
	FAILED for resource: module.alb.aws_acm_certificate.external_lb
	File: /modules/alb/main.tf:427-437
	Calling File: /alb.tf:27-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy

		427 | resource "aws_acm_certificate" "external_lb" {
		428 | 
		429 |   domain_name               = var.acm_cert_domain_name
		430 |   validation_method         = "DNS"
		431 |   subject_alternative_names = var.environment == "production" ? null : ["${var.application_name}.${var.business_unit}-${var.environment}.${var.acm_cert_domain_name}"]
		432 |   tags                      = var.tags
		433 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		434 |   lifecycle {
		435 |     prevent_destroy = false
		436 |   }
		437 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.alb.s3-bucket[0]
	File: /modules/alb/main.tf:96-151
	Calling File: /alb.tf:27-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket_lifecycle_configuration.report_lifecycle
	File: /modules/codebuild/main.tf:25-39
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-300

		25 | resource "aws_s3_bucket_lifecycle_configuration" "report_lifecycle" {
		26 |   bucket = aws_s3_bucket.deployment_report.id
		27 | 
		28 |   rule {
		29 |     id = "monthly-expiration"
		30 |     expiration {
		31 |       days = var.s3_lifecycle_expiration_days
		32 |     }
		33 |     noncurrent_version_expiration {
		34 |       noncurrent_days = var.s3_lifecycle_noncurr_version_expiration_days
		35 |     }
		36 | 
		37 |     status = "Enabled"
		38 |   }
		39 | }

Check: CKV_AWS_136: "Ensure that ECR repositories are encrypted using KMS"
	FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
	File: /modules/codebuild/main.tf:52-66
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ecr-repositories-are-encrypted

		52 | resource "aws_ecr_repository" "local-ecr" {
		53 |   name                 = "${var.app_name}-local-ecr"
		54 |   image_tag_mutability = "MUTABLE"
		55 | 
		56 |   image_scanning_configuration {
		57 |     scan_on_push = false
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     var.tags,
		62 |     {
		63 |       Name = "${var.app_name}-local-ecr"
		64 |     },
		65 |   )
		66 | }

Check: CKV_AWS_51: "Ensure ECR Image Tags are immutable"
	FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
	File: /modules/codebuild/main.tf:52-66
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-24

		52 | resource "aws_ecr_repository" "local-ecr" {
		53 |   name                 = "${var.app_name}-local-ecr"
		54 |   image_tag_mutability = "MUTABLE"
		55 | 
		56 |   image_scanning_configuration {
		57 |     scan_on_push = false
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     var.tags,
		62 |     {
		63 |       Name = "${var.app_name}-local-ecr"
		64 |     },
		65 |   )
		66 | }

Check: CKV_AWS_163: "Ensure ECR image scanning on push is enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
	File: /modules/codebuild/main.tf:52-66
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-8

		52 | resource "aws_ecr_repository" "local-ecr" {
		53 |   name                 = "${var.app_name}-local-ecr"
		54 |   image_tag_mutability = "MUTABLE"
		55 | 
		56 |   image_scanning_configuration {
		57 |     scan_on_push = false
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     var.tags,
		62 |     {
		63 |       Name = "${var.app_name}-local-ecr"
		64 |     },
		65 |   )
		66 | }

Check: CKV_AWS_314: "Ensure CodeBuild project environments have a logging configuration"
	FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.app-build
	File: /modules/codebuild/main.tf:163-229
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-314

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_316: "Ensure CodeBuild project environments do not have privileged mode enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.app-build
	File: /modules/codebuild/main.tf:163-229
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-316

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_314: "Ensure CodeBuild project environments have a logging configuration"
	FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.test-build
	File: /modules/codebuild/main.tf:231-280
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-314

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: module.apex-ecs.aws_launch_template.ec2-launch-template
	File: /modules/ecs/main.tf:107-164
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_341: "Ensure Launch template should not have a metadata response hop limit greater than 1"
	FAILED for resource: module.apex-ecs.aws_launch_template.ec2-launch-template
	File: /modules/ecs/main.tf:107-164
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-341

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
	File: /modules/ecs/main.tf:204-237
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
	File: /modules/ecs/main.tf:204-237
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
	File: /modules/ecs/main.tf:204-237
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_249: "Ensure that the Execution Role ARN and the Task Role ARN are different in ECS Task definitions"
	FAILED for resource: module.apex-ecs.aws_ecs_task_definition.windows_ecs_task_definition
	File: /modules/ecs/main.tf:266-287
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-the-aws-execution-role-arn-and-task-role-arn-are-different-in-ecs-task-definitions

		266 | resource "aws_ecs_task_definition" "windows_ecs_task_definition" {
		267 |   family             = "${var.app_name}-task-definition"
		268 |   count              = var.container_instance_type == "windows" ? 1 : 0
		269 |   execution_role_arn = aws_iam_role.ecs_task_execution_role.arn # grants the Amazon ECS container agents permission to make AWS API calls on your behalf
		270 |   task_role_arn      = aws_iam_role.ecs_task_execution_role.arn # assumed by the containers running in the task, allowing your application code (on the container) to use other AWS services
		271 |   requires_compatibilities = [
		272 |     "EC2",
		273 |   ]
		274 | 
		275 |   # volume {
		276 |   #   name = var.task_definition_volume
		277 |   # }
		278 | 
		279 |   container_definitions = var.task_definition
		280 | 
		281 |   tags = merge(
		282 |     var.tags_common,
		283 |     {
		284 |       Name = "${var.app_name}-windows-task-definition"
		285 |     }
		286 |   )
		287 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ecs_service
	File: /modules/ecs/main.tf:439-467
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		439 | resource "aws_iam_policy" "ecs_service" { #tfsec:ignore:aws-iam-no-policy-wildcards
		440 |   name = "${var.app_name}-ecs-service-policy"
		441 |   tags = merge(
		442 |     var.tags_common,
		443 |     {
		444 |       Name = "${var.app_name}-ecs-service-policy"
		445 |     }
		446 |   )
		447 |   policy = <<EOF
		448 | {
		449 |   "Version": "2012-10-17",
		450 |   "Statement": [
		451 |     {
		452 |       "Effect": "Allow",
		453 |       "Action": [
		454 |         "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		455 |         "elasticloadbalancing:DeregisterTargets",
		456 |         "elasticloadbalancing:Describe*",
		457 |         "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		458 |         "elasticloadbalancing:RegisterTargets",
		459 |         "ec2:Describe*",
		460 |         "ec2:AuthorizeSecurityGroupIngress"
		461 |       ],
		462 |       "Resource": ["*"]
		463 |     }
		464 |   ]
		465 | }
		466 | EOF
		467 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ecs_service
	File: /modules/ecs/main.tf:439-467
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		439 | resource "aws_iam_policy" "ecs_service" { #tfsec:ignore:aws-iam-no-policy-wildcards
		440 |   name = "${var.app_name}-ecs-service-policy"
		441 |   tags = merge(
		442 |     var.tags_common,
		443 |     {
		444 |       Name = "${var.app_name}-ecs-service-policy"
		445 |     }
		446 |   )
		447 |   policy = <<EOF
		448 | {
		449 |   "Version": "2012-10-17",
		450 |   "Statement": [
		451 |     {
		452 |       "Effect": "Allow",
		453 |       "Action": [
		454 |         "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		455 |         "elasticloadbalancing:DeregisterTargets",
		456 |         "elasticloadbalancing:Describe*",
		457 |         "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		458 |         "elasticloadbalancing:RegisterTargets",
		459 |         "ec2:Describe*",
		460 |         "ec2:AuthorizeSecurityGroupIngress"
		461 |       ],
		462 |       "Resource": ["*"]
		463 |     }
		464 |   ]
		465 | }
		466 | EOF
		467 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.apex-ecs.aws_cloudwatch_log_group.cloudwatch_group
	File: /modules/ecs/main.tf:488-499
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		488 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		489 |   #checkov:skip=CKV_AWS_158:Temporarily skip KMS encryption check while logging solution is being updated
		490 |   name              = "${var.app_name}-ecs-container-logs"
		491 |   retention_in_days = 90
		492 |   kms_key_id        = var.log_group_kms_key
		493 |   tags = merge(
		494 |     var.tags_common,
		495 |     {
		496 |       Name = "${var.app_name}-ecs-container-logs"
		497 |     }
		498 |   )
		499 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.apex-ecs.aws_cloudwatch_log_group.ec2
	File: /modules/ecs/main.tf:506-516
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		506 | resource "aws_cloudwatch_log_group" "ec2" {
		507 |   name              = "${var.app_name}-ecs-ec2-logs"
		508 |   retention_in_days = 90
		509 |   kms_key_id        = var.log_group_kms_key
		510 |   tags = merge(
		511 |     var.tags_common,
		512 |     {
		513 |       Name = "${var.app_name}-ecs-ec2-logs"
		514 |     }
		515 |   )
		516 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.apex
	File: /sns.tf:6-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		6  | resource "aws_sns_topic" "apex" {
		7  |   name = "${local.application_name}-${local.environment}-alerting-topic"
		8  |   tags = merge(
		9  |     local.tags,
		10 |     {
		11 |       Name = "${local.application_name}-${local.environment}-alerting-topic"
		12 |     }
		13 |   )
		14 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /sns.tf:34-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		34 | module "pagerduty_core_alerts" {
		35 |   depends_on = [
		36 |     aws_sns_topic.apex
		37 |   ]
		38 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		39 |   sns_topics                = [aws_sns_topic.apex.name]
		40 |   pagerduty_integration_key = local.pagerduty_integration_keys[local.pagerduty_integration_key_name]
		41 | }
Check: CKV_AWS_176: "Ensure Logging is enabled for WAF Web Access Control Lists"
	FAILED for resource: aws_waf_web_acl.waf_acl
	File: /waf.tf:59-89
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-31

		59 | resource "aws_waf_web_acl" "waf_acl" {
		60 |   depends_on = [
		61 |     aws_waf_rule.wafmanualallowrule,
		62 |     aws_waf_rule.wafmanualblockrule,
		63 |   ]
		64 |   name        = "${upper(local.application_name)} Whitelisting Requesters"
		65 |   metric_name = "${upper(local.application_name)}WhitelistingRequesters"
		66 |   #   scope    = "CLOUDFRONT"
		67 |   #   provider = aws.us-east-1
		68 |   default_action {
		69 |     type = "BLOCK"
		70 |   }
		71 | 
		72 |   rules {
		73 |     action {
		74 |       type = "ALLOW"
		75 |     }
		76 |     priority = 1
		77 |     rule_id  = aws_waf_rule.wafmanualallowrule.id
		78 |     type     = "REGULAR"
		79 |   }
		80 | 
		81 |   rules {
		82 |     action {
		83 |       type = "BLOCK"
		84 |     }
		85 |     priority = 2
		86 |     rule_id  = aws_waf_rule.wafmanualblockrule.id
		87 |     type     = "REGULAR"
		88 |   }
		89 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u01-orahome
	File: /ec2.tf:172-187
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		172 | resource "aws_ebs_volume" "u01-orahome" {
		173 |   availability_zone = "eu-west-2a"
		174 |   size              = local.application_data.accounts[local.environment].u01_orahome_size
		175 |   type              = "gp3"
		176 |   encrypted         = true
		177 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		178 |   snapshot_id       = local.application_data.accounts[local.environment].u01_orahome_snapshot
		179 |   lifecycle {
		180 |     ignore_changes = [kms_key_id]
		181 |   }
		182 |   tags = merge(
		183 |     local.tags,
		184 |     { "Name" = "${local.application_name}db-ec2-u01-orahome" },
		185 |     { "backup" = "false" }
		186 |   )
		187 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u02-oradata
	File: /ec2.tf:194-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		194 | resource "aws_ebs_volume" "u02-oradata" {
		195 |   availability_zone = "eu-west-2a"
		196 |   size              = local.application_data.accounts[local.environment].u02_oradata_size
		197 |   type              = "gp3"
		198 |   encrypted         = true
		199 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		200 |   snapshot_id       = local.application_data.accounts[local.environment].u02_oradata_snapshot
		201 |   lifecycle {
		202 |     ignore_changes = [kms_key_id]
		203 |   }
		204 |   tags = merge(
		205 |     local.tags,
		206 |     { "Name" = "${local.application_name}db-ec2-u02-oradata" },
		207 |     { "backup" = "false" }
		208 |   )
		209 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u03-redo
	File: /ec2.tf:219-234
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		219 | resource "aws_ebs_volume" "u03-redo" {
		220 |   availability_zone = "eu-west-2a"
		221 |   size              = local.application_data.accounts[local.environment].u03_redo_size
		222 |   type              = "gp3"
		223 |   encrypted         = true
		224 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		225 |   snapshot_id       = local.application_data.accounts[local.environment].u03_redo_snapshot
		226 |   lifecycle {
		227 |     ignore_changes = [kms_key_id]
		228 |   }
		229 |   tags = merge(
		230 |     local.tags,
		231 |     { "Name" = "${local.application_name}db-ec2-u03-redo" },
		232 |     { "backup" = "false" }
		233 |   )
		234 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u04-arch
	File: /ec2.tf:241-256
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		241 | resource "aws_ebs_volume" "u04-arch" {
		242 |   availability_zone = "eu-west-2a"
		243 |   size              = local.application_data.accounts[local.environment].u04_arch_size
		244 |   type              = "gp3"
		245 |   encrypted         = true
		246 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		247 |   snapshot_id       = local.application_data.accounts[local.environment].u04_arch_snapshot
		248 |   lifecycle {
		249 |     ignore_changes = [kms_key_id]
		250 |   }
		251 |   tags = merge(
		252 |     local.tags,
		253 |     { "Name" = "${local.application_name}db-ec2-u04-arch" },
		254 |     { "backup" = "false" }
		255 |   )
		256 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV_AWS_378: "Ensure AWS Load Balancer doesn't use HTTP protocol"
	FAILED for resource: module.alb.aws_lb_target_group.alb_target_group
	File: /modules/alb/main.tf:346-373

		346 | resource "aws_lb_target_group" "alb_target_group" {
		347 |   name                 = "${var.application_name}-alb-tg"
		348 |   port                 = var.target_group_port
		349 |   protocol             = var.target_group_protocol
		350 |   vpc_id               = var.vpc_id
		351 |   deregistration_delay = var.target_group_deregistration_delay
		352 |   health_check {
		353 |     interval            = var.healthcheck_interval
		354 |     path                = var.healthcheck_path
		355 |     protocol            = var.healthcheck_protocol
		356 |     timeout             = var.healthcheck_timeout
		357 |     healthy_threshold   = var.healthcheck_healthy_threshold
		358 |     unhealthy_threshold = var.healthcheck_unhealthy_threshold
		359 |   }
		360 |   stickiness {
		361 |     enabled         = var.stickiness_enabled
		362 |     type            = var.stickiness_type
		363 |     cookie_duration = var.stickiness_cookie_duration
		364 |   }
		365 | 
		366 |   tags = merge(
		367 |     var.tags,
		368 |     {
		369 |       Name = "${var.application_name}-alb-tg"
		370 |     },
		371 |   )
		372 | 
		373 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: module.alb.aws_secretsmanager_secret.cloudfront
	File: /modules/alb/main.tf:275-278
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		275 | resource "aws_secretsmanager_secret" "cloudfront" {
		276 |   name        = "cloudfront-v1-secret-${var.application_name}"
		277 |   description = "Simple secret created by AWS CloudFormation to be shared between ALB and CloudFront"
		278 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_47: "Ensure AWS CloudFront attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-47

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_32: "Ensure CloudFront distribution has a response headers policy attached"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-networking-65

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_18: "Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup"
	FAILED for resource: aws_efs_file_system.efs
	File: /efs.tf:41-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-elastic-file-system-amazon-efs-file-systems-are-added-in-the-backup-plans-of-aws-backup

		41 | resource "aws_efs_file_system" "efs" {
		42 |   encrypted        = true
		43 |   kms_key_id       = aws_kms_key.efs.arn
		44 |   performance_mode = "maxIO"
		45 |   throughput_mode  = "bursting"
		46 | 
		47 |   tags = merge(
		48 |     local.tags,
		49 |     { "Name" = "mp-${local.application_name}-efs" }
		50 |   )
		51 | 
		52 |   lifecycle_policy {
		53 |     transition_to_ia = "AFTER_90_DAYS"
		54 |   }
		55 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
	FAILED for resource: aws_s3_bucket_ownership_controls.backup_lambda
	File: /lambda.tf:130-135
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-112

		130 | resource "aws_s3_bucket_ownership_controls" "backup_lambda" {
		131 |   bucket = aws_s3_bucket.backup_lambda.id
		132 |   rule {
		133 |     object_ownership = "ObjectWriter"
		134 |   }
		135 | }

Check: CKV2_AWS_46: "Ensure AWS CloudFront Distribution with S3 have Origin Access set to enabled"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-aws-cloudfromt-distribution-with-s3-have-origin-access-set-to-enabled

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
terraform_plan scan results:

Passed checks: 0, Failed checks: 0, Skipped checks: 0, Parsing errors: 1


checkov_exitcode=1

*****************************

Running Checkov in terraform/environments/electronic-monitoring-data/modules/ap_airflow_load_data_iam_role
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
terraform scan results:

Passed checks: 26, Failed checks: 0, Skipped checks: 2


checkov_exitcode=1

CTFLint Scan Failed

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/apex
terraform/environments/electronic-monitoring-data/modules/ap_airflow_load_data_iam_role

*****************************

Running tflint in terraform/environments/apex
Excluding the following checks: terraform_unused_declarations
7 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/alb.tf line 17:
  17:     "${local.application_data.accounts[local.environment].acm_cert_domain_name}" = {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/alb.tf line 19:
  19:       zone_name = "${local.application_data.accounts[local.environment].acm_cert_domain_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "template" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/cloudwatch.tf line 401:
 401: data "template_file" "dashboard" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "local" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/ec2.tf line 45:
  45: data "local_file" "cloudwatch_agent" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/event_triggers.tf line 22:
  22:   input = jsonencode({ "appname" : "${local.database_ec2_name}" })

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "time" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/lambda.tf line 125:
 125: resource "time_sleep" "wait_for_provision_files" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/lambda.tf line 179:
 179: data "archive_file" "connect_db" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2

*****************************

Running tflint in terraform/environments/electronic-monitoring-data/modules/ap_airflow_load_data_iam_role
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=2

Trivy Scan Failed

Show Output
*****************************

Trivy will check the following folders:
terraform/environments/apex
terraform/environments/electronic-monitoring-data/modules/ap_airflow_load_data_iam_role

*****************************

Running Trivy in terraform/environments/apex
2024-12-13T10:47:15Z	INFO	[vulndb] Need to update DB
2024-12-13T10:47:15Z	INFO	[vulndb] Downloading vulnerability DB...
2024-12-13T10:47:15Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-13T10:47:17Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-13T10:47:17Z	INFO	[vuln] Vulnerability scanning is enabled
2024-12-13T10:47:17Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-12-13T10:47:17Z	INFO	[misconfig] Need to update the built-in checks
2024-12-13T10:47:17Z	INFO	[misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2024-12-13T10:47:17Z	INFO	[secret] Secret scanning is enabled
2024-12-13T10:47:17Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-13T10:47:17Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-13T10:47:18Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-12-13T10:47:18Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-12-13T10:47:18Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="aws_waf_ipset.wafmanualallowset" err="1 error occurred:\n\t* invalid for-each in aws_waf_ipset.wafmanualallowset.dynamic.ip_set_descriptors block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-13T10:47:18Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="aws_waf_ipset.wafmanualallowset" err="1 error occurred:\n\t* invalid for-each in aws_waf_ipset.wafmanualallowset.dynamic.ip_set_descriptors block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-13T10:47:19Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.aws_route53_record.external_lb_validation_core_network_services" value="cty.NilVal"
2024-12-13T10:47:19Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.aws_route53_record.external_lb_validation_core_vpc" value="cty.NilVal"
2024-12-13T10:47:19Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.aws_route53_record.external_lb_validation_self" value="cty.NilVal"
2024-12-13T10:47:19Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.data.aws_route53_zone.core_network_services" value="cty.NilVal"
2024-12-13T10:47:19Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.data.aws_route53_zone.core_vpc" value="cty.NilVal"
2024-12-13T10:47:19Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.data.aws_route53_zone.self" value="cty.NilVal"
2024-12-13T10:47:19Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.apex-ecs.aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-13T10:47:19Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.apex-ecs.aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-13T10:47:19Z	INFO	[terraform scanner] Scanning root module	file_path="modules/lambdapolicy"
2024-12-13T10:47:19Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="tags"
2024-12-13T10:47:19Z	INFO	[terraform scanner] Scanning root module	file_path="modules/s3"
2024-12-13T10:47:19Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="tags"
2024-12-13T10:47:20Z	INFO	[terraform executor] Ignore finding	rule="aws-elb-alb-not-public" range="modules/alb/main.tf:214"
2024-12-13T10:47:20Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-12-13T10:47:21Z	INFO	Number of language-specific files	num=0
2024-12-13T10:47:21Z	INFO	Detected config files	num=12

cloudfront.tf (terraform)
=========================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0013 (HIGH): Distribution allows unencrypted communications.
════════════════════════════════════════
You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.
Note: that setting *minimum_protocol_version = "TLSv1.2_2021"* is only possible when *cloudfront_default_certificate* is false (eg. you are not using the cloudfront.net domain name).
If *cloudfront_default_certificate* is true then the Cloudfront API will only allow setting *minimum_protocol_version = "TLSv1"*, and setting it to any other value will result in a perpetual diff in your *terraform plan*'s.
The only option when using the cloudfront.net domain name is to ignore this rule.


See https://avd.aquasec.com/misconfig/avd-aws-0013
────────────────────────────────────────
 cloudfront.tf:244
   via cloudfront.tf:241-245 (viewer_certificate)
    via cloudfront.tf:177-267 (aws_cloudfront_distribution.external)
────────────────────────────────────────
 177   resource "aws_cloudfront_distribution" "external" {
 ...   
 244 [     minimum_protocol_version = "TLSv1.2_2018"
 ...   
 267   }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 cloudfront.tf:131-142
────────────────────────────────────────
 131resource "aws_s3_bucket_server_side_encryption_configuration" "cloudfront" {
 132 │   bucket = aws_s3_bucket.cloudfront.id
 133 │   rule {
 134 │     apply_server_side_encryption_by_default {
 135 │       sse_algorithm = "AES256"
 136 │     }
 137 │   }
 138# TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
 139 └   lifecycle {
 ...   
────────────────────────────────────────



ec2.tf (terraform)
==================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 ec2.tf:6-43
────────────────────────────────────────
   6 ┌ resource "aws_instance" "apex_db_instance" {
   7 │   ami                         = local.application_data.accounts[local.environment].ec2amiid
   8 │   associate_public_ip_address = false
   9 │   availability_zone           = "eu-west-2a"
  10 │   ebs_optimized               = true
  11 │   instance_type               = local.application_data.accounts[local.environment].ec2instancetype
  12 │   vpc_security_group_ids      = [aws_security_group.database.id]
  13 │   monitoring                  = true
  14 └   subnet_id                   = data.aws_subnet.data_subnets_a.id
  ..   
────────────────────────────────────────



lambda.tf (terraform)
=====================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.


See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 lambda.tf:107-113
────────────────────────────────────────
 107 ┌ resource "aws_s3_bucket" "backup_lambda" {
 108 │   bucket = "${local.application_name}-${local.environment}-backup-lambda"
 109 │   tags = merge(
 110 │     local.tags,
 111 │     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
 112 │   )
 113 └ }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 lambda.tf:107-113
────────────────────────────────────────
 107 ┌ resource "aws_s3_bucket" "backup_lambda" {
 108 │   bucket = "${local.application_name}-${local.environment}-backup-lambda"
 109 │   tags = merge(
 110 │     local.tags,
 111 │     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
 112 │   )
 113 └ }
────────────────────────────────────────



modules/ecs/main.tf (terraform)
===============================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0130 (HIGH): Launch template does not require IMDS access to require a token
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enforce-http-token-imds
────────────────────────────────────────
 modules/ecs/main.tf:121
   via modules/ecs/main.tf:119-123 (metadata_options)
    via modules/ecs/main.tf:107-164 (aws_launch_template.ec2-launch-template)
     via ecs.tf:5-38 (module.apex-ecs)
────────────────────────────────────────
 107   resource "aws_launch_template" "ec2-launch-template" {
 ...   
 121 [     http_tokens                 = "optional"
 ...   
 164   }
────────────────────────────────────────



modules/s3/main.tf (terraform)
==============================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.


See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 modules/s3/main.tf:1-4
────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
   2 │   bucket = var.bucket_name
   3 │   tags   = var.tags
   4 └ }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3/main.tf:1-4
────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
   2 │   bucket = var.bucket_name
   3 │   tags   = var.tags
   4 └ }
────────────────────────────────────────


trivy_exitcode=1

*****************************

Running Trivy in terraform/environments/electronic-monitoring-data/modules/ap_airflow_load_data_iam_role
2024-12-13T10:47:21Z	INFO	[vuln] Vulnerability scanning is enabled
2024-12-13T10:47:21Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-12-13T10:47:21Z	INFO	[secret] Secret scanning is enabled
2024-12-13T10:47:21Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-13T10:47:21Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-13T10:47:22Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-12-13T10:47:22Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="athena_dump_bucket, cadt_bucket, database_name, environment, name, oidc_arn, secret_code, source_data_bucket"
2024-12-13T10:47:22Z	INFO	Number of language-specific files	num=0
2024-12-13T10:47:22Z	INFO	Detected config files	num=1
trivy_exitcode=1

@vc13837 vc13837 merged commit 117587d into main Dec 13, 2024
15 of 16 checks passed
@vc13837 vc13837 deleted the TM-770 branch December 13, 2024 11:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
environments-repository Used to exclude PRs from this repo in our Slack PR update
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants