Description
checkov -d .
[ secrets framework ]: 100%|████████████████████|[16/16], Current File Scanned=./modules/ses/variables.tf
[ terraform framework ]: 100%|████████████████████|[16/16], Current File Scanned=vpc.tf
By Prisma Cloud | version: 3.2.470
Update available 3.2.470 -> 3.2.504
Run pip3 install -U checkov to update
terraform scan results:
Passed checks: 40, Failed checks: 21, Skipped checks: 0
Check: CKV_AWS_234: "Verify logging preference for ACM certificates"
PASSED for resource: aws_acm_certificate.wildcard_api
File: /certificates.tf:2-15
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-acm-certificates-has-logging-preference
Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
PASSED for resource: aws_acm_certificate.wildcard_api
File: /certificates.tf:2-15
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy
Check: CKV_AWS_88: "EC2 instance should not have public IP."
PASSED for resource: aws_instance.database["development"]
File: /ec2-databases.tf:26-49
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/public-policies/public-12
Check: CKV_AWS_46: "Ensure no hard-coded secrets exist in EC2 user data"
PASSED for resource: aws_instance.database["development"]
File: /ec2-databases.tf:26-49
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/secrets-policies/bc-aws-secrets-1
Check: CKV_AWS_274: "Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy"
PASSED for resource: aws_iam_role.ssm_instance_role
File: /iam.tf:1-19
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-274
Check: CKV_AWS_61: "Ensure AWS IAM policy does not allow assume role permission across all services"
PASSED for resource: aws_iam_role.ssm_instance_role
File: /iam.tf:1-19
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-iam-45
Check: CKV_AWS_60: "Ensure IAM role allows only specific services or principals to assume it"
PASSED for resource: aws_iam_role.ssm_instance_role
File: /iam.tf:1-19
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-iam-44
Check: CKV_AWS_274: "Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy"
PASSED for resource: aws_iam_role_policy_attachment.ssm_instance_role_policy_attachment
File: /iam.tf:21-24
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-274
Check: CKV_AWS_274: "Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy"
PASSED for resource: aws_iam_role_policy_attachment.ssm_instance_cloudwatch_policy
File: /iam.tf:27-30
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-274
Check: CKV_AWS_41: "Ensure no hard coded AWS access key and secret key exists in provider"
PASSED for resource: aws.default
File: /main.tf:17-19
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/secrets-policies/bc-aws-secrets-5
Check: CKV2_AWS_70: "Ensure API gateway method has authorization or API key set"
PASSED for resource: module.abnmo_svm_backend["development"].aws_api_gateway_method.proxy
File: /modules/backend/api-gateway.tf:19-24
Calling File: /main.tf:95-106
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-2-70
Check: CKV2_AWS_70: "Ensure API gateway method has authorization or API key set"
PASSED for resource: module.abnmo_svm_backend["development"].aws_api_gateway_method.proxy_root
File: /modules/backend/api-gateway.tf:27-32
Calling File: /main.tf:95-106
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-2-70
Check: CKV_AWS_364: "Ensure that AWS Lambda function permissions delegated to AWS services are limited by SourceArn or SourceAccount"
PASSED for resource: module.abnmo_svm_backend["development"].aws_lambda_permission.api_gw
File: /modules/backend/api-gateway.tf:57-63
Calling File: /main.tf:95-106
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-364
Check: CKV_AWS_301: "Ensure that AWS Lambda function is not publicly accessible"
PASSED for resource: module.abnmo_svm_backend["development"].aws_lambda_permission.api_gw
File: /modules/backend/api-gateway.tf:57-63
Calling File: /main.tf:95-106
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-301
Check: CKV_AWS_217: "Ensure Create before destroy for API deployments"
PASSED for resource: module.abnmo_svm_backend["development"].aws_api_gateway_deployment.this
File: /modules/backend/api-gateway.tf:66-90
Calling File: /main.tf:95-106
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-api-deployments-enable-create-before-destroy
Check: CKV_AWS_59: "Ensure there is no open access to back-end resources through API"
PASSED for resource: module.abnmo_svm_backend["development"].aws_api_gateway_method.options_proxy
File: /modules/backend/api-gateway.tf:127-132
Calling File: /main.tf:95-106
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/public-policies/public-6-api-gateway-authorizer-set
Check: CKV_AWS_59: "Ensure there is no open access to back-end resources through API"
PASSED for resource: module.abnmo_svm_backend["development"].aws_api_gateway_method.options_root
File: /modules/backend/api-gateway.tf:135-140
Calling File: /main.tf:95-106
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/public-policies/public-6-api-gateway-authorizer-set
Check: CKV_AWS_274: "Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy"
PASSED for resource: module.abnmo_svm_backend["development"].aws_iam_role.lambda_exec_role
File: /modules/backend/iam.tf:1-15
Calling File: /main.tf:95-106
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-274
Check: CKV_AWS_61: "Ensure AWS IAM policy does not allow assume role permission across all services"
PASSED for resource: module.abnmo_svm_backend["development"].aws_iam_role.lambda_exec_role
File: /modules/backend/iam.tf:1-15
Calling File: /main.tf:95-106
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-iam-45
Check: CKV_AWS_60: "Ensure IAM role allows only specific services or principals to assume it"
PASSED for resource: module.abnmo_svm_backend["development"].aws_iam_role.lambda_exec_role
File: /modules/backend/iam.tf:1-15
Calling File: /main.tf:95-106
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-iam-44
Check: CKV_AWS_274: "Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy"
PASSED for resource: module.abnmo_svm_backend["development"].aws_iam_role_policy_attachment.lambda_basic_execution
File: /modules/backend/iam.tf:17-20
Calling File: /main.tf:95-106
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-274
Check: CKV_AWS_274: "Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy"
PASSED for resource: module.abnmo_svm_backend["development"].aws_iam_role.abnmo_svm_github_oidc_lambda_deploy
File: /modules/backend/iam.tf:23-44
Calling File: /main.tf:95-106
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-274
Check: CKV_AWS_61: "Ensure AWS IAM policy does not allow assume role permission across all services"
PASSED for resource: module.abnmo_svm_backend["development"].aws_iam_role.abnmo_svm_github_oidc_lambda_deploy
File: /modules/backend/iam.tf:23-44
Calling File: /main.tf:95-106
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-iam-45
Check: CKV_AWS_60: "Ensure IAM role allows only specific services or principals to assume it"
PASSED for resource: module.abnmo_svm_backend["development"].aws_iam_role.abnmo_svm_github_oidc_lambda_deploy
File: /modules/backend/iam.tf:23-44
Calling File: /main.tf:95-106
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-iam-44
Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
PASSED for resource: module.abnmo_svm_backend["development"].aws_iam_policy.lambda_deploy_policy
File: /modules/backend/iam.tf:46-63
Calling File: /main.tf:95-106
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
PASSED for resource: module.abnmo_svm_backend["development"].aws_iam_policy.lambda_deploy_policy
File: /modules/backend/iam.tf:46-63
Calling File: /main.tf:95-106
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290
Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
PASSED for resource: module.abnmo_svm_backend["development"].aws_iam_policy.lambda_deploy_policy
File: /modules/backend/iam.tf:46-63
Calling File: /main.tf:95-106
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287
Check: CKV_AWS_63: "Ensure no IAM policies documents allow "*" as a statement's actions"
PASSED for resource: module.abnmo_svm_backend["development"].aws_iam_policy.lambda_deploy_policy
File: /modules/backend/iam.tf:46-63
Calling File: /main.tf:95-106
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/iam-48
Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
PASSED for resource: module.abnmo_svm_backend["development"].aws_iam_policy.lambda_deploy_policy
File: /modules/backend/iam.tf:46-63
Calling File: /main.tf:95-106
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289
Check: CKV_AWS_62: "Ensure IAM policies that allow full "*-*" administrative privileges are not created"
PASSED for resource: module.abnmo_svm_backend["development"].aws_iam_policy.lambda_deploy_policy
File: /modules/backend/iam.tf:46-63
Calling File: /main.tf:95-106
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-iam-45
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
PASSED for resource: module.abnmo_svm_backend["development"].aws_iam_policy.lambda_deploy_policy
File: /modules/backend/iam.tf:46-63
Calling File: /main.tf:95-106
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355
Check: CKV_AWS_286: "Ensure IAM policies does not allow privilege escalation"
PASSED for resource: module.abnmo_svm_backend["development"].aws_iam_policy.lambda_deploy_policy
File: /modules/backend/iam.tf:46-63
Calling File: /main.tf:95-106
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-286
Check: CKV_AWS_274: "Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy"
PASSED for resource: module.abnmo_svm_backend["development"].aws_iam_role_policy_attachment.attach_deploy_policy
File: /modules/backend/iam.tf:65-68
Calling File: /main.tf:95-106
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-274
Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
PASSED for resource: module.abnmo_svm_backend["development"].aws_lambda_function.this
File: /modules/backend/lambda.tf:1-21
Calling File: /main.tf:95-106
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1
Check: CKV_AWS_363: "Ensure Lambda Runtime is not deprecated"
PASSED for resource: module.abnmo_svm_backend["development"].aws_lambda_function.this
File: /modules/backend/lambda.tf:1-21
Calling File: /main.tf:95-106
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-363
Check: CKV_AWS_45: "Ensure no hard-coded secrets exist in lambda environment"
PASSED for resource: module.abnmo_svm_backend["development"].aws_lambda_function.this
File: /modules/backend/lambda.tf:1-21
Calling File: /main.tf:95-106
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/secrets-policies/bc-aws-secrets-3
Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
PASSED for resource: aws_security_group.database_sg
File: /security-groups.tf:2-34
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80
Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
PASSED for resource: aws_security_group.database_sg
File: /security-groups.tf:2-34
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security
Check: CKV_AWS_277: "Ensure no security groups allow ingress from 0.0.0.0:0 to port -1"
PASSED for resource: aws_security_group.database_sg
File: /security-groups.tf:2-34
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-group-does-not-allow-all-traffic-on-all-ports
Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
PASSED for resource: aws_security_group.database_sg
File: /security-groups.tf:2-34
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-2
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.database["development"]
File: /ec2-databases.tf:26-49
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31
26 | resource "aws_instance" "database" {
27 | for_each = var.database_environments
28 |
29 | ami = "ami-0c614dee691cbbf37" # Amazon Linux 2
30 | instance_type = "t2.micro"
31 | vpc_security_group_ids = [aws_security_group.database_sg.id]
32 | subnet_id = local.database_configs[each.key].subnet_id
33 | iam_instance_profile = aws_iam_instance_profile.ssm_instance_profile.name
34 |
35 | user_data = base64encode(templatefile("${path.module}/scripts/init-database.sh", {
36 | db_name = local.database_configs[each.key].db_name
37 | db_user = local.database_configs[each.key].db_user
38 | db_password = local.database_configs[each.key].db_password
39 | db_admin_user = var.db_admin_user
40 | db_admin_password = var.db_admin_password
41 | root_password = var.mysql_root_password
42 | }))
43 |
44 | tags = {
45 | Name = "${var.project_name}-database-${each.key}"
46 | Environment = each.key
47 | Projeto = var.project_name
48 | }
49 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.database["development"]
File: /ec2-databases.tf:26-49
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances
26 | resource "aws_instance" "database" {
27 | for_each = var.database_environments
28 |
29 | ami = "ami-0c614dee691cbbf37" # Amazon Linux 2
30 | instance_type = "t2.micro"
31 | vpc_security_group_ids = [aws_security_group.database_sg.id]
32 | subnet_id = local.database_configs[each.key].subnet_id
33 | iam_instance_profile = aws_iam_instance_profile.ssm_instance_profile.name
34 |
35 | user_data = base64encode(templatefile("${path.module}/scripts/init-database.sh", {
36 | db_name = local.database_configs[each.key].db_name
37 | db_user = local.database_configs[each.key].db_user
38 | db_password = local.database_configs[each.key].db_password
39 | db_admin_user = var.db_admin_user
40 | db_admin_password = var.db_admin_password
41 | root_password = var.mysql_root_password
42 | }))
43 |
44 | tags = {
45 | Name = "${var.project_name}-database-${each.key}"
46 | Environment = each.key
47 | Projeto = var.project_name
48 | }
49 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.database["development"]
File: /ec2-databases.tf:26-49
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized
26 | resource "aws_instance" "database" {
27 | for_each = var.database_environments
28 |
29 | ami = "ami-0c614dee691cbbf37" # Amazon Linux 2
30 | instance_type = "t2.micro"
31 | vpc_security_group_ids = [aws_security_group.database_sg.id]
32 | subnet_id = local.database_configs[each.key].subnet_id
33 | iam_instance_profile = aws_iam_instance_profile.ssm_instance_profile.name
34 |
35 | user_data = base64encode(templatefile("${path.module}/scripts/init-database.sh", {
36 | db_name = local.database_configs[each.key].db_name
37 | db_user = local.database_configs[each.key].db_user
38 | db_password = local.database_configs[each.key].db_password
39 | db_admin_user = var.db_admin_user
40 | db_admin_password = var.db_admin_password
41 | root_password = var.mysql_root_password
42 | }))
43 |
44 | tags = {
45 | Name = "${var.project_name}-database-${each.key}"
46 | Environment = each.key
47 | Projeto = var.project_name
48 | }
49 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.database["development"]
File: /ec2-databases.tf:26-49
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-13
26 | resource "aws_instance" "database" {
27 | for_each = var.database_environments
28 |
29 | ami = "ami-0c614dee691cbbf37" # Amazon Linux 2
30 | instance_type = "t2.micro"
31 | vpc_security_group_ids = [aws_security_group.database_sg.id]
32 | subnet_id = local.database_configs[each.key].subnet_id
33 | iam_instance_profile = aws_iam_instance_profile.ssm_instance_profile.name
34 |
35 | user_data = base64encode(templatefile("${path.module}/scripts/init-database.sh", {
36 | db_name = local.database_configs[each.key].db_name
37 | db_user = local.database_configs[each.key].db_user
38 | db_password = local.database_configs[each.key].db_password
39 | db_admin_user = var.db_admin_user
40 | db_admin_password = var.db_admin_password
41 | root_password = var.mysql_root_password
42 | }))
43 |
44 | tags = {
45 | Name = "${var.project_name}-database-${each.key}"
46 | Environment = each.key
47 | Projeto = var.project_name
48 | }
49 | }
Check: CKV_AWS_237: "Ensure Create before destroy for API Gateway"
FAILED for resource: module.abnmo_svm_backend["development"].aws_api_gateway_rest_api.this
File: /modules/backend/api-gateway.tf:2-9
Calling File: /main.tf:95-106
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-api-gateway-enables-create-before-destroy
2 | resource "aws_api_gateway_rest_api" "this" {
3 | name = "${var.project_name}-${var.environment}-api"
4 | description = "API Gateway for ${var.project_name}-${var.environment}"
5 |
6 | endpoint_configuration {
7 | types = ["REGIONAL"]
8 | }
9 | }
Check: CKV_AWS_59: "Ensure there is no open access to back-end resources through API"
FAILED for resource: module.abnmo_svm_backend["development"].aws_api_gateway_method.proxy
File: /modules/backend/api-gateway.tf:19-24
Calling File: /main.tf:95-106
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/public-policies/public-6-api-gateway-authorizer-set
19 | resource "aws_api_gateway_method" "proxy" {
20 | rest_api_id = aws_api_gateway_rest_api.this.id
21 | resource_id = aws_api_gateway_resource.proxy.id
22 | http_method = "ANY"
23 | authorization = "NONE"
24 | }
Check: CKV_AWS_59: "Ensure there is no open access to back-end resources through API"
FAILED for resource: module.abnmo_svm_backend["development"].aws_api_gateway_method.proxy_root
File: /modules/backend/api-gateway.tf:27-32
Calling File: /main.tf:95-106
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/public-policies/public-6-api-gateway-authorizer-set
27 | resource "aws_api_gateway_method" "proxy_root" {
28 | rest_api_id = aws_api_gateway_rest_api.this.id
29 | resource_id = aws_api_gateway_rest_api.this.root_resource_id
30 | http_method = "ANY"
31 | authorization = "NONE"
32 | }
Check: CKV_AWS_120: "Ensure API Gateway caching is enabled"
FAILED for resource: module.abnmo_svm_backend["development"].aws_api_gateway_stage.this
File: /modules/backend/api-gateway.tf:93-97
Calling File: /main.tf:95-106
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-api-gateway-caching-is-enabled
93 | resource "aws_api_gateway_stage" "this" {
94 | deployment_id = aws_api_gateway_deployment.this.id
95 | rest_api_id = aws_api_gateway_rest_api.this.id
96 | stage_name = var.environment
97 | }
Check: CKV_AWS_73: "Ensure API Gateway has X-Ray Tracing enabled"
FAILED for resource: module.abnmo_svm_backend["development"].aws_api_gateway_stage.this
File: /modules/backend/api-gateway.tf:93-97
Calling File: /main.tf:95-106
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-15
93 | resource "aws_api_gateway_stage" "this" {
94 | deployment_id = aws_api_gateway_deployment.this.id
95 | rest_api_id = aws_api_gateway_rest_api.this.id
96 | stage_name = var.environment
97 | }
Check: CKV_AWS_76: "Ensure API Gateway has Access Logging enabled"
FAILED for resource: module.abnmo_svm_backend["development"].aws_api_gateway_stage.this
File: /modules/backend/api-gateway.tf:93-97
Calling File: /main.tf:95-106
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-17
93 | resource "aws_api_gateway_stage" "this" {
94 | deployment_id = aws_api_gateway_deployment.this.id
95 | rest_api_id = aws_api_gateway_rest_api.this.id
96 | stage_name = var.environment
97 | }
Check: CKV_AWS_206: "Ensure API Gateway Domain uses a modern security Policy"
FAILED for resource: module.abnmo_svm_backend["development"].aws_api_gateway_domain_name.api[0]
File: /modules/backend/api-gateway.tf:100-114
Calling File: /main.tf:95-106
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-api-gateway-domain-uses-a-modern-security-policy
100 | resource "aws_api_gateway_domain_name" "api" {
101 | count = var.custom_domain_name != null ? 1 : 0
102 |
103 | domain_name = var.custom_domain_name
104 | regional_certificate_arn = var.certificate_arn
105 |
106 | endpoint_configuration {
107 | types = ["REGIONAL"]
108 | }
109 |
110 | tags = {
111 | Name = "${var.project_name}-${var.environment}-api-domain"
112 | Environment = var.environment
113 | }
114 | }
Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
FAILED for resource: module.abnmo_svm_backend["development"].aws_lambda_function.this
File: /modules/backend/lambda.tf:1-21
Calling File: /main.tf:95-106
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4
1 | resource "aws_lambda_function" "this" {
2 | function_name = "${var.project_name}-lambda-${var.environment}"
3 | role = aws_iam_role.lambda_exec_role.arn
4 | handler = var.lambda_handler
5 | runtime = var.lambda_runtime
6 | filename = "${path.module}/placeholder.zip"
7 | source_code_hash = filebase64sha256("${path.module}/placeholder.zip")
8 | timeout = var.timeout
9 |
10 | environment {
11 | variables = var.environment_variables
12 | }
13 |
14 | dynamic "vpc_config" {
15 | for_each = length(var.private_subnet_ids) > 0 && length(var.security_group_ids) > 0 ? [1] : []
16 | content {
17 | subnet_ids = var.private_subnet_ids
18 | security_group_ids = var.security_group_ids
19 | }
20 | }
21 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: module.abnmo_svm_backend["development"].aws_lambda_function.this
File: /modules/backend/lambda.tf:1-21
Calling File: /main.tf:95-106
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq
1 | resource "aws_lambda_function" "this" {
2 | function_name = "${var.project_name}-lambda-${var.environment}"
3 | role = aws_iam_role.lambda_exec_role.arn
4 | handler = var.lambda_handler
5 | runtime = var.lambda_runtime
6 | filename = "${path.module}/placeholder.zip"
7 | source_code_hash = filebase64sha256("${path.module}/placeholder.zip")
8 | timeout = var.timeout
9 |
10 | environment {
11 | variables = var.environment_variables
12 | }
13 |
14 | dynamic "vpc_config" {
15 | for_each = length(var.private_subnet_ids) > 0 && length(var.security_group_ids) > 0 ? [1] : []
16 | content {
17 | subnet_ids = var.private_subnet_ids
18 | security_group_ids = var.security_group_ids
19 | }
20 | }
21 | }
Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
FAILED for resource: module.abnmo_svm_backend["development"].aws_lambda_function.this
File: /modules/backend/lambda.tf:1-21
Calling File: /main.tf:95-106
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5
1 | resource "aws_lambda_function" "this" {
2 | function_name = "${var.project_name}-lambda-${var.environment}"
3 | role = aws_iam_role.lambda_exec_role.arn
4 | handler = var.lambda_handler
5 | runtime = var.lambda_runtime
6 | filename = "${path.module}/placeholder.zip"
7 | source_code_hash = filebase64sha256("${path.module}/placeholder.zip")
8 | timeout = var.timeout
9 |
10 | environment {
11 | variables = var.environment_variables
12 | }
13 |
14 | dynamic "vpc_config" {
15 | for_each = length(var.private_subnet_ids) > 0 && length(var.security_group_ids) > 0 ? [1] : []
16 | content {
17 | subnet_ids = var.private_subnet_ids
18 | security_group_ids = var.security_group_ids
19 | }
20 | }
21 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: module.abnmo_svm_backend["development"].aws_lambda_function.this
File: /modules/backend/lambda.tf:1-21
Calling File: /main.tf:95-106
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272
1 | resource "aws_lambda_function" "this" {
2 | function_name = "${var.project_name}-lambda-${var.environment}"
3 | role = aws_iam_role.lambda_exec_role.arn
4 | handler = var.lambda_handler
5 | runtime = var.lambda_runtime
6 | filename = "${path.module}/placeholder.zip"
7 | source_code_hash = filebase64sha256("${path.module}/placeholder.zip")
8 | timeout = var.timeout
9 |
10 | environment {
11 | variables = var.environment_variables
12 | }
13 |
14 | dynamic "vpc_config" {
15 | for_each = length(var.private_subnet_ids) > 0 && length(var.security_group_ids) > 0 ? [1] : []
16 | content {
17 | subnet_ids = var.private_subnet_ids
18 | security_group_ids = var.security_group_ids
19 | }
20 | }
21 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: module.abnmo_svm_backend["development"].aws_lambda_function.this
File: /modules/backend/lambda.tf:1-21
Calling File: /main.tf:95-106
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit
1 | resource "aws_lambda_function" "this" {
2 | function_name = "${var.project_name}-lambda-${var.environment}"
3 | role = aws_iam_role.lambda_exec_role.arn
4 | handler = var.lambda_handler
5 | runtime = var.lambda_runtime
6 | filename = "${path.module}/placeholder.zip"
7 | source_code_hash = filebase64sha256("${path.module}/placeholder.zip")
8 | timeout = var.timeout
9 |
10 | environment {
11 | variables = var.environment_variables
12 | }
13 |
14 | dynamic "vpc_config" {
15 | for_each = length(var.private_subnet_ids) > 0 && length(var.security_group_ids) > 0 ? [1] : []
16 | content {
17 | subnet_ids = var.private_subnet_ids
18 | security_group_ids = var.security_group_ids
19 | }
20 | }
21 | }
Check: CKV_AWS_258: "Ensure that Lambda function URLs AuthType is not None"
FAILED for resource: module.abnmo_svm_backend["development"].aws_lambda_function_url.this
File: /modules/backend/lambda.tf:23-35
Calling File: /main.tf:95-106
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-authtype-for-your-lambda-function-urls-is-defined
23 | resource "aws_lambda_function_url" "this" {
24 | function_name = aws_lambda_function.this.function_name
25 | authorization_type = var.authorization_type
26 |
27 | cors {
28 | allow_credentials = var.cors_allow_credentials
29 | allow_headers = var.cors_allow_headers
30 | allow_methods = var.cors_allow_methods
31 | allow_origins = var.cors_allow_origins
32 | expose_headers = var.cors_expose_headers
33 | max_age = var.cors_max_age
34 | }
35 | }
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
FAILED for resource: aws_security_group.database_sg
File: /security-groups.tf:2-34
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31
2 | resource "aws_security_group" "database_sg" {
3 | name = "${var.project_name}-database-sg"
4 | description = "Security group for database instances"
5 | vpc_id = aws_vpc.abnmo_svm_vpc.id
6 |
7 | # MySQL access
8 | ingress {
9 | from_port = 3306
10 | to_port = 3306
11 | protocol = "tcp"
12 | cidr_blocks = ["0.0.0.0/0"]
13 | }
14 |
15 | # HTTPS for SSM
16 | ingress {
17 | from_port = 443
18 | to_port = 443
19 | protocol = "tcp"
20 | cidr_blocks = ["0.0.0.0/0"]
21 | }
22 |
23 | # All outbound traffic
24 | egress {
25 | from_port = 0
26 | to_port = 0
27 | protocol = "-1"
28 | cidr_blocks = ["0.0.0.0/0"]
29 | }
30 |
31 | tags = {
32 | Name = "${var.project_name}-database-sg"
33 | }
34 | }
Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
FAILED for resource: aws_security_group.database_sg
File: /security-groups.tf:2-34
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-382
2 | resource "aws_security_group" "database_sg" {
3 | name = "${var.project_name}-database-sg"
4 | description = "Security group for database instances"
5 | vpc_id = aws_vpc.abnmo_svm_vpc.id
6 |
7 | # MySQL access
8 | ingress {
9 | from_port = 3306
10 | to_port = 3306
11 | protocol = "tcp"
12 | cidr_blocks = ["0.0.0.0/0"]
13 | }
14 |
15 | # HTTPS for SSM
16 | ingress {
17 | from_port = 443
18 | to_port = 443
19 | protocol = "tcp"
20 | cidr_blocks = ["0.0.0.0/0"]
21 | }
22 |
23 | # All outbound traffic
24 | egress {
25 | from_port = 0
26 | to_port = 0
27 | protocol = "-1"
28 | cidr_blocks = ["0.0.0.0/0"]
29 | }
30 |
31 | tags = {
32 | Name = "${var.project_name}-database-sg"
33 | }
34 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.public_subnet_a
File: /vpc.tf:24-34
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default
24 | resource "aws_subnet" "public_subnet_a" {
25 | vpc_id = aws_vpc.abnmo_svm_vpc.id
26 | cidr_block = "10.0.1.0/24"
27 | availability_zone = "us-east-1a"
28 | map_public_ip_on_launch = true
29 |
30 | tags = {
31 | Name = "${var.project_name}-public-subnet-a"
32 | Type = "public"
33 | }
34 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.public_subnet_b
File: /vpc.tf:36-46
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default
36 | resource "aws_subnet" "public_subnet_b" {
37 | vpc_id = aws_vpc.abnmo_svm_vpc.id
38 | cidr_block = "10.0.2.0/24"
39 | availability_zone = "us-east-1b"
40 | map_public_ip_on_launch = true
41 |
42 | tags = {
43 | Name = "${var.project_name}-public-subnet-b"
44 | Type = "public"
45 | }
46 | }