Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CC-3020: Lambda function for monitoring certificates. #9061

Merged
merged 13 commits into from
Dec 16, 2024
Merged

CC-3020: Lambda function for monitoring certificates. #9061

merged 13 commits into from
Dec 16, 2024

Conversation

mmgovuk
Copy link
Contributor

@mmgovuk mmgovuk commented Dec 12, 2024

CC-3020: Lambda function for monitoring certificates.

@mmgovuk mmgovuk self-assigned this Dec 12, 2024
@github-actions github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label Dec 12, 2024
@github-actions GitHub Actions
Copy link
Contributor

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/ccms-ebs

Running Trivy in terraform/environments/ccms-ebs
2024-12-12T10:04:55Z INFO [vulndb] Need to update DB
2024-12-12T10:04:55Z INFO [vulndb] Downloading vulnerability DB...
2024-12-12T10:04:55Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-12T10:04:57Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-12T10:04:57Z INFO [vuln] Vulnerability scanning is enabled
2024-12-12T10:04:57Z INFO [misconfig] Misconfiguration scanning is enabled
2024-12-12T10:04:57Z INFO [misconfig] Need to update the built-in checks
2024-12-12T10:04:57Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2024-12-12T10:04:57Z INFO [secret] Secret scanning is enabled
2024-12-12T10:04:57Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-12T10:04:57Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-12T10:04:59Z INFO [terraform scanner] Scanning root module file_path="."
2024-12-12T10:04:59Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="alert_email, networking"
2024-12-12T10:04:59Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_log_group.groups" value="cty.NilVal"
2024-12-12T10:04:59Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_security_group_rule.all_internal_egress_traffic" value="cty.NilVal"
2024-12-12T10:04:59Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_security_group_rule.all_internal_ingress_traffic" value="cty.NilVal"
2024-12-12T10:05:00Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T10:05:00Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T10:05:00Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket-dbbackup.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T10:05:00Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket-dbbackup.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T10:05:00Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket-logging.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T10:05:00Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket-logging.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T10:05:00Z INFO [terraform scanner] Scanning root module file_path="modules"
2024-12-12T10:05:00Z INFO [terraform scanner] Scanning root module file_path="modules/cw-logs"
2024-12-12T10:05:03Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-12-12T10:05:03Z INFO [terraform executor] Ignore finding rule="aws-iam-no-user-attached-policies" range="ccms-iam.tf:283-289"
2024-12-12T10:05:04Z INFO Number of language-specific files num=0
2024-12-12T10:05:04Z INFO Detected config files num=28

ccms-ec2-oracle_accessgate.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ccms-ec2-oracle_accessgate.tf:1-104
────────────────────────────────────────
1 ┌ resource "aws_instance" "ec2_accessgate" {
2 │ count = local.application_data.accounts[local.environment].accessgate_no_instances
3 │ instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_accessgate
4 │ ami = local.application_data.accounts[local.environment]["accessgate_ami_id-${count.index + 1}"]
5 │ key_name = local.application_data.accounts[local.environment].key_name
6 │ vpc_security_group_ids = [aws_security_group.ec2_sg_accessgate.id]
7 │ subnet_id = local.private_subnets[count.index]
8 │ #subnet_id = data.aws_subnet.data_subnets_a.id
9 └ monitoring = true
..
────────────────────────────────────────

ccms-ec2-oracle_ebs_apps-alb.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-alb.tf:1-19
────────────────────────────────────────
1 ┌ resource "aws_lb" "ebsapps_lb" {
2 │ name = lower(format("lb-%s-%s-ebsapp", local.application_name, local.environment))
3 │ internal = false
4 │ load_balancer_type = "application"
5 │ security_groups = [aws_security_group.sg_ebsapps_lb.id]
6 │ subnets = data.aws_subnets.shared-public.ids
7 │
8 │ enable_deletion_protection = true
9 └
..
────────────────────────────────────────

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-alb.tf:3
via ccms-ec2-oracle_ebs_apps-alb.tf:1-19 (aws_lb.ebsapps_lb)
────────────────────────────────────────
1 resource "aws_lb" "ebsapps_lb" {
.
3 [ internal = false
..
19 }
────────────────────────────────────────

ccms-ec2-oracle_ebs_apps-nlb.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-nlb.tf:18
via ccms-ec2-oracle_ebs_apps-nlb.tf:16-42 (aws_lb.ebsapps_nlb)
────────────────────────────────────────
16 resource "aws_lb" "ebsapps_nlb" {
..
18 [ internal = false
..
42 }
────────────────────────────────────────

ccms-ec2-oracle_ebs_apps.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps.tf:1-127
────────────────────────────────────────
1 ┌ resource "aws_instance" "ec2_ebsapps" {
2 │ count = local.application_data.accounts[local.environment].ebsapps_no_instances
3 │ instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsapps
4 │ ami = local.application_data.accounts[local.environment]["ebsapps_ami_id-${count.index + 1}"]
5 │ key_name = local.application_data.accounts[local.environment].key_name
6 │ vpc_security_group_ids = [aws_security_group.ec2_sg_ebsapps.id]
7 │ subnet_id = local.private_subnets[count.index]
8 │ #subnet_id = data.aws_subnet.data_subnets_a.id
9 └ monitoring = true
..
────────────────────────────────────────

ccms-ec2-oracle_ebs_db.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
ccms-ec2-oracle_ebs_db.tf:1-68
────────────────────────────────────────
1 ┌ resource "aws_instance" "ec2_oracle_ebs" {
2 │ instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsdb
3 │ #ami = data.aws_ami.oracle_db.id
4 │ ami = local.application_data.accounts[local.environment].ebsdb_ami_id
5 │ key_name = local.application_data.accounts[local.environment].key_name
6 │ vpc_security_group_ids = [aws_security_group.ec2_sg_ebsdb.id]
7 │ subnet_id = data.aws_subnet.data_subnets_a.id
8 │ monitoring = true
9 └ ebs_optimized = false
..
────────────────────────────────────────

ccms-ec2-oracle_webgate-alb.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 3)
Failures: 3 (HIGH: 3, CRITICAL: 0)

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
ccms-ec2-oracle_webgate-alb.tf:1-20
────────────────────────────────────────
1 ┌ resource "aws_lb" "webgate_lb" {
2 │ count = local.is-production ? 1 : 1
3 │ name = lower(format("lb-%s-%s-wgate", local.application_name, local.environment))
4 │ internal = true
5 │ load_balancer_type = "application"
6 │ security_groups = [aws_security_group.sg_webgate_lb.id]
7 │ subnets = data.aws_subnets.shared-private.ids
8 │
9 └ enable_deletion_protection = true
..
────────────────────────────────────────

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
ccms-ec2-oracle_webgate-alb.tf:62-80
────────────────────────────────────────
62 ┌ resource "aws_lb" "webgate_public_lb" {
63 │ name = lower(format("public-alb-webgate"))
64 │ internal = false
65 │ load_balancer_type = "application"
66 │ security_groups = [aws_security_group.sg_webgate_lb.id]
67 │ subnets = data.aws_subnets.shared-public.ids
68 │
69 │ enable_deletion_protection = true
70 └
..
────────────────────────────────────────

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ccms-ec2-oracle_webgate-alb.tf:64
via ccms-ec2-oracle_webgate-alb.tf:62-80 (aws_lb.webgate_public_lb)
────────────────────────────────────────
62 resource "aws_lb" "webgate_public_lb" {
..
64 [ internal = false
..
80 }
────────────────────────────────────────

ccms-ec2-oracle_webgate-nlb.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ccms-ec2-oracle_webgate-nlb.tf:18
via ccms-ec2-oracle_webgate-nlb.tf:16-42 (aws_lb.webgate_nlb)
────────────────────────────────────────
16 resource "aws_lb" "webgate_nlb" {
..
18 [ internal = false
..
42 }
────────────────────────────────────────

ccms-ec2-oracle_webgate.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ccms-ec2-oracle_webgate.tf:1-104
────────────────────────────────────────
1 ┌ resource "aws_instance" "ec2_webgate" {
2 │ count = local.application_data.accounts[local.environment].webgate_no_instances
3 │ instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_webgate
4 │ ami = local.application_data.accounts[local.environment]["webgate_ami_id-${count.index + 1}"]
5 │ key_name = local.application_data.accounts[local.environment].key_name
6 │ vpc_security_group_ids = [aws_security_group.ec2_sg_webgate.id]
7 │ subnet_id = local.private_subnets[count.index]
8 │ #subnet_id = data.aws_subnet.data_subnets_a.id
9 └ monitoring = true
..
────────────────────────────────────────

ccms-s3.tf (terraform)

Tests: 8 (SUCCESSES: 0, FAILURES: 8)
Failures: 8 (HIGH: 8, CRITICAL: 0)

AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.

See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
ccms-s3.tf:286-288
────────────────────────────────────────
286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
287 │ bucket = "${local.application_name}-${local.environment}-shared"
288 └ }
────────────────────────────────────────

AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.

See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
ccms-s3.tf:293-295
────────────────────────────────────────
293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
294 │ bucket = "${local.application_name}-${local.environment}-payment-load"
295 └ }
────────────────────────────────────────

AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
ccms-s3.tf:286-288
────────────────────────────────────────
286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
287 │ bucket = "${local.application_name}-${local.environment}-shared"
288 └ }
────────────────────────────────────────

AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
ccms-s3.tf:293-295
────────────────────────────────────────
293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
294 │ bucket = "${local.application_name}-${local.environment}-payment-load"
295 └ }
────────────────────────────────────────

AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
ccms-s3.tf:286-288
────────────────────────────────────────
286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
287 │ bucket = "${local.application_name}-${local.environment}-shared"
288 └ }
────────────────────────────────────────

AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
ccms-s3.tf:293-295
────────────────────────────────────────
293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
294 │ bucket = "${local.application_name}-${local.environment}-payment-load"
295 └ }
────────────────────────────────────────

AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
ccms-s3.tf:286-288
────────────────────────────────────────
286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
287 │ bucket = "${local.application_name}-${local.environment}-shared"
288 └ }
────────────────────────────────────────

AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
ccms-s3.tf:293-295
────────────────────────────────────────
293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
294 │ bucket = "${local.application_name}-${local.environment}-payment-load"
295 └ }
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/ccms-ebs

*****************************

Running Checkov in terraform/environments/ccms-ebs
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-12-12 10:05:06,714 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 956, Failed checks: 74, Skipped checks: 3

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.groups
	File: /ccms-cloudwatch.tf:15-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		15 | resource "aws_cloudwatch_log_group" "groups" {
		16 |   for_each          = local.application_data.cw_log_groups
		17 |   name              = each.key
		18 |   retention_in_days = each.value.retention_days
		19 | 
		20 |   tags = merge(
		21 |     local.tags,
		22 |     {
		23 |       Name = each.key
		24 |     },
		25 |   )
		26 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.cloudwatch_datasource
	File: /ccms-cloudwatch.tf:54-106
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.dlm_lifecycle
	File: /ccms-dlm.tf:24-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		24 | resource "aws_iam_role_policy" "dlm_lifecycle" {
		25 |   count = local.is-production ? 0 : 1
		26 |   name  = "dlm-lifecycle-policy"
		27 |   role  = aws_iam_role.dlm_lifecycle_role[0].id
		28 | 
		29 |   policy = <<EOF
		30 | {
		31 |    "Version": "2012-10-17",
		32 |    "Statement": [
		33 |       {
		34 |          "Effect": "Allow",
		35 |          "Action": [
		36 |             "ec2:CreateSnapshot",
		37 |             "ec2:DeleteSnapshot",
		38 |             "ec2:DescribeVolumes",
		39 |             "ec2:DescribeSnapshots"
		40 |          ],
		41 |          "Resource": "*"
		42 |       },
		43 |       {
		44 |          "Effect": "Allow",
		45 |          "Action": [
		46 |             "ec2:CreateTags"
		47 |          ],
		48 |          "Resource": "arn:aws:ec2:*::snapshot/*"
		49 |       }
		50 |    ]
		51 | }
		52 | EOF
		53 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.dlm_lifecycle
	File: /ccms-dlm.tf:24-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		24 | resource "aws_iam_role_policy" "dlm_lifecycle" {
		25 |   count = local.is-production ? 0 : 1
		26 |   name  = "dlm-lifecycle-policy"
		27 |   role  = aws_iam_role.dlm_lifecycle_role[0].id
		28 | 
		29 |   policy = <<EOF
		30 | {
		31 |    "Version": "2012-10-17",
		32 |    "Statement": [
		33 |       {
		34 |          "Effect": "Allow",
		35 |          "Action": [
		36 |             "ec2:CreateSnapshot",
		37 |             "ec2:DeleteSnapshot",
		38 |             "ec2:DescribeVolumes",
		39 |             "ec2:DescribeSnapshots"
		40 |          ],
		41 |          "Resource": "*"
		42 |       },
		43 |       {
		44 |          "Effect": "Allow",
		45 |          "Action": [
		46 |             "ec2:CreateTags"
		47 |          ],
		48 |          "Resource": "arn:aws:ec2:*::snapshot/*"
		49 |       }
		50 |    ]
		51 | }
		52 | EOF
		53 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_ftp
	File: /ccms-ec2-ftp.tf:1-67
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_mailrelay
	File: /ccms-ec2-mailrelay.tf:2-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.ec2_accessgate
	File: /ccms-ec2-oracle_accessgate.tf:1-104
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_accessgate
	File: /ccms-ec2-oracle_accessgate.tf:1-104
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.ebsapps_lb
	File: /ccms-ec2-oracle_ebs_apps-alb.tf:1-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		1  | resource "aws_lb" "ebsapps_lb" {
		2  |   name               = lower(format("lb-%s-%s-ebsapp", local.application_name, local.environment))
		3  |   internal           = false
		4  |   load_balancer_type = "application"
		5  |   security_groups    = [aws_security_group.sg_ebsapps_lb.id]
		6  |   subnets            = data.aws_subnets.shared-public.ids
		7  | 
		8  |   enable_deletion_protection = true
		9  | 
		10 |   access_logs {
		11 |     bucket  = module.s3-bucket-logging.bucket.id
		12 |     prefix  = local.lb_log_prefix_ebsapp
		13 |     enabled = true
		14 |   }
		15 | 
		16 |   tags = merge(local.tags,
		17 |     { Name = lower(format("lb-%s-%s-ebsapp", local.application_name, local.environment)) }
		18 |   )
		19 | }

Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
	FAILED for resource: aws_lb_target_group.ebsapp_tg
	File: /ccms-ec2-oracle_ebs_apps-alb.tf:39-54
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks

		39 | resource "aws_lb_target_group" "ebsapp_tg" {
		40 |   name     = lower(format("tg-%s-%s-ebsapp", local.application_name, local.environment))
		41 |   port     = local.application_data.accounts[local.environment].tg_apps_port
		42 |   protocol = "HTTP"
		43 |   vpc_id   = data.aws_vpc.shared.id
		44 |   health_check {
		45 |     port     = local.application_data.accounts[local.environment].tg_apps_port
		46 |     protocol = "HTTP"
		47 |   }
		48 | 
		49 |   stickiness {
		50 |     enabled         = true
		51 |     type            = "lb_cookie"
		52 |     cookie_duration = 3600
		53 |   }
		54 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.ebsapps_nlb
	File: /ccms-ec2-oracle_ebs_apps-nlb.tf:16-42
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		16 | resource "aws_lb" "ebsapps_nlb" {
		17 |   name               = lower(format("nlb-%s-%s-ebs", local.application_name, local.environment))
		18 |   internal           = false
		19 |   load_balancer_type = "network"
		20 | 
		21 |   enable_deletion_protection       = true
		22 |   enable_cross_zone_load_balancing = true
		23 | 
		24 |   subnet_mapping {
		25 |     subnet_id     = data.aws_subnets.shared-public.ids[0]
		26 |     allocation_id = aws_eip.ebs_eip[0].id
		27 |   }
		28 | 
		29 |   subnet_mapping {
		30 |     subnet_id     = data.aws_subnets.shared-public.ids[1]
		31 |     allocation_id = aws_eip.ebs_eip[1].id
		32 |   }
		33 | 
		34 |   subnet_mapping {
		35 |     subnet_id     = data.aws_subnets.shared-public.ids[2]
		36 |     allocation_id = aws_eip.ebs_eip[2].id
		37 |   }
		38 | 
		39 |   tags = merge(local.tags,
		40 |     { Name = lower(format("nlb-%s-%s-ebsapp", local.application_name, local.environment)) }
		41 |   )
		42 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.ec2_ebsapps
	File: /ccms-ec2-oracle_ebs_apps.tf:1-127
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_ebsapps
	File: /ccms-ec2-oracle_ebs_apps.tf:1-127
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
	FAILED for resource: aws_instance.ec2_oracle_ebs
	File: /ccms-ec2-oracle_ebs_db.tf:1-68
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-13

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_oracle_ebs
	File: /ccms-ec2-oracle_ebs_db.tf:1-68
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.webgate_lb
	File: /ccms-ec2-oracle_webgate-alb.tf:1-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		1  | resource "aws_lb" "webgate_lb" {
		2  |   count              = local.is-production ? 1 : 1
		3  |   name               = lower(format("lb-%s-%s-wgate", local.application_name, local.environment))
		4  |   internal           = true
		5  |   load_balancer_type = "application"
		6  |   security_groups    = [aws_security_group.sg_webgate_lb.id]
		7  |   subnets            = data.aws_subnets.shared-private.ids
		8  | 
		9  |   enable_deletion_protection = true
		10 | 
		11 |   access_logs {
		12 |     bucket  = module.s3-bucket-logging.bucket.id
		13 |     prefix  = local.lb_log_prefix_wgate
		14 |     enabled = true
		15 |   }
		16 | 
		17 |   tags = merge(local.tags,
		18 |     { Name = lower(format("lb-%s-%s-wgate", local.application_name, local.environment)) }
		19 |   )
		20 | }

Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
	FAILED for resource: aws_lb_target_group.webgate_tg
	File: /ccms-ec2-oracle_webgate-alb.tf:40-52
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks

		40 | resource "aws_lb_target_group" "webgate_tg" {
		41 |   count    = local.is-production ? 1 : 1
		42 |   name     = lower(format("tg-%s-%s-wgate", local.application_name, local.environment))
		43 |   port     = 5401
		44 |   protocol = "HTTP"
		45 |   vpc_id   = data.aws_vpc.shared.id
		46 |   health_check {
		47 |     port     = 5401
		48 |     protocol = "HTTP"
		49 |     matcher  = 302
		50 |     timeout  = 10
		51 |   }
		52 | }

Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.webgate_public_lb
	File: /ccms-ec2-oracle_webgate-alb.tf:62-80
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		62 | resource "aws_lb" "webgate_public_lb" {
		63 |   name               = lower(format("public-alb-webgate"))
		64 |   internal           = false
		65 |   load_balancer_type = "application"
		66 |   security_groups    = [aws_security_group.sg_webgate_lb.id]
		67 |   subnets            = data.aws_subnets.shared-public.ids
		68 | 
		69 |   enable_deletion_protection = true
		70 | 
		71 |   access_logs {
		72 |     bucket  = module.s3-bucket-logging.bucket.id
		73 |     prefix  = local.lb_log_prefix_wgate_public
		74 |     enabled = true
		75 |   }
		76 | 
		77 |   tags = merge(local.tags,
		78 |     { Name = lower(format("public-alb-webgate")) }
		79 |   )
		80 | }

Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
	FAILED for resource: aws_lb_target_group.webgate_tg_public
	File: /ccms-ec2-oracle_webgate-alb.tf:100-111
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks

		100 | resource "aws_lb_target_group" "webgate_tg_public" {
		101 |   name     = lower(format("public-alb-webgate-tg"))
		102 |   port     = 5401
		103 |   protocol = "HTTP"
		104 |   vpc_id   = data.aws_vpc.shared.id
		105 |   health_check {
		106 |     port     = 5401
		107 |     protocol = "HTTP"
		108 |     matcher  = 302
		109 |     timeout  = 10
		110 |   }
		111 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.webgate_nlb
	File: /ccms-ec2-oracle_webgate-nlb.tf:16-42
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		16 | resource "aws_lb" "webgate_nlb" {
		17 |   name               = lower(format("public-nlb-webgate"))
		18 |   internal           = false
		19 |   load_balancer_type = "network"
		20 | 
		21 |   enable_deletion_protection       = true
		22 |   enable_cross_zone_load_balancing = true
		23 | 
		24 |   subnet_mapping {
		25 |     subnet_id     = data.aws_subnets.shared-public.ids[0]
		26 |     allocation_id = aws_eip.webgate_eip[0].id
		27 |   }
		28 | 
		29 |   subnet_mapping {
		30 |     subnet_id     = data.aws_subnets.shared-public.ids[1]
		31 |     allocation_id = aws_eip.webgate_eip[1].id
		32 |   }
		33 | 
		34 |   subnet_mapping {
		35 |     subnet_id     = data.aws_subnets.shared-public.ids[2]
		36 |     allocation_id = aws_eip.webgate_eip[2].id
		37 |   }
		38 | 
		39 |   tags = merge(local.tags,
		40 |     { Name = lower(format("public-nlb-webgate")) }
		41 |   )
		42 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.ec2_webgate
	File: /ccms-ec2-oracle_webgate.tf:1-104
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_webgate
	File: /ccms-ec2-oracle_webgate.tf:1-104
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.ec2_operations_policy
	File: /ccms-iam.tf:249-273
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		249 | resource "aws_iam_policy" "ec2_operations_policy" {
		250 |   name        = "ec2_operations-${local.environment}"
		251 |   description = "Allows EC2 operations."
		252 | 
		253 |   policy = jsonencode(
		254 |     {
		255 |       "Version" : "2012-10-17",
		256 |       "Statement" : [
		257 |         {
		258 |           "Sid" : "EC2Operations",
		259 |           "Effect" : "Allow",
		260 |           "Action" : [
		261 |             "ec2:Describe*",
		262 |             "ec2:CreateSnapshot",
		263 |             "ec2:CreateSnapshots",
		264 |             "ec2:DeleteSnapshot",
		265 |             "ec2:CreateTags",
		266 |             "ec2:DeleteTags"
		267 |           ],
		268 |           "Resource" : "*"
		269 |         }
		270 |       ]
		271 |     }
		272 |   )
		273 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.ec2_operations_policy
	File: /ccms-iam.tf:249-273
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		249 | resource "aws_iam_policy" "ec2_operations_policy" {
		250 |   name        = "ec2_operations-${local.environment}"
		251 |   description = "Allows EC2 operations."
		252 | 
		253 |   policy = jsonencode(
		254 |     {
		255 |       "Version" : "2012-10-17",
		256 |       "Statement" : [
		257 |         {
		258 |           "Sid" : "EC2Operations",
		259 |           "Effect" : "Allow",
		260 |           "Action" : [
		261 |             "ec2:Describe*",
		262 |             "ec2:CreateSnapshot",
		263 |             "ec2:CreateSnapshots",
		264 |             "ec2:DeleteSnapshot",
		265 |             "ec2:CreateTags",
		266 |             "ec2:DeleteTags"
		267 |           ],
		268 |           "Resource" : "*"
		269 |         }
		270 |       ]
		271 |     }
		272 |   )
		273 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.certificate_expiration_alerts
	File: /ccms-lambda-certificate-checker.tf:43-45
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		43 | resource "aws_sns_topic" "certificate_expiration_alerts" {
		44 |   name = "acm-certificate-alerts"
		45 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.certificate_monitor
	File: /ccms-lambda-certificate-checker.tf:53-66
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		53 | resource "aws_lambda_function" "certificate_monitor" {
		54 |   filename         = "certificate_monitor.zip"
		55 |   function_name    = "acm_certificate_monitor"
		56 |   role            = aws_iam_role.lambda_certificate_monitor_role.arn
		57 |   handler         = "lambda_function.lambda_handler"
		58 |   runtime         = "python3.11"
		59 |   timeout         = 30
		60 | 
		61 |   environment {
		62 |     variables = {
		63 |       SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
		64 |     }
		65 |   }
		66 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.certificate_monitor
	File: /ccms-lambda-certificate-checker.tf:53-66
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		53 | resource "aws_lambda_function" "certificate_monitor" {
		54 |   filename         = "certificate_monitor.zip"
		55 |   function_name    = "acm_certificate_monitor"
		56 |   role            = aws_iam_role.lambda_certificate_monitor_role.arn
		57 |   handler         = "lambda_function.lambda_handler"
		58 |   runtime         = "python3.11"
		59 |   timeout         = 30
		60 | 
		61 |   environment {
		62 |     variables = {
		63 |       SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
		64 |     }
		65 |   }
		66 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.certificate_monitor
	File: /ccms-lambda-certificate-checker.tf:53-66
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		53 | resource "aws_lambda_function" "certificate_monitor" {
		54 |   filename         = "certificate_monitor.zip"
		55 |   function_name    = "acm_certificate_monitor"
		56 |   role            = aws_iam_role.lambda_certificate_monitor_role.arn
		57 |   handler         = "lambda_function.lambda_handler"
		58 |   runtime         = "python3.11"
		59 |   timeout         = 30
		60 | 
		61 |   environment {
		62 |     variables = {
		63 |       SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
		64 |     }
		65 |   }
		66 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.certificate_monitor
	File: /ccms-lambda-certificate-checker.tf:53-66
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		53 | resource "aws_lambda_function" "certificate_monitor" {
		54 |   filename         = "certificate_monitor.zip"
		55 |   function_name    = "acm_certificate_monitor"
		56 |   role            = aws_iam_role.lambda_certificate_monitor_role.arn
		57 |   handler         = "lambda_function.lambda_handler"
		58 |   runtime         = "python3.11"
		59 |   timeout         = 30
		60 | 
		61 |   environment {
		62 |     variables = {
		63 |       SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
		64 |     }
		65 |   }
		66 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.certificate_monitor
	File: /ccms-lambda-certificate-checker.tf:53-66
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		53 | resource "aws_lambda_function" "certificate_monitor" {
		54 |   filename         = "certificate_monitor.zip"
		55 |   function_name    = "acm_certificate_monitor"
		56 |   role            = aws_iam_role.lambda_certificate_monitor_role.arn
		57 |   handler         = "lambda_function.lambda_handler"
		58 |   runtime         = "python3.11"
		59 |   timeout         = 30
		60 | 
		61 |   environment {
		62 |     variables = {
		63 |       SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
		64 |     }
		65 |   }
		66 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.certificate_monitor
	File: /ccms-lambda-certificate-checker.tf:53-66
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		53 | resource "aws_lambda_function" "certificate_monitor" {
		54 |   filename         = "certificate_monitor.zip"
		55 |   function_name    = "acm_certificate_monitor"
		56 |   role            = aws_iam_role.lambda_certificate_monitor_role.arn
		57 |   handler         = "lambda_function.lambda_handler"
		58 |   runtime         = "python3.11"
		59 |   timeout         = 30
		60 | 
		61 |   environment {
		62 |     variables = {
		63 |       SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
		64 |     }
		65 |   }
		66 | }

Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
	FAILED for resource: aws_security_group.lambda_security_group
	File: /ccms-lambda.tf:22-44

		22 | resource "aws_security_group" "lambda_security_group" {
		23 |   name        = "${local.application_name}-${local.environment}-lambda-sg"
		24 |   description = "SG traffic control for Payment Load Lambda"
		25 |   vpc_id      = data.aws_vpc.shared.id
		26 | 
		27 |   ingress {
		28 |     from_port   = 1521
		29 |     to_port     = 1522
		30 |     protocol    = "tcp"
		31 |     cidr_blocks = [data.aws_vpc.shared.cidr_block]
		32 |   }
		33 | 
		34 |   egress {
		35 |     from_port   = 0
		36 |     to_port     = 0
		37 |     protocol    = "-1"
		38 |     cidr_blocks = ["0.0.0.0/0"]
		39 |   }
		40 | 
		41 |   tags = merge(local.tags,
		42 |     { Name = "${local.application_name}-${local.environment}-lambda-sg" }
		43 |   )
		44 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.lambda_security_group
	File: /ccms-lambda.tf:22-44
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		22 | resource "aws_security_group" "lambda_security_group" {
		23 |   name        = "${local.application_name}-${local.environment}-lambda-sg"
		24 |   description = "SG traffic control for Payment Load Lambda"
		25 |   vpc_id      = data.aws_vpc.shared.id
		26 | 
		27 |   ingress {
		28 |     from_port   = 1521
		29 |     to_port     = 1522
		30 |     protocol    = "tcp"
		31 |     cidr_blocks = [data.aws_vpc.shared.cidr_block]
		32 |   }
		33 | 
		34 |   egress {
		35 |     from_port   = 0
		36 |     to_port     = 0
		37 |     protocol    = "-1"
		38 |     cidr_blocks = ["0.0.0.0/0"]
		39 |   }
		40 | 
		41 |   tags = merge(local.tags,
		42 |     { Name = "${local.application_name}-${local.environment}-lambda-sg" }
		43 |   )
		44 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.lambda_function
	File: /ccms-lambda.tf:48-82
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		48 | resource "aws_lambda_function" "lambda_function" {
		49 |   function_name = "${local.application_name}-${local.environment}-payment-load"
		50 |   filename      = "lambda/functionV2.zip"
		51 |   handler       = "lambda_function.lambda_handler"
		52 |   runtime       = "python3.10"
		53 |   role          = aws_iam_role.lambda_execution_role.arn
		54 |   layers        = [aws_lambda_layer_version.lambda_layer.arn]
		55 |   architectures = ["x86_64"]
		56 |   memory_size   = 128
		57 |   timeout       = 120
		58 | 
		59 |   vpc_config {
		60 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		61 |     security_group_ids = [aws_security_group.lambda_security_group.id]
		62 |   }
		63 |   environment {
		64 |     variables = {
		65 |       IS_PRODUCTION   = local.is-production ? "true" : "false"
		66 |       LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
		67 |       S3_BUCKET_NAME  = aws_s3_bucket.lambda_payment_load.bucket
		68 |       SECRET_NAME     = aws_secretsmanager_secret.secret_lambda_s3.name
		69 |     }
		70 |   }
		71 |   logging_config {
		72 |     log_format            = "JSON"
		73 |     application_log_level = "INFO"
		74 |     system_log_level      = "INFO"
		75 |   }
		76 | 
		77 |   tags = merge(local.tags, {
		78 |     Name = "${local.application_name}-${local.environment}-payment-load"
		79 |   })
		80 | 
		81 |   depends_on = [aws_lambda_layer_version.lambda_layer]
		82 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.lambda_function
	File: /ccms-lambda.tf:48-82
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		48 | resource "aws_lambda_function" "lambda_function" {
		49 |   function_name = "${local.application_name}-${local.environment}-payment-load"
		50 |   filename      = "lambda/functionV2.zip"
		51 |   handler       = "lambda_function.lambda_handler"
		52 |   runtime       = "python3.10"
		53 |   role          = aws_iam_role.lambda_execution_role.arn
		54 |   layers        = [aws_lambda_layer_version.lambda_layer.arn]
		55 |   architectures = ["x86_64"]
		56 |   memory_size   = 128
		57 |   timeout       = 120
		58 | 
		59 |   vpc_config {
		60 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		61 |     security_group_ids = [aws_security_group.lambda_security_group.id]
		62 |   }
		63 |   environment {
		64 |     variables = {
		65 |       IS_PRODUCTION   = local.is-production ? "true" : "false"
		66 |       LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
		67 |       S3_BUCKET_NAME  = aws_s3_bucket.lambda_payment_load.bucket
		68 |       SECRET_NAME     = aws_secretsmanager_secret.secret_lambda_s3.name
		69 |     }
		70 |   }
		71 |   logging_config {
		72 |     log_format            = "JSON"
		73 |     application_log_level = "INFO"
		74 |     system_log_level      = "INFO"
		75 |   }
		76 | 
		77 |   tags = merge(local.tags, {
		78 |     Name = "${local.application_name}-${local.environment}-payment-load"
		79 |   })
		80 | 
		81 |   depends_on = [aws_lambda_layer_version.lambda_layer]
		82 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.lambda_function
	File: /ccms-lambda.tf:48-82
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		48 | resource "aws_lambda_function" "lambda_function" {
		49 |   function_name = "${local.application_name}-${local.environment}-payment-load"
		50 |   filename      = "lambda/functionV2.zip"
		51 |   handler       = "lambda_function.lambda_handler"
		52 |   runtime       = "python3.10"
		53 |   role          = aws_iam_role.lambda_execution_role.arn
		54 |   layers        = [aws_lambda_layer_version.lambda_layer.arn]
		55 |   architectures = ["x86_64"]
		56 |   memory_size   = 128
		57 |   timeout       = 120
		58 | 
		59 |   vpc_config {
		60 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		61 |     security_group_ids = [aws_security_group.lambda_security_group.id]
		62 |   }
		63 |   environment {
		64 |     variables = {
		65 |       IS_PRODUCTION   = local.is-production ? "true" : "false"
		66 |       LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
		67 |       S3_BUCKET_NAME  = aws_s3_bucket.lambda_payment_load.bucket
		68 |       SECRET_NAME     = aws_secretsmanager_secret.secret_lambda_s3.name
		69 |     }
		70 |   }
		71 |   logging_config {
		72 |     log_format            = "JSON"
		73 |     application_log_level = "INFO"
		74 |     system_log_level      = "INFO"
		75 |   }
		76 | 
		77 |   tags = merge(local.tags, {
		78 |     Name = "${local.application_name}-${local.environment}-payment-load"
		79 |   })
		80 | 
		81 |   depends_on = [aws_lambda_layer_version.lambda_layer]
		82 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.lambda_function
	File: /ccms-lambda.tf:48-82
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		48 | resource "aws_lambda_function" "lambda_function" {
		49 |   function_name = "${local.application_name}-${local.environment}-payment-load"
		50 |   filename      = "lambda/functionV2.zip"
		51 |   handler       = "lambda_function.lambda_handler"
		52 |   runtime       = "python3.10"
		53 |   role          = aws_iam_role.lambda_execution_role.arn
		54 |   layers        = [aws_lambda_layer_version.lambda_layer.arn]
		55 |   architectures = ["x86_64"]
		56 |   memory_size   = 128
		57 |   timeout       = 120
		58 | 
		59 |   vpc_config {
		60 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		61 |     security_group_ids = [aws_security_group.lambda_security_group.id]
		62 |   }
		63 |   environment {
		64 |     variables = {
		65 |       IS_PRODUCTION   = local.is-production ? "true" : "false"
		66 |       LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
		67 |       S3_BUCKET_NAME  = aws_s3_bucket.lambda_payment_load.bucket
		68 |       SECRET_NAME     = aws_secretsmanager_secret.secret_lambda_s3.name
		69 |     }
		70 |   }
		71 |   logging_config {
		72 |     log_format            = "JSON"
		73 |     application_log_level = "INFO"
		74 |     system_log_level      = "INFO"
		75 |   }
		76 | 
		77 |   tags = merge(local.tags, {
		78 |     Name = "${local.application_name}-${local.environment}-payment-load"
		79 |   })
		80 | 
		81 |   depends_on = [aws_lambda_layer_version.lambda_layer]
		82 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.lambda_function
	File: /ccms-lambda.tf:48-82
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		48 | resource "aws_lambda_function" "lambda_function" {
		49 |   function_name = "${local.application_name}-${local.environment}-payment-load"
		50 |   filename      = "lambda/functionV2.zip"
		51 |   handler       = "lambda_function.lambda_handler"
		52 |   runtime       = "python3.10"
		53 |   role          = aws_iam_role.lambda_execution_role.arn
		54 |   layers        = [aws_lambda_layer_version.lambda_layer.arn]
		55 |   architectures = ["x86_64"]
		56 |   memory_size   = 128
		57 |   timeout       = 120
		58 | 
		59 |   vpc_config {
		60 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		61 |     security_group_ids = [aws_security_group.lambda_security_group.id]
		62 |   }
		63 |   environment {
		64 |     variables = {
		65 |       IS_PRODUCTION   = local.is-production ? "true" : "false"
		66 |       LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
		67 |       S3_BUCKET_NAME  = aws_s3_bucket.lambda_payment_load.bucket
		68 |       SECRET_NAME     = aws_secretsmanager_secret.secret_lambda_s3.name
		69 |     }
		70 |   }
		71 |   logging_config {
		72 |     log_format            = "JSON"
		73 |     application_log_level = "INFO"
		74 |     system_log_level      = "INFO"
		75 |   }
		76 | 
		77 |   tags = merge(local.tags, {
		78 |     Name = "${local.application_name}-${local.environment}-payment-load"
		79 |   })
		80 | 
		81 |   depends_on = [aws_lambda_layer_version.lambda_layer]
		82 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3-bucket
	File: /ccms-s3.tf:2-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3-bucket-logging
	File: /ccms-s3.tf:98-166
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3-bucket-dbbackup
	File: /ccms-s3.tf:190-258
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.secret_ftp_s3
	File: /ccms-secrets.tf:3-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		3  | resource "aws_secretsmanager_secret" "secret_ftp_s3" {
		4  |   name        = "ftp-s3-${local.environment}-aws-key"
		5  |   description = "AWS credentials for mounting of s3 buckets for the FTP Service to access"
		6  | 
		7  |   tags = merge(local.tags,
		8  |     { Name = "ftp-s3-${local.environment}-aws-key" }
		9  |   )
		10 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.secret_ses_smtp_credentials
	File: /ccms-secrets.tf:12-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		12 | resource "aws_secretsmanager_secret" "secret_ses_smtp_credentials" {
		13 |   name        = "ses-smtp-credentials"
		14 |   description = "SMTP credentials for Postfix to send messages through SES."
		15 | 
		16 |   tags = merge(local.tags,
		17 |     { Name = "ses-smtp-credentials-${local.environment}" }
		18 |   )
		19 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.secret_lambda_s3
	File: /ccms-secrets.tf:23-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		23 | resource "aws_secretsmanager_secret" "secret_lambda_s3" {
		24 |   name        = "db-${local.environment}-credentials"
		25 |   description = "AWS credentials for lambda to connect to the db"
		26 | 
		27 |   tags = merge(local.tags,
		28 |     { Name = "db-${local.environment}-credentials" }
		29 |   )
		30 | }
Check: CKV_AWS_365: "Ensure SES Configuration Set enforces TLS usage"
	FAILED for resource: aws_ses_configuration_set.default_configuration_set
	File: /ccms-ses.tf:35-43
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-365

		35 | resource "aws_ses_configuration_set" "default_configuration_set" {
		36 |   name = "default-configuration-set"
		37 | 
		38 |   delivery_options {
		39 |     tls_policy = "Optional"
		40 |   }
		41 |   reputation_metrics_enabled = true
		42 |   sending_enabled            = true
		43 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.support_email_account
	File: /ccms-sns.tf:2-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		2 | resource "aws_secretsmanager_secret" "support_email_account" {
		3 |   name        = "support_email_account"
		4 |   description = "email address of the support account for cw alerts"
		5 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.cw_alerts
	File: /ccms-sns.tf:17-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		17 | resource "aws_sns_topic" "cw_alerts" {
		18 |   name = "ccms-ebs-ec2-alerts"
		19 |   #kms_master_key_id = "alias/aws/sns"
		20 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.s3_topic
	File: /ccms-sns.tf:34-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		34 | resource "aws_sns_topic" "s3_topic" {
		35 |   name   = "s3-event-notification-topic"
		36 |   policy = data.aws_iam_policy_document.s3_topic_policy.json
		37 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.ddos_alarm
	File: /ccms-sns.tf:51-54
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		51 | resource "aws_sns_topic" "ddos_alarm" {
		52 |   name = format("%s_ddos_alarm", local.application_name)
		53 |   #kms_master_key_id = "alias/aws/sns"
		54 | }

Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
	FAILED for resource: aws_wafv2_web_acl.ebs_web_acl
	File: /ccms-waf.tf:172-211
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-waf-prevents-message-lookup-in-log4j2

		172 | resource "aws_wafv2_web_acl" "ebs_web_acl" {
		173 |   name        = "ebs_waf"
		174 |   scope       = "REGIONAL"
		175 |   description = "AWS WAF Web ACL for EBS"
		176 | 
		177 |   default_action {
		178 |     block {}
		179 |   }
		180 | 
		181 |   rule {
		182 |     name = "ebs-trusted-rule"
		183 | 
		184 |     priority = 1
		185 |     action {
		186 |       allow {}
		187 |     }
		188 | 
		189 |     statement {
		190 |       ip_set_reference_statement {
		191 |         arn = aws_wafv2_ip_set.ebs_waf_ip_set.arn
		192 |       }
		193 |     }
		194 | 
		195 |     visibility_config {
		196 |       cloudwatch_metrics_enabled = true
		197 |       metric_name                = "ebs_waf_metrics"
		198 |       sampled_requests_enabled   = true
		199 |     }
		200 |   }
		201 | 
		202 |   tags = merge(local.tags,
		203 |     { Name = lower(format("lb-%s-%s-ebsapp-web-acl", local.application_name, local.environment)) }
		204 |   )
		205 | 
		206 |   visibility_config {
		207 |     cloudwatch_metrics_enabled = true
		208 |     metric_name                = "ebs_waf_metrics"
		209 |     sampled_requests_enabled   = true
		210 |   }
		211 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.ebs_waf_logs
	File: /ccms-waf.tf:213-220
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		213 | resource "aws_cloudwatch_log_group" "ebs_waf_logs" {
		214 |   name              = "aws-waf-logs-ebs/ebs-waf-logs"
		215 |   retention_in_days = 30
		216 | 
		217 |   tags = merge(local.tags,
		218 |     { Name = lower(format("lb-%s-%s-ebs-waf-logs", local.application_name, local.environment)) }
		219 |   )
		220 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.ebs_waf_logs
	File: /ccms-waf.tf:213-220
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		213 | resource "aws_cloudwatch_log_group" "ebs_waf_logs" {
		214 |   name              = "aws-waf-logs-ebs/ebs-waf-logs"
		215 |   retention_in_days = 30
		216 | 
		217 |   tags = merge(local.tags,
		218 |     { Name = lower(format("lb-%s-%s-ebs-waf-logs", local.application_name, local.environment)) }
		219 |   )
		220 | }

Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: aws_ssm_parameter.cw_agent_config
	File: /ccms-cloudwatch.tf:28-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted

		28 | resource "aws_ssm_parameter" "cw_agent_config" {
		29 |   description = "cloud watch agent config"
		30 |   name        = "cloud-watch-config"
		31 |   type        = "String"
		32 |   value       = file("./templates/cw_agent_config.json")
		33 | 
		34 |   tags = merge(local.tags,
		35 |     { Name = "cw-config" }
		36 |   )
		37 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.lambda_payment_load
	File: /ccms-s3.tf:293-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		293 | resource "aws_s3_bucket" "lambda_payment_load" {
		294 |   bucket = "${local.application_name}-${local.environment}-payment-load"
		295 | }
Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.lambda_payment_load
	File: /ccms-s3.tf:293-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		293 | resource "aws_s3_bucket" "lambda_payment_load" {
		294 |   bucket = "${local.application_name}-${local.environment}-payment-load"
		295 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.lambda_payment_load
	File: /ccms-s3.tf:293-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		293 | resource "aws_s3_bucket" "lambda_payment_load" {
		294 |   bucket = "${local.application_name}-${local.environment}-payment-load"
		295 | }
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.secret_ftp_s3
	File: /ccms-secrets.tf:3-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		3  | resource "aws_secretsmanager_secret" "secret_ftp_s3" {
		4  |   name        = "ftp-s3-${local.environment}-aws-key"
		5  |   description = "AWS credentials for mounting of s3 buckets for the FTP Service to access"
		6  | 
		7  |   tags = merge(local.tags,
		8  |     { Name = "ftp-s3-${local.environment}-aws-key" }
		9  |   )
		10 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.secret_ses_smtp_credentials
	File: /ccms-secrets.tf:12-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		12 | resource "aws_secretsmanager_secret" "secret_ses_smtp_credentials" {
		13 |   name        = "ses-smtp-credentials"
		14 |   description = "SMTP credentials for Postfix to send messages through SES."
		15 | 
		16 |   tags = merge(local.tags,
		17 |     { Name = "ses-smtp-credentials-${local.environment}" }
		18 |   )
		19 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.secret_lambda_s3
	File: /ccms-secrets.tf:23-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		23 | resource "aws_secretsmanager_secret" "secret_lambda_s3" {
		24 |   name        = "db-${local.environment}-credentials"
		25 |   description = "AWS credentials for lambda to connect to the db"
		26 | 
		27 |   tags = merge(local.tags,
		28 |     { Name = "db-${local.environment}-credentials" }
		29 |   )
		30 | }
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.support_email_account
	File: /ccms-sns.tf:2-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		2 | resource "aws_secretsmanager_secret" "support_email_account" {
		3 |   name        = "support_email_account"
		4 |   description = "email address of the support account for cw alerts"
		5 | }

Check: CKV2_AWS_64: "Ensure KMS key Policy is defined"
	FAILED for resource: aws_kms_key.oracle_ec2
	File: /ccms-kms.tf:1-7
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-2-64

		1 | resource "aws_kms_key" "oracle_ec2" {
		2 |   enable_key_rotation = true
		3 | 
		4 |   tags = merge(local.tags,
		5 |     { Name = "oracle_ec2" }
		6 |   )
		7 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.lambda_payment_load
	File: /ccms-s3.tf:293-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		293 | resource "aws_s3_bucket" "lambda_payment_load" {
		294 |   bucket = "${local.application_name}-${local.environment}-payment-load"
		295 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.lambda_payment_load
	File: /ccms-s3.tf:293-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		293 | resource "aws_s3_bucket" "lambda_payment_load" {
		294 |   bucket = "${local.application_name}-${local.environment}-payment-load"
		295 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.lambda_payment_load
	File: /ccms-s3.tf:293-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		293 | resource "aws_s3_bucket" "lambda_payment_load" {
		294 |   bucket = "${local.application_name}-${local.environment}-payment-load"
		295 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.lambda_payment_load
	File: /ccms-s3.tf:293-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		293 | resource "aws_s3_bucket" "lambda_payment_load" {
		294 |   bucket = "${local.application_name}-${local.environment}-payment-load"
		295 | }
Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances"
	FAILED for resource: aws_eip.ebs_eip
	File: /ccms-ec2-oracle_ebs_apps-nlb.tf:2-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances

		2  | resource "aws_eip" "ebs_eip" {
		3  |   count = local.is-production ? 6 : 3
		4  |   vpc   = true
		5  | 
		6  |   lifecycle {
		7  |     prevent_destroy = true
		8  |   }
		9  | 
		10 |   tags = merge(local.tags,
		11 |     { Name = lower(format("lb-%s-%s-eip-${count.index + 1}", local.application_name, local.environment)) }
		12 |   )
		13 | }

Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances"
	FAILED for resource: aws_eip.webgate_eip
	File: /ccms-ec2-oracle_webgate-nlb.tf:2-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances

		2  | resource "aws_eip" "webgate_eip" {
		3  |   count = local.is-production ? 6 : 3
		4  |   vpc   = true
		5  | 
		6  |   lifecycle {
		7  |     prevent_destroy = true
		8  |   }
		9  | 
		10 |   tags = merge(local.tags,
		11 |     { Name = lower(format("lb-%s-%s-webgate-eip-${count.index + 1}", local.application_name, local.environment)) }
		12 |   )
		13 | }


checkov_exitcode=1

CTFLint Scan Failed

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/ccms-ebs

*****************************

Running tflint in terraform/environments/ccms-ebs
Excluding the following checks: terraform_unused_declarations
5 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/ccms-ebs/ccms-ec2-ftp.tf line 23:
  23:     environment               = "${local.environment}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/ccms-ebs/ccms-ec2-ftp.tf line 24:
  24:     lz_aws_account_id_env     = "${local.application_data.accounts[local.environment].lz_aws_account_id_env}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/ccms-ebs/ccms-ec2-ftp.tf line 25:
  25:     lz_ftp_bucket_environment = "${local.application_data.accounts[local.environment].lz_ftp_bucket_environment}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/ccms-ebs/ccms-ec2-mailrelay.tf line 28:
  28:     smtp_fqdn = "${local.application_data.accounts[local.environment].ses_domain_identity}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/ccms-ebs/ccms-ec2-oracle_ebs_db.tf line 31:
  31:     environment = "${local.environment}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/ccms-ebs

*****************************

Running Trivy in terraform/environments/ccms-ebs
2024-12-12T10:04:55Z	INFO	[vulndb] Need to update DB
2024-12-12T10:04:55Z	INFO	[vulndb] Downloading vulnerability DB...
2024-12-12T10:04:55Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-12T10:04:57Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-12T10:04:57Z	INFO	[vuln] Vulnerability scanning is enabled
2024-12-12T10:04:57Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-12-12T10:04:57Z	INFO	[misconfig] Need to update the built-in checks
2024-12-12T10:04:57Z	INFO	[misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2024-12-12T10:04:57Z	INFO	[secret] Secret scanning is enabled
2024-12-12T10:04:57Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-12T10:04:57Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-12T10:04:59Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-12-12T10:04:59Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="alert_email, networking"
2024-12-12T10:04:59Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_log_group.groups" value="cty.NilVal"
2024-12-12T10:04:59Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_security_group_rule.all_internal_egress_traffic" value="cty.NilVal"
2024-12-12T10:04:59Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_security_group_rule.all_internal_ingress_traffic" value="cty.NilVal"
2024-12-12T10:05:00Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T10:05:00Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T10:05:00Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.s3-bucket-dbbackup.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T10:05:00Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.s3-bucket-dbbackup.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T10:05:00Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.s3-bucket-logging.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T10:05:00Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.s3-bucket-logging.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T10:05:00Z	INFO	[terraform scanner] Scanning root module	file_path="modules"
2024-12-12T10:05:00Z	INFO	[terraform scanner] Scanning root module	file_path="modules/cw-logs"
2024-12-12T10:05:03Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-12-12T10:05:03Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-user-attached-policies" range="ccms-iam.tf:283-289"
2024-12-12T10:05:04Z	INFO	Number of language-specific files	num=0
2024-12-12T10:05:04Z	INFO	Detected config files	num=28

ccms-ec2-oracle_accessgate.tf (terraform)
=========================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 ccms-ec2-oracle_accessgate.tf:1-104
────────────────────────────────────────
   1resource "aws_instance" "ec2_accessgate" {
   2count                  = local.application_data.accounts[local.environment].accessgate_no_instances
   3instance_type          = local.application_data.accounts[local.environment].ec2_oracle_instance_type_accessgate
   4ami                    = local.application_data.accounts[local.environment]["accessgate_ami_id-${count.index + 1}"]
   5key_name               = local.application_data.accounts[local.environment].key_name
   6vpc_security_group_ids = [aws_security_group.ec2_sg_accessgate.id]
   7subnet_id              = local.private_subnets[count.index]
   8#subnet_id                   = data.aws_subnet.data_subnets_a.id
   9monitoring                  = true
  ..   
────────────────────────────────────────



ccms-ec2-oracle_ebs_apps-alb.tf (terraform)
===========================================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.


See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 ccms-ec2-oracle_ebs_apps-alb.tf:1-19
────────────────────────────────────────
   1resource "aws_lb" "ebsapps_lb" {
   2name               = lower(format("lb-%s-%s-ebsapp", local.application_name, local.environment))
   3internal           = false
   4load_balancer_type = "application"
   5security_groups    = [aws_security_group.sg_ebsapps_lb.id]
   6subnets            = data.aws_subnets.shared-public.ids
   78enable_deletion_protection = true
   9..   
────────────────────────────────────────


AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 ccms-ec2-oracle_ebs_apps-alb.tf:3
   via ccms-ec2-oracle_ebs_apps-alb.tf:1-19 (aws_lb.ebsapps_lb)
────────────────────────────────────────
   1   resource "aws_lb" "ebsapps_lb" {
   .   
   3 [   internal           = false
  ..   
  19   }
────────────────────────────────────────



ccms-ec2-oracle_ebs_apps-nlb.tf (terraform)
===========================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 ccms-ec2-oracle_ebs_apps-nlb.tf:18
   via ccms-ec2-oracle_ebs_apps-nlb.tf:16-42 (aws_lb.ebsapps_nlb)
────────────────────────────────────────
  16   resource "aws_lb" "ebsapps_nlb" {
  ..   
  18 [   internal           = false
  ..   
  42   }
────────────────────────────────────────



ccms-ec2-oracle_ebs_apps.tf (terraform)
=======================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 ccms-ec2-oracle_ebs_apps.tf:1-127
────────────────────────────────────────
   1resource "aws_instance" "ec2_ebsapps" {
   2 │   count                  = local.application_data.accounts[local.environment].ebsapps_no_instances
   3 │   instance_type          = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsapps
   4 │   ami                    = local.application_data.accounts[local.environment]["ebsapps_ami_id-${count.index + 1}"]
   5 │   key_name               = local.application_data.accounts[local.environment].key_name
   6 │   vpc_security_group_ids = [aws_security_group.ec2_sg_ebsapps.id]
   7 │   subnet_id              = local.private_subnets[count.index]
   8#subnet_id                   = data.aws_subnet.data_subnets_a.id
   9 └   monitoring                  = true
  ..   
────────────────────────────────────────



ccms-ec2-oracle_ebs_db.tf (terraform)
=====================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 ccms-ec2-oracle_ebs_db.tf:1-68
────────────────────────────────────────
   1 ┌ resource "aws_instance" "ec2_oracle_ebs" {
   2 │   instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsdb
   3#ami                         = data.aws_ami.oracle_db.id
   4 │   ami                         = local.application_data.accounts[local.environment].ebsdb_ami_id
   5 │   key_name                    = local.application_data.accounts[local.environment].key_name
   6 │   vpc_security_group_ids      = [aws_security_group.ec2_sg_ebsdb.id]
   7 │   subnet_id                   = data.aws_subnet.data_subnets_a.id
   8 │   monitoring                  = true
   9 └   ebs_optimized               = false
  ..   
────────────────────────────────────────



ccms-ec2-oracle_webgate-alb.tf (terraform)
==========================================
Tests: 3 (SUCCESSES: 0, FAILURES: 3)
Failures: 3 (HIGH: 3, CRITICAL: 0)

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.


See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 ccms-ec2-oracle_webgate-alb.tf:1-20
────────────────────────────────────────
   1 ┌ resource "aws_lb" "webgate_lb" {
   2 │   count              = local.is-production ? 1 : 1
   3 │   name               = lower(format("lb-%s-%s-wgate", local.application_name, local.environment))
   4 │   internal           = true
   5 │   load_balancer_type = "application"
   6 │   security_groups    = [aws_security_group.sg_webgate_lb.id]
   7 │   subnets            = data.aws_subnets.shared-private.ids
   89 └   enable_deletion_protection = true
  ..   
────────────────────────────────────────


AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.


See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 ccms-ec2-oracle_webgate-alb.tf:62-80
────────────────────────────────────────
  62 ┌ resource "aws_lb" "webgate_public_lb" {
  63 │   name               = lower(format("public-alb-webgate"))
  64 │   internal           = false
  65 │   load_balancer_type = "application"
  66 │   security_groups    = [aws_security_group.sg_webgate_lb.id]
  67 │   subnets            = data.aws_subnets.shared-public.ids
  6869 │   enable_deletion_protection = true
  70 └ 
  ..   
────────────────────────────────────────


AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 ccms-ec2-oracle_webgate-alb.tf:64
   via ccms-ec2-oracle_webgate-alb.tf:62-80 (aws_lb.webgate_public_lb)
────────────────────────────────────────
  62   resource "aws_lb" "webgate_public_lb" {
  ..   
  64 [   internal           = false
  ..   
  80   }
────────────────────────────────────────



ccms-ec2-oracle_webgate-nlb.tf (terraform)
==========================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 ccms-ec2-oracle_webgate-nlb.tf:18
   via ccms-ec2-oracle_webgate-nlb.tf:16-42 (aws_lb.webgate_nlb)
────────────────────────────────────────
  16   resource "aws_lb" "webgate_nlb" {
  ..   
  18 [   internal           = false
  ..   
  42   }
────────────────────────────────────────



ccms-ec2-oracle_webgate.tf (terraform)
======================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 ccms-ec2-oracle_webgate.tf:1-104
────────────────────────────────────────
   1 ┌ resource "aws_instance" "ec2_webgate" {
   2 │   count                  = local.application_data.accounts[local.environment].webgate_no_instances
   3 │   instance_type          = local.application_data.accounts[local.environment].ec2_oracle_instance_type_webgate
   4 │   ami                    = local.application_data.accounts[local.environment]["webgate_ami_id-${count.index + 1}"]
   5 │   key_name               = local.application_data.accounts[local.environment].key_name
   6 │   vpc_security_group_ids = [aws_security_group.ec2_sg_webgate.id]
   7 │   subnet_id              = local.private_subnets[count.index]
   8#subnet_id                   = data.aws_subnet.data_subnets_a.id
   9 └   monitoring                  = true
  ..   
────────────────────────────────────────



ccms-s3.tf (terraform)
======================
Tests: 8 (SUCCESSES: 0, FAILURES: 8)
Failures: 8 (HIGH: 8, CRITICAL: 0)

AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 ccms-s3.tf:286-288
────────────────────────────────────────
 286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
 287 │   bucket = "${local.application_name}-${local.environment}-shared"
 288 └ }
────────────────────────────────────────


AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 ccms-s3.tf:293-295
────────────────────────────────────────
 293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
 294 │   bucket = "${local.application_name}-${local.environment}-payment-load"
 295 └ }
────────────────────────────────────────


AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 ccms-s3.tf:286-288
────────────────────────────────────────
 286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
 287 │   bucket = "${local.application_name}-${local.environment}-shared"
 288 └ }
────────────────────────────────────────


AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 ccms-s3.tf:293-295
────────────────────────────────────────
 293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
 294 │   bucket = "${local.application_name}-${local.environment}-payment-load"
 295 └ }
────────────────────────────────────────


AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 ccms-s3.tf:286-288
────────────────────────────────────────
 286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
 287 │   bucket = "${local.application_name}-${local.environment}-shared"
 288 └ }
────────────────────────────────────────


AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 ccms-s3.tf:293-295
────────────────────────────────────────
 293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
 294 │   bucket = "${local.application_name}-${local.environment}-payment-load"
 295 └ }
────────────────────────────────────────


AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.


See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 ccms-s3.tf:286-288
────────────────────────────────────────
 286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
 287 │   bucket = "${local.application_name}-${local.environment}-shared"
 288 └ }
────────────────────────────────────────


AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.


See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 ccms-s3.tf:293-295
────────────────────────────────────────
 293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
 294 │   bucket = "${local.application_name}-${local.environment}-payment-load"
 295 └ }
────────────────────────────────────────


trivy_exitcode=1

@github-actions GitHub Actions
Copy link
Contributor

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/ccms-ebs

Running Trivy in terraform/environments/ccms-ebs
2024-12-12T10:18:43Z INFO [vulndb] Need to update DB
2024-12-12T10:18:43Z INFO [vulndb] Downloading vulnerability DB...
2024-12-12T10:18:43Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-12T10:18:45Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-12T10:18:45Z INFO [vuln] Vulnerability scanning is enabled
2024-12-12T10:18:45Z INFO [misconfig] Misconfiguration scanning is enabled
2024-12-12T10:18:45Z INFO [misconfig] Need to update the built-in checks
2024-12-12T10:18:45Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2024-12-12T10:18:45Z INFO [secret] Secret scanning is enabled
2024-12-12T10:18:45Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-12T10:18:45Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-12T10:18:46Z INFO [terraform scanner] Scanning root module file_path="."
2024-12-12T10:18:46Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-12-12T10:18:47Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_log_group.groups" value="cty.NilVal"
2024-12-12T10:18:47Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_security_group_rule.all_internal_egress_traffic" value="cty.NilVal"
2024-12-12T10:18:47Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_security_group_rule.all_internal_ingress_traffic" value="cty.NilVal"
2024-12-12T10:18:47Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T10:18:47Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T10:18:47Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket-dbbackup.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T10:18:47Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket-dbbackup.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T10:18:47Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket-logging.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T10:18:47Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket-logging.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T10:18:47Z INFO [terraform scanner] Scanning root module file_path="modules"
2024-12-12T10:18:47Z INFO [terraform scanner] Scanning root module file_path="modules/cw-logs"
2024-12-12T10:18:50Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-12-12T10:18:50Z INFO [terraform executor] Ignore finding rule="aws-iam-no-user-attached-policies" range="ccms-iam.tf:283-289"
2024-12-12T10:18:51Z INFO Number of language-specific files num=0
2024-12-12T10:18:51Z INFO Detected config files num=28

ccms-ec2-oracle_accessgate.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ccms-ec2-oracle_accessgate.tf:1-104
────────────────────────────────────────
1 ┌ resource "aws_instance" "ec2_accessgate" {
2 │ count = local.application_data.accounts[local.environment].accessgate_no_instances
3 │ instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_accessgate
4 │ ami = local.application_data.accounts[local.environment]["accessgate_ami_id-${count.index + 1}"]
5 │ key_name = local.application_data.accounts[local.environment].key_name
6 │ vpc_security_group_ids = [aws_security_group.ec2_sg_accessgate.id]
7 │ subnet_id = local.private_subnets[count.index]
8 │ #subnet_id = data.aws_subnet.data_subnets_a.id
9 └ monitoring = true
..
────────────────────────────────────────

ccms-ec2-oracle_ebs_apps-alb.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-alb.tf:1-19
────────────────────────────────────────
1 ┌ resource "aws_lb" "ebsapps_lb" {
2 │ name = lower(format("lb-%s-%s-ebsapp", local.application_name, local.environment))
3 │ internal = false
4 │ load_balancer_type = "application"
5 │ security_groups = [aws_security_group.sg_ebsapps_lb.id]
6 │ subnets = data.aws_subnets.shared-public.ids
7 │
8 │ enable_deletion_protection = true
9 └
..
────────────────────────────────────────

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-alb.tf:3
via ccms-ec2-oracle_ebs_apps-alb.tf:1-19 (aws_lb.ebsapps_lb)
────────────────────────────────────────
1 resource "aws_lb" "ebsapps_lb" {
.
3 [ internal = false
..
19 }
────────────────────────────────────────

ccms-ec2-oracle_ebs_apps-nlb.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-nlb.tf:18
via ccms-ec2-oracle_ebs_apps-nlb.tf:16-42 (aws_lb.ebsapps_nlb)
────────────────────────────────────────
16 resource "aws_lb" "ebsapps_nlb" {
..
18 [ internal = false
..
42 }
────────────────────────────────────────

ccms-ec2-oracle_ebs_apps.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps.tf:1-127
────────────────────────────────────────
1 ┌ resource "aws_instance" "ec2_ebsapps" {
2 │ count = local.application_data.accounts[local.environment].ebsapps_no_instances
3 │ instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsapps
4 │ ami = local.application_data.accounts[local.environment]["ebsapps_ami_id-${count.index + 1}"]
5 │ key_name = local.application_data.accounts[local.environment].key_name
6 │ vpc_security_group_ids = [aws_security_group.ec2_sg_ebsapps.id]
7 │ subnet_id = local.private_subnets[count.index]
8 │ #subnet_id = data.aws_subnet.data_subnets_a.id
9 └ monitoring = true
..
────────────────────────────────────────

ccms-ec2-oracle_ebs_db.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
ccms-ec2-oracle_ebs_db.tf:1-68
────────────────────────────────────────
1 ┌ resource "aws_instance" "ec2_oracle_ebs" {
2 │ instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsdb
3 │ #ami = data.aws_ami.oracle_db.id
4 │ ami = local.application_data.accounts[local.environment].ebsdb_ami_id
5 │ key_name = local.application_data.accounts[local.environment].key_name
6 │ vpc_security_group_ids = [aws_security_group.ec2_sg_ebsdb.id]
7 │ subnet_id = data.aws_subnet.data_subnets_a.id
8 │ monitoring = true
9 └ ebs_optimized = false
..
────────────────────────────────────────

ccms-ec2-oracle_webgate-alb.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 3)
Failures: 3 (HIGH: 3, CRITICAL: 0)

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
ccms-ec2-oracle_webgate-alb.tf:1-20
────────────────────────────────────────
1 ┌ resource "aws_lb" "webgate_lb" {
2 │ count = local.is-production ? 1 : 1
3 │ name = lower(format("lb-%s-%s-wgate", local.application_name, local.environment))
4 │ internal = true
5 │ load_balancer_type = "application"
6 │ security_groups = [aws_security_group.sg_webgate_lb.id]
7 │ subnets = data.aws_subnets.shared-private.ids
8 │
9 └ enable_deletion_protection = true
..
────────────────────────────────────────

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
ccms-ec2-oracle_webgate-alb.tf:62-80
────────────────────────────────────────
62 ┌ resource "aws_lb" "webgate_public_lb" {
63 │ name = lower(format("public-alb-webgate"))
64 │ internal = false
65 │ load_balancer_type = "application"
66 │ security_groups = [aws_security_group.sg_webgate_lb.id]
67 │ subnets = data.aws_subnets.shared-public.ids
68 │
69 │ enable_deletion_protection = true
70 └
..
────────────────────────────────────────

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ccms-ec2-oracle_webgate-alb.tf:64
via ccms-ec2-oracle_webgate-alb.tf:62-80 (aws_lb.webgate_public_lb)
────────────────────────────────────────
62 resource "aws_lb" "webgate_public_lb" {
..
64 [ internal = false
..
80 }
────────────────────────────────────────

ccms-ec2-oracle_webgate-nlb.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ccms-ec2-oracle_webgate-nlb.tf:18
via ccms-ec2-oracle_webgate-nlb.tf:16-42 (aws_lb.webgate_nlb)
────────────────────────────────────────
16 resource "aws_lb" "webgate_nlb" {
..
18 [ internal = false
..
42 }
────────────────────────────────────────

ccms-ec2-oracle_webgate.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ccms-ec2-oracle_webgate.tf:1-104
────────────────────────────────────────
1 ┌ resource "aws_instance" "ec2_webgate" {
2 │ count = local.application_data.accounts[local.environment].webgate_no_instances
3 │ instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_webgate
4 │ ami = local.application_data.accounts[local.environment]["webgate_ami_id-${count.index + 1}"]
5 │ key_name = local.application_data.accounts[local.environment].key_name
6 │ vpc_security_group_ids = [aws_security_group.ec2_sg_webgate.id]
7 │ subnet_id = local.private_subnets[count.index]
8 │ #subnet_id = data.aws_subnet.data_subnets_a.id
9 └ monitoring = true
..
────────────────────────────────────────

ccms-s3.tf (terraform)

Tests: 8 (SUCCESSES: 0, FAILURES: 8)
Failures: 8 (HIGH: 8, CRITICAL: 0)

AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.

See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
ccms-s3.tf:286-288
────────────────────────────────────────
286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
287 │ bucket = "${local.application_name}-${local.environment}-shared"
288 └ }
────────────────────────────────────────

AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.

See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
ccms-s3.tf:293-295
────────────────────────────────────────
293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
294 │ bucket = "${local.application_name}-${local.environment}-payment-load"
295 └ }
────────────────────────────────────────

AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
ccms-s3.tf:286-288
────────────────────────────────────────
286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
287 │ bucket = "${local.application_name}-${local.environment}-shared"
288 └ }
────────────────────────────────────────

AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
ccms-s3.tf:293-295
────────────────────────────────────────
293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
294 │ bucket = "${local.application_name}-${local.environment}-payment-load"
295 └ }
────────────────────────────────────────

AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
ccms-s3.tf:286-288
────────────────────────────────────────
286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
287 │ bucket = "${local.application_name}-${local.environment}-shared"
288 └ }
────────────────────────────────────────

AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
ccms-s3.tf:293-295
────────────────────────────────────────
293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
294 │ bucket = "${local.application_name}-${local.environment}-payment-load"
295 └ }
────────────────────────────────────────

AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
ccms-s3.tf:286-288
────────────────────────────────────────
286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
287 │ bucket = "${local.application_name}-${local.environment}-shared"
288 └ }
────────────────────────────────────────

AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
ccms-s3.tf:293-295
────────────────────────────────────────
293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
294 │ bucket = "${local.application_name}-${local.environment}-payment-load"
295 └ }
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/ccms-ebs

*****************************

Running Checkov in terraform/environments/ccms-ebs
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-12-12 10:18:54,337 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 956, Failed checks: 74, Skipped checks: 3

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.groups
	File: /ccms-cloudwatch.tf:15-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		15 | resource "aws_cloudwatch_log_group" "groups" {
		16 |   for_each          = local.application_data.cw_log_groups
		17 |   name              = each.key
		18 |   retention_in_days = each.value.retention_days
		19 | 
		20 |   tags = merge(
		21 |     local.tags,
		22 |     {
		23 |       Name = each.key
		24 |     },
		25 |   )
		26 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.cloudwatch_datasource
	File: /ccms-cloudwatch.tf:54-106
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.dlm_lifecycle
	File: /ccms-dlm.tf:24-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		24 | resource "aws_iam_role_policy" "dlm_lifecycle" {
		25 |   count = local.is-production ? 0 : 1
		26 |   name  = "dlm-lifecycle-policy"
		27 |   role  = aws_iam_role.dlm_lifecycle_role[0].id
		28 | 
		29 |   policy = <<EOF
		30 | {
		31 |    "Version": "2012-10-17",
		32 |    "Statement": [
		33 |       {
		34 |          "Effect": "Allow",
		35 |          "Action": [
		36 |             "ec2:CreateSnapshot",
		37 |             "ec2:DeleteSnapshot",
		38 |             "ec2:DescribeVolumes",
		39 |             "ec2:DescribeSnapshots"
		40 |          ],
		41 |          "Resource": "*"
		42 |       },
		43 |       {
		44 |          "Effect": "Allow",
		45 |          "Action": [
		46 |             "ec2:CreateTags"
		47 |          ],
		48 |          "Resource": "arn:aws:ec2:*::snapshot/*"
		49 |       }
		50 |    ]
		51 | }
		52 | EOF
		53 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.dlm_lifecycle
	File: /ccms-dlm.tf:24-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		24 | resource "aws_iam_role_policy" "dlm_lifecycle" {
		25 |   count = local.is-production ? 0 : 1
		26 |   name  = "dlm-lifecycle-policy"
		27 |   role  = aws_iam_role.dlm_lifecycle_role[0].id
		28 | 
		29 |   policy = <<EOF
		30 | {
		31 |    "Version": "2012-10-17",
		32 |    "Statement": [
		33 |       {
		34 |          "Effect": "Allow",
		35 |          "Action": [
		36 |             "ec2:CreateSnapshot",
		37 |             "ec2:DeleteSnapshot",
		38 |             "ec2:DescribeVolumes",
		39 |             "ec2:DescribeSnapshots"
		40 |          ],
		41 |          "Resource": "*"
		42 |       },
		43 |       {
		44 |          "Effect": "Allow",
		45 |          "Action": [
		46 |             "ec2:CreateTags"
		47 |          ],
		48 |          "Resource": "arn:aws:ec2:*::snapshot/*"
		49 |       }
		50 |    ]
		51 | }
		52 | EOF
		53 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_ftp
	File: /ccms-ec2-ftp.tf:1-67
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_mailrelay
	File: /ccms-ec2-mailrelay.tf:2-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.ec2_accessgate
	File: /ccms-ec2-oracle_accessgate.tf:1-104
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_accessgate
	File: /ccms-ec2-oracle_accessgate.tf:1-104
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.ebsapps_lb
	File: /ccms-ec2-oracle_ebs_apps-alb.tf:1-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		1  | resource "aws_lb" "ebsapps_lb" {
		2  |   name               = lower(format("lb-%s-%s-ebsapp", local.application_name, local.environment))
		3  |   internal           = false
		4  |   load_balancer_type = "application"
		5  |   security_groups    = [aws_security_group.sg_ebsapps_lb.id]
		6  |   subnets            = data.aws_subnets.shared-public.ids
		7  | 
		8  |   enable_deletion_protection = true
		9  | 
		10 |   access_logs {
		11 |     bucket  = module.s3-bucket-logging.bucket.id
		12 |     prefix  = local.lb_log_prefix_ebsapp
		13 |     enabled = true
		14 |   }
		15 | 
		16 |   tags = merge(local.tags,
		17 |     { Name = lower(format("lb-%s-%s-ebsapp", local.application_name, local.environment)) }
		18 |   )
		19 | }

Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
	FAILED for resource: aws_lb_target_group.ebsapp_tg
	File: /ccms-ec2-oracle_ebs_apps-alb.tf:39-54
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks

		39 | resource "aws_lb_target_group" "ebsapp_tg" {
		40 |   name     = lower(format("tg-%s-%s-ebsapp", local.application_name, local.environment))
		41 |   port     = local.application_data.accounts[local.environment].tg_apps_port
		42 |   protocol = "HTTP"
		43 |   vpc_id   = data.aws_vpc.shared.id
		44 |   health_check {
		45 |     port     = local.application_data.accounts[local.environment].tg_apps_port
		46 |     protocol = "HTTP"
		47 |   }
		48 | 
		49 |   stickiness {
		50 |     enabled         = true
		51 |     type            = "lb_cookie"
		52 |     cookie_duration = 3600
		53 |   }
		54 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.ebsapps_nlb
	File: /ccms-ec2-oracle_ebs_apps-nlb.tf:16-42
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		16 | resource "aws_lb" "ebsapps_nlb" {
		17 |   name               = lower(format("nlb-%s-%s-ebs", local.application_name, local.environment))
		18 |   internal           = false
		19 |   load_balancer_type = "network"
		20 | 
		21 |   enable_deletion_protection       = true
		22 |   enable_cross_zone_load_balancing = true
		23 | 
		24 |   subnet_mapping {
		25 |     subnet_id     = data.aws_subnets.shared-public.ids[0]
		26 |     allocation_id = aws_eip.ebs_eip[0].id
		27 |   }
		28 | 
		29 |   subnet_mapping {
		30 |     subnet_id     = data.aws_subnets.shared-public.ids[1]
		31 |     allocation_id = aws_eip.ebs_eip[1].id
		32 |   }
		33 | 
		34 |   subnet_mapping {
		35 |     subnet_id     = data.aws_subnets.shared-public.ids[2]
		36 |     allocation_id = aws_eip.ebs_eip[2].id
		37 |   }
		38 | 
		39 |   tags = merge(local.tags,
		40 |     { Name = lower(format("nlb-%s-%s-ebsapp", local.application_name, local.environment)) }
		41 |   )
		42 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.ec2_ebsapps
	File: /ccms-ec2-oracle_ebs_apps.tf:1-127
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_ebsapps
	File: /ccms-ec2-oracle_ebs_apps.tf:1-127
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
	FAILED for resource: aws_instance.ec2_oracle_ebs
	File: /ccms-ec2-oracle_ebs_db.tf:1-68
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-13

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_oracle_ebs
	File: /ccms-ec2-oracle_ebs_db.tf:1-68
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.webgate_lb
	File: /ccms-ec2-oracle_webgate-alb.tf:1-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		1  | resource "aws_lb" "webgate_lb" {
		2  |   count              = local.is-production ? 1 : 1
		3  |   name               = lower(format("lb-%s-%s-wgate", local.application_name, local.environment))
		4  |   internal           = true
		5  |   load_balancer_type = "application"
		6  |   security_groups    = [aws_security_group.sg_webgate_lb.id]
		7  |   subnets            = data.aws_subnets.shared-private.ids
		8  | 
		9  |   enable_deletion_protection = true
		10 | 
		11 |   access_logs {
		12 |     bucket  = module.s3-bucket-logging.bucket.id
		13 |     prefix  = local.lb_log_prefix_wgate
		14 |     enabled = true
		15 |   }
		16 | 
		17 |   tags = merge(local.tags,
		18 |     { Name = lower(format("lb-%s-%s-wgate", local.application_name, local.environment)) }
		19 |   )
		20 | }

Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
	FAILED for resource: aws_lb_target_group.webgate_tg
	File: /ccms-ec2-oracle_webgate-alb.tf:40-52
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks

		40 | resource "aws_lb_target_group" "webgate_tg" {
		41 |   count    = local.is-production ? 1 : 1
		42 |   name     = lower(format("tg-%s-%s-wgate", local.application_name, local.environment))
		43 |   port     = 5401
		44 |   protocol = "HTTP"
		45 |   vpc_id   = data.aws_vpc.shared.id
		46 |   health_check {
		47 |     port     = 5401
		48 |     protocol = "HTTP"
		49 |     matcher  = 302
		50 |     timeout  = 10
		51 |   }
		52 | }

Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.webgate_public_lb
	File: /ccms-ec2-oracle_webgate-alb.tf:62-80
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		62 | resource "aws_lb" "webgate_public_lb" {
		63 |   name               = lower(format("public-alb-webgate"))
		64 |   internal           = false
		65 |   load_balancer_type = "application"
		66 |   security_groups    = [aws_security_group.sg_webgate_lb.id]
		67 |   subnets            = data.aws_subnets.shared-public.ids
		68 | 
		69 |   enable_deletion_protection = true
		70 | 
		71 |   access_logs {
		72 |     bucket  = module.s3-bucket-logging.bucket.id
		73 |     prefix  = local.lb_log_prefix_wgate_public
		74 |     enabled = true
		75 |   }
		76 | 
		77 |   tags = merge(local.tags,
		78 |     { Name = lower(format("public-alb-webgate")) }
		79 |   )
		80 | }

Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
	FAILED for resource: aws_lb_target_group.webgate_tg_public
	File: /ccms-ec2-oracle_webgate-alb.tf:100-111
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks

		100 | resource "aws_lb_target_group" "webgate_tg_public" {
		101 |   name     = lower(format("public-alb-webgate-tg"))
		102 |   port     = 5401
		103 |   protocol = "HTTP"
		104 |   vpc_id   = data.aws_vpc.shared.id
		105 |   health_check {
		106 |     port     = 5401
		107 |     protocol = "HTTP"
		108 |     matcher  = 302
		109 |     timeout  = 10
		110 |   }
		111 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.webgate_nlb
	File: /ccms-ec2-oracle_webgate-nlb.tf:16-42
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		16 | resource "aws_lb" "webgate_nlb" {
		17 |   name               = lower(format("public-nlb-webgate"))
		18 |   internal           = false
		19 |   load_balancer_type = "network"
		20 | 
		21 |   enable_deletion_protection       = true
		22 |   enable_cross_zone_load_balancing = true
		23 | 
		24 |   subnet_mapping {
		25 |     subnet_id     = data.aws_subnets.shared-public.ids[0]
		26 |     allocation_id = aws_eip.webgate_eip[0].id
		27 |   }
		28 | 
		29 |   subnet_mapping {
		30 |     subnet_id     = data.aws_subnets.shared-public.ids[1]
		31 |     allocation_id = aws_eip.webgate_eip[1].id
		32 |   }
		33 | 
		34 |   subnet_mapping {
		35 |     subnet_id     = data.aws_subnets.shared-public.ids[2]
		36 |     allocation_id = aws_eip.webgate_eip[2].id
		37 |   }
		38 | 
		39 |   tags = merge(local.tags,
		40 |     { Name = lower(format("public-nlb-webgate")) }
		41 |   )
		42 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.ec2_webgate
	File: /ccms-ec2-oracle_webgate.tf:1-104
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_webgate
	File: /ccms-ec2-oracle_webgate.tf:1-104
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.ec2_operations_policy
	File: /ccms-iam.tf:249-273
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		249 | resource "aws_iam_policy" "ec2_operations_policy" {
		250 |   name        = "ec2_operations-${local.environment}"
		251 |   description = "Allows EC2 operations."
		252 | 
		253 |   policy = jsonencode(
		254 |     {
		255 |       "Version" : "2012-10-17",
		256 |       "Statement" : [
		257 |         {
		258 |           "Sid" : "EC2Operations",
		259 |           "Effect" : "Allow",
		260 |           "Action" : [
		261 |             "ec2:Describe*",
		262 |             "ec2:CreateSnapshot",
		263 |             "ec2:CreateSnapshots",
		264 |             "ec2:DeleteSnapshot",
		265 |             "ec2:CreateTags",
		266 |             "ec2:DeleteTags"
		267 |           ],
		268 |           "Resource" : "*"
		269 |         }
		270 |       ]
		271 |     }
		272 |   )
		273 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.ec2_operations_policy
	File: /ccms-iam.tf:249-273
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		249 | resource "aws_iam_policy" "ec2_operations_policy" {
		250 |   name        = "ec2_operations-${local.environment}"
		251 |   description = "Allows EC2 operations."
		252 | 
		253 |   policy = jsonencode(
		254 |     {
		255 |       "Version" : "2012-10-17",
		256 |       "Statement" : [
		257 |         {
		258 |           "Sid" : "EC2Operations",
		259 |           "Effect" : "Allow",
		260 |           "Action" : [
		261 |             "ec2:Describe*",
		262 |             "ec2:CreateSnapshot",
		263 |             "ec2:CreateSnapshots",
		264 |             "ec2:DeleteSnapshot",
		265 |             "ec2:CreateTags",
		266 |             "ec2:DeleteTags"
		267 |           ],
		268 |           "Resource" : "*"
		269 |         }
		270 |       ]
		271 |     }
		272 |   )
		273 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.certificate_expiration_alerts
	File: /ccms-lambda-certificate-checker.tf:43-45
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		43 | resource "aws_sns_topic" "certificate_expiration_alerts" {
		44 |   name = "acm-certificate-alerts"
		45 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.certificate_monitor
	File: /ccms-lambda-certificate-checker.tf:53-69
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		53 | resource "aws_lambda_function" "certificate_monitor" {
		54 |   filename      = "certificate_monitor.zip"
		55 |   function_name = "${local.application_name}-${local.environment}-certificate-monitor"
		56 |   role          = aws_iam_role.lambda_certificate_monitor_role.arn
		57 |   handler       = "lambda_function.lambda_handler"
		58 |   runtime       = "python3.11"
		59 |   timeout       = 30
		60 | 
		61 |   environment {
		62 |     variables = {
		63 |       SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
		64 |     }
		65 |   }
		66 |   tags = merge(local.tags, {
		67 |     Name = "${local.application_name}-${local.environment}-certificate-monitor"
		68 |   })
		69 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.certificate_monitor
	File: /ccms-lambda-certificate-checker.tf:53-69
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		53 | resource "aws_lambda_function" "certificate_monitor" {
		54 |   filename      = "certificate_monitor.zip"
		55 |   function_name = "${local.application_name}-${local.environment}-certificate-monitor"
		56 |   role          = aws_iam_role.lambda_certificate_monitor_role.arn
		57 |   handler       = "lambda_function.lambda_handler"
		58 |   runtime       = "python3.11"
		59 |   timeout       = 30
		60 | 
		61 |   environment {
		62 |     variables = {
		63 |       SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
		64 |     }
		65 |   }
		66 |   tags = merge(local.tags, {
		67 |     Name = "${local.application_name}-${local.environment}-certificate-monitor"
		68 |   })
		69 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.certificate_monitor
	File: /ccms-lambda-certificate-checker.tf:53-69
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		53 | resource "aws_lambda_function" "certificate_monitor" {
		54 |   filename      = "certificate_monitor.zip"
		55 |   function_name = "${local.application_name}-${local.environment}-certificate-monitor"
		56 |   role          = aws_iam_role.lambda_certificate_monitor_role.arn
		57 |   handler       = "lambda_function.lambda_handler"
		58 |   runtime       = "python3.11"
		59 |   timeout       = 30
		60 | 
		61 |   environment {
		62 |     variables = {
		63 |       SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
		64 |     }
		65 |   }
		66 |   tags = merge(local.tags, {
		67 |     Name = "${local.application_name}-${local.environment}-certificate-monitor"
		68 |   })
		69 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.certificate_monitor
	File: /ccms-lambda-certificate-checker.tf:53-69
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		53 | resource "aws_lambda_function" "certificate_monitor" {
		54 |   filename      = "certificate_monitor.zip"
		55 |   function_name = "${local.application_name}-${local.environment}-certificate-monitor"
		56 |   role          = aws_iam_role.lambda_certificate_monitor_role.arn
		57 |   handler       = "lambda_function.lambda_handler"
		58 |   runtime       = "python3.11"
		59 |   timeout       = 30
		60 | 
		61 |   environment {
		62 |     variables = {
		63 |       SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
		64 |     }
		65 |   }
		66 |   tags = merge(local.tags, {
		67 |     Name = "${local.application_name}-${local.environment}-certificate-monitor"
		68 |   })
		69 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.certificate_monitor
	File: /ccms-lambda-certificate-checker.tf:53-69
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		53 | resource "aws_lambda_function" "certificate_monitor" {
		54 |   filename      = "certificate_monitor.zip"
		55 |   function_name = "${local.application_name}-${local.environment}-certificate-monitor"
		56 |   role          = aws_iam_role.lambda_certificate_monitor_role.arn
		57 |   handler       = "lambda_function.lambda_handler"
		58 |   runtime       = "python3.11"
		59 |   timeout       = 30
		60 | 
		61 |   environment {
		62 |     variables = {
		63 |       SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
		64 |     }
		65 |   }
		66 |   tags = merge(local.tags, {
		67 |     Name = "${local.application_name}-${local.environment}-certificate-monitor"
		68 |   })
		69 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.certificate_monitor
	File: /ccms-lambda-certificate-checker.tf:53-69
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		53 | resource "aws_lambda_function" "certificate_monitor" {
		54 |   filename      = "certificate_monitor.zip"
		55 |   function_name = "${local.application_name}-${local.environment}-certificate-monitor"
		56 |   role          = aws_iam_role.lambda_certificate_monitor_role.arn
		57 |   handler       = "lambda_function.lambda_handler"
		58 |   runtime       = "python3.11"
		59 |   timeout       = 30
		60 | 
		61 |   environment {
		62 |     variables = {
		63 |       SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
		64 |     }
		65 |   }
		66 |   tags = merge(local.tags, {
		67 |     Name = "${local.application_name}-${local.environment}-certificate-monitor"
		68 |   })
		69 | }

Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
	FAILED for resource: aws_security_group.lambda_security_group
	File: /ccms-lambda.tf:22-44

		22 | resource "aws_security_group" "lambda_security_group" {
		23 |   name        = "${local.application_name}-${local.environment}-lambda-sg"
		24 |   description = "SG traffic control for Payment Load Lambda"
		25 |   vpc_id      = data.aws_vpc.shared.id
		26 | 
		27 |   ingress {
		28 |     from_port   = 1521
		29 |     to_port     = 1522
		30 |     protocol    = "tcp"
		31 |     cidr_blocks = [data.aws_vpc.shared.cidr_block]
		32 |   }
		33 | 
		34 |   egress {
		35 |     from_port   = 0
		36 |     to_port     = 0
		37 |     protocol    = "-1"
		38 |     cidr_blocks = ["0.0.0.0/0"]
		39 |   }
		40 | 
		41 |   tags = merge(local.tags,
		42 |     { Name = "${local.application_name}-${local.environment}-lambda-sg" }
		43 |   )
		44 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.lambda_security_group
	File: /ccms-lambda.tf:22-44
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		22 | resource "aws_security_group" "lambda_security_group" {
		23 |   name        = "${local.application_name}-${local.environment}-lambda-sg"
		24 |   description = "SG traffic control for Payment Load Lambda"
		25 |   vpc_id      = data.aws_vpc.shared.id
		26 | 
		27 |   ingress {
		28 |     from_port   = 1521
		29 |     to_port     = 1522
		30 |     protocol    = "tcp"
		31 |     cidr_blocks = [data.aws_vpc.shared.cidr_block]
		32 |   }
		33 | 
		34 |   egress {
		35 |     from_port   = 0
		36 |     to_port     = 0
		37 |     protocol    = "-1"
		38 |     cidr_blocks = ["0.0.0.0/0"]
		39 |   }
		40 | 
		41 |   tags = merge(local.tags,
		42 |     { Name = "${local.application_name}-${local.environment}-lambda-sg" }
		43 |   )
		44 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.lambda_function
	File: /ccms-lambda.tf:48-82
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		48 | resource "aws_lambda_function" "lambda_function" {
		49 |   function_name = "${local.application_name}-${local.environment}-payment-load"
		50 |   filename      = "lambda/functionV2.zip"
		51 |   handler       = "lambda_function.lambda_handler"
		52 |   runtime       = "python3.10"
		53 |   role          = aws_iam_role.lambda_execution_role.arn
		54 |   layers        = [aws_lambda_layer_version.lambda_layer.arn]
		55 |   architectures = ["x86_64"]
		56 |   memory_size   = 128
		57 |   timeout       = 120
		58 | 
		59 |   vpc_config {
		60 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		61 |     security_group_ids = [aws_security_group.lambda_security_group.id]
		62 |   }
		63 |   environment {
		64 |     variables = {
		65 |       IS_PRODUCTION   = local.is-production ? "true" : "false"
		66 |       LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
		67 |       S3_BUCKET_NAME  = aws_s3_bucket.lambda_payment_load.bucket
		68 |       SECRET_NAME     = aws_secretsmanager_secret.secret_lambda_s3.name
		69 |     }
		70 |   }
		71 |   logging_config {
		72 |     log_format            = "JSON"
		73 |     application_log_level = "INFO"
		74 |     system_log_level      = "INFO"
		75 |   }
		76 | 
		77 |   tags = merge(local.tags, {
		78 |     Name = "${local.application_name}-${local.environment}-payment-load"
		79 |   })
		80 | 
		81 |   depends_on = [aws_lambda_layer_version.lambda_layer]
		82 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.lambda_function
	File: /ccms-lambda.tf:48-82
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		48 | resource "aws_lambda_function" "lambda_function" {
		49 |   function_name = "${local.application_name}-${local.environment}-payment-load"
		50 |   filename      = "lambda/functionV2.zip"
		51 |   handler       = "lambda_function.lambda_handler"
		52 |   runtime       = "python3.10"
		53 |   role          = aws_iam_role.lambda_execution_role.arn
		54 |   layers        = [aws_lambda_layer_version.lambda_layer.arn]
		55 |   architectures = ["x86_64"]
		56 |   memory_size   = 128
		57 |   timeout       = 120
		58 | 
		59 |   vpc_config {
		60 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		61 |     security_group_ids = [aws_security_group.lambda_security_group.id]
		62 |   }
		63 |   environment {
		64 |     variables = {
		65 |       IS_PRODUCTION   = local.is-production ? "true" : "false"
		66 |       LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
		67 |       S3_BUCKET_NAME  = aws_s3_bucket.lambda_payment_load.bucket
		68 |       SECRET_NAME     = aws_secretsmanager_secret.secret_lambda_s3.name
		69 |     }
		70 |   }
		71 |   logging_config {
		72 |     log_format            = "JSON"
		73 |     application_log_level = "INFO"
		74 |     system_log_level      = "INFO"
		75 |   }
		76 | 
		77 |   tags = merge(local.tags, {
		78 |     Name = "${local.application_name}-${local.environment}-payment-load"
		79 |   })
		80 | 
		81 |   depends_on = [aws_lambda_layer_version.lambda_layer]
		82 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.lambda_function
	File: /ccms-lambda.tf:48-82
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		48 | resource "aws_lambda_function" "lambda_function" {
		49 |   function_name = "${local.application_name}-${local.environment}-payment-load"
		50 |   filename      = "lambda/functionV2.zip"
		51 |   handler       = "lambda_function.lambda_handler"
		52 |   runtime       = "python3.10"
		53 |   role          = aws_iam_role.lambda_execution_role.arn
		54 |   layers        = [aws_lambda_layer_version.lambda_layer.arn]
		55 |   architectures = ["x86_64"]
		56 |   memory_size   = 128
		57 |   timeout       = 120
		58 | 
		59 |   vpc_config {
		60 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		61 |     security_group_ids = [aws_security_group.lambda_security_group.id]
		62 |   }
		63 |   environment {
		64 |     variables = {
		65 |       IS_PRODUCTION   = local.is-production ? "true" : "false"
		66 |       LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
		67 |       S3_BUCKET_NAME  = aws_s3_bucket.lambda_payment_load.bucket
		68 |       SECRET_NAME     = aws_secretsmanager_secret.secret_lambda_s3.name
		69 |     }
		70 |   }
		71 |   logging_config {
		72 |     log_format            = "JSON"
		73 |     application_log_level = "INFO"
		74 |     system_log_level      = "INFO"
		75 |   }
		76 | 
		77 |   tags = merge(local.tags, {
		78 |     Name = "${local.application_name}-${local.environment}-payment-load"
		79 |   })
		80 | 
		81 |   depends_on = [aws_lambda_layer_version.lambda_layer]
		82 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.lambda_function
	File: /ccms-lambda.tf:48-82
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		48 | resource "aws_lambda_function" "lambda_function" {
		49 |   function_name = "${local.application_name}-${local.environment}-payment-load"
		50 |   filename      = "lambda/functionV2.zip"
		51 |   handler       = "lambda_function.lambda_handler"
		52 |   runtime       = "python3.10"
		53 |   role          = aws_iam_role.lambda_execution_role.arn
		54 |   layers        = [aws_lambda_layer_version.lambda_layer.arn]
		55 |   architectures = ["x86_64"]
		56 |   memory_size   = 128
		57 |   timeout       = 120
		58 | 
		59 |   vpc_config {
		60 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		61 |     security_group_ids = [aws_security_group.lambda_security_group.id]
		62 |   }
		63 |   environment {
		64 |     variables = {
		65 |       IS_PRODUCTION   = local.is-production ? "true" : "false"
		66 |       LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
		67 |       S3_BUCKET_NAME  = aws_s3_bucket.lambda_payment_load.bucket
		68 |       SECRET_NAME     = aws_secretsmanager_secret.secret_lambda_s3.name
		69 |     }
		70 |   }
		71 |   logging_config {
		72 |     log_format            = "JSON"
		73 |     application_log_level = "INFO"
		74 |     system_log_level      = "INFO"
		75 |   }
		76 | 
		77 |   tags = merge(local.tags, {
		78 |     Name = "${local.application_name}-${local.environment}-payment-load"
		79 |   })
		80 | 
		81 |   depends_on = [aws_lambda_layer_version.lambda_layer]
		82 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.lambda_function
	File: /ccms-lambda.tf:48-82
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		48 | resource "aws_lambda_function" "lambda_function" {
		49 |   function_name = "${local.application_name}-${local.environment}-payment-load"
		50 |   filename      = "lambda/functionV2.zip"
		51 |   handler       = "lambda_function.lambda_handler"
		52 |   runtime       = "python3.10"
		53 |   role          = aws_iam_role.lambda_execution_role.arn
		54 |   layers        = [aws_lambda_layer_version.lambda_layer.arn]
		55 |   architectures = ["x86_64"]
		56 |   memory_size   = 128
		57 |   timeout       = 120
		58 | 
		59 |   vpc_config {
		60 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		61 |     security_group_ids = [aws_security_group.lambda_security_group.id]
		62 |   }
		63 |   environment {
		64 |     variables = {
		65 |       IS_PRODUCTION   = local.is-production ? "true" : "false"
		66 |       LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
		67 |       S3_BUCKET_NAME  = aws_s3_bucket.lambda_payment_load.bucket
		68 |       SECRET_NAME     = aws_secretsmanager_secret.secret_lambda_s3.name
		69 |     }
		70 |   }
		71 |   logging_config {
		72 |     log_format            = "JSON"
		73 |     application_log_level = "INFO"
		74 |     system_log_level      = "INFO"
		75 |   }
		76 | 
		77 |   tags = merge(local.tags, {
		78 |     Name = "${local.application_name}-${local.environment}-payment-load"
		79 |   })
		80 | 
		81 |   depends_on = [aws_lambda_layer_version.lambda_layer]
		82 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3-bucket
	File: /ccms-s3.tf:2-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3-bucket-logging
	File: /ccms-s3.tf:98-166
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3-bucket-dbbackup
	File: /ccms-s3.tf:190-258
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.secret_ftp_s3
	File: /ccms-secrets.tf:3-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		3  | resource "aws_secretsmanager_secret" "secret_ftp_s3" {
		4  |   name        = "ftp-s3-${local.environment}-aws-key"
		5  |   description = "AWS credentials for mounting of s3 buckets for the FTP Service to access"
		6  | 
		7  |   tags = merge(local.tags,
		8  |     { Name = "ftp-s3-${local.environment}-aws-key" }
		9  |   )
		10 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.secret_ses_smtp_credentials
	File: /ccms-secrets.tf:12-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		12 | resource "aws_secretsmanager_secret" "secret_ses_smtp_credentials" {
		13 |   name        = "ses-smtp-credentials"
		14 |   description = "SMTP credentials for Postfix to send messages through SES."
		15 | 
		16 |   tags = merge(local.tags,
		17 |     { Name = "ses-smtp-credentials-${local.environment}" }
		18 |   )
		19 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.secret_lambda_s3
	File: /ccms-secrets.tf:23-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		23 | resource "aws_secretsmanager_secret" "secret_lambda_s3" {
		24 |   name        = "db-${local.environment}-credentials"
		25 |   description = "AWS credentials for lambda to connect to the db"
		26 | 
		27 |   tags = merge(local.tags,
		28 |     { Name = "db-${local.environment}-credentials" }
		29 |   )
		30 | }
Check: CKV_AWS_365: "Ensure SES Configuration Set enforces TLS usage"
	FAILED for resource: aws_ses_configuration_set.default_configuration_set
	File: /ccms-ses.tf:35-43
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-365

		35 | resource "aws_ses_configuration_set" "default_configuration_set" {
		36 |   name = "default-configuration-set"
		37 | 
		38 |   delivery_options {
		39 |     tls_policy = "Optional"
		40 |   }
		41 |   reputation_metrics_enabled = true
		42 |   sending_enabled            = true
		43 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.support_email_account
	File: /ccms-sns.tf:2-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		2 | resource "aws_secretsmanager_secret" "support_email_account" {
		3 |   name        = "support_email_account"
		4 |   description = "email address of the support account for cw alerts"
		5 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.cw_alerts
	File: /ccms-sns.tf:17-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		17 | resource "aws_sns_topic" "cw_alerts" {
		18 |   name = "ccms-ebs-ec2-alerts"
		19 |   #kms_master_key_id = "alias/aws/sns"
		20 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.s3_topic
	File: /ccms-sns.tf:34-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		34 | resource "aws_sns_topic" "s3_topic" {
		35 |   name   = "s3-event-notification-topic"
		36 |   policy = data.aws_iam_policy_document.s3_topic_policy.json
		37 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.ddos_alarm
	File: /ccms-sns.tf:51-54
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		51 | resource "aws_sns_topic" "ddos_alarm" {
		52 |   name = format("%s_ddos_alarm", local.application_name)
		53 |   #kms_master_key_id = "alias/aws/sns"
		54 | }

Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
	FAILED for resource: aws_wafv2_web_acl.ebs_web_acl
	File: /ccms-waf.tf:172-211
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-waf-prevents-message-lookup-in-log4j2

		172 | resource "aws_wafv2_web_acl" "ebs_web_acl" {
		173 |   name        = "ebs_waf"
		174 |   scope       = "REGIONAL"
		175 |   description = "AWS WAF Web ACL for EBS"
		176 | 
		177 |   default_action {
		178 |     block {}
		179 |   }
		180 | 
		181 |   rule {
		182 |     name = "ebs-trusted-rule"
		183 | 
		184 |     priority = 1
		185 |     action {
		186 |       allow {}
		187 |     }
		188 | 
		189 |     statement {
		190 |       ip_set_reference_statement {
		191 |         arn = aws_wafv2_ip_set.ebs_waf_ip_set.arn
		192 |       }
		193 |     }
		194 | 
		195 |     visibility_config {
		196 |       cloudwatch_metrics_enabled = true
		197 |       metric_name                = "ebs_waf_metrics"
		198 |       sampled_requests_enabled   = true
		199 |     }
		200 |   }
		201 | 
		202 |   tags = merge(local.tags,
		203 |     { Name = lower(format("lb-%s-%s-ebsapp-web-acl", local.application_name, local.environment)) }
		204 |   )
		205 | 
		206 |   visibility_config {
		207 |     cloudwatch_metrics_enabled = true
		208 |     metric_name                = "ebs_waf_metrics"
		209 |     sampled_requests_enabled   = true
		210 |   }
		211 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.ebs_waf_logs
	File: /ccms-waf.tf:213-220
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		213 | resource "aws_cloudwatch_log_group" "ebs_waf_logs" {
		214 |   name              = "aws-waf-logs-ebs/ebs-waf-logs"
		215 |   retention_in_days = 30
		216 | 
		217 |   tags = merge(local.tags,
		218 |     { Name = lower(format("lb-%s-%s-ebs-waf-logs", local.application_name, local.environment)) }
		219 |   )
		220 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.ebs_waf_logs
	File: /ccms-waf.tf:213-220
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		213 | resource "aws_cloudwatch_log_group" "ebs_waf_logs" {
		214 |   name              = "aws-waf-logs-ebs/ebs-waf-logs"
		215 |   retention_in_days = 30
		216 | 
		217 |   tags = merge(local.tags,
		218 |     { Name = lower(format("lb-%s-%s-ebs-waf-logs", local.application_name, local.environment)) }
		219 |   )
		220 | }

Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: aws_ssm_parameter.cw_agent_config
	File: /ccms-cloudwatch.tf:28-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted

		28 | resource "aws_ssm_parameter" "cw_agent_config" {
		29 |   description = "cloud watch agent config"
		30 |   name        = "cloud-watch-config"
		31 |   type        = "String"
		32 |   value       = file("./templates/cw_agent_config.json")
		33 | 
		34 |   tags = merge(local.tags,
		35 |     { Name = "cw-config" }
		36 |   )
		37 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.lambda_payment_load
	File: /ccms-s3.tf:293-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		293 | resource "aws_s3_bucket" "lambda_payment_load" {
		294 |   bucket = "${local.application_name}-${local.environment}-payment-load"
		295 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.lambda_payment_load
	File: /ccms-s3.tf:293-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		293 | resource "aws_s3_bucket" "lambda_payment_load" {
		294 |   bucket = "${local.application_name}-${local.environment}-payment-load"
		295 | }
Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.lambda_payment_load
	File: /ccms-s3.tf:293-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		293 | resource "aws_s3_bucket" "lambda_payment_load" {
		294 |   bucket = "${local.application_name}-${local.environment}-payment-load"
		295 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.lambda_payment_load
	File: /ccms-s3.tf:293-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		293 | resource "aws_s3_bucket" "lambda_payment_load" {
		294 |   bucket = "${local.application_name}-${local.environment}-payment-load"
		295 | }
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.secret_ftp_s3
	File: /ccms-secrets.tf:3-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		3  | resource "aws_secretsmanager_secret" "secret_ftp_s3" {
		4  |   name        = "ftp-s3-${local.environment}-aws-key"
		5  |   description = "AWS credentials for mounting of s3 buckets for the FTP Service to access"
		6  | 
		7  |   tags = merge(local.tags,
		8  |     { Name = "ftp-s3-${local.environment}-aws-key" }
		9  |   )
		10 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.secret_ses_smtp_credentials
	File: /ccms-secrets.tf:12-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		12 | resource "aws_secretsmanager_secret" "secret_ses_smtp_credentials" {
		13 |   name        = "ses-smtp-credentials"
		14 |   description = "SMTP credentials for Postfix to send messages through SES."
		15 | 
		16 |   tags = merge(local.tags,
		17 |     { Name = "ses-smtp-credentials-${local.environment}" }
		18 |   )
		19 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.secret_lambda_s3
	File: /ccms-secrets.tf:23-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		23 | resource "aws_secretsmanager_secret" "secret_lambda_s3" {
		24 |   name        = "db-${local.environment}-credentials"
		25 |   description = "AWS credentials for lambda to connect to the db"
		26 | 
		27 |   tags = merge(local.tags,
		28 |     { Name = "db-${local.environment}-credentials" }
		29 |   )
		30 | }
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.support_email_account
	File: /ccms-sns.tf:2-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		2 | resource "aws_secretsmanager_secret" "support_email_account" {
		3 |   name        = "support_email_account"
		4 |   description = "email address of the support account for cw alerts"
		5 | }

Check: CKV2_AWS_64: "Ensure KMS key Policy is defined"
	FAILED for resource: aws_kms_key.oracle_ec2
	File: /ccms-kms.tf:1-7
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-2-64

		1 | resource "aws_kms_key" "oracle_ec2" {
		2 |   enable_key_rotation = true
		3 | 
		4 |   tags = merge(local.tags,
		5 |     { Name = "oracle_ec2" }
		6 |   )
		7 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.lambda_payment_load
	File: /ccms-s3.tf:293-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		293 | resource "aws_s3_bucket" "lambda_payment_load" {
		294 |   bucket = "${local.application_name}-${local.environment}-payment-load"
		295 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.lambda_payment_load
	File: /ccms-s3.tf:293-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		293 | resource "aws_s3_bucket" "lambda_payment_load" {
		294 |   bucket = "${local.application_name}-${local.environment}-payment-load"
		295 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.lambda_payment_load
	File: /ccms-s3.tf:293-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		293 | resource "aws_s3_bucket" "lambda_payment_load" {
		294 |   bucket = "${local.application_name}-${local.environment}-payment-load"
		295 | }
Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances"
	FAILED for resource: aws_eip.ebs_eip
	File: /ccms-ec2-oracle_ebs_apps-nlb.tf:2-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances

		2  | resource "aws_eip" "ebs_eip" {
		3  |   count = local.is-production ? 6 : 3
		4  |   vpc   = true
		5  | 
		6  |   lifecycle {
		7  |     prevent_destroy = true
		8  |   }
		9  | 
		10 |   tags = merge(local.tags,
		11 |     { Name = lower(format("lb-%s-%s-eip-${count.index + 1}", local.application_name, local.environment)) }
		12 |   )
		13 | }

Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances"
	FAILED for resource: aws_eip.webgate_eip
	File: /ccms-ec2-oracle_webgate-nlb.tf:2-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances

		2  | resource "aws_eip" "webgate_eip" {
		3  |   count = local.is-production ? 6 : 3
		4  |   vpc   = true
		5  | 
		6  |   lifecycle {
		7  |     prevent_destroy = true
		8  |   }
		9  | 
		10 |   tags = merge(local.tags,
		11 |     { Name = lower(format("lb-%s-%s-webgate-eip-${count.index + 1}", local.application_name, local.environment)) }
		12 |   )
		13 | }


checkov_exitcode=1

CTFLint Scan Failed

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/ccms-ebs

*****************************

Running tflint in terraform/environments/ccms-ebs
Excluding the following checks: terraform_unused_declarations
5 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/ccms-ebs/ccms-ec2-ftp.tf line 23:
  23:     environment               = "${local.environment}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/ccms-ebs/ccms-ec2-ftp.tf line 24:
  24:     lz_aws_account_id_env     = "${local.application_data.accounts[local.environment].lz_aws_account_id_env}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/ccms-ebs/ccms-ec2-ftp.tf line 25:
  25:     lz_ftp_bucket_environment = "${local.application_data.accounts[local.environment].lz_ftp_bucket_environment}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/ccms-ebs/ccms-ec2-mailrelay.tf line 28:
  28:     smtp_fqdn = "${local.application_data.accounts[local.environment].ses_domain_identity}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/ccms-ebs/ccms-ec2-oracle_ebs_db.tf line 31:
  31:     environment = "${local.environment}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/ccms-ebs

*****************************

Running Trivy in terraform/environments/ccms-ebs
2024-12-12T10:18:43Z	INFO	[vulndb] Need to update DB
2024-12-12T10:18:43Z	INFO	[vulndb] Downloading vulnerability DB...
2024-12-12T10:18:43Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-12T10:18:45Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-12T10:18:45Z	INFO	[vuln] Vulnerability scanning is enabled
2024-12-12T10:18:45Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-12-12T10:18:45Z	INFO	[misconfig] Need to update the built-in checks
2024-12-12T10:18:45Z	INFO	[misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2024-12-12T10:18:45Z	INFO	[secret] Secret scanning is enabled
2024-12-12T10:18:45Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-12T10:18:45Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-12T10:18:46Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-12-12T10:18:46Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-12-12T10:18:47Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_log_group.groups" value="cty.NilVal"
2024-12-12T10:18:47Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_security_group_rule.all_internal_egress_traffic" value="cty.NilVal"
2024-12-12T10:18:47Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_security_group_rule.all_internal_ingress_traffic" value="cty.NilVal"
2024-12-12T10:18:47Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T10:18:47Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T10:18:47Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.s3-bucket-dbbackup.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T10:18:47Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.s3-bucket-dbbackup.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T10:18:47Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.s3-bucket-logging.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T10:18:47Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.s3-bucket-logging.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T10:18:47Z	INFO	[terraform scanner] Scanning root module	file_path="modules"
2024-12-12T10:18:47Z	INFO	[terraform scanner] Scanning root module	file_path="modules/cw-logs"
2024-12-12T10:18:50Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-12-12T10:18:50Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-user-attached-policies" range="ccms-iam.tf:283-289"
2024-12-12T10:18:51Z	INFO	Number of language-specific files	num=0
2024-12-12T10:18:51Z	INFO	Detected config files	num=28

ccms-ec2-oracle_accessgate.tf (terraform)
=========================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 ccms-ec2-oracle_accessgate.tf:1-104
────────────────────────────────────────
   1resource "aws_instance" "ec2_accessgate" {
   2count                  = local.application_data.accounts[local.environment].accessgate_no_instances
   3instance_type          = local.application_data.accounts[local.environment].ec2_oracle_instance_type_accessgate
   4ami                    = local.application_data.accounts[local.environment]["accessgate_ami_id-${count.index + 1}"]
   5key_name               = local.application_data.accounts[local.environment].key_name
   6vpc_security_group_ids = [aws_security_group.ec2_sg_accessgate.id]
   7subnet_id              = local.private_subnets[count.index]
   8#subnet_id                   = data.aws_subnet.data_subnets_a.id
   9monitoring                  = true
  ..   
────────────────────────────────────────



ccms-ec2-oracle_ebs_apps-alb.tf (terraform)
===========================================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.


See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 ccms-ec2-oracle_ebs_apps-alb.tf:1-19
────────────────────────────────────────
   1resource "aws_lb" "ebsapps_lb" {
   2name               = lower(format("lb-%s-%s-ebsapp", local.application_name, local.environment))
   3internal           = false
   4load_balancer_type = "application"
   5security_groups    = [aws_security_group.sg_ebsapps_lb.id]
   6subnets            = data.aws_subnets.shared-public.ids
   78enable_deletion_protection = true
   9..   
────────────────────────────────────────


AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 ccms-ec2-oracle_ebs_apps-alb.tf:3
   via ccms-ec2-oracle_ebs_apps-alb.tf:1-19 (aws_lb.ebsapps_lb)
────────────────────────────────────────
   1   resource "aws_lb" "ebsapps_lb" {
   .   
   3 [   internal           = false
  ..   
  19   }
────────────────────────────────────────



ccms-ec2-oracle_ebs_apps-nlb.tf (terraform)
===========================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 ccms-ec2-oracle_ebs_apps-nlb.tf:18
   via ccms-ec2-oracle_ebs_apps-nlb.tf:16-42 (aws_lb.ebsapps_nlb)
────────────────────────────────────────
  16   resource "aws_lb" "ebsapps_nlb" {
  ..   
  18 [   internal           = false
  ..   
  42   }
────────────────────────────────────────



ccms-ec2-oracle_ebs_apps.tf (terraform)
=======================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 ccms-ec2-oracle_ebs_apps.tf:1-127
────────────────────────────────────────
   1resource "aws_instance" "ec2_ebsapps" {
   2 │   count                  = local.application_data.accounts[local.environment].ebsapps_no_instances
   3 │   instance_type          = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsapps
   4 │   ami                    = local.application_data.accounts[local.environment]["ebsapps_ami_id-${count.index + 1}"]
   5 │   key_name               = local.application_data.accounts[local.environment].key_name
   6 │   vpc_security_group_ids = [aws_security_group.ec2_sg_ebsapps.id]
   7 │   subnet_id              = local.private_subnets[count.index]
   8#subnet_id                   = data.aws_subnet.data_subnets_a.id
   9 └   monitoring                  = true
  ..   
────────────────────────────────────────



ccms-ec2-oracle_ebs_db.tf (terraform)
=====================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 ccms-ec2-oracle_ebs_db.tf:1-68
────────────────────────────────────────
   1 ┌ resource "aws_instance" "ec2_oracle_ebs" {
   2 │   instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsdb
   3#ami                         = data.aws_ami.oracle_db.id
   4 │   ami                         = local.application_data.accounts[local.environment].ebsdb_ami_id
   5 │   key_name                    = local.application_data.accounts[local.environment].key_name
   6 │   vpc_security_group_ids      = [aws_security_group.ec2_sg_ebsdb.id]
   7 │   subnet_id                   = data.aws_subnet.data_subnets_a.id
   8 │   monitoring                  = true
   9 └   ebs_optimized               = false
  ..   
────────────────────────────────────────



ccms-ec2-oracle_webgate-alb.tf (terraform)
==========================================
Tests: 3 (SUCCESSES: 0, FAILURES: 3)
Failures: 3 (HIGH: 3, CRITICAL: 0)

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.


See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 ccms-ec2-oracle_webgate-alb.tf:1-20
────────────────────────────────────────
   1 ┌ resource "aws_lb" "webgate_lb" {
   2 │   count              = local.is-production ? 1 : 1
   3 │   name               = lower(format("lb-%s-%s-wgate", local.application_name, local.environment))
   4 │   internal           = true
   5 │   load_balancer_type = "application"
   6 │   security_groups    = [aws_security_group.sg_webgate_lb.id]
   7 │   subnets            = data.aws_subnets.shared-private.ids
   89 └   enable_deletion_protection = true
  ..   
────────────────────────────────────────


AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.


See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 ccms-ec2-oracle_webgate-alb.tf:62-80
────────────────────────────────────────
  62 ┌ resource "aws_lb" "webgate_public_lb" {
  63 │   name               = lower(format("public-alb-webgate"))
  64 │   internal           = false
  65 │   load_balancer_type = "application"
  66 │   security_groups    = [aws_security_group.sg_webgate_lb.id]
  67 │   subnets            = data.aws_subnets.shared-public.ids
  6869 │   enable_deletion_protection = true
  70 └ 
  ..   
────────────────────────────────────────


AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 ccms-ec2-oracle_webgate-alb.tf:64
   via ccms-ec2-oracle_webgate-alb.tf:62-80 (aws_lb.webgate_public_lb)
────────────────────────────────────────
  62   resource "aws_lb" "webgate_public_lb" {
  ..   
  64 [   internal           = false
  ..   
  80   }
────────────────────────────────────────



ccms-ec2-oracle_webgate-nlb.tf (terraform)
==========================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 ccms-ec2-oracle_webgate-nlb.tf:18
   via ccms-ec2-oracle_webgate-nlb.tf:16-42 (aws_lb.webgate_nlb)
────────────────────────────────────────
  16   resource "aws_lb" "webgate_nlb" {
  ..   
  18 [   internal           = false
  ..   
  42   }
────────────────────────────────────────



ccms-ec2-oracle_webgate.tf (terraform)
======================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 ccms-ec2-oracle_webgate.tf:1-104
────────────────────────────────────────
   1 ┌ resource "aws_instance" "ec2_webgate" {
   2 │   count                  = local.application_data.accounts[local.environment].webgate_no_instances
   3 │   instance_type          = local.application_data.accounts[local.environment].ec2_oracle_instance_type_webgate
   4 │   ami                    = local.application_data.accounts[local.environment]["webgate_ami_id-${count.index + 1}"]
   5 │   key_name               = local.application_data.accounts[local.environment].key_name
   6 │   vpc_security_group_ids = [aws_security_group.ec2_sg_webgate.id]
   7 │   subnet_id              = local.private_subnets[count.index]
   8#subnet_id                   = data.aws_subnet.data_subnets_a.id
   9 └   monitoring                  = true
  ..   
────────────────────────────────────────



ccms-s3.tf (terraform)
======================
Tests: 8 (SUCCESSES: 0, FAILURES: 8)
Failures: 8 (HIGH: 8, CRITICAL: 0)

AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 ccms-s3.tf:286-288
────────────────────────────────────────
 286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
 287 │   bucket = "${local.application_name}-${local.environment}-shared"
 288 └ }
────────────────────────────────────────


AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 ccms-s3.tf:293-295
────────────────────────────────────────
 293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
 294 │   bucket = "${local.application_name}-${local.environment}-payment-load"
 295 └ }
────────────────────────────────────────


AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 ccms-s3.tf:286-288
────────────────────────────────────────
 286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
 287 │   bucket = "${local.application_name}-${local.environment}-shared"
 288 └ }
────────────────────────────────────────


AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 ccms-s3.tf:293-295
────────────────────────────────────────
 293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
 294 │   bucket = "${local.application_name}-${local.environment}-payment-load"
 295 └ }
────────────────────────────────────────


AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 ccms-s3.tf:286-288
────────────────────────────────────────
 286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
 287 │   bucket = "${local.application_name}-${local.environment}-shared"
 288 └ }
────────────────────────────────────────


AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 ccms-s3.tf:293-295
────────────────────────────────────────
 293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
 294 │   bucket = "${local.application_name}-${local.environment}-payment-load"
 295 └ }
────────────────────────────────────────


AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.


See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 ccms-s3.tf:286-288
────────────────────────────────────────
 286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
 287 │   bucket = "${local.application_name}-${local.environment}-shared"
 288 └ }
────────────────────────────────────────


AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.


See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 ccms-s3.tf:293-295
────────────────────────────────────────
 293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
 294 │   bucket = "${local.application_name}-${local.environment}-payment-load"
 295 └ }
────────────────────────────────────────


trivy_exitcode=1

@github-actions GitHub Actions
Copy link
Contributor

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/ccms-ebs

Running Trivy in terraform/environments/ccms-ebs
2024-12-12T10:27:29Z INFO [vulndb] Need to update DB
2024-12-12T10:27:29Z INFO [vulndb] Downloading vulnerability DB...
2024-12-12T10:27:29Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-12T10:27:31Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-12T10:27:31Z INFO [vuln] Vulnerability scanning is enabled
2024-12-12T10:27:31Z INFO [misconfig] Misconfiguration scanning is enabled
2024-12-12T10:27:31Z INFO [misconfig] Need to update the built-in checks
2024-12-12T10:27:31Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2024-12-12T10:27:31Z INFO [secret] Secret scanning is enabled
2024-12-12T10:27:31Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-12T10:27:31Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-12T10:27:33Z INFO [terraform scanner] Scanning root module file_path="."
2024-12-12T10:27:33Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-12-12T10:27:33Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_log_group.groups" value="cty.NilVal"
2024-12-12T10:27:33Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_security_group_rule.all_internal_egress_traffic" value="cty.NilVal"
2024-12-12T10:27:33Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_security_group_rule.all_internal_ingress_traffic" value="cty.NilVal"
2024-12-12T10:27:34Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T10:27:34Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T10:27:34Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket-dbbackup.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T10:27:34Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket-dbbackup.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T10:27:34Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket-logging.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T10:27:34Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket-logging.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T10:27:34Z INFO [terraform scanner] Scanning root module file_path="modules"
2024-12-12T10:27:34Z INFO [terraform scanner] Scanning root module file_path="modules/cw-logs"
2024-12-12T10:27:37Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-12-12T10:27:37Z INFO [terraform executor] Ignore finding rule="aws-iam-no-user-attached-policies" range="ccms-iam.tf:283-289"
2024-12-12T10:27:38Z INFO Number of language-specific files num=0
2024-12-12T10:27:38Z INFO Detected config files num=28

ccms-ec2-oracle_accessgate.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ccms-ec2-oracle_accessgate.tf:1-104
────────────────────────────────────────
1 ┌ resource "aws_instance" "ec2_accessgate" {
2 │ count = local.application_data.accounts[local.environment].accessgate_no_instances
3 │ instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_accessgate
4 │ ami = local.application_data.accounts[local.environment]["accessgate_ami_id-${count.index + 1}"]
5 │ key_name = local.application_data.accounts[local.environment].key_name
6 │ vpc_security_group_ids = [aws_security_group.ec2_sg_accessgate.id]
7 │ subnet_id = local.private_subnets[count.index]
8 │ #subnet_id = data.aws_subnet.data_subnets_a.id
9 └ monitoring = true
..
────────────────────────────────────────

ccms-ec2-oracle_ebs_apps-alb.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-alb.tf:1-19
────────────────────────────────────────
1 ┌ resource "aws_lb" "ebsapps_lb" {
2 │ name = lower(format("lb-%s-%s-ebsapp", local.application_name, local.environment))
3 │ internal = false
4 │ load_balancer_type = "application"
5 │ security_groups = [aws_security_group.sg_ebsapps_lb.id]
6 │ subnets = data.aws_subnets.shared-public.ids
7 │
8 │ enable_deletion_protection = true
9 └
..
────────────────────────────────────────

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-alb.tf:3
via ccms-ec2-oracle_ebs_apps-alb.tf:1-19 (aws_lb.ebsapps_lb)
────────────────────────────────────────
1 resource "aws_lb" "ebsapps_lb" {
.
3 [ internal = false
..
19 }
────────────────────────────────────────

ccms-ec2-oracle_ebs_apps-nlb.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-nlb.tf:18
via ccms-ec2-oracle_ebs_apps-nlb.tf:16-42 (aws_lb.ebsapps_nlb)
────────────────────────────────────────
16 resource "aws_lb" "ebsapps_nlb" {
..
18 [ internal = false
..
42 }
────────────────────────────────────────

ccms-ec2-oracle_ebs_apps.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps.tf:1-127
────────────────────────────────────────
1 ┌ resource "aws_instance" "ec2_ebsapps" {
2 │ count = local.application_data.accounts[local.environment].ebsapps_no_instances
3 │ instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsapps
4 │ ami = local.application_data.accounts[local.environment]["ebsapps_ami_id-${count.index + 1}"]
5 │ key_name = local.application_data.accounts[local.environment].key_name
6 │ vpc_security_group_ids = [aws_security_group.ec2_sg_ebsapps.id]
7 │ subnet_id = local.private_subnets[count.index]
8 │ #subnet_id = data.aws_subnet.data_subnets_a.id
9 └ monitoring = true
..
────────────────────────────────────────

ccms-ec2-oracle_ebs_db.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
ccms-ec2-oracle_ebs_db.tf:1-68
────────────────────────────────────────
1 ┌ resource "aws_instance" "ec2_oracle_ebs" {
2 │ instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsdb
3 │ #ami = data.aws_ami.oracle_db.id
4 │ ami = local.application_data.accounts[local.environment].ebsdb_ami_id
5 │ key_name = local.application_data.accounts[local.environment].key_name
6 │ vpc_security_group_ids = [aws_security_group.ec2_sg_ebsdb.id]
7 │ subnet_id = data.aws_subnet.data_subnets_a.id
8 │ monitoring = true
9 └ ebs_optimized = false
..
────────────────────────────────────────

ccms-ec2-oracle_webgate-alb.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 3)
Failures: 3 (HIGH: 3, CRITICAL: 0)

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
ccms-ec2-oracle_webgate-alb.tf:1-20
────────────────────────────────────────
1 ┌ resource "aws_lb" "webgate_lb" {
2 │ count = local.is-production ? 1 : 1
3 │ name = lower(format("lb-%s-%s-wgate", local.application_name, local.environment))
4 │ internal = true
5 │ load_balancer_type = "application"
6 │ security_groups = [aws_security_group.sg_webgate_lb.id]
7 │ subnets = data.aws_subnets.shared-private.ids
8 │
9 └ enable_deletion_protection = true
..
────────────────────────────────────────

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
ccms-ec2-oracle_webgate-alb.tf:62-80
────────────────────────────────────────
62 ┌ resource "aws_lb" "webgate_public_lb" {
63 │ name = lower(format("public-alb-webgate"))
64 │ internal = false
65 │ load_balancer_type = "application"
66 │ security_groups = [aws_security_group.sg_webgate_lb.id]
67 │ subnets = data.aws_subnets.shared-public.ids
68 │
69 │ enable_deletion_protection = true
70 └
..
────────────────────────────────────────

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ccms-ec2-oracle_webgate-alb.tf:64
via ccms-ec2-oracle_webgate-alb.tf:62-80 (aws_lb.webgate_public_lb)
────────────────────────────────────────
62 resource "aws_lb" "webgate_public_lb" {
..
64 [ internal = false
..
80 }
────────────────────────────────────────

ccms-ec2-oracle_webgate-nlb.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ccms-ec2-oracle_webgate-nlb.tf:18
via ccms-ec2-oracle_webgate-nlb.tf:16-42 (aws_lb.webgate_nlb)
────────────────────────────────────────
16 resource "aws_lb" "webgate_nlb" {
..
18 [ internal = false
..
42 }
────────────────────────────────────────

ccms-ec2-oracle_webgate.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ccms-ec2-oracle_webgate.tf:1-104
────────────────────────────────────────
1 ┌ resource "aws_instance" "ec2_webgate" {
2 │ count = local.application_data.accounts[local.environment].webgate_no_instances
3 │ instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_webgate
4 │ ami = local.application_data.accounts[local.environment]["webgate_ami_id-${count.index + 1}"]
5 │ key_name = local.application_data.accounts[local.environment].key_name
6 │ vpc_security_group_ids = [aws_security_group.ec2_sg_webgate.id]
7 │ subnet_id = local.private_subnets[count.index]
8 │ #subnet_id = data.aws_subnet.data_subnets_a.id
9 └ monitoring = true
..
────────────────────────────────────────

ccms-s3.tf (terraform)

Tests: 8 (SUCCESSES: 0, FAILURES: 8)
Failures: 8 (HIGH: 8, CRITICAL: 0)

AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.

See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
ccms-s3.tf:286-288
────────────────────────────────────────
286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
287 │ bucket = "${local.application_name}-${local.environment}-shared"
288 └ }
────────────────────────────────────────

AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.

See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
ccms-s3.tf:293-295
────────────────────────────────────────
293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
294 │ bucket = "${local.application_name}-${local.environment}-payment-load"
295 └ }
────────────────────────────────────────

AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
ccms-s3.tf:286-288
────────────────────────────────────────
286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
287 │ bucket = "${local.application_name}-${local.environment}-shared"
288 └ }
────────────────────────────────────────

AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
ccms-s3.tf:293-295
────────────────────────────────────────
293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
294 │ bucket = "${local.application_name}-${local.environment}-payment-load"
295 └ }
────────────────────────────────────────

AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
ccms-s3.tf:286-288
────────────────────────────────────────
286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
287 │ bucket = "${local.application_name}-${local.environment}-shared"
288 └ }
────────────────────────────────────────

AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
ccms-s3.tf:293-295
────────────────────────────────────────
293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
294 │ bucket = "${local.application_name}-${local.environment}-payment-load"
295 └ }
────────────────────────────────────────

AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
ccms-s3.tf:286-288
────────────────────────────────────────
286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
287 │ bucket = "${local.application_name}-${local.environment}-shared"
288 └ }
────────────────────────────────────────

AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
ccms-s3.tf:293-295
────────────────────────────────────────
293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
294 │ bucket = "${local.application_name}-${local.environment}-payment-load"
295 └ }
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/ccms-ebs

*****************************

Running Checkov in terraform/environments/ccms-ebs
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-12-12 10:27:40,716 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 955, Failed checks: 74, Skipped checks: 3

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.groups
	File: /ccms-cloudwatch.tf:15-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		15 | resource "aws_cloudwatch_log_group" "groups" {
		16 |   for_each          = local.application_data.cw_log_groups
		17 |   name              = each.key
		18 |   retention_in_days = each.value.retention_days
		19 | 
		20 |   tags = merge(
		21 |     local.tags,
		22 |     {
		23 |       Name = each.key
		24 |     },
		25 |   )
		26 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.cloudwatch_datasource
	File: /ccms-cloudwatch.tf:54-106
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.dlm_lifecycle
	File: /ccms-dlm.tf:24-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		24 | resource "aws_iam_role_policy" "dlm_lifecycle" {
		25 |   count = local.is-production ? 0 : 1
		26 |   name  = "dlm-lifecycle-policy"
		27 |   role  = aws_iam_role.dlm_lifecycle_role[0].id
		28 | 
		29 |   policy = <<EOF
		30 | {
		31 |    "Version": "2012-10-17",
		32 |    "Statement": [
		33 |       {
		34 |          "Effect": "Allow",
		35 |          "Action": [
		36 |             "ec2:CreateSnapshot",
		37 |             "ec2:DeleteSnapshot",
		38 |             "ec2:DescribeVolumes",
		39 |             "ec2:DescribeSnapshots"
		40 |          ],
		41 |          "Resource": "*"
		42 |       },
		43 |       {
		44 |          "Effect": "Allow",
		45 |          "Action": [
		46 |             "ec2:CreateTags"
		47 |          ],
		48 |          "Resource": "arn:aws:ec2:*::snapshot/*"
		49 |       }
		50 |    ]
		51 | }
		52 | EOF
		53 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.dlm_lifecycle
	File: /ccms-dlm.tf:24-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		24 | resource "aws_iam_role_policy" "dlm_lifecycle" {
		25 |   count = local.is-production ? 0 : 1
		26 |   name  = "dlm-lifecycle-policy"
		27 |   role  = aws_iam_role.dlm_lifecycle_role[0].id
		28 | 
		29 |   policy = <<EOF
		30 | {
		31 |    "Version": "2012-10-17",
		32 |    "Statement": [
		33 |       {
		34 |          "Effect": "Allow",
		35 |          "Action": [
		36 |             "ec2:CreateSnapshot",
		37 |             "ec2:DeleteSnapshot",
		38 |             "ec2:DescribeVolumes",
		39 |             "ec2:DescribeSnapshots"
		40 |          ],
		41 |          "Resource": "*"
		42 |       },
		43 |       {
		44 |          "Effect": "Allow",
		45 |          "Action": [
		46 |             "ec2:CreateTags"
		47 |          ],
		48 |          "Resource": "arn:aws:ec2:*::snapshot/*"
		49 |       }
		50 |    ]
		51 | }
		52 | EOF
		53 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_ftp
	File: /ccms-ec2-ftp.tf:1-67
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_mailrelay
	File: /ccms-ec2-mailrelay.tf:2-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.ec2_accessgate
	File: /ccms-ec2-oracle_accessgate.tf:1-104
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_accessgate
	File: /ccms-ec2-oracle_accessgate.tf:1-104
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.ebsapps_lb
	File: /ccms-ec2-oracle_ebs_apps-alb.tf:1-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		1  | resource "aws_lb" "ebsapps_lb" {
		2  |   name               = lower(format("lb-%s-%s-ebsapp", local.application_name, local.environment))
		3  |   internal           = false
		4  |   load_balancer_type = "application"
		5  |   security_groups    = [aws_security_group.sg_ebsapps_lb.id]
		6  |   subnets            = data.aws_subnets.shared-public.ids
		7  | 
		8  |   enable_deletion_protection = true
		9  | 
		10 |   access_logs {
		11 |     bucket  = module.s3-bucket-logging.bucket.id
		12 |     prefix  = local.lb_log_prefix_ebsapp
		13 |     enabled = true
		14 |   }
		15 | 
		16 |   tags = merge(local.tags,
		17 |     { Name = lower(format("lb-%s-%s-ebsapp", local.application_name, local.environment)) }
		18 |   )
		19 | }

Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
	FAILED for resource: aws_lb_target_group.ebsapp_tg
	File: /ccms-ec2-oracle_ebs_apps-alb.tf:39-54
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks

		39 | resource "aws_lb_target_group" "ebsapp_tg" {
		40 |   name     = lower(format("tg-%s-%s-ebsapp", local.application_name, local.environment))
		41 |   port     = local.application_data.accounts[local.environment].tg_apps_port
		42 |   protocol = "HTTP"
		43 |   vpc_id   = data.aws_vpc.shared.id
		44 |   health_check {
		45 |     port     = local.application_data.accounts[local.environment].tg_apps_port
		46 |     protocol = "HTTP"
		47 |   }
		48 | 
		49 |   stickiness {
		50 |     enabled         = true
		51 |     type            = "lb_cookie"
		52 |     cookie_duration = 3600
		53 |   }
		54 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.ebsapps_nlb
	File: /ccms-ec2-oracle_ebs_apps-nlb.tf:16-42
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		16 | resource "aws_lb" "ebsapps_nlb" {
		17 |   name               = lower(format("nlb-%s-%s-ebs", local.application_name, local.environment))
		18 |   internal           = false
		19 |   load_balancer_type = "network"
		20 | 
		21 |   enable_deletion_protection       = true
		22 |   enable_cross_zone_load_balancing = true
		23 | 
		24 |   subnet_mapping {
		25 |     subnet_id     = data.aws_subnets.shared-public.ids[0]
		26 |     allocation_id = aws_eip.ebs_eip[0].id
		27 |   }
		28 | 
		29 |   subnet_mapping {
		30 |     subnet_id     = data.aws_subnets.shared-public.ids[1]
		31 |     allocation_id = aws_eip.ebs_eip[1].id
		32 |   }
		33 | 
		34 |   subnet_mapping {
		35 |     subnet_id     = data.aws_subnets.shared-public.ids[2]
		36 |     allocation_id = aws_eip.ebs_eip[2].id
		37 |   }
		38 | 
		39 |   tags = merge(local.tags,
		40 |     { Name = lower(format("nlb-%s-%s-ebsapp", local.application_name, local.environment)) }
		41 |   )
		42 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.ec2_ebsapps
	File: /ccms-ec2-oracle_ebs_apps.tf:1-127
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_ebsapps
	File: /ccms-ec2-oracle_ebs_apps.tf:1-127
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
	FAILED for resource: aws_instance.ec2_oracle_ebs
	File: /ccms-ec2-oracle_ebs_db.tf:1-68
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-13

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_oracle_ebs
	File: /ccms-ec2-oracle_ebs_db.tf:1-68
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.webgate_lb
	File: /ccms-ec2-oracle_webgate-alb.tf:1-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		1  | resource "aws_lb" "webgate_lb" {
		2  |   count              = local.is-production ? 1 : 1
		3  |   name               = lower(format("lb-%s-%s-wgate", local.application_name, local.environment))
		4  |   internal           = true
		5  |   load_balancer_type = "application"
		6  |   security_groups    = [aws_security_group.sg_webgate_lb.id]
		7  |   subnets            = data.aws_subnets.shared-private.ids
		8  | 
		9  |   enable_deletion_protection = true
		10 | 
		11 |   access_logs {
		12 |     bucket  = module.s3-bucket-logging.bucket.id
		13 |     prefix  = local.lb_log_prefix_wgate
		14 |     enabled = true
		15 |   }
		16 | 
		17 |   tags = merge(local.tags,
		18 |     { Name = lower(format("lb-%s-%s-wgate", local.application_name, local.environment)) }
		19 |   )
		20 | }

Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
	FAILED for resource: aws_lb_target_group.webgate_tg
	File: /ccms-ec2-oracle_webgate-alb.tf:40-52
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks

		40 | resource "aws_lb_target_group" "webgate_tg" {
		41 |   count    = local.is-production ? 1 : 1
		42 |   name     = lower(format("tg-%s-%s-wgate", local.application_name, local.environment))
		43 |   port     = 5401
		44 |   protocol = "HTTP"
		45 |   vpc_id   = data.aws_vpc.shared.id
		46 |   health_check {
		47 |     port     = 5401
		48 |     protocol = "HTTP"
		49 |     matcher  = 302
		50 |     timeout  = 10
		51 |   }
		52 | }

Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.webgate_public_lb
	File: /ccms-ec2-oracle_webgate-alb.tf:62-80
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		62 | resource "aws_lb" "webgate_public_lb" {
		63 |   name               = lower(format("public-alb-webgate"))
		64 |   internal           = false
		65 |   load_balancer_type = "application"
		66 |   security_groups    = [aws_security_group.sg_webgate_lb.id]
		67 |   subnets            = data.aws_subnets.shared-public.ids
		68 | 
		69 |   enable_deletion_protection = true
		70 | 
		71 |   access_logs {
		72 |     bucket  = module.s3-bucket-logging.bucket.id
		73 |     prefix  = local.lb_log_prefix_wgate_public
		74 |     enabled = true
		75 |   }
		76 | 
		77 |   tags = merge(local.tags,
		78 |     { Name = lower(format("public-alb-webgate")) }
		79 |   )
		80 | }

Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
	FAILED for resource: aws_lb_target_group.webgate_tg_public
	File: /ccms-ec2-oracle_webgate-alb.tf:100-111
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks

		100 | resource "aws_lb_target_group" "webgate_tg_public" {
		101 |   name     = lower(format("public-alb-webgate-tg"))
		102 |   port     = 5401
		103 |   protocol = "HTTP"
		104 |   vpc_id   = data.aws_vpc.shared.id
		105 |   health_check {
		106 |     port     = 5401
		107 |     protocol = "HTTP"
		108 |     matcher  = 302
		109 |     timeout  = 10
		110 |   }
		111 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.webgate_nlb
	File: /ccms-ec2-oracle_webgate-nlb.tf:16-42
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		16 | resource "aws_lb" "webgate_nlb" {
		17 |   name               = lower(format("public-nlb-webgate"))
		18 |   internal           = false
		19 |   load_balancer_type = "network"
		20 | 
		21 |   enable_deletion_protection       = true
		22 |   enable_cross_zone_load_balancing = true
		23 | 
		24 |   subnet_mapping {
		25 |     subnet_id     = data.aws_subnets.shared-public.ids[0]
		26 |     allocation_id = aws_eip.webgate_eip[0].id
		27 |   }
		28 | 
		29 |   subnet_mapping {
		30 |     subnet_id     = data.aws_subnets.shared-public.ids[1]
		31 |     allocation_id = aws_eip.webgate_eip[1].id
		32 |   }
		33 | 
		34 |   subnet_mapping {
		35 |     subnet_id     = data.aws_subnets.shared-public.ids[2]
		36 |     allocation_id = aws_eip.webgate_eip[2].id
		37 |   }
		38 | 
		39 |   tags = merge(local.tags,
		40 |     { Name = lower(format("public-nlb-webgate")) }
		41 |   )
		42 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.ec2_webgate
	File: /ccms-ec2-oracle_webgate.tf:1-104
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_webgate
	File: /ccms-ec2-oracle_webgate.tf:1-104
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.ec2_operations_policy
	File: /ccms-iam.tf:249-273
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		249 | resource "aws_iam_policy" "ec2_operations_policy" {
		250 |   name        = "ec2_operations-${local.environment}"
		251 |   description = "Allows EC2 operations."
		252 | 
		253 |   policy = jsonencode(
		254 |     {
		255 |       "Version" : "2012-10-17",
		256 |       "Statement" : [
		257 |         {
		258 |           "Sid" : "EC2Operations",
		259 |           "Effect" : "Allow",
		260 |           "Action" : [
		261 |             "ec2:Describe*",
		262 |             "ec2:CreateSnapshot",
		263 |             "ec2:CreateSnapshots",
		264 |             "ec2:DeleteSnapshot",
		265 |             "ec2:CreateTags",
		266 |             "ec2:DeleteTags"
		267 |           ],
		268 |           "Resource" : "*"
		269 |         }
		270 |       ]
		271 |     }
		272 |   )
		273 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.ec2_operations_policy
	File: /ccms-iam.tf:249-273
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		249 | resource "aws_iam_policy" "ec2_operations_policy" {
		250 |   name        = "ec2_operations-${local.environment}"
		251 |   description = "Allows EC2 operations."
		252 | 
		253 |   policy = jsonencode(
		254 |     {
		255 |       "Version" : "2012-10-17",
		256 |       "Statement" : [
		257 |         {
		258 |           "Sid" : "EC2Operations",
		259 |           "Effect" : "Allow",
		260 |           "Action" : [
		261 |             "ec2:Describe*",
		262 |             "ec2:CreateSnapshot",
		263 |             "ec2:CreateSnapshots",
		264 |             "ec2:DeleteSnapshot",
		265 |             "ec2:CreateTags",
		266 |             "ec2:DeleteTags"
		267 |           ],
		268 |           "Resource" : "*"
		269 |         }
		270 |       ]
		271 |     }
		272 |   )
		273 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.certificate_expiration_alerts
	File: /ccms-lambda-certificate-checker.tf:49-54
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		49 | resource "aws_sns_topic" "certificate_expiration_alerts" {
		50 |   name = "${local.application_name}-${local.environment}-acm-certificate-alerts"
		51 |   tags = merge(local.tags, {
		52 |     Name = "${local.application_name}-${local.environment}-certificate-monitor"
		53 |   })
		54 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.certificate_monitor
	File: /ccms-lambda-certificate-checker.tf:65-81
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		65 | resource "aws_lambda_function" "certificate_monitor" {
		66 |   filename      = "certificate_monitor.zip"
		67 |   function_name = "${local.application_name}-${local.environment}-certificate-monitor"
		68 |   role          = aws_iam_role.lambda_certificate_monitor_role.arn
		69 |   handler       = "lambda_function.lambda_handler"
		70 |   runtime       = "python3.11"
		71 |   timeout       = 30
		72 | 
		73 |   environment {
		74 |     variables = {
		75 |       SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
		76 |     }
		77 |   }
		78 |   tags = merge(local.tags, {
		79 |     Name = "${local.application_name}-${local.environment}-certificate-monitor"
		80 |   })
		81 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.certificate_monitor
	File: /ccms-lambda-certificate-checker.tf:65-81
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		65 | resource "aws_lambda_function" "certificate_monitor" {
		66 |   filename      = "certificate_monitor.zip"
		67 |   function_name = "${local.application_name}-${local.environment}-certificate-monitor"
		68 |   role          = aws_iam_role.lambda_certificate_monitor_role.arn
		69 |   handler       = "lambda_function.lambda_handler"
		70 |   runtime       = "python3.11"
		71 |   timeout       = 30
		72 | 
		73 |   environment {
		74 |     variables = {
		75 |       SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
		76 |     }
		77 |   }
		78 |   tags = merge(local.tags, {
		79 |     Name = "${local.application_name}-${local.environment}-certificate-monitor"
		80 |   })
		81 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.certificate_monitor
	File: /ccms-lambda-certificate-checker.tf:65-81
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		65 | resource "aws_lambda_function" "certificate_monitor" {
		66 |   filename      = "certificate_monitor.zip"
		67 |   function_name = "${local.application_name}-${local.environment}-certificate-monitor"
		68 |   role          = aws_iam_role.lambda_certificate_monitor_role.arn
		69 |   handler       = "lambda_function.lambda_handler"
		70 |   runtime       = "python3.11"
		71 |   timeout       = 30
		72 | 
		73 |   environment {
		74 |     variables = {
		75 |       SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
		76 |     }
		77 |   }
		78 |   tags = merge(local.tags, {
		79 |     Name = "${local.application_name}-${local.environment}-certificate-monitor"
		80 |   })
		81 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.certificate_monitor
	File: /ccms-lambda-certificate-checker.tf:65-81
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		65 | resource "aws_lambda_function" "certificate_monitor" {
		66 |   filename      = "certificate_monitor.zip"
		67 |   function_name = "${local.application_name}-${local.environment}-certificate-monitor"
		68 |   role          = aws_iam_role.lambda_certificate_monitor_role.arn
		69 |   handler       = "lambda_function.lambda_handler"
		70 |   runtime       = "python3.11"
		71 |   timeout       = 30
		72 | 
		73 |   environment {
		74 |     variables = {
		75 |       SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
		76 |     }
		77 |   }
		78 |   tags = merge(local.tags, {
		79 |     Name = "${local.application_name}-${local.environment}-certificate-monitor"
		80 |   })
		81 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.certificate_monitor
	File: /ccms-lambda-certificate-checker.tf:65-81
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		65 | resource "aws_lambda_function" "certificate_monitor" {
		66 |   filename      = "certificate_monitor.zip"
		67 |   function_name = "${local.application_name}-${local.environment}-certificate-monitor"
		68 |   role          = aws_iam_role.lambda_certificate_monitor_role.arn
		69 |   handler       = "lambda_function.lambda_handler"
		70 |   runtime       = "python3.11"
		71 |   timeout       = 30
		72 | 
		73 |   environment {
		74 |     variables = {
		75 |       SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
		76 |     }
		77 |   }
		78 |   tags = merge(local.tags, {
		79 |     Name = "${local.application_name}-${local.environment}-certificate-monitor"
		80 |   })
		81 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.certificate_monitor
	File: /ccms-lambda-certificate-checker.tf:65-81
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		65 | resource "aws_lambda_function" "certificate_monitor" {
		66 |   filename      = "certificate_monitor.zip"
		67 |   function_name = "${local.application_name}-${local.environment}-certificate-monitor"
		68 |   role          = aws_iam_role.lambda_certificate_monitor_role.arn
		69 |   handler       = "lambda_function.lambda_handler"
		70 |   runtime       = "python3.11"
		71 |   timeout       = 30
		72 | 
		73 |   environment {
		74 |     variables = {
		75 |       SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
		76 |     }
		77 |   }
		78 |   tags = merge(local.tags, {
		79 |     Name = "${local.application_name}-${local.environment}-certificate-monitor"
		80 |   })
		81 | }

Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
	FAILED for resource: aws_security_group.lambda_security_group
	File: /ccms-lambda.tf:22-44

		22 | resource "aws_security_group" "lambda_security_group" {
		23 |   name        = "${local.application_name}-${local.environment}-lambda-sg"
		24 |   description = "SG traffic control for Payment Load Lambda"
		25 |   vpc_id      = data.aws_vpc.shared.id
		26 | 
		27 |   ingress {
		28 |     from_port   = 1521
		29 |     to_port     = 1522
		30 |     protocol    = "tcp"
		31 |     cidr_blocks = [data.aws_vpc.shared.cidr_block]
		32 |   }
		33 | 
		34 |   egress {
		35 |     from_port   = 0
		36 |     to_port     = 0
		37 |     protocol    = "-1"
		38 |     cidr_blocks = ["0.0.0.0/0"]
		39 |   }
		40 | 
		41 |   tags = merge(local.tags,
		42 |     { Name = "${local.application_name}-${local.environment}-lambda-sg" }
		43 |   )
		44 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.lambda_security_group
	File: /ccms-lambda.tf:22-44
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		22 | resource "aws_security_group" "lambda_security_group" {
		23 |   name        = "${local.application_name}-${local.environment}-lambda-sg"
		24 |   description = "SG traffic control for Payment Load Lambda"
		25 |   vpc_id      = data.aws_vpc.shared.id
		26 | 
		27 |   ingress {
		28 |     from_port   = 1521
		29 |     to_port     = 1522
		30 |     protocol    = "tcp"
		31 |     cidr_blocks = [data.aws_vpc.shared.cidr_block]
		32 |   }
		33 | 
		34 |   egress {
		35 |     from_port   = 0
		36 |     to_port     = 0
		37 |     protocol    = "-1"
		38 |     cidr_blocks = ["0.0.0.0/0"]
		39 |   }
		40 | 
		41 |   tags = merge(local.tags,
		42 |     { Name = "${local.application_name}-${local.environment}-lambda-sg" }
		43 |   )
		44 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.lambda_function
	File: /ccms-lambda.tf:48-82
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		48 | resource "aws_lambda_function" "lambda_function" {
		49 |   function_name = "${local.application_name}-${local.environment}-payment-load"
		50 |   filename      = "lambda/functionV2.zip"
		51 |   handler       = "lambda_function.lambda_handler"
		52 |   runtime       = "python3.10"
		53 |   role          = aws_iam_role.lambda_execution_role.arn
		54 |   layers        = [aws_lambda_layer_version.lambda_layer.arn]
		55 |   architectures = ["x86_64"]
		56 |   memory_size   = 128
		57 |   timeout       = 120
		58 | 
		59 |   vpc_config {
		60 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		61 |     security_group_ids = [aws_security_group.lambda_security_group.id]
		62 |   }
		63 |   environment {
		64 |     variables = {
		65 |       IS_PRODUCTION   = local.is-production ? "true" : "false"
		66 |       LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
		67 |       S3_BUCKET_NAME  = aws_s3_bucket.lambda_payment_load.bucket
		68 |       SECRET_NAME     = aws_secretsmanager_secret.secret_lambda_s3.name
		69 |     }
		70 |   }
		71 |   logging_config {
		72 |     log_format            = "JSON"
		73 |     application_log_level = "INFO"
		74 |     system_log_level      = "INFO"
		75 |   }
		76 | 
		77 |   tags = merge(local.tags, {
		78 |     Name = "${local.application_name}-${local.environment}-payment-load"
		79 |   })
		80 | 
		81 |   depends_on = [aws_lambda_layer_version.lambda_layer]
		82 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.lambda_function
	File: /ccms-lambda.tf:48-82
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		48 | resource "aws_lambda_function" "lambda_function" {
		49 |   function_name = "${local.application_name}-${local.environment}-payment-load"
		50 |   filename      = "lambda/functionV2.zip"
		51 |   handler       = "lambda_function.lambda_handler"
		52 |   runtime       = "python3.10"
		53 |   role          = aws_iam_role.lambda_execution_role.arn
		54 |   layers        = [aws_lambda_layer_version.lambda_layer.arn]
		55 |   architectures = ["x86_64"]
		56 |   memory_size   = 128
		57 |   timeout       = 120
		58 | 
		59 |   vpc_config {
		60 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		61 |     security_group_ids = [aws_security_group.lambda_security_group.id]
		62 |   }
		63 |   environment {
		64 |     variables = {
		65 |       IS_PRODUCTION   = local.is-production ? "true" : "false"
		66 |       LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
		67 |       S3_BUCKET_NAME  = aws_s3_bucket.lambda_payment_load.bucket
		68 |       SECRET_NAME     = aws_secretsmanager_secret.secret_lambda_s3.name
		69 |     }
		70 |   }
		71 |   logging_config {
		72 |     log_format            = "JSON"
		73 |     application_log_level = "INFO"
		74 |     system_log_level      = "INFO"
		75 |   }
		76 | 
		77 |   tags = merge(local.tags, {
		78 |     Name = "${local.application_name}-${local.environment}-payment-load"
		79 |   })
		80 | 
		81 |   depends_on = [aws_lambda_layer_version.lambda_layer]
		82 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.lambda_function
	File: /ccms-lambda.tf:48-82
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		48 | resource "aws_lambda_function" "lambda_function" {
		49 |   function_name = "${local.application_name}-${local.environment}-payment-load"
		50 |   filename      = "lambda/functionV2.zip"
		51 |   handler       = "lambda_function.lambda_handler"
		52 |   runtime       = "python3.10"
		53 |   role          = aws_iam_role.lambda_execution_role.arn
		54 |   layers        = [aws_lambda_layer_version.lambda_layer.arn]
		55 |   architectures = ["x86_64"]
		56 |   memory_size   = 128
		57 |   timeout       = 120
		58 | 
		59 |   vpc_config {
		60 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		61 |     security_group_ids = [aws_security_group.lambda_security_group.id]
		62 |   }
		63 |   environment {
		64 |     variables = {
		65 |       IS_PRODUCTION   = local.is-production ? "true" : "false"
		66 |       LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
		67 |       S3_BUCKET_NAME  = aws_s3_bucket.lambda_payment_load.bucket
		68 |       SECRET_NAME     = aws_secretsmanager_secret.secret_lambda_s3.name
		69 |     }
		70 |   }
		71 |   logging_config {
		72 |     log_format            = "JSON"
		73 |     application_log_level = "INFO"
		74 |     system_log_level      = "INFO"
		75 |   }
		76 | 
		77 |   tags = merge(local.tags, {
		78 |     Name = "${local.application_name}-${local.environment}-payment-load"
		79 |   })
		80 | 
		81 |   depends_on = [aws_lambda_layer_version.lambda_layer]
		82 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.lambda_function
	File: /ccms-lambda.tf:48-82
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		48 | resource "aws_lambda_function" "lambda_function" {
		49 |   function_name = "${local.application_name}-${local.environment}-payment-load"
		50 |   filename      = "lambda/functionV2.zip"
		51 |   handler       = "lambda_function.lambda_handler"
		52 |   runtime       = "python3.10"
		53 |   role          = aws_iam_role.lambda_execution_role.arn
		54 |   layers        = [aws_lambda_layer_version.lambda_layer.arn]
		55 |   architectures = ["x86_64"]
		56 |   memory_size   = 128
		57 |   timeout       = 120
		58 | 
		59 |   vpc_config {
		60 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		61 |     security_group_ids = [aws_security_group.lambda_security_group.id]
		62 |   }
		63 |   environment {
		64 |     variables = {
		65 |       IS_PRODUCTION   = local.is-production ? "true" : "false"
		66 |       LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
		67 |       S3_BUCKET_NAME  = aws_s3_bucket.lambda_payment_load.bucket
		68 |       SECRET_NAME     = aws_secretsmanager_secret.secret_lambda_s3.name
		69 |     }
		70 |   }
		71 |   logging_config {
		72 |     log_format            = "JSON"
		73 |     application_log_level = "INFO"
		74 |     system_log_level      = "INFO"
		75 |   }
		76 | 
		77 |   tags = merge(local.tags, {
		78 |     Name = "${local.application_name}-${local.environment}-payment-load"
		79 |   })
		80 | 
		81 |   depends_on = [aws_lambda_layer_version.lambda_layer]
		82 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.lambda_function
	File: /ccms-lambda.tf:48-82
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		48 | resource "aws_lambda_function" "lambda_function" {
		49 |   function_name = "${local.application_name}-${local.environment}-payment-load"
		50 |   filename      = "lambda/functionV2.zip"
		51 |   handler       = "lambda_function.lambda_handler"
		52 |   runtime       = "python3.10"
		53 |   role          = aws_iam_role.lambda_execution_role.arn
		54 |   layers        = [aws_lambda_layer_version.lambda_layer.arn]
		55 |   architectures = ["x86_64"]
		56 |   memory_size   = 128
		57 |   timeout       = 120
		58 | 
		59 |   vpc_config {
		60 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		61 |     security_group_ids = [aws_security_group.lambda_security_group.id]
		62 |   }
		63 |   environment {
		64 |     variables = {
		65 |       IS_PRODUCTION   = local.is-production ? "true" : "false"
		66 |       LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
		67 |       S3_BUCKET_NAME  = aws_s3_bucket.lambda_payment_load.bucket
		68 |       SECRET_NAME     = aws_secretsmanager_secret.secret_lambda_s3.name
		69 |     }
		70 |   }
		71 |   logging_config {
		72 |     log_format            = "JSON"
		73 |     application_log_level = "INFO"
		74 |     system_log_level      = "INFO"
		75 |   }
		76 | 
		77 |   tags = merge(local.tags, {
		78 |     Name = "${local.application_name}-${local.environment}-payment-load"
		79 |   })
		80 | 
		81 |   depends_on = [aws_lambda_layer_version.lambda_layer]
		82 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3-bucket
	File: /ccms-s3.tf:2-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3-bucket-logging
	File: /ccms-s3.tf:98-166
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3-bucket-dbbackup
	File: /ccms-s3.tf:190-258
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.secret_ftp_s3
	File: /ccms-secrets.tf:3-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		3  | resource "aws_secretsmanager_secret" "secret_ftp_s3" {
		4  |   name        = "ftp-s3-${local.environment}-aws-key"
		5  |   description = "AWS credentials for mounting of s3 buckets for the FTP Service to access"
		6  | 
		7  |   tags = merge(local.tags,
		8  |     { Name = "ftp-s3-${local.environment}-aws-key" }
		9  |   )
		10 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.secret_ses_smtp_credentials
	File: /ccms-secrets.tf:12-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		12 | resource "aws_secretsmanager_secret" "secret_ses_smtp_credentials" {
		13 |   name        = "ses-smtp-credentials"
		14 |   description = "SMTP credentials for Postfix to send messages through SES."
		15 | 
		16 |   tags = merge(local.tags,
		17 |     { Name = "ses-smtp-credentials-${local.environment}" }
		18 |   )
		19 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.secret_lambda_s3
	File: /ccms-secrets.tf:23-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		23 | resource "aws_secretsmanager_secret" "secret_lambda_s3" {
		24 |   name        = "db-${local.environment}-credentials"
		25 |   description = "AWS credentials for lambda to connect to the db"
		26 | 
		27 |   tags = merge(local.tags,
		28 |     { Name = "db-${local.environment}-credentials" }
		29 |   )
		30 | }
Check: CKV_AWS_365: "Ensure SES Configuration Set enforces TLS usage"
	FAILED for resource: aws_ses_configuration_set.default_configuration_set
	File: /ccms-ses.tf:35-43
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-365

		35 | resource "aws_ses_configuration_set" "default_configuration_set" {
		36 |   name = "default-configuration-set"
		37 | 
		38 |   delivery_options {
		39 |     tls_policy = "Optional"
		40 |   }
		41 |   reputation_metrics_enabled = true
		42 |   sending_enabled            = true
		43 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.support_email_account
	File: /ccms-sns.tf:2-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		2 | resource "aws_secretsmanager_secret" "support_email_account" {
		3 |   name        = "support_email_account"
		4 |   description = "email address of the support account for cw alerts"
		5 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.cw_alerts
	File: /ccms-sns.tf:17-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		17 | resource "aws_sns_topic" "cw_alerts" {
		18 |   name = "ccms-ebs-ec2-alerts"
		19 |   #kms_master_key_id = "alias/aws/sns"
		20 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.s3_topic
	File: /ccms-sns.tf:34-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		34 | resource "aws_sns_topic" "s3_topic" {
		35 |   name   = "s3-event-notification-topic"
		36 |   policy = data.aws_iam_policy_document.s3_topic_policy.json
		37 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.ddos_alarm
	File: /ccms-sns.tf:51-54
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		51 | resource "aws_sns_topic" "ddos_alarm" {
		52 |   name = format("%s_ddos_alarm", local.application_name)
		53 |   #kms_master_key_id = "alias/aws/sns"
		54 | }

Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
	FAILED for resource: aws_wafv2_web_acl.ebs_web_acl
	File: /ccms-waf.tf:172-211
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-waf-prevents-message-lookup-in-log4j2

		172 | resource "aws_wafv2_web_acl" "ebs_web_acl" {
		173 |   name        = "ebs_waf"
		174 |   scope       = "REGIONAL"
		175 |   description = "AWS WAF Web ACL for EBS"
		176 | 
		177 |   default_action {
		178 |     block {}
		179 |   }
		180 | 
		181 |   rule {
		182 |     name = "ebs-trusted-rule"
		183 | 
		184 |     priority = 1
		185 |     action {
		186 |       allow {}
		187 |     }
		188 | 
		189 |     statement {
		190 |       ip_set_reference_statement {
		191 |         arn = aws_wafv2_ip_set.ebs_waf_ip_set.arn
		192 |       }
		193 |     }
		194 | 
		195 |     visibility_config {
		196 |       cloudwatch_metrics_enabled = true
		197 |       metric_name                = "ebs_waf_metrics"
		198 |       sampled_requests_enabled   = true
		199 |     }
		200 |   }
		201 | 
		202 |   tags = merge(local.tags,
		203 |     { Name = lower(format("lb-%s-%s-ebsapp-web-acl", local.application_name, local.environment)) }
		204 |   )
		205 | 
		206 |   visibility_config {
		207 |     cloudwatch_metrics_enabled = true
		208 |     metric_name                = "ebs_waf_metrics"
		209 |     sampled_requests_enabled   = true
		210 |   }
		211 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.ebs_waf_logs
	File: /ccms-waf.tf:213-220
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		213 | resource "aws_cloudwatch_log_group" "ebs_waf_logs" {
		214 |   name              = "aws-waf-logs-ebs/ebs-waf-logs"
		215 |   retention_in_days = 30
		216 | 
		217 |   tags = merge(local.tags,
		218 |     { Name = lower(format("lb-%s-%s-ebs-waf-logs", local.application_name, local.environment)) }
		219 |   )
		220 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.ebs_waf_logs
	File: /ccms-waf.tf:213-220
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		213 | resource "aws_cloudwatch_log_group" "ebs_waf_logs" {
		214 |   name              = "aws-waf-logs-ebs/ebs-waf-logs"
		215 |   retention_in_days = 30
		216 | 
		217 |   tags = merge(local.tags,
		218 |     { Name = lower(format("lb-%s-%s-ebs-waf-logs", local.application_name, local.environment)) }
		219 |   )
		220 | }

Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: aws_ssm_parameter.cw_agent_config
	File: /ccms-cloudwatch.tf:28-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted

		28 | resource "aws_ssm_parameter" "cw_agent_config" {
		29 |   description = "cloud watch agent config"
		30 |   name        = "cloud-watch-config"
		31 |   type        = "String"
		32 |   value       = file("./templates/cw_agent_config.json")
		33 | 
		34 |   tags = merge(local.tags,
		35 |     { Name = "cw-config" }
		36 |   )
		37 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.lambda_payment_load
	File: /ccms-s3.tf:293-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		293 | resource "aws_s3_bucket" "lambda_payment_load" {
		294 |   bucket = "${local.application_name}-${local.environment}-payment-load"
		295 | }
Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.lambda_payment_load
	File: /ccms-s3.tf:293-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		293 | resource "aws_s3_bucket" "lambda_payment_load" {
		294 |   bucket = "${local.application_name}-${local.environment}-payment-load"
		295 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.lambda_payment_load
	File: /ccms-s3.tf:293-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		293 | resource "aws_s3_bucket" "lambda_payment_load" {
		294 |   bucket = "${local.application_name}-${local.environment}-payment-load"
		295 | }
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.secret_ftp_s3
	File: /ccms-secrets.tf:3-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		3  | resource "aws_secretsmanager_secret" "secret_ftp_s3" {
		4  |   name        = "ftp-s3-${local.environment}-aws-key"
		5  |   description = "AWS credentials for mounting of s3 buckets for the FTP Service to access"
		6  | 
		7  |   tags = merge(local.tags,
		8  |     { Name = "ftp-s3-${local.environment}-aws-key" }
		9  |   )
		10 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.secret_ses_smtp_credentials
	File: /ccms-secrets.tf:12-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		12 | resource "aws_secretsmanager_secret" "secret_ses_smtp_credentials" {
		13 |   name        = "ses-smtp-credentials"
		14 |   description = "SMTP credentials for Postfix to send messages through SES."
		15 | 
		16 |   tags = merge(local.tags,
		17 |     { Name = "ses-smtp-credentials-${local.environment}" }
		18 |   )
		19 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.secret_lambda_s3
	File: /ccms-secrets.tf:23-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		23 | resource "aws_secretsmanager_secret" "secret_lambda_s3" {
		24 |   name        = "db-${local.environment}-credentials"
		25 |   description = "AWS credentials for lambda to connect to the db"
		26 | 
		27 |   tags = merge(local.tags,
		28 |     { Name = "db-${local.environment}-credentials" }
		29 |   )
		30 | }
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.support_email_account
	File: /ccms-sns.tf:2-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		2 | resource "aws_secretsmanager_secret" "support_email_account" {
		3 |   name        = "support_email_account"
		4 |   description = "email address of the support account for cw alerts"
		5 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.lambda_payment_load
	File: /ccms-s3.tf:293-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		293 | resource "aws_s3_bucket" "lambda_payment_load" {
		294 |   bucket = "${local.application_name}-${local.environment}-payment-load"
		295 | }
Check: CKV2_AWS_64: "Ensure KMS key Policy is defined"
	FAILED for resource: aws_kms_key.oracle_ec2
	File: /ccms-kms.tf:1-7
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-2-64

		1 | resource "aws_kms_key" "oracle_ec2" {
		2 |   enable_key_rotation = true
		3 | 
		4 |   tags = merge(local.tags,
		5 |     { Name = "oracle_ec2" }
		6 |   )
		7 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.lambda_payment_load
	File: /ccms-s3.tf:293-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		293 | resource "aws_s3_bucket" "lambda_payment_load" {
		294 |   bucket = "${local.application_name}-${local.environment}-payment-load"
		295 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.lambda_payment_load
	File: /ccms-s3.tf:293-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		293 | resource "aws_s3_bucket" "lambda_payment_load" {
		294 |   bucket = "${local.application_name}-${local.environment}-payment-load"
		295 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.lambda_payment_load
	File: /ccms-s3.tf:293-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		293 | resource "aws_s3_bucket" "lambda_payment_load" {
		294 |   bucket = "${local.application_name}-${local.environment}-payment-load"
		295 | }
Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances"
	FAILED for resource: aws_eip.ebs_eip
	File: /ccms-ec2-oracle_ebs_apps-nlb.tf:2-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances

		2  | resource "aws_eip" "ebs_eip" {
		3  |   count = local.is-production ? 6 : 3
		4  |   vpc   = true
		5  | 
		6  |   lifecycle {
		7  |     prevent_destroy = true
		8  |   }
		9  | 
		10 |   tags = merge(local.tags,
		11 |     { Name = lower(format("lb-%s-%s-eip-${count.index + 1}", local.application_name, local.environment)) }
		12 |   )
		13 | }

Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances"
	FAILED for resource: aws_eip.webgate_eip
	File: /ccms-ec2-oracle_webgate-nlb.tf:2-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances

		2  | resource "aws_eip" "webgate_eip" {
		3  |   count = local.is-production ? 6 : 3
		4  |   vpc   = true
		5  | 
		6  |   lifecycle {
		7  |     prevent_destroy = true
		8  |   }
		9  | 
		10 |   tags = merge(local.tags,
		11 |     { Name = lower(format("lb-%s-%s-webgate-eip-${count.index + 1}", local.application_name, local.environment)) }
		12 |   )
		13 | }


checkov_exitcode=1

CTFLint Scan Failed

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/ccms-ebs

*****************************

Running tflint in terraform/environments/ccms-ebs
Excluding the following checks: terraform_unused_declarations
5 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/ccms-ebs/ccms-ec2-ftp.tf line 23:
  23:     environment               = "${local.environment}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/ccms-ebs/ccms-ec2-ftp.tf line 24:
  24:     lz_aws_account_id_env     = "${local.application_data.accounts[local.environment].lz_aws_account_id_env}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/ccms-ebs/ccms-ec2-ftp.tf line 25:
  25:     lz_ftp_bucket_environment = "${local.application_data.accounts[local.environment].lz_ftp_bucket_environment}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/ccms-ebs/ccms-ec2-mailrelay.tf line 28:
  28:     smtp_fqdn = "${local.application_data.accounts[local.environment].ses_domain_identity}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/ccms-ebs/ccms-ec2-oracle_ebs_db.tf line 31:
  31:     environment = "${local.environment}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/ccms-ebs

*****************************

Running Trivy in terraform/environments/ccms-ebs
2024-12-12T10:27:29Z	INFO	[vulndb] Need to update DB
2024-12-12T10:27:29Z	INFO	[vulndb] Downloading vulnerability DB...
2024-12-12T10:27:29Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-12T10:27:31Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-12T10:27:31Z	INFO	[vuln] Vulnerability scanning is enabled
2024-12-12T10:27:31Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-12-12T10:27:31Z	INFO	[misconfig] Need to update the built-in checks
2024-12-12T10:27:31Z	INFO	[misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2024-12-12T10:27:31Z	INFO	[secret] Secret scanning is enabled
2024-12-12T10:27:31Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-12T10:27:31Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-12T10:27:33Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-12-12T10:27:33Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-12-12T10:27:33Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_log_group.groups" value="cty.NilVal"
2024-12-12T10:27:33Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_security_group_rule.all_internal_egress_traffic" value="cty.NilVal"
2024-12-12T10:27:33Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_security_group_rule.all_internal_ingress_traffic" value="cty.NilVal"
2024-12-12T10:27:34Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T10:27:34Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T10:27:34Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.s3-bucket-dbbackup.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T10:27:34Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.s3-bucket-dbbackup.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T10:27:34Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.s3-bucket-logging.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T10:27:34Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.s3-bucket-logging.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T10:27:34Z	INFO	[terraform scanner] Scanning root module	file_path="modules"
2024-12-12T10:27:34Z	INFO	[terraform scanner] Scanning root module	file_path="modules/cw-logs"
2024-12-12T10:27:37Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-12-12T10:27:37Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-user-attached-policies" range="ccms-iam.tf:283-289"
2024-12-12T10:27:38Z	INFO	Number of language-specific files	num=0
2024-12-12T10:27:38Z	INFO	Detected config files	num=28

ccms-ec2-oracle_accessgate.tf (terraform)
=========================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 ccms-ec2-oracle_accessgate.tf:1-104
────────────────────────────────────────
   1resource "aws_instance" "ec2_accessgate" {
   2count                  = local.application_data.accounts[local.environment].accessgate_no_instances
   3instance_type          = local.application_data.accounts[local.environment].ec2_oracle_instance_type_accessgate
   4ami                    = local.application_data.accounts[local.environment]["accessgate_ami_id-${count.index + 1}"]
   5key_name               = local.application_data.accounts[local.environment].key_name
   6vpc_security_group_ids = [aws_security_group.ec2_sg_accessgate.id]
   7subnet_id              = local.private_subnets[count.index]
   8#subnet_id                   = data.aws_subnet.data_subnets_a.id
   9monitoring                  = true
  ..   
────────────────────────────────────────



ccms-ec2-oracle_ebs_apps-alb.tf (terraform)
===========================================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.


See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 ccms-ec2-oracle_ebs_apps-alb.tf:1-19
────────────────────────────────────────
   1resource "aws_lb" "ebsapps_lb" {
   2name               = lower(format("lb-%s-%s-ebsapp", local.application_name, local.environment))
   3internal           = false
   4load_balancer_type = "application"
   5security_groups    = [aws_security_group.sg_ebsapps_lb.id]
   6subnets            = data.aws_subnets.shared-public.ids
   78enable_deletion_protection = true
   9..   
────────────────────────────────────────


AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 ccms-ec2-oracle_ebs_apps-alb.tf:3
   via ccms-ec2-oracle_ebs_apps-alb.tf:1-19 (aws_lb.ebsapps_lb)
────────────────────────────────────────
   1   resource "aws_lb" "ebsapps_lb" {
   .   
   3 [   internal           = false
  ..   
  19   }
────────────────────────────────────────



ccms-ec2-oracle_ebs_apps-nlb.tf (terraform)
===========================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 ccms-ec2-oracle_ebs_apps-nlb.tf:18
   via ccms-ec2-oracle_ebs_apps-nlb.tf:16-42 (aws_lb.ebsapps_nlb)
────────────────────────────────────────
  16   resource "aws_lb" "ebsapps_nlb" {
  ..   
  18 [   internal           = false
  ..   
  42   }
────────────────────────────────────────



ccms-ec2-oracle_ebs_apps.tf (terraform)
=======================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 ccms-ec2-oracle_ebs_apps.tf:1-127
────────────────────────────────────────
   1resource "aws_instance" "ec2_ebsapps" {
   2 │   count                  = local.application_data.accounts[local.environment].ebsapps_no_instances
   3 │   instance_type          = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsapps
   4 │   ami                    = local.application_data.accounts[local.environment]["ebsapps_ami_id-${count.index + 1}"]
   5 │   key_name               = local.application_data.accounts[local.environment].key_name
   6 │   vpc_security_group_ids = [aws_security_group.ec2_sg_ebsapps.id]
   7 │   subnet_id              = local.private_subnets[count.index]
   8#subnet_id                   = data.aws_subnet.data_subnets_a.id
   9 └   monitoring                  = true
  ..   
────────────────────────────────────────



ccms-ec2-oracle_ebs_db.tf (terraform)
=====================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 ccms-ec2-oracle_ebs_db.tf:1-68
────────────────────────────────────────
   1 ┌ resource "aws_instance" "ec2_oracle_ebs" {
   2 │   instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsdb
   3#ami                         = data.aws_ami.oracle_db.id
   4 │   ami                         = local.application_data.accounts[local.environment].ebsdb_ami_id
   5 │   key_name                    = local.application_data.accounts[local.environment].key_name
   6 │   vpc_security_group_ids      = [aws_security_group.ec2_sg_ebsdb.id]
   7 │   subnet_id                   = data.aws_subnet.data_subnets_a.id
   8 │   monitoring                  = true
   9 └   ebs_optimized               = false
  ..   
────────────────────────────────────────



ccms-ec2-oracle_webgate-alb.tf (terraform)
==========================================
Tests: 3 (SUCCESSES: 0, FAILURES: 3)
Failures: 3 (HIGH: 3, CRITICAL: 0)

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.


See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 ccms-ec2-oracle_webgate-alb.tf:1-20
────────────────────────────────────────
   1 ┌ resource "aws_lb" "webgate_lb" {
   2 │   count              = local.is-production ? 1 : 1
   3 │   name               = lower(format("lb-%s-%s-wgate", local.application_name, local.environment))
   4 │   internal           = true
   5 │   load_balancer_type = "application"
   6 │   security_groups    = [aws_security_group.sg_webgate_lb.id]
   7 │   subnets            = data.aws_subnets.shared-private.ids
   89 └   enable_deletion_protection = true
  ..   
────────────────────────────────────────


AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.


See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 ccms-ec2-oracle_webgate-alb.tf:62-80
────────────────────────────────────────
  62 ┌ resource "aws_lb" "webgate_public_lb" {
  63 │   name               = lower(format("public-alb-webgate"))
  64 │   internal           = false
  65 │   load_balancer_type = "application"
  66 │   security_groups    = [aws_security_group.sg_webgate_lb.id]
  67 │   subnets            = data.aws_subnets.shared-public.ids
  6869 │   enable_deletion_protection = true
  70 └ 
  ..   
────────────────────────────────────────


AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 ccms-ec2-oracle_webgate-alb.tf:64
   via ccms-ec2-oracle_webgate-alb.tf:62-80 (aws_lb.webgate_public_lb)
────────────────────────────────────────
  62   resource "aws_lb" "webgate_public_lb" {
  ..   
  64 [   internal           = false
  ..   
  80   }
────────────────────────────────────────



ccms-ec2-oracle_webgate-nlb.tf (terraform)
==========================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 ccms-ec2-oracle_webgate-nlb.tf:18
   via ccms-ec2-oracle_webgate-nlb.tf:16-42 (aws_lb.webgate_nlb)
────────────────────────────────────────
  16   resource "aws_lb" "webgate_nlb" {
  ..   
  18 [   internal           = false
  ..   
  42   }
────────────────────────────────────────



ccms-ec2-oracle_webgate.tf (terraform)
======================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 ccms-ec2-oracle_webgate.tf:1-104
────────────────────────────────────────
   1 ┌ resource "aws_instance" "ec2_webgate" {
   2 │   count                  = local.application_data.accounts[local.environment].webgate_no_instances
   3 │   instance_type          = local.application_data.accounts[local.environment].ec2_oracle_instance_type_webgate
   4 │   ami                    = local.application_data.accounts[local.environment]["webgate_ami_id-${count.index + 1}"]
   5 │   key_name               = local.application_data.accounts[local.environment].key_name
   6 │   vpc_security_group_ids = [aws_security_group.ec2_sg_webgate.id]
   7 │   subnet_id              = local.private_subnets[count.index]
   8#subnet_id                   = data.aws_subnet.data_subnets_a.id
   9 └   monitoring                  = true
  ..   
────────────────────────────────────────



ccms-s3.tf (terraform)
======================
Tests: 8 (SUCCESSES: 0, FAILURES: 8)
Failures: 8 (HIGH: 8, CRITICAL: 0)

AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 ccms-s3.tf:286-288
────────────────────────────────────────
 286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
 287 │   bucket = "${local.application_name}-${local.environment}-shared"
 288 └ }
────────────────────────────────────────


AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 ccms-s3.tf:293-295
────────────────────────────────────────
 293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
 294 │   bucket = "${local.application_name}-${local.environment}-payment-load"
 295 └ }
────────────────────────────────────────


AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 ccms-s3.tf:286-288
────────────────────────────────────────
 286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
 287 │   bucket = "${local.application_name}-${local.environment}-shared"
 288 └ }
────────────────────────────────────────


AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 ccms-s3.tf:293-295
────────────────────────────────────────
 293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
 294 │   bucket = "${local.application_name}-${local.environment}-payment-load"
 295 └ }
────────────────────────────────────────


AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 ccms-s3.tf:286-288
────────────────────────────────────────
 286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
 287 │   bucket = "${local.application_name}-${local.environment}-shared"
 288 └ }
────────────────────────────────────────


AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 ccms-s3.tf:293-295
────────────────────────────────────────
 293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
 294 │   bucket = "${local.application_name}-${local.environment}-payment-load"
 295 └ }
────────────────────────────────────────


AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.


See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 ccms-s3.tf:286-288
────────────────────────────────────────
 286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
 287 │   bucket = "${local.application_name}-${local.environment}-shared"
 288 └ }
────────────────────────────────────────


AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.


See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 ccms-s3.tf:293-295
────────────────────────────────────────
 293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
 294 │   bucket = "${local.application_name}-${local.environment}-payment-load"
 295 └ }
────────────────────────────────────────


trivy_exitcode=1

@github-actions GitHub Actions
Copy link
Contributor

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/ccms-ebs

Running Trivy in terraform/environments/ccms-ebs
2024-12-12T10:33:03Z INFO [vulndb] Need to update DB
2024-12-12T10:33:03Z INFO [vulndb] Downloading vulnerability DB...
2024-12-12T10:33:03Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-12T10:33:06Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-12T10:33:06Z INFO [vuln] Vulnerability scanning is enabled
2024-12-12T10:33:06Z INFO [misconfig] Misconfiguration scanning is enabled
2024-12-12T10:33:06Z INFO [misconfig] Need to update the built-in checks
2024-12-12T10:33:06Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2024-12-12T10:33:06Z INFO [secret] Secret scanning is enabled
2024-12-12T10:33:06Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-12T10:33:06Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-12T10:33:08Z INFO [terraform scanner] Scanning root module file_path="."
2024-12-12T10:33:08Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-12-12T10:33:08Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_log_group.groups" value="cty.NilVal"
2024-12-12T10:33:08Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_security_group_rule.all_internal_egress_traffic" value="cty.NilVal"
2024-12-12T10:33:08Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_security_group_rule.all_internal_ingress_traffic" value="cty.NilVal"
2024-12-12T10:33:09Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T10:33:09Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T10:33:09Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket-dbbackup.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T10:33:09Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket-dbbackup.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T10:33:09Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket-logging.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T10:33:09Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket-logging.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T10:33:09Z INFO [terraform scanner] Scanning root module file_path="modules"
2024-12-12T10:33:09Z INFO [terraform scanner] Scanning root module file_path="modules/cw-logs"
2024-12-12T10:33:12Z INFO [terraform executor] Ignore finding rule="aws-iam-no-user-attached-policies" range="ccms-iam.tf:283-289"
2024-12-12T10:33:12Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-12-12T10:33:13Z INFO Number of language-specific files num=0
2024-12-12T10:33:13Z INFO Detected config files num=28

ccms-ec2-oracle_accessgate.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ccms-ec2-oracle_accessgate.tf:1-104
────────────────────────────────────────
1 ┌ resource "aws_instance" "ec2_accessgate" {
2 │ count = local.application_data.accounts[local.environment].accessgate_no_instances
3 │ instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_accessgate
4 │ ami = local.application_data.accounts[local.environment]["accessgate_ami_id-${count.index + 1}"]
5 │ key_name = local.application_data.accounts[local.environment].key_name
6 │ vpc_security_group_ids = [aws_security_group.ec2_sg_accessgate.id]
7 │ subnet_id = local.private_subnets[count.index]
8 │ #subnet_id = data.aws_subnet.data_subnets_a.id
9 └ monitoring = true
..
────────────────────────────────────────

ccms-ec2-oracle_ebs_apps-alb.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-alb.tf:1-19
────────────────────────────────────────
1 ┌ resource "aws_lb" "ebsapps_lb" {
2 │ name = lower(format("lb-%s-%s-ebsapp", local.application_name, local.environment))
3 │ internal = false
4 │ load_balancer_type = "application"
5 │ security_groups = [aws_security_group.sg_ebsapps_lb.id]
6 │ subnets = data.aws_subnets.shared-public.ids
7 │
8 │ enable_deletion_protection = true
9 └
..
────────────────────────────────────────

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-alb.tf:3
via ccms-ec2-oracle_ebs_apps-alb.tf:1-19 (aws_lb.ebsapps_lb)
────────────────────────────────────────
1 resource "aws_lb" "ebsapps_lb" {
.
3 [ internal = false
..
19 }
────────────────────────────────────────

ccms-ec2-oracle_ebs_apps-nlb.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-nlb.tf:18
via ccms-ec2-oracle_ebs_apps-nlb.tf:16-42 (aws_lb.ebsapps_nlb)
────────────────────────────────────────
16 resource "aws_lb" "ebsapps_nlb" {
..
18 [ internal = false
..
42 }
────────────────────────────────────────

ccms-ec2-oracle_ebs_apps.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps.tf:1-127
────────────────────────────────────────
1 ┌ resource "aws_instance" "ec2_ebsapps" {
2 │ count = local.application_data.accounts[local.environment].ebsapps_no_instances
3 │ instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsapps
4 │ ami = local.application_data.accounts[local.environment]["ebsapps_ami_id-${count.index + 1}"]
5 │ key_name = local.application_data.accounts[local.environment].key_name
6 │ vpc_security_group_ids = [aws_security_group.ec2_sg_ebsapps.id]
7 │ subnet_id = local.private_subnets[count.index]
8 │ #subnet_id = data.aws_subnet.data_subnets_a.id
9 └ monitoring = true
..
────────────────────────────────────────

ccms-ec2-oracle_ebs_db.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
ccms-ec2-oracle_ebs_db.tf:1-68
────────────────────────────────────────
1 ┌ resource "aws_instance" "ec2_oracle_ebs" {
2 │ instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsdb
3 │ #ami = data.aws_ami.oracle_db.id
4 │ ami = local.application_data.accounts[local.environment].ebsdb_ami_id
5 │ key_name = local.application_data.accounts[local.environment].key_name
6 │ vpc_security_group_ids = [aws_security_group.ec2_sg_ebsdb.id]
7 │ subnet_id = data.aws_subnet.data_subnets_a.id
8 │ monitoring = true
9 └ ebs_optimized = false
..
────────────────────────────────────────

ccms-ec2-oracle_webgate-alb.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 3)
Failures: 3 (HIGH: 3, CRITICAL: 0)

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
ccms-ec2-oracle_webgate-alb.tf:1-20
────────────────────────────────────────
1 ┌ resource "aws_lb" "webgate_lb" {
2 │ count = local.is-production ? 1 : 1
3 │ name = lower(format("lb-%s-%s-wgate", local.application_name, local.environment))
4 │ internal = true
5 │ load_balancer_type = "application"
6 │ security_groups = [aws_security_group.sg_webgate_lb.id]
7 │ subnets = data.aws_subnets.shared-private.ids
8 │
9 └ enable_deletion_protection = true
..
────────────────────────────────────────

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
ccms-ec2-oracle_webgate-alb.tf:62-80
────────────────────────────────────────
62 ┌ resource "aws_lb" "webgate_public_lb" {
63 │ name = lower(format("public-alb-webgate"))
64 │ internal = false
65 │ load_balancer_type = "application"
66 │ security_groups = [aws_security_group.sg_webgate_lb.id]
67 │ subnets = data.aws_subnets.shared-public.ids
68 │
69 │ enable_deletion_protection = true
70 └
..
────────────────────────────────────────

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ccms-ec2-oracle_webgate-alb.tf:64
via ccms-ec2-oracle_webgate-alb.tf:62-80 (aws_lb.webgate_public_lb)
────────────────────────────────────────
62 resource "aws_lb" "webgate_public_lb" {
..
64 [ internal = false
..
80 }
────────────────────────────────────────

ccms-ec2-oracle_webgate-nlb.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ccms-ec2-oracle_webgate-nlb.tf:18
via ccms-ec2-oracle_webgate-nlb.tf:16-42 (aws_lb.webgate_nlb)
────────────────────────────────────────
16 resource "aws_lb" "webgate_nlb" {
..
18 [ internal = false
..
42 }
────────────────────────────────────────

ccms-ec2-oracle_webgate.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ccms-ec2-oracle_webgate.tf:1-104
────────────────────────────────────────
1 ┌ resource "aws_instance" "ec2_webgate" {
2 │ count = local.application_data.accounts[local.environment].webgate_no_instances
3 │ instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_webgate
4 │ ami = local.application_data.accounts[local.environment]["webgate_ami_id-${count.index + 1}"]
5 │ key_name = local.application_data.accounts[local.environment].key_name
6 │ vpc_security_group_ids = [aws_security_group.ec2_sg_webgate.id]
7 │ subnet_id = local.private_subnets[count.index]
8 │ #subnet_id = data.aws_subnet.data_subnets_a.id
9 └ monitoring = true
..
────────────────────────────────────────

ccms-s3.tf (terraform)

Tests: 8 (SUCCESSES: 0, FAILURES: 8)
Failures: 8 (HIGH: 8, CRITICAL: 0)

AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.

See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
ccms-s3.tf:286-288
────────────────────────────────────────
286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
287 │ bucket = "${local.application_name}-${local.environment}-shared"
288 └ }
────────────────────────────────────────

AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.

See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
ccms-s3.tf:293-295
────────────────────────────────────────
293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
294 │ bucket = "${local.application_name}-${local.environment}-payment-load"
295 └ }
────────────────────────────────────────

AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
ccms-s3.tf:286-288
────────────────────────────────────────
286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
287 │ bucket = "${local.application_name}-${local.environment}-shared"
288 └ }
────────────────────────────────────────

AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
ccms-s3.tf:293-295
────────────────────────────────────────
293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
294 │ bucket = "${local.application_name}-${local.environment}-payment-load"
295 └ }
────────────────────────────────────────

AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
ccms-s3.tf:286-288
────────────────────────────────────────
286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
287 │ bucket = "${local.application_name}-${local.environment}-shared"
288 └ }
────────────────────────────────────────

AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
ccms-s3.tf:293-295
────────────────────────────────────────
293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
294 │ bucket = "${local.application_name}-${local.environment}-payment-load"
295 └ }
────────────────────────────────────────

AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
ccms-s3.tf:286-288
────────────────────────────────────────
286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
287 │ bucket = "${local.application_name}-${local.environment}-shared"
288 └ }
────────────────────────────────────────

AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
ccms-s3.tf:293-295
────────────────────────────────────────
293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
294 │ bucket = "${local.application_name}-${local.environment}-payment-load"
295 └ }
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/ccms-ebs

*****************************

Running Checkov in terraform/environments/ccms-ebs
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-12-12 10:33:16,491 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 955, Failed checks: 74, Skipped checks: 3

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.groups
	File: /ccms-cloudwatch.tf:15-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		15 | resource "aws_cloudwatch_log_group" "groups" {
		16 |   for_each          = local.application_data.cw_log_groups
		17 |   name              = each.key
		18 |   retention_in_days = each.value.retention_days
		19 | 
		20 |   tags = merge(
		21 |     local.tags,
		22 |     {
		23 |       Name = each.key
		24 |     },
		25 |   )
		26 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.cloudwatch_datasource
	File: /ccms-cloudwatch.tf:54-106
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.dlm_lifecycle
	File: /ccms-dlm.tf:24-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		24 | resource "aws_iam_role_policy" "dlm_lifecycle" {
		25 |   count = local.is-production ? 0 : 1
		26 |   name  = "dlm-lifecycle-policy"
		27 |   role  = aws_iam_role.dlm_lifecycle_role[0].id
		28 | 
		29 |   policy = <<EOF
		30 | {
		31 |    "Version": "2012-10-17",
		32 |    "Statement": [
		33 |       {
		34 |          "Effect": "Allow",
		35 |          "Action": [
		36 |             "ec2:CreateSnapshot",
		37 |             "ec2:DeleteSnapshot",
		38 |             "ec2:DescribeVolumes",
		39 |             "ec2:DescribeSnapshots"
		40 |          ],
		41 |          "Resource": "*"
		42 |       },
		43 |       {
		44 |          "Effect": "Allow",
		45 |          "Action": [
		46 |             "ec2:CreateTags"
		47 |          ],
		48 |          "Resource": "arn:aws:ec2:*::snapshot/*"
		49 |       }
		50 |    ]
		51 | }
		52 | EOF
		53 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.dlm_lifecycle
	File: /ccms-dlm.tf:24-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		24 | resource "aws_iam_role_policy" "dlm_lifecycle" {
		25 |   count = local.is-production ? 0 : 1
		26 |   name  = "dlm-lifecycle-policy"
		27 |   role  = aws_iam_role.dlm_lifecycle_role[0].id
		28 | 
		29 |   policy = <<EOF
		30 | {
		31 |    "Version": "2012-10-17",
		32 |    "Statement": [
		33 |       {
		34 |          "Effect": "Allow",
		35 |          "Action": [
		36 |             "ec2:CreateSnapshot",
		37 |             "ec2:DeleteSnapshot",
		38 |             "ec2:DescribeVolumes",
		39 |             "ec2:DescribeSnapshots"
		40 |          ],
		41 |          "Resource": "*"
		42 |       },
		43 |       {
		44 |          "Effect": "Allow",
		45 |          "Action": [
		46 |             "ec2:CreateTags"
		47 |          ],
		48 |          "Resource": "arn:aws:ec2:*::snapshot/*"
		49 |       }
		50 |    ]
		51 | }
		52 | EOF
		53 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_ftp
	File: /ccms-ec2-ftp.tf:1-67
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_mailrelay
	File: /ccms-ec2-mailrelay.tf:2-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.ec2_accessgate
	File: /ccms-ec2-oracle_accessgate.tf:1-104
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_accessgate
	File: /ccms-ec2-oracle_accessgate.tf:1-104
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.ebsapps_lb
	File: /ccms-ec2-oracle_ebs_apps-alb.tf:1-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		1  | resource "aws_lb" "ebsapps_lb" {
		2  |   name               = lower(format("lb-%s-%s-ebsapp", local.application_name, local.environment))
		3  |   internal           = false
		4  |   load_balancer_type = "application"
		5  |   security_groups    = [aws_security_group.sg_ebsapps_lb.id]
		6  |   subnets            = data.aws_subnets.shared-public.ids
		7  | 
		8  |   enable_deletion_protection = true
		9  | 
		10 |   access_logs {
		11 |     bucket  = module.s3-bucket-logging.bucket.id
		12 |     prefix  = local.lb_log_prefix_ebsapp
		13 |     enabled = true
		14 |   }
		15 | 
		16 |   tags = merge(local.tags,
		17 |     { Name = lower(format("lb-%s-%s-ebsapp", local.application_name, local.environment)) }
		18 |   )
		19 | }

Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
	FAILED for resource: aws_lb_target_group.ebsapp_tg
	File: /ccms-ec2-oracle_ebs_apps-alb.tf:39-54
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks

		39 | resource "aws_lb_target_group" "ebsapp_tg" {
		40 |   name     = lower(format("tg-%s-%s-ebsapp", local.application_name, local.environment))
		41 |   port     = local.application_data.accounts[local.environment].tg_apps_port
		42 |   protocol = "HTTP"
		43 |   vpc_id   = data.aws_vpc.shared.id
		44 |   health_check {
		45 |     port     = local.application_data.accounts[local.environment].tg_apps_port
		46 |     protocol = "HTTP"
		47 |   }
		48 | 
		49 |   stickiness {
		50 |     enabled         = true
		51 |     type            = "lb_cookie"
		52 |     cookie_duration = 3600
		53 |   }
		54 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.ebsapps_nlb
	File: /ccms-ec2-oracle_ebs_apps-nlb.tf:16-42
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		16 | resource "aws_lb" "ebsapps_nlb" {
		17 |   name               = lower(format("nlb-%s-%s-ebs", local.application_name, local.environment))
		18 |   internal           = false
		19 |   load_balancer_type = "network"
		20 | 
		21 |   enable_deletion_protection       = true
		22 |   enable_cross_zone_load_balancing = true
		23 | 
		24 |   subnet_mapping {
		25 |     subnet_id     = data.aws_subnets.shared-public.ids[0]
		26 |     allocation_id = aws_eip.ebs_eip[0].id
		27 |   }
		28 | 
		29 |   subnet_mapping {
		30 |     subnet_id     = data.aws_subnets.shared-public.ids[1]
		31 |     allocation_id = aws_eip.ebs_eip[1].id
		32 |   }
		33 | 
		34 |   subnet_mapping {
		35 |     subnet_id     = data.aws_subnets.shared-public.ids[2]
		36 |     allocation_id = aws_eip.ebs_eip[2].id
		37 |   }
		38 | 
		39 |   tags = merge(local.tags,
		40 |     { Name = lower(format("nlb-%s-%s-ebsapp", local.application_name, local.environment)) }
		41 |   )
		42 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.ec2_ebsapps
	File: /ccms-ec2-oracle_ebs_apps.tf:1-127
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_ebsapps
	File: /ccms-ec2-oracle_ebs_apps.tf:1-127
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
	FAILED for resource: aws_instance.ec2_oracle_ebs
	File: /ccms-ec2-oracle_ebs_db.tf:1-68
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-13

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_oracle_ebs
	File: /ccms-ec2-oracle_ebs_db.tf:1-68
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.webgate_lb
	File: /ccms-ec2-oracle_webgate-alb.tf:1-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		1  | resource "aws_lb" "webgate_lb" {
		2  |   count              = local.is-production ? 1 : 1
		3  |   name               = lower(format("lb-%s-%s-wgate", local.application_name, local.environment))
		4  |   internal           = true
		5  |   load_balancer_type = "application"
		6  |   security_groups    = [aws_security_group.sg_webgate_lb.id]
		7  |   subnets            = data.aws_subnets.shared-private.ids
		8  | 
		9  |   enable_deletion_protection = true
		10 | 
		11 |   access_logs {
		12 |     bucket  = module.s3-bucket-logging.bucket.id
		13 |     prefix  = local.lb_log_prefix_wgate
		14 |     enabled = true
		15 |   }
		16 | 
		17 |   tags = merge(local.tags,
		18 |     { Name = lower(format("lb-%s-%s-wgate", local.application_name, local.environment)) }
		19 |   )
		20 | }

Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
	FAILED for resource: aws_lb_target_group.webgate_tg
	File: /ccms-ec2-oracle_webgate-alb.tf:40-52
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks

		40 | resource "aws_lb_target_group" "webgate_tg" {
		41 |   count    = local.is-production ? 1 : 1
		42 |   name     = lower(format("tg-%s-%s-wgate", local.application_name, local.environment))
		43 |   port     = 5401
		44 |   protocol = "HTTP"
		45 |   vpc_id   = data.aws_vpc.shared.id
		46 |   health_check {
		47 |     port     = 5401
		48 |     protocol = "HTTP"
		49 |     matcher  = 302
		50 |     timeout  = 10
		51 |   }
		52 | }

Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.webgate_public_lb
	File: /ccms-ec2-oracle_webgate-alb.tf:62-80
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		62 | resource "aws_lb" "webgate_public_lb" {
		63 |   name               = lower(format("public-alb-webgate"))
		64 |   internal           = false
		65 |   load_balancer_type = "application"
		66 |   security_groups    = [aws_security_group.sg_webgate_lb.id]
		67 |   subnets            = data.aws_subnets.shared-public.ids
		68 | 
		69 |   enable_deletion_protection = true
		70 | 
		71 |   access_logs {
		72 |     bucket  = module.s3-bucket-logging.bucket.id
		73 |     prefix  = local.lb_log_prefix_wgate_public
		74 |     enabled = true
		75 |   }
		76 | 
		77 |   tags = merge(local.tags,
		78 |     { Name = lower(format("public-alb-webgate")) }
		79 |   )
		80 | }

Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
	FAILED for resource: aws_lb_target_group.webgate_tg_public
	File: /ccms-ec2-oracle_webgate-alb.tf:100-111
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks

		100 | resource "aws_lb_target_group" "webgate_tg_public" {
		101 |   name     = lower(format("public-alb-webgate-tg"))
		102 |   port     = 5401
		103 |   protocol = "HTTP"
		104 |   vpc_id   = data.aws_vpc.shared.id
		105 |   health_check {
		106 |     port     = 5401
		107 |     protocol = "HTTP"
		108 |     matcher  = 302
		109 |     timeout  = 10
		110 |   }
		111 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.webgate_nlb
	File: /ccms-ec2-oracle_webgate-nlb.tf:16-42
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		16 | resource "aws_lb" "webgate_nlb" {
		17 |   name               = lower(format("public-nlb-webgate"))
		18 |   internal           = false
		19 |   load_balancer_type = "network"
		20 | 
		21 |   enable_deletion_protection       = true
		22 |   enable_cross_zone_load_balancing = true
		23 | 
		24 |   subnet_mapping {
		25 |     subnet_id     = data.aws_subnets.shared-public.ids[0]
		26 |     allocation_id = aws_eip.webgate_eip[0].id
		27 |   }
		28 | 
		29 |   subnet_mapping {
		30 |     subnet_id     = data.aws_subnets.shared-public.ids[1]
		31 |     allocation_id = aws_eip.webgate_eip[1].id
		32 |   }
		33 | 
		34 |   subnet_mapping {
		35 |     subnet_id     = data.aws_subnets.shared-public.ids[2]
		36 |     allocation_id = aws_eip.webgate_eip[2].id
		37 |   }
		38 | 
		39 |   tags = merge(local.tags,
		40 |     { Name = lower(format("public-nlb-webgate")) }
		41 |   )
		42 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.ec2_webgate
	File: /ccms-ec2-oracle_webgate.tf:1-104
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_webgate
	File: /ccms-ec2-oracle_webgate.tf:1-104
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.ec2_operations_policy
	File: /ccms-iam.tf:249-273
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		249 | resource "aws_iam_policy" "ec2_operations_policy" {
		250 |   name        = "ec2_operations-${local.environment}"
		251 |   description = "Allows EC2 operations."
		252 | 
		253 |   policy = jsonencode(
		254 |     {
		255 |       "Version" : "2012-10-17",
		256 |       "Statement" : [
		257 |         {
		258 |           "Sid" : "EC2Operations",
		259 |           "Effect" : "Allow",
		260 |           "Action" : [
		261 |             "ec2:Describe*",
		262 |             "ec2:CreateSnapshot",
		263 |             "ec2:CreateSnapshots",
		264 |             "ec2:DeleteSnapshot",
		265 |             "ec2:CreateTags",
		266 |             "ec2:DeleteTags"
		267 |           ],
		268 |           "Resource" : "*"
		269 |         }
		270 |       ]
		271 |     }
		272 |   )
		273 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.ec2_operations_policy
	File: /ccms-iam.tf:249-273
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		249 | resource "aws_iam_policy" "ec2_operations_policy" {
		250 |   name        = "ec2_operations-${local.environment}"
		251 |   description = "Allows EC2 operations."
		252 | 
		253 |   policy = jsonencode(
		254 |     {
		255 |       "Version" : "2012-10-17",
		256 |       "Statement" : [
		257 |         {
		258 |           "Sid" : "EC2Operations",
		259 |           "Effect" : "Allow",
		260 |           "Action" : [
		261 |             "ec2:Describe*",
		262 |             "ec2:CreateSnapshot",
		263 |             "ec2:CreateSnapshots",
		264 |             "ec2:DeleteSnapshot",
		265 |             "ec2:CreateTags",
		266 |             "ec2:DeleteTags"
		267 |           ],
		268 |           "Resource" : "*"
		269 |         }
		270 |       ]
		271 |     }
		272 |   )
		273 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.certificate_expiration_alerts
	File: /ccms-lambda-certificate-monitor.tf:46-51
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		46 | resource "aws_sns_topic" "certificate_expiration_alerts" {
		47 |   name = "${local.application_name}-${local.environment}-acm-certificate-alerts"
		48 |   tags = merge(local.tags, {
		49 |     Name = "${local.application_name}-${local.environment}-certificate-monitor"
		50 |   })
		51 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.certificate_monitor
	File: /ccms-lambda-certificate-monitor.tf:59-75
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		59 | resource "aws_lambda_function" "certificate_monitor" {
		60 |   filename      = "certificate_monitor.zip"
		61 |   function_name = "${local.application_name}-${local.environment}-certificate-monitor"
		62 |   role          = aws_iam_role.lambda_certificate_monitor_role.arn
		63 |   handler       = "lambda_function.lambda_handler"
		64 |   runtime       = "python3.11"
		65 |   timeout       = 30
		66 | 
		67 |   environment {
		68 |     variables = {
		69 |       SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
		70 |     }
		71 |   }
		72 |   tags = merge(local.tags, {
		73 |     Name = "${local.application_name}-${local.environment}-certificate-monitor"
		74 |   })
		75 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.certificate_monitor
	File: /ccms-lambda-certificate-monitor.tf:59-75
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		59 | resource "aws_lambda_function" "certificate_monitor" {
		60 |   filename      = "certificate_monitor.zip"
		61 |   function_name = "${local.application_name}-${local.environment}-certificate-monitor"
		62 |   role          = aws_iam_role.lambda_certificate_monitor_role.arn
		63 |   handler       = "lambda_function.lambda_handler"
		64 |   runtime       = "python3.11"
		65 |   timeout       = 30
		66 | 
		67 |   environment {
		68 |     variables = {
		69 |       SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
		70 |     }
		71 |   }
		72 |   tags = merge(local.tags, {
		73 |     Name = "${local.application_name}-${local.environment}-certificate-monitor"
		74 |   })
		75 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.certificate_monitor
	File: /ccms-lambda-certificate-monitor.tf:59-75
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		59 | resource "aws_lambda_function" "certificate_monitor" {
		60 |   filename      = "certificate_monitor.zip"
		61 |   function_name = "${local.application_name}-${local.environment}-certificate-monitor"
		62 |   role          = aws_iam_role.lambda_certificate_monitor_role.arn
		63 |   handler       = "lambda_function.lambda_handler"
		64 |   runtime       = "python3.11"
		65 |   timeout       = 30
		66 | 
		67 |   environment {
		68 |     variables = {
		69 |       SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
		70 |     }
		71 |   }
		72 |   tags = merge(local.tags, {
		73 |     Name = "${local.application_name}-${local.environment}-certificate-monitor"
		74 |   })
		75 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.certificate_monitor
	File: /ccms-lambda-certificate-monitor.tf:59-75
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		59 | resource "aws_lambda_function" "certificate_monitor" {
		60 |   filename      = "certificate_monitor.zip"
		61 |   function_name = "${local.application_name}-${local.environment}-certificate-monitor"
		62 |   role          = aws_iam_role.lambda_certificate_monitor_role.arn
		63 |   handler       = "lambda_function.lambda_handler"
		64 |   runtime       = "python3.11"
		65 |   timeout       = 30
		66 | 
		67 |   environment {
		68 |     variables = {
		69 |       SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
		70 |     }
		71 |   }
		72 |   tags = merge(local.tags, {
		73 |     Name = "${local.application_name}-${local.environment}-certificate-monitor"
		74 |   })
		75 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.certificate_monitor
	File: /ccms-lambda-certificate-monitor.tf:59-75
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		59 | resource "aws_lambda_function" "certificate_monitor" {
		60 |   filename      = "certificate_monitor.zip"
		61 |   function_name = "${local.application_name}-${local.environment}-certificate-monitor"
		62 |   role          = aws_iam_role.lambda_certificate_monitor_role.arn
		63 |   handler       = "lambda_function.lambda_handler"
		64 |   runtime       = "python3.11"
		65 |   timeout       = 30
		66 | 
		67 |   environment {
		68 |     variables = {
		69 |       SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
		70 |     }
		71 |   }
		72 |   tags = merge(local.tags, {
		73 |     Name = "${local.application_name}-${local.environment}-certificate-monitor"
		74 |   })
		75 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.certificate_monitor
	File: /ccms-lambda-certificate-monitor.tf:59-75
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		59 | resource "aws_lambda_function" "certificate_monitor" {
		60 |   filename      = "certificate_monitor.zip"
		61 |   function_name = "${local.application_name}-${local.environment}-certificate-monitor"
		62 |   role          = aws_iam_role.lambda_certificate_monitor_role.arn
		63 |   handler       = "lambda_function.lambda_handler"
		64 |   runtime       = "python3.11"
		65 |   timeout       = 30
		66 | 
		67 |   environment {
		68 |     variables = {
		69 |       SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
		70 |     }
		71 |   }
		72 |   tags = merge(local.tags, {
		73 |     Name = "${local.application_name}-${local.environment}-certificate-monitor"
		74 |   })
		75 | }

Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
	FAILED for resource: aws_security_group.lambda_security_group
	File: /ccms-lambda.tf:22-44

		22 | resource "aws_security_group" "lambda_security_group" {
		23 |   name        = "${local.application_name}-${local.environment}-lambda-sg"
		24 |   description = "SG traffic control for Payment Load Lambda"
		25 |   vpc_id      = data.aws_vpc.shared.id
		26 | 
		27 |   ingress {
		28 |     from_port   = 1521
		29 |     to_port     = 1522
		30 |     protocol    = "tcp"
		31 |     cidr_blocks = [data.aws_vpc.shared.cidr_block]
		32 |   }
		33 | 
		34 |   egress {
		35 |     from_port   = 0
		36 |     to_port     = 0
		37 |     protocol    = "-1"
		38 |     cidr_blocks = ["0.0.0.0/0"]
		39 |   }
		40 | 
		41 |   tags = merge(local.tags,
		42 |     { Name = "${local.application_name}-${local.environment}-lambda-sg" }
		43 |   )
		44 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.lambda_security_group
	File: /ccms-lambda.tf:22-44
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		22 | resource "aws_security_group" "lambda_security_group" {
		23 |   name        = "${local.application_name}-${local.environment}-lambda-sg"
		24 |   description = "SG traffic control for Payment Load Lambda"
		25 |   vpc_id      = data.aws_vpc.shared.id
		26 | 
		27 |   ingress {
		28 |     from_port   = 1521
		29 |     to_port     = 1522
		30 |     protocol    = "tcp"
		31 |     cidr_blocks = [data.aws_vpc.shared.cidr_block]
		32 |   }
		33 | 
		34 |   egress {
		35 |     from_port   = 0
		36 |     to_port     = 0
		37 |     protocol    = "-1"
		38 |     cidr_blocks = ["0.0.0.0/0"]
		39 |   }
		40 | 
		41 |   tags = merge(local.tags,
		42 |     { Name = "${local.application_name}-${local.environment}-lambda-sg" }
		43 |   )
		44 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.lambda_function
	File: /ccms-lambda.tf:48-82
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		48 | resource "aws_lambda_function" "lambda_function" {
		49 |   function_name = "${local.application_name}-${local.environment}-payment-load"
		50 |   filename      = "lambda/functionV2.zip"
		51 |   handler       = "lambda_function.lambda_handler"
		52 |   runtime       = "python3.10"
		53 |   role          = aws_iam_role.lambda_execution_role.arn
		54 |   layers        = [aws_lambda_layer_version.lambda_layer.arn]
		55 |   architectures = ["x86_64"]
		56 |   memory_size   = 128
		57 |   timeout       = 120
		58 | 
		59 |   vpc_config {
		60 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		61 |     security_group_ids = [aws_security_group.lambda_security_group.id]
		62 |   }
		63 |   environment {
		64 |     variables = {
		65 |       IS_PRODUCTION   = local.is-production ? "true" : "false"
		66 |       LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
		67 |       S3_BUCKET_NAME  = aws_s3_bucket.lambda_payment_load.bucket
		68 |       SECRET_NAME     = aws_secretsmanager_secret.secret_lambda_s3.name
		69 |     }
		70 |   }
		71 |   logging_config {
		72 |     log_format            = "JSON"
		73 |     application_log_level = "INFO"
		74 |     system_log_level      = "INFO"
		75 |   }
		76 | 
		77 |   tags = merge(local.tags, {
		78 |     Name = "${local.application_name}-${local.environment}-payment-load"
		79 |   })
		80 | 
		81 |   depends_on = [aws_lambda_layer_version.lambda_layer]
		82 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.lambda_function
	File: /ccms-lambda.tf:48-82
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		48 | resource "aws_lambda_function" "lambda_function" {
		49 |   function_name = "${local.application_name}-${local.environment}-payment-load"
		50 |   filename      = "lambda/functionV2.zip"
		51 |   handler       = "lambda_function.lambda_handler"
		52 |   runtime       = "python3.10"
		53 |   role          = aws_iam_role.lambda_execution_role.arn
		54 |   layers        = [aws_lambda_layer_version.lambda_layer.arn]
		55 |   architectures = ["x86_64"]
		56 |   memory_size   = 128
		57 |   timeout       = 120
		58 | 
		59 |   vpc_config {
		60 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		61 |     security_group_ids = [aws_security_group.lambda_security_group.id]
		62 |   }
		63 |   environment {
		64 |     variables = {
		65 |       IS_PRODUCTION   = local.is-production ? "true" : "false"
		66 |       LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
		67 |       S3_BUCKET_NAME  = aws_s3_bucket.lambda_payment_load.bucket
		68 |       SECRET_NAME     = aws_secretsmanager_secret.secret_lambda_s3.name
		69 |     }
		70 |   }
		71 |   logging_config {
		72 |     log_format            = "JSON"
		73 |     application_log_level = "INFO"
		74 |     system_log_level      = "INFO"
		75 |   }
		76 | 
		77 |   tags = merge(local.tags, {
		78 |     Name = "${local.application_name}-${local.environment}-payment-load"
		79 |   })
		80 | 
		81 |   depends_on = [aws_lambda_layer_version.lambda_layer]
		82 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.lambda_function
	File: /ccms-lambda.tf:48-82
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		48 | resource "aws_lambda_function" "lambda_function" {
		49 |   function_name = "${local.application_name}-${local.environment}-payment-load"
		50 |   filename      = "lambda/functionV2.zip"
		51 |   handler       = "lambda_function.lambda_handler"
		52 |   runtime       = "python3.10"
		53 |   role          = aws_iam_role.lambda_execution_role.arn
		54 |   layers        = [aws_lambda_layer_version.lambda_layer.arn]
		55 |   architectures = ["x86_64"]
		56 |   memory_size   = 128
		57 |   timeout       = 120
		58 | 
		59 |   vpc_config {
		60 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		61 |     security_group_ids = [aws_security_group.lambda_security_group.id]
		62 |   }
		63 |   environment {
		64 |     variables = {
		65 |       IS_PRODUCTION   = local.is-production ? "true" : "false"
		66 |       LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
		67 |       S3_BUCKET_NAME  = aws_s3_bucket.lambda_payment_load.bucket
		68 |       SECRET_NAME     = aws_secretsmanager_secret.secret_lambda_s3.name
		69 |     }
		70 |   }
		71 |   logging_config {
		72 |     log_format            = "JSON"
		73 |     application_log_level = "INFO"
		74 |     system_log_level      = "INFO"
		75 |   }
		76 | 
		77 |   tags = merge(local.tags, {
		78 |     Name = "${local.application_name}-${local.environment}-payment-load"
		79 |   })
		80 | 
		81 |   depends_on = [aws_lambda_layer_version.lambda_layer]
		82 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.lambda_function
	File: /ccms-lambda.tf:48-82
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		48 | resource "aws_lambda_function" "lambda_function" {
		49 |   function_name = "${local.application_name}-${local.environment}-payment-load"
		50 |   filename      = "lambda/functionV2.zip"
		51 |   handler       = "lambda_function.lambda_handler"
		52 |   runtime       = "python3.10"
		53 |   role          = aws_iam_role.lambda_execution_role.arn
		54 |   layers        = [aws_lambda_layer_version.lambda_layer.arn]
		55 |   architectures = ["x86_64"]
		56 |   memory_size   = 128
		57 |   timeout       = 120
		58 | 
		59 |   vpc_config {
		60 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		61 |     security_group_ids = [aws_security_group.lambda_security_group.id]
		62 |   }
		63 |   environment {
		64 |     variables = {
		65 |       IS_PRODUCTION   = local.is-production ? "true" : "false"
		66 |       LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
		67 |       S3_BUCKET_NAME  = aws_s3_bucket.lambda_payment_load.bucket
		68 |       SECRET_NAME     = aws_secretsmanager_secret.secret_lambda_s3.name
		69 |     }
		70 |   }
		71 |   logging_config {
		72 |     log_format            = "JSON"
		73 |     application_log_level = "INFO"
		74 |     system_log_level      = "INFO"
		75 |   }
		76 | 
		77 |   tags = merge(local.tags, {
		78 |     Name = "${local.application_name}-${local.environment}-payment-load"
		79 |   })
		80 | 
		81 |   depends_on = [aws_lambda_layer_version.lambda_layer]
		82 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.lambda_function
	File: /ccms-lambda.tf:48-82
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		48 | resource "aws_lambda_function" "lambda_function" {
		49 |   function_name = "${local.application_name}-${local.environment}-payment-load"
		50 |   filename      = "lambda/functionV2.zip"
		51 |   handler       = "lambda_function.lambda_handler"
		52 |   runtime       = "python3.10"
		53 |   role          = aws_iam_role.lambda_execution_role.arn
		54 |   layers        = [aws_lambda_layer_version.lambda_layer.arn]
		55 |   architectures = ["x86_64"]
		56 |   memory_size   = 128
		57 |   timeout       = 120
		58 | 
		59 |   vpc_config {
		60 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		61 |     security_group_ids = [aws_security_group.lambda_security_group.id]
		62 |   }
		63 |   environment {
		64 |     variables = {
		65 |       IS_PRODUCTION   = local.is-production ? "true" : "false"
		66 |       LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
		67 |       S3_BUCKET_NAME  = aws_s3_bucket.lambda_payment_load.bucket
		68 |       SECRET_NAME     = aws_secretsmanager_secret.secret_lambda_s3.name
		69 |     }
		70 |   }
		71 |   logging_config {
		72 |     log_format            = "JSON"
		73 |     application_log_level = "INFO"
		74 |     system_log_level      = "INFO"
		75 |   }
		76 | 
		77 |   tags = merge(local.tags, {
		78 |     Name = "${local.application_name}-${local.environment}-payment-load"
		79 |   })
		80 | 
		81 |   depends_on = [aws_lambda_layer_version.lambda_layer]
		82 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3-bucket
	File: /ccms-s3.tf:2-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3-bucket-logging
	File: /ccms-s3.tf:98-166
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3-bucket-dbbackup
	File: /ccms-s3.tf:190-258
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.secret_ftp_s3
	File: /ccms-secrets.tf:3-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		3  | resource "aws_secretsmanager_secret" "secret_ftp_s3" {
		4  |   name        = "ftp-s3-${local.environment}-aws-key"
		5  |   description = "AWS credentials for mounting of s3 buckets for the FTP Service to access"
		6  | 
		7  |   tags = merge(local.tags,
		8  |     { Name = "ftp-s3-${local.environment}-aws-key" }
		9  |   )
		10 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.secret_ses_smtp_credentials
	File: /ccms-secrets.tf:12-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		12 | resource "aws_secretsmanager_secret" "secret_ses_smtp_credentials" {
		13 |   name        = "ses-smtp-credentials"
		14 |   description = "SMTP credentials for Postfix to send messages through SES."
		15 | 
		16 |   tags = merge(local.tags,
		17 |     { Name = "ses-smtp-credentials-${local.environment}" }
		18 |   )
		19 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.secret_lambda_s3
	File: /ccms-secrets.tf:23-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		23 | resource "aws_secretsmanager_secret" "secret_lambda_s3" {
		24 |   name        = "db-${local.environment}-credentials"
		25 |   description = "AWS credentials for lambda to connect to the db"
		26 | 
		27 |   tags = merge(local.tags,
		28 |     { Name = "db-${local.environment}-credentials" }
		29 |   )
		30 | }
Check: CKV_AWS_365: "Ensure SES Configuration Set enforces TLS usage"
	FAILED for resource: aws_ses_configuration_set.default_configuration_set
	File: /ccms-ses.tf:35-43
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-365

		35 | resource "aws_ses_configuration_set" "default_configuration_set" {
		36 |   name = "default-configuration-set"
		37 | 
		38 |   delivery_options {
		39 |     tls_policy = "Optional"
		40 |   }
		41 |   reputation_metrics_enabled = true
		42 |   sending_enabled            = true
		43 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.support_email_account
	File: /ccms-sns.tf:2-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		2 | resource "aws_secretsmanager_secret" "support_email_account" {
		3 |   name        = "support_email_account"
		4 |   description = "email address of the support account for cw alerts"
		5 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.cw_alerts
	File: /ccms-sns.tf:17-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		17 | resource "aws_sns_topic" "cw_alerts" {
		18 |   name = "ccms-ebs-ec2-alerts"
		19 |   #kms_master_key_id = "alias/aws/sns"
		20 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.s3_topic
	File: /ccms-sns.tf:34-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		34 | resource "aws_sns_topic" "s3_topic" {
		35 |   name   = "s3-event-notification-topic"
		36 |   policy = data.aws_iam_policy_document.s3_topic_policy.json
		37 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.ddos_alarm
	File: /ccms-sns.tf:51-54
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		51 | resource "aws_sns_topic" "ddos_alarm" {
		52 |   name = format("%s_ddos_alarm", local.application_name)
		53 |   #kms_master_key_id = "alias/aws/sns"
		54 | }

Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
	FAILED for resource: aws_wafv2_web_acl.ebs_web_acl
	File: /ccms-waf.tf:172-211
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-waf-prevents-message-lookup-in-log4j2

		172 | resource "aws_wafv2_web_acl" "ebs_web_acl" {
		173 |   name        = "ebs_waf"
		174 |   scope       = "REGIONAL"
		175 |   description = "AWS WAF Web ACL for EBS"
		176 | 
		177 |   default_action {
		178 |     block {}
		179 |   }
		180 | 
		181 |   rule {
		182 |     name = "ebs-trusted-rule"
		183 | 
		184 |     priority = 1
		185 |     action {
		186 |       allow {}
		187 |     }
		188 | 
		189 |     statement {
		190 |       ip_set_reference_statement {
		191 |         arn = aws_wafv2_ip_set.ebs_waf_ip_set.arn
		192 |       }
		193 |     }
		194 | 
		195 |     visibility_config {
		196 |       cloudwatch_metrics_enabled = true
		197 |       metric_name                = "ebs_waf_metrics"
		198 |       sampled_requests_enabled   = true
		199 |     }
		200 |   }
		201 | 
		202 |   tags = merge(local.tags,
		203 |     { Name = lower(format("lb-%s-%s-ebsapp-web-acl", local.application_name, local.environment)) }
		204 |   )
		205 | 
		206 |   visibility_config {
		207 |     cloudwatch_metrics_enabled = true
		208 |     metric_name                = "ebs_waf_metrics"
		209 |     sampled_requests_enabled   = true
		210 |   }
		211 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.ebs_waf_logs
	File: /ccms-waf.tf:213-220
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		213 | resource "aws_cloudwatch_log_group" "ebs_waf_logs" {
		214 |   name              = "aws-waf-logs-ebs/ebs-waf-logs"
		215 |   retention_in_days = 30
		216 | 
		217 |   tags = merge(local.tags,
		218 |     { Name = lower(format("lb-%s-%s-ebs-waf-logs", local.application_name, local.environment)) }
		219 |   )
		220 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.ebs_waf_logs
	File: /ccms-waf.tf:213-220
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		213 | resource "aws_cloudwatch_log_group" "ebs_waf_logs" {
		214 |   name              = "aws-waf-logs-ebs/ebs-waf-logs"
		215 |   retention_in_days = 30
		216 | 
		217 |   tags = merge(local.tags,
		218 |     { Name = lower(format("lb-%s-%s-ebs-waf-logs", local.application_name, local.environment)) }
		219 |   )
		220 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.lambda_payment_load
	File: /ccms-s3.tf:293-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		293 | resource "aws_s3_bucket" "lambda_payment_load" {
		294 |   bucket = "${local.application_name}-${local.environment}-payment-load"
		295 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: aws_ssm_parameter.cw_agent_config
	File: /ccms-cloudwatch.tf:28-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted

		28 | resource "aws_ssm_parameter" "cw_agent_config" {
		29 |   description = "cloud watch agent config"
		30 |   name        = "cloud-watch-config"
		31 |   type        = "String"
		32 |   value       = file("./templates/cw_agent_config.json")
		33 | 
		34 |   tags = merge(local.tags,
		35 |     { Name = "cw-config" }
		36 |   )
		37 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.lambda_payment_load
	File: /ccms-s3.tf:293-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		293 | resource "aws_s3_bucket" "lambda_payment_load" {
		294 |   bucket = "${local.application_name}-${local.environment}-payment-load"
		295 | }
Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.lambda_payment_load
	File: /ccms-s3.tf:293-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		293 | resource "aws_s3_bucket" "lambda_payment_load" {
		294 |   bucket = "${local.application_name}-${local.environment}-payment-load"
		295 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.lambda_payment_load
	File: /ccms-s3.tf:293-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		293 | resource "aws_s3_bucket" "lambda_payment_load" {
		294 |   bucket = "${local.application_name}-${local.environment}-payment-load"
		295 | }
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.secret_ftp_s3
	File: /ccms-secrets.tf:3-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		3  | resource "aws_secretsmanager_secret" "secret_ftp_s3" {
		4  |   name        = "ftp-s3-${local.environment}-aws-key"
		5  |   description = "AWS credentials for mounting of s3 buckets for the FTP Service to access"
		6  | 
		7  |   tags = merge(local.tags,
		8  |     { Name = "ftp-s3-${local.environment}-aws-key" }
		9  |   )
		10 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.secret_ses_smtp_credentials
	File: /ccms-secrets.tf:12-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		12 | resource "aws_secretsmanager_secret" "secret_ses_smtp_credentials" {
		13 |   name        = "ses-smtp-credentials"
		14 |   description = "SMTP credentials for Postfix to send messages through SES."
		15 | 
		16 |   tags = merge(local.tags,
		17 |     { Name = "ses-smtp-credentials-${local.environment}" }
		18 |   )
		19 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.secret_lambda_s3
	File: /ccms-secrets.tf:23-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		23 | resource "aws_secretsmanager_secret" "secret_lambda_s3" {
		24 |   name        = "db-${local.environment}-credentials"
		25 |   description = "AWS credentials for lambda to connect to the db"
		26 | 
		27 |   tags = merge(local.tags,
		28 |     { Name = "db-${local.environment}-credentials" }
		29 |   )
		30 | }
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.support_email_account
	File: /ccms-sns.tf:2-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		2 | resource "aws_secretsmanager_secret" "support_email_account" {
		3 |   name        = "support_email_account"
		4 |   description = "email address of the support account for cw alerts"
		5 | }

Check: CKV2_AWS_64: "Ensure KMS key Policy is defined"
	FAILED for resource: aws_kms_key.oracle_ec2
	File: /ccms-kms.tf:1-7
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-2-64

		1 | resource "aws_kms_key" "oracle_ec2" {
		2 |   enable_key_rotation = true
		3 | 
		4 |   tags = merge(local.tags,
		5 |     { Name = "oracle_ec2" }
		6 |   )
		7 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.lambda_payment_load
	File: /ccms-s3.tf:293-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		293 | resource "aws_s3_bucket" "lambda_payment_load" {
		294 |   bucket = "${local.application_name}-${local.environment}-payment-load"
		295 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.lambda_payment_load
	File: /ccms-s3.tf:293-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		293 | resource "aws_s3_bucket" "lambda_payment_load" {
		294 |   bucket = "${local.application_name}-${local.environment}-payment-load"
		295 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.lambda_payment_load
	File: /ccms-s3.tf:293-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		293 | resource "aws_s3_bucket" "lambda_payment_load" {
		294 |   bucket = "${local.application_name}-${local.environment}-payment-load"
		295 | }
Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances"
	FAILED for resource: aws_eip.ebs_eip
	File: /ccms-ec2-oracle_ebs_apps-nlb.tf:2-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances

		2  | resource "aws_eip" "ebs_eip" {
		3  |   count = local.is-production ? 6 : 3
		4  |   vpc   = true
		5  | 
		6  |   lifecycle {
		7  |     prevent_destroy = true
		8  |   }
		9  | 
		10 |   tags = merge(local.tags,
		11 |     { Name = lower(format("lb-%s-%s-eip-${count.index + 1}", local.application_name, local.environment)) }
		12 |   )
		13 | }

Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances"
	FAILED for resource: aws_eip.webgate_eip
	File: /ccms-ec2-oracle_webgate-nlb.tf:2-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances

		2  | resource "aws_eip" "webgate_eip" {
		3  |   count = local.is-production ? 6 : 3
		4  |   vpc   = true
		5  | 
		6  |   lifecycle {
		7  |     prevent_destroy = true
		8  |   }
		9  | 
		10 |   tags = merge(local.tags,
		11 |     { Name = lower(format("lb-%s-%s-webgate-eip-${count.index + 1}", local.application_name, local.environment)) }
		12 |   )
		13 | }


checkov_exitcode=1

CTFLint Scan Failed

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/ccms-ebs

*****************************

Running tflint in terraform/environments/ccms-ebs
Excluding the following checks: terraform_unused_declarations
5 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/ccms-ebs/ccms-ec2-ftp.tf line 23:
  23:     environment               = "${local.environment}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/ccms-ebs/ccms-ec2-ftp.tf line 24:
  24:     lz_aws_account_id_env     = "${local.application_data.accounts[local.environment].lz_aws_account_id_env}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/ccms-ebs/ccms-ec2-ftp.tf line 25:
  25:     lz_ftp_bucket_environment = "${local.application_data.accounts[local.environment].lz_ftp_bucket_environment}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/ccms-ebs/ccms-ec2-mailrelay.tf line 28:
  28:     smtp_fqdn = "${local.application_data.accounts[local.environment].ses_domain_identity}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/ccms-ebs/ccms-ec2-oracle_ebs_db.tf line 31:
  31:     environment = "${local.environment}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/ccms-ebs

*****************************

Running Trivy in terraform/environments/ccms-ebs
2024-12-12T10:33:03Z	INFO	[vulndb] Need to update DB
2024-12-12T10:33:03Z	INFO	[vulndb] Downloading vulnerability DB...
2024-12-12T10:33:03Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-12T10:33:06Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-12T10:33:06Z	INFO	[vuln] Vulnerability scanning is enabled
2024-12-12T10:33:06Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-12-12T10:33:06Z	INFO	[misconfig] Need to update the built-in checks
2024-12-12T10:33:06Z	INFO	[misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2024-12-12T10:33:06Z	INFO	[secret] Secret scanning is enabled
2024-12-12T10:33:06Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-12T10:33:06Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-12T10:33:08Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-12-12T10:33:08Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-12-12T10:33:08Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_log_group.groups" value="cty.NilVal"
2024-12-12T10:33:08Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_security_group_rule.all_internal_egress_traffic" value="cty.NilVal"
2024-12-12T10:33:08Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_security_group_rule.all_internal_ingress_traffic" value="cty.NilVal"
2024-12-12T10:33:09Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T10:33:09Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T10:33:09Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.s3-bucket-dbbackup.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T10:33:09Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.s3-bucket-dbbackup.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T10:33:09Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.s3-bucket-logging.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T10:33:09Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.s3-bucket-logging.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T10:33:09Z	INFO	[terraform scanner] Scanning root module	file_path="modules"
2024-12-12T10:33:09Z	INFO	[terraform scanner] Scanning root module	file_path="modules/cw-logs"
2024-12-12T10:33:12Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-user-attached-policies" range="ccms-iam.tf:283-289"
2024-12-12T10:33:12Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-12-12T10:33:13Z	INFO	Number of language-specific files	num=0
2024-12-12T10:33:13Z	INFO	Detected config files	num=28

ccms-ec2-oracle_accessgate.tf (terraform)
=========================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 ccms-ec2-oracle_accessgate.tf:1-104
────────────────────────────────────────
   1resource "aws_instance" "ec2_accessgate" {
   2count                  = local.application_data.accounts[local.environment].accessgate_no_instances
   3instance_type          = local.application_data.accounts[local.environment].ec2_oracle_instance_type_accessgate
   4ami                    = local.application_data.accounts[local.environment]["accessgate_ami_id-${count.index + 1}"]
   5key_name               = local.application_data.accounts[local.environment].key_name
   6vpc_security_group_ids = [aws_security_group.ec2_sg_accessgate.id]
   7subnet_id              = local.private_subnets[count.index]
   8#subnet_id                   = data.aws_subnet.data_subnets_a.id
   9monitoring                  = true
  ..   
────────────────────────────────────────



ccms-ec2-oracle_ebs_apps-alb.tf (terraform)
===========================================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.


See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 ccms-ec2-oracle_ebs_apps-alb.tf:1-19
────────────────────────────────────────
   1resource "aws_lb" "ebsapps_lb" {
   2name               = lower(format("lb-%s-%s-ebsapp", local.application_name, local.environment))
   3internal           = false
   4load_balancer_type = "application"
   5security_groups    = [aws_security_group.sg_ebsapps_lb.id]
   6subnets            = data.aws_subnets.shared-public.ids
   78enable_deletion_protection = true
   9..   
────────────────────────────────────────


AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 ccms-ec2-oracle_ebs_apps-alb.tf:3
   via ccms-ec2-oracle_ebs_apps-alb.tf:1-19 (aws_lb.ebsapps_lb)
────────────────────────────────────────
   1   resource "aws_lb" "ebsapps_lb" {
   .   
   3 [   internal           = false
  ..   
  19   }
────────────────────────────────────────



ccms-ec2-oracle_ebs_apps-nlb.tf (terraform)
===========================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 ccms-ec2-oracle_ebs_apps-nlb.tf:18
   via ccms-ec2-oracle_ebs_apps-nlb.tf:16-42 (aws_lb.ebsapps_nlb)
────────────────────────────────────────
  16   resource "aws_lb" "ebsapps_nlb" {
  ..   
  18 [   internal           = false
  ..   
  42   }
────────────────────────────────────────



ccms-ec2-oracle_ebs_apps.tf (terraform)
=======================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 ccms-ec2-oracle_ebs_apps.tf:1-127
────────────────────────────────────────
   1resource "aws_instance" "ec2_ebsapps" {
   2 │   count                  = local.application_data.accounts[local.environment].ebsapps_no_instances
   3 │   instance_type          = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsapps
   4 │   ami                    = local.application_data.accounts[local.environment]["ebsapps_ami_id-${count.index + 1}"]
   5 │   key_name               = local.application_data.accounts[local.environment].key_name
   6 │   vpc_security_group_ids = [aws_security_group.ec2_sg_ebsapps.id]
   7 │   subnet_id              = local.private_subnets[count.index]
   8#subnet_id                   = data.aws_subnet.data_subnets_a.id
   9 └   monitoring                  = true
  ..   
────────────────────────────────────────



ccms-ec2-oracle_ebs_db.tf (terraform)
=====================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 ccms-ec2-oracle_ebs_db.tf:1-68
────────────────────────────────────────
   1 ┌ resource "aws_instance" "ec2_oracle_ebs" {
   2 │   instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsdb
   3#ami                         = data.aws_ami.oracle_db.id
   4 │   ami                         = local.application_data.accounts[local.environment].ebsdb_ami_id
   5 │   key_name                    = local.application_data.accounts[local.environment].key_name
   6 │   vpc_security_group_ids      = [aws_security_group.ec2_sg_ebsdb.id]
   7 │   subnet_id                   = data.aws_subnet.data_subnets_a.id
   8 │   monitoring                  = true
   9 └   ebs_optimized               = false
  ..   
────────────────────────────────────────



ccms-ec2-oracle_webgate-alb.tf (terraform)
==========================================
Tests: 3 (SUCCESSES: 0, FAILURES: 3)
Failures: 3 (HIGH: 3, CRITICAL: 0)

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.


See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 ccms-ec2-oracle_webgate-alb.tf:1-20
────────────────────────────────────────
   1 ┌ resource "aws_lb" "webgate_lb" {
   2 │   count              = local.is-production ? 1 : 1
   3 │   name               = lower(format("lb-%s-%s-wgate", local.application_name, local.environment))
   4 │   internal           = true
   5 │   load_balancer_type = "application"
   6 │   security_groups    = [aws_security_group.sg_webgate_lb.id]
   7 │   subnets            = data.aws_subnets.shared-private.ids
   89 └   enable_deletion_protection = true
  ..   
────────────────────────────────────────


AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.


See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 ccms-ec2-oracle_webgate-alb.tf:62-80
────────────────────────────────────────
  62 ┌ resource "aws_lb" "webgate_public_lb" {
  63 │   name               = lower(format("public-alb-webgate"))
  64 │   internal           = false
  65 │   load_balancer_type = "application"
  66 │   security_groups    = [aws_security_group.sg_webgate_lb.id]
  67 │   subnets            = data.aws_subnets.shared-public.ids
  6869 │   enable_deletion_protection = true
  70 └ 
  ..   
────────────────────────────────────────


AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 ccms-ec2-oracle_webgate-alb.tf:64
   via ccms-ec2-oracle_webgate-alb.tf:62-80 (aws_lb.webgate_public_lb)
────────────────────────────────────────
  62   resource "aws_lb" "webgate_public_lb" {
  ..   
  64 [   internal           = false
  ..   
  80   }
────────────────────────────────────────



ccms-ec2-oracle_webgate-nlb.tf (terraform)
==========================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 ccms-ec2-oracle_webgate-nlb.tf:18
   via ccms-ec2-oracle_webgate-nlb.tf:16-42 (aws_lb.webgate_nlb)
────────────────────────────────────────
  16   resource "aws_lb" "webgate_nlb" {
  ..   
  18 [   internal           = false
  ..   
  42   }
────────────────────────────────────────



ccms-ec2-oracle_webgate.tf (terraform)
======================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 ccms-ec2-oracle_webgate.tf:1-104
────────────────────────────────────────
   1 ┌ resource "aws_instance" "ec2_webgate" {
   2 │   count                  = local.application_data.accounts[local.environment].webgate_no_instances
   3 │   instance_type          = local.application_data.accounts[local.environment].ec2_oracle_instance_type_webgate
   4 │   ami                    = local.application_data.accounts[local.environment]["webgate_ami_id-${count.index + 1}"]
   5 │   key_name               = local.application_data.accounts[local.environment].key_name
   6 │   vpc_security_group_ids = [aws_security_group.ec2_sg_webgate.id]
   7 │   subnet_id              = local.private_subnets[count.index]
   8#subnet_id                   = data.aws_subnet.data_subnets_a.id
   9 └   monitoring                  = true
  ..   
────────────────────────────────────────



ccms-s3.tf (terraform)
======================
Tests: 8 (SUCCESSES: 0, FAILURES: 8)
Failures: 8 (HIGH: 8, CRITICAL: 0)

AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 ccms-s3.tf:286-288
────────────────────────────────────────
 286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
 287 │   bucket = "${local.application_name}-${local.environment}-shared"
 288 └ }
────────────────────────────────────────


AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 ccms-s3.tf:293-295
────────────────────────────────────────
 293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
 294 │   bucket = "${local.application_name}-${local.environment}-payment-load"
 295 └ }
────────────────────────────────────────


AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 ccms-s3.tf:286-288
────────────────────────────────────────
 286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
 287 │   bucket = "${local.application_name}-${local.environment}-shared"
 288 └ }
────────────────────────────────────────


AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 ccms-s3.tf:293-295
────────────────────────────────────────
 293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
 294 │   bucket = "${local.application_name}-${local.environment}-payment-load"
 295 └ }
────────────────────────────────────────


AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 ccms-s3.tf:286-288
────────────────────────────────────────
 286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
 287 │   bucket = "${local.application_name}-${local.environment}-shared"
 288 └ }
────────────────────────────────────────


AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 ccms-s3.tf:293-295
────────────────────────────────────────
 293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
 294 │   bucket = "${local.application_name}-${local.environment}-payment-load"
 295 └ }
────────────────────────────────────────


AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.


See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 ccms-s3.tf:286-288
────────────────────────────────────────
 286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
 287 │   bucket = "${local.application_name}-${local.environment}-shared"
 288 └ }
────────────────────────────────────────


AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.


See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 ccms-s3.tf:293-295
────────────────────────────────────────
 293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
 294 │   bucket = "${local.application_name}-${local.environment}-payment-load"
 295 └ }
────────────────────────────────────────


trivy_exitcode=1

@mmgovuk mmgovuk had a problem deploying to ccms-ebs-development December 12, 2024 15:50 — with GitHub Actions Failure
@github-actions GitHub Actions
Copy link
Contributor

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/ccms-ebs

Running Trivy in terraform/environments/ccms-ebs
2024-12-12T15:50:37Z INFO [vulndb] Need to update DB
2024-12-12T15:50:37Z INFO [vulndb] Downloading vulnerability DB...
2024-12-12T15:50:37Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-12T15:50:39Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-12T15:50:39Z INFO [vuln] Vulnerability scanning is enabled
2024-12-12T15:50:39Z INFO [misconfig] Misconfiguration scanning is enabled
2024-12-12T15:50:39Z INFO [misconfig] Need to update the built-in checks
2024-12-12T15:50:39Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2024-12-12T15:50:39Z INFO [secret] Secret scanning is enabled
2024-12-12T15:50:39Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-12T15:50:39Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-12T15:50:41Z INFO [terraform scanner] Scanning root module file_path="."
2024-12-12T15:50:41Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-12-12T15:50:41Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_log_group.groups" value="cty.NilVal"
2024-12-12T15:50:41Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_security_group_rule.all_internal_egress_traffic" value="cty.NilVal"
2024-12-12T15:50:41Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_security_group_rule.all_internal_ingress_traffic" value="cty.NilVal"
2024-12-12T15:50:42Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T15:50:42Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T15:50:42Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket-dbbackup.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T15:50:42Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket-dbbackup.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T15:50:42Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket-logging.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T15:50:42Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket-logging.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T15:50:42Z INFO [terraform scanner] Scanning root module file_path="modules"
2024-12-12T15:50:42Z INFO [terraform scanner] Scanning root module file_path="modules/cw-logs"
2024-12-12T15:50:45Z INFO [terraform executor] Ignore finding rule="aws-iam-no-user-attached-policies" range="ccms-iam.tf:283-289"
2024-12-12T15:50:45Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-12-12T15:50:45Z INFO Number of language-specific files num=0
2024-12-12T15:50:45Z INFO Detected config files num=28

ccms-ec2-oracle_accessgate.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ccms-ec2-oracle_accessgate.tf:1-104
────────────────────────────────────────
1 ┌ resource "aws_instance" "ec2_accessgate" {
2 │ count = local.application_data.accounts[local.environment].accessgate_no_instances
3 │ instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_accessgate
4 │ ami = local.application_data.accounts[local.environment]["accessgate_ami_id-${count.index + 1}"]
5 │ key_name = local.application_data.accounts[local.environment].key_name
6 │ vpc_security_group_ids = [aws_security_group.ec2_sg_accessgate.id]
7 │ subnet_id = local.private_subnets[count.index]
8 │ #subnet_id = data.aws_subnet.data_subnets_a.id
9 └ monitoring = true
..
────────────────────────────────────────

ccms-ec2-oracle_ebs_apps-alb.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-alb.tf:1-19
────────────────────────────────────────
1 ┌ resource "aws_lb" "ebsapps_lb" {
2 │ name = lower(format("lb-%s-%s-ebsapp", local.application_name, local.environment))
3 │ internal = false
4 │ load_balancer_type = "application"
5 │ security_groups = [aws_security_group.sg_ebsapps_lb.id]
6 │ subnets = data.aws_subnets.shared-public.ids
7 │
8 │ enable_deletion_protection = true
9 └
..
────────────────────────────────────────

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-alb.tf:3
via ccms-ec2-oracle_ebs_apps-alb.tf:1-19 (aws_lb.ebsapps_lb)
────────────────────────────────────────
1 resource "aws_lb" "ebsapps_lb" {
.
3 [ internal = false
..
19 }
────────────────────────────────────────

ccms-ec2-oracle_ebs_apps-nlb.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-nlb.tf:18
via ccms-ec2-oracle_ebs_apps-nlb.tf:16-42 (aws_lb.ebsapps_nlb)
────────────────────────────────────────
16 resource "aws_lb" "ebsapps_nlb" {
..
18 [ internal = false
..
42 }
────────────────────────────────────────

ccms-ec2-oracle_ebs_apps.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps.tf:1-127
────────────────────────────────────────
1 ┌ resource "aws_instance" "ec2_ebsapps" {
2 │ count = local.application_data.accounts[local.environment].ebsapps_no_instances
3 │ instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsapps
4 │ ami = local.application_data.accounts[local.environment]["ebsapps_ami_id-${count.index + 1}"]
5 │ key_name = local.application_data.accounts[local.environment].key_name
6 │ vpc_security_group_ids = [aws_security_group.ec2_sg_ebsapps.id]
7 │ subnet_id = local.private_subnets[count.index]
8 │ #subnet_id = data.aws_subnet.data_subnets_a.id
9 └ monitoring = true
..
────────────────────────────────────────

ccms-ec2-oracle_ebs_db.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
ccms-ec2-oracle_ebs_db.tf:1-68
────────────────────────────────────────
1 ┌ resource "aws_instance" "ec2_oracle_ebs" {
2 │ instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsdb
3 │ #ami = data.aws_ami.oracle_db.id
4 │ ami = local.application_data.accounts[local.environment].ebsdb_ami_id
5 │ key_name = local.application_data.accounts[local.environment].key_name
6 │ vpc_security_group_ids = [aws_security_group.ec2_sg_ebsdb.id]
7 │ subnet_id = data.aws_subnet.data_subnets_a.id
8 │ monitoring = true
9 └ ebs_optimized = false
..
────────────────────────────────────────

ccms-ec2-oracle_webgate-alb.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 3)
Failures: 3 (HIGH: 3, CRITICAL: 0)

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
ccms-ec2-oracle_webgate-alb.tf:1-20
────────────────────────────────────────
1 ┌ resource "aws_lb" "webgate_lb" {
2 │ count = local.is-production ? 1 : 1
3 │ name = lower(format("lb-%s-%s-wgate", local.application_name, local.environment))
4 │ internal = true
5 │ load_balancer_type = "application"
6 │ security_groups = [aws_security_group.sg_webgate_lb.id]
7 │ subnets = data.aws_subnets.shared-private.ids
8 │
9 └ enable_deletion_protection = true
..
────────────────────────────────────────

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
ccms-ec2-oracle_webgate-alb.tf:62-80
────────────────────────────────────────
62 ┌ resource "aws_lb" "webgate_public_lb" {
63 │ name = lower(format("public-alb-webgate"))
64 │ internal = false
65 │ load_balancer_type = "application"
66 │ security_groups = [aws_security_group.sg_webgate_lb.id]
67 │ subnets = data.aws_subnets.shared-public.ids
68 │
69 │ enable_deletion_protection = true
70 └
..
────────────────────────────────────────

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ccms-ec2-oracle_webgate-alb.tf:64
via ccms-ec2-oracle_webgate-alb.tf:62-80 (aws_lb.webgate_public_lb)
────────────────────────────────────────
62 resource "aws_lb" "webgate_public_lb" {
..
64 [ internal = false
..
80 }
────────────────────────────────────────

ccms-ec2-oracle_webgate-nlb.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ccms-ec2-oracle_webgate-nlb.tf:18
via ccms-ec2-oracle_webgate-nlb.tf:16-42 (aws_lb.webgate_nlb)
────────────────────────────────────────
16 resource "aws_lb" "webgate_nlb" {
..
18 [ internal = false
..
42 }
────────────────────────────────────────

ccms-ec2-oracle_webgate.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ccms-ec2-oracle_webgate.tf:1-104
────────────────────────────────────────
1 ┌ resource "aws_instance" "ec2_webgate" {
2 │ count = local.application_data.accounts[local.environment].webgate_no_instances
3 │ instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_webgate
4 │ ami = local.application_data.accounts[local.environment]["webgate_ami_id-${count.index + 1}"]
5 │ key_name = local.application_data.accounts[local.environment].key_name
6 │ vpc_security_group_ids = [aws_security_group.ec2_sg_webgate.id]
7 │ subnet_id = local.private_subnets[count.index]
8 │ #subnet_id = data.aws_subnet.data_subnets_a.id
9 └ monitoring = true
..
────────────────────────────────────────

ccms-s3.tf (terraform)

Tests: 8 (SUCCESSES: 0, FAILURES: 8)
Failures: 8 (HIGH: 8, CRITICAL: 0)

AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.

See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
ccms-s3.tf:286-288
────────────────────────────────────────
286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
287 │ bucket = "${local.application_name}-${local.environment}-shared"
288 └ }
────────────────────────────────────────

AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.

See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
ccms-s3.tf:293-295
────────────────────────────────────────
293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
294 │ bucket = "${local.application_name}-${local.environment}-payment-load"
295 └ }
────────────────────────────────────────

AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
ccms-s3.tf:286-288
────────────────────────────────────────
286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
287 │ bucket = "${local.application_name}-${local.environment}-shared"
288 └ }
────────────────────────────────────────

AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
ccms-s3.tf:293-295
────────────────────────────────────────
293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
294 │ bucket = "${local.application_name}-${local.environment}-payment-load"
295 └ }
────────────────────────────────────────

AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
ccms-s3.tf:286-288
────────────────────────────────────────
286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
287 │ bucket = "${local.application_name}-${local.environment}-shared"
288 └ }
────────────────────────────────────────

AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
ccms-s3.tf:293-295
────────────────────────────────────────
293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
294 │ bucket = "${local.application_name}-${local.environment}-payment-load"
295 └ }
────────────────────────────────────────

AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
ccms-s3.tf:286-288
────────────────────────────────────────
286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
287 │ bucket = "${local.application_name}-${local.environment}-shared"
288 └ }
────────────────────────────────────────

AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
ccms-s3.tf:293-295
────────────────────────────────────────
293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
294 │ bucket = "${local.application_name}-${local.environment}-payment-load"
295 └ }
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/ccms-ebs

*****************************

Running Checkov in terraform/environments/ccms-ebs
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-12-12 15:50:48,247 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 955, Failed checks: 74, Skipped checks: 3

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.cloudwatch_datasource
	File: /ccms-cloudwatch.tf:54-106
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.groups
	File: /ccms-cloudwatch.tf:15-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		15 | resource "aws_cloudwatch_log_group" "groups" {
		16 |   for_each          = local.application_data.cw_log_groups
		17 |   name              = each.key
		18 |   retention_in_days = each.value.retention_days
		19 | 
		20 |   tags = merge(
		21 |     local.tags,
		22 |     {
		23 |       Name = each.key
		24 |     },
		25 |   )
		26 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.dlm_lifecycle
	File: /ccms-dlm.tf:24-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		24 | resource "aws_iam_role_policy" "dlm_lifecycle" {
		25 |   count = local.is-production ? 0 : 1
		26 |   name  = "dlm-lifecycle-policy"
		27 |   role  = aws_iam_role.dlm_lifecycle_role[0].id
		28 | 
		29 |   policy = <<EOF
		30 | {
		31 |    "Version": "2012-10-17",
		32 |    "Statement": [
		33 |       {
		34 |          "Effect": "Allow",
		35 |          "Action": [
		36 |             "ec2:CreateSnapshot",
		37 |             "ec2:DeleteSnapshot",
		38 |             "ec2:DescribeVolumes",
		39 |             "ec2:DescribeSnapshots"
		40 |          ],
		41 |          "Resource": "*"
		42 |       },
		43 |       {
		44 |          "Effect": "Allow",
		45 |          "Action": [
		46 |             "ec2:CreateTags"
		47 |          ],
		48 |          "Resource": "arn:aws:ec2:*::snapshot/*"
		49 |       }
		50 |    ]
		51 | }
		52 | EOF
		53 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.dlm_lifecycle
	File: /ccms-dlm.tf:24-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		24 | resource "aws_iam_role_policy" "dlm_lifecycle" {
		25 |   count = local.is-production ? 0 : 1
		26 |   name  = "dlm-lifecycle-policy"
		27 |   role  = aws_iam_role.dlm_lifecycle_role[0].id
		28 | 
		29 |   policy = <<EOF
		30 | {
		31 |    "Version": "2012-10-17",
		32 |    "Statement": [
		33 |       {
		34 |          "Effect": "Allow",
		35 |          "Action": [
		36 |             "ec2:CreateSnapshot",
		37 |             "ec2:DeleteSnapshot",
		38 |             "ec2:DescribeVolumes",
		39 |             "ec2:DescribeSnapshots"
		40 |          ],
		41 |          "Resource": "*"
		42 |       },
		43 |       {
		44 |          "Effect": "Allow",
		45 |          "Action": [
		46 |             "ec2:CreateTags"
		47 |          ],
		48 |          "Resource": "arn:aws:ec2:*::snapshot/*"
		49 |       }
		50 |    ]
		51 | }
		52 | EOF
		53 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_ftp
	File: /ccms-ec2-ftp.tf:1-67
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_mailrelay
	File: /ccms-ec2-mailrelay.tf:2-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.ec2_accessgate
	File: /ccms-ec2-oracle_accessgate.tf:1-104
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_accessgate
	File: /ccms-ec2-oracle_accessgate.tf:1-104
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.ebsapps_lb
	File: /ccms-ec2-oracle_ebs_apps-alb.tf:1-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		1  | resource "aws_lb" "ebsapps_lb" {
		2  |   name               = lower(format("lb-%s-%s-ebsapp", local.application_name, local.environment))
		3  |   internal           = false
		4  |   load_balancer_type = "application"
		5  |   security_groups    = [aws_security_group.sg_ebsapps_lb.id]
		6  |   subnets            = data.aws_subnets.shared-public.ids
		7  | 
		8  |   enable_deletion_protection = true
		9  | 
		10 |   access_logs {
		11 |     bucket  = module.s3-bucket-logging.bucket.id
		12 |     prefix  = local.lb_log_prefix_ebsapp
		13 |     enabled = true
		14 |   }
		15 | 
		16 |   tags = merge(local.tags,
		17 |     { Name = lower(format("lb-%s-%s-ebsapp", local.application_name, local.environment)) }
		18 |   )
		19 | }

Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
	FAILED for resource: aws_lb_target_group.ebsapp_tg
	File: /ccms-ec2-oracle_ebs_apps-alb.tf:39-54
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks

		39 | resource "aws_lb_target_group" "ebsapp_tg" {
		40 |   name     = lower(format("tg-%s-%s-ebsapp", local.application_name, local.environment))
		41 |   port     = local.application_data.accounts[local.environment].tg_apps_port
		42 |   protocol = "HTTP"
		43 |   vpc_id   = data.aws_vpc.shared.id
		44 |   health_check {
		45 |     port     = local.application_data.accounts[local.environment].tg_apps_port
		46 |     protocol = "HTTP"
		47 |   }
		48 | 
		49 |   stickiness {
		50 |     enabled         = true
		51 |     type            = "lb_cookie"
		52 |     cookie_duration = 3600
		53 |   }
		54 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.ebsapps_nlb
	File: /ccms-ec2-oracle_ebs_apps-nlb.tf:16-42
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		16 | resource "aws_lb" "ebsapps_nlb" {
		17 |   name               = lower(format("nlb-%s-%s-ebs", local.application_name, local.environment))
		18 |   internal           = false
		19 |   load_balancer_type = "network"
		20 | 
		21 |   enable_deletion_protection       = true
		22 |   enable_cross_zone_load_balancing = true
		23 | 
		24 |   subnet_mapping {
		25 |     subnet_id     = data.aws_subnets.shared-public.ids[0]
		26 |     allocation_id = aws_eip.ebs_eip[0].id
		27 |   }
		28 | 
		29 |   subnet_mapping {
		30 |     subnet_id     = data.aws_subnets.shared-public.ids[1]
		31 |     allocation_id = aws_eip.ebs_eip[1].id
		32 |   }
		33 | 
		34 |   subnet_mapping {
		35 |     subnet_id     = data.aws_subnets.shared-public.ids[2]
		36 |     allocation_id = aws_eip.ebs_eip[2].id
		37 |   }
		38 | 
		39 |   tags = merge(local.tags,
		40 |     { Name = lower(format("nlb-%s-%s-ebsapp", local.application_name, local.environment)) }
		41 |   )
		42 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.ec2_ebsapps
	File: /ccms-ec2-oracle_ebs_apps.tf:1-127
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_ebsapps
	File: /ccms-ec2-oracle_ebs_apps.tf:1-127
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
	FAILED for resource: aws_instance.ec2_oracle_ebs
	File: /ccms-ec2-oracle_ebs_db.tf:1-68
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-13

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_oracle_ebs
	File: /ccms-ec2-oracle_ebs_db.tf:1-68
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.webgate_lb
	File: /ccms-ec2-oracle_webgate-alb.tf:1-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		1  | resource "aws_lb" "webgate_lb" {
		2  |   count              = local.is-production ? 1 : 1
		3  |   name               = lower(format("lb-%s-%s-wgate", local.application_name, local.environment))
		4  |   internal           = true
		5  |   load_balancer_type = "application"
		6  |   security_groups    = [aws_security_group.sg_webgate_lb.id]
		7  |   subnets            = data.aws_subnets.shared-private.ids
		8  | 
		9  |   enable_deletion_protection = true
		10 | 
		11 |   access_logs {
		12 |     bucket  = module.s3-bucket-logging.bucket.id
		13 |     prefix  = local.lb_log_prefix_wgate
		14 |     enabled = true
		15 |   }
		16 | 
		17 |   tags = merge(local.tags,
		18 |     { Name = lower(format("lb-%s-%s-wgate", local.application_name, local.environment)) }
		19 |   )
		20 | }

Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
	FAILED for resource: aws_lb_target_group.webgate_tg
	File: /ccms-ec2-oracle_webgate-alb.tf:40-52
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks

		40 | resource "aws_lb_target_group" "webgate_tg" {
		41 |   count    = local.is-production ? 1 : 1
		42 |   name     = lower(format("tg-%s-%s-wgate", local.application_name, local.environment))
		43 |   port     = 5401
		44 |   protocol = "HTTP"
		45 |   vpc_id   = data.aws_vpc.shared.id
		46 |   health_check {
		47 |     port     = 5401
		48 |     protocol = "HTTP"
		49 |     matcher  = 302
		50 |     timeout  = 10
		51 |   }
		52 | }

Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.webgate_public_lb
	File: /ccms-ec2-oracle_webgate-alb.tf:62-80
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		62 | resource "aws_lb" "webgate_public_lb" {
		63 |   name               = lower(format("public-alb-webgate"))
		64 |   internal           = false
		65 |   load_balancer_type = "application"
		66 |   security_groups    = [aws_security_group.sg_webgate_lb.id]
		67 |   subnets            = data.aws_subnets.shared-public.ids
		68 | 
		69 |   enable_deletion_protection = true
		70 | 
		71 |   access_logs {
		72 |     bucket  = module.s3-bucket-logging.bucket.id
		73 |     prefix  = local.lb_log_prefix_wgate_public
		74 |     enabled = true
		75 |   }
		76 | 
		77 |   tags = merge(local.tags,
		78 |     { Name = lower(format("public-alb-webgate")) }
		79 |   )
		80 | }

Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
	FAILED for resource: aws_lb_target_group.webgate_tg_public
	File: /ccms-ec2-oracle_webgate-alb.tf:100-111
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks

		100 | resource "aws_lb_target_group" "webgate_tg_public" {
		101 |   name     = lower(format("public-alb-webgate-tg"))
		102 |   port     = 5401
		103 |   protocol = "HTTP"
		104 |   vpc_id   = data.aws_vpc.shared.id
		105 |   health_check {
		106 |     port     = 5401
		107 |     protocol = "HTTP"
		108 |     matcher  = 302
		109 |     timeout  = 10
		110 |   }
		111 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.webgate_nlb
	File: /ccms-ec2-oracle_webgate-nlb.tf:16-42
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		16 | resource "aws_lb" "webgate_nlb" {
		17 |   name               = lower(format("public-nlb-webgate"))
		18 |   internal           = false
		19 |   load_balancer_type = "network"
		20 | 
		21 |   enable_deletion_protection       = true
		22 |   enable_cross_zone_load_balancing = true
		23 | 
		24 |   subnet_mapping {
		25 |     subnet_id     = data.aws_subnets.shared-public.ids[0]
		26 |     allocation_id = aws_eip.webgate_eip[0].id
		27 |   }
		28 | 
		29 |   subnet_mapping {
		30 |     subnet_id     = data.aws_subnets.shared-public.ids[1]
		31 |     allocation_id = aws_eip.webgate_eip[1].id
		32 |   }
		33 | 
		34 |   subnet_mapping {
		35 |     subnet_id     = data.aws_subnets.shared-public.ids[2]
		36 |     allocation_id = aws_eip.webgate_eip[2].id
		37 |   }
		38 | 
		39 |   tags = merge(local.tags,
		40 |     { Name = lower(format("public-nlb-webgate")) }
		41 |   )
		42 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.ec2_webgate
	File: /ccms-ec2-oracle_webgate.tf:1-104
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_webgate
	File: /ccms-ec2-oracle_webgate.tf:1-104
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.ec2_operations_policy
	File: /ccms-iam.tf:249-273
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		249 | resource "aws_iam_policy" "ec2_operations_policy" {
		250 |   name        = "ec2_operations-${local.environment}"
		251 |   description = "Allows EC2 operations."
		252 | 
		253 |   policy = jsonencode(
		254 |     {
		255 |       "Version" : "2012-10-17",
		256 |       "Statement" : [
		257 |         {
		258 |           "Sid" : "EC2Operations",
		259 |           "Effect" : "Allow",
		260 |           "Action" : [
		261 |             "ec2:Describe*",
		262 |             "ec2:CreateSnapshot",
		263 |             "ec2:CreateSnapshots",
		264 |             "ec2:DeleteSnapshot",
		265 |             "ec2:CreateTags",
		266 |             "ec2:DeleteTags"
		267 |           ],
		268 |           "Resource" : "*"
		269 |         }
		270 |       ]
		271 |     }
		272 |   )
		273 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.ec2_operations_policy
	File: /ccms-iam.tf:249-273
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		249 | resource "aws_iam_policy" "ec2_operations_policy" {
		250 |   name        = "ec2_operations-${local.environment}"
		251 |   description = "Allows EC2 operations."
		252 | 
		253 |   policy = jsonencode(
		254 |     {
		255 |       "Version" : "2012-10-17",
		256 |       "Statement" : [
		257 |         {
		258 |           "Sid" : "EC2Operations",
		259 |           "Effect" : "Allow",
		260 |           "Action" : [
		261 |             "ec2:Describe*",
		262 |             "ec2:CreateSnapshot",
		263 |             "ec2:CreateSnapshots",
		264 |             "ec2:DeleteSnapshot",
		265 |             "ec2:CreateTags",
		266 |             "ec2:DeleteTags"
		267 |           ],
		268 |           "Resource" : "*"
		269 |         }
		270 |       ]
		271 |     }
		272 |   )
		273 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.certificate_expiration_alerts
	File: /ccms-lambda-certificate-monitor.tf:46-51
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		46 | resource "aws_sns_topic" "certificate_expiration_alerts" {
		47 |   name = "${local.application_name}-${local.environment}-acm-certificate-alerts"
		48 |   tags = merge(local.tags, {
		49 |     Name = "${local.application_name}-${local.environment}-certificate-monitor"
		50 |   })
		51 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.certificate_monitor
	File: /ccms-lambda-certificate-monitor.tf:59-75
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		59 | resource "aws_lambda_function" "certificate_monitor" {
		60 |   filename      = "certificate_monitor.zip"
		61 |   function_name = "${local.application_name}-${local.environment}-certificate-monitor"
		62 |   role          = aws_iam_role.lambda_certificate_monitor_role.arn
		63 |   handler       = "lambda_function.lambda_handler"
		64 |   runtime       = "python3.13"
		65 |   timeout       = 30
		66 | 
		67 |   environment {
		68 |     variables = {
		69 |       SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
		70 |     }
		71 |   }
		72 |   tags = merge(local.tags, {
		73 |     Name = "${local.application_name}-${local.environment}-certificate-monitor"
		74 |   })
		75 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.certificate_monitor
	File: /ccms-lambda-certificate-monitor.tf:59-75
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		59 | resource "aws_lambda_function" "certificate_monitor" {
		60 |   filename      = "certificate_monitor.zip"
		61 |   function_name = "${local.application_name}-${local.environment}-certificate-monitor"
		62 |   role          = aws_iam_role.lambda_certificate_monitor_role.arn
		63 |   handler       = "lambda_function.lambda_handler"
		64 |   runtime       = "python3.13"
		65 |   timeout       = 30
		66 | 
		67 |   environment {
		68 |     variables = {
		69 |       SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
		70 |     }
		71 |   }
		72 |   tags = merge(local.tags, {
		73 |     Name = "${local.application_name}-${local.environment}-certificate-monitor"
		74 |   })
		75 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.certificate_monitor
	File: /ccms-lambda-certificate-monitor.tf:59-75
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		59 | resource "aws_lambda_function" "certificate_monitor" {
		60 |   filename      = "certificate_monitor.zip"
		61 |   function_name = "${local.application_name}-${local.environment}-certificate-monitor"
		62 |   role          = aws_iam_role.lambda_certificate_monitor_role.arn
		63 |   handler       = "lambda_function.lambda_handler"
		64 |   runtime       = "python3.13"
		65 |   timeout       = 30
		66 | 
		67 |   environment {
		68 |     variables = {
		69 |       SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
		70 |     }
		71 |   }
		72 |   tags = merge(local.tags, {
		73 |     Name = "${local.application_name}-${local.environment}-certificate-monitor"
		74 |   })
		75 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.certificate_monitor
	File: /ccms-lambda-certificate-monitor.tf:59-75
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		59 | resource "aws_lambda_function" "certificate_monitor" {
		60 |   filename      = "certificate_monitor.zip"
		61 |   function_name = "${local.application_name}-${local.environment}-certificate-monitor"
		62 |   role          = aws_iam_role.lambda_certificate_monitor_role.arn
		63 |   handler       = "lambda_function.lambda_handler"
		64 |   runtime       = "python3.13"
		65 |   timeout       = 30
		66 | 
		67 |   environment {
		68 |     variables = {
		69 |       SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
		70 |     }
		71 |   }
		72 |   tags = merge(local.tags, {
		73 |     Name = "${local.application_name}-${local.environment}-certificate-monitor"
		74 |   })
		75 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.certificate_monitor
	File: /ccms-lambda-certificate-monitor.tf:59-75
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		59 | resource "aws_lambda_function" "certificate_monitor" {
		60 |   filename      = "certificate_monitor.zip"
		61 |   function_name = "${local.application_name}-${local.environment}-certificate-monitor"
		62 |   role          = aws_iam_role.lambda_certificate_monitor_role.arn
		63 |   handler       = "lambda_function.lambda_handler"
		64 |   runtime       = "python3.13"
		65 |   timeout       = 30
		66 | 
		67 |   environment {
		68 |     variables = {
		69 |       SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
		70 |     }
		71 |   }
		72 |   tags = merge(local.tags, {
		73 |     Name = "${local.application_name}-${local.environment}-certificate-monitor"
		74 |   })
		75 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.certificate_monitor
	File: /ccms-lambda-certificate-monitor.tf:59-75
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		59 | resource "aws_lambda_function" "certificate_monitor" {
		60 |   filename      = "certificate_monitor.zip"
		61 |   function_name = "${local.application_name}-${local.environment}-certificate-monitor"
		62 |   role          = aws_iam_role.lambda_certificate_monitor_role.arn
		63 |   handler       = "lambda_function.lambda_handler"
		64 |   runtime       = "python3.13"
		65 |   timeout       = 30
		66 | 
		67 |   environment {
		68 |     variables = {
		69 |       SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
		70 |     }
		71 |   }
		72 |   tags = merge(local.tags, {
		73 |     Name = "${local.application_name}-${local.environment}-certificate-monitor"
		74 |   })
		75 | }

Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
	FAILED for resource: aws_security_group.lambda_security_group
	File: /ccms-lambda.tf:22-44

		22 | resource "aws_security_group" "lambda_security_group" {
		23 |   name        = "${local.application_name}-${local.environment}-lambda-sg"
		24 |   description = "SG traffic control for Payment Load Lambda"
		25 |   vpc_id      = data.aws_vpc.shared.id
		26 | 
		27 |   ingress {
		28 |     from_port   = 1521
		29 |     to_port     = 1522
		30 |     protocol    = "tcp"
		31 |     cidr_blocks = [data.aws_vpc.shared.cidr_block]
		32 |   }
		33 | 
		34 |   egress {
		35 |     from_port   = 0
		36 |     to_port     = 0
		37 |     protocol    = "-1"
		38 |     cidr_blocks = ["0.0.0.0/0"]
		39 |   }
		40 | 
		41 |   tags = merge(local.tags,
		42 |     { Name = "${local.application_name}-${local.environment}-lambda-sg" }
		43 |   )
		44 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.lambda_security_group
	File: /ccms-lambda.tf:22-44
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		22 | resource "aws_security_group" "lambda_security_group" {
		23 |   name        = "${local.application_name}-${local.environment}-lambda-sg"
		24 |   description = "SG traffic control for Payment Load Lambda"
		25 |   vpc_id      = data.aws_vpc.shared.id
		26 | 
		27 |   ingress {
		28 |     from_port   = 1521
		29 |     to_port     = 1522
		30 |     protocol    = "tcp"
		31 |     cidr_blocks = [data.aws_vpc.shared.cidr_block]
		32 |   }
		33 | 
		34 |   egress {
		35 |     from_port   = 0
		36 |     to_port     = 0
		37 |     protocol    = "-1"
		38 |     cidr_blocks = ["0.0.0.0/0"]
		39 |   }
		40 | 
		41 |   tags = merge(local.tags,
		42 |     { Name = "${local.application_name}-${local.environment}-lambda-sg" }
		43 |   )
		44 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.lambda_function
	File: /ccms-lambda.tf:48-82
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		48 | resource "aws_lambda_function" "lambda_function" {
		49 |   function_name = "${local.application_name}-${local.environment}-payment-load"
		50 |   filename      = "lambda/functionV2.zip"
		51 |   handler       = "lambda_function.lambda_handler"
		52 |   runtime       = "python3.10"
		53 |   role          = aws_iam_role.lambda_execution_role.arn
		54 |   layers        = [aws_lambda_layer_version.lambda_layer.arn]
		55 |   architectures = ["x86_64"]
		56 |   memory_size   = 128
		57 |   timeout       = 120
		58 | 
		59 |   vpc_config {
		60 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		61 |     security_group_ids = [aws_security_group.lambda_security_group.id]
		62 |   }
		63 |   environment {
		64 |     variables = {
		65 |       IS_PRODUCTION   = local.is-production ? "true" : "false"
		66 |       LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
		67 |       S3_BUCKET_NAME  = aws_s3_bucket.lambda_payment_load.bucket
		68 |       SECRET_NAME     = aws_secretsmanager_secret.secret_lambda_s3.name
		69 |     }
		70 |   }
		71 |   logging_config {
		72 |     log_format            = "JSON"
		73 |     application_log_level = "INFO"
		74 |     system_log_level      = "INFO"
		75 |   }
		76 | 
		77 |   tags = merge(local.tags, {
		78 |     Name = "${local.application_name}-${local.environment}-payment-load"
		79 |   })
		80 | 
		81 |   depends_on = [aws_lambda_layer_version.lambda_layer]
		82 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.lambda_function
	File: /ccms-lambda.tf:48-82
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		48 | resource "aws_lambda_function" "lambda_function" {
		49 |   function_name = "${local.application_name}-${local.environment}-payment-load"
		50 |   filename      = "lambda/functionV2.zip"
		51 |   handler       = "lambda_function.lambda_handler"
		52 |   runtime       = "python3.10"
		53 |   role          = aws_iam_role.lambda_execution_role.arn
		54 |   layers        = [aws_lambda_layer_version.lambda_layer.arn]
		55 |   architectures = ["x86_64"]
		56 |   memory_size   = 128
		57 |   timeout       = 120
		58 | 
		59 |   vpc_config {
		60 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		61 |     security_group_ids = [aws_security_group.lambda_security_group.id]
		62 |   }
		63 |   environment {
		64 |     variables = {
		65 |       IS_PRODUCTION   = local.is-production ? "true" : "false"
		66 |       LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
		67 |       S3_BUCKET_NAME  = aws_s3_bucket.lambda_payment_load.bucket
		68 |       SECRET_NAME     = aws_secretsmanager_secret.secret_lambda_s3.name
		69 |     }
		70 |   }
		71 |   logging_config {
		72 |     log_format            = "JSON"
		73 |     application_log_level = "INFO"
		74 |     system_log_level      = "INFO"
		75 |   }
		76 | 
		77 |   tags = merge(local.tags, {
		78 |     Name = "${local.application_name}-${local.environment}-payment-load"
		79 |   })
		80 | 
		81 |   depends_on = [aws_lambda_layer_version.lambda_layer]
		82 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.lambda_function
	File: /ccms-lambda.tf:48-82
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		48 | resource "aws_lambda_function" "lambda_function" {
		49 |   function_name = "${local.application_name}-${local.environment}-payment-load"
		50 |   filename      = "lambda/functionV2.zip"
		51 |   handler       = "lambda_function.lambda_handler"
		52 |   runtime       = "python3.10"
		53 |   role          = aws_iam_role.lambda_execution_role.arn
		54 |   layers        = [aws_lambda_layer_version.lambda_layer.arn]
		55 |   architectures = ["x86_64"]
		56 |   memory_size   = 128
		57 |   timeout       = 120
		58 | 
		59 |   vpc_config {
		60 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		61 |     security_group_ids = [aws_security_group.lambda_security_group.id]
		62 |   }
		63 |   environment {
		64 |     variables = {
		65 |       IS_PRODUCTION   = local.is-production ? "true" : "false"
		66 |       LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
		67 |       S3_BUCKET_NAME  = aws_s3_bucket.lambda_payment_load.bucket
		68 |       SECRET_NAME     = aws_secretsmanager_secret.secret_lambda_s3.name
		69 |     }
		70 |   }
		71 |   logging_config {
		72 |     log_format            = "JSON"
		73 |     application_log_level = "INFO"
		74 |     system_log_level      = "INFO"
		75 |   }
		76 | 
		77 |   tags = merge(local.tags, {
		78 |     Name = "${local.application_name}-${local.environment}-payment-load"
		79 |   })
		80 | 
		81 |   depends_on = [aws_lambda_layer_version.lambda_layer]
		82 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.lambda_function
	File: /ccms-lambda.tf:48-82
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		48 | resource "aws_lambda_function" "lambda_function" {
		49 |   function_name = "${local.application_name}-${local.environment}-payment-load"
		50 |   filename      = "lambda/functionV2.zip"
		51 |   handler       = "lambda_function.lambda_handler"
		52 |   runtime       = "python3.10"
		53 |   role          = aws_iam_role.lambda_execution_role.arn
		54 |   layers        = [aws_lambda_layer_version.lambda_layer.arn]
		55 |   architectures = ["x86_64"]
		56 |   memory_size   = 128
		57 |   timeout       = 120
		58 | 
		59 |   vpc_config {
		60 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		61 |     security_group_ids = [aws_security_group.lambda_security_group.id]
		62 |   }
		63 |   environment {
		64 |     variables = {
		65 |       IS_PRODUCTION   = local.is-production ? "true" : "false"
		66 |       LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
		67 |       S3_BUCKET_NAME  = aws_s3_bucket.lambda_payment_load.bucket
		68 |       SECRET_NAME     = aws_secretsmanager_secret.secret_lambda_s3.name
		69 |     }
		70 |   }
		71 |   logging_config {
		72 |     log_format            = "JSON"
		73 |     application_log_level = "INFO"
		74 |     system_log_level      = "INFO"
		75 |   }
		76 | 
		77 |   tags = merge(local.tags, {
		78 |     Name = "${local.application_name}-${local.environment}-payment-load"
		79 |   })
		80 | 
		81 |   depends_on = [aws_lambda_layer_version.lambda_layer]
		82 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.lambda_function
	File: /ccms-lambda.tf:48-82
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		48 | resource "aws_lambda_function" "lambda_function" {
		49 |   function_name = "${local.application_name}-${local.environment}-payment-load"
		50 |   filename      = "lambda/functionV2.zip"
		51 |   handler       = "lambda_function.lambda_handler"
		52 |   runtime       = "python3.10"
		53 |   role          = aws_iam_role.lambda_execution_role.arn
		54 |   layers        = [aws_lambda_layer_version.lambda_layer.arn]
		55 |   architectures = ["x86_64"]
		56 |   memory_size   = 128
		57 |   timeout       = 120
		58 | 
		59 |   vpc_config {
		60 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		61 |     security_group_ids = [aws_security_group.lambda_security_group.id]
		62 |   }
		63 |   environment {
		64 |     variables = {
		65 |       IS_PRODUCTION   = local.is-production ? "true" : "false"
		66 |       LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
		67 |       S3_BUCKET_NAME  = aws_s3_bucket.lambda_payment_load.bucket
		68 |       SECRET_NAME     = aws_secretsmanager_secret.secret_lambda_s3.name
		69 |     }
		70 |   }
		71 |   logging_config {
		72 |     log_format            = "JSON"
		73 |     application_log_level = "INFO"
		74 |     system_log_level      = "INFO"
		75 |   }
		76 | 
		77 |   tags = merge(local.tags, {
		78 |     Name = "${local.application_name}-${local.environment}-payment-load"
		79 |   })
		80 | 
		81 |   depends_on = [aws_lambda_layer_version.lambda_layer]
		82 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3-bucket
	File: /ccms-s3.tf:2-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3-bucket-logging
	File: /ccms-s3.tf:98-166
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3-bucket-dbbackup
	File: /ccms-s3.tf:190-258
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.secret_ftp_s3
	File: /ccms-secrets.tf:3-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		3  | resource "aws_secretsmanager_secret" "secret_ftp_s3" {
		4  |   name        = "ftp-s3-${local.environment}-aws-key"
		5  |   description = "AWS credentials for mounting of s3 buckets for the FTP Service to access"
		6  | 
		7  |   tags = merge(local.tags,
		8  |     { Name = "ftp-s3-${local.environment}-aws-key" }
		9  |   )
		10 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.secret_ses_smtp_credentials
	File: /ccms-secrets.tf:12-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		12 | resource "aws_secretsmanager_secret" "secret_ses_smtp_credentials" {
		13 |   name        = "ses-smtp-credentials"
		14 |   description = "SMTP credentials for Postfix to send messages through SES."
		15 | 
		16 |   tags = merge(local.tags,
		17 |     { Name = "ses-smtp-credentials-${local.environment}" }
		18 |   )
		19 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.secret_lambda_s3
	File: /ccms-secrets.tf:23-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		23 | resource "aws_secretsmanager_secret" "secret_lambda_s3" {
		24 |   name        = "db-${local.environment}-credentials"
		25 |   description = "AWS credentials for lambda to connect to the db"
		26 | 
		27 |   tags = merge(local.tags,
		28 |     { Name = "db-${local.environment}-credentials" }
		29 |   )
		30 | }
Check: CKV_AWS_365: "Ensure SES Configuration Set enforces TLS usage"
	FAILED for resource: aws_ses_configuration_set.default_configuration_set
	File: /ccms-ses.tf:35-43
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-365

		35 | resource "aws_ses_configuration_set" "default_configuration_set" {
		36 |   name = "default-configuration-set"
		37 | 
		38 |   delivery_options {
		39 |     tls_policy = "Optional"
		40 |   }
		41 |   reputation_metrics_enabled = true
		42 |   sending_enabled            = true
		43 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.support_email_account
	File: /ccms-sns.tf:2-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		2 | resource "aws_secretsmanager_secret" "support_email_account" {
		3 |   name        = "support_email_account"
		4 |   description = "email address of the support account for cw alerts"
		5 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.cw_alerts
	File: /ccms-sns.tf:17-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		17 | resource "aws_sns_topic" "cw_alerts" {
		18 |   name = "ccms-ebs-ec2-alerts"
		19 |   #kms_master_key_id = "alias/aws/sns"
		20 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.s3_topic
	File: /ccms-sns.tf:34-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		34 | resource "aws_sns_topic" "s3_topic" {
		35 |   name   = "s3-event-notification-topic"
		36 |   policy = data.aws_iam_policy_document.s3_topic_policy.json
		37 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.ddos_alarm
	File: /ccms-sns.tf:51-54
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		51 | resource "aws_sns_topic" "ddos_alarm" {
		52 |   name = format("%s_ddos_alarm", local.application_name)
		53 |   #kms_master_key_id = "alias/aws/sns"
		54 | }

Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
	FAILED for resource: aws_wafv2_web_acl.ebs_web_acl
	File: /ccms-waf.tf:172-211
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-waf-prevents-message-lookup-in-log4j2

		172 | resource "aws_wafv2_web_acl" "ebs_web_acl" {
		173 |   name        = "ebs_waf"
		174 |   scope       = "REGIONAL"
		175 |   description = "AWS WAF Web ACL for EBS"
		176 | 
		177 |   default_action {
		178 |     block {}
		179 |   }
		180 | 
		181 |   rule {
		182 |     name = "ebs-trusted-rule"
		183 | 
		184 |     priority = 1
		185 |     action {
		186 |       allow {}
		187 |     }
		188 | 
		189 |     statement {
		190 |       ip_set_reference_statement {
		191 |         arn = aws_wafv2_ip_set.ebs_waf_ip_set.arn
		192 |       }
		193 |     }
		194 | 
		195 |     visibility_config {
		196 |       cloudwatch_metrics_enabled = true
		197 |       metric_name                = "ebs_waf_metrics"
		198 |       sampled_requests_enabled   = true
		199 |     }
		200 |   }
		201 | 
		202 |   tags = merge(local.tags,
		203 |     { Name = lower(format("lb-%s-%s-ebsapp-web-acl", local.application_name, local.environment)) }
		204 |   )
		205 | 
		206 |   visibility_config {
		207 |     cloudwatch_metrics_enabled = true
		208 |     metric_name                = "ebs_waf_metrics"
		209 |     sampled_requests_enabled   = true
		210 |   }
		211 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.ebs_waf_logs
	File: /ccms-waf.tf:213-220
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		213 | resource "aws_cloudwatch_log_group" "ebs_waf_logs" {
		214 |   name              = "aws-waf-logs-ebs/ebs-waf-logs"
		215 |   retention_in_days = 30
		216 | 
		217 |   tags = merge(local.tags,
		218 |     { Name = lower(format("lb-%s-%s-ebs-waf-logs", local.application_name, local.environment)) }
		219 |   )
		220 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.ebs_waf_logs
	File: /ccms-waf.tf:213-220
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		213 | resource "aws_cloudwatch_log_group" "ebs_waf_logs" {
		214 |   name              = "aws-waf-logs-ebs/ebs-waf-logs"
		215 |   retention_in_days = 30
		216 | 
		217 |   tags = merge(local.tags,
		218 |     { Name = lower(format("lb-%s-%s-ebs-waf-logs", local.application_name, local.environment)) }
		219 |   )
		220 | }

Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: aws_ssm_parameter.cw_agent_config
	File: /ccms-cloudwatch.tf:28-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted

		28 | resource "aws_ssm_parameter" "cw_agent_config" {
		29 |   description = "cloud watch agent config"
		30 |   name        = "cloud-watch-config"
		31 |   type        = "String"
		32 |   value       = file("./templates/cw_agent_config.json")
		33 | 
		34 |   tags = merge(local.tags,
		35 |     { Name = "cw-config" }
		36 |   )
		37 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.lambda_payment_load
	File: /ccms-s3.tf:293-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		293 | resource "aws_s3_bucket" "lambda_payment_load" {
		294 |   bucket = "${local.application_name}-${local.environment}-payment-load"
		295 | }
Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.lambda_payment_load
	File: /ccms-s3.tf:293-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		293 | resource "aws_s3_bucket" "lambda_payment_load" {
		294 |   bucket = "${local.application_name}-${local.environment}-payment-load"
		295 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.lambda_payment_load
	File: /ccms-s3.tf:293-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		293 | resource "aws_s3_bucket" "lambda_payment_load" {
		294 |   bucket = "${local.application_name}-${local.environment}-payment-load"
		295 | }
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.secret_ftp_s3
	File: /ccms-secrets.tf:3-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		3  | resource "aws_secretsmanager_secret" "secret_ftp_s3" {
		4  |   name        = "ftp-s3-${local.environment}-aws-key"
		5  |   description = "AWS credentials for mounting of s3 buckets for the FTP Service to access"
		6  | 
		7  |   tags = merge(local.tags,
		8  |     { Name = "ftp-s3-${local.environment}-aws-key" }
		9  |   )
		10 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.secret_ses_smtp_credentials
	File: /ccms-secrets.tf:12-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		12 | resource "aws_secretsmanager_secret" "secret_ses_smtp_credentials" {
		13 |   name        = "ses-smtp-credentials"
		14 |   description = "SMTP credentials for Postfix to send messages through SES."
		15 | 
		16 |   tags = merge(local.tags,
		17 |     { Name = "ses-smtp-credentials-${local.environment}" }
		18 |   )
		19 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.secret_lambda_s3
	File: /ccms-secrets.tf:23-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		23 | resource "aws_secretsmanager_secret" "secret_lambda_s3" {
		24 |   name        = "db-${local.environment}-credentials"
		25 |   description = "AWS credentials for lambda to connect to the db"
		26 | 
		27 |   tags = merge(local.tags,
		28 |     { Name = "db-${local.environment}-credentials" }
		29 |   )
		30 | }
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.support_email_account
	File: /ccms-sns.tf:2-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		2 | resource "aws_secretsmanager_secret" "support_email_account" {
		3 |   name        = "support_email_account"
		4 |   description = "email address of the support account for cw alerts"
		5 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.lambda_payment_load
	File: /ccms-s3.tf:293-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		293 | resource "aws_s3_bucket" "lambda_payment_load" {
		294 |   bucket = "${local.application_name}-${local.environment}-payment-load"
		295 | }
Check: CKV2_AWS_64: "Ensure KMS key Policy is defined"
	FAILED for resource: aws_kms_key.oracle_ec2
	File: /ccms-kms.tf:1-7
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-2-64

		1 | resource "aws_kms_key" "oracle_ec2" {
		2 |   enable_key_rotation = true
		3 | 
		4 |   tags = merge(local.tags,
		5 |     { Name = "oracle_ec2" }
		6 |   )
		7 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.lambda_payment_load
	File: /ccms-s3.tf:293-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		293 | resource "aws_s3_bucket" "lambda_payment_load" {
		294 |   bucket = "${local.application_name}-${local.environment}-payment-load"
		295 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.lambda_payment_load
	File: /ccms-s3.tf:293-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		293 | resource "aws_s3_bucket" "lambda_payment_load" {
		294 |   bucket = "${local.application_name}-${local.environment}-payment-load"
		295 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.lambda_payment_load
	File: /ccms-s3.tf:293-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		293 | resource "aws_s3_bucket" "lambda_payment_load" {
		294 |   bucket = "${local.application_name}-${local.environment}-payment-load"
		295 | }
Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances"
	FAILED for resource: aws_eip.ebs_eip
	File: /ccms-ec2-oracle_ebs_apps-nlb.tf:2-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances

		2  | resource "aws_eip" "ebs_eip" {
		3  |   count = local.is-production ? 6 : 3
		4  |   vpc   = true
		5  | 
		6  |   lifecycle {
		7  |     prevent_destroy = true
		8  |   }
		9  | 
		10 |   tags = merge(local.tags,
		11 |     { Name = lower(format("lb-%s-%s-eip-${count.index + 1}", local.application_name, local.environment)) }
		12 |   )
		13 | }

Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances"
	FAILED for resource: aws_eip.webgate_eip
	File: /ccms-ec2-oracle_webgate-nlb.tf:2-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances

		2  | resource "aws_eip" "webgate_eip" {
		3  |   count = local.is-production ? 6 : 3
		4  |   vpc   = true
		5  | 
		6  |   lifecycle {
		7  |     prevent_destroy = true
		8  |   }
		9  | 
		10 |   tags = merge(local.tags,
		11 |     { Name = lower(format("lb-%s-%s-webgate-eip-${count.index + 1}", local.application_name, local.environment)) }
		12 |   )
		13 | }


checkov_exitcode=1

CTFLint Scan Failed

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/ccms-ebs

*****************************

Running tflint in terraform/environments/ccms-ebs
Excluding the following checks: terraform_unused_declarations
5 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/ccms-ebs/ccms-ec2-ftp.tf line 23:
  23:     environment               = "${local.environment}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/ccms-ebs/ccms-ec2-ftp.tf line 24:
  24:     lz_aws_account_id_env     = "${local.application_data.accounts[local.environment].lz_aws_account_id_env}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/ccms-ebs/ccms-ec2-ftp.tf line 25:
  25:     lz_ftp_bucket_environment = "${local.application_data.accounts[local.environment].lz_ftp_bucket_environment}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/ccms-ebs/ccms-ec2-mailrelay.tf line 28:
  28:     smtp_fqdn = "${local.application_data.accounts[local.environment].ses_domain_identity}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/ccms-ebs/ccms-ec2-oracle_ebs_db.tf line 31:
  31:     environment = "${local.environment}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/ccms-ebs

*****************************

Running Trivy in terraform/environments/ccms-ebs
2024-12-12T15:50:37Z	INFO	[vulndb] Need to update DB
2024-12-12T15:50:37Z	INFO	[vulndb] Downloading vulnerability DB...
2024-12-12T15:50:37Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-12T15:50:39Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-12T15:50:39Z	INFO	[vuln] Vulnerability scanning is enabled
2024-12-12T15:50:39Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-12-12T15:50:39Z	INFO	[misconfig] Need to update the built-in checks
2024-12-12T15:50:39Z	INFO	[misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2024-12-12T15:50:39Z	INFO	[secret] Secret scanning is enabled
2024-12-12T15:50:39Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-12T15:50:39Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-12T15:50:41Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-12-12T15:50:41Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-12-12T15:50:41Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_log_group.groups" value="cty.NilVal"
2024-12-12T15:50:41Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_security_group_rule.all_internal_egress_traffic" value="cty.NilVal"
2024-12-12T15:50:41Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_security_group_rule.all_internal_ingress_traffic" value="cty.NilVal"
2024-12-12T15:50:42Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T15:50:42Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T15:50:42Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.s3-bucket-dbbackup.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T15:50:42Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.s3-bucket-dbbackup.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T15:50:42Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.s3-bucket-logging.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T15:50:42Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.s3-bucket-logging.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T15:50:42Z	INFO	[terraform scanner] Scanning root module	file_path="modules"
2024-12-12T15:50:42Z	INFO	[terraform scanner] Scanning root module	file_path="modules/cw-logs"
2024-12-12T15:50:45Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-user-attached-policies" range="ccms-iam.tf:283-289"
2024-12-12T15:50:45Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-12-12T15:50:45Z	INFO	Number of language-specific files	num=0
2024-12-12T15:50:45Z	INFO	Detected config files	num=28

ccms-ec2-oracle_accessgate.tf (terraform)
=========================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 ccms-ec2-oracle_accessgate.tf:1-104
────────────────────────────────────────
   1resource "aws_instance" "ec2_accessgate" {
   2count                  = local.application_data.accounts[local.environment].accessgate_no_instances
   3instance_type          = local.application_data.accounts[local.environment].ec2_oracle_instance_type_accessgate
   4ami                    = local.application_data.accounts[local.environment]["accessgate_ami_id-${count.index + 1}"]
   5key_name               = local.application_data.accounts[local.environment].key_name
   6vpc_security_group_ids = [aws_security_group.ec2_sg_accessgate.id]
   7subnet_id              = local.private_subnets[count.index]
   8#subnet_id                   = data.aws_subnet.data_subnets_a.id
   9monitoring                  = true
  ..   
────────────────────────────────────────



ccms-ec2-oracle_ebs_apps-alb.tf (terraform)
===========================================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.


See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 ccms-ec2-oracle_ebs_apps-alb.tf:1-19
────────────────────────────────────────
   1resource "aws_lb" "ebsapps_lb" {
   2name               = lower(format("lb-%s-%s-ebsapp", local.application_name, local.environment))
   3internal           = false
   4load_balancer_type = "application"
   5security_groups    = [aws_security_group.sg_ebsapps_lb.id]
   6subnets            = data.aws_subnets.shared-public.ids
   78enable_deletion_protection = true
   9..   
────────────────────────────────────────


AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 ccms-ec2-oracle_ebs_apps-alb.tf:3
   via ccms-ec2-oracle_ebs_apps-alb.tf:1-19 (aws_lb.ebsapps_lb)
────────────────────────────────────────
   1   resource "aws_lb" "ebsapps_lb" {
   .   
   3 [   internal           = false
  ..   
  19   }
────────────────────────────────────────



ccms-ec2-oracle_ebs_apps-nlb.tf (terraform)
===========================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 ccms-ec2-oracle_ebs_apps-nlb.tf:18
   via ccms-ec2-oracle_ebs_apps-nlb.tf:16-42 (aws_lb.ebsapps_nlb)
────────────────────────────────────────
  16   resource "aws_lb" "ebsapps_nlb" {
  ..   
  18 [   internal           = false
  ..   
  42   }
────────────────────────────────────────



ccms-ec2-oracle_ebs_apps.tf (terraform)
=======================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 ccms-ec2-oracle_ebs_apps.tf:1-127
────────────────────────────────────────
   1resource "aws_instance" "ec2_ebsapps" {
   2 │   count                  = local.application_data.accounts[local.environment].ebsapps_no_instances
   3 │   instance_type          = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsapps
   4 │   ami                    = local.application_data.accounts[local.environment]["ebsapps_ami_id-${count.index + 1}"]
   5 │   key_name               = local.application_data.accounts[local.environment].key_name
   6 │   vpc_security_group_ids = [aws_security_group.ec2_sg_ebsapps.id]
   7 │   subnet_id              = local.private_subnets[count.index]
   8#subnet_id                   = data.aws_subnet.data_subnets_a.id
   9 └   monitoring                  = true
  ..   
────────────────────────────────────────



ccms-ec2-oracle_ebs_db.tf (terraform)
=====================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 ccms-ec2-oracle_ebs_db.tf:1-68
────────────────────────────────────────
   1 ┌ resource "aws_instance" "ec2_oracle_ebs" {
   2 │   instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsdb
   3#ami                         = data.aws_ami.oracle_db.id
   4 │   ami                         = local.application_data.accounts[local.environment].ebsdb_ami_id
   5 │   key_name                    = local.application_data.accounts[local.environment].key_name
   6 │   vpc_security_group_ids      = [aws_security_group.ec2_sg_ebsdb.id]
   7 │   subnet_id                   = data.aws_subnet.data_subnets_a.id
   8 │   monitoring                  = true
   9 └   ebs_optimized               = false
  ..   
────────────────────────────────────────



ccms-ec2-oracle_webgate-alb.tf (terraform)
==========================================
Tests: 3 (SUCCESSES: 0, FAILURES: 3)
Failures: 3 (HIGH: 3, CRITICAL: 0)

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.


See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 ccms-ec2-oracle_webgate-alb.tf:1-20
────────────────────────────────────────
   1 ┌ resource "aws_lb" "webgate_lb" {
   2 │   count              = local.is-production ? 1 : 1
   3 │   name               = lower(format("lb-%s-%s-wgate", local.application_name, local.environment))
   4 │   internal           = true
   5 │   load_balancer_type = "application"
   6 │   security_groups    = [aws_security_group.sg_webgate_lb.id]
   7 │   subnets            = data.aws_subnets.shared-private.ids
   89 └   enable_deletion_protection = true
  ..   
────────────────────────────────────────


AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.


See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 ccms-ec2-oracle_webgate-alb.tf:62-80
────────────────────────────────────────
  62 ┌ resource "aws_lb" "webgate_public_lb" {
  63 │   name               = lower(format("public-alb-webgate"))
  64 │   internal           = false
  65 │   load_balancer_type = "application"
  66 │   security_groups    = [aws_security_group.sg_webgate_lb.id]
  67 │   subnets            = data.aws_subnets.shared-public.ids
  6869 │   enable_deletion_protection = true
  70 └ 
  ..   
────────────────────────────────────────


AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 ccms-ec2-oracle_webgate-alb.tf:64
   via ccms-ec2-oracle_webgate-alb.tf:62-80 (aws_lb.webgate_public_lb)
────────────────────────────────────────
  62   resource "aws_lb" "webgate_public_lb" {
  ..   
  64 [   internal           = false
  ..   
  80   }
────────────────────────────────────────



ccms-ec2-oracle_webgate-nlb.tf (terraform)
==========================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 ccms-ec2-oracle_webgate-nlb.tf:18
   via ccms-ec2-oracle_webgate-nlb.tf:16-42 (aws_lb.webgate_nlb)
────────────────────────────────────────
  16   resource "aws_lb" "webgate_nlb" {
  ..   
  18 [   internal           = false
  ..   
  42   }
────────────────────────────────────────



ccms-ec2-oracle_webgate.tf (terraform)
======================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 ccms-ec2-oracle_webgate.tf:1-104
────────────────────────────────────────
   1 ┌ resource "aws_instance" "ec2_webgate" {
   2 │   count                  = local.application_data.accounts[local.environment].webgate_no_instances
   3 │   instance_type          = local.application_data.accounts[local.environment].ec2_oracle_instance_type_webgate
   4 │   ami                    = local.application_data.accounts[local.environment]["webgate_ami_id-${count.index + 1}"]
   5 │   key_name               = local.application_data.accounts[local.environment].key_name
   6 │   vpc_security_group_ids = [aws_security_group.ec2_sg_webgate.id]
   7 │   subnet_id              = local.private_subnets[count.index]
   8#subnet_id                   = data.aws_subnet.data_subnets_a.id
   9 └   monitoring                  = true
  ..   
────────────────────────────────────────



ccms-s3.tf (terraform)
======================
Tests: 8 (SUCCESSES: 0, FAILURES: 8)
Failures: 8 (HIGH: 8, CRITICAL: 0)

AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 ccms-s3.tf:286-288
────────────────────────────────────────
 286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
 287 │   bucket = "${local.application_name}-${local.environment}-shared"
 288 └ }
────────────────────────────────────────


AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 ccms-s3.tf:293-295
────────────────────────────────────────
 293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
 294 │   bucket = "${local.application_name}-${local.environment}-payment-load"
 295 └ }
────────────────────────────────────────


AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 ccms-s3.tf:286-288
────────────────────────────────────────
 286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
 287 │   bucket = "${local.application_name}-${local.environment}-shared"
 288 └ }
────────────────────────────────────────


AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 ccms-s3.tf:293-295
────────────────────────────────────────
 293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
 294 │   bucket = "${local.application_name}-${local.environment}-payment-load"
 295 └ }
────────────────────────────────────────


AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 ccms-s3.tf:286-288
────────────────────────────────────────
 286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
 287 │   bucket = "${local.application_name}-${local.environment}-shared"
 288 └ }
────────────────────────────────────────


AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 ccms-s3.tf:293-295
────────────────────────────────────────
 293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
 294 │   bucket = "${local.application_name}-${local.environment}-payment-load"
 295 └ }
────────────────────────────────────────


AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.


See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 ccms-s3.tf:286-288
────────────────────────────────────────
 286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
 287 │   bucket = "${local.application_name}-${local.environment}-shared"
 288 └ }
────────────────────────────────────────


AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.


See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 ccms-s3.tf:293-295
────────────────────────────────────────
 293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
 294 │   bucket = "${local.application_name}-${local.environment}-payment-load"
 295 └ }
────────────────────────────────────────


trivy_exitcode=1

@mmgovuk mmgovuk temporarily deployed to ccms-ebs-development December 12, 2024 15:59 — with GitHub Actions Inactive
@github-actions GitHub Actions
Copy link
Contributor

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/ccms-ebs

Running Trivy in terraform/environments/ccms-ebs
2024-12-12T16:00:06Z INFO [vulndb] Need to update DB
2024-12-12T16:00:06Z INFO [vulndb] Downloading vulnerability DB...
2024-12-12T16:00:06Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-12T16:00:09Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-12T16:00:09Z INFO [vuln] Vulnerability scanning is enabled
2024-12-12T16:00:09Z INFO [misconfig] Misconfiguration scanning is enabled
2024-12-12T16:00:09Z INFO [misconfig] Need to update the built-in checks
2024-12-12T16:00:09Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2024-12-12T16:00:15Z INFO [secret] Secret scanning is enabled
2024-12-12T16:00:15Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-12T16:00:15Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-12T16:00:17Z INFO [terraform scanner] Scanning root module file_path="."
2024-12-12T16:00:17Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-12-12T16:00:17Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_log_group.groups" value="cty.NilVal"
2024-12-12T16:00:17Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_security_group_rule.all_internal_egress_traffic" value="cty.NilVal"
2024-12-12T16:00:17Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_security_group_rule.all_internal_ingress_traffic" value="cty.NilVal"
2024-12-12T16:00:18Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T16:00:18Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T16:00:18Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket-dbbackup.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T16:00:18Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket-dbbackup.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T16:00:18Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket-logging.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T16:00:18Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket-logging.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T16:00:18Z INFO [terraform scanner] Scanning root module file_path="modules"
2024-12-12T16:00:18Z INFO [terraform scanner] Scanning root module file_path="modules/cw-logs"
2024-12-12T16:00:21Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-12-12T16:00:21Z INFO [terraform executor] Ignore finding rule="aws-iam-no-user-attached-policies" range="ccms-iam.tf:283-289"
2024-12-12T16:00:22Z INFO Number of language-specific files num=0
2024-12-12T16:00:22Z INFO Detected config files num=28

ccms-ec2-oracle_accessgate.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ccms-ec2-oracle_accessgate.tf:1-104
────────────────────────────────────────
1 ┌ resource "aws_instance" "ec2_accessgate" {
2 │ count = local.application_data.accounts[local.environment].accessgate_no_instances
3 │ instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_accessgate
4 │ ami = local.application_data.accounts[local.environment]["accessgate_ami_id-${count.index + 1}"]
5 │ key_name = local.application_data.accounts[local.environment].key_name
6 │ vpc_security_group_ids = [aws_security_group.ec2_sg_accessgate.id]
7 │ subnet_id = local.private_subnets[count.index]
8 │ #subnet_id = data.aws_subnet.data_subnets_a.id
9 └ monitoring = true
..
────────────────────────────────────────

ccms-ec2-oracle_ebs_apps-alb.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-alb.tf:1-19
────────────────────────────────────────
1 ┌ resource "aws_lb" "ebsapps_lb" {
2 │ name = lower(format("lb-%s-%s-ebsapp", local.application_name, local.environment))
3 │ internal = false
4 │ load_balancer_type = "application"
5 │ security_groups = [aws_security_group.sg_ebsapps_lb.id]
6 │ subnets = data.aws_subnets.shared-public.ids
7 │
8 │ enable_deletion_protection = true
9 └
..
────────────────────────────────────────

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-alb.tf:3
via ccms-ec2-oracle_ebs_apps-alb.tf:1-19 (aws_lb.ebsapps_lb)
────────────────────────────────────────
1 resource "aws_lb" "ebsapps_lb" {
.
3 [ internal = false
..
19 }
────────────────────────────────────────

ccms-ec2-oracle_ebs_apps-nlb.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-nlb.tf:18
via ccms-ec2-oracle_ebs_apps-nlb.tf:16-42 (aws_lb.ebsapps_nlb)
────────────────────────────────────────
16 resource "aws_lb" "ebsapps_nlb" {
..
18 [ internal = false
..
42 }
────────────────────────────────────────

ccms-ec2-oracle_ebs_apps.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps.tf:1-127
────────────────────────────────────────
1 ┌ resource "aws_instance" "ec2_ebsapps" {
2 │ count = local.application_data.accounts[local.environment].ebsapps_no_instances
3 │ instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsapps
4 │ ami = local.application_data.accounts[local.environment]["ebsapps_ami_id-${count.index + 1}"]
5 │ key_name = local.application_data.accounts[local.environment].key_name
6 │ vpc_security_group_ids = [aws_security_group.ec2_sg_ebsapps.id]
7 │ subnet_id = local.private_subnets[count.index]
8 │ #subnet_id = data.aws_subnet.data_subnets_a.id
9 └ monitoring = true
..
────────────────────────────────────────

ccms-ec2-oracle_ebs_db.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
ccms-ec2-oracle_ebs_db.tf:1-68
────────────────────────────────────────
1 ┌ resource "aws_instance" "ec2_oracle_ebs" {
2 │ instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsdb
3 │ #ami = data.aws_ami.oracle_db.id
4 │ ami = local.application_data.accounts[local.environment].ebsdb_ami_id
5 │ key_name = local.application_data.accounts[local.environment].key_name
6 │ vpc_security_group_ids = [aws_security_group.ec2_sg_ebsdb.id]
7 │ subnet_id = data.aws_subnet.data_subnets_a.id
8 │ monitoring = true
9 └ ebs_optimized = false
..
────────────────────────────────────────

ccms-ec2-oracle_webgate-alb.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 3)
Failures: 3 (HIGH: 3, CRITICAL: 0)

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
ccms-ec2-oracle_webgate-alb.tf:1-20
────────────────────────────────────────
1 ┌ resource "aws_lb" "webgate_lb" {
2 │ count = local.is-production ? 1 : 1
3 │ name = lower(format("lb-%s-%s-wgate", local.application_name, local.environment))
4 │ internal = true
5 │ load_balancer_type = "application"
6 │ security_groups = [aws_security_group.sg_webgate_lb.id]
7 │ subnets = data.aws_subnets.shared-private.ids
8 │
9 └ enable_deletion_protection = true
..
────────────────────────────────────────

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
ccms-ec2-oracle_webgate-alb.tf:62-80
────────────────────────────────────────
62 ┌ resource "aws_lb" "webgate_public_lb" {
63 │ name = lower(format("public-alb-webgate"))
64 │ internal = false
65 │ load_balancer_type = "application"
66 │ security_groups = [aws_security_group.sg_webgate_lb.id]
67 │ subnets = data.aws_subnets.shared-public.ids
68 │
69 │ enable_deletion_protection = true
70 └
..
────────────────────────────────────────

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ccms-ec2-oracle_webgate-alb.tf:64
via ccms-ec2-oracle_webgate-alb.tf:62-80 (aws_lb.webgate_public_lb)
────────────────────────────────────────
62 resource "aws_lb" "webgate_public_lb" {
..
64 [ internal = false
..
80 }
────────────────────────────────────────

ccms-ec2-oracle_webgate-nlb.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ccms-ec2-oracle_webgate-nlb.tf:18
via ccms-ec2-oracle_webgate-nlb.tf:16-42 (aws_lb.webgate_nlb)
────────────────────────────────────────
16 resource "aws_lb" "webgate_nlb" {
..
18 [ internal = false
..
42 }
────────────────────────────────────────

ccms-ec2-oracle_webgate.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ccms-ec2-oracle_webgate.tf:1-104
────────────────────────────────────────
1 ┌ resource "aws_instance" "ec2_webgate" {
2 │ count = local.application_data.accounts[local.environment].webgate_no_instances
3 │ instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_webgate
4 │ ami = local.application_data.accounts[local.environment]["webgate_ami_id-${count.index + 1}"]
5 │ key_name = local.application_data.accounts[local.environment].key_name
6 │ vpc_security_group_ids = [aws_security_group.ec2_sg_webgate.id]
7 │ subnet_id = local.private_subnets[count.index]
8 │ #subnet_id = data.aws_subnet.data_subnets_a.id
9 └ monitoring = true
..
────────────────────────────────────────

ccms-s3.tf (terraform)

Tests: 8 (SUCCESSES: 0, FAILURES: 8)
Failures: 8 (HIGH: 8, CRITICAL: 0)

AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.

See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
ccms-s3.tf:286-288
────────────────────────────────────────
286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
287 │ bucket = "${local.application_name}-${local.environment}-shared"
288 └ }
────────────────────────────────────────

AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.

See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
ccms-s3.tf:293-295
────────────────────────────────────────
293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
294 │ bucket = "${local.application_name}-${local.environment}-payment-load"
295 └ }
────────────────────────────────────────

AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
ccms-s3.tf:286-288
────────────────────────────────────────
286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
287 │ bucket = "${local.application_name}-${local.environment}-shared"
288 └ }
────────────────────────────────────────

AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
ccms-s3.tf:293-295
────────────────────────────────────────
293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
294 │ bucket = "${local.application_name}-${local.environment}-payment-load"
295 └ }
────────────────────────────────────────

AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
ccms-s3.tf:286-288
────────────────────────────────────────
286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
287 │ bucket = "${local.application_name}-${local.environment}-shared"
288 └ }
────────────────────────────────────────

AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
ccms-s3.tf:293-295
────────────────────────────────────────
293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
294 │ bucket = "${local.application_name}-${local.environment}-payment-load"
295 └ }
────────────────────────────────────────

AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
ccms-s3.tf:286-288
────────────────────────────────────────
286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
287 │ bucket = "${local.application_name}-${local.environment}-shared"
288 └ }
────────────────────────────────────────

AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
ccms-s3.tf:293-295
────────────────────────────────────────
293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
294 │ bucket = "${local.application_name}-${local.environment}-payment-load"
295 └ }
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/ccms-ebs

*****************************

Running Checkov in terraform/environments/ccms-ebs
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-12-12 16:00:24,820 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 955, Failed checks: 74, Skipped checks: 3

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.cloudwatch_datasource
	File: /ccms-cloudwatch.tf:54-106
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.groups
	File: /ccms-cloudwatch.tf:15-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		15 | resource "aws_cloudwatch_log_group" "groups" {
		16 |   for_each          = local.application_data.cw_log_groups
		17 |   name              = each.key
		18 |   retention_in_days = each.value.retention_days
		19 | 
		20 |   tags = merge(
		21 |     local.tags,
		22 |     {
		23 |       Name = each.key
		24 |     },
		25 |   )
		26 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.dlm_lifecycle
	File: /ccms-dlm.tf:24-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		24 | resource "aws_iam_role_policy" "dlm_lifecycle" {
		25 |   count = local.is-production ? 0 : 1
		26 |   name  = "dlm-lifecycle-policy"
		27 |   role  = aws_iam_role.dlm_lifecycle_role[0].id
		28 | 
		29 |   policy = <<EOF
		30 | {
		31 |    "Version": "2012-10-17",
		32 |    "Statement": [
		33 |       {
		34 |          "Effect": "Allow",
		35 |          "Action": [
		36 |             "ec2:CreateSnapshot",
		37 |             "ec2:DeleteSnapshot",
		38 |             "ec2:DescribeVolumes",
		39 |             "ec2:DescribeSnapshots"
		40 |          ],
		41 |          "Resource": "*"
		42 |       },
		43 |       {
		44 |          "Effect": "Allow",
		45 |          "Action": [
		46 |             "ec2:CreateTags"
		47 |          ],
		48 |          "Resource": "arn:aws:ec2:*::snapshot/*"
		49 |       }
		50 |    ]
		51 | }
		52 | EOF
		53 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.dlm_lifecycle
	File: /ccms-dlm.tf:24-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		24 | resource "aws_iam_role_policy" "dlm_lifecycle" {
		25 |   count = local.is-production ? 0 : 1
		26 |   name  = "dlm-lifecycle-policy"
		27 |   role  = aws_iam_role.dlm_lifecycle_role[0].id
		28 | 
		29 |   policy = <<EOF
		30 | {
		31 |    "Version": "2012-10-17",
		32 |    "Statement": [
		33 |       {
		34 |          "Effect": "Allow",
		35 |          "Action": [
		36 |             "ec2:CreateSnapshot",
		37 |             "ec2:DeleteSnapshot",
		38 |             "ec2:DescribeVolumes",
		39 |             "ec2:DescribeSnapshots"
		40 |          ],
		41 |          "Resource": "*"
		42 |       },
		43 |       {
		44 |          "Effect": "Allow",
		45 |          "Action": [
		46 |             "ec2:CreateTags"
		47 |          ],
		48 |          "Resource": "arn:aws:ec2:*::snapshot/*"
		49 |       }
		50 |    ]
		51 | }
		52 | EOF
		53 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_ftp
	File: /ccms-ec2-ftp.tf:1-67
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_mailrelay
	File: /ccms-ec2-mailrelay.tf:2-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.ec2_accessgate
	File: /ccms-ec2-oracle_accessgate.tf:1-104
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_accessgate
	File: /ccms-ec2-oracle_accessgate.tf:1-104
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.ebsapps_lb
	File: /ccms-ec2-oracle_ebs_apps-alb.tf:1-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		1  | resource "aws_lb" "ebsapps_lb" {
		2  |   name               = lower(format("lb-%s-%s-ebsapp", local.application_name, local.environment))
		3  |   internal           = false
		4  |   load_balancer_type = "application"
		5  |   security_groups    = [aws_security_group.sg_ebsapps_lb.id]
		6  |   subnets            = data.aws_subnets.shared-public.ids
		7  | 
		8  |   enable_deletion_protection = true
		9  | 
		10 |   access_logs {
		11 |     bucket  = module.s3-bucket-logging.bucket.id
		12 |     prefix  = local.lb_log_prefix_ebsapp
		13 |     enabled = true
		14 |   }
		15 | 
		16 |   tags = merge(local.tags,
		17 |     { Name = lower(format("lb-%s-%s-ebsapp", local.application_name, local.environment)) }
		18 |   )
		19 | }

Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
	FAILED for resource: aws_lb_target_group.ebsapp_tg
	File: /ccms-ec2-oracle_ebs_apps-alb.tf:39-54
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks

		39 | resource "aws_lb_target_group" "ebsapp_tg" {
		40 |   name     = lower(format("tg-%s-%s-ebsapp", local.application_name, local.environment))
		41 |   port     = local.application_data.accounts[local.environment].tg_apps_port
		42 |   protocol = "HTTP"
		43 |   vpc_id   = data.aws_vpc.shared.id
		44 |   health_check {
		45 |     port     = local.application_data.accounts[local.environment].tg_apps_port
		46 |     protocol = "HTTP"
		47 |   }
		48 | 
		49 |   stickiness {
		50 |     enabled         = true
		51 |     type            = "lb_cookie"
		52 |     cookie_duration = 3600
		53 |   }
		54 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.ebsapps_nlb
	File: /ccms-ec2-oracle_ebs_apps-nlb.tf:16-42
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		16 | resource "aws_lb" "ebsapps_nlb" {
		17 |   name               = lower(format("nlb-%s-%s-ebs", local.application_name, local.environment))
		18 |   internal           = false
		19 |   load_balancer_type = "network"
		20 | 
		21 |   enable_deletion_protection       = true
		22 |   enable_cross_zone_load_balancing = true
		23 | 
		24 |   subnet_mapping {
		25 |     subnet_id     = data.aws_subnets.shared-public.ids[0]
		26 |     allocation_id = aws_eip.ebs_eip[0].id
		27 |   }
		28 | 
		29 |   subnet_mapping {
		30 |     subnet_id     = data.aws_subnets.shared-public.ids[1]
		31 |     allocation_id = aws_eip.ebs_eip[1].id
		32 |   }
		33 | 
		34 |   subnet_mapping {
		35 |     subnet_id     = data.aws_subnets.shared-public.ids[2]
		36 |     allocation_id = aws_eip.ebs_eip[2].id
		37 |   }
		38 | 
		39 |   tags = merge(local.tags,
		40 |     { Name = lower(format("nlb-%s-%s-ebsapp", local.application_name, local.environment)) }
		41 |   )
		42 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.ec2_ebsapps
	File: /ccms-ec2-oracle_ebs_apps.tf:1-127
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_ebsapps
	File: /ccms-ec2-oracle_ebs_apps.tf:1-127
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
	FAILED for resource: aws_instance.ec2_oracle_ebs
	File: /ccms-ec2-oracle_ebs_db.tf:1-68
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-13

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_oracle_ebs
	File: /ccms-ec2-oracle_ebs_db.tf:1-68
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.webgate_lb
	File: /ccms-ec2-oracle_webgate-alb.tf:1-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		1  | resource "aws_lb" "webgate_lb" {
		2  |   count              = local.is-production ? 1 : 1
		3  |   name               = lower(format("lb-%s-%s-wgate", local.application_name, local.environment))
		4  |   internal           = true
		5  |   load_balancer_type = "application"
		6  |   security_groups    = [aws_security_group.sg_webgate_lb.id]
		7  |   subnets            = data.aws_subnets.shared-private.ids
		8  | 
		9  |   enable_deletion_protection = true
		10 | 
		11 |   access_logs {
		12 |     bucket  = module.s3-bucket-logging.bucket.id
		13 |     prefix  = local.lb_log_prefix_wgate
		14 |     enabled = true
		15 |   }
		16 | 
		17 |   tags = merge(local.tags,
		18 |     { Name = lower(format("lb-%s-%s-wgate", local.application_name, local.environment)) }
		19 |   )
		20 | }

Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
	FAILED for resource: aws_lb_target_group.webgate_tg
	File: /ccms-ec2-oracle_webgate-alb.tf:40-52
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks

		40 | resource "aws_lb_target_group" "webgate_tg" {
		41 |   count    = local.is-production ? 1 : 1
		42 |   name     = lower(format("tg-%s-%s-wgate", local.application_name, local.environment))
		43 |   port     = 5401
		44 |   protocol = "HTTP"
		45 |   vpc_id   = data.aws_vpc.shared.id
		46 |   health_check {
		47 |     port     = 5401
		48 |     protocol = "HTTP"
		49 |     matcher  = 302
		50 |     timeout  = 10
		51 |   }
		52 | }

Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.webgate_public_lb
	File: /ccms-ec2-oracle_webgate-alb.tf:62-80
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		62 | resource "aws_lb" "webgate_public_lb" {
		63 |   name               = lower(format("public-alb-webgate"))
		64 |   internal           = false
		65 |   load_balancer_type = "application"
		66 |   security_groups    = [aws_security_group.sg_webgate_lb.id]
		67 |   subnets            = data.aws_subnets.shared-public.ids
		68 | 
		69 |   enable_deletion_protection = true
		70 | 
		71 |   access_logs {
		72 |     bucket  = module.s3-bucket-logging.bucket.id
		73 |     prefix  = local.lb_log_prefix_wgate_public
		74 |     enabled = true
		75 |   }
		76 | 
		77 |   tags = merge(local.tags,
		78 |     { Name = lower(format("public-alb-webgate")) }
		79 |   )
		80 | }

Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
	FAILED for resource: aws_lb_target_group.webgate_tg_public
	File: /ccms-ec2-oracle_webgate-alb.tf:100-111
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks

		100 | resource "aws_lb_target_group" "webgate_tg_public" {
		101 |   name     = lower(format("public-alb-webgate-tg"))
		102 |   port     = 5401
		103 |   protocol = "HTTP"
		104 |   vpc_id   = data.aws_vpc.shared.id
		105 |   health_check {
		106 |     port     = 5401
		107 |     protocol = "HTTP"
		108 |     matcher  = 302
		109 |     timeout  = 10
		110 |   }
		111 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.webgate_nlb
	File: /ccms-ec2-oracle_webgate-nlb.tf:16-42
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		16 | resource "aws_lb" "webgate_nlb" {
		17 |   name               = lower(format("public-nlb-webgate"))
		18 |   internal           = false
		19 |   load_balancer_type = "network"
		20 | 
		21 |   enable_deletion_protection       = true
		22 |   enable_cross_zone_load_balancing = true
		23 | 
		24 |   subnet_mapping {
		25 |     subnet_id     = data.aws_subnets.shared-public.ids[0]
		26 |     allocation_id = aws_eip.webgate_eip[0].id
		27 |   }
		28 | 
		29 |   subnet_mapping {
		30 |     subnet_id     = data.aws_subnets.shared-public.ids[1]
		31 |     allocation_id = aws_eip.webgate_eip[1].id
		32 |   }
		33 | 
		34 |   subnet_mapping {
		35 |     subnet_id     = data.aws_subnets.shared-public.ids[2]
		36 |     allocation_id = aws_eip.webgate_eip[2].id
		37 |   }
		38 | 
		39 |   tags = merge(local.tags,
		40 |     { Name = lower(format("public-nlb-webgate")) }
		41 |   )
		42 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.ec2_webgate
	File: /ccms-ec2-oracle_webgate.tf:1-104
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_webgate
	File: /ccms-ec2-oracle_webgate.tf:1-104
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.ec2_operations_policy
	File: /ccms-iam.tf:249-273
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		249 | resource "aws_iam_policy" "ec2_operations_policy" {
		250 |   name        = "ec2_operations-${local.environment}"
		251 |   description = "Allows EC2 operations."
		252 | 
		253 |   policy = jsonencode(
		254 |     {
		255 |       "Version" : "2012-10-17",
		256 |       "Statement" : [
		257 |         {
		258 |           "Sid" : "EC2Operations",
		259 |           "Effect" : "Allow",
		260 |           "Action" : [
		261 |             "ec2:Describe*",
		262 |             "ec2:CreateSnapshot",
		263 |             "ec2:CreateSnapshots",
		264 |             "ec2:DeleteSnapshot",
		265 |             "ec2:CreateTags",
		266 |             "ec2:DeleteTags"
		267 |           ],
		268 |           "Resource" : "*"
		269 |         }
		270 |       ]
		271 |     }
		272 |   )
		273 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.ec2_operations_policy
	File: /ccms-iam.tf:249-273
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		249 | resource "aws_iam_policy" "ec2_operations_policy" {
		250 |   name        = "ec2_operations-${local.environment}"
		251 |   description = "Allows EC2 operations."
		252 | 
		253 |   policy = jsonencode(
		254 |     {
		255 |       "Version" : "2012-10-17",
		256 |       "Statement" : [
		257 |         {
		258 |           "Sid" : "EC2Operations",
		259 |           "Effect" : "Allow",
		260 |           "Action" : [
		261 |             "ec2:Describe*",
		262 |             "ec2:CreateSnapshot",
		263 |             "ec2:CreateSnapshots",
		264 |             "ec2:DeleteSnapshot",
		265 |             "ec2:CreateTags",
		266 |             "ec2:DeleteTags"
		267 |           ],
		268 |           "Resource" : "*"
		269 |         }
		270 |       ]
		271 |     }
		272 |   )
		273 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.certificate_expiration_alerts
	File: /ccms-lambda-certificate-monitor.tf:46-51
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		46 | resource "aws_sns_topic" "certificate_expiration_alerts" {
		47 |   name = "${local.application_name}-${local.environment}-acm-certificate-alerts"
		48 |   tags = merge(local.tags, {
		49 |     Name = "${local.application_name}-${local.environment}-certificate-monitor"
		50 |   })
		51 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.certificate_monitor
	File: /ccms-lambda-certificate-monitor.tf:59-75
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		59 | resource "aws_lambda_function" "certificate_monitor" {
		60 |   filename      = "./lambda/certificate_monitor.zip"
		61 |   function_name = "${local.application_name}-${local.environment}-certificate-monitor"
		62 |   role          = aws_iam_role.lambda_certificate_monitor_role.arn
		63 |   handler       = "lambda_function.lambda_handler"
		64 |   runtime       = "python3.13"
		65 |   timeout       = 30
		66 | 
		67 |   environment {
		68 |     variables = {
		69 |       SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
		70 |     }
		71 |   }
		72 |   tags = merge(local.tags, {
		73 |     Name = "${local.application_name}-${local.environment}-certificate-monitor"
		74 |   })
		75 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.certificate_monitor
	File: /ccms-lambda-certificate-monitor.tf:59-75
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		59 | resource "aws_lambda_function" "certificate_monitor" {
		60 |   filename      = "./lambda/certificate_monitor.zip"
		61 |   function_name = "${local.application_name}-${local.environment}-certificate-monitor"
		62 |   role          = aws_iam_role.lambda_certificate_monitor_role.arn
		63 |   handler       = "lambda_function.lambda_handler"
		64 |   runtime       = "python3.13"
		65 |   timeout       = 30
		66 | 
		67 |   environment {
		68 |     variables = {
		69 |       SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
		70 |     }
		71 |   }
		72 |   tags = merge(local.tags, {
		73 |     Name = "${local.application_name}-${local.environment}-certificate-monitor"
		74 |   })
		75 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.certificate_monitor
	File: /ccms-lambda-certificate-monitor.tf:59-75
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		59 | resource "aws_lambda_function" "certificate_monitor" {
		60 |   filename      = "./lambda/certificate_monitor.zip"
		61 |   function_name = "${local.application_name}-${local.environment}-certificate-monitor"
		62 |   role          = aws_iam_role.lambda_certificate_monitor_role.arn
		63 |   handler       = "lambda_function.lambda_handler"
		64 |   runtime       = "python3.13"
		65 |   timeout       = 30
		66 | 
		67 |   environment {
		68 |     variables = {
		69 |       SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
		70 |     }
		71 |   }
		72 |   tags = merge(local.tags, {
		73 |     Name = "${local.application_name}-${local.environment}-certificate-monitor"
		74 |   })
		75 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.certificate_monitor
	File: /ccms-lambda-certificate-monitor.tf:59-75
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		59 | resource "aws_lambda_function" "certificate_monitor" {
		60 |   filename      = "./lambda/certificate_monitor.zip"
		61 |   function_name = "${local.application_name}-${local.environment}-certificate-monitor"
		62 |   role          = aws_iam_role.lambda_certificate_monitor_role.arn
		63 |   handler       = "lambda_function.lambda_handler"
		64 |   runtime       = "python3.13"
		65 |   timeout       = 30
		66 | 
		67 |   environment {
		68 |     variables = {
		69 |       SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
		70 |     }
		71 |   }
		72 |   tags = merge(local.tags, {
		73 |     Name = "${local.application_name}-${local.environment}-certificate-monitor"
		74 |   })
		75 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.certificate_monitor
	File: /ccms-lambda-certificate-monitor.tf:59-75
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		59 | resource "aws_lambda_function" "certificate_monitor" {
		60 |   filename      = "./lambda/certificate_monitor.zip"
		61 |   function_name = "${local.application_name}-${local.environment}-certificate-monitor"
		62 |   role          = aws_iam_role.lambda_certificate_monitor_role.arn
		63 |   handler       = "lambda_function.lambda_handler"
		64 |   runtime       = "python3.13"
		65 |   timeout       = 30
		66 | 
		67 |   environment {
		68 |     variables = {
		69 |       SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
		70 |     }
		71 |   }
		72 |   tags = merge(local.tags, {
		73 |     Name = "${local.application_name}-${local.environment}-certificate-monitor"
		74 |   })
		75 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.certificate_monitor
	File: /ccms-lambda-certificate-monitor.tf:59-75
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		59 | resource "aws_lambda_function" "certificate_monitor" {
		60 |   filename      = "./lambda/certificate_monitor.zip"
		61 |   function_name = "${local.application_name}-${local.environment}-certificate-monitor"
		62 |   role          = aws_iam_role.lambda_certificate_monitor_role.arn
		63 |   handler       = "lambda_function.lambda_handler"
		64 |   runtime       = "python3.13"
		65 |   timeout       = 30
		66 | 
		67 |   environment {
		68 |     variables = {
		69 |       SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
		70 |     }
		71 |   }
		72 |   tags = merge(local.tags, {
		73 |     Name = "${local.application_name}-${local.environment}-certificate-monitor"
		74 |   })
		75 | }

Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
	FAILED for resource: aws_security_group.lambda_security_group
	File: /ccms-lambda.tf:22-44

		22 | resource "aws_security_group" "lambda_security_group" {
		23 |   name        = "${local.application_name}-${local.environment}-lambda-sg"
		24 |   description = "SG traffic control for Payment Load Lambda"
		25 |   vpc_id      = data.aws_vpc.shared.id
		26 | 
		27 |   ingress {
		28 |     from_port   = 1521
		29 |     to_port     = 1522
		30 |     protocol    = "tcp"
		31 |     cidr_blocks = [data.aws_vpc.shared.cidr_block]
		32 |   }
		33 | 
		34 |   egress {
		35 |     from_port   = 0
		36 |     to_port     = 0
		37 |     protocol    = "-1"
		38 |     cidr_blocks = ["0.0.0.0/0"]
		39 |   }
		40 | 
		41 |   tags = merge(local.tags,
		42 |     { Name = "${local.application_name}-${local.environment}-lambda-sg" }
		43 |   )
		44 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.lambda_security_group
	File: /ccms-lambda.tf:22-44
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		22 | resource "aws_security_group" "lambda_security_group" {
		23 |   name        = "${local.application_name}-${local.environment}-lambda-sg"
		24 |   description = "SG traffic control for Payment Load Lambda"
		25 |   vpc_id      = data.aws_vpc.shared.id
		26 | 
		27 |   ingress {
		28 |     from_port   = 1521
		29 |     to_port     = 1522
		30 |     protocol    = "tcp"
		31 |     cidr_blocks = [data.aws_vpc.shared.cidr_block]
		32 |   }
		33 | 
		34 |   egress {
		35 |     from_port   = 0
		36 |     to_port     = 0
		37 |     protocol    = "-1"
		38 |     cidr_blocks = ["0.0.0.0/0"]
		39 |   }
		40 | 
		41 |   tags = merge(local.tags,
		42 |     { Name = "${local.application_name}-${local.environment}-lambda-sg" }
		43 |   )
		44 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.lambda_function
	File: /ccms-lambda.tf:48-82
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		48 | resource "aws_lambda_function" "lambda_function" {
		49 |   function_name = "${local.application_name}-${local.environment}-payment-load"
		50 |   filename      = "lambda/functionV2.zip"
		51 |   handler       = "lambda_function.lambda_handler"
		52 |   runtime       = "python3.10"
		53 |   role          = aws_iam_role.lambda_execution_role.arn
		54 |   layers        = [aws_lambda_layer_version.lambda_layer.arn]
		55 |   architectures = ["x86_64"]
		56 |   memory_size   = 128
		57 |   timeout       = 120
		58 | 
		59 |   vpc_config {
		60 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		61 |     security_group_ids = [aws_security_group.lambda_security_group.id]
		62 |   }
		63 |   environment {
		64 |     variables = {
		65 |       IS_PRODUCTION   = local.is-production ? "true" : "false"
		66 |       LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
		67 |       S3_BUCKET_NAME  = aws_s3_bucket.lambda_payment_load.bucket
		68 |       SECRET_NAME     = aws_secretsmanager_secret.secret_lambda_s3.name
		69 |     }
		70 |   }
		71 |   logging_config {
		72 |     log_format            = "JSON"
		73 |     application_log_level = "INFO"
		74 |     system_log_level      = "INFO"
		75 |   }
		76 | 
		77 |   tags = merge(local.tags, {
		78 |     Name = "${local.application_name}-${local.environment}-payment-load"
		79 |   })
		80 | 
		81 |   depends_on = [aws_lambda_layer_version.lambda_layer]
		82 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.lambda_function
	File: /ccms-lambda.tf:48-82
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		48 | resource "aws_lambda_function" "lambda_function" {
		49 |   function_name = "${local.application_name}-${local.environment}-payment-load"
		50 |   filename      = "lambda/functionV2.zip"
		51 |   handler       = "lambda_function.lambda_handler"
		52 |   runtime       = "python3.10"
		53 |   role          = aws_iam_role.lambda_execution_role.arn
		54 |   layers        = [aws_lambda_layer_version.lambda_layer.arn]
		55 |   architectures = ["x86_64"]
		56 |   memory_size   = 128
		57 |   timeout       = 120
		58 | 
		59 |   vpc_config {
		60 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		61 |     security_group_ids = [aws_security_group.lambda_security_group.id]
		62 |   }
		63 |   environment {
		64 |     variables = {
		65 |       IS_PRODUCTION   = local.is-production ? "true" : "false"
		66 |       LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
		67 |       S3_BUCKET_NAME  = aws_s3_bucket.lambda_payment_load.bucket
		68 |       SECRET_NAME     = aws_secretsmanager_secret.secret_lambda_s3.name
		69 |     }
		70 |   }
		71 |   logging_config {
		72 |     log_format            = "JSON"
		73 |     application_log_level = "INFO"
		74 |     system_log_level      = "INFO"
		75 |   }
		76 | 
		77 |   tags = merge(local.tags, {
		78 |     Name = "${local.application_name}-${local.environment}-payment-load"
		79 |   })
		80 | 
		81 |   depends_on = [aws_lambda_layer_version.lambda_layer]
		82 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.lambda_function
	File: /ccms-lambda.tf:48-82
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		48 | resource "aws_lambda_function" "lambda_function" {
		49 |   function_name = "${local.application_name}-${local.environment}-payment-load"
		50 |   filename      = "lambda/functionV2.zip"
		51 |   handler       = "lambda_function.lambda_handler"
		52 |   runtime       = "python3.10"
		53 |   role          = aws_iam_role.lambda_execution_role.arn
		54 |   layers        = [aws_lambda_layer_version.lambda_layer.arn]
		55 |   architectures = ["x86_64"]
		56 |   memory_size   = 128
		57 |   timeout       = 120
		58 | 
		59 |   vpc_config {
		60 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		61 |     security_group_ids = [aws_security_group.lambda_security_group.id]
		62 |   }
		63 |   environment {
		64 |     variables = {
		65 |       IS_PRODUCTION   = local.is-production ? "true" : "false"
		66 |       LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
		67 |       S3_BUCKET_NAME  = aws_s3_bucket.lambda_payment_load.bucket
		68 |       SECRET_NAME     = aws_secretsmanager_secret.secret_lambda_s3.name
		69 |     }
		70 |   }
		71 |   logging_config {
		72 |     log_format            = "JSON"
		73 |     application_log_level = "INFO"
		74 |     system_log_level      = "INFO"
		75 |   }
		76 | 
		77 |   tags = merge(local.tags, {
		78 |     Name = "${local.application_name}-${local.environment}-payment-load"
		79 |   })
		80 | 
		81 |   depends_on = [aws_lambda_layer_version.lambda_layer]
		82 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.lambda_function
	File: /ccms-lambda.tf:48-82
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		48 | resource "aws_lambda_function" "lambda_function" {
		49 |   function_name = "${local.application_name}-${local.environment}-payment-load"
		50 |   filename      = "lambda/functionV2.zip"
		51 |   handler       = "lambda_function.lambda_handler"
		52 |   runtime       = "python3.10"
		53 |   role          = aws_iam_role.lambda_execution_role.arn
		54 |   layers        = [aws_lambda_layer_version.lambda_layer.arn]
		55 |   architectures = ["x86_64"]
		56 |   memory_size   = 128
		57 |   timeout       = 120
		58 | 
		59 |   vpc_config {
		60 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		61 |     security_group_ids = [aws_security_group.lambda_security_group.id]
		62 |   }
		63 |   environment {
		64 |     variables = {
		65 |       IS_PRODUCTION   = local.is-production ? "true" : "false"
		66 |       LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
		67 |       S3_BUCKET_NAME  = aws_s3_bucket.lambda_payment_load.bucket
		68 |       SECRET_NAME     = aws_secretsmanager_secret.secret_lambda_s3.name
		69 |     }
		70 |   }
		71 |   logging_config {
		72 |     log_format            = "JSON"
		73 |     application_log_level = "INFO"
		74 |     system_log_level      = "INFO"
		75 |   }
		76 | 
		77 |   tags = merge(local.tags, {
		78 |     Name = "${local.application_name}-${local.environment}-payment-load"
		79 |   })
		80 | 
		81 |   depends_on = [aws_lambda_layer_version.lambda_layer]
		82 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.lambda_function
	File: /ccms-lambda.tf:48-82
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		48 | resource "aws_lambda_function" "lambda_function" {
		49 |   function_name = "${local.application_name}-${local.environment}-payment-load"
		50 |   filename      = "lambda/functionV2.zip"
		51 |   handler       = "lambda_function.lambda_handler"
		52 |   runtime       = "python3.10"
		53 |   role          = aws_iam_role.lambda_execution_role.arn
		54 |   layers        = [aws_lambda_layer_version.lambda_layer.arn]
		55 |   architectures = ["x86_64"]
		56 |   memory_size   = 128
		57 |   timeout       = 120
		58 | 
		59 |   vpc_config {
		60 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		61 |     security_group_ids = [aws_security_group.lambda_security_group.id]
		62 |   }
		63 |   environment {
		64 |     variables = {
		65 |       IS_PRODUCTION   = local.is-production ? "true" : "false"
		66 |       LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
		67 |       S3_BUCKET_NAME  = aws_s3_bucket.lambda_payment_load.bucket
		68 |       SECRET_NAME     = aws_secretsmanager_secret.secret_lambda_s3.name
		69 |     }
		70 |   }
		71 |   logging_config {
		72 |     log_format            = "JSON"
		73 |     application_log_level = "INFO"
		74 |     system_log_level      = "INFO"
		75 |   }
		76 | 
		77 |   tags = merge(local.tags, {
		78 |     Name = "${local.application_name}-${local.environment}-payment-load"
		79 |   })
		80 | 
		81 |   depends_on = [aws_lambda_layer_version.lambda_layer]
		82 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3-bucket
	File: /ccms-s3.tf:2-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3-bucket-logging
	File: /ccms-s3.tf:98-166
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3-bucket-dbbackup
	File: /ccms-s3.tf:190-258
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.secret_ftp_s3
	File: /ccms-secrets.tf:3-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		3  | resource "aws_secretsmanager_secret" "secret_ftp_s3" {
		4  |   name        = "ftp-s3-${local.environment}-aws-key"
		5  |   description = "AWS credentials for mounting of s3 buckets for the FTP Service to access"
		6  | 
		7  |   tags = merge(local.tags,
		8  |     { Name = "ftp-s3-${local.environment}-aws-key" }
		9  |   )
		10 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.secret_ses_smtp_credentials
	File: /ccms-secrets.tf:12-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		12 | resource "aws_secretsmanager_secret" "secret_ses_smtp_credentials" {
		13 |   name        = "ses-smtp-credentials"
		14 |   description = "SMTP credentials for Postfix to send messages through SES."
		15 | 
		16 |   tags = merge(local.tags,
		17 |     { Name = "ses-smtp-credentials-${local.environment}" }
		18 |   )
		19 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.secret_lambda_s3
	File: /ccms-secrets.tf:23-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		23 | resource "aws_secretsmanager_secret" "secret_lambda_s3" {
		24 |   name        = "db-${local.environment}-credentials"
		25 |   description = "AWS credentials for lambda to connect to the db"
		26 | 
		27 |   tags = merge(local.tags,
		28 |     { Name = "db-${local.environment}-credentials" }
		29 |   )
		30 | }
Check: CKV_AWS_365: "Ensure SES Configuration Set enforces TLS usage"
	FAILED for resource: aws_ses_configuration_set.default_configuration_set
	File: /ccms-ses.tf:35-43
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-365

		35 | resource "aws_ses_configuration_set" "default_configuration_set" {
		36 |   name = "default-configuration-set"
		37 | 
		38 |   delivery_options {
		39 |     tls_policy = "Optional"
		40 |   }
		41 |   reputation_metrics_enabled = true
		42 |   sending_enabled            = true
		43 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.support_email_account
	File: /ccms-sns.tf:2-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		2 | resource "aws_secretsmanager_secret" "support_email_account" {
		3 |   name        = "support_email_account"
		4 |   description = "email address of the support account for cw alerts"
		5 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.cw_alerts
	File: /ccms-sns.tf:17-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		17 | resource "aws_sns_topic" "cw_alerts" {
		18 |   name = "ccms-ebs-ec2-alerts"
		19 |   #kms_master_key_id = "alias/aws/sns"
		20 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.s3_topic
	File: /ccms-sns.tf:34-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		34 | resource "aws_sns_topic" "s3_topic" {
		35 |   name   = "s3-event-notification-topic"
		36 |   policy = data.aws_iam_policy_document.s3_topic_policy.json
		37 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.ddos_alarm
	File: /ccms-sns.tf:51-54
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		51 | resource "aws_sns_topic" "ddos_alarm" {
		52 |   name = format("%s_ddos_alarm", local.application_name)
		53 |   #kms_master_key_id = "alias/aws/sns"
		54 | }

Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
	FAILED for resource: aws_wafv2_web_acl.ebs_web_acl
	File: /ccms-waf.tf:172-211
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-waf-prevents-message-lookup-in-log4j2

		172 | resource "aws_wafv2_web_acl" "ebs_web_acl" {
		173 |   name        = "ebs_waf"
		174 |   scope       = "REGIONAL"
		175 |   description = "AWS WAF Web ACL for EBS"
		176 | 
		177 |   default_action {
		178 |     block {}
		179 |   }
		180 | 
		181 |   rule {
		182 |     name = "ebs-trusted-rule"
		183 | 
		184 |     priority = 1
		185 |     action {
		186 |       allow {}
		187 |     }
		188 | 
		189 |     statement {
		190 |       ip_set_reference_statement {
		191 |         arn = aws_wafv2_ip_set.ebs_waf_ip_set.arn
		192 |       }
		193 |     }
		194 | 
		195 |     visibility_config {
		196 |       cloudwatch_metrics_enabled = true
		197 |       metric_name                = "ebs_waf_metrics"
		198 |       sampled_requests_enabled   = true
		199 |     }
		200 |   }
		201 | 
		202 |   tags = merge(local.tags,
		203 |     { Name = lower(format("lb-%s-%s-ebsapp-web-acl", local.application_name, local.environment)) }
		204 |   )
		205 | 
		206 |   visibility_config {
		207 |     cloudwatch_metrics_enabled = true
		208 |     metric_name                = "ebs_waf_metrics"
		209 |     sampled_requests_enabled   = true
		210 |   }
		211 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.ebs_waf_logs
	File: /ccms-waf.tf:213-220
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		213 | resource "aws_cloudwatch_log_group" "ebs_waf_logs" {
		214 |   name              = "aws-waf-logs-ebs/ebs-waf-logs"
		215 |   retention_in_days = 30
		216 | 
		217 |   tags = merge(local.tags,
		218 |     { Name = lower(format("lb-%s-%s-ebs-waf-logs", local.application_name, local.environment)) }
		219 |   )
		220 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.ebs_waf_logs
	File: /ccms-waf.tf:213-220
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		213 | resource "aws_cloudwatch_log_group" "ebs_waf_logs" {
		214 |   name              = "aws-waf-logs-ebs/ebs-waf-logs"
		215 |   retention_in_days = 30
		216 | 
		217 |   tags = merge(local.tags,
		218 |     { Name = lower(format("lb-%s-%s-ebs-waf-logs", local.application_name, local.environment)) }
		219 |   )
		220 | }

Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: aws_ssm_parameter.cw_agent_config
	File: /ccms-cloudwatch.tf:28-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted

		28 | resource "aws_ssm_parameter" "cw_agent_config" {
		29 |   description = "cloud watch agent config"
		30 |   name        = "cloud-watch-config"
		31 |   type        = "String"
		32 |   value       = file("./templates/cw_agent_config.json")
		33 | 
		34 |   tags = merge(local.tags,
		35 |     { Name = "cw-config" }
		36 |   )
		37 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.lambda_payment_load
	File: /ccms-s3.tf:293-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		293 | resource "aws_s3_bucket" "lambda_payment_load" {
		294 |   bucket = "${local.application_name}-${local.environment}-payment-load"
		295 | }
Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.lambda_payment_load
	File: /ccms-s3.tf:293-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		293 | resource "aws_s3_bucket" "lambda_payment_load" {
		294 |   bucket = "${local.application_name}-${local.environment}-payment-load"
		295 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.lambda_payment_load
	File: /ccms-s3.tf:293-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		293 | resource "aws_s3_bucket" "lambda_payment_load" {
		294 |   bucket = "${local.application_name}-${local.environment}-payment-load"
		295 | }
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.secret_ftp_s3
	File: /ccms-secrets.tf:3-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		3  | resource "aws_secretsmanager_secret" "secret_ftp_s3" {
		4  |   name        = "ftp-s3-${local.environment}-aws-key"
		5  |   description = "AWS credentials for mounting of s3 buckets for the FTP Service to access"
		6  | 
		7  |   tags = merge(local.tags,
		8  |     { Name = "ftp-s3-${local.environment}-aws-key" }
		9  |   )
		10 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.secret_ses_smtp_credentials
	File: /ccms-secrets.tf:12-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		12 | resource "aws_secretsmanager_secret" "secret_ses_smtp_credentials" {
		13 |   name        = "ses-smtp-credentials"
		14 |   description = "SMTP credentials for Postfix to send messages through SES."
		15 | 
		16 |   tags = merge(local.tags,
		17 |     { Name = "ses-smtp-credentials-${local.environment}" }
		18 |   )
		19 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.secret_lambda_s3
	File: /ccms-secrets.tf:23-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		23 | resource "aws_secretsmanager_secret" "secret_lambda_s3" {
		24 |   name        = "db-${local.environment}-credentials"
		25 |   description = "AWS credentials for lambda to connect to the db"
		26 | 
		27 |   tags = merge(local.tags,
		28 |     { Name = "db-${local.environment}-credentials" }
		29 |   )
		30 | }
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.support_email_account
	File: /ccms-sns.tf:2-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		2 | resource "aws_secretsmanager_secret" "support_email_account" {
		3 |   name        = "support_email_account"
		4 |   description = "email address of the support account for cw alerts"
		5 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.lambda_payment_load
	File: /ccms-s3.tf:293-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		293 | resource "aws_s3_bucket" "lambda_payment_load" {
		294 |   bucket = "${local.application_name}-${local.environment}-payment-load"
		295 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.lambda_payment_load
	File: /ccms-s3.tf:293-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		293 | resource "aws_s3_bucket" "lambda_payment_load" {
		294 |   bucket = "${local.application_name}-${local.environment}-payment-load"
		295 | }
Check: CKV2_AWS_64: "Ensure KMS key Policy is defined"
	FAILED for resource: aws_kms_key.oracle_ec2
	File: /ccms-kms.tf:1-7
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-2-64

		1 | resource "aws_kms_key" "oracle_ec2" {
		2 |   enable_key_rotation = true
		3 | 
		4 |   tags = merge(local.tags,
		5 |     { Name = "oracle_ec2" }
		6 |   )
		7 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.lambda_payment_load
	File: /ccms-s3.tf:293-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		293 | resource "aws_s3_bucket" "lambda_payment_load" {
		294 |   bucket = "${local.application_name}-${local.environment}-payment-load"
		295 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.lambda_payment_load
	File: /ccms-s3.tf:293-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		293 | resource "aws_s3_bucket" "lambda_payment_load" {
		294 |   bucket = "${local.application_name}-${local.environment}-payment-load"
		295 | }
Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances"
	FAILED for resource: aws_eip.ebs_eip
	File: /ccms-ec2-oracle_ebs_apps-nlb.tf:2-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances

		2  | resource "aws_eip" "ebs_eip" {
		3  |   count = local.is-production ? 6 : 3
		4  |   vpc   = true
		5  | 
		6  |   lifecycle {
		7  |     prevent_destroy = true
		8  |   }
		9  | 
		10 |   tags = merge(local.tags,
		11 |     { Name = lower(format("lb-%s-%s-eip-${count.index + 1}", local.application_name, local.environment)) }
		12 |   )
		13 | }

Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances"
	FAILED for resource: aws_eip.webgate_eip
	File: /ccms-ec2-oracle_webgate-nlb.tf:2-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances

		2  | resource "aws_eip" "webgate_eip" {
		3  |   count = local.is-production ? 6 : 3
		4  |   vpc   = true
		5  | 
		6  |   lifecycle {
		7  |     prevent_destroy = true
		8  |   }
		9  | 
		10 |   tags = merge(local.tags,
		11 |     { Name = lower(format("lb-%s-%s-webgate-eip-${count.index + 1}", local.application_name, local.environment)) }
		12 |   )
		13 | }


checkov_exitcode=1

CTFLint Scan Failed

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/ccms-ebs

*****************************

Running tflint in terraform/environments/ccms-ebs
Excluding the following checks: terraform_unused_declarations
5 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/ccms-ebs/ccms-ec2-ftp.tf line 23:
  23:     environment               = "${local.environment}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/ccms-ebs/ccms-ec2-ftp.tf line 24:
  24:     lz_aws_account_id_env     = "${local.application_data.accounts[local.environment].lz_aws_account_id_env}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/ccms-ebs/ccms-ec2-ftp.tf line 25:
  25:     lz_ftp_bucket_environment = "${local.application_data.accounts[local.environment].lz_ftp_bucket_environment}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/ccms-ebs/ccms-ec2-mailrelay.tf line 28:
  28:     smtp_fqdn = "${local.application_data.accounts[local.environment].ses_domain_identity}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/ccms-ebs/ccms-ec2-oracle_ebs_db.tf line 31:
  31:     environment = "${local.environment}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/ccms-ebs

*****************************

Running Trivy in terraform/environments/ccms-ebs
2024-12-12T16:00:06Z	INFO	[vulndb] Need to update DB
2024-12-12T16:00:06Z	INFO	[vulndb] Downloading vulnerability DB...
2024-12-12T16:00:06Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-12T16:00:09Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-12T16:00:09Z	INFO	[vuln] Vulnerability scanning is enabled
2024-12-12T16:00:09Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-12-12T16:00:09Z	INFO	[misconfig] Need to update the built-in checks
2024-12-12T16:00:09Z	INFO	[misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2024-12-12T16:00:15Z	INFO	[secret] Secret scanning is enabled
2024-12-12T16:00:15Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-12T16:00:15Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-12T16:00:17Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-12-12T16:00:17Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-12-12T16:00:17Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_log_group.groups" value="cty.NilVal"
2024-12-12T16:00:17Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_security_group_rule.all_internal_egress_traffic" value="cty.NilVal"
2024-12-12T16:00:17Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_security_group_rule.all_internal_ingress_traffic" value="cty.NilVal"
2024-12-12T16:00:18Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T16:00:18Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T16:00:18Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.s3-bucket-dbbackup.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T16:00:18Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.s3-bucket-dbbackup.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T16:00:18Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.s3-bucket-logging.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T16:00:18Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.s3-bucket-logging.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T16:00:18Z	INFO	[terraform scanner] Scanning root module	file_path="modules"
2024-12-12T16:00:18Z	INFO	[terraform scanner] Scanning root module	file_path="modules/cw-logs"
2024-12-12T16:00:21Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-12-12T16:00:21Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-user-attached-policies" range="ccms-iam.tf:283-289"
2024-12-12T16:00:22Z	INFO	Number of language-specific files	num=0
2024-12-12T16:00:22Z	INFO	Detected config files	num=28

ccms-ec2-oracle_accessgate.tf (terraform)
=========================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 ccms-ec2-oracle_accessgate.tf:1-104
────────────────────────────────────────
   1resource "aws_instance" "ec2_accessgate" {
   2count                  = local.application_data.accounts[local.environment].accessgate_no_instances
   3instance_type          = local.application_data.accounts[local.environment].ec2_oracle_instance_type_accessgate
   4ami                    = local.application_data.accounts[local.environment]["accessgate_ami_id-${count.index + 1}"]
   5key_name               = local.application_data.accounts[local.environment].key_name
   6vpc_security_group_ids = [aws_security_group.ec2_sg_accessgate.id]
   7subnet_id              = local.private_subnets[count.index]
   8#subnet_id                   = data.aws_subnet.data_subnets_a.id
   9monitoring                  = true
  ..   
────────────────────────────────────────



ccms-ec2-oracle_ebs_apps-alb.tf (terraform)
===========================================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.


See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 ccms-ec2-oracle_ebs_apps-alb.tf:1-19
────────────────────────────────────────
   1resource "aws_lb" "ebsapps_lb" {
   2name               = lower(format("lb-%s-%s-ebsapp", local.application_name, local.environment))
   3internal           = false
   4load_balancer_type = "application"
   5security_groups    = [aws_security_group.sg_ebsapps_lb.id]
   6subnets            = data.aws_subnets.shared-public.ids
   78enable_deletion_protection = true
   9..   
────────────────────────────────────────


AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 ccms-ec2-oracle_ebs_apps-alb.tf:3
   via ccms-ec2-oracle_ebs_apps-alb.tf:1-19 (aws_lb.ebsapps_lb)
────────────────────────────────────────
   1   resource "aws_lb" "ebsapps_lb" {
   .   
   3 [   internal           = false
  ..   
  19   }
────────────────────────────────────────



ccms-ec2-oracle_ebs_apps-nlb.tf (terraform)
===========================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 ccms-ec2-oracle_ebs_apps-nlb.tf:18
   via ccms-ec2-oracle_ebs_apps-nlb.tf:16-42 (aws_lb.ebsapps_nlb)
────────────────────────────────────────
  16   resource "aws_lb" "ebsapps_nlb" {
  ..   
  18 [   internal           = false
  ..   
  42   }
────────────────────────────────────────



ccms-ec2-oracle_ebs_apps.tf (terraform)
=======================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 ccms-ec2-oracle_ebs_apps.tf:1-127
────────────────────────────────────────
   1resource "aws_instance" "ec2_ebsapps" {
   2 │   count                  = local.application_data.accounts[local.environment].ebsapps_no_instances
   3 │   instance_type          = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsapps
   4 │   ami                    = local.application_data.accounts[local.environment]["ebsapps_ami_id-${count.index + 1}"]
   5 │   key_name               = local.application_data.accounts[local.environment].key_name
   6 │   vpc_security_group_ids = [aws_security_group.ec2_sg_ebsapps.id]
   7 │   subnet_id              = local.private_subnets[count.index]
   8#subnet_id                   = data.aws_subnet.data_subnets_a.id
   9 └   monitoring                  = true
  ..   
────────────────────────────────────────



ccms-ec2-oracle_ebs_db.tf (terraform)
=====================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 ccms-ec2-oracle_ebs_db.tf:1-68
────────────────────────────────────────
   1 ┌ resource "aws_instance" "ec2_oracle_ebs" {
   2 │   instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsdb
   3#ami                         = data.aws_ami.oracle_db.id
   4 │   ami                         = local.application_data.accounts[local.environment].ebsdb_ami_id
   5 │   key_name                    = local.application_data.accounts[local.environment].key_name
   6 │   vpc_security_group_ids      = [aws_security_group.ec2_sg_ebsdb.id]
   7 │   subnet_id                   = data.aws_subnet.data_subnets_a.id
   8 │   monitoring                  = true
   9 └   ebs_optimized               = false
  ..   
────────────────────────────────────────



ccms-ec2-oracle_webgate-alb.tf (terraform)
==========================================
Tests: 3 (SUCCESSES: 0, FAILURES: 3)
Failures: 3 (HIGH: 3, CRITICAL: 0)

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.


See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 ccms-ec2-oracle_webgate-alb.tf:1-20
────────────────────────────────────────
   1 ┌ resource "aws_lb" "webgate_lb" {
   2 │   count              = local.is-production ? 1 : 1
   3 │   name               = lower(format("lb-%s-%s-wgate", local.application_name, local.environment))
   4 │   internal           = true
   5 │   load_balancer_type = "application"
   6 │   security_groups    = [aws_security_group.sg_webgate_lb.id]
   7 │   subnets            = data.aws_subnets.shared-private.ids
   89 └   enable_deletion_protection = true
  ..   
────────────────────────────────────────


AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.


See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 ccms-ec2-oracle_webgate-alb.tf:62-80
────────────────────────────────────────
  62 ┌ resource "aws_lb" "webgate_public_lb" {
  63 │   name               = lower(format("public-alb-webgate"))
  64 │   internal           = false
  65 │   load_balancer_type = "application"
  66 │   security_groups    = [aws_security_group.sg_webgate_lb.id]
  67 │   subnets            = data.aws_subnets.shared-public.ids
  6869 │   enable_deletion_protection = true
  70 └ 
  ..   
────────────────────────────────────────


AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 ccms-ec2-oracle_webgate-alb.tf:64
   via ccms-ec2-oracle_webgate-alb.tf:62-80 (aws_lb.webgate_public_lb)
────────────────────────────────────────
  62   resource "aws_lb" "webgate_public_lb" {
  ..   
  64 [   internal           = false
  ..   
  80   }
────────────────────────────────────────



ccms-ec2-oracle_webgate-nlb.tf (terraform)
==========================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 ccms-ec2-oracle_webgate-nlb.tf:18
   via ccms-ec2-oracle_webgate-nlb.tf:16-42 (aws_lb.webgate_nlb)
────────────────────────────────────────
  16   resource "aws_lb" "webgate_nlb" {
  ..   
  18 [   internal           = false
  ..   
  42   }
────────────────────────────────────────



ccms-ec2-oracle_webgate.tf (terraform)
======================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 ccms-ec2-oracle_webgate.tf:1-104
────────────────────────────────────────
   1 ┌ resource "aws_instance" "ec2_webgate" {
   2 │   count                  = local.application_data.accounts[local.environment].webgate_no_instances
   3 │   instance_type          = local.application_data.accounts[local.environment].ec2_oracle_instance_type_webgate
   4 │   ami                    = local.application_data.accounts[local.environment]["webgate_ami_id-${count.index + 1}"]
   5 │   key_name               = local.application_data.accounts[local.environment].key_name
   6 │   vpc_security_group_ids = [aws_security_group.ec2_sg_webgate.id]
   7 │   subnet_id              = local.private_subnets[count.index]
   8#subnet_id                   = data.aws_subnet.data_subnets_a.id
   9 └   monitoring                  = true
  ..   
────────────────────────────────────────



ccms-s3.tf (terraform)
======================
Tests: 8 (SUCCESSES: 0, FAILURES: 8)
Failures: 8 (HIGH: 8, CRITICAL: 0)

AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 ccms-s3.tf:286-288
────────────────────────────────────────
 286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
 287 │   bucket = "${local.application_name}-${local.environment}-shared"
 288 └ }
────────────────────────────────────────


AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 ccms-s3.tf:293-295
────────────────────────────────────────
 293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
 294 │   bucket = "${local.application_name}-${local.environment}-payment-load"
 295 └ }
────────────────────────────────────────


AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 ccms-s3.tf:286-288
────────────────────────────────────────
 286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
 287 │   bucket = "${local.application_name}-${local.environment}-shared"
 288 └ }
────────────────────────────────────────


AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 ccms-s3.tf:293-295
────────────────────────────────────────
 293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
 294 │   bucket = "${local.application_name}-${local.environment}-payment-load"
 295 └ }
────────────────────────────────────────


AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 ccms-s3.tf:286-288
────────────────────────────────────────
 286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
 287 │   bucket = "${local.application_name}-${local.environment}-shared"
 288 └ }
────────────────────────────────────────


AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 ccms-s3.tf:293-295
────────────────────────────────────────
 293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
 294 │   bucket = "${local.application_name}-${local.environment}-payment-load"
 295 └ }
────────────────────────────────────────


AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.


See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 ccms-s3.tf:286-288
────────────────────────────────────────
 286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
 287 │   bucket = "${local.application_name}-${local.environment}-shared"
 288 └ }
────────────────────────────────────────


AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.


See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 ccms-s3.tf:293-295
────────────────────────────────────────
 293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
 294 │   bucket = "${local.application_name}-${local.environment}-payment-load"
 295 └ }
────────────────────────────────────────


trivy_exitcode=1

@mmgovuk mmgovuk had a problem deploying to ccms-ebs-development December 12, 2024 16:44 — with GitHub Actions Failure
@github-actions GitHub Actions
Copy link
Contributor

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/ccms-ebs

Running Trivy in terraform/environments/ccms-ebs
2024-12-12T16:45:08Z INFO [vulndb] Need to update DB
2024-12-12T16:45:08Z INFO [vulndb] Downloading vulnerability DB...
2024-12-12T16:45:08Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-12T16:45:10Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-12T16:45:10Z INFO [vuln] Vulnerability scanning is enabled
2024-12-12T16:45:10Z INFO [misconfig] Misconfiguration scanning is enabled
2024-12-12T16:45:10Z INFO [misconfig] Need to update the built-in checks
2024-12-12T16:45:10Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2024-12-12T16:45:11Z INFO [secret] Secret scanning is enabled
2024-12-12T16:45:11Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-12T16:45:11Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-12T16:45:12Z INFO [terraform scanner] Scanning root module file_path="."
2024-12-12T16:45:12Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-12-12T16:45:12Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_log_group.groups" value="cty.NilVal"
2024-12-12T16:45:12Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_security_group_rule.all_internal_egress_traffic" value="cty.NilVal"
2024-12-12T16:45:12Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_security_group_rule.all_internal_ingress_traffic" value="cty.NilVal"
2024-12-12T16:45:13Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T16:45:13Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T16:45:13Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket-dbbackup.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T16:45:13Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket-dbbackup.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T16:45:13Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket-logging.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T16:45:13Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket-logging.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T16:45:13Z INFO [terraform scanner] Scanning root module file_path="modules"
2024-12-12T16:45:13Z INFO [terraform scanner] Scanning root module file_path="modules/cw-logs"
2024-12-12T16:45:16Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-12-12T16:45:16Z INFO [terraform executor] Ignore finding rule="aws-iam-no-user-attached-policies" range="ccms-iam.tf:283-289"
2024-12-12T16:45:17Z INFO Number of language-specific files num=0
2024-12-12T16:45:17Z INFO Detected config files num=28

ccms-ec2-oracle_accessgate.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ccms-ec2-oracle_accessgate.tf:1-104
────────────────────────────────────────
1 ┌ resource "aws_instance" "ec2_accessgate" {
2 │ count = local.application_data.accounts[local.environment].accessgate_no_instances
3 │ instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_accessgate
4 │ ami = local.application_data.accounts[local.environment]["accessgate_ami_id-${count.index + 1}"]
5 │ key_name = local.application_data.accounts[local.environment].key_name
6 │ vpc_security_group_ids = [aws_security_group.ec2_sg_accessgate.id]
7 │ subnet_id = local.private_subnets[count.index]
8 │ #subnet_id = data.aws_subnet.data_subnets_a.id
9 └ monitoring = true
..
────────────────────────────────────────

ccms-ec2-oracle_ebs_apps-alb.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-alb.tf:1-19
────────────────────────────────────────
1 ┌ resource "aws_lb" "ebsapps_lb" {
2 │ name = lower(format("lb-%s-%s-ebsapp", local.application_name, local.environment))
3 │ internal = false
4 │ load_balancer_type = "application"
5 │ security_groups = [aws_security_group.sg_ebsapps_lb.id]
6 │ subnets = data.aws_subnets.shared-public.ids
7 │
8 │ enable_deletion_protection = true
9 └
..
────────────────────────────────────────

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-alb.tf:3
via ccms-ec2-oracle_ebs_apps-alb.tf:1-19 (aws_lb.ebsapps_lb)
────────────────────────────────────────
1 resource "aws_lb" "ebsapps_lb" {
.
3 [ internal = false
..
19 }
────────────────────────────────────────

ccms-ec2-oracle_ebs_apps-nlb.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-nlb.tf:18
via ccms-ec2-oracle_ebs_apps-nlb.tf:16-42 (aws_lb.ebsapps_nlb)
────────────────────────────────────────
16 resource "aws_lb" "ebsapps_nlb" {
..
18 [ internal = false
..
42 }
────────────────────────────────────────

ccms-ec2-oracle_ebs_apps.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps.tf:1-127
────────────────────────────────────────
1 ┌ resource "aws_instance" "ec2_ebsapps" {
2 │ count = local.application_data.accounts[local.environment].ebsapps_no_instances
3 │ instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsapps
4 │ ami = local.application_data.accounts[local.environment]["ebsapps_ami_id-${count.index + 1}"]
5 │ key_name = local.application_data.accounts[local.environment].key_name
6 │ vpc_security_group_ids = [aws_security_group.ec2_sg_ebsapps.id]
7 │ subnet_id = local.private_subnets[count.index]
8 │ #subnet_id = data.aws_subnet.data_subnets_a.id
9 └ monitoring = true
..
────────────────────────────────────────

ccms-ec2-oracle_ebs_db.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
ccms-ec2-oracle_ebs_db.tf:1-68
────────────────────────────────────────
1 ┌ resource "aws_instance" "ec2_oracle_ebs" {
2 │ instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsdb
3 │ #ami = data.aws_ami.oracle_db.id
4 │ ami = local.application_data.accounts[local.environment].ebsdb_ami_id
5 │ key_name = local.application_data.accounts[local.environment].key_name
6 │ vpc_security_group_ids = [aws_security_group.ec2_sg_ebsdb.id]
7 │ subnet_id = data.aws_subnet.data_subnets_a.id
8 │ monitoring = true
9 └ ebs_optimized = false
..
────────────────────────────────────────

ccms-ec2-oracle_webgate-alb.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 3)
Failures: 3 (HIGH: 3, CRITICAL: 0)

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
ccms-ec2-oracle_webgate-alb.tf:1-20
────────────────────────────────────────
1 ┌ resource "aws_lb" "webgate_lb" {
2 │ count = local.is-production ? 1 : 1
3 │ name = lower(format("lb-%s-%s-wgate", local.application_name, local.environment))
4 │ internal = true
5 │ load_balancer_type = "application"
6 │ security_groups = [aws_security_group.sg_webgate_lb.id]
7 │ subnets = data.aws_subnets.shared-private.ids
8 │
9 └ enable_deletion_protection = true
..
────────────────────────────────────────

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
ccms-ec2-oracle_webgate-alb.tf:62-80
────────────────────────────────────────
62 ┌ resource "aws_lb" "webgate_public_lb" {
63 │ name = lower(format("public-alb-webgate"))
64 │ internal = false
65 │ load_balancer_type = "application"
66 │ security_groups = [aws_security_group.sg_webgate_lb.id]
67 │ subnets = data.aws_subnets.shared-public.ids
68 │
69 │ enable_deletion_protection = true
70 └
..
────────────────────────────────────────

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ccms-ec2-oracle_webgate-alb.tf:64
via ccms-ec2-oracle_webgate-alb.tf:62-80 (aws_lb.webgate_public_lb)
────────────────────────────────────────
62 resource "aws_lb" "webgate_public_lb" {
..
64 [ internal = false
..
80 }
────────────────────────────────────────

ccms-ec2-oracle_webgate-nlb.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ccms-ec2-oracle_webgate-nlb.tf:18
via ccms-ec2-oracle_webgate-nlb.tf:16-42 (aws_lb.webgate_nlb)
────────────────────────────────────────
16 resource "aws_lb" "webgate_nlb" {
..
18 [ internal = false
..
42 }
────────────────────────────────────────

ccms-ec2-oracle_webgate.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ccms-ec2-oracle_webgate.tf:1-104
────────────────────────────────────────
1 ┌ resource "aws_instance" "ec2_webgate" {
2 │ count = local.application_data.accounts[local.environment].webgate_no_instances
3 │ instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_webgate
4 │ ami = local.application_data.accounts[local.environment]["webgate_ami_id-${count.index + 1}"]
5 │ key_name = local.application_data.accounts[local.environment].key_name
6 │ vpc_security_group_ids = [aws_security_group.ec2_sg_webgate.id]
7 │ subnet_id = local.private_subnets[count.index]
8 │ #subnet_id = data.aws_subnet.data_subnets_a.id
9 └ monitoring = true
..
────────────────────────────────────────

ccms-s3.tf (terraform)

Tests: 8 (SUCCESSES: 0, FAILURES: 8)
Failures: 8 (HIGH: 8, CRITICAL: 0)

AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.

See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
ccms-s3.tf:286-288
────────────────────────────────────────
286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
287 │ bucket = "${local.application_name}-${local.environment}-shared"
288 └ }
────────────────────────────────────────

AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.

See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
ccms-s3.tf:293-295
────────────────────────────────────────
293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
294 │ bucket = "${local.application_name}-${local.environment}-payment-load"
295 └ }
────────────────────────────────────────

AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
ccms-s3.tf:286-288
────────────────────────────────────────
286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
287 │ bucket = "${local.application_name}-${local.environment}-shared"
288 └ }
────────────────────────────────────────

AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
ccms-s3.tf:293-295
────────────────────────────────────────
293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
294 │ bucket = "${local.application_name}-${local.environment}-payment-load"
295 └ }
────────────────────────────────────────

AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
ccms-s3.tf:286-288
────────────────────────────────────────
286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
287 │ bucket = "${local.application_name}-${local.environment}-shared"
288 └ }
────────────────────────────────────────

AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
ccms-s3.tf:293-295
────────────────────────────────────────
293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
294 │ bucket = "${local.application_name}-${local.environment}-payment-load"
295 └ }
────────────────────────────────────────

AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
ccms-s3.tf:286-288
────────────────────────────────────────
286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
287 │ bucket = "${local.application_name}-${local.environment}-shared"
288 └ }
────────────────────────────────────────

AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
ccms-s3.tf:293-295
────────────────────────────────────────
293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
294 │ bucket = "${local.application_name}-${local.environment}-payment-load"
295 └ }
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/ccms-ebs

*****************************

Running Checkov in terraform/environments/ccms-ebs
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-12-12 16:45:20,511 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 955, Failed checks: 74, Skipped checks: 3

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.cloudwatch_datasource
	File: /ccms-cloudwatch.tf:54-106
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.groups
	File: /ccms-cloudwatch.tf:15-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		15 | resource "aws_cloudwatch_log_group" "groups" {
		16 |   for_each          = local.application_data.cw_log_groups
		17 |   name              = each.key
		18 |   retention_in_days = each.value.retention_days
		19 | 
		20 |   tags = merge(
		21 |     local.tags,
		22 |     {
		23 |       Name = each.key
		24 |     },
		25 |   )
		26 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.dlm_lifecycle
	File: /ccms-dlm.tf:24-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		24 | resource "aws_iam_role_policy" "dlm_lifecycle" {
		25 |   count = local.is-production ? 0 : 1
		26 |   name  = "dlm-lifecycle-policy"
		27 |   role  = aws_iam_role.dlm_lifecycle_role[0].id
		28 | 
		29 |   policy = <<EOF
		30 | {
		31 |    "Version": "2012-10-17",
		32 |    "Statement": [
		33 |       {
		34 |          "Effect": "Allow",
		35 |          "Action": [
		36 |             "ec2:CreateSnapshot",
		37 |             "ec2:DeleteSnapshot",
		38 |             "ec2:DescribeVolumes",
		39 |             "ec2:DescribeSnapshots"
		40 |          ],
		41 |          "Resource": "*"
		42 |       },
		43 |       {
		44 |          "Effect": "Allow",
		45 |          "Action": [
		46 |             "ec2:CreateTags"
		47 |          ],
		48 |          "Resource": "arn:aws:ec2:*::snapshot/*"
		49 |       }
		50 |    ]
		51 | }
		52 | EOF
		53 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.dlm_lifecycle
	File: /ccms-dlm.tf:24-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		24 | resource "aws_iam_role_policy" "dlm_lifecycle" {
		25 |   count = local.is-production ? 0 : 1
		26 |   name  = "dlm-lifecycle-policy"
		27 |   role  = aws_iam_role.dlm_lifecycle_role[0].id
		28 | 
		29 |   policy = <<EOF
		30 | {
		31 |    "Version": "2012-10-17",
		32 |    "Statement": [
		33 |       {
		34 |          "Effect": "Allow",
		35 |          "Action": [
		36 |             "ec2:CreateSnapshot",
		37 |             "ec2:DeleteSnapshot",
		38 |             "ec2:DescribeVolumes",
		39 |             "ec2:DescribeSnapshots"
		40 |          ],
		41 |          "Resource": "*"
		42 |       },
		43 |       {
		44 |          "Effect": "Allow",
		45 |          "Action": [
		46 |             "ec2:CreateTags"
		47 |          ],
		48 |          "Resource": "arn:aws:ec2:*::snapshot/*"
		49 |       }
		50 |    ]
		51 | }
		52 | EOF
		53 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_ftp
	File: /ccms-ec2-ftp.tf:1-67
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_mailrelay
	File: /ccms-ec2-mailrelay.tf:2-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.ec2_accessgate
	File: /ccms-ec2-oracle_accessgate.tf:1-104
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_accessgate
	File: /ccms-ec2-oracle_accessgate.tf:1-104
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.ebsapps_lb
	File: /ccms-ec2-oracle_ebs_apps-alb.tf:1-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		1  | resource "aws_lb" "ebsapps_lb" {
		2  |   name               = lower(format("lb-%s-%s-ebsapp", local.application_name, local.environment))
		3  |   internal           = false
		4  |   load_balancer_type = "application"
		5  |   security_groups    = [aws_security_group.sg_ebsapps_lb.id]
		6  |   subnets            = data.aws_subnets.shared-public.ids
		7  | 
		8  |   enable_deletion_protection = true
		9  | 
		10 |   access_logs {
		11 |     bucket  = module.s3-bucket-logging.bucket.id
		12 |     prefix  = local.lb_log_prefix_ebsapp
		13 |     enabled = true
		14 |   }
		15 | 
		16 |   tags = merge(local.tags,
		17 |     { Name = lower(format("lb-%s-%s-ebsapp", local.application_name, local.environment)) }
		18 |   )
		19 | }

Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
	FAILED for resource: aws_lb_target_group.ebsapp_tg
	File: /ccms-ec2-oracle_ebs_apps-alb.tf:39-54
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks

		39 | resource "aws_lb_target_group" "ebsapp_tg" {
		40 |   name     = lower(format("tg-%s-%s-ebsapp", local.application_name, local.environment))
		41 |   port     = local.application_data.accounts[local.environment].tg_apps_port
		42 |   protocol = "HTTP"
		43 |   vpc_id   = data.aws_vpc.shared.id
		44 |   health_check {
		45 |     port     = local.application_data.accounts[local.environment].tg_apps_port
		46 |     protocol = "HTTP"
		47 |   }
		48 | 
		49 |   stickiness {
		50 |     enabled         = true
		51 |     type            = "lb_cookie"
		52 |     cookie_duration = 3600
		53 |   }
		54 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.ebsapps_nlb
	File: /ccms-ec2-oracle_ebs_apps-nlb.tf:16-42
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		16 | resource "aws_lb" "ebsapps_nlb" {
		17 |   name               = lower(format("nlb-%s-%s-ebs", local.application_name, local.environment))
		18 |   internal           = false
		19 |   load_balancer_type = "network"
		20 | 
		21 |   enable_deletion_protection       = true
		22 |   enable_cross_zone_load_balancing = true
		23 | 
		24 |   subnet_mapping {
		25 |     subnet_id     = data.aws_subnets.shared-public.ids[0]
		26 |     allocation_id = aws_eip.ebs_eip[0].id
		27 |   }
		28 | 
		29 |   subnet_mapping {
		30 |     subnet_id     = data.aws_subnets.shared-public.ids[1]
		31 |     allocation_id = aws_eip.ebs_eip[1].id
		32 |   }
		33 | 
		34 |   subnet_mapping {
		35 |     subnet_id     = data.aws_subnets.shared-public.ids[2]
		36 |     allocation_id = aws_eip.ebs_eip[2].id
		37 |   }
		38 | 
		39 |   tags = merge(local.tags,
		40 |     { Name = lower(format("nlb-%s-%s-ebsapp", local.application_name, local.environment)) }
		41 |   )
		42 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.ec2_ebsapps
	File: /ccms-ec2-oracle_ebs_apps.tf:1-127
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_ebsapps
	File: /ccms-ec2-oracle_ebs_apps.tf:1-127
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
	FAILED for resource: aws_instance.ec2_oracle_ebs
	File: /ccms-ec2-oracle_ebs_db.tf:1-68
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-13

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_oracle_ebs
	File: /ccms-ec2-oracle_ebs_db.tf:1-68
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.webgate_lb
	File: /ccms-ec2-oracle_webgate-alb.tf:1-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		1  | resource "aws_lb" "webgate_lb" {
		2  |   count              = local.is-production ? 1 : 1
		3  |   name               = lower(format("lb-%s-%s-wgate", local.application_name, local.environment))
		4  |   internal           = true
		5  |   load_balancer_type = "application"
		6  |   security_groups    = [aws_security_group.sg_webgate_lb.id]
		7  |   subnets            = data.aws_subnets.shared-private.ids
		8  | 
		9  |   enable_deletion_protection = true
		10 | 
		11 |   access_logs {
		12 |     bucket  = module.s3-bucket-logging.bucket.id
		13 |     prefix  = local.lb_log_prefix_wgate
		14 |     enabled = true
		15 |   }
		16 | 
		17 |   tags = merge(local.tags,
		18 |     { Name = lower(format("lb-%s-%s-wgate", local.application_name, local.environment)) }
		19 |   )
		20 | }

Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
	FAILED for resource: aws_lb_target_group.webgate_tg
	File: /ccms-ec2-oracle_webgate-alb.tf:40-52
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks

		40 | resource "aws_lb_target_group" "webgate_tg" {
		41 |   count    = local.is-production ? 1 : 1
		42 |   name     = lower(format("tg-%s-%s-wgate", local.application_name, local.environment))
		43 |   port     = 5401
		44 |   protocol = "HTTP"
		45 |   vpc_id   = data.aws_vpc.shared.id
		46 |   health_check {
		47 |     port     = 5401
		48 |     protocol = "HTTP"
		49 |     matcher  = 302
		50 |     timeout  = 10
		51 |   }
		52 | }

Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.webgate_public_lb
	File: /ccms-ec2-oracle_webgate-alb.tf:62-80
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		62 | resource "aws_lb" "webgate_public_lb" {
		63 |   name               = lower(format("public-alb-webgate"))
		64 |   internal           = false
		65 |   load_balancer_type = "application"
		66 |   security_groups    = [aws_security_group.sg_webgate_lb.id]
		67 |   subnets            = data.aws_subnets.shared-public.ids
		68 | 
		69 |   enable_deletion_protection = true
		70 | 
		71 |   access_logs {
		72 |     bucket  = module.s3-bucket-logging.bucket.id
		73 |     prefix  = local.lb_log_prefix_wgate_public
		74 |     enabled = true
		75 |   }
		76 | 
		77 |   tags = merge(local.tags,
		78 |     { Name = lower(format("public-alb-webgate")) }
		79 |   )
		80 | }

Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
	FAILED for resource: aws_lb_target_group.webgate_tg_public
	File: /ccms-ec2-oracle_webgate-alb.tf:100-111
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks

		100 | resource "aws_lb_target_group" "webgate_tg_public" {
		101 |   name     = lower(format("public-alb-webgate-tg"))
		102 |   port     = 5401
		103 |   protocol = "HTTP"
		104 |   vpc_id   = data.aws_vpc.shared.id
		105 |   health_check {
		106 |     port     = 5401
		107 |     protocol = "HTTP"
		108 |     matcher  = 302
		109 |     timeout  = 10
		110 |   }
		111 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.webgate_nlb
	File: /ccms-ec2-oracle_webgate-nlb.tf:16-42
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		16 | resource "aws_lb" "webgate_nlb" {
		17 |   name               = lower(format("public-nlb-webgate"))
		18 |   internal           = false
		19 |   load_balancer_type = "network"
		20 | 
		21 |   enable_deletion_protection       = true
		22 |   enable_cross_zone_load_balancing = true
		23 | 
		24 |   subnet_mapping {
		25 |     subnet_id     = data.aws_subnets.shared-public.ids[0]
		26 |     allocation_id = aws_eip.webgate_eip[0].id
		27 |   }
		28 | 
		29 |   subnet_mapping {
		30 |     subnet_id     = data.aws_subnets.shared-public.ids[1]
		31 |     allocation_id = aws_eip.webgate_eip[1].id
		32 |   }
		33 | 
		34 |   subnet_mapping {
		35 |     subnet_id     = data.aws_subnets.shared-public.ids[2]
		36 |     allocation_id = aws_eip.webgate_eip[2].id
		37 |   }
		38 | 
		39 |   tags = merge(local.tags,
		40 |     { Name = lower(format("public-nlb-webgate")) }
		41 |   )
		42 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.ec2_webgate
	File: /ccms-ec2-oracle_webgate.tf:1-104
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_webgate
	File: /ccms-ec2-oracle_webgate.tf:1-104
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.ec2_operations_policy
	File: /ccms-iam.tf:249-273
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		249 | resource "aws_iam_policy" "ec2_operations_policy" {
		250 |   name        = "ec2_operations-${local.environment}"
		251 |   description = "Allows EC2 operations."
		252 | 
		253 |   policy = jsonencode(
		254 |     {
		255 |       "Version" : "2012-10-17",
		256 |       "Statement" : [
		257 |         {
		258 |           "Sid" : "EC2Operations",
		259 |           "Effect" : "Allow",
		260 |           "Action" : [
		261 |             "ec2:Describe*",
		262 |             "ec2:CreateSnapshot",
		263 |             "ec2:CreateSnapshots",
		264 |             "ec2:DeleteSnapshot",
		265 |             "ec2:CreateTags",
		266 |             "ec2:DeleteTags"
		267 |           ],
		268 |           "Resource" : "*"
		269 |         }
		270 |       ]
		271 |     }
		272 |   )
		273 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.ec2_operations_policy
	File: /ccms-iam.tf:249-273
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		249 | resource "aws_iam_policy" "ec2_operations_policy" {
		250 |   name        = "ec2_operations-${local.environment}"
		251 |   description = "Allows EC2 operations."
		252 | 
		253 |   policy = jsonencode(
		254 |     {
		255 |       "Version" : "2012-10-17",
		256 |       "Statement" : [
		257 |         {
		258 |           "Sid" : "EC2Operations",
		259 |           "Effect" : "Allow",
		260 |           "Action" : [
		261 |             "ec2:Describe*",
		262 |             "ec2:CreateSnapshot",
		263 |             "ec2:CreateSnapshots",
		264 |             "ec2:DeleteSnapshot",
		265 |             "ec2:CreateTags",
		266 |             "ec2:DeleteTags"
		267 |           ],
		268 |           "Resource" : "*"
		269 |         }
		270 |       ]
		271 |     }
		272 |   )
		273 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.certificate_expiration_alerts
	File: /ccms-lambda-certificate-monitor.tf:46-51
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		46 | resource "aws_sns_topic" "certificate_expiration_alerts" {
		47 |   name = "${local.application_name}-${local.environment}-acm-certificate-alerts"
		48 |   tags = merge(local.tags, {
		49 |     Name = "${local.application_name}-${local.environment}-certificate-monitor"
		50 |   })
		51 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.certificate_monitor
	File: /ccms-lambda-certificate-monitor.tf:59-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		59 | resource "aws_lambda_function" "certificate_monitor" {
		60 |   filename      = "./lambda/certificate_monitor.zip"
		61 |   function_name = "${local.application_name}-${local.environment}-certificate-monitor"
		62 |   role          = aws_iam_role.lambda_certificate_monitor_role.arn
		63 |   handler       = "lambda_function.lambda_handler"
		64 |   runtime       = "python3.13"
		65 |   timeout       = 30
		66 | 
		67 |   environment {
		68 |     variables = {
		69 |       EXPIRY_DAYS   = local.application_data.accounts[local.environment].certificate_expiry_days
		70 |       SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
		71 |     }
		72 |   }
		73 |   tags = merge(local.tags, {
		74 |     Name = "${local.application_name}-${local.environment}-certificate-monitor"
		75 |   })
		76 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.certificate_monitor
	File: /ccms-lambda-certificate-monitor.tf:59-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		59 | resource "aws_lambda_function" "certificate_monitor" {
		60 |   filename      = "./lambda/certificate_monitor.zip"
		61 |   function_name = "${local.application_name}-${local.environment}-certificate-monitor"
		62 |   role          = aws_iam_role.lambda_certificate_monitor_role.arn
		63 |   handler       = "lambda_function.lambda_handler"
		64 |   runtime       = "python3.13"
		65 |   timeout       = 30
		66 | 
		67 |   environment {
		68 |     variables = {
		69 |       EXPIRY_DAYS   = local.application_data.accounts[local.environment].certificate_expiry_days
		70 |       SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
		71 |     }
		72 |   }
		73 |   tags = merge(local.tags, {
		74 |     Name = "${local.application_name}-${local.environment}-certificate-monitor"
		75 |   })
		76 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.certificate_monitor
	File: /ccms-lambda-certificate-monitor.tf:59-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		59 | resource "aws_lambda_function" "certificate_monitor" {
		60 |   filename      = "./lambda/certificate_monitor.zip"
		61 |   function_name = "${local.application_name}-${local.environment}-certificate-monitor"
		62 |   role          = aws_iam_role.lambda_certificate_monitor_role.arn
		63 |   handler       = "lambda_function.lambda_handler"
		64 |   runtime       = "python3.13"
		65 |   timeout       = 30
		66 | 
		67 |   environment {
		68 |     variables = {
		69 |       EXPIRY_DAYS   = local.application_data.accounts[local.environment].certificate_expiry_days
		70 |       SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
		71 |     }
		72 |   }
		73 |   tags = merge(local.tags, {
		74 |     Name = "${local.application_name}-${local.environment}-certificate-monitor"
		75 |   })
		76 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.certificate_monitor
	File: /ccms-lambda-certificate-monitor.tf:59-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		59 | resource "aws_lambda_function" "certificate_monitor" {
		60 |   filename      = "./lambda/certificate_monitor.zip"
		61 |   function_name = "${local.application_name}-${local.environment}-certificate-monitor"
		62 |   role          = aws_iam_role.lambda_certificate_monitor_role.arn
		63 |   handler       = "lambda_function.lambda_handler"
		64 |   runtime       = "python3.13"
		65 |   timeout       = 30
		66 | 
		67 |   environment {
		68 |     variables = {
		69 |       EXPIRY_DAYS   = local.application_data.accounts[local.environment].certificate_expiry_days
		70 |       SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
		71 |     }
		72 |   }
		73 |   tags = merge(local.tags, {
		74 |     Name = "${local.application_name}-${local.environment}-certificate-monitor"
		75 |   })
		76 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.certificate_monitor
	File: /ccms-lambda-certificate-monitor.tf:59-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		59 | resource "aws_lambda_function" "certificate_monitor" {
		60 |   filename      = "./lambda/certificate_monitor.zip"
		61 |   function_name = "${local.application_name}-${local.environment}-certificate-monitor"
		62 |   role          = aws_iam_role.lambda_certificate_monitor_role.arn
		63 |   handler       = "lambda_function.lambda_handler"
		64 |   runtime       = "python3.13"
		65 |   timeout       = 30
		66 | 
		67 |   environment {
		68 |     variables = {
		69 |       EXPIRY_DAYS   = local.application_data.accounts[local.environment].certificate_expiry_days
		70 |       SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
		71 |     }
		72 |   }
		73 |   tags = merge(local.tags, {
		74 |     Name = "${local.application_name}-${local.environment}-certificate-monitor"
		75 |   })
		76 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.certificate_monitor
	File: /ccms-lambda-certificate-monitor.tf:59-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		59 | resource "aws_lambda_function" "certificate_monitor" {
		60 |   filename      = "./lambda/certificate_monitor.zip"
		61 |   function_name = "${local.application_name}-${local.environment}-certificate-monitor"
		62 |   role          = aws_iam_role.lambda_certificate_monitor_role.arn
		63 |   handler       = "lambda_function.lambda_handler"
		64 |   runtime       = "python3.13"
		65 |   timeout       = 30
		66 | 
		67 |   environment {
		68 |     variables = {
		69 |       EXPIRY_DAYS   = local.application_data.accounts[local.environment].certificate_expiry_days
		70 |       SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
		71 |     }
		72 |   }
		73 |   tags = merge(local.tags, {
		74 |     Name = "${local.application_name}-${local.environment}-certificate-monitor"
		75 |   })
		76 | }

Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
	FAILED for resource: aws_security_group.lambda_security_group
	File: /ccms-lambda.tf:22-44

		22 | resource "aws_security_group" "lambda_security_group" {
		23 |   name        = "${local.application_name}-${local.environment}-lambda-sg"
		24 |   description = "SG traffic control for Payment Load Lambda"
		25 |   vpc_id      = data.aws_vpc.shared.id
		26 | 
		27 |   ingress {
		28 |     from_port   = 1521
		29 |     to_port     = 1522
		30 |     protocol    = "tcp"
		31 |     cidr_blocks = [data.aws_vpc.shared.cidr_block]
		32 |   }
		33 | 
		34 |   egress {
		35 |     from_port   = 0
		36 |     to_port     = 0
		37 |     protocol    = "-1"
		38 |     cidr_blocks = ["0.0.0.0/0"]
		39 |   }
		40 | 
		41 |   tags = merge(local.tags,
		42 |     { Name = "${local.application_name}-${local.environment}-lambda-sg" }
		43 |   )
		44 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.lambda_security_group
	File: /ccms-lambda.tf:22-44
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		22 | resource "aws_security_group" "lambda_security_group" {
		23 |   name        = "${local.application_name}-${local.environment}-lambda-sg"
		24 |   description = "SG traffic control for Payment Load Lambda"
		25 |   vpc_id      = data.aws_vpc.shared.id
		26 | 
		27 |   ingress {
		28 |     from_port   = 1521
		29 |     to_port     = 1522
		30 |     protocol    = "tcp"
		31 |     cidr_blocks = [data.aws_vpc.shared.cidr_block]
		32 |   }
		33 | 
		34 |   egress {
		35 |     from_port   = 0
		36 |     to_port     = 0
		37 |     protocol    = "-1"
		38 |     cidr_blocks = ["0.0.0.0/0"]
		39 |   }
		40 | 
		41 |   tags = merge(local.tags,
		42 |     { Name = "${local.application_name}-${local.environment}-lambda-sg" }
		43 |   )
		44 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.lambda_function
	File: /ccms-lambda.tf:48-82
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		48 | resource "aws_lambda_function" "lambda_function" {
		49 |   function_name = "${local.application_name}-${local.environment}-payment-load"
		50 |   filename      = "lambda/functionV2.zip"
		51 |   handler       = "lambda_function.lambda_handler"
		52 |   runtime       = "python3.10"
		53 |   role          = aws_iam_role.lambda_execution_role.arn
		54 |   layers        = [aws_lambda_layer_version.lambda_layer.arn]
		55 |   architectures = ["x86_64"]
		56 |   memory_size   = 128
		57 |   timeout       = 120
		58 | 
		59 |   vpc_config {
		60 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		61 |     security_group_ids = [aws_security_group.lambda_security_group.id]
		62 |   }
		63 |   environment {
		64 |     variables = {
		65 |       IS_PRODUCTION   = local.is-production ? "true" : "false"
		66 |       LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
		67 |       S3_BUCKET_NAME  = aws_s3_bucket.lambda_payment_load.bucket
		68 |       SECRET_NAME     = aws_secretsmanager_secret.secret_lambda_s3.name
		69 |     }
		70 |   }
		71 |   logging_config {
		72 |     log_format            = "JSON"
		73 |     application_log_level = "INFO"
		74 |     system_log_level      = "INFO"
		75 |   }
		76 | 
		77 |   tags = merge(local.tags, {
		78 |     Name = "${local.application_name}-${local.environment}-payment-load"
		79 |   })
		80 | 
		81 |   depends_on = [aws_lambda_layer_version.lambda_layer]
		82 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.lambda_function
	File: /ccms-lambda.tf:48-82
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		48 | resource "aws_lambda_function" "lambda_function" {
		49 |   function_name = "${local.application_name}-${local.environment}-payment-load"
		50 |   filename      = "lambda/functionV2.zip"
		51 |   handler       = "lambda_function.lambda_handler"
		52 |   runtime       = "python3.10"
		53 |   role          = aws_iam_role.lambda_execution_role.arn
		54 |   layers        = [aws_lambda_layer_version.lambda_layer.arn]
		55 |   architectures = ["x86_64"]
		56 |   memory_size   = 128
		57 |   timeout       = 120
		58 | 
		59 |   vpc_config {
		60 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		61 |     security_group_ids = [aws_security_group.lambda_security_group.id]
		62 |   }
		63 |   environment {
		64 |     variables = {
		65 |       IS_PRODUCTION   = local.is-production ? "true" : "false"
		66 |       LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
		67 |       S3_BUCKET_NAME  = aws_s3_bucket.lambda_payment_load.bucket
		68 |       SECRET_NAME     = aws_secretsmanager_secret.secret_lambda_s3.name
		69 |     }
		70 |   }
		71 |   logging_config {
		72 |     log_format            = "JSON"
		73 |     application_log_level = "INFO"
		74 |     system_log_level      = "INFO"
		75 |   }
		76 | 
		77 |   tags = merge(local.tags, {
		78 |     Name = "${local.application_name}-${local.environment}-payment-load"
		79 |   })
		80 | 
		81 |   depends_on = [aws_lambda_layer_version.lambda_layer]
		82 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.lambda_function
	File: /ccms-lambda.tf:48-82
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		48 | resource "aws_lambda_function" "lambda_function" {
		49 |   function_name = "${local.application_name}-${local.environment}-payment-load"
		50 |   filename      = "lambda/functionV2.zip"
		51 |   handler       = "lambda_function.lambda_handler"
		52 |   runtime       = "python3.10"
		53 |   role          = aws_iam_role.lambda_execution_role.arn
		54 |   layers        = [aws_lambda_layer_version.lambda_layer.arn]
		55 |   architectures = ["x86_64"]
		56 |   memory_size   = 128
		57 |   timeout       = 120
		58 | 
		59 |   vpc_config {
		60 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		61 |     security_group_ids = [aws_security_group.lambda_security_group.id]
		62 |   }
		63 |   environment {
		64 |     variables = {
		65 |       IS_PRODUCTION   = local.is-production ? "true" : "false"
		66 |       LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
		67 |       S3_BUCKET_NAME  = aws_s3_bucket.lambda_payment_load.bucket
		68 |       SECRET_NAME     = aws_secretsmanager_secret.secret_lambda_s3.name
		69 |     }
		70 |   }
		71 |   logging_config {
		72 |     log_format            = "JSON"
		73 |     application_log_level = "INFO"
		74 |     system_log_level      = "INFO"
		75 |   }
		76 | 
		77 |   tags = merge(local.tags, {
		78 |     Name = "${local.application_name}-${local.environment}-payment-load"
		79 |   })
		80 | 
		81 |   depends_on = [aws_lambda_layer_version.lambda_layer]
		82 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.lambda_function
	File: /ccms-lambda.tf:48-82
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		48 | resource "aws_lambda_function" "lambda_function" {
		49 |   function_name = "${local.application_name}-${local.environment}-payment-load"
		50 |   filename      = "lambda/functionV2.zip"
		51 |   handler       = "lambda_function.lambda_handler"
		52 |   runtime       = "python3.10"
		53 |   role          = aws_iam_role.lambda_execution_role.arn
		54 |   layers        = [aws_lambda_layer_version.lambda_layer.arn]
		55 |   architectures = ["x86_64"]
		56 |   memory_size   = 128
		57 |   timeout       = 120
		58 | 
		59 |   vpc_config {
		60 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		61 |     security_group_ids = [aws_security_group.lambda_security_group.id]
		62 |   }
		63 |   environment {
		64 |     variables = {
		65 |       IS_PRODUCTION   = local.is-production ? "true" : "false"
		66 |       LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
		67 |       S3_BUCKET_NAME  = aws_s3_bucket.lambda_payment_load.bucket
		68 |       SECRET_NAME     = aws_secretsmanager_secret.secret_lambda_s3.name
		69 |     }
		70 |   }
		71 |   logging_config {
		72 |     log_format            = "JSON"
		73 |     application_log_level = "INFO"
		74 |     system_log_level      = "INFO"
		75 |   }
		76 | 
		77 |   tags = merge(local.tags, {
		78 |     Name = "${local.application_name}-${local.environment}-payment-load"
		79 |   })
		80 | 
		81 |   depends_on = [aws_lambda_layer_version.lambda_layer]
		82 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.lambda_function
	File: /ccms-lambda.tf:48-82
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		48 | resource "aws_lambda_function" "lambda_function" {
		49 |   function_name = "${local.application_name}-${local.environment}-payment-load"
		50 |   filename      = "lambda/functionV2.zip"
		51 |   handler       = "lambda_function.lambda_handler"
		52 |   runtime       = "python3.10"
		53 |   role          = aws_iam_role.lambda_execution_role.arn
		54 |   layers        = [aws_lambda_layer_version.lambda_layer.arn]
		55 |   architectures = ["x86_64"]
		56 |   memory_size   = 128
		57 |   timeout       = 120
		58 | 
		59 |   vpc_config {
		60 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		61 |     security_group_ids = [aws_security_group.lambda_security_group.id]
		62 |   }
		63 |   environment {
		64 |     variables = {
		65 |       IS_PRODUCTION   = local.is-production ? "true" : "false"
		66 |       LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
		67 |       S3_BUCKET_NAME  = aws_s3_bucket.lambda_payment_load.bucket
		68 |       SECRET_NAME     = aws_secretsmanager_secret.secret_lambda_s3.name
		69 |     }
		70 |   }
		71 |   logging_config {
		72 |     log_format            = "JSON"
		73 |     application_log_level = "INFO"
		74 |     system_log_level      = "INFO"
		75 |   }
		76 | 
		77 |   tags = merge(local.tags, {
		78 |     Name = "${local.application_name}-${local.environment}-payment-load"
		79 |   })
		80 | 
		81 |   depends_on = [aws_lambda_layer_version.lambda_layer]
		82 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3-bucket
	File: /ccms-s3.tf:2-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3-bucket-logging
	File: /ccms-s3.tf:98-166
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3-bucket-dbbackup
	File: /ccms-s3.tf:190-258
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.secret_ftp_s3
	File: /ccms-secrets.tf:3-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		3  | resource "aws_secretsmanager_secret" "secret_ftp_s3" {
		4  |   name        = "ftp-s3-${local.environment}-aws-key"
		5  |   description = "AWS credentials for mounting of s3 buckets for the FTP Service to access"
		6  | 
		7  |   tags = merge(local.tags,
		8  |     { Name = "ftp-s3-${local.environment}-aws-key" }
		9  |   )
		10 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.secret_ses_smtp_credentials
	File: /ccms-secrets.tf:12-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		12 | resource "aws_secretsmanager_secret" "secret_ses_smtp_credentials" {
		13 |   name        = "ses-smtp-credentials"
		14 |   description = "SMTP credentials for Postfix to send messages through SES."
		15 | 
		16 |   tags = merge(local.tags,
		17 |     { Name = "ses-smtp-credentials-${local.environment}" }
		18 |   )
		19 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.secret_lambda_s3
	File: /ccms-secrets.tf:23-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		23 | resource "aws_secretsmanager_secret" "secret_lambda_s3" {
		24 |   name        = "db-${local.environment}-credentials"
		25 |   description = "AWS credentials for lambda to connect to the db"
		26 | 
		27 |   tags = merge(local.tags,
		28 |     { Name = "db-${local.environment}-credentials" }
		29 |   )
		30 | }
Check: CKV_AWS_365: "Ensure SES Configuration Set enforces TLS usage"
	FAILED for resource: aws_ses_configuration_set.default_configuration_set
	File: /ccms-ses.tf:35-43
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-365

		35 | resource "aws_ses_configuration_set" "default_configuration_set" {
		36 |   name = "default-configuration-set"
		37 | 
		38 |   delivery_options {
		39 |     tls_policy = "Optional"
		40 |   }
		41 |   reputation_metrics_enabled = true
		42 |   sending_enabled            = true
		43 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.support_email_account
	File: /ccms-sns.tf:2-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		2 | resource "aws_secretsmanager_secret" "support_email_account" {
		3 |   name        = "support_email_account"
		4 |   description = "email address of the support account for cw alerts"
		5 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.cw_alerts
	File: /ccms-sns.tf:17-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		17 | resource "aws_sns_topic" "cw_alerts" {
		18 |   name = "ccms-ebs-ec2-alerts"
		19 |   #kms_master_key_id = "alias/aws/sns"
		20 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.s3_topic
	File: /ccms-sns.tf:34-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		34 | resource "aws_sns_topic" "s3_topic" {
		35 |   name   = "s3-event-notification-topic"
		36 |   policy = data.aws_iam_policy_document.s3_topic_policy.json
		37 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.ddos_alarm
	File: /ccms-sns.tf:51-54
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		51 | resource "aws_sns_topic" "ddos_alarm" {
		52 |   name = format("%s_ddos_alarm", local.application_name)
		53 |   #kms_master_key_id = "alias/aws/sns"
		54 | }

Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
	FAILED for resource: aws_wafv2_web_acl.ebs_web_acl
	File: /ccms-waf.tf:172-211
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-waf-prevents-message-lookup-in-log4j2

		172 | resource "aws_wafv2_web_acl" "ebs_web_acl" {
		173 |   name        = "ebs_waf"
		174 |   scope       = "REGIONAL"
		175 |   description = "AWS WAF Web ACL for EBS"
		176 | 
		177 |   default_action {
		178 |     block {}
		179 |   }
		180 | 
		181 |   rule {
		182 |     name = "ebs-trusted-rule"
		183 | 
		184 |     priority = 1
		185 |     action {
		186 |       allow {}
		187 |     }
		188 | 
		189 |     statement {
		190 |       ip_set_reference_statement {
		191 |         arn = aws_wafv2_ip_set.ebs_waf_ip_set.arn
		192 |       }
		193 |     }
		194 | 
		195 |     visibility_config {
		196 |       cloudwatch_metrics_enabled = true
		197 |       metric_name                = "ebs_waf_metrics"
		198 |       sampled_requests_enabled   = true
		199 |     }
		200 |   }
		201 | 
		202 |   tags = merge(local.tags,
		203 |     { Name = lower(format("lb-%s-%s-ebsapp-web-acl", local.application_name, local.environment)) }
		204 |   )
		205 | 
		206 |   visibility_config {
		207 |     cloudwatch_metrics_enabled = true
		208 |     metric_name                = "ebs_waf_metrics"
		209 |     sampled_requests_enabled   = true
		210 |   }
		211 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.ebs_waf_logs
	File: /ccms-waf.tf:213-220
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		213 | resource "aws_cloudwatch_log_group" "ebs_waf_logs" {
		214 |   name              = "aws-waf-logs-ebs/ebs-waf-logs"
		215 |   retention_in_days = 30
		216 | 
		217 |   tags = merge(local.tags,
		218 |     { Name = lower(format("lb-%s-%s-ebs-waf-logs", local.application_name, local.environment)) }
		219 |   )
		220 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.ebs_waf_logs
	File: /ccms-waf.tf:213-220
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		213 | resource "aws_cloudwatch_log_group" "ebs_waf_logs" {
		214 |   name              = "aws-waf-logs-ebs/ebs-waf-logs"
		215 |   retention_in_days = 30
		216 | 
		217 |   tags = merge(local.tags,
		218 |     { Name = lower(format("lb-%s-%s-ebs-waf-logs", local.application_name, local.environment)) }
		219 |   )
		220 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.lambda_payment_load
	File: /ccms-s3.tf:293-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		293 | resource "aws_s3_bucket" "lambda_payment_load" {
		294 |   bucket = "${local.application_name}-${local.environment}-payment-load"
		295 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: aws_ssm_parameter.cw_agent_config
	File: /ccms-cloudwatch.tf:28-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted

		28 | resource "aws_ssm_parameter" "cw_agent_config" {
		29 |   description = "cloud watch agent config"
		30 |   name        = "cloud-watch-config"
		31 |   type        = "String"
		32 |   value       = file("./templates/cw_agent_config.json")
		33 | 
		34 |   tags = merge(local.tags,
		35 |     { Name = "cw-config" }
		36 |   )
		37 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.lambda_payment_load
	File: /ccms-s3.tf:293-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		293 | resource "aws_s3_bucket" "lambda_payment_load" {
		294 |   bucket = "${local.application_name}-${local.environment}-payment-load"
		295 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.lambda_payment_load
	File: /ccms-s3.tf:293-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		293 | resource "aws_s3_bucket" "lambda_payment_load" {
		294 |   bucket = "${local.application_name}-${local.environment}-payment-load"
		295 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.lambda_payment_load
	File: /ccms-s3.tf:293-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		293 | resource "aws_s3_bucket" "lambda_payment_load" {
		294 |   bucket = "${local.application_name}-${local.environment}-payment-load"
		295 | }
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.secret_ftp_s3
	File: /ccms-secrets.tf:3-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		3  | resource "aws_secretsmanager_secret" "secret_ftp_s3" {
		4  |   name        = "ftp-s3-${local.environment}-aws-key"
		5  |   description = "AWS credentials for mounting of s3 buckets for the FTP Service to access"
		6  | 
		7  |   tags = merge(local.tags,
		8  |     { Name = "ftp-s3-${local.environment}-aws-key" }
		9  |   )
		10 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.secret_ses_smtp_credentials
	File: /ccms-secrets.tf:12-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		12 | resource "aws_secretsmanager_secret" "secret_ses_smtp_credentials" {
		13 |   name        = "ses-smtp-credentials"
		14 |   description = "SMTP credentials for Postfix to send messages through SES."
		15 | 
		16 |   tags = merge(local.tags,
		17 |     { Name = "ses-smtp-credentials-${local.environment}" }
		18 |   )
		19 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.secret_lambda_s3
	File: /ccms-secrets.tf:23-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		23 | resource "aws_secretsmanager_secret" "secret_lambda_s3" {
		24 |   name        = "db-${local.environment}-credentials"
		25 |   description = "AWS credentials for lambda to connect to the db"
		26 | 
		27 |   tags = merge(local.tags,
		28 |     { Name = "db-${local.environment}-credentials" }
		29 |   )
		30 | }
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.support_email_account
	File: /ccms-sns.tf:2-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		2 | resource "aws_secretsmanager_secret" "support_email_account" {
		3 |   name        = "support_email_account"
		4 |   description = "email address of the support account for cw alerts"
		5 | }

Check: CKV2_AWS_64: "Ensure KMS key Policy is defined"
	FAILED for resource: aws_kms_key.oracle_ec2
	File: /ccms-kms.tf:1-7
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-2-64

		1 | resource "aws_kms_key" "oracle_ec2" {
		2 |   enable_key_rotation = true
		3 | 
		4 |   tags = merge(local.tags,
		5 |     { Name = "oracle_ec2" }
		6 |   )
		7 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.lambda_payment_load
	File: /ccms-s3.tf:293-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		293 | resource "aws_s3_bucket" "lambda_payment_load" {
		294 |   bucket = "${local.application_name}-${local.environment}-payment-load"
		295 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.lambda_payment_load
	File: /ccms-s3.tf:293-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		293 | resource "aws_s3_bucket" "lambda_payment_load" {
		294 |   bucket = "${local.application_name}-${local.environment}-payment-load"
		295 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.lambda_payment_load
	File: /ccms-s3.tf:293-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		293 | resource "aws_s3_bucket" "lambda_payment_load" {
		294 |   bucket = "${local.application_name}-${local.environment}-payment-load"
		295 | }
Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances"
	FAILED for resource: aws_eip.ebs_eip
	File: /ccms-ec2-oracle_ebs_apps-nlb.tf:2-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances

		2  | resource "aws_eip" "ebs_eip" {
		3  |   count = local.is-production ? 6 : 3
		4  |   vpc   = true
		5  | 
		6  |   lifecycle {
		7  |     prevent_destroy = true
		8  |   }
		9  | 
		10 |   tags = merge(local.tags,
		11 |     { Name = lower(format("lb-%s-%s-eip-${count.index + 1}", local.application_name, local.environment)) }
		12 |   )
		13 | }

Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances"
	FAILED for resource: aws_eip.webgate_eip
	File: /ccms-ec2-oracle_webgate-nlb.tf:2-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances

		2  | resource "aws_eip" "webgate_eip" {
		3  |   count = local.is-production ? 6 : 3
		4  |   vpc   = true
		5  | 
		6  |   lifecycle {
		7  |     prevent_destroy = true
		8  |   }
		9  | 
		10 |   tags = merge(local.tags,
		11 |     { Name = lower(format("lb-%s-%s-webgate-eip-${count.index + 1}", local.application_name, local.environment)) }
		12 |   )
		13 | }


checkov_exitcode=1

CTFLint Scan Failed

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/ccms-ebs

*****************************

Running tflint in terraform/environments/ccms-ebs
Excluding the following checks: terraform_unused_declarations
5 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/ccms-ebs/ccms-ec2-ftp.tf line 23:
  23:     environment               = "${local.environment}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/ccms-ebs/ccms-ec2-ftp.tf line 24:
  24:     lz_aws_account_id_env     = "${local.application_data.accounts[local.environment].lz_aws_account_id_env}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/ccms-ebs/ccms-ec2-ftp.tf line 25:
  25:     lz_ftp_bucket_environment = "${local.application_data.accounts[local.environment].lz_ftp_bucket_environment}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/ccms-ebs/ccms-ec2-mailrelay.tf line 28:
  28:     smtp_fqdn = "${local.application_data.accounts[local.environment].ses_domain_identity}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/ccms-ebs/ccms-ec2-oracle_ebs_db.tf line 31:
  31:     environment = "${local.environment}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/ccms-ebs

*****************************

Running Trivy in terraform/environments/ccms-ebs
2024-12-12T16:45:08Z	INFO	[vulndb] Need to update DB
2024-12-12T16:45:08Z	INFO	[vulndb] Downloading vulnerability DB...
2024-12-12T16:45:08Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-12T16:45:10Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-12T16:45:10Z	INFO	[vuln] Vulnerability scanning is enabled
2024-12-12T16:45:10Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-12-12T16:45:10Z	INFO	[misconfig] Need to update the built-in checks
2024-12-12T16:45:10Z	INFO	[misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2024-12-12T16:45:11Z	INFO	[secret] Secret scanning is enabled
2024-12-12T16:45:11Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-12T16:45:11Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-12T16:45:12Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-12-12T16:45:12Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-12-12T16:45:12Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_log_group.groups" value="cty.NilVal"
2024-12-12T16:45:12Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_security_group_rule.all_internal_egress_traffic" value="cty.NilVal"
2024-12-12T16:45:12Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_security_group_rule.all_internal_ingress_traffic" value="cty.NilVal"
2024-12-12T16:45:13Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T16:45:13Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T16:45:13Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.s3-bucket-dbbackup.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T16:45:13Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.s3-bucket-dbbackup.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T16:45:13Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.s3-bucket-logging.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T16:45:13Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.s3-bucket-logging.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T16:45:13Z	INFO	[terraform scanner] Scanning root module	file_path="modules"
2024-12-12T16:45:13Z	INFO	[terraform scanner] Scanning root module	file_path="modules/cw-logs"
2024-12-12T16:45:16Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-12-12T16:45:16Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-user-attached-policies" range="ccms-iam.tf:283-289"
2024-12-12T16:45:17Z	INFO	Number of language-specific files	num=0
2024-12-12T16:45:17Z	INFO	Detected config files	num=28

ccms-ec2-oracle_accessgate.tf (terraform)
=========================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 ccms-ec2-oracle_accessgate.tf:1-104
────────────────────────────────────────
   1resource "aws_instance" "ec2_accessgate" {
   2count                  = local.application_data.accounts[local.environment].accessgate_no_instances
   3instance_type          = local.application_data.accounts[local.environment].ec2_oracle_instance_type_accessgate
   4ami                    = local.application_data.accounts[local.environment]["accessgate_ami_id-${count.index + 1}"]
   5key_name               = local.application_data.accounts[local.environment].key_name
   6vpc_security_group_ids = [aws_security_group.ec2_sg_accessgate.id]
   7subnet_id              = local.private_subnets[count.index]
   8#subnet_id                   = data.aws_subnet.data_subnets_a.id
   9monitoring                  = true
  ..   
────────────────────────────────────────



ccms-ec2-oracle_ebs_apps-alb.tf (terraform)
===========================================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.


See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 ccms-ec2-oracle_ebs_apps-alb.tf:1-19
────────────────────────────────────────
   1resource "aws_lb" "ebsapps_lb" {
   2name               = lower(format("lb-%s-%s-ebsapp", local.application_name, local.environment))
   3internal           = false
   4load_balancer_type = "application"
   5security_groups    = [aws_security_group.sg_ebsapps_lb.id]
   6subnets            = data.aws_subnets.shared-public.ids
   78enable_deletion_protection = true
   9..   
────────────────────────────────────────


AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 ccms-ec2-oracle_ebs_apps-alb.tf:3
   via ccms-ec2-oracle_ebs_apps-alb.tf:1-19 (aws_lb.ebsapps_lb)
────────────────────────────────────────
   1   resource "aws_lb" "ebsapps_lb" {
   .   
   3 [   internal           = false
  ..   
  19   }
────────────────────────────────────────



ccms-ec2-oracle_ebs_apps-nlb.tf (terraform)
===========================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 ccms-ec2-oracle_ebs_apps-nlb.tf:18
   via ccms-ec2-oracle_ebs_apps-nlb.tf:16-42 (aws_lb.ebsapps_nlb)
────────────────────────────────────────
  16   resource "aws_lb" "ebsapps_nlb" {
  ..   
  18 [   internal           = false
  ..   
  42   }
────────────────────────────────────────



ccms-ec2-oracle_ebs_apps.tf (terraform)
=======================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 ccms-ec2-oracle_ebs_apps.tf:1-127
────────────────────────────────────────
   1resource "aws_instance" "ec2_ebsapps" {
   2 │   count                  = local.application_data.accounts[local.environment].ebsapps_no_instances
   3 │   instance_type          = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsapps
   4 │   ami                    = local.application_data.accounts[local.environment]["ebsapps_ami_id-${count.index + 1}"]
   5 │   key_name               = local.application_data.accounts[local.environment].key_name
   6 │   vpc_security_group_ids = [aws_security_group.ec2_sg_ebsapps.id]
   7 │   subnet_id              = local.private_subnets[count.index]
   8#subnet_id                   = data.aws_subnet.data_subnets_a.id
   9 └   monitoring                  = true
  ..   
────────────────────────────────────────



ccms-ec2-oracle_ebs_db.tf (terraform)
=====================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 ccms-ec2-oracle_ebs_db.tf:1-68
────────────────────────────────────────
   1 ┌ resource "aws_instance" "ec2_oracle_ebs" {
   2 │   instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsdb
   3#ami                         = data.aws_ami.oracle_db.id
   4 │   ami                         = local.application_data.accounts[local.environment].ebsdb_ami_id
   5 │   key_name                    = local.application_data.accounts[local.environment].key_name
   6 │   vpc_security_group_ids      = [aws_security_group.ec2_sg_ebsdb.id]
   7 │   subnet_id                   = data.aws_subnet.data_subnets_a.id
   8 │   monitoring                  = true
   9 └   ebs_optimized               = false
  ..   
────────────────────────────────────────



ccms-ec2-oracle_webgate-alb.tf (terraform)
==========================================
Tests: 3 (SUCCESSES: 0, FAILURES: 3)
Failures: 3 (HIGH: 3, CRITICAL: 0)

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.


See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 ccms-ec2-oracle_webgate-alb.tf:1-20
────────────────────────────────────────
   1 ┌ resource "aws_lb" "webgate_lb" {
   2 │   count              = local.is-production ? 1 : 1
   3 │   name               = lower(format("lb-%s-%s-wgate", local.application_name, local.environment))
   4 │   internal           = true
   5 │   load_balancer_type = "application"
   6 │   security_groups    = [aws_security_group.sg_webgate_lb.id]
   7 │   subnets            = data.aws_subnets.shared-private.ids
   89 └   enable_deletion_protection = true
  ..   
────────────────────────────────────────


AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.


See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 ccms-ec2-oracle_webgate-alb.tf:62-80
────────────────────────────────────────
  62 ┌ resource "aws_lb" "webgate_public_lb" {
  63 │   name               = lower(format("public-alb-webgate"))
  64 │   internal           = false
  65 │   load_balancer_type = "application"
  66 │   security_groups    = [aws_security_group.sg_webgate_lb.id]
  67 │   subnets            = data.aws_subnets.shared-public.ids
  6869 │   enable_deletion_protection = true
  70 └ 
  ..   
────────────────────────────────────────


AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 ccms-ec2-oracle_webgate-alb.tf:64
   via ccms-ec2-oracle_webgate-alb.tf:62-80 (aws_lb.webgate_public_lb)
────────────────────────────────────────
  62   resource "aws_lb" "webgate_public_lb" {
  ..   
  64 [   internal           = false
  ..   
  80   }
────────────────────────────────────────



ccms-ec2-oracle_webgate-nlb.tf (terraform)
==========================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 ccms-ec2-oracle_webgate-nlb.tf:18
   via ccms-ec2-oracle_webgate-nlb.tf:16-42 (aws_lb.webgate_nlb)
────────────────────────────────────────
  16   resource "aws_lb" "webgate_nlb" {
  ..   
  18 [   internal           = false
  ..   
  42   }
────────────────────────────────────────



ccms-ec2-oracle_webgate.tf (terraform)
======================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 ccms-ec2-oracle_webgate.tf:1-104
────────────────────────────────────────
   1 ┌ resource "aws_instance" "ec2_webgate" {
   2 │   count                  = local.application_data.accounts[local.environment].webgate_no_instances
   3 │   instance_type          = local.application_data.accounts[local.environment].ec2_oracle_instance_type_webgate
   4 │   ami                    = local.application_data.accounts[local.environment]["webgate_ami_id-${count.index + 1}"]
   5 │   key_name               = local.application_data.accounts[local.environment].key_name
   6 │   vpc_security_group_ids = [aws_security_group.ec2_sg_webgate.id]
   7 │   subnet_id              = local.private_subnets[count.index]
   8#subnet_id                   = data.aws_subnet.data_subnets_a.id
   9 └   monitoring                  = true
  ..   
────────────────────────────────────────



ccms-s3.tf (terraform)
======================
Tests: 8 (SUCCESSES: 0, FAILURES: 8)
Failures: 8 (HIGH: 8, CRITICAL: 0)

AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 ccms-s3.tf:286-288
────────────────────────────────────────
 286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
 287 │   bucket = "${local.application_name}-${local.environment}-shared"
 288 └ }
────────────────────────────────────────


AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 ccms-s3.tf:293-295
────────────────────────────────────────
 293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
 294 │   bucket = "${local.application_name}-${local.environment}-payment-load"
 295 └ }
────────────────────────────────────────


AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 ccms-s3.tf:286-288
────────────────────────────────────────
 286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
 287 │   bucket = "${local.application_name}-${local.environment}-shared"
 288 └ }
────────────────────────────────────────


AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 ccms-s3.tf:293-295
────────────────────────────────────────
 293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
 294 │   bucket = "${local.application_name}-${local.environment}-payment-load"
 295 └ }
────────────────────────────────────────


AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 ccms-s3.tf:286-288
────────────────────────────────────────
 286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
 287 │   bucket = "${local.application_name}-${local.environment}-shared"
 288 └ }
────────────────────────────────────────


AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 ccms-s3.tf:293-295
────────────────────────────────────────
 293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
 294 │   bucket = "${local.application_name}-${local.environment}-payment-load"
 295 └ }
────────────────────────────────────────


AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.


See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 ccms-s3.tf:286-288
────────────────────────────────────────
 286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
 287 │   bucket = "${local.application_name}-${local.environment}-shared"
 288 └ }
────────────────────────────────────────


AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.


See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 ccms-s3.tf:293-295
────────────────────────────────────────
 293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
 294 │   bucket = "${local.application_name}-${local.environment}-payment-load"
 295 └ }
────────────────────────────────────────


trivy_exitcode=1

@mmgovuk mmgovuk temporarily deployed to ccms-ebs-development December 12, 2024 16:51 — with GitHub Actions Inactive
@github-actions GitHub Actions
Copy link
Contributor

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/ccms-ebs

Running Trivy in terraform/environments/ccms-ebs
2024-12-12T16:51:14Z INFO [vulndb] Need to update DB
2024-12-12T16:51:14Z INFO [vulndb] Downloading vulnerability DB...
2024-12-12T16:51:14Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-12T16:51:16Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-12T16:51:16Z INFO [vuln] Vulnerability scanning is enabled
2024-12-12T16:51:16Z INFO [misconfig] Misconfiguration scanning is enabled
2024-12-12T16:51:16Z INFO [misconfig] Need to update the built-in checks
2024-12-12T16:51:16Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2024-12-12T16:51:16Z INFO [secret] Secret scanning is enabled
2024-12-12T16:51:16Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-12T16:51:16Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-12T16:51:17Z INFO [terraform scanner] Scanning root module file_path="."
2024-12-12T16:51:17Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-12-12T16:51:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_log_group.groups" value="cty.NilVal"
2024-12-12T16:51:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_security_group_rule.all_internal_egress_traffic" value="cty.NilVal"
2024-12-12T16:51:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_security_group_rule.all_internal_ingress_traffic" value="cty.NilVal"
2024-12-12T16:51:18Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T16:51:18Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T16:51:18Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket-dbbackup.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T16:51:18Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket-dbbackup.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T16:51:18Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket-logging.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T16:51:18Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket-logging.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T16:51:19Z INFO [terraform scanner] Scanning root module file_path="modules"
2024-12-12T16:51:19Z INFO [terraform scanner] Scanning root module file_path="modules/cw-logs"
2024-12-12T16:51:22Z INFO [terraform executor] Ignore finding rule="aws-iam-no-user-attached-policies" range="ccms-iam.tf:283-289"
2024-12-12T16:51:22Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-12-12T16:51:23Z INFO Number of language-specific files num=0
2024-12-12T16:51:23Z INFO Detected config files num=28

ccms-ec2-oracle_accessgate.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ccms-ec2-oracle_accessgate.tf:1-104
────────────────────────────────────────
1 ┌ resource "aws_instance" "ec2_accessgate" {
2 │ count = local.application_data.accounts[local.environment].accessgate_no_instances
3 │ instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_accessgate
4 │ ami = local.application_data.accounts[local.environment]["accessgate_ami_id-${count.index + 1}"]
5 │ key_name = local.application_data.accounts[local.environment].key_name
6 │ vpc_security_group_ids = [aws_security_group.ec2_sg_accessgate.id]
7 │ subnet_id = local.private_subnets[count.index]
8 │ #subnet_id = data.aws_subnet.data_subnets_a.id
9 └ monitoring = true
..
────────────────────────────────────────

ccms-ec2-oracle_ebs_apps-alb.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-alb.tf:1-19
────────────────────────────────────────
1 ┌ resource "aws_lb" "ebsapps_lb" {
2 │ name = lower(format("lb-%s-%s-ebsapp", local.application_name, local.environment))
3 │ internal = false
4 │ load_balancer_type = "application"
5 │ security_groups = [aws_security_group.sg_ebsapps_lb.id]
6 │ subnets = data.aws_subnets.shared-public.ids
7 │
8 │ enable_deletion_protection = true
9 └
..
────────────────────────────────────────

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-alb.tf:3
via ccms-ec2-oracle_ebs_apps-alb.tf:1-19 (aws_lb.ebsapps_lb)
────────────────────────────────────────
1 resource "aws_lb" "ebsapps_lb" {
.
3 [ internal = false
..
19 }
────────────────────────────────────────

ccms-ec2-oracle_ebs_apps-nlb.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-nlb.tf:18
via ccms-ec2-oracle_ebs_apps-nlb.tf:16-42 (aws_lb.ebsapps_nlb)
────────────────────────────────────────
16 resource "aws_lb" "ebsapps_nlb" {
..
18 [ internal = false
..
42 }
────────────────────────────────────────

ccms-ec2-oracle_ebs_apps.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps.tf:1-127
────────────────────────────────────────
1 ┌ resource "aws_instance" "ec2_ebsapps" {
2 │ count = local.application_data.accounts[local.environment].ebsapps_no_instances
3 │ instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsapps
4 │ ami = local.application_data.accounts[local.environment]["ebsapps_ami_id-${count.index + 1}"]
5 │ key_name = local.application_data.accounts[local.environment].key_name
6 │ vpc_security_group_ids = [aws_security_group.ec2_sg_ebsapps.id]
7 │ subnet_id = local.private_subnets[count.index]
8 │ #subnet_id = data.aws_subnet.data_subnets_a.id
9 └ monitoring = true
..
────────────────────────────────────────

ccms-ec2-oracle_ebs_db.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
ccms-ec2-oracle_ebs_db.tf:1-68
────────────────────────────────────────
1 ┌ resource "aws_instance" "ec2_oracle_ebs" {
2 │ instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsdb
3 │ #ami = data.aws_ami.oracle_db.id
4 │ ami = local.application_data.accounts[local.environment].ebsdb_ami_id
5 │ key_name = local.application_data.accounts[local.environment].key_name
6 │ vpc_security_group_ids = [aws_security_group.ec2_sg_ebsdb.id]
7 │ subnet_id = data.aws_subnet.data_subnets_a.id
8 │ monitoring = true
9 └ ebs_optimized = false
..
────────────────────────────────────────

ccms-ec2-oracle_webgate-alb.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 3)
Failures: 3 (HIGH: 3, CRITICAL: 0)

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
ccms-ec2-oracle_webgate-alb.tf:1-20
────────────────────────────────────────
1 ┌ resource "aws_lb" "webgate_lb" {
2 │ count = local.is-production ? 1 : 1
3 │ name = lower(format("lb-%s-%s-wgate", local.application_name, local.environment))
4 │ internal = true
5 │ load_balancer_type = "application"
6 │ security_groups = [aws_security_group.sg_webgate_lb.id]
7 │ subnets = data.aws_subnets.shared-private.ids
8 │
9 └ enable_deletion_protection = true
..
────────────────────────────────────────

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
ccms-ec2-oracle_webgate-alb.tf:62-80
────────────────────────────────────────
62 ┌ resource "aws_lb" "webgate_public_lb" {
63 │ name = lower(format("public-alb-webgate"))
64 │ internal = false
65 │ load_balancer_type = "application"
66 │ security_groups = [aws_security_group.sg_webgate_lb.id]
67 │ subnets = data.aws_subnets.shared-public.ids
68 │
69 │ enable_deletion_protection = true
70 └
..
────────────────────────────────────────

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ccms-ec2-oracle_webgate-alb.tf:64
via ccms-ec2-oracle_webgate-alb.tf:62-80 (aws_lb.webgate_public_lb)
────────────────────────────────────────
62 resource "aws_lb" "webgate_public_lb" {
..
64 [ internal = false
..
80 }
────────────────────────────────────────

ccms-ec2-oracle_webgate-nlb.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ccms-ec2-oracle_webgate-nlb.tf:18
via ccms-ec2-oracle_webgate-nlb.tf:16-42 (aws_lb.webgate_nlb)
────────────────────────────────────────
16 resource "aws_lb" "webgate_nlb" {
..
18 [ internal = false
..
42 }
────────────────────────────────────────

ccms-ec2-oracle_webgate.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ccms-ec2-oracle_webgate.tf:1-104
────────────────────────────────────────
1 ┌ resource "aws_instance" "ec2_webgate" {
2 │ count = local.application_data.accounts[local.environment].webgate_no_instances
3 │ instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_webgate
4 │ ami = local.application_data.accounts[local.environment]["webgate_ami_id-${count.index + 1}"]
5 │ key_name = local.application_data.accounts[local.environment].key_name
6 │ vpc_security_group_ids = [aws_security_group.ec2_sg_webgate.id]
7 │ subnet_id = local.private_subnets[count.index]
8 │ #subnet_id = data.aws_subnet.data_subnets_a.id
9 └ monitoring = true
..
────────────────────────────────────────

ccms-s3.tf (terraform)

Tests: 8 (SUCCESSES: 0, FAILURES: 8)
Failures: 8 (HIGH: 8, CRITICAL: 0)

AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.

See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
ccms-s3.tf:286-288
────────────────────────────────────────
286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
287 │ bucket = "${local.application_name}-${local.environment}-shared"
288 └ }
────────────────────────────────────────

AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.

See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
ccms-s3.tf:293-295
────────────────────────────────────────
293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
294 │ bucket = "${local.application_name}-${local.environment}-payment-load"
295 └ }
────────────────────────────────────────

AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
ccms-s3.tf:286-288
────────────────────────────────────────
286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
287 │ bucket = "${local.application_name}-${local.environment}-shared"
288 └ }
────────────────────────────────────────

AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
ccms-s3.tf:293-295
────────────────────────────────────────
293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
294 │ bucket = "${local.application_name}-${local.environment}-payment-load"
295 └ }
────────────────────────────────────────

AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
ccms-s3.tf:286-288
────────────────────────────────────────
286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
287 │ bucket = "${local.application_name}-${local.environment}-shared"
288 └ }
────────────────────────────────────────

AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
ccms-s3.tf:293-295
────────────────────────────────────────
293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
294 │ bucket = "${local.application_name}-${local.environment}-payment-load"
295 └ }
────────────────────────────────────────

AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
ccms-s3.tf:286-288
────────────────────────────────────────
286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
287 │ bucket = "${local.application_name}-${local.environment}-shared"
288 └ }
────────────────────────────────────────

AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
ccms-s3.tf:293-295
────────────────────────────────────────
293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
294 │ bucket = "${local.application_name}-${local.environment}-payment-load"
295 └ }
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/ccms-ebs

*****************************

Running Checkov in terraform/environments/ccms-ebs
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-12-12 16:51:26,230 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 955, Failed checks: 74, Skipped checks: 3

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.groups
	File: /ccms-cloudwatch.tf:15-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		15 | resource "aws_cloudwatch_log_group" "groups" {
		16 |   for_each          = local.application_data.cw_log_groups
		17 |   name              = each.key
		18 |   retention_in_days = each.value.retention_days
		19 | 
		20 |   tags = merge(
		21 |     local.tags,
		22 |     {
		23 |       Name = each.key
		24 |     },
		25 |   )
		26 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.cloudwatch_datasource
	File: /ccms-cloudwatch.tf:54-106
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.dlm_lifecycle
	File: /ccms-dlm.tf:24-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		24 | resource "aws_iam_role_policy" "dlm_lifecycle" {
		25 |   count = local.is-production ? 0 : 1
		26 |   name  = "dlm-lifecycle-policy"
		27 |   role  = aws_iam_role.dlm_lifecycle_role[0].id
		28 | 
		29 |   policy = <<EOF
		30 | {
		31 |    "Version": "2012-10-17",
		32 |    "Statement": [
		33 |       {
		34 |          "Effect": "Allow",
		35 |          "Action": [
		36 |             "ec2:CreateSnapshot",
		37 |             "ec2:DeleteSnapshot",
		38 |             "ec2:DescribeVolumes",
		39 |             "ec2:DescribeSnapshots"
		40 |          ],
		41 |          "Resource": "*"
		42 |       },
		43 |       {
		44 |          "Effect": "Allow",
		45 |          "Action": [
		46 |             "ec2:CreateTags"
		47 |          ],
		48 |          "Resource": "arn:aws:ec2:*::snapshot/*"
		49 |       }
		50 |    ]
		51 | }
		52 | EOF
		53 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.dlm_lifecycle
	File: /ccms-dlm.tf:24-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		24 | resource "aws_iam_role_policy" "dlm_lifecycle" {
		25 |   count = local.is-production ? 0 : 1
		26 |   name  = "dlm-lifecycle-policy"
		27 |   role  = aws_iam_role.dlm_lifecycle_role[0].id
		28 | 
		29 |   policy = <<EOF
		30 | {
		31 |    "Version": "2012-10-17",
		32 |    "Statement": [
		33 |       {
		34 |          "Effect": "Allow",
		35 |          "Action": [
		36 |             "ec2:CreateSnapshot",
		37 |             "ec2:DeleteSnapshot",
		38 |             "ec2:DescribeVolumes",
		39 |             "ec2:DescribeSnapshots"
		40 |          ],
		41 |          "Resource": "*"
		42 |       },
		43 |       {
		44 |          "Effect": "Allow",
		45 |          "Action": [
		46 |             "ec2:CreateTags"
		47 |          ],
		48 |          "Resource": "arn:aws:ec2:*::snapshot/*"
		49 |       }
		50 |    ]
		51 | }
		52 | EOF
		53 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_ftp
	File: /ccms-ec2-ftp.tf:1-67
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_mailrelay
	File: /ccms-ec2-mailrelay.tf:2-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.ec2_accessgate
	File: /ccms-ec2-oracle_accessgate.tf:1-104
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_accessgate
	File: /ccms-ec2-oracle_accessgate.tf:1-104
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.ebsapps_lb
	File: /ccms-ec2-oracle_ebs_apps-alb.tf:1-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		1  | resource "aws_lb" "ebsapps_lb" {
		2  |   name               = lower(format("lb-%s-%s-ebsapp", local.application_name, local.environment))
		3  |   internal           = false
		4  |   load_balancer_type = "application"
		5  |   security_groups    = [aws_security_group.sg_ebsapps_lb.id]
		6  |   subnets            = data.aws_subnets.shared-public.ids
		7  | 
		8  |   enable_deletion_protection = true
		9  | 
		10 |   access_logs {
		11 |     bucket  = module.s3-bucket-logging.bucket.id
		12 |     prefix  = local.lb_log_prefix_ebsapp
		13 |     enabled = true
		14 |   }
		15 | 
		16 |   tags = merge(local.tags,
		17 |     { Name = lower(format("lb-%s-%s-ebsapp", local.application_name, local.environment)) }
		18 |   )
		19 | }

Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
	FAILED for resource: aws_lb_target_group.ebsapp_tg
	File: /ccms-ec2-oracle_ebs_apps-alb.tf:39-54
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks

		39 | resource "aws_lb_target_group" "ebsapp_tg" {
		40 |   name     = lower(format("tg-%s-%s-ebsapp", local.application_name, local.environment))
		41 |   port     = local.application_data.accounts[local.environment].tg_apps_port
		42 |   protocol = "HTTP"
		43 |   vpc_id   = data.aws_vpc.shared.id
		44 |   health_check {
		45 |     port     = local.application_data.accounts[local.environment].tg_apps_port
		46 |     protocol = "HTTP"
		47 |   }
		48 | 
		49 |   stickiness {
		50 |     enabled         = true
		51 |     type            = "lb_cookie"
		52 |     cookie_duration = 3600
		53 |   }
		54 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.ebsapps_nlb
	File: /ccms-ec2-oracle_ebs_apps-nlb.tf:16-42
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		16 | resource "aws_lb" "ebsapps_nlb" {
		17 |   name               = lower(format("nlb-%s-%s-ebs", local.application_name, local.environment))
		18 |   internal           = false
		19 |   load_balancer_type = "network"
		20 | 
		21 |   enable_deletion_protection       = true
		22 |   enable_cross_zone_load_balancing = true
		23 | 
		24 |   subnet_mapping {
		25 |     subnet_id     = data.aws_subnets.shared-public.ids[0]
		26 |     allocation_id = aws_eip.ebs_eip[0].id
		27 |   }
		28 | 
		29 |   subnet_mapping {
		30 |     subnet_id     = data.aws_subnets.shared-public.ids[1]
		31 |     allocation_id = aws_eip.ebs_eip[1].id
		32 |   }
		33 | 
		34 |   subnet_mapping {
		35 |     subnet_id     = data.aws_subnets.shared-public.ids[2]
		36 |     allocation_id = aws_eip.ebs_eip[2].id
		37 |   }
		38 | 
		39 |   tags = merge(local.tags,
		40 |     { Name = lower(format("nlb-%s-%s-ebsapp", local.application_name, local.environment)) }
		41 |   )
		42 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.ec2_ebsapps
	File: /ccms-ec2-oracle_ebs_apps.tf:1-127
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_ebsapps
	File: /ccms-ec2-oracle_ebs_apps.tf:1-127
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
	FAILED for resource: aws_instance.ec2_oracle_ebs
	File: /ccms-ec2-oracle_ebs_db.tf:1-68
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-13

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_oracle_ebs
	File: /ccms-ec2-oracle_ebs_db.tf:1-68
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.webgate_lb
	File: /ccms-ec2-oracle_webgate-alb.tf:1-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		1  | resource "aws_lb" "webgate_lb" {
		2  |   count              = local.is-production ? 1 : 1
		3  |   name               = lower(format("lb-%s-%s-wgate", local.application_name, local.environment))
		4  |   internal           = true
		5  |   load_balancer_type = "application"
		6  |   security_groups    = [aws_security_group.sg_webgate_lb.id]
		7  |   subnets            = data.aws_subnets.shared-private.ids
		8  | 
		9  |   enable_deletion_protection = true
		10 | 
		11 |   access_logs {
		12 |     bucket  = module.s3-bucket-logging.bucket.id
		13 |     prefix  = local.lb_log_prefix_wgate
		14 |     enabled = true
		15 |   }
		16 | 
		17 |   tags = merge(local.tags,
		18 |     { Name = lower(format("lb-%s-%s-wgate", local.application_name, local.environment)) }
		19 |   )
		20 | }

Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
	FAILED for resource: aws_lb_target_group.webgate_tg
	File: /ccms-ec2-oracle_webgate-alb.tf:40-52
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks

		40 | resource "aws_lb_target_group" "webgate_tg" {
		41 |   count    = local.is-production ? 1 : 1
		42 |   name     = lower(format("tg-%s-%s-wgate", local.application_name, local.environment))
		43 |   port     = 5401
		44 |   protocol = "HTTP"
		45 |   vpc_id   = data.aws_vpc.shared.id
		46 |   health_check {
		47 |     port     = 5401
		48 |     protocol = "HTTP"
		49 |     matcher  = 302
		50 |     timeout  = 10
		51 |   }
		52 | }

Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.webgate_public_lb
	File: /ccms-ec2-oracle_webgate-alb.tf:62-80
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		62 | resource "aws_lb" "webgate_public_lb" {
		63 |   name               = lower(format("public-alb-webgate"))
		64 |   internal           = false
		65 |   load_balancer_type = "application"
		66 |   security_groups    = [aws_security_group.sg_webgate_lb.id]
		67 |   subnets            = data.aws_subnets.shared-public.ids
		68 | 
		69 |   enable_deletion_protection = true
		70 | 
		71 |   access_logs {
		72 |     bucket  = module.s3-bucket-logging.bucket.id
		73 |     prefix  = local.lb_log_prefix_wgate_public
		74 |     enabled = true
		75 |   }
		76 | 
		77 |   tags = merge(local.tags,
		78 |     { Name = lower(format("public-alb-webgate")) }
		79 |   )
		80 | }

Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
	FAILED for resource: aws_lb_target_group.webgate_tg_public
	File: /ccms-ec2-oracle_webgate-alb.tf:100-111
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks

		100 | resource "aws_lb_target_group" "webgate_tg_public" {
		101 |   name     = lower(format("public-alb-webgate-tg"))
		102 |   port     = 5401
		103 |   protocol = "HTTP"
		104 |   vpc_id   = data.aws_vpc.shared.id
		105 |   health_check {
		106 |     port     = 5401
		107 |     protocol = "HTTP"
		108 |     matcher  = 302
		109 |     timeout  = 10
		110 |   }
		111 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.webgate_nlb
	File: /ccms-ec2-oracle_webgate-nlb.tf:16-42
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		16 | resource "aws_lb" "webgate_nlb" {
		17 |   name               = lower(format("public-nlb-webgate"))
		18 |   internal           = false
		19 |   load_balancer_type = "network"
		20 | 
		21 |   enable_deletion_protection       = true
		22 |   enable_cross_zone_load_balancing = true
		23 | 
		24 |   subnet_mapping {
		25 |     subnet_id     = data.aws_subnets.shared-public.ids[0]
		26 |     allocation_id = aws_eip.webgate_eip[0].id
		27 |   }
		28 | 
		29 |   subnet_mapping {
		30 |     subnet_id     = data.aws_subnets.shared-public.ids[1]
		31 |     allocation_id = aws_eip.webgate_eip[1].id
		32 |   }
		33 | 
		34 |   subnet_mapping {
		35 |     subnet_id     = data.aws_subnets.shared-public.ids[2]
		36 |     allocation_id = aws_eip.webgate_eip[2].id
		37 |   }
		38 | 
		39 |   tags = merge(local.tags,
		40 |     { Name = lower(format("public-nlb-webgate")) }
		41 |   )
		42 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.ec2_webgate
	File: /ccms-ec2-oracle_webgate.tf:1-104
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_webgate
	File: /ccms-ec2-oracle_webgate.tf:1-104
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.ec2_operations_policy
	File: /ccms-iam.tf:249-273
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		249 | resource "aws_iam_policy" "ec2_operations_policy" {
		250 |   name        = "ec2_operations-${local.environment}"
		251 |   description = "Allows EC2 operations."
		252 | 
		253 |   policy = jsonencode(
		254 |     {
		255 |       "Version" : "2012-10-17",
		256 |       "Statement" : [
		257 |         {
		258 |           "Sid" : "EC2Operations",
		259 |           "Effect" : "Allow",
		260 |           "Action" : [
		261 |             "ec2:Describe*",
		262 |             "ec2:CreateSnapshot",
		263 |             "ec2:CreateSnapshots",
		264 |             "ec2:DeleteSnapshot",
		265 |             "ec2:CreateTags",
		266 |             "ec2:DeleteTags"
		267 |           ],
		268 |           "Resource" : "*"
		269 |         }
		270 |       ]
		271 |     }
		272 |   )
		273 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.ec2_operations_policy
	File: /ccms-iam.tf:249-273
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		249 | resource "aws_iam_policy" "ec2_operations_policy" {
		250 |   name        = "ec2_operations-${local.environment}"
		251 |   description = "Allows EC2 operations."
		252 | 
		253 |   policy = jsonencode(
		254 |     {
		255 |       "Version" : "2012-10-17",
		256 |       "Statement" : [
		257 |         {
		258 |           "Sid" : "EC2Operations",
		259 |           "Effect" : "Allow",
		260 |           "Action" : [
		261 |             "ec2:Describe*",
		262 |             "ec2:CreateSnapshot",
		263 |             "ec2:CreateSnapshots",
		264 |             "ec2:DeleteSnapshot",
		265 |             "ec2:CreateTags",
		266 |             "ec2:DeleteTags"
		267 |           ],
		268 |           "Resource" : "*"
		269 |         }
		270 |       ]
		271 |     }
		272 |   )
		273 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.certificate_expiration_alerts
	File: /ccms-lambda-certificate-monitor.tf:46-51
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		46 | resource "aws_sns_topic" "certificate_expiration_alerts" {
		47 |   name = "${local.application_name}-${local.environment}-acm-certificate-alerts"
		48 |   tags = merge(local.tags, {
		49 |     Name = "${local.application_name}-${local.environment}-certificate-monitor"
		50 |   })
		51 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.certificate_monitor
	File: /ccms-lambda-certificate-monitor.tf:59-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		59 | resource "aws_lambda_function" "certificate_monitor" {
		60 |   filename      = "./lambda/certificate_monitor.zip"
		61 |   function_name = "${local.application_name}-${local.environment}-certificate-monitor"
		62 |   role          = aws_iam_role.lambda_certificate_monitor_role.arn
		63 |   handler       = "lambda_function.lambda_handler"
		64 |   runtime       = "python3.13"
		65 |   timeout       = 30
		66 | 
		67 |   environment {
		68 |     variables = {
		69 |       EXPIRY_DAYS   = local.application_data.accounts[local.environment].certificate_expiry_days
		70 |       SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
		71 |     }
		72 |   }
		73 |   tags = merge(local.tags, {
		74 |     Name = "${local.application_name}-${local.environment}-certificate-monitor"
		75 |   })
		76 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.certificate_monitor
	File: /ccms-lambda-certificate-monitor.tf:59-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		59 | resource "aws_lambda_function" "certificate_monitor" {
		60 |   filename      = "./lambda/certificate_monitor.zip"
		61 |   function_name = "${local.application_name}-${local.environment}-certificate-monitor"
		62 |   role          = aws_iam_role.lambda_certificate_monitor_role.arn
		63 |   handler       = "lambda_function.lambda_handler"
		64 |   runtime       = "python3.13"
		65 |   timeout       = 30
		66 | 
		67 |   environment {
		68 |     variables = {
		69 |       EXPIRY_DAYS   = local.application_data.accounts[local.environment].certificate_expiry_days
		70 |       SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
		71 |     }
		72 |   }
		73 |   tags = merge(local.tags, {
		74 |     Name = "${local.application_name}-${local.environment}-certificate-monitor"
		75 |   })
		76 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.certificate_monitor
	File: /ccms-lambda-certificate-monitor.tf:59-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		59 | resource "aws_lambda_function" "certificate_monitor" {
		60 |   filename      = "./lambda/certificate_monitor.zip"
		61 |   function_name = "${local.application_name}-${local.environment}-certificate-monitor"
		62 |   role          = aws_iam_role.lambda_certificate_monitor_role.arn
		63 |   handler       = "lambda_function.lambda_handler"
		64 |   runtime       = "python3.13"
		65 |   timeout       = 30
		66 | 
		67 |   environment {
		68 |     variables = {
		69 |       EXPIRY_DAYS   = local.application_data.accounts[local.environment].certificate_expiry_days
		70 |       SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
		71 |     }
		72 |   }
		73 |   tags = merge(local.tags, {
		74 |     Name = "${local.application_name}-${local.environment}-certificate-monitor"
		75 |   })
		76 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.certificate_monitor
	File: /ccms-lambda-certificate-monitor.tf:59-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		59 | resource "aws_lambda_function" "certificate_monitor" {
		60 |   filename      = "./lambda/certificate_monitor.zip"
		61 |   function_name = "${local.application_name}-${local.environment}-certificate-monitor"
		62 |   role          = aws_iam_role.lambda_certificate_monitor_role.arn
		63 |   handler       = "lambda_function.lambda_handler"
		64 |   runtime       = "python3.13"
		65 |   timeout       = 30
		66 | 
		67 |   environment {
		68 |     variables = {
		69 |       EXPIRY_DAYS   = local.application_data.accounts[local.environment].certificate_expiry_days
		70 |       SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
		71 |     }
		72 |   }
		73 |   tags = merge(local.tags, {
		74 |     Name = "${local.application_name}-${local.environment}-certificate-monitor"
		75 |   })
		76 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.certificate_monitor
	File: /ccms-lambda-certificate-monitor.tf:59-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		59 | resource "aws_lambda_function" "certificate_monitor" {
		60 |   filename      = "./lambda/certificate_monitor.zip"
		61 |   function_name = "${local.application_name}-${local.environment}-certificate-monitor"
		62 |   role          = aws_iam_role.lambda_certificate_monitor_role.arn
		63 |   handler       = "lambda_function.lambda_handler"
		64 |   runtime       = "python3.13"
		65 |   timeout       = 30
		66 | 
		67 |   environment {
		68 |     variables = {
		69 |       EXPIRY_DAYS   = local.application_data.accounts[local.environment].certificate_expiry_days
		70 |       SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
		71 |     }
		72 |   }
		73 |   tags = merge(local.tags, {
		74 |     Name = "${local.application_name}-${local.environment}-certificate-monitor"
		75 |   })
		76 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.certificate_monitor
	File: /ccms-lambda-certificate-monitor.tf:59-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		59 | resource "aws_lambda_function" "certificate_monitor" {
		60 |   filename      = "./lambda/certificate_monitor.zip"
		61 |   function_name = "${local.application_name}-${local.environment}-certificate-monitor"
		62 |   role          = aws_iam_role.lambda_certificate_monitor_role.arn
		63 |   handler       = "lambda_function.lambda_handler"
		64 |   runtime       = "python3.13"
		65 |   timeout       = 30
		66 | 
		67 |   environment {
		68 |     variables = {
		69 |       EXPIRY_DAYS   = local.application_data.accounts[local.environment].certificate_expiry_days
		70 |       SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
		71 |     }
		72 |   }
		73 |   tags = merge(local.tags, {
		74 |     Name = "${local.application_name}-${local.environment}-certificate-monitor"
		75 |   })
		76 | }

Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
	FAILED for resource: aws_security_group.lambda_security_group
	File: /ccms-lambda.tf:22-44

		22 | resource "aws_security_group" "lambda_security_group" {
		23 |   name        = "${local.application_name}-${local.environment}-lambda-sg"
		24 |   description = "SG traffic control for Payment Load Lambda"
		25 |   vpc_id      = data.aws_vpc.shared.id
		26 | 
		27 |   ingress {
		28 |     from_port   = 1521
		29 |     to_port     = 1522
		30 |     protocol    = "tcp"
		31 |     cidr_blocks = [data.aws_vpc.shared.cidr_block]
		32 |   }
		33 | 
		34 |   egress {
		35 |     from_port   = 0
		36 |     to_port     = 0
		37 |     protocol    = "-1"
		38 |     cidr_blocks = ["0.0.0.0/0"]
		39 |   }
		40 | 
		41 |   tags = merge(local.tags,
		42 |     { Name = "${local.application_name}-${local.environment}-lambda-sg" }
		43 |   )
		44 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.lambda_security_group
	File: /ccms-lambda.tf:22-44
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		22 | resource "aws_security_group" "lambda_security_group" {
		23 |   name        = "${local.application_name}-${local.environment}-lambda-sg"
		24 |   description = "SG traffic control for Payment Load Lambda"
		25 |   vpc_id      = data.aws_vpc.shared.id
		26 | 
		27 |   ingress {
		28 |     from_port   = 1521
		29 |     to_port     = 1522
		30 |     protocol    = "tcp"
		31 |     cidr_blocks = [data.aws_vpc.shared.cidr_block]
		32 |   }
		33 | 
		34 |   egress {
		35 |     from_port   = 0
		36 |     to_port     = 0
		37 |     protocol    = "-1"
		38 |     cidr_blocks = ["0.0.0.0/0"]
		39 |   }
		40 | 
		41 |   tags = merge(local.tags,
		42 |     { Name = "${local.application_name}-${local.environment}-lambda-sg" }
		43 |   )
		44 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.lambda_function
	File: /ccms-lambda.tf:48-82
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		48 | resource "aws_lambda_function" "lambda_function" {
		49 |   function_name = "${local.application_name}-${local.environment}-payment-load"
		50 |   filename      = "lambda/functionV2.zip"
		51 |   handler       = "lambda_function.lambda_handler"
		52 |   runtime       = "python3.10"
		53 |   role          = aws_iam_role.lambda_execution_role.arn
		54 |   layers        = [aws_lambda_layer_version.lambda_layer.arn]
		55 |   architectures = ["x86_64"]
		56 |   memory_size   = 128
		57 |   timeout       = 120
		58 | 
		59 |   vpc_config {
		60 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		61 |     security_group_ids = [aws_security_group.lambda_security_group.id]
		62 |   }
		63 |   environment {
		64 |     variables = {
		65 |       IS_PRODUCTION   = local.is-production ? "true" : "false"
		66 |       LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
		67 |       S3_BUCKET_NAME  = aws_s3_bucket.lambda_payment_load.bucket
		68 |       SECRET_NAME     = aws_secretsmanager_secret.secret_lambda_s3.name
		69 |     }
		70 |   }
		71 |   logging_config {
		72 |     log_format            = "JSON"
		73 |     application_log_level = "INFO"
		74 |     system_log_level      = "INFO"
		75 |   }
		76 | 
		77 |   tags = merge(local.tags, {
		78 |     Name = "${local.application_name}-${local.environment}-payment-load"
		79 |   })
		80 | 
		81 |   depends_on = [aws_lambda_layer_version.lambda_layer]
		82 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.lambda_function
	File: /ccms-lambda.tf:48-82
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		48 | resource "aws_lambda_function" "lambda_function" {
		49 |   function_name = "${local.application_name}-${local.environment}-payment-load"
		50 |   filename      = "lambda/functionV2.zip"
		51 |   handler       = "lambda_function.lambda_handler"
		52 |   runtime       = "python3.10"
		53 |   role          = aws_iam_role.lambda_execution_role.arn
		54 |   layers        = [aws_lambda_layer_version.lambda_layer.arn]
		55 |   architectures = ["x86_64"]
		56 |   memory_size   = 128
		57 |   timeout       = 120
		58 | 
		59 |   vpc_config {
		60 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		61 |     security_group_ids = [aws_security_group.lambda_security_group.id]
		62 |   }
		63 |   environment {
		64 |     variables = {
		65 |       IS_PRODUCTION   = local.is-production ? "true" : "false"
		66 |       LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
		67 |       S3_BUCKET_NAME  = aws_s3_bucket.lambda_payment_load.bucket
		68 |       SECRET_NAME     = aws_secretsmanager_secret.secret_lambda_s3.name
		69 |     }
		70 |   }
		71 |   logging_config {
		72 |     log_format            = "JSON"
		73 |     application_log_level = "INFO"
		74 |     system_log_level      = "INFO"
		75 |   }
		76 | 
		77 |   tags = merge(local.tags, {
		78 |     Name = "${local.application_name}-${local.environment}-payment-load"
		79 |   })
		80 | 
		81 |   depends_on = [aws_lambda_layer_version.lambda_layer]
		82 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.lambda_function
	File: /ccms-lambda.tf:48-82
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		48 | resource "aws_lambda_function" "lambda_function" {
		49 |   function_name = "${local.application_name}-${local.environment}-payment-load"
		50 |   filename      = "lambda/functionV2.zip"
		51 |   handler       = "lambda_function.lambda_handler"
		52 |   runtime       = "python3.10"
		53 |   role          = aws_iam_role.lambda_execution_role.arn
		54 |   layers        = [aws_lambda_layer_version.lambda_layer.arn]
		55 |   architectures = ["x86_64"]
		56 |   memory_size   = 128
		57 |   timeout       = 120
		58 | 
		59 |   vpc_config {
		60 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		61 |     security_group_ids = [aws_security_group.lambda_security_group.id]
		62 |   }
		63 |   environment {
		64 |     variables = {
		65 |       IS_PRODUCTION   = local.is-production ? "true" : "false"
		66 |       LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
		67 |       S3_BUCKET_NAME  = aws_s3_bucket.lambda_payment_load.bucket
		68 |       SECRET_NAME     = aws_secretsmanager_secret.secret_lambda_s3.name
		69 |     }
		70 |   }
		71 |   logging_config {
		72 |     log_format            = "JSON"
		73 |     application_log_level = "INFO"
		74 |     system_log_level      = "INFO"
		75 |   }
		76 | 
		77 |   tags = merge(local.tags, {
		78 |     Name = "${local.application_name}-${local.environment}-payment-load"
		79 |   })
		80 | 
		81 |   depends_on = [aws_lambda_layer_version.lambda_layer]
		82 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.lambda_function
	File: /ccms-lambda.tf:48-82
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		48 | resource "aws_lambda_function" "lambda_function" {
		49 |   function_name = "${local.application_name}-${local.environment}-payment-load"
		50 |   filename      = "lambda/functionV2.zip"
		51 |   handler       = "lambda_function.lambda_handler"
		52 |   runtime       = "python3.10"
		53 |   role          = aws_iam_role.lambda_execution_role.arn
		54 |   layers        = [aws_lambda_layer_version.lambda_layer.arn]
		55 |   architectures = ["x86_64"]
		56 |   memory_size   = 128
		57 |   timeout       = 120
		58 | 
		59 |   vpc_config {
		60 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		61 |     security_group_ids = [aws_security_group.lambda_security_group.id]
		62 |   }
		63 |   environment {
		64 |     variables = {
		65 |       IS_PRODUCTION   = local.is-production ? "true" : "false"
		66 |       LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
		67 |       S3_BUCKET_NAME  = aws_s3_bucket.lambda_payment_load.bucket
		68 |       SECRET_NAME     = aws_secretsmanager_secret.secret_lambda_s3.name
		69 |     }
		70 |   }
		71 |   logging_config {
		72 |     log_format            = "JSON"
		73 |     application_log_level = "INFO"
		74 |     system_log_level      = "INFO"
		75 |   }
		76 | 
		77 |   tags = merge(local.tags, {
		78 |     Name = "${local.application_name}-${local.environment}-payment-load"
		79 |   })
		80 | 
		81 |   depends_on = [aws_lambda_layer_version.lambda_layer]
		82 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.lambda_function
	File: /ccms-lambda.tf:48-82
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		48 | resource "aws_lambda_function" "lambda_function" {
		49 |   function_name = "${local.application_name}-${local.environment}-payment-load"
		50 |   filename      = "lambda/functionV2.zip"
		51 |   handler       = "lambda_function.lambda_handler"
		52 |   runtime       = "python3.10"
		53 |   role          = aws_iam_role.lambda_execution_role.arn
		54 |   layers        = [aws_lambda_layer_version.lambda_layer.arn]
		55 |   architectures = ["x86_64"]
		56 |   memory_size   = 128
		57 |   timeout       = 120
		58 | 
		59 |   vpc_config {
		60 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		61 |     security_group_ids = [aws_security_group.lambda_security_group.id]
		62 |   }
		63 |   environment {
		64 |     variables = {
		65 |       IS_PRODUCTION   = local.is-production ? "true" : "false"
		66 |       LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
		67 |       S3_BUCKET_NAME  = aws_s3_bucket.lambda_payment_load.bucket
		68 |       SECRET_NAME     = aws_secretsmanager_secret.secret_lambda_s3.name
		69 |     }
		70 |   }
		71 |   logging_config {
		72 |     log_format            = "JSON"
		73 |     application_log_level = "INFO"
		74 |     system_log_level      = "INFO"
		75 |   }
		76 | 
		77 |   tags = merge(local.tags, {
		78 |     Name = "${local.application_name}-${local.environment}-payment-load"
		79 |   })
		80 | 
		81 |   depends_on = [aws_lambda_layer_version.lambda_layer]
		82 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3-bucket
	File: /ccms-s3.tf:2-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3-bucket-logging
	File: /ccms-s3.tf:98-166
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3-bucket-dbbackup
	File: /ccms-s3.tf:190-258
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.secret_ftp_s3
	File: /ccms-secrets.tf:3-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		3  | resource "aws_secretsmanager_secret" "secret_ftp_s3" {
		4  |   name        = "ftp-s3-${local.environment}-aws-key"
		5  |   description = "AWS credentials for mounting of s3 buckets for the FTP Service to access"
		6  | 
		7  |   tags = merge(local.tags,
		8  |     { Name = "ftp-s3-${local.environment}-aws-key" }
		9  |   )
		10 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.secret_ses_smtp_credentials
	File: /ccms-secrets.tf:12-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		12 | resource "aws_secretsmanager_secret" "secret_ses_smtp_credentials" {
		13 |   name        = "ses-smtp-credentials"
		14 |   description = "SMTP credentials for Postfix to send messages through SES."
		15 | 
		16 |   tags = merge(local.tags,
		17 |     { Name = "ses-smtp-credentials-${local.environment}" }
		18 |   )
		19 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.secret_lambda_s3
	File: /ccms-secrets.tf:23-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		23 | resource "aws_secretsmanager_secret" "secret_lambda_s3" {
		24 |   name        = "db-${local.environment}-credentials"
		25 |   description = "AWS credentials for lambda to connect to the db"
		26 | 
		27 |   tags = merge(local.tags,
		28 |     { Name = "db-${local.environment}-credentials" }
		29 |   )
		30 | }
Check: CKV_AWS_365: "Ensure SES Configuration Set enforces TLS usage"
	FAILED for resource: aws_ses_configuration_set.default_configuration_set
	File: /ccms-ses.tf:35-43
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-365

		35 | resource "aws_ses_configuration_set" "default_configuration_set" {
		36 |   name = "default-configuration-set"
		37 | 
		38 |   delivery_options {
		39 |     tls_policy = "Optional"
		40 |   }
		41 |   reputation_metrics_enabled = true
		42 |   sending_enabled            = true
		43 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.support_email_account
	File: /ccms-sns.tf:2-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		2 | resource "aws_secretsmanager_secret" "support_email_account" {
		3 |   name        = "support_email_account"
		4 |   description = "email address of the support account for cw alerts"
		5 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.cw_alerts
	File: /ccms-sns.tf:17-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		17 | resource "aws_sns_topic" "cw_alerts" {
		18 |   name = "ccms-ebs-ec2-alerts"
		19 |   #kms_master_key_id = "alias/aws/sns"
		20 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.s3_topic
	File: /ccms-sns.tf:34-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		34 | resource "aws_sns_topic" "s3_topic" {
		35 |   name   = "s3-event-notification-topic"
		36 |   policy = data.aws_iam_policy_document.s3_topic_policy.json
		37 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.ddos_alarm
	File: /ccms-sns.tf:51-54
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		51 | resource "aws_sns_topic" "ddos_alarm" {
		52 |   name = format("%s_ddos_alarm", local.application_name)
		53 |   #kms_master_key_id = "alias/aws/sns"
		54 | }

Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
	FAILED for resource: aws_wafv2_web_acl.ebs_web_acl
	File: /ccms-waf.tf:172-211
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-waf-prevents-message-lookup-in-log4j2

		172 | resource "aws_wafv2_web_acl" "ebs_web_acl" {
		173 |   name        = "ebs_waf"
		174 |   scope       = "REGIONAL"
		175 |   description = "AWS WAF Web ACL for EBS"
		176 | 
		177 |   default_action {
		178 |     block {}
		179 |   }
		180 | 
		181 |   rule {
		182 |     name = "ebs-trusted-rule"
		183 | 
		184 |     priority = 1
		185 |     action {
		186 |       allow {}
		187 |     }
		188 | 
		189 |     statement {
		190 |       ip_set_reference_statement {
		191 |         arn = aws_wafv2_ip_set.ebs_waf_ip_set.arn
		192 |       }
		193 |     }
		194 | 
		195 |     visibility_config {
		196 |       cloudwatch_metrics_enabled = true
		197 |       metric_name                = "ebs_waf_metrics"
		198 |       sampled_requests_enabled   = true
		199 |     }
		200 |   }
		201 | 
		202 |   tags = merge(local.tags,
		203 |     { Name = lower(format("lb-%s-%s-ebsapp-web-acl", local.application_name, local.environment)) }
		204 |   )
		205 | 
		206 |   visibility_config {
		207 |     cloudwatch_metrics_enabled = true
		208 |     metric_name                = "ebs_waf_metrics"
		209 |     sampled_requests_enabled   = true
		210 |   }
		211 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.ebs_waf_logs
	File: /ccms-waf.tf:213-220
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		213 | resource "aws_cloudwatch_log_group" "ebs_waf_logs" {
		214 |   name              = "aws-waf-logs-ebs/ebs-waf-logs"
		215 |   retention_in_days = 30
		216 | 
		217 |   tags = merge(local.tags,
		218 |     { Name = lower(format("lb-%s-%s-ebs-waf-logs", local.application_name, local.environment)) }
		219 |   )
		220 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.ebs_waf_logs
	File: /ccms-waf.tf:213-220
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		213 | resource "aws_cloudwatch_log_group" "ebs_waf_logs" {
		214 |   name              = "aws-waf-logs-ebs/ebs-waf-logs"
		215 |   retention_in_days = 30
		216 | 
		217 |   tags = merge(local.tags,
		218 |     { Name = lower(format("lb-%s-%s-ebs-waf-logs", local.application_name, local.environment)) }
		219 |   )
		220 | }

Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: aws_ssm_parameter.cw_agent_config
	File: /ccms-cloudwatch.tf:28-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted

		28 | resource "aws_ssm_parameter" "cw_agent_config" {
		29 |   description = "cloud watch agent config"
		30 |   name        = "cloud-watch-config"
		31 |   type        = "String"
		32 |   value       = file("./templates/cw_agent_config.json")
		33 | 
		34 |   tags = merge(local.tags,
		35 |     { Name = "cw-config" }
		36 |   )
		37 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.lambda_payment_load
	File: /ccms-s3.tf:293-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		293 | resource "aws_s3_bucket" "lambda_payment_load" {
		294 |   bucket = "${local.application_name}-${local.environment}-payment-load"
		295 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.lambda_payment_load
	File: /ccms-s3.tf:293-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		293 | resource "aws_s3_bucket" "lambda_payment_load" {
		294 |   bucket = "${local.application_name}-${local.environment}-payment-load"
		295 | }
Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.lambda_payment_load
	File: /ccms-s3.tf:293-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		293 | resource "aws_s3_bucket" "lambda_payment_load" {
		294 |   bucket = "${local.application_name}-${local.environment}-payment-load"
		295 | }
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.secret_ftp_s3
	File: /ccms-secrets.tf:3-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		3  | resource "aws_secretsmanager_secret" "secret_ftp_s3" {
		4  |   name        = "ftp-s3-${local.environment}-aws-key"
		5  |   description = "AWS credentials for mounting of s3 buckets for the FTP Service to access"
		6  | 
		7  |   tags = merge(local.tags,
		8  |     { Name = "ftp-s3-${local.environment}-aws-key" }
		9  |   )
		10 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.secret_ses_smtp_credentials
	File: /ccms-secrets.tf:12-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		12 | resource "aws_secretsmanager_secret" "secret_ses_smtp_credentials" {
		13 |   name        = "ses-smtp-credentials"
		14 |   description = "SMTP credentials for Postfix to send messages through SES."
		15 | 
		16 |   tags = merge(local.tags,
		17 |     { Name = "ses-smtp-credentials-${local.environment}" }
		18 |   )
		19 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.secret_lambda_s3
	File: /ccms-secrets.tf:23-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		23 | resource "aws_secretsmanager_secret" "secret_lambda_s3" {
		24 |   name        = "db-${local.environment}-credentials"
		25 |   description = "AWS credentials for lambda to connect to the db"
		26 | 
		27 |   tags = merge(local.tags,
		28 |     { Name = "db-${local.environment}-credentials" }
		29 |   )
		30 | }
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.support_email_account
	File: /ccms-sns.tf:2-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		2 | resource "aws_secretsmanager_secret" "support_email_account" {
		3 |   name        = "support_email_account"
		4 |   description = "email address of the support account for cw alerts"
		5 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.lambda_payment_load
	File: /ccms-s3.tf:293-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		293 | resource "aws_s3_bucket" "lambda_payment_load" {
		294 |   bucket = "${local.application_name}-${local.environment}-payment-load"
		295 | }
Check: CKV2_AWS_64: "Ensure KMS key Policy is defined"
	FAILED for resource: aws_kms_key.oracle_ec2
	File: /ccms-kms.tf:1-7
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-2-64

		1 | resource "aws_kms_key" "oracle_ec2" {
		2 |   enable_key_rotation = true
		3 | 
		4 |   tags = merge(local.tags,
		5 |     { Name = "oracle_ec2" }
		6 |   )
		7 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.lambda_payment_load
	File: /ccms-s3.tf:293-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		293 | resource "aws_s3_bucket" "lambda_payment_load" {
		294 |   bucket = "${local.application_name}-${local.environment}-payment-load"
		295 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.lambda_payment_load
	File: /ccms-s3.tf:293-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		293 | resource "aws_s3_bucket" "lambda_payment_load" {
		294 |   bucket = "${local.application_name}-${local.environment}-payment-load"
		295 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.lambda_payment_load
	File: /ccms-s3.tf:293-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		293 | resource "aws_s3_bucket" "lambda_payment_load" {
		294 |   bucket = "${local.application_name}-${local.environment}-payment-load"
		295 | }
Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances"
	FAILED for resource: aws_eip.ebs_eip
	File: /ccms-ec2-oracle_ebs_apps-nlb.tf:2-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances

		2  | resource "aws_eip" "ebs_eip" {
		3  |   count = local.is-production ? 6 : 3
		4  |   vpc   = true
		5  | 
		6  |   lifecycle {
		7  |     prevent_destroy = true
		8  |   }
		9  | 
		10 |   tags = merge(local.tags,
		11 |     { Name = lower(format("lb-%s-%s-eip-${count.index + 1}", local.application_name, local.environment)) }
		12 |   )
		13 | }

Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances"
	FAILED for resource: aws_eip.webgate_eip
	File: /ccms-ec2-oracle_webgate-nlb.tf:2-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances

		2  | resource "aws_eip" "webgate_eip" {
		3  |   count = local.is-production ? 6 : 3
		4  |   vpc   = true
		5  | 
		6  |   lifecycle {
		7  |     prevent_destroy = true
		8  |   }
		9  | 
		10 |   tags = merge(local.tags,
		11 |     { Name = lower(format("lb-%s-%s-webgate-eip-${count.index + 1}", local.application_name, local.environment)) }
		12 |   )
		13 | }


checkov_exitcode=1

CTFLint Scan Failed

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/ccms-ebs

*****************************

Running tflint in terraform/environments/ccms-ebs
Excluding the following checks: terraform_unused_declarations
5 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/ccms-ebs/ccms-ec2-ftp.tf line 23:
  23:     environment               = "${local.environment}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/ccms-ebs/ccms-ec2-ftp.tf line 24:
  24:     lz_aws_account_id_env     = "${local.application_data.accounts[local.environment].lz_aws_account_id_env}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/ccms-ebs/ccms-ec2-ftp.tf line 25:
  25:     lz_ftp_bucket_environment = "${local.application_data.accounts[local.environment].lz_ftp_bucket_environment}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/ccms-ebs/ccms-ec2-mailrelay.tf line 28:
  28:     smtp_fqdn = "${local.application_data.accounts[local.environment].ses_domain_identity}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/ccms-ebs/ccms-ec2-oracle_ebs_db.tf line 31:
  31:     environment = "${local.environment}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/ccms-ebs

*****************************

Running Trivy in terraform/environments/ccms-ebs
2024-12-12T16:51:14Z	INFO	[vulndb] Need to update DB
2024-12-12T16:51:14Z	INFO	[vulndb] Downloading vulnerability DB...
2024-12-12T16:51:14Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-12T16:51:16Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-12T16:51:16Z	INFO	[vuln] Vulnerability scanning is enabled
2024-12-12T16:51:16Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-12-12T16:51:16Z	INFO	[misconfig] Need to update the built-in checks
2024-12-12T16:51:16Z	INFO	[misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2024-12-12T16:51:16Z	INFO	[secret] Secret scanning is enabled
2024-12-12T16:51:16Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-12T16:51:16Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-12T16:51:17Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-12-12T16:51:17Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-12-12T16:51:18Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_log_group.groups" value="cty.NilVal"
2024-12-12T16:51:18Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_security_group_rule.all_internal_egress_traffic" value="cty.NilVal"
2024-12-12T16:51:18Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_security_group_rule.all_internal_ingress_traffic" value="cty.NilVal"
2024-12-12T16:51:18Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T16:51:18Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T16:51:18Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.s3-bucket-dbbackup.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T16:51:18Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.s3-bucket-dbbackup.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T16:51:18Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.s3-bucket-logging.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T16:51:18Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.s3-bucket-logging.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-12T16:51:19Z	INFO	[terraform scanner] Scanning root module	file_path="modules"
2024-12-12T16:51:19Z	INFO	[terraform scanner] Scanning root module	file_path="modules/cw-logs"
2024-12-12T16:51:22Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-user-attached-policies" range="ccms-iam.tf:283-289"
2024-12-12T16:51:22Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-12-12T16:51:23Z	INFO	Number of language-specific files	num=0
2024-12-12T16:51:23Z	INFO	Detected config files	num=28

ccms-ec2-oracle_accessgate.tf (terraform)
=========================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 ccms-ec2-oracle_accessgate.tf:1-104
────────────────────────────────────────
   1resource "aws_instance" "ec2_accessgate" {
   2count                  = local.application_data.accounts[local.environment].accessgate_no_instances
   3instance_type          = local.application_data.accounts[local.environment].ec2_oracle_instance_type_accessgate
   4ami                    = local.application_data.accounts[local.environment]["accessgate_ami_id-${count.index + 1}"]
   5key_name               = local.application_data.accounts[local.environment].key_name
   6vpc_security_group_ids = [aws_security_group.ec2_sg_accessgate.id]
   7subnet_id              = local.private_subnets[count.index]
   8#subnet_id                   = data.aws_subnet.data_subnets_a.id
   9monitoring                  = true
  ..   
────────────────────────────────────────



ccms-ec2-oracle_ebs_apps-alb.tf (terraform)
===========================================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.


See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 ccms-ec2-oracle_ebs_apps-alb.tf:1-19
────────────────────────────────────────
   1resource "aws_lb" "ebsapps_lb" {
   2name               = lower(format("lb-%s-%s-ebsapp", local.application_name, local.environment))
   3internal           = false
   4load_balancer_type = "application"
   5security_groups    = [aws_security_group.sg_ebsapps_lb.id]
   6subnets            = data.aws_subnets.shared-public.ids
   78enable_deletion_protection = true
   9..   
────────────────────────────────────────


AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 ccms-ec2-oracle_ebs_apps-alb.tf:3
   via ccms-ec2-oracle_ebs_apps-alb.tf:1-19 (aws_lb.ebsapps_lb)
────────────────────────────────────────
   1   resource "aws_lb" "ebsapps_lb" {
   .   
   3 [   internal           = false
  ..   
  19   }
────────────────────────────────────────



ccms-ec2-oracle_ebs_apps-nlb.tf (terraform)
===========================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 ccms-ec2-oracle_ebs_apps-nlb.tf:18
   via ccms-ec2-oracle_ebs_apps-nlb.tf:16-42 (aws_lb.ebsapps_nlb)
────────────────────────────────────────
  16   resource "aws_lb" "ebsapps_nlb" {
  ..   
  18 [   internal           = false
  ..   
  42   }
────────────────────────────────────────



ccms-ec2-oracle_ebs_apps.tf (terraform)
=======================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 ccms-ec2-oracle_ebs_apps.tf:1-127
────────────────────────────────────────
   1resource "aws_instance" "ec2_ebsapps" {
   2 │   count                  = local.application_data.accounts[local.environment].ebsapps_no_instances
   3 │   instance_type          = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsapps
   4 │   ami                    = local.application_data.accounts[local.environment]["ebsapps_ami_id-${count.index + 1}"]
   5 │   key_name               = local.application_data.accounts[local.environment].key_name
   6 │   vpc_security_group_ids = [aws_security_group.ec2_sg_ebsapps.id]
   7 │   subnet_id              = local.private_subnets[count.index]
   8#subnet_id                   = data.aws_subnet.data_subnets_a.id
   9 └   monitoring                  = true
  ..   
────────────────────────────────────────



ccms-ec2-oracle_ebs_db.tf (terraform)
=====================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 ccms-ec2-oracle_ebs_db.tf:1-68
────────────────────────────────────────
   1 ┌ resource "aws_instance" "ec2_oracle_ebs" {
   2 │   instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsdb
   3#ami                         = data.aws_ami.oracle_db.id
   4 │   ami                         = local.application_data.accounts[local.environment].ebsdb_ami_id
   5 │   key_name                    = local.application_data.accounts[local.environment].key_name
   6 │   vpc_security_group_ids      = [aws_security_group.ec2_sg_ebsdb.id]
   7 │   subnet_id                   = data.aws_subnet.data_subnets_a.id
   8 │   monitoring                  = true
   9 └   ebs_optimized               = false
  ..   
────────────────────────────────────────



ccms-ec2-oracle_webgate-alb.tf (terraform)
==========================================
Tests: 3 (SUCCESSES: 0, FAILURES: 3)
Failures: 3 (HIGH: 3, CRITICAL: 0)

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.


See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 ccms-ec2-oracle_webgate-alb.tf:1-20
────────────────────────────────────────
   1 ┌ resource "aws_lb" "webgate_lb" {
   2 │   count              = local.is-production ? 1 : 1
   3 │   name               = lower(format("lb-%s-%s-wgate", local.application_name, local.environment))
   4 │   internal           = true
   5 │   load_balancer_type = "application"
   6 │   security_groups    = [aws_security_group.sg_webgate_lb.id]
   7 │   subnets            = data.aws_subnets.shared-private.ids
   89 └   enable_deletion_protection = true
  ..   
────────────────────────────────────────


AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.


See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 ccms-ec2-oracle_webgate-alb.tf:62-80
────────────────────────────────────────
  62 ┌ resource "aws_lb" "webgate_public_lb" {
  63 │   name               = lower(format("public-alb-webgate"))
  64 │   internal           = false
  65 │   load_balancer_type = "application"
  66 │   security_groups    = [aws_security_group.sg_webgate_lb.id]
  67 │   subnets            = data.aws_subnets.shared-public.ids
  6869 │   enable_deletion_protection = true
  70 └ 
  ..   
────────────────────────────────────────


AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 ccms-ec2-oracle_webgate-alb.tf:64
   via ccms-ec2-oracle_webgate-alb.tf:62-80 (aws_lb.webgate_public_lb)
────────────────────────────────────────
  62   resource "aws_lb" "webgate_public_lb" {
  ..   
  64 [   internal           = false
  ..   
  80   }
────────────────────────────────────────



ccms-ec2-oracle_webgate-nlb.tf (terraform)
==========================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 ccms-ec2-oracle_webgate-nlb.tf:18
   via ccms-ec2-oracle_webgate-nlb.tf:16-42 (aws_lb.webgate_nlb)
────────────────────────────────────────
  16   resource "aws_lb" "webgate_nlb" {
  ..   
  18 [   internal           = false
  ..   
  42   }
────────────────────────────────────────



ccms-ec2-oracle_webgate.tf (terraform)
======================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 ccms-ec2-oracle_webgate.tf:1-104
────────────────────────────────────────
   1 ┌ resource "aws_instance" "ec2_webgate" {
   2 │   count                  = local.application_data.accounts[local.environment].webgate_no_instances
   3 │   instance_type          = local.application_data.accounts[local.environment].ec2_oracle_instance_type_webgate
   4 │   ami                    = local.application_data.accounts[local.environment]["webgate_ami_id-${count.index + 1}"]
   5 │   key_name               = local.application_data.accounts[local.environment].key_name
   6 │   vpc_security_group_ids = [aws_security_group.ec2_sg_webgate.id]
   7 │   subnet_id              = local.private_subnets[count.index]
   8#subnet_id                   = data.aws_subnet.data_subnets_a.id
   9 └   monitoring                  = true
  ..   
────────────────────────────────────────



ccms-s3.tf (terraform)
======================
Tests: 8 (SUCCESSES: 0, FAILURES: 8)
Failures: 8 (HIGH: 8, CRITICAL: 0)

AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 ccms-s3.tf:286-288
────────────────────────────────────────
 286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
 287 │   bucket = "${local.application_name}-${local.environment}-shared"
 288 └ }
────────────────────────────────────────


AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 ccms-s3.tf:293-295
────────────────────────────────────────
 293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
 294 │   bucket = "${local.application_name}-${local.environment}-payment-load"
 295 └ }
────────────────────────────────────────


AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 ccms-s3.tf:286-288
────────────────────────────────────────
 286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
 287 │   bucket = "${local.application_name}-${local.environment}-shared"
 288 └ }
────────────────────────────────────────


AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 ccms-s3.tf:293-295
────────────────────────────────────────
 293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
 294 │   bucket = "${local.application_name}-${local.environment}-payment-load"
 295 └ }
────────────────────────────────────────


AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 ccms-s3.tf:286-288
────────────────────────────────────────
 286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
 287 │   bucket = "${local.application_name}-${local.environment}-shared"
 288 └ }
────────────────────────────────────────


AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 ccms-s3.tf:293-295
────────────────────────────────────────
 293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
 294 │   bucket = "${local.application_name}-${local.environment}-payment-load"
 295 └ }
────────────────────────────────────────


AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.


See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 ccms-s3.tf:286-288
────────────────────────────────────────
 286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
 287 │   bucket = "${local.application_name}-${local.environment}-shared"
 288 └ }
────────────────────────────────────────


AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.


See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 ccms-s3.tf:293-295
────────────────────────────────────────
 293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
 294 │   bucket = "${local.application_name}-${local.environment}-payment-load"
 295 └ }
────────────────────────────────────────


trivy_exitcode=1

@github-actions GitHub Actions
Copy link
Contributor

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/ccms-ebs

Running Trivy in terraform/environments/ccms-ebs
2024-12-13T09:16:11Z INFO [vulndb] Need to update DB
2024-12-13T09:16:11Z INFO [vulndb] Downloading vulnerability DB...
2024-12-13T09:16:11Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-13T09:16:13Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-13T09:16:13Z INFO [vuln] Vulnerability scanning is enabled
2024-12-13T09:16:13Z INFO [misconfig] Misconfiguration scanning is enabled
2024-12-13T09:16:13Z INFO [misconfig] Need to update the built-in checks
2024-12-13T09:16:13Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2024-12-13T09:16:13Z INFO [secret] Secret scanning is enabled
2024-12-13T09:16:13Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-13T09:16:13Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-13T09:16:15Z INFO [terraform scanner] Scanning root module file_path="."
2024-12-13T09:16:15Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-12-13T09:16:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_log_group.groups" value="cty.NilVal"
2024-12-13T09:16:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_security_group_rule.all_internal_egress_traffic" value="cty.NilVal"
2024-12-13T09:16:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_security_group_rule.all_internal_ingress_traffic" value="cty.NilVal"
2024-12-13T09:16:16Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-13T09:16:16Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-13T09:16:16Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket-dbbackup.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-13T09:16:16Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket-dbbackup.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-13T09:16:16Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket-logging.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-13T09:16:16Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket-logging.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-13T09:16:16Z INFO [terraform scanner] Scanning root module file_path="modules"
2024-12-13T09:16:16Z INFO [terraform scanner] Scanning root module file_path="modules/cw-logs"
2024-12-13T09:16:19Z INFO [terraform executor] Ignore finding rule="aws-iam-no-user-attached-policies" range="ccms-iam.tf:283-289"
2024-12-13T09:16:19Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-12-13T09:16:20Z INFO Number of language-specific files num=0
2024-12-13T09:16:20Z INFO Detected config files num=28

ccms-ec2-oracle_accessgate.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ccms-ec2-oracle_accessgate.tf:1-104
────────────────────────────────────────
1 ┌ resource "aws_instance" "ec2_accessgate" {
2 │ count = local.application_data.accounts[local.environment].accessgate_no_instances
3 │ instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_accessgate
4 │ ami = local.application_data.accounts[local.environment]["accessgate_ami_id-${count.index + 1}"]
5 │ key_name = local.application_data.accounts[local.environment].key_name
6 │ vpc_security_group_ids = [aws_security_group.ec2_sg_accessgate.id]
7 │ subnet_id = local.private_subnets[count.index]
8 │ #subnet_id = data.aws_subnet.data_subnets_a.id
9 └ monitoring = true
..
────────────────────────────────────────

ccms-ec2-oracle_ebs_apps-alb.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-alb.tf:1-19
────────────────────────────────────────
1 ┌ resource "aws_lb" "ebsapps_lb" {
2 │ name = lower(format("lb-%s-%s-ebsapp", local.application_name, local.environment))
3 │ internal = false
4 │ load_balancer_type = "application"
5 │ security_groups = [aws_security_group.sg_ebsapps_lb.id]
6 │ subnets = data.aws_subnets.shared-public.ids
7 │
8 │ enable_deletion_protection = true
9 └
..
────────────────────────────────────────

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-alb.tf:3
via ccms-ec2-oracle_ebs_apps-alb.tf:1-19 (aws_lb.ebsapps_lb)
────────────────────────────────────────
1 resource "aws_lb" "ebsapps_lb" {
.
3 [ internal = false
..
19 }
────────────────────────────────────────

ccms-ec2-oracle_ebs_apps-nlb.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-nlb.tf:18
via ccms-ec2-oracle_ebs_apps-nlb.tf:16-42 (aws_lb.ebsapps_nlb)
────────────────────────────────────────
16 resource "aws_lb" "ebsapps_nlb" {
..
18 [ internal = false
..
42 }
────────────────────────────────────────

ccms-ec2-oracle_ebs_apps.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps.tf:1-127
────────────────────────────────────────
1 ┌ resource "aws_instance" "ec2_ebsapps" {
2 │ count = local.application_data.accounts[local.environment].ebsapps_no_instances
3 │ instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsapps
4 │ ami = local.application_data.accounts[local.environment]["ebsapps_ami_id-${count.index + 1}"]
5 │ key_name = local.application_data.accounts[local.environment].key_name
6 │ vpc_security_group_ids = [aws_security_group.ec2_sg_ebsapps.id]
7 │ subnet_id = local.private_subnets[count.index]
8 │ #subnet_id = data.aws_subnet.data_subnets_a.id
9 └ monitoring = true
..
────────────────────────────────────────

ccms-ec2-oracle_ebs_db.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
ccms-ec2-oracle_ebs_db.tf:1-68
────────────────────────────────────────
1 ┌ resource "aws_instance" "ec2_oracle_ebs" {
2 │ instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsdb
3 │ #ami = data.aws_ami.oracle_db.id
4 │ ami = local.application_data.accounts[local.environment].ebsdb_ami_id
5 │ key_name = local.application_data.accounts[local.environment].key_name
6 │ vpc_security_group_ids = [aws_security_group.ec2_sg_ebsdb.id]
7 │ subnet_id = data.aws_subnet.data_subnets_a.id
8 │ monitoring = true
9 └ ebs_optimized = false
..
────────────────────────────────────────

ccms-ec2-oracle_webgate-alb.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 3)
Failures: 3 (HIGH: 3, CRITICAL: 0)

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
ccms-ec2-oracle_webgate-alb.tf:1-20
────────────────────────────────────────
1 ┌ resource "aws_lb" "webgate_lb" {
2 │ count = local.is-production ? 1 : 1
3 │ name = lower(format("lb-%s-%s-wgate", local.application_name, local.environment))
4 │ internal = true
5 │ load_balancer_type = "application"
6 │ security_groups = [aws_security_group.sg_webgate_lb.id]
7 │ subnets = data.aws_subnets.shared-private.ids
8 │
9 └ enable_deletion_protection = true
..
────────────────────────────────────────

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
ccms-ec2-oracle_webgate-alb.tf:62-80
────────────────────────────────────────
62 ┌ resource "aws_lb" "webgate_public_lb" {
63 │ name = lower(format("public-alb-webgate"))
64 │ internal = false
65 │ load_balancer_type = "application"
66 │ security_groups = [aws_security_group.sg_webgate_lb.id]
67 │ subnets = data.aws_subnets.shared-public.ids
68 │
69 │ enable_deletion_protection = true
70 └
..
────────────────────────────────────────

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ccms-ec2-oracle_webgate-alb.tf:64
via ccms-ec2-oracle_webgate-alb.tf:62-80 (aws_lb.webgate_public_lb)
────────────────────────────────────────
62 resource "aws_lb" "webgate_public_lb" {
..
64 [ internal = false
..
80 }
────────────────────────────────────────

ccms-ec2-oracle_webgate-nlb.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ccms-ec2-oracle_webgate-nlb.tf:18
via ccms-ec2-oracle_webgate-nlb.tf:16-42 (aws_lb.webgate_nlb)
────────────────────────────────────────
16 resource "aws_lb" "webgate_nlb" {
..
18 [ internal = false
..
42 }
────────────────────────────────────────

ccms-ec2-oracle_webgate.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ccms-ec2-oracle_webgate.tf:1-104
────────────────────────────────────────
1 ┌ resource "aws_instance" "ec2_webgate" {
2 │ count = local.application_data.accounts[local.environment].webgate_no_instances
3 │ instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_webgate
4 │ ami = local.application_data.accounts[local.environment]["webgate_ami_id-${count.index + 1}"]
5 │ key_name = local.application_data.accounts[local.environment].key_name
6 │ vpc_security_group_ids = [aws_security_group.ec2_sg_webgate.id]
7 │ subnet_id = local.private_subnets[count.index]
8 │ #subnet_id = data.aws_subnet.data_subnets_a.id
9 └ monitoring = true
..
────────────────────────────────────────

ccms-s3.tf (terraform)

Tests: 8 (SUCCESSES: 0, FAILURES: 8)
Failures: 8 (HIGH: 8, CRITICAL: 0)

AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.

See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
ccms-s3.tf:286-288
────────────────────────────────────────
286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
287 │ bucket = "${local.application_name}-${local.environment}-shared"
288 └ }
────────────────────────────────────────

AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.

See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
ccms-s3.tf:293-295
────────────────────────────────────────
293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
294 │ bucket = "${local.application_name}-${local.environment}-payment-load"
295 └ }
────────────────────────────────────────

AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
ccms-s3.tf:286-288
────────────────────────────────────────
286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
287 │ bucket = "${local.application_name}-${local.environment}-shared"
288 └ }
────────────────────────────────────────

AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
ccms-s3.tf:293-295
────────────────────────────────────────
293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
294 │ bucket = "${local.application_name}-${local.environment}-payment-load"
295 └ }
────────────────────────────────────────

AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
ccms-s3.tf:286-288
────────────────────────────────────────
286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
287 │ bucket = "${local.application_name}-${local.environment}-shared"
288 └ }
────────────────────────────────────────

AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
ccms-s3.tf:293-295
────────────────────────────────────────
293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
294 │ bucket = "${local.application_name}-${local.environment}-payment-load"
295 └ }
────────────────────────────────────────

AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
ccms-s3.tf:286-288
────────────────────────────────────────
286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
287 │ bucket = "${local.application_name}-${local.environment}-shared"
288 └ }
────────────────────────────────────────

AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
ccms-s3.tf:293-295
────────────────────────────────────────
293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
294 │ bucket = "${local.application_name}-${local.environment}-payment-load"
295 └ }
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/ccms-ebs

*****************************

Running Checkov in terraform/environments/ccms-ebs
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-12-13 09:16:22,691 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 955, Failed checks: 74, Skipped checks: 3

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.cloudwatch_datasource
	File: /ccms-cloudwatch.tf:54-106
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.groups
	File: /ccms-cloudwatch.tf:15-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		15 | resource "aws_cloudwatch_log_group" "groups" {
		16 |   for_each          = local.application_data.cw_log_groups
		17 |   name              = each.key
		18 |   retention_in_days = each.value.retention_days
		19 | 
		20 |   tags = merge(
		21 |     local.tags,
		22 |     {
		23 |       Name = each.key
		24 |     },
		25 |   )
		26 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.dlm_lifecycle
	File: /ccms-dlm.tf:24-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		24 | resource "aws_iam_role_policy" "dlm_lifecycle" {
		25 |   count = local.is-production ? 0 : 1
		26 |   name  = "dlm-lifecycle-policy"
		27 |   role  = aws_iam_role.dlm_lifecycle_role[0].id
		28 | 
		29 |   policy = <<EOF
		30 | {
		31 |    "Version": "2012-10-17",
		32 |    "Statement": [
		33 |       {
		34 |          "Effect": "Allow",
		35 |          "Action": [
		36 |             "ec2:CreateSnapshot",
		37 |             "ec2:DeleteSnapshot",
		38 |             "ec2:DescribeVolumes",
		39 |             "ec2:DescribeSnapshots"
		40 |          ],
		41 |          "Resource": "*"
		42 |       },
		43 |       {
		44 |          "Effect": "Allow",
		45 |          "Action": [
		46 |             "ec2:CreateTags"
		47 |          ],
		48 |          "Resource": "arn:aws:ec2:*::snapshot/*"
		49 |       }
		50 |    ]
		51 | }
		52 | EOF
		53 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.dlm_lifecycle
	File: /ccms-dlm.tf:24-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		24 | resource "aws_iam_role_policy" "dlm_lifecycle" {
		25 |   count = local.is-production ? 0 : 1
		26 |   name  = "dlm-lifecycle-policy"
		27 |   role  = aws_iam_role.dlm_lifecycle_role[0].id
		28 | 
		29 |   policy = <<EOF
		30 | {
		31 |    "Version": "2012-10-17",
		32 |    "Statement": [
		33 |       {
		34 |          "Effect": "Allow",
		35 |          "Action": [
		36 |             "ec2:CreateSnapshot",
		37 |             "ec2:DeleteSnapshot",
		38 |             "ec2:DescribeVolumes",
		39 |             "ec2:DescribeSnapshots"
		40 |          ],
		41 |          "Resource": "*"
		42 |       },
		43 |       {
		44 |          "Effect": "Allow",
		45 |          "Action": [
		46 |             "ec2:CreateTags"
		47 |          ],
		48 |          "Resource": "arn:aws:ec2:*::snapshot/*"
		49 |       }
		50 |    ]
		51 | }
		52 | EOF
		53 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_ftp
	File: /ccms-ec2-ftp.tf:1-67
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_mailrelay
	File: /ccms-ec2-mailrelay.tf:2-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.ec2_accessgate
	File: /ccms-ec2-oracle_accessgate.tf:1-104
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_accessgate
	File: /ccms-ec2-oracle_accessgate.tf:1-104
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.ebsapps_lb
	File: /ccms-ec2-oracle_ebs_apps-alb.tf:1-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		1  | resource "aws_lb" "ebsapps_lb" {
		2  |   name               = lower(format("lb-%s-%s-ebsapp", local.application_name, local.environment))
		3  |   internal           = false
		4  |   load_balancer_type = "application"
		5  |   security_groups    = [aws_security_group.sg_ebsapps_lb.id]
		6  |   subnets            = data.aws_subnets.shared-public.ids
		7  | 
		8  |   enable_deletion_protection = true
		9  | 
		10 |   access_logs {
		11 |     bucket  = module.s3-bucket-logging.bucket.id
		12 |     prefix  = local.lb_log_prefix_ebsapp
		13 |     enabled = true
		14 |   }
		15 | 
		16 |   tags = merge(local.tags,
		17 |     { Name = lower(format("lb-%s-%s-ebsapp", local.application_name, local.environment)) }
		18 |   )
		19 | }

Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
	FAILED for resource: aws_lb_target_group.ebsapp_tg
	File: /ccms-ec2-oracle_ebs_apps-alb.tf:39-54
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks

		39 | resource "aws_lb_target_group" "ebsapp_tg" {
		40 |   name     = lower(format("tg-%s-%s-ebsapp", local.application_name, local.environment))
		41 |   port     = local.application_data.accounts[local.environment].tg_apps_port
		42 |   protocol = "HTTP"
		43 |   vpc_id   = data.aws_vpc.shared.id
		44 |   health_check {
		45 |     port     = local.application_data.accounts[local.environment].tg_apps_port
		46 |     protocol = "HTTP"
		47 |   }
		48 | 
		49 |   stickiness {
		50 |     enabled         = true
		51 |     type            = "lb_cookie"
		52 |     cookie_duration = 3600
		53 |   }
		54 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.ebsapps_nlb
	File: /ccms-ec2-oracle_ebs_apps-nlb.tf:16-42
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		16 | resource "aws_lb" "ebsapps_nlb" {
		17 |   name               = lower(format("nlb-%s-%s-ebs", local.application_name, local.environment))
		18 |   internal           = false
		19 |   load_balancer_type = "network"
		20 | 
		21 |   enable_deletion_protection       = true
		22 |   enable_cross_zone_load_balancing = true
		23 | 
		24 |   subnet_mapping {
		25 |     subnet_id     = data.aws_subnets.shared-public.ids[0]
		26 |     allocation_id = aws_eip.ebs_eip[0].id
		27 |   }
		28 | 
		29 |   subnet_mapping {
		30 |     subnet_id     = data.aws_subnets.shared-public.ids[1]
		31 |     allocation_id = aws_eip.ebs_eip[1].id
		32 |   }
		33 | 
		34 |   subnet_mapping {
		35 |     subnet_id     = data.aws_subnets.shared-public.ids[2]
		36 |     allocation_id = aws_eip.ebs_eip[2].id
		37 |   }
		38 | 
		39 |   tags = merge(local.tags,
		40 |     { Name = lower(format("nlb-%s-%s-ebsapp", local.application_name, local.environment)) }
		41 |   )
		42 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.ec2_ebsapps
	File: /ccms-ec2-oracle_ebs_apps.tf:1-127
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_ebsapps
	File: /ccms-ec2-oracle_ebs_apps.tf:1-127
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
	FAILED for resource: aws_instance.ec2_oracle_ebs
	File: /ccms-ec2-oracle_ebs_db.tf:1-68
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-13

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_oracle_ebs
	File: /ccms-ec2-oracle_ebs_db.tf:1-68
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.webgate_lb
	File: /ccms-ec2-oracle_webgate-alb.tf:1-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		1  | resource "aws_lb" "webgate_lb" {
		2  |   count              = local.is-production ? 1 : 1
		3  |   name               = lower(format("lb-%s-%s-wgate", local.application_name, local.environment))
		4  |   internal           = true
		5  |   load_balancer_type = "application"
		6  |   security_groups    = [aws_security_group.sg_webgate_lb.id]
		7  |   subnets            = data.aws_subnets.shared-private.ids
		8  | 
		9  |   enable_deletion_protection = true
		10 | 
		11 |   access_logs {
		12 |     bucket  = module.s3-bucket-logging.bucket.id
		13 |     prefix  = local.lb_log_prefix_wgate
		14 |     enabled = true
		15 |   }
		16 | 
		17 |   tags = merge(local.tags,
		18 |     { Name = lower(format("lb-%s-%s-wgate", local.application_name, local.environment)) }
		19 |   )
		20 | }

Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
	FAILED for resource: aws_lb_target_group.webgate_tg
	File: /ccms-ec2-oracle_webgate-alb.tf:40-52
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks

		40 | resource "aws_lb_target_group" "webgate_tg" {
		41 |   count    = local.is-production ? 1 : 1
		42 |   name     = lower(format("tg-%s-%s-wgate", local.application_name, local.environment))
		43 |   port     = 5401
		44 |   protocol = "HTTP"
		45 |   vpc_id   = data.aws_vpc.shared.id
		46 |   health_check {
		47 |     port     = 5401
		48 |     protocol = "HTTP"
		49 |     matcher  = 302
		50 |     timeout  = 10
		51 |   }
		52 | }

Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.webgate_public_lb
	File: /ccms-ec2-oracle_webgate-alb.tf:62-80
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		62 | resource "aws_lb" "webgate_public_lb" {
		63 |   name               = lower(format("public-alb-webgate"))
		64 |   internal           = false
		65 |   load_balancer_type = "application"
		66 |   security_groups    = [aws_security_group.sg_webgate_lb.id]
		67 |   subnets            = data.aws_subnets.shared-public.ids
		68 | 
		69 |   enable_deletion_protection = true
		70 | 
		71 |   access_logs {
		72 |     bucket  = module.s3-bucket-logging.bucket.id
		73 |     prefix  = local.lb_log_prefix_wgate_public
		74 |     enabled = true
		75 |   }
		76 | 
		77 |   tags = merge(local.tags,
		78 |     { Name = lower(format("public-alb-webgate")) }
		79 |   )
		80 | }

Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
	FAILED for resource: aws_lb_target_group.webgate_tg_public
	File: /ccms-ec2-oracle_webgate-alb.tf:100-111
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks

		100 | resource "aws_lb_target_group" "webgate_tg_public" {
		101 |   name     = lower(format("public-alb-webgate-tg"))
		102 |   port     = 5401
		103 |   protocol = "HTTP"
		104 |   vpc_id   = data.aws_vpc.shared.id
		105 |   health_check {
		106 |     port     = 5401
		107 |     protocol = "HTTP"
		108 |     matcher  = 302
		109 |     timeout  = 10
		110 |   }
		111 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.webgate_nlb
	File: /ccms-ec2-oracle_webgate-nlb.tf:16-42
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		16 | resource "aws_lb" "webgate_nlb" {
		17 |   name               = lower(format("public-nlb-webgate"))
		18 |   internal           = false
		19 |   load_balancer_type = "network"
		20 | 
		21 |   enable_deletion_protection       = true
		22 |   enable_cross_zone_load_balancing = true
		23 | 
		24 |   subnet_mapping {
		25 |     subnet_id     = data.aws_subnets.shared-public.ids[0]
		26 |     allocation_id = aws_eip.webgate_eip[0].id
		27 |   }
		28 | 
		29 |   subnet_mapping {
		30 |     subnet_id     = data.aws_subnets.shared-public.ids[1]
		31 |     allocation_id = aws_eip.webgate_eip[1].id
		32 |   }
		33 | 
		34 |   subnet_mapping {
		35 |     subnet_id     = data.aws_subnets.shared-public.ids[2]
		36 |     allocation_id = aws_eip.webgate_eip[2].id
		37 |   }
		38 | 
		39 |   tags = merge(local.tags,
		40 |     { Name = lower(format("public-nlb-webgate")) }
		41 |   )
		42 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.ec2_webgate
	File: /ccms-ec2-oracle_webgate.tf:1-104
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_webgate
	File: /ccms-ec2-oracle_webgate.tf:1-104
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.ec2_operations_policy
	File: /ccms-iam.tf:249-273
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		249 | resource "aws_iam_policy" "ec2_operations_policy" {
		250 |   name        = "ec2_operations-${local.environment}"
		251 |   description = "Allows EC2 operations."
		252 | 
		253 |   policy = jsonencode(
		254 |     {
		255 |       "Version" : "2012-10-17",
		256 |       "Statement" : [
		257 |         {
		258 |           "Sid" : "EC2Operations",
		259 |           "Effect" : "Allow",
		260 |           "Action" : [
		261 |             "ec2:Describe*",
		262 |             "ec2:CreateSnapshot",
		263 |             "ec2:CreateSnapshots",
		264 |             "ec2:DeleteSnapshot",
		265 |             "ec2:CreateTags",
		266 |             "ec2:DeleteTags"
		267 |           ],
		268 |           "Resource" : "*"
		269 |         }
		270 |       ]
		271 |     }
		272 |   )
		273 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.ec2_operations_policy
	File: /ccms-iam.tf:249-273
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		249 | resource "aws_iam_policy" "ec2_operations_policy" {
		250 |   name        = "ec2_operations-${local.environment}"
		251 |   description = "Allows EC2 operations."
		252 | 
		253 |   policy = jsonencode(
		254 |     {
		255 |       "Version" : "2012-10-17",
		256 |       "Statement" : [
		257 |         {
		258 |           "Sid" : "EC2Operations",
		259 |           "Effect" : "Allow",
		260 |           "Action" : [
		261 |             "ec2:Describe*",
		262 |             "ec2:CreateSnapshot",
		263 |             "ec2:CreateSnapshots",
		264 |             "ec2:DeleteSnapshot",
		265 |             "ec2:CreateTags",
		266 |             "ec2:DeleteTags"
		267 |           ],
		268 |           "Resource" : "*"
		269 |         }
		270 |       ]
		271 |     }
		272 |   )
		273 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.certificate_expiration_alerts
	File: /ccms-lambda-certificate-monitor.tf:46-51
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		46 | resource "aws_sns_topic" "certificate_expiration_alerts" {
		47 |   name = "${local.application_name}-${local.environment}-acm-certificate-alerts"
		48 |   tags = merge(local.tags, {
		49 |     Name = "${local.application_name}-${local.environment}-certificate-monitor"
		50 |   })
		51 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.certificate_monitor
	File: /ccms-lambda-certificate-monitor.tf:59-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		59 | resource "aws_lambda_function" "certificate_monitor" {
		60 |   filename      = "./lambda/certificate_monitor.zip"
		61 |   function_name = "${local.application_name}-${local.environment}-certificate-monitor"
		62 |   role          = aws_iam_role.lambda_certificate_monitor_role.arn
		63 |   handler       = "lambda_function.lambda_handler"
		64 |   runtime       = "python3.13"
		65 |   timeout       = 30
		66 | 
		67 |   environment {
		68 |     variables = {
		69 |       EXPIRY_DAYS   = local.application_data.accounts[local.environment].certificate_expiry_days
		70 |       SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
		71 |     }
		72 |   }
		73 |   tags = merge(local.tags, {
		74 |     Name = "${local.application_name}-${local.environment}-certificate-monitor"
		75 |   })
		76 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.certificate_monitor
	File: /ccms-lambda-certificate-monitor.tf:59-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		59 | resource "aws_lambda_function" "certificate_monitor" {
		60 |   filename      = "./lambda/certificate_monitor.zip"
		61 |   function_name = "${local.application_name}-${local.environment}-certificate-monitor"
		62 |   role          = aws_iam_role.lambda_certificate_monitor_role.arn
		63 |   handler       = "lambda_function.lambda_handler"
		64 |   runtime       = "python3.13"
		65 |   timeout       = 30
		66 | 
		67 |   environment {
		68 |     variables = {
		69 |       EXPIRY_DAYS   = local.application_data.accounts[local.environment].certificate_expiry_days
		70 |       SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
		71 |     }
		72 |   }
		73 |   tags = merge(local.tags, {
		74 |     Name = "${local.application_name}-${local.environment}-certificate-monitor"
		75 |   })
		76 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.certificate_monitor
	File: /ccms-lambda-certificate-monitor.tf:59-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		59 | resource "aws_lambda_function" "certificate_monitor" {
		60 |   filename      = "./lambda/certificate_monitor.zip"
		61 |   function_name = "${local.application_name}-${local.environment}-certificate-monitor"
		62 |   role          = aws_iam_role.lambda_certificate_monitor_role.arn
		63 |   handler       = "lambda_function.lambda_handler"
		64 |   runtime       = "python3.13"
		65 |   timeout       = 30
		66 | 
		67 |   environment {
		68 |     variables = {
		69 |       EXPIRY_DAYS   = local.application_data.accounts[local.environment].certificate_expiry_days
		70 |       SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
		71 |     }
		72 |   }
		73 |   tags = merge(local.tags, {
		74 |     Name = "${local.application_name}-${local.environment}-certificate-monitor"
		75 |   })
		76 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.certificate_monitor
	File: /ccms-lambda-certificate-monitor.tf:59-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		59 | resource "aws_lambda_function" "certificate_monitor" {
		60 |   filename      = "./lambda/certificate_monitor.zip"
		61 |   function_name = "${local.application_name}-${local.environment}-certificate-monitor"
		62 |   role          = aws_iam_role.lambda_certificate_monitor_role.arn
		63 |   handler       = "lambda_function.lambda_handler"
		64 |   runtime       = "python3.13"
		65 |   timeout       = 30
		66 | 
		67 |   environment {
		68 |     variables = {
		69 |       EXPIRY_DAYS   = local.application_data.accounts[local.environment].certificate_expiry_days
		70 |       SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
		71 |     }
		72 |   }
		73 |   tags = merge(local.tags, {
		74 |     Name = "${local.application_name}-${local.environment}-certificate-monitor"
		75 |   })
		76 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.certificate_monitor
	File: /ccms-lambda-certificate-monitor.tf:59-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		59 | resource "aws_lambda_function" "certificate_monitor" {
		60 |   filename      = "./lambda/certificate_monitor.zip"
		61 |   function_name = "${local.application_name}-${local.environment}-certificate-monitor"
		62 |   role          = aws_iam_role.lambda_certificate_monitor_role.arn
		63 |   handler       = "lambda_function.lambda_handler"
		64 |   runtime       = "python3.13"
		65 |   timeout       = 30
		66 | 
		67 |   environment {
		68 |     variables = {
		69 |       EXPIRY_DAYS   = local.application_data.accounts[local.environment].certificate_expiry_days
		70 |       SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
		71 |     }
		72 |   }
		73 |   tags = merge(local.tags, {
		74 |     Name = "${local.application_name}-${local.environment}-certificate-monitor"
		75 |   })
		76 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.certificate_monitor
	File: /ccms-lambda-certificate-monitor.tf:59-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		59 | resource "aws_lambda_function" "certificate_monitor" {
		60 |   filename      = "./lambda/certificate_monitor.zip"
		61 |   function_name = "${local.application_name}-${local.environment}-certificate-monitor"
		62 |   role          = aws_iam_role.lambda_certificate_monitor_role.arn
		63 |   handler       = "lambda_function.lambda_handler"
		64 |   runtime       = "python3.13"
		65 |   timeout       = 30
		66 | 
		67 |   environment {
		68 |     variables = {
		69 |       EXPIRY_DAYS   = local.application_data.accounts[local.environment].certificate_expiry_days
		70 |       SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
		71 |     }
		72 |   }
		73 |   tags = merge(local.tags, {
		74 |     Name = "${local.application_name}-${local.environment}-certificate-monitor"
		75 |   })
		76 | }

Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
	FAILED for resource: aws_security_group.lambda_security_group
	File: /ccms-lambda.tf:22-44

		22 | resource "aws_security_group" "lambda_security_group" {
		23 |   name        = "${local.application_name}-${local.environment}-lambda-sg"
		24 |   description = "SG traffic control for Payment Load Lambda"
		25 |   vpc_id      = data.aws_vpc.shared.id
		26 | 
		27 |   ingress {
		28 |     from_port   = 1521
		29 |     to_port     = 1522
		30 |     protocol    = "tcp"
		31 |     cidr_blocks = [data.aws_vpc.shared.cidr_block]
		32 |   }
		33 | 
		34 |   egress {
		35 |     from_port   = 0
		36 |     to_port     = 0
		37 |     protocol    = "-1"
		38 |     cidr_blocks = ["0.0.0.0/0"]
		39 |   }
		40 | 
		41 |   tags = merge(local.tags,
		42 |     { Name = "${local.application_name}-${local.environment}-lambda-sg" }
		43 |   )
		44 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.lambda_security_group
	File: /ccms-lambda.tf:22-44
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		22 | resource "aws_security_group" "lambda_security_group" {
		23 |   name        = "${local.application_name}-${local.environment}-lambda-sg"
		24 |   description = "SG traffic control for Payment Load Lambda"
		25 |   vpc_id      = data.aws_vpc.shared.id
		26 | 
		27 |   ingress {
		28 |     from_port   = 1521
		29 |     to_port     = 1522
		30 |     protocol    = "tcp"
		31 |     cidr_blocks = [data.aws_vpc.shared.cidr_block]
		32 |   }
		33 | 
		34 |   egress {
		35 |     from_port   = 0
		36 |     to_port     = 0
		37 |     protocol    = "-1"
		38 |     cidr_blocks = ["0.0.0.0/0"]
		39 |   }
		40 | 
		41 |   tags = merge(local.tags,
		42 |     { Name = "${local.application_name}-${local.environment}-lambda-sg" }
		43 |   )
		44 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.lambda_function
	File: /ccms-lambda.tf:48-82
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		48 | resource "aws_lambda_function" "lambda_function" {
		49 |   function_name = "${local.application_name}-${local.environment}-payment-load"
		50 |   filename      = "lambda/functionV2.zip"
		51 |   handler       = "lambda_function.lambda_handler"
		52 |   runtime       = "python3.10"
		53 |   role          = aws_iam_role.lambda_execution_role.arn
		54 |   layers        = [aws_lambda_layer_version.lambda_layer.arn]
		55 |   architectures = ["x86_64"]
		56 |   memory_size   = 128
		57 |   timeout       = 120
		58 | 
		59 |   vpc_config {
		60 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		61 |     security_group_ids = [aws_security_group.lambda_security_group.id]
		62 |   }
		63 |   environment {
		64 |     variables = {
		65 |       IS_PRODUCTION   = local.is-production ? "true" : "false"
		66 |       LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
		67 |       S3_BUCKET_NAME  = aws_s3_bucket.lambda_payment_load.bucket
		68 |       SECRET_NAME     = aws_secretsmanager_secret.secret_lambda_s3.name
		69 |     }
		70 |   }
		71 |   logging_config {
		72 |     log_format            = "JSON"
		73 |     application_log_level = "INFO"
		74 |     system_log_level      = "INFO"
		75 |   }
		76 | 
		77 |   tags = merge(local.tags, {
		78 |     Name = "${local.application_name}-${local.environment}-payment-load"
		79 |   })
		80 | 
		81 |   depends_on = [aws_lambda_layer_version.lambda_layer]
		82 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.lambda_function
	File: /ccms-lambda.tf:48-82
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		48 | resource "aws_lambda_function" "lambda_function" {
		49 |   function_name = "${local.application_name}-${local.environment}-payment-load"
		50 |   filename      = "lambda/functionV2.zip"
		51 |   handler       = "lambda_function.lambda_handler"
		52 |   runtime       = "python3.10"
		53 |   role          = aws_iam_role.lambda_execution_role.arn
		54 |   layers        = [aws_lambda_layer_version.lambda_layer.arn]
		55 |   architectures = ["x86_64"]
		56 |   memory_size   = 128
		57 |   timeout       = 120
		58 | 
		59 |   vpc_config {
		60 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		61 |     security_group_ids = [aws_security_group.lambda_security_group.id]
		62 |   }
		63 |   environment {
		64 |     variables = {
		65 |       IS_PRODUCTION   = local.is-production ? "true" : "false"
		66 |       LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
		67 |       S3_BUCKET_NAME  = aws_s3_bucket.lambda_payment_load.bucket
		68 |       SECRET_NAME     = aws_secretsmanager_secret.secret_lambda_s3.name
		69 |     }
		70 |   }
		71 |   logging_config {
		72 |     log_format            = "JSON"
		73 |     application_log_level = "INFO"
		74 |     system_log_level      = "INFO"
		75 |   }
		76 | 
		77 |   tags = merge(local.tags, {
		78 |     Name = "${local.application_name}-${local.environment}-payment-load"
		79 |   })
		80 | 
		81 |   depends_on = [aws_lambda_layer_version.lambda_layer]
		82 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.lambda_function
	File: /ccms-lambda.tf:48-82
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		48 | resource "aws_lambda_function" "lambda_function" {
		49 |   function_name = "${local.application_name}-${local.environment}-payment-load"
		50 |   filename      = "lambda/functionV2.zip"
		51 |   handler       = "lambda_function.lambda_handler"
		52 |   runtime       = "python3.10"
		53 |   role          = aws_iam_role.lambda_execution_role.arn
		54 |   layers        = [aws_lambda_layer_version.lambda_layer.arn]
		55 |   architectures = ["x86_64"]
		56 |   memory_size   = 128
		57 |   timeout       = 120
		58 | 
		59 |   vpc_config {
		60 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		61 |     security_group_ids = [aws_security_group.lambda_security_group.id]
		62 |   }
		63 |   environment {
		64 |     variables = {
		65 |       IS_PRODUCTION   = local.is-production ? "true" : "false"
		66 |       LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
		67 |       S3_BUCKET_NAME  = aws_s3_bucket.lambda_payment_load.bucket
		68 |       SECRET_NAME     = aws_secretsmanager_secret.secret_lambda_s3.name
		69 |     }
		70 |   }
		71 |   logging_config {
		72 |     log_format            = "JSON"
		73 |     application_log_level = "INFO"
		74 |     system_log_level      = "INFO"
		75 |   }
		76 | 
		77 |   tags = merge(local.tags, {
		78 |     Name = "${local.application_name}-${local.environment}-payment-load"
		79 |   })
		80 | 
		81 |   depends_on = [aws_lambda_layer_version.lambda_layer]
		82 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.lambda_function
	File: /ccms-lambda.tf:48-82
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		48 | resource "aws_lambda_function" "lambda_function" {
		49 |   function_name = "${local.application_name}-${local.environment}-payment-load"
		50 |   filename      = "lambda/functionV2.zip"
		51 |   handler       = "lambda_function.lambda_handler"
		52 |   runtime       = "python3.10"
		53 |   role          = aws_iam_role.lambda_execution_role.arn
		54 |   layers        = [aws_lambda_layer_version.lambda_layer.arn]
		55 |   architectures = ["x86_64"]
		56 |   memory_size   = 128
		57 |   timeout       = 120
		58 | 
		59 |   vpc_config {
		60 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		61 |     security_group_ids = [aws_security_group.lambda_security_group.id]
		62 |   }
		63 |   environment {
		64 |     variables = {
		65 |       IS_PRODUCTION   = local.is-production ? "true" : "false"
		66 |       LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
		67 |       S3_BUCKET_NAME  = aws_s3_bucket.lambda_payment_load.bucket
		68 |       SECRET_NAME     = aws_secretsmanager_secret.secret_lambda_s3.name
		69 |     }
		70 |   }
		71 |   logging_config {
		72 |     log_format            = "JSON"
		73 |     application_log_level = "INFO"
		74 |     system_log_level      = "INFO"
		75 |   }
		76 | 
		77 |   tags = merge(local.tags, {
		78 |     Name = "${local.application_name}-${local.environment}-payment-load"
		79 |   })
		80 | 
		81 |   depends_on = [aws_lambda_layer_version.lambda_layer]
		82 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.lambda_function
	File: /ccms-lambda.tf:48-82
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		48 | resource "aws_lambda_function" "lambda_function" {
		49 |   function_name = "${local.application_name}-${local.environment}-payment-load"
		50 |   filename      = "lambda/functionV2.zip"
		51 |   handler       = "lambda_function.lambda_handler"
		52 |   runtime       = "python3.10"
		53 |   role          = aws_iam_role.lambda_execution_role.arn
		54 |   layers        = [aws_lambda_layer_version.lambda_layer.arn]
		55 |   architectures = ["x86_64"]
		56 |   memory_size   = 128
		57 |   timeout       = 120
		58 | 
		59 |   vpc_config {
		60 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		61 |     security_group_ids = [aws_security_group.lambda_security_group.id]
		62 |   }
		63 |   environment {
		64 |     variables = {
		65 |       IS_PRODUCTION   = local.is-production ? "true" : "false"
		66 |       LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
		67 |       S3_BUCKET_NAME  = aws_s3_bucket.lambda_payment_load.bucket
		68 |       SECRET_NAME     = aws_secretsmanager_secret.secret_lambda_s3.name
		69 |     }
		70 |   }
		71 |   logging_config {
		72 |     log_format            = "JSON"
		73 |     application_log_level = "INFO"
		74 |     system_log_level      = "INFO"
		75 |   }
		76 | 
		77 |   tags = merge(local.tags, {
		78 |     Name = "${local.application_name}-${local.environment}-payment-load"
		79 |   })
		80 | 
		81 |   depends_on = [aws_lambda_layer_version.lambda_layer]
		82 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3-bucket
	File: /ccms-s3.tf:2-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3-bucket-logging
	File: /ccms-s3.tf:98-166
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3-bucket-dbbackup
	File: /ccms-s3.tf:190-258
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.secret_ftp_s3
	File: /ccms-secrets.tf:3-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		3  | resource "aws_secretsmanager_secret" "secret_ftp_s3" {
		4  |   name        = "ftp-s3-${local.environment}-aws-key"
		5  |   description = "AWS credentials for mounting of s3 buckets for the FTP Service to access"
		6  | 
		7  |   tags = merge(local.tags,
		8  |     { Name = "ftp-s3-${local.environment}-aws-key" }
		9  |   )
		10 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.secret_ses_smtp_credentials
	File: /ccms-secrets.tf:12-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		12 | resource "aws_secretsmanager_secret" "secret_ses_smtp_credentials" {
		13 |   name        = "ses-smtp-credentials"
		14 |   description = "SMTP credentials for Postfix to send messages through SES."
		15 | 
		16 |   tags = merge(local.tags,
		17 |     { Name = "ses-smtp-credentials-${local.environment}" }
		18 |   )
		19 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.secret_lambda_s3
	File: /ccms-secrets.tf:23-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		23 | resource "aws_secretsmanager_secret" "secret_lambda_s3" {
		24 |   name        = "db-${local.environment}-credentials"
		25 |   description = "AWS credentials for lambda to connect to the db"
		26 | 
		27 |   tags = merge(local.tags,
		28 |     { Name = "db-${local.environment}-credentials" }
		29 |   )
		30 | }
Check: CKV_AWS_365: "Ensure SES Configuration Set enforces TLS usage"
	FAILED for resource: aws_ses_configuration_set.default_configuration_set
	File: /ccms-ses.tf:35-43
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-365

		35 | resource "aws_ses_configuration_set" "default_configuration_set" {
		36 |   name = "default-configuration-set"
		37 | 
		38 |   delivery_options {
		39 |     tls_policy = "Optional"
		40 |   }
		41 |   reputation_metrics_enabled = true
		42 |   sending_enabled            = true
		43 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.support_email_account
	File: /ccms-sns.tf:2-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		2 | resource "aws_secretsmanager_secret" "support_email_account" {
		3 |   name        = "support_email_account"
		4 |   description = "email address of the support account for cw alerts"
		5 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.cw_alerts
	File: /ccms-sns.tf:17-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		17 | resource "aws_sns_topic" "cw_alerts" {
		18 |   name = "ccms-ebs-ec2-alerts"
		19 |   #kms_master_key_id = "alias/aws/sns"
		20 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.s3_topic
	File: /ccms-sns.tf:34-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		34 | resource "aws_sns_topic" "s3_topic" {
		35 |   name   = "s3-event-notification-topic"
		36 |   policy = data.aws_iam_policy_document.s3_topic_policy.json
		37 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.ddos_alarm
	File: /ccms-sns.tf:51-54
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		51 | resource "aws_sns_topic" "ddos_alarm" {
		52 |   name = format("%s_ddos_alarm", local.application_name)
		53 |   #kms_master_key_id = "alias/aws/sns"
		54 | }

Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
	FAILED for resource: aws_wafv2_web_acl.ebs_web_acl
	File: /ccms-waf.tf:172-211
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-waf-prevents-message-lookup-in-log4j2

		172 | resource "aws_wafv2_web_acl" "ebs_web_acl" {
		173 |   name        = "ebs_waf"
		174 |   scope       = "REGIONAL"
		175 |   description = "AWS WAF Web ACL for EBS"
		176 | 
		177 |   default_action {
		178 |     block {}
		179 |   }
		180 | 
		181 |   rule {
		182 |     name = "ebs-trusted-rule"
		183 | 
		184 |     priority = 1
		185 |     action {
		186 |       allow {}
		187 |     }
		188 | 
		189 |     statement {
		190 |       ip_set_reference_statement {
		191 |         arn = aws_wafv2_ip_set.ebs_waf_ip_set.arn
		192 |       }
		193 |     }
		194 | 
		195 |     visibility_config {
		196 |       cloudwatch_metrics_enabled = true
		197 |       metric_name                = "ebs_waf_metrics"
		198 |       sampled_requests_enabled   = true
		199 |     }
		200 |   }
		201 | 
		202 |   tags = merge(local.tags,
		203 |     { Name = lower(format("lb-%s-%s-ebsapp-web-acl", local.application_name, local.environment)) }
		204 |   )
		205 | 
		206 |   visibility_config {
		207 |     cloudwatch_metrics_enabled = true
		208 |     metric_name                = "ebs_waf_metrics"
		209 |     sampled_requests_enabled   = true
		210 |   }
		211 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.ebs_waf_logs
	File: /ccms-waf.tf:213-220
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		213 | resource "aws_cloudwatch_log_group" "ebs_waf_logs" {
		214 |   name              = "aws-waf-logs-ebs/ebs-waf-logs"
		215 |   retention_in_days = 30
		216 | 
		217 |   tags = merge(local.tags,
		218 |     { Name = lower(format("lb-%s-%s-ebs-waf-logs", local.application_name, local.environment)) }
		219 |   )
		220 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.ebs_waf_logs
	File: /ccms-waf.tf:213-220
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		213 | resource "aws_cloudwatch_log_group" "ebs_waf_logs" {
		214 |   name              = "aws-waf-logs-ebs/ebs-waf-logs"
		215 |   retention_in_days = 30
		216 | 
		217 |   tags = merge(local.tags,
		218 |     { Name = lower(format("lb-%s-%s-ebs-waf-logs", local.application_name, local.environment)) }
		219 |   )
		220 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.lambda_payment_load
	File: /ccms-s3.tf:293-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		293 | resource "aws_s3_bucket" "lambda_payment_load" {
		294 |   bucket = "${local.application_name}-${local.environment}-payment-load"
		295 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: aws_ssm_parameter.cw_agent_config
	File: /ccms-cloudwatch.tf:28-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted

		28 | resource "aws_ssm_parameter" "cw_agent_config" {
		29 |   description = "cloud watch agent config"
		30 |   name        = "cloud-watch-config"
		31 |   type        = "String"
		32 |   value       = file("./templates/cw_agent_config.json")
		33 | 
		34 |   tags = merge(local.tags,
		35 |     { Name = "cw-config" }
		36 |   )
		37 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.lambda_payment_load
	File: /ccms-s3.tf:293-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		293 | resource "aws_s3_bucket" "lambda_payment_load" {
		294 |   bucket = "${local.application_name}-${local.environment}-payment-load"
		295 | }
Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.lambda_payment_load
	File: /ccms-s3.tf:293-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		293 | resource "aws_s3_bucket" "lambda_payment_load" {
		294 |   bucket = "${local.application_name}-${local.environment}-payment-load"
		295 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.lambda_payment_load
	File: /ccms-s3.tf:293-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		293 | resource "aws_s3_bucket" "lambda_payment_load" {
		294 |   bucket = "${local.application_name}-${local.environment}-payment-load"
		295 | }
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.secret_ftp_s3
	File: /ccms-secrets.tf:3-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		3  | resource "aws_secretsmanager_secret" "secret_ftp_s3" {
		4  |   name        = "ftp-s3-${local.environment}-aws-key"
		5  |   description = "AWS credentials for mounting of s3 buckets for the FTP Service to access"
		6  | 
		7  |   tags = merge(local.tags,
		8  |     { Name = "ftp-s3-${local.environment}-aws-key" }
		9  |   )
		10 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.secret_ses_smtp_credentials
	File: /ccms-secrets.tf:12-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		12 | resource "aws_secretsmanager_secret" "secret_ses_smtp_credentials" {
		13 |   name        = "ses-smtp-credentials"
		14 |   description = "SMTP credentials for Postfix to send messages through SES."
		15 | 
		16 |   tags = merge(local.tags,
		17 |     { Name = "ses-smtp-credentials-${local.environment}" }
		18 |   )
		19 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.secret_lambda_s3
	File: /ccms-secrets.tf:23-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		23 | resource "aws_secretsmanager_secret" "secret_lambda_s3" {
		24 |   name        = "db-${local.environment}-credentials"
		25 |   description = "AWS credentials for lambda to connect to the db"
		26 | 
		27 |   tags = merge(local.tags,
		28 |     { Name = "db-${local.environment}-credentials" }
		29 |   )
		30 | }
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.support_email_account
	File: /ccms-sns.tf:2-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		2 | resource "aws_secretsmanager_secret" "support_email_account" {
		3 |   name        = "support_email_account"
		4 |   description = "email address of the support account for cw alerts"
		5 | }

Check: CKV2_AWS_64: "Ensure KMS key Policy is defined"
	FAILED for resource: aws_kms_key.oracle_ec2
	File: /ccms-kms.tf:1-7
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-2-64

		1 | resource "aws_kms_key" "oracle_ec2" {
		2 |   enable_key_rotation = true
		3 | 
		4 |   tags = merge(local.tags,
		5 |     { Name = "oracle_ec2" }
		6 |   )
		7 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.lambda_payment_load
	File: /ccms-s3.tf:293-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		293 | resource "aws_s3_bucket" "lambda_payment_load" {
		294 |   bucket = "${local.application_name}-${local.environment}-payment-load"
		295 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.lambda_payment_load
	File: /ccms-s3.tf:293-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		293 | resource "aws_s3_bucket" "lambda_payment_load" {
		294 |   bucket = "${local.application_name}-${local.environment}-payment-load"
		295 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.lambda_payment_load
	File: /ccms-s3.tf:293-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		293 | resource "aws_s3_bucket" "lambda_payment_load" {
		294 |   bucket = "${local.application_name}-${local.environment}-payment-load"
		295 | }
Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances"
	FAILED for resource: aws_eip.ebs_eip
	File: /ccms-ec2-oracle_ebs_apps-nlb.tf:2-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances

		2  | resource "aws_eip" "ebs_eip" {
		3  |   count = local.is-production ? 6 : 3
		4  |   vpc   = true
		5  | 
		6  |   lifecycle {
		7  |     prevent_destroy = true
		8  |   }
		9  | 
		10 |   tags = merge(local.tags,
		11 |     { Name = lower(format("lb-%s-%s-eip-${count.index + 1}", local.application_name, local.environment)) }
		12 |   )
		13 | }

Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances"
	FAILED for resource: aws_eip.webgate_eip
	File: /ccms-ec2-oracle_webgate-nlb.tf:2-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances

		2  | resource "aws_eip" "webgate_eip" {
		3  |   count = local.is-production ? 6 : 3
		4  |   vpc   = true
		5  | 
		6  |   lifecycle {
		7  |     prevent_destroy = true
		8  |   }
		9  | 
		10 |   tags = merge(local.tags,
		11 |     { Name = lower(format("lb-%s-%s-webgate-eip-${count.index + 1}", local.application_name, local.environment)) }
		12 |   )
		13 | }


checkov_exitcode=1

CTFLint Scan Failed

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/ccms-ebs

*****************************

Running tflint in terraform/environments/ccms-ebs
Excluding the following checks: terraform_unused_declarations
5 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/ccms-ebs/ccms-ec2-ftp.tf line 23:
  23:     environment               = "${local.environment}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/ccms-ebs/ccms-ec2-ftp.tf line 24:
  24:     lz_aws_account_id_env     = "${local.application_data.accounts[local.environment].lz_aws_account_id_env}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/ccms-ebs/ccms-ec2-ftp.tf line 25:
  25:     lz_ftp_bucket_environment = "${local.application_data.accounts[local.environment].lz_ftp_bucket_environment}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/ccms-ebs/ccms-ec2-mailrelay.tf line 28:
  28:     smtp_fqdn = "${local.application_data.accounts[local.environment].ses_domain_identity}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/ccms-ebs/ccms-ec2-oracle_ebs_db.tf line 31:
  31:     environment = "${local.environment}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/ccms-ebs

*****************************

Running Trivy in terraform/environments/ccms-ebs
2024-12-13T09:16:11Z	INFO	[vulndb] Need to update DB
2024-12-13T09:16:11Z	INFO	[vulndb] Downloading vulnerability DB...
2024-12-13T09:16:11Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-13T09:16:13Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-13T09:16:13Z	INFO	[vuln] Vulnerability scanning is enabled
2024-12-13T09:16:13Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-12-13T09:16:13Z	INFO	[misconfig] Need to update the built-in checks
2024-12-13T09:16:13Z	INFO	[misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2024-12-13T09:16:13Z	INFO	[secret] Secret scanning is enabled
2024-12-13T09:16:13Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-13T09:16:13Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-13T09:16:15Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-12-13T09:16:15Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-12-13T09:16:15Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_log_group.groups" value="cty.NilVal"
2024-12-13T09:16:15Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_security_group_rule.all_internal_egress_traffic" value="cty.NilVal"
2024-12-13T09:16:15Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_security_group_rule.all_internal_ingress_traffic" value="cty.NilVal"
2024-12-13T09:16:16Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-13T09:16:16Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-13T09:16:16Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.s3-bucket-dbbackup.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-13T09:16:16Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.s3-bucket-dbbackup.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-13T09:16:16Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.s3-bucket-logging.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-13T09:16:16Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.s3-bucket-logging.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-13T09:16:16Z	INFO	[terraform scanner] Scanning root module	file_path="modules"
2024-12-13T09:16:16Z	INFO	[terraform scanner] Scanning root module	file_path="modules/cw-logs"
2024-12-13T09:16:19Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-user-attached-policies" range="ccms-iam.tf:283-289"
2024-12-13T09:16:19Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-12-13T09:16:20Z	INFO	Number of language-specific files	num=0
2024-12-13T09:16:20Z	INFO	Detected config files	num=28

ccms-ec2-oracle_accessgate.tf (terraform)
=========================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 ccms-ec2-oracle_accessgate.tf:1-104
────────────────────────────────────────
   1resource "aws_instance" "ec2_accessgate" {
   2count                  = local.application_data.accounts[local.environment].accessgate_no_instances
   3instance_type          = local.application_data.accounts[local.environment].ec2_oracle_instance_type_accessgate
   4ami                    = local.application_data.accounts[local.environment]["accessgate_ami_id-${count.index + 1}"]
   5key_name               = local.application_data.accounts[local.environment].key_name
   6vpc_security_group_ids = [aws_security_group.ec2_sg_accessgate.id]
   7subnet_id              = local.private_subnets[count.index]
   8#subnet_id                   = data.aws_subnet.data_subnets_a.id
   9monitoring                  = true
  ..   
────────────────────────────────────────



ccms-ec2-oracle_ebs_apps-alb.tf (terraform)
===========================================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.


See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 ccms-ec2-oracle_ebs_apps-alb.tf:1-19
────────────────────────────────────────
   1resource "aws_lb" "ebsapps_lb" {
   2name               = lower(format("lb-%s-%s-ebsapp", local.application_name, local.environment))
   3internal           = false
   4load_balancer_type = "application"
   5security_groups    = [aws_security_group.sg_ebsapps_lb.id]
   6subnets            = data.aws_subnets.shared-public.ids
   78enable_deletion_protection = true
   9..   
────────────────────────────────────────


AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 ccms-ec2-oracle_ebs_apps-alb.tf:3
   via ccms-ec2-oracle_ebs_apps-alb.tf:1-19 (aws_lb.ebsapps_lb)
────────────────────────────────────────
   1   resource "aws_lb" "ebsapps_lb" {
   .   
   3 [   internal           = false
  ..   
  19   }
────────────────────────────────────────



ccms-ec2-oracle_ebs_apps-nlb.tf (terraform)
===========================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 ccms-ec2-oracle_ebs_apps-nlb.tf:18
   via ccms-ec2-oracle_ebs_apps-nlb.tf:16-42 (aws_lb.ebsapps_nlb)
────────────────────────────────────────
  16   resource "aws_lb" "ebsapps_nlb" {
  ..   
  18 [   internal           = false
  ..   
  42   }
────────────────────────────────────────



ccms-ec2-oracle_ebs_apps.tf (terraform)
=======================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 ccms-ec2-oracle_ebs_apps.tf:1-127
────────────────────────────────────────
   1resource "aws_instance" "ec2_ebsapps" {
   2 │   count                  = local.application_data.accounts[local.environment].ebsapps_no_instances
   3 │   instance_type          = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsapps
   4 │   ami                    = local.application_data.accounts[local.environment]["ebsapps_ami_id-${count.index + 1}"]
   5 │   key_name               = local.application_data.accounts[local.environment].key_name
   6 │   vpc_security_group_ids = [aws_security_group.ec2_sg_ebsapps.id]
   7 │   subnet_id              = local.private_subnets[count.index]
   8#subnet_id                   = data.aws_subnet.data_subnets_a.id
   9 └   monitoring                  = true
  ..   
────────────────────────────────────────



ccms-ec2-oracle_ebs_db.tf (terraform)
=====================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 ccms-ec2-oracle_ebs_db.tf:1-68
────────────────────────────────────────
   1 ┌ resource "aws_instance" "ec2_oracle_ebs" {
   2 │   instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsdb
   3#ami                         = data.aws_ami.oracle_db.id
   4 │   ami                         = local.application_data.accounts[local.environment].ebsdb_ami_id
   5 │   key_name                    = local.application_data.accounts[local.environment].key_name
   6 │   vpc_security_group_ids      = [aws_security_group.ec2_sg_ebsdb.id]
   7 │   subnet_id                   = data.aws_subnet.data_subnets_a.id
   8 │   monitoring                  = true
   9 └   ebs_optimized               = false
  ..   
────────────────────────────────────────



ccms-ec2-oracle_webgate-alb.tf (terraform)
==========================================
Tests: 3 (SUCCESSES: 0, FAILURES: 3)
Failures: 3 (HIGH: 3, CRITICAL: 0)

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.


See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 ccms-ec2-oracle_webgate-alb.tf:1-20
────────────────────────────────────────
   1 ┌ resource "aws_lb" "webgate_lb" {
   2 │   count              = local.is-production ? 1 : 1
   3 │   name               = lower(format("lb-%s-%s-wgate", local.application_name, local.environment))
   4 │   internal           = true
   5 │   load_balancer_type = "application"
   6 │   security_groups    = [aws_security_group.sg_webgate_lb.id]
   7 │   subnets            = data.aws_subnets.shared-private.ids
   89 └   enable_deletion_protection = true
  ..   
────────────────────────────────────────


AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.


See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 ccms-ec2-oracle_webgate-alb.tf:62-80
────────────────────────────────────────
  62 ┌ resource "aws_lb" "webgate_public_lb" {
  63 │   name               = lower(format("public-alb-webgate"))
  64 │   internal           = false
  65 │   load_balancer_type = "application"
  66 │   security_groups    = [aws_security_group.sg_webgate_lb.id]
  67 │   subnets            = data.aws_subnets.shared-public.ids
  6869 │   enable_deletion_protection = true
  70 └ 
  ..   
────────────────────────────────────────


AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 ccms-ec2-oracle_webgate-alb.tf:64
   via ccms-ec2-oracle_webgate-alb.tf:62-80 (aws_lb.webgate_public_lb)
────────────────────────────────────────
  62   resource "aws_lb" "webgate_public_lb" {
  ..   
  64 [   internal           = false
  ..   
  80   }
────────────────────────────────────────



ccms-ec2-oracle_webgate-nlb.tf (terraform)
==========================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 ccms-ec2-oracle_webgate-nlb.tf:18
   via ccms-ec2-oracle_webgate-nlb.tf:16-42 (aws_lb.webgate_nlb)
────────────────────────────────────────
  16   resource "aws_lb" "webgate_nlb" {
  ..   
  18 [   internal           = false
  ..   
  42   }
────────────────────────────────────────



ccms-ec2-oracle_webgate.tf (terraform)
======================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 ccms-ec2-oracle_webgate.tf:1-104
────────────────────────────────────────
   1 ┌ resource "aws_instance" "ec2_webgate" {
   2 │   count                  = local.application_data.accounts[local.environment].webgate_no_instances
   3 │   instance_type          = local.application_data.accounts[local.environment].ec2_oracle_instance_type_webgate
   4 │   ami                    = local.application_data.accounts[local.environment]["webgate_ami_id-${count.index + 1}"]
   5 │   key_name               = local.application_data.accounts[local.environment].key_name
   6 │   vpc_security_group_ids = [aws_security_group.ec2_sg_webgate.id]
   7 │   subnet_id              = local.private_subnets[count.index]
   8#subnet_id                   = data.aws_subnet.data_subnets_a.id
   9 └   monitoring                  = true
  ..   
────────────────────────────────────────



ccms-s3.tf (terraform)
======================
Tests: 8 (SUCCESSES: 0, FAILURES: 8)
Failures: 8 (HIGH: 8, CRITICAL: 0)

AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 ccms-s3.tf:286-288
────────────────────────────────────────
 286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
 287 │   bucket = "${local.application_name}-${local.environment}-shared"
 288 └ }
────────────────────────────────────────


AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 ccms-s3.tf:293-295
────────────────────────────────────────
 293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
 294 │   bucket = "${local.application_name}-${local.environment}-payment-load"
 295 └ }
────────────────────────────────────────


AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 ccms-s3.tf:286-288
────────────────────────────────────────
 286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
 287 │   bucket = "${local.application_name}-${local.environment}-shared"
 288 └ }
────────────────────────────────────────


AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 ccms-s3.tf:293-295
────────────────────────────────────────
 293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
 294 │   bucket = "${local.application_name}-${local.environment}-payment-load"
 295 └ }
────────────────────────────────────────


AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 ccms-s3.tf:286-288
────────────────────────────────────────
 286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
 287 │   bucket = "${local.application_name}-${local.environment}-shared"
 288 └ }
────────────────────────────────────────


AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 ccms-s3.tf:293-295
────────────────────────────────────────
 293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
 294 │   bucket = "${local.application_name}-${local.environment}-payment-load"
 295 └ }
────────────────────────────────────────


AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.


See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 ccms-s3.tf:286-288
────────────────────────────────────────
 286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
 287 │   bucket = "${local.application_name}-${local.environment}-shared"
 288 └ }
────────────────────────────────────────


AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.


See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 ccms-s3.tf:293-295
────────────────────────────────────────
 293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
 294 │   bucket = "${local.application_name}-${local.environment}-payment-load"
 295 └ }
────────────────────────────────────────


trivy_exitcode=1

@github-actions GitHub Actions
Copy link
Contributor

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/ccms-ebs

Running Trivy in terraform/environments/ccms-ebs
2024-12-13T09:24:14Z INFO [vulndb] Need to update DB
2024-12-13T09:24:14Z INFO [vulndb] Downloading vulnerability DB...
2024-12-13T09:24:14Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-13T09:24:16Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-13T09:24:16Z INFO [vuln] Vulnerability scanning is enabled
2024-12-13T09:24:16Z INFO [misconfig] Misconfiguration scanning is enabled
2024-12-13T09:24:16Z INFO [misconfig] Need to update the built-in checks
2024-12-13T09:24:16Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2024-12-13T09:24:16Z INFO [secret] Secret scanning is enabled
2024-12-13T09:24:16Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-13T09:24:16Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-13T09:24:18Z INFO [terraform scanner] Scanning root module file_path="."
2024-12-13T09:24:18Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-12-13T09:24:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_log_group.groups" value="cty.NilVal"
2024-12-13T09:24:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_security_group_rule.all_internal_egress_traffic" value="cty.NilVal"
2024-12-13T09:24:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_security_group_rule.all_internal_ingress_traffic" value="cty.NilVal"
2024-12-13T09:24:19Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-13T09:24:19Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-13T09:24:19Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket-dbbackup.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-13T09:24:19Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket-dbbackup.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-13T09:24:19Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket-logging.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-13T09:24:19Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket-logging.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-13T09:24:19Z INFO [terraform scanner] Scanning root module file_path="modules"
2024-12-13T09:24:19Z INFO [terraform scanner] Scanning root module file_path="modules/cw-logs"
2024-12-13T09:24:22Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-12-13T09:24:22Z INFO [terraform executor] Ignore finding rule="aws-iam-no-user-attached-policies" range="ccms-iam.tf:283-289"
2024-12-13T09:24:22Z INFO Number of language-specific files num=0
2024-12-13T09:24:22Z INFO Detected config files num=28

ccms-ec2-oracle_accessgate.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ccms-ec2-oracle_accessgate.tf:1-104
────────────────────────────────────────
1 ┌ resource "aws_instance" "ec2_accessgate" {
2 │ count = local.application_data.accounts[local.environment].accessgate_no_instances
3 │ instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_accessgate
4 │ ami = local.application_data.accounts[local.environment]["accessgate_ami_id-${count.index + 1}"]
5 │ key_name = local.application_data.accounts[local.environment].key_name
6 │ vpc_security_group_ids = [aws_security_group.ec2_sg_accessgate.id]
7 │ subnet_id = local.private_subnets[count.index]
8 │ #subnet_id = data.aws_subnet.data_subnets_a.id
9 └ monitoring = true
..
────────────────────────────────────────

ccms-ec2-oracle_ebs_apps-alb.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-alb.tf:1-19
────────────────────────────────────────
1 ┌ resource "aws_lb" "ebsapps_lb" {
2 │ name = lower(format("lb-%s-%s-ebsapp", local.application_name, local.environment))
3 │ internal = false
4 │ load_balancer_type = "application"
5 │ security_groups = [aws_security_group.sg_ebsapps_lb.id]
6 │ subnets = data.aws_subnets.shared-public.ids
7 │
8 │ enable_deletion_protection = true
9 └
..
────────────────────────────────────────

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-alb.tf:3
via ccms-ec2-oracle_ebs_apps-alb.tf:1-19 (aws_lb.ebsapps_lb)
────────────────────────────────────────
1 resource "aws_lb" "ebsapps_lb" {
.
3 [ internal = false
..
19 }
────────────────────────────────────────

ccms-ec2-oracle_ebs_apps-nlb.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-nlb.tf:18
via ccms-ec2-oracle_ebs_apps-nlb.tf:16-42 (aws_lb.ebsapps_nlb)
────────────────────────────────────────
16 resource "aws_lb" "ebsapps_nlb" {
..
18 [ internal = false
..
42 }
────────────────────────────────────────

ccms-ec2-oracle_ebs_apps.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps.tf:1-127
────────────────────────────────────────
1 ┌ resource "aws_instance" "ec2_ebsapps" {
2 │ count = local.application_data.accounts[local.environment].ebsapps_no_instances
3 │ instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsapps
4 │ ami = local.application_data.accounts[local.environment]["ebsapps_ami_id-${count.index + 1}"]
5 │ key_name = local.application_data.accounts[local.environment].key_name
6 │ vpc_security_group_ids = [aws_security_group.ec2_sg_ebsapps.id]
7 │ subnet_id = local.private_subnets[count.index]
8 │ #subnet_id = data.aws_subnet.data_subnets_a.id
9 └ monitoring = true
..
────────────────────────────────────────

ccms-ec2-oracle_ebs_db.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
ccms-ec2-oracle_ebs_db.tf:1-68
────────────────────────────────────────
1 ┌ resource "aws_instance" "ec2_oracle_ebs" {
2 │ instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsdb
3 │ #ami = data.aws_ami.oracle_db.id
4 │ ami = local.application_data.accounts[local.environment].ebsdb_ami_id
5 │ key_name = local.application_data.accounts[local.environment].key_name
6 │ vpc_security_group_ids = [aws_security_group.ec2_sg_ebsdb.id]
7 │ subnet_id = data.aws_subnet.data_subnets_a.id
8 │ monitoring = true
9 └ ebs_optimized = false
..
────────────────────────────────────────

ccms-ec2-oracle_webgate-alb.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 3)
Failures: 3 (HIGH: 3, CRITICAL: 0)

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
ccms-ec2-oracle_webgate-alb.tf:1-20
────────────────────────────────────────
1 ┌ resource "aws_lb" "webgate_lb" {
2 │ count = local.is-production ? 1 : 1
3 │ name = lower(format("lb-%s-%s-wgate", local.application_name, local.environment))
4 │ internal = true
5 │ load_balancer_type = "application"
6 │ security_groups = [aws_security_group.sg_webgate_lb.id]
7 │ subnets = data.aws_subnets.shared-private.ids
8 │
9 └ enable_deletion_protection = true
..
────────────────────────────────────────

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
ccms-ec2-oracle_webgate-alb.tf:62-80
────────────────────────────────────────
62 ┌ resource "aws_lb" "webgate_public_lb" {
63 │ name = lower(format("public-alb-webgate"))
64 │ internal = false
65 │ load_balancer_type = "application"
66 │ security_groups = [aws_security_group.sg_webgate_lb.id]
67 │ subnets = data.aws_subnets.shared-public.ids
68 │
69 │ enable_deletion_protection = true
70 └
..
────────────────────────────────────────

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ccms-ec2-oracle_webgate-alb.tf:64
via ccms-ec2-oracle_webgate-alb.tf:62-80 (aws_lb.webgate_public_lb)
────────────────────────────────────────
62 resource "aws_lb" "webgate_public_lb" {
..
64 [ internal = false
..
80 }
────────────────────────────────────────

ccms-ec2-oracle_webgate-nlb.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ccms-ec2-oracle_webgate-nlb.tf:18
via ccms-ec2-oracle_webgate-nlb.tf:16-42 (aws_lb.webgate_nlb)
────────────────────────────────────────
16 resource "aws_lb" "webgate_nlb" {
..
18 [ internal = false
..
42 }
────────────────────────────────────────

ccms-ec2-oracle_webgate.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ccms-ec2-oracle_webgate.tf:1-104
────────────────────────────────────────
1 ┌ resource "aws_instance" "ec2_webgate" {
2 │ count = local.application_data.accounts[local.environment].webgate_no_instances
3 │ instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_webgate
4 │ ami = local.application_data.accounts[local.environment]["webgate_ami_id-${count.index + 1}"]
5 │ key_name = local.application_data.accounts[local.environment].key_name
6 │ vpc_security_group_ids = [aws_security_group.ec2_sg_webgate.id]
7 │ subnet_id = local.private_subnets[count.index]
8 │ #subnet_id = data.aws_subnet.data_subnets_a.id
9 └ monitoring = true
..
────────────────────────────────────────

ccms-s3.tf (terraform)

Tests: 8 (SUCCESSES: 0, FAILURES: 8)
Failures: 8 (HIGH: 8, CRITICAL: 0)

AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.

See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
ccms-s3.tf:286-288
────────────────────────────────────────
286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
287 │ bucket = "${local.application_name}-${local.environment}-shared"
288 └ }
────────────────────────────────────────

AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.

See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
ccms-s3.tf:293-295
────────────────────────────────────────
293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
294 │ bucket = "${local.application_name}-${local.environment}-payment-load"
295 └ }
────────────────────────────────────────

AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
ccms-s3.tf:286-288
────────────────────────────────────────
286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
287 │ bucket = "${local.application_name}-${local.environment}-shared"
288 └ }
────────────────────────────────────────

AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
ccms-s3.tf:293-295
────────────────────────────────────────
293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
294 │ bucket = "${local.application_name}-${local.environment}-payment-load"
295 └ }
────────────────────────────────────────

AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
ccms-s3.tf:286-288
────────────────────────────────────────
286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
287 │ bucket = "${local.application_name}-${local.environment}-shared"
288 └ }
────────────────────────────────────────

AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
ccms-s3.tf:293-295
────────────────────────────────────────
293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
294 │ bucket = "${local.application_name}-${local.environment}-payment-load"
295 └ }
────────────────────────────────────────

AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
ccms-s3.tf:286-288
────────────────────────────────────────
286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
287 │ bucket = "${local.application_name}-${local.environment}-shared"
288 └ }
────────────────────────────────────────

AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
ccms-s3.tf:293-295
────────────────────────────────────────
293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
294 │ bucket = "${local.application_name}-${local.environment}-payment-load"
295 └ }
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/ccms-ebs

*****************************

Running Checkov in terraform/environments/ccms-ebs
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-12-13 09:24:25,413 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 955, Failed checks: 74, Skipped checks: 3

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.groups
	File: /ccms-cloudwatch.tf:15-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		15 | resource "aws_cloudwatch_log_group" "groups" {
		16 |   for_each          = local.application_data.cw_log_groups
		17 |   name              = each.key
		18 |   retention_in_days = each.value.retention_days
		19 | 
		20 |   tags = merge(
		21 |     local.tags,
		22 |     {
		23 |       Name = each.key
		24 |     },
		25 |   )
		26 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.cloudwatch_datasource
	File: /ccms-cloudwatch.tf:54-106
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.dlm_lifecycle
	File: /ccms-dlm.tf:24-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		24 | resource "aws_iam_role_policy" "dlm_lifecycle" {
		25 |   count = local.is-production ? 0 : 1
		26 |   name  = "dlm-lifecycle-policy"
		27 |   role  = aws_iam_role.dlm_lifecycle_role[0].id
		28 | 
		29 |   policy = <<EOF
		30 | {
		31 |    "Version": "2012-10-17",
		32 |    "Statement": [
		33 |       {
		34 |          "Effect": "Allow",
		35 |          "Action": [
		36 |             "ec2:CreateSnapshot",
		37 |             "ec2:DeleteSnapshot",
		38 |             "ec2:DescribeVolumes",
		39 |             "ec2:DescribeSnapshots"
		40 |          ],
		41 |          "Resource": "*"
		42 |       },
		43 |       {
		44 |          "Effect": "Allow",
		45 |          "Action": [
		46 |             "ec2:CreateTags"
		47 |          ],
		48 |          "Resource": "arn:aws:ec2:*::snapshot/*"
		49 |       }
		50 |    ]
		51 | }
		52 | EOF
		53 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.dlm_lifecycle
	File: /ccms-dlm.tf:24-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		24 | resource "aws_iam_role_policy" "dlm_lifecycle" {
		25 |   count = local.is-production ? 0 : 1
		26 |   name  = "dlm-lifecycle-policy"
		27 |   role  = aws_iam_role.dlm_lifecycle_role[0].id
		28 | 
		29 |   policy = <<EOF
		30 | {
		31 |    "Version": "2012-10-17",
		32 |    "Statement": [
		33 |       {
		34 |          "Effect": "Allow",
		35 |          "Action": [
		36 |             "ec2:CreateSnapshot",
		37 |             "ec2:DeleteSnapshot",
		38 |             "ec2:DescribeVolumes",
		39 |             "ec2:DescribeSnapshots"
		40 |          ],
		41 |          "Resource": "*"
		42 |       },
		43 |       {
		44 |          "Effect": "Allow",
		45 |          "Action": [
		46 |             "ec2:CreateTags"
		47 |          ],
		48 |          "Resource": "arn:aws:ec2:*::snapshot/*"
		49 |       }
		50 |    ]
		51 | }
		52 | EOF
		53 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_ftp
	File: /ccms-ec2-ftp.tf:1-67
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_mailrelay
	File: /ccms-ec2-mailrelay.tf:2-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.ec2_accessgate
	File: /ccms-ec2-oracle_accessgate.tf:1-104
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_accessgate
	File: /ccms-ec2-oracle_accessgate.tf:1-104
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.ebsapps_lb
	File: /ccms-ec2-oracle_ebs_apps-alb.tf:1-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		1  | resource "aws_lb" "ebsapps_lb" {
		2  |   name               = lower(format("lb-%s-%s-ebsapp", local.application_name, local.environment))
		3  |   internal           = false
		4  |   load_balancer_type = "application"
		5  |   security_groups    = [aws_security_group.sg_ebsapps_lb.id]
		6  |   subnets            = data.aws_subnets.shared-public.ids
		7  | 
		8  |   enable_deletion_protection = true
		9  | 
		10 |   access_logs {
		11 |     bucket  = module.s3-bucket-logging.bucket.id
		12 |     prefix  = local.lb_log_prefix_ebsapp
		13 |     enabled = true
		14 |   }
		15 | 
		16 |   tags = merge(local.tags,
		17 |     { Name = lower(format("lb-%s-%s-ebsapp", local.application_name, local.environment)) }
		18 |   )
		19 | }

Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
	FAILED for resource: aws_lb_target_group.ebsapp_tg
	File: /ccms-ec2-oracle_ebs_apps-alb.tf:39-54
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks

		39 | resource "aws_lb_target_group" "ebsapp_tg" {
		40 |   name     = lower(format("tg-%s-%s-ebsapp", local.application_name, local.environment))
		41 |   port     = local.application_data.accounts[local.environment].tg_apps_port
		42 |   protocol = "HTTP"
		43 |   vpc_id   = data.aws_vpc.shared.id
		44 |   health_check {
		45 |     port     = local.application_data.accounts[local.environment].tg_apps_port
		46 |     protocol = "HTTP"
		47 |   }
		48 | 
		49 |   stickiness {
		50 |     enabled         = true
		51 |     type            = "lb_cookie"
		52 |     cookie_duration = 3600
		53 |   }
		54 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.ebsapps_nlb
	File: /ccms-ec2-oracle_ebs_apps-nlb.tf:16-42
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		16 | resource "aws_lb" "ebsapps_nlb" {
		17 |   name               = lower(format("nlb-%s-%s-ebs", local.application_name, local.environment))
		18 |   internal           = false
		19 |   load_balancer_type = "network"
		20 | 
		21 |   enable_deletion_protection       = true
		22 |   enable_cross_zone_load_balancing = true
		23 | 
		24 |   subnet_mapping {
		25 |     subnet_id     = data.aws_subnets.shared-public.ids[0]
		26 |     allocation_id = aws_eip.ebs_eip[0].id
		27 |   }
		28 | 
		29 |   subnet_mapping {
		30 |     subnet_id     = data.aws_subnets.shared-public.ids[1]
		31 |     allocation_id = aws_eip.ebs_eip[1].id
		32 |   }
		33 | 
		34 |   subnet_mapping {
		35 |     subnet_id     = data.aws_subnets.shared-public.ids[2]
		36 |     allocation_id = aws_eip.ebs_eip[2].id
		37 |   }
		38 | 
		39 |   tags = merge(local.tags,
		40 |     { Name = lower(format("nlb-%s-%s-ebsapp", local.application_name, local.environment)) }
		41 |   )
		42 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.ec2_ebsapps
	File: /ccms-ec2-oracle_ebs_apps.tf:1-127
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_ebsapps
	File: /ccms-ec2-oracle_ebs_apps.tf:1-127
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
	FAILED for resource: aws_instance.ec2_oracle_ebs
	File: /ccms-ec2-oracle_ebs_db.tf:1-68
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-13

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_oracle_ebs
	File: /ccms-ec2-oracle_ebs_db.tf:1-68
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.webgate_lb
	File: /ccms-ec2-oracle_webgate-alb.tf:1-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		1  | resource "aws_lb" "webgate_lb" {
		2  |   count              = local.is-production ? 1 : 1
		3  |   name               = lower(format("lb-%s-%s-wgate", local.application_name, local.environment))
		4  |   internal           = true
		5  |   load_balancer_type = "application"
		6  |   security_groups    = [aws_security_group.sg_webgate_lb.id]
		7  |   subnets            = data.aws_subnets.shared-private.ids
		8  | 
		9  |   enable_deletion_protection = true
		10 | 
		11 |   access_logs {
		12 |     bucket  = module.s3-bucket-logging.bucket.id
		13 |     prefix  = local.lb_log_prefix_wgate
		14 |     enabled = true
		15 |   }
		16 | 
		17 |   tags = merge(local.tags,
		18 |     { Name = lower(format("lb-%s-%s-wgate", local.application_name, local.environment)) }
		19 |   )
		20 | }

Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
	FAILED for resource: aws_lb_target_group.webgate_tg
	File: /ccms-ec2-oracle_webgate-alb.tf:40-52
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks

		40 | resource "aws_lb_target_group" "webgate_tg" {
		41 |   count    = local.is-production ? 1 : 1
		42 |   name     = lower(format("tg-%s-%s-wgate", local.application_name, local.environment))
		43 |   port     = 5401
		44 |   protocol = "HTTP"
		45 |   vpc_id   = data.aws_vpc.shared.id
		46 |   health_check {
		47 |     port     = 5401
		48 |     protocol = "HTTP"
		49 |     matcher  = 302
		50 |     timeout  = 10
		51 |   }
		52 | }

Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.webgate_public_lb
	File: /ccms-ec2-oracle_webgate-alb.tf:62-80
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		62 | resource "aws_lb" "webgate_public_lb" {
		63 |   name               = lower(format("public-alb-webgate"))
		64 |   internal           = false
		65 |   load_balancer_type = "application"
		66 |   security_groups    = [aws_security_group.sg_webgate_lb.id]
		67 |   subnets            = data.aws_subnets.shared-public.ids
		68 | 
		69 |   enable_deletion_protection = true
		70 | 
		71 |   access_logs {
		72 |     bucket  = module.s3-bucket-logging.bucket.id
		73 |     prefix  = local.lb_log_prefix_wgate_public
		74 |     enabled = true
		75 |   }
		76 | 
		77 |   tags = merge(local.tags,
		78 |     { Name = lower(format("public-alb-webgate")) }
		79 |   )
		80 | }

Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
	FAILED for resource: aws_lb_target_group.webgate_tg_public
	File: /ccms-ec2-oracle_webgate-alb.tf:100-111
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks

		100 | resource "aws_lb_target_group" "webgate_tg_public" {
		101 |   name     = lower(format("public-alb-webgate-tg"))
		102 |   port     = 5401
		103 |   protocol = "HTTP"
		104 |   vpc_id   = data.aws_vpc.shared.id
		105 |   health_check {
		106 |     port     = 5401
		107 |     protocol = "HTTP"
		108 |     matcher  = 302
		109 |     timeout  = 10
		110 |   }
		111 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.webgate_nlb
	File: /ccms-ec2-oracle_webgate-nlb.tf:16-42
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		16 | resource "aws_lb" "webgate_nlb" {
		17 |   name               = lower(format("public-nlb-webgate"))
		18 |   internal           = false
		19 |   load_balancer_type = "network"
		20 | 
		21 |   enable_deletion_protection       = true
		22 |   enable_cross_zone_load_balancing = true
		23 | 
		24 |   subnet_mapping {
		25 |     subnet_id     = data.aws_subnets.shared-public.ids[0]
		26 |     allocation_id = aws_eip.webgate_eip[0].id
		27 |   }
		28 | 
		29 |   subnet_mapping {
		30 |     subnet_id     = data.aws_subnets.shared-public.ids[1]
		31 |     allocation_id = aws_eip.webgate_eip[1].id
		32 |   }
		33 | 
		34 |   subnet_mapping {
		35 |     subnet_id     = data.aws_subnets.shared-public.ids[2]
		36 |     allocation_id = aws_eip.webgate_eip[2].id
		37 |   }
		38 | 
		39 |   tags = merge(local.tags,
		40 |     { Name = lower(format("public-nlb-webgate")) }
		41 |   )
		42 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.ec2_webgate
	File: /ccms-ec2-oracle_webgate.tf:1-104
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_webgate
	File: /ccms-ec2-oracle_webgate.tf:1-104
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.ec2_operations_policy
	File: /ccms-iam.tf:249-273
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		249 | resource "aws_iam_policy" "ec2_operations_policy" {
		250 |   name        = "ec2_operations-${local.environment}"
		251 |   description = "Allows EC2 operations."
		252 | 
		253 |   policy = jsonencode(
		254 |     {
		255 |       "Version" : "2012-10-17",
		256 |       "Statement" : [
		257 |         {
		258 |           "Sid" : "EC2Operations",
		259 |           "Effect" : "Allow",
		260 |           "Action" : [
		261 |             "ec2:Describe*",
		262 |             "ec2:CreateSnapshot",
		263 |             "ec2:CreateSnapshots",
		264 |             "ec2:DeleteSnapshot",
		265 |             "ec2:CreateTags",
		266 |             "ec2:DeleteTags"
		267 |           ],
		268 |           "Resource" : "*"
		269 |         }
		270 |       ]
		271 |     }
		272 |   )
		273 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.ec2_operations_policy
	File: /ccms-iam.tf:249-273
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		249 | resource "aws_iam_policy" "ec2_operations_policy" {
		250 |   name        = "ec2_operations-${local.environment}"
		251 |   description = "Allows EC2 operations."
		252 | 
		253 |   policy = jsonencode(
		254 |     {
		255 |       "Version" : "2012-10-17",
		256 |       "Statement" : [
		257 |         {
		258 |           "Sid" : "EC2Operations",
		259 |           "Effect" : "Allow",
		260 |           "Action" : [
		261 |             "ec2:Describe*",
		262 |             "ec2:CreateSnapshot",
		263 |             "ec2:CreateSnapshots",
		264 |             "ec2:DeleteSnapshot",
		265 |             "ec2:CreateTags",
		266 |             "ec2:DeleteTags"
		267 |           ],
		268 |           "Resource" : "*"
		269 |         }
		270 |       ]
		271 |     }
		272 |   )
		273 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.certificate_expiration_alerts
	File: /ccms-lambda-certificate-monitor.tf:46-51
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		46 | resource "aws_sns_topic" "certificate_expiration_alerts" {
		47 |   name = "${local.application_name}-${local.environment}-acm-certificate-alerts"
		48 |   tags = merge(local.tags, {
		49 |     Name = "${local.application_name}-${local.environment}-certificate-monitor"
		50 |   })
		51 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.certificate_monitor
	File: /ccms-lambda-certificate-monitor.tf:59-78
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		59 | resource "aws_lambda_function" "certificate_monitor" {
		60 |   filename         = "./lambda/certificate_monitor.zip"
		61 |   source_code_hash = base64sha256(file("./lambda/certificate_monitor.zip"))
		62 |   function_name    = "${local.application_name}-${local.environment}-certificate-monitor"
		63 |   role             = aws_iam_role.lambda_certificate_monitor_role.arn
		64 |   handler          = "lambda_function.lambda_handler"
		65 |   runtime          = "python3.13"
		66 |   timeout          = 30
		67 |   publish          = true
		68 | 
		69 |   environment {
		70 |     variables = {
		71 |       EXPIRY_DAYS   = local.application_data.accounts[local.environment].certificate_expiry_days
		72 |       SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
		73 |     }
		74 |   }
		75 |   tags = merge(local.tags, {
		76 |     Name = "${local.application_name}-${local.environment}-certificate-monitor"
		77 |   })
		78 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.certificate_monitor
	File: /ccms-lambda-certificate-monitor.tf:59-78
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		59 | resource "aws_lambda_function" "certificate_monitor" {
		60 |   filename         = "./lambda/certificate_monitor.zip"
		61 |   source_code_hash = base64sha256(file("./lambda/certificate_monitor.zip"))
		62 |   function_name    = "${local.application_name}-${local.environment}-certificate-monitor"
		63 |   role             = aws_iam_role.lambda_certificate_monitor_role.arn
		64 |   handler          = "lambda_function.lambda_handler"
		65 |   runtime          = "python3.13"
		66 |   timeout          = 30
		67 |   publish          = true
		68 | 
		69 |   environment {
		70 |     variables = {
		71 |       EXPIRY_DAYS   = local.application_data.accounts[local.environment].certificate_expiry_days
		72 |       SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
		73 |     }
		74 |   }
		75 |   tags = merge(local.tags, {
		76 |     Name = "${local.application_name}-${local.environment}-certificate-monitor"
		77 |   })
		78 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.certificate_monitor
	File: /ccms-lambda-certificate-monitor.tf:59-78
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		59 | resource "aws_lambda_function" "certificate_monitor" {
		60 |   filename         = "./lambda/certificate_monitor.zip"
		61 |   source_code_hash = base64sha256(file("./lambda/certificate_monitor.zip"))
		62 |   function_name    = "${local.application_name}-${local.environment}-certificate-monitor"
		63 |   role             = aws_iam_role.lambda_certificate_monitor_role.arn
		64 |   handler          = "lambda_function.lambda_handler"
		65 |   runtime          = "python3.13"
		66 |   timeout          = 30
		67 |   publish          = true
		68 | 
		69 |   environment {
		70 |     variables = {
		71 |       EXPIRY_DAYS   = local.application_data.accounts[local.environment].certificate_expiry_days
		72 |       SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
		73 |     }
		74 |   }
		75 |   tags = merge(local.tags, {
		76 |     Name = "${local.application_name}-${local.environment}-certificate-monitor"
		77 |   })
		78 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.certificate_monitor
	File: /ccms-lambda-certificate-monitor.tf:59-78
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		59 | resource "aws_lambda_function" "certificate_monitor" {
		60 |   filename         = "./lambda/certificate_monitor.zip"
		61 |   source_code_hash = base64sha256(file("./lambda/certificate_monitor.zip"))
		62 |   function_name    = "${local.application_name}-${local.environment}-certificate-monitor"
		63 |   role             = aws_iam_role.lambda_certificate_monitor_role.arn
		64 |   handler          = "lambda_function.lambda_handler"
		65 |   runtime          = "python3.13"
		66 |   timeout          = 30
		67 |   publish          = true
		68 | 
		69 |   environment {
		70 |     variables = {
		71 |       EXPIRY_DAYS   = local.application_data.accounts[local.environment].certificate_expiry_days
		72 |       SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
		73 |     }
		74 |   }
		75 |   tags = merge(local.tags, {
		76 |     Name = "${local.application_name}-${local.environment}-certificate-monitor"
		77 |   })
		78 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.certificate_monitor
	File: /ccms-lambda-certificate-monitor.tf:59-78
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		59 | resource "aws_lambda_function" "certificate_monitor" {
		60 |   filename         = "./lambda/certificate_monitor.zip"
		61 |   source_code_hash = base64sha256(file("./lambda/certificate_monitor.zip"))
		62 |   function_name    = "${local.application_name}-${local.environment}-certificate-monitor"
		63 |   role             = aws_iam_role.lambda_certificate_monitor_role.arn
		64 |   handler          = "lambda_function.lambda_handler"
		65 |   runtime          = "python3.13"
		66 |   timeout          = 30
		67 |   publish          = true
		68 | 
		69 |   environment {
		70 |     variables = {
		71 |       EXPIRY_DAYS   = local.application_data.accounts[local.environment].certificate_expiry_days
		72 |       SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
		73 |     }
		74 |   }
		75 |   tags = merge(local.tags, {
		76 |     Name = "${local.application_name}-${local.environment}-certificate-monitor"
		77 |   })
		78 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.certificate_monitor
	File: /ccms-lambda-certificate-monitor.tf:59-78
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		59 | resource "aws_lambda_function" "certificate_monitor" {
		60 |   filename         = "./lambda/certificate_monitor.zip"
		61 |   source_code_hash = base64sha256(file("./lambda/certificate_monitor.zip"))
		62 |   function_name    = "${local.application_name}-${local.environment}-certificate-monitor"
		63 |   role             = aws_iam_role.lambda_certificate_monitor_role.arn
		64 |   handler          = "lambda_function.lambda_handler"
		65 |   runtime          = "python3.13"
		66 |   timeout          = 30
		67 |   publish          = true
		68 | 
		69 |   environment {
		70 |     variables = {
		71 |       EXPIRY_DAYS   = local.application_data.accounts[local.environment].certificate_expiry_days
		72 |       SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
		73 |     }
		74 |   }
		75 |   tags = merge(local.tags, {
		76 |     Name = "${local.application_name}-${local.environment}-certificate-monitor"
		77 |   })
		78 | }

Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
	FAILED for resource: aws_security_group.lambda_security_group
	File: /ccms-lambda.tf:22-44

		22 | resource "aws_security_group" "lambda_security_group" {
		23 |   name        = "${local.application_name}-${local.environment}-lambda-sg"
		24 |   description = "SG traffic control for Payment Load Lambda"
		25 |   vpc_id      = data.aws_vpc.shared.id
		26 | 
		27 |   ingress {
		28 |     from_port   = 1521
		29 |     to_port     = 1522
		30 |     protocol    = "tcp"
		31 |     cidr_blocks = [data.aws_vpc.shared.cidr_block]
		32 |   }
		33 | 
		34 |   egress {
		35 |     from_port   = 0
		36 |     to_port     = 0
		37 |     protocol    = "-1"
		38 |     cidr_blocks = ["0.0.0.0/0"]
		39 |   }
		40 | 
		41 |   tags = merge(local.tags,
		42 |     { Name = "${local.application_name}-${local.environment}-lambda-sg" }
		43 |   )
		44 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.lambda_security_group
	File: /ccms-lambda.tf:22-44
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		22 | resource "aws_security_group" "lambda_security_group" {
		23 |   name        = "${local.application_name}-${local.environment}-lambda-sg"
		24 |   description = "SG traffic control for Payment Load Lambda"
		25 |   vpc_id      = data.aws_vpc.shared.id
		26 | 
		27 |   ingress {
		28 |     from_port   = 1521
		29 |     to_port     = 1522
		30 |     protocol    = "tcp"
		31 |     cidr_blocks = [data.aws_vpc.shared.cidr_block]
		32 |   }
		33 | 
		34 |   egress {
		35 |     from_port   = 0
		36 |     to_port     = 0
		37 |     protocol    = "-1"
		38 |     cidr_blocks = ["0.0.0.0/0"]
		39 |   }
		40 | 
		41 |   tags = merge(local.tags,
		42 |     { Name = "${local.application_name}-${local.environment}-lambda-sg" }
		43 |   )
		44 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.lambda_function
	File: /ccms-lambda.tf:48-82
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		48 | resource "aws_lambda_function" "lambda_function" {
		49 |   function_name = "${local.application_name}-${local.environment}-payment-load"
		50 |   filename      = "lambda/functionV2.zip"
		51 |   handler       = "lambda_function.lambda_handler"
		52 |   runtime       = "python3.10"
		53 |   role          = aws_iam_role.lambda_execution_role.arn
		54 |   layers        = [aws_lambda_layer_version.lambda_layer.arn]
		55 |   architectures = ["x86_64"]
		56 |   memory_size   = 128
		57 |   timeout       = 120
		58 | 
		59 |   vpc_config {
		60 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		61 |     security_group_ids = [aws_security_group.lambda_security_group.id]
		62 |   }
		63 |   environment {
		64 |     variables = {
		65 |       IS_PRODUCTION   = local.is-production ? "true" : "false"
		66 |       LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
		67 |       S3_BUCKET_NAME  = aws_s3_bucket.lambda_payment_load.bucket
		68 |       SECRET_NAME     = aws_secretsmanager_secret.secret_lambda_s3.name
		69 |     }
		70 |   }
		71 |   logging_config {
		72 |     log_format            = "JSON"
		73 |     application_log_level = "INFO"
		74 |     system_log_level      = "INFO"
		75 |   }
		76 | 
		77 |   tags = merge(local.tags, {
		78 |     Name = "${local.application_name}-${local.environment}-payment-load"
		79 |   })
		80 | 
		81 |   depends_on = [aws_lambda_layer_version.lambda_layer]
		82 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.lambda_function
	File: /ccms-lambda.tf:48-82
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		48 | resource "aws_lambda_function" "lambda_function" {
		49 |   function_name = "${local.application_name}-${local.environment}-payment-load"
		50 |   filename      = "lambda/functionV2.zip"
		51 |   handler       = "lambda_function.lambda_handler"
		52 |   runtime       = "python3.10"
		53 |   role          = aws_iam_role.lambda_execution_role.arn
		54 |   layers        = [aws_lambda_layer_version.lambda_layer.arn]
		55 |   architectures = ["x86_64"]
		56 |   memory_size   = 128
		57 |   timeout       = 120
		58 | 
		59 |   vpc_config {
		60 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		61 |     security_group_ids = [aws_security_group.lambda_security_group.id]
		62 |   }
		63 |   environment {
		64 |     variables = {
		65 |       IS_PRODUCTION   = local.is-production ? "true" : "false"
		66 |       LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
		67 |       S3_BUCKET_NAME  = aws_s3_bucket.lambda_payment_load.bucket
		68 |       SECRET_NAME     = aws_secretsmanager_secret.secret_lambda_s3.name
		69 |     }
		70 |   }
		71 |   logging_config {
		72 |     log_format            = "JSON"
		73 |     application_log_level = "INFO"
		74 |     system_log_level      = "INFO"
		75 |   }
		76 | 
		77 |   tags = merge(local.tags, {
		78 |     Name = "${local.application_name}-${local.environment}-payment-load"
		79 |   })
		80 | 
		81 |   depends_on = [aws_lambda_layer_version.lambda_layer]
		82 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.lambda_function
	File: /ccms-lambda.tf:48-82
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		48 | resource "aws_lambda_function" "lambda_function" {
		49 |   function_name = "${local.application_name}-${local.environment}-payment-load"
		50 |   filename      = "lambda/functionV2.zip"
		51 |   handler       = "lambda_function.lambda_handler"
		52 |   runtime       = "python3.10"
		53 |   role          = aws_iam_role.lambda_execution_role.arn
		54 |   layers        = [aws_lambda_layer_version.lambda_layer.arn]
		55 |   architectures = ["x86_64"]
		56 |   memory_size   = 128
		57 |   timeout       = 120
		58 | 
		59 |   vpc_config {
		60 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		61 |     security_group_ids = [aws_security_group.lambda_security_group.id]
		62 |   }
		63 |   environment {
		64 |     variables = {
		65 |       IS_PRODUCTION   = local.is-production ? "true" : "false"
		66 |       LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
		67 |       S3_BUCKET_NAME  = aws_s3_bucket.lambda_payment_load.bucket
		68 |       SECRET_NAME     = aws_secretsmanager_secret.secret_lambda_s3.name
		69 |     }
		70 |   }
		71 |   logging_config {
		72 |     log_format            = "JSON"
		73 |     application_log_level = "INFO"
		74 |     system_log_level      = "INFO"
		75 |   }
		76 | 
		77 |   tags = merge(local.tags, {
		78 |     Name = "${local.application_name}-${local.environment}-payment-load"
		79 |   })
		80 | 
		81 |   depends_on = [aws_lambda_layer_version.lambda_layer]
		82 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.lambda_function
	File: /ccms-lambda.tf:48-82
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		48 | resource "aws_lambda_function" "lambda_function" {
		49 |   function_name = "${local.application_name}-${local.environment}-payment-load"
		50 |   filename      = "lambda/functionV2.zip"
		51 |   handler       = "lambda_function.lambda_handler"
		52 |   runtime       = "python3.10"
		53 |   role          = aws_iam_role.lambda_execution_role.arn
		54 |   layers        = [aws_lambda_layer_version.lambda_layer.arn]
		55 |   architectures = ["x86_64"]
		56 |   memory_size   = 128
		57 |   timeout       = 120
		58 | 
		59 |   vpc_config {
		60 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		61 |     security_group_ids = [aws_security_group.lambda_security_group.id]
		62 |   }
		63 |   environment {
		64 |     variables = {
		65 |       IS_PRODUCTION   = local.is-production ? "true" : "false"
		66 |       LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
		67 |       S3_BUCKET_NAME  = aws_s3_bucket.lambda_payment_load.bucket
		68 |       SECRET_NAME     = aws_secretsmanager_secret.secret_lambda_s3.name
		69 |     }
		70 |   }
		71 |   logging_config {
		72 |     log_format            = "JSON"
		73 |     application_log_level = "INFO"
		74 |     system_log_level      = "INFO"
		75 |   }
		76 | 
		77 |   tags = merge(local.tags, {
		78 |     Name = "${local.application_name}-${local.environment}-payment-load"
		79 |   })
		80 | 
		81 |   depends_on = [aws_lambda_layer_version.lambda_layer]
		82 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.lambda_function
	File: /ccms-lambda.tf:48-82
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		48 | resource "aws_lambda_function" "lambda_function" {
		49 |   function_name = "${local.application_name}-${local.environment}-payment-load"
		50 |   filename      = "lambda/functionV2.zip"
		51 |   handler       = "lambda_function.lambda_handler"
		52 |   runtime       = "python3.10"
		53 |   role          = aws_iam_role.lambda_execution_role.arn
		54 |   layers        = [aws_lambda_layer_version.lambda_layer.arn]
		55 |   architectures = ["x86_64"]
		56 |   memory_size   = 128
		57 |   timeout       = 120
		58 | 
		59 |   vpc_config {
		60 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		61 |     security_group_ids = [aws_security_group.lambda_security_group.id]
		62 |   }
		63 |   environment {
		64 |     variables = {
		65 |       IS_PRODUCTION   = local.is-production ? "true" : "false"
		66 |       LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
		67 |       S3_BUCKET_NAME  = aws_s3_bucket.lambda_payment_load.bucket
		68 |       SECRET_NAME     = aws_secretsmanager_secret.secret_lambda_s3.name
		69 |     }
		70 |   }
		71 |   logging_config {
		72 |     log_format            = "JSON"
		73 |     application_log_level = "INFO"
		74 |     system_log_level      = "INFO"
		75 |   }
		76 | 
		77 |   tags = merge(local.tags, {
		78 |     Name = "${local.application_name}-${local.environment}-payment-load"
		79 |   })
		80 | 
		81 |   depends_on = [aws_lambda_layer_version.lambda_layer]
		82 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3-bucket
	File: /ccms-s3.tf:2-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3-bucket-logging
	File: /ccms-s3.tf:98-166
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3-bucket-dbbackup
	File: /ccms-s3.tf:190-258
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.secret_ftp_s3
	File: /ccms-secrets.tf:3-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		3  | resource "aws_secretsmanager_secret" "secret_ftp_s3" {
		4  |   name        = "ftp-s3-${local.environment}-aws-key"
		5  |   description = "AWS credentials for mounting of s3 buckets for the FTP Service to access"
		6  | 
		7  |   tags = merge(local.tags,
		8  |     { Name = "ftp-s3-${local.environment}-aws-key" }
		9  |   )
		10 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.secret_ses_smtp_credentials
	File: /ccms-secrets.tf:12-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		12 | resource "aws_secretsmanager_secret" "secret_ses_smtp_credentials" {
		13 |   name        = "ses-smtp-credentials"
		14 |   description = "SMTP credentials for Postfix to send messages through SES."
		15 | 
		16 |   tags = merge(local.tags,
		17 |     { Name = "ses-smtp-credentials-${local.environment}" }
		18 |   )
		19 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.secret_lambda_s3
	File: /ccms-secrets.tf:23-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		23 | resource "aws_secretsmanager_secret" "secret_lambda_s3" {
		24 |   name        = "db-${local.environment}-credentials"
		25 |   description = "AWS credentials for lambda to connect to the db"
		26 | 
		27 |   tags = merge(local.tags,
		28 |     { Name = "db-${local.environment}-credentials" }
		29 |   )
		30 | }
Check: CKV_AWS_365: "Ensure SES Configuration Set enforces TLS usage"
	FAILED for resource: aws_ses_configuration_set.default_configuration_set
	File: /ccms-ses.tf:35-43
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-365

		35 | resource "aws_ses_configuration_set" "default_configuration_set" {
		36 |   name = "default-configuration-set"
		37 | 
		38 |   delivery_options {
		39 |     tls_policy = "Optional"
		40 |   }
		41 |   reputation_metrics_enabled = true
		42 |   sending_enabled            = true
		43 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.support_email_account
	File: /ccms-sns.tf:2-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		2 | resource "aws_secretsmanager_secret" "support_email_account" {
		3 |   name        = "support_email_account"
		4 |   description = "email address of the support account for cw alerts"
		5 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.cw_alerts
	File: /ccms-sns.tf:17-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		17 | resource "aws_sns_topic" "cw_alerts" {
		18 |   name = "ccms-ebs-ec2-alerts"
		19 |   #kms_master_key_id = "alias/aws/sns"
		20 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.s3_topic
	File: /ccms-sns.tf:34-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		34 | resource "aws_sns_topic" "s3_topic" {
		35 |   name   = "s3-event-notification-topic"
		36 |   policy = data.aws_iam_policy_document.s3_topic_policy.json
		37 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.ddos_alarm
	File: /ccms-sns.tf:51-54
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		51 | resource "aws_sns_topic" "ddos_alarm" {
		52 |   name = format("%s_ddos_alarm", local.application_name)
		53 |   #kms_master_key_id = "alias/aws/sns"
		54 | }

Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
	FAILED for resource: aws_wafv2_web_acl.ebs_web_acl
	File: /ccms-waf.tf:172-211
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-waf-prevents-message-lookup-in-log4j2

		172 | resource "aws_wafv2_web_acl" "ebs_web_acl" {
		173 |   name        = "ebs_waf"
		174 |   scope       = "REGIONAL"
		175 |   description = "AWS WAF Web ACL for EBS"
		176 | 
		177 |   default_action {
		178 |     block {}
		179 |   }
		180 | 
		181 |   rule {
		182 |     name = "ebs-trusted-rule"
		183 | 
		184 |     priority = 1
		185 |     action {
		186 |       allow {}
		187 |     }
		188 | 
		189 |     statement {
		190 |       ip_set_reference_statement {
		191 |         arn = aws_wafv2_ip_set.ebs_waf_ip_set.arn
		192 |       }
		193 |     }
		194 | 
		195 |     visibility_config {
		196 |       cloudwatch_metrics_enabled = true
		197 |       metric_name                = "ebs_waf_metrics"
		198 |       sampled_requests_enabled   = true
		199 |     }
		200 |   }
		201 | 
		202 |   tags = merge(local.tags,
		203 |     { Name = lower(format("lb-%s-%s-ebsapp-web-acl", local.application_name, local.environment)) }
		204 |   )
		205 | 
		206 |   visibility_config {
		207 |     cloudwatch_metrics_enabled = true
		208 |     metric_name                = "ebs_waf_metrics"
		209 |     sampled_requests_enabled   = true
		210 |   }
		211 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.ebs_waf_logs
	File: /ccms-waf.tf:213-220
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		213 | resource "aws_cloudwatch_log_group" "ebs_waf_logs" {
		214 |   name              = "aws-waf-logs-ebs/ebs-waf-logs"
		215 |   retention_in_days = 30
		216 | 
		217 |   tags = merge(local.tags,
		218 |     { Name = lower(format("lb-%s-%s-ebs-waf-logs", local.application_name, local.environment)) }
		219 |   )
		220 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.ebs_waf_logs
	File: /ccms-waf.tf:213-220
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		213 | resource "aws_cloudwatch_log_group" "ebs_waf_logs" {
		214 |   name              = "aws-waf-logs-ebs/ebs-waf-logs"
		215 |   retention_in_days = 30
		216 | 
		217 |   tags = merge(local.tags,
		218 |     { Name = lower(format("lb-%s-%s-ebs-waf-logs", local.application_name, local.environment)) }
		219 |   )
		220 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.lambda_payment_load
	File: /ccms-s3.tf:293-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		293 | resource "aws_s3_bucket" "lambda_payment_load" {
		294 |   bucket = "${local.application_name}-${local.environment}-payment-load"
		295 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: aws_ssm_parameter.cw_agent_config
	File: /ccms-cloudwatch.tf:28-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted

		28 | resource "aws_ssm_parameter" "cw_agent_config" {
		29 |   description = "cloud watch agent config"
		30 |   name        = "cloud-watch-config"
		31 |   type        = "String"
		32 |   value       = file("./templates/cw_agent_config.json")
		33 | 
		34 |   tags = merge(local.tags,
		35 |     { Name = "cw-config" }
		36 |   )
		37 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.lambda_payment_load
	File: /ccms-s3.tf:293-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		293 | resource "aws_s3_bucket" "lambda_payment_load" {
		294 |   bucket = "${local.application_name}-${local.environment}-payment-load"
		295 | }
Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.lambda_payment_load
	File: /ccms-s3.tf:293-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		293 | resource "aws_s3_bucket" "lambda_payment_load" {
		294 |   bucket = "${local.application_name}-${local.environment}-payment-load"
		295 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.lambda_payment_load
	File: /ccms-s3.tf:293-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		293 | resource "aws_s3_bucket" "lambda_payment_load" {
		294 |   bucket = "${local.application_name}-${local.environment}-payment-load"
		295 | }
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.secret_ftp_s3
	File: /ccms-secrets.tf:3-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		3  | resource "aws_secretsmanager_secret" "secret_ftp_s3" {
		4  |   name        = "ftp-s3-${local.environment}-aws-key"
		5  |   description = "AWS credentials for mounting of s3 buckets for the FTP Service to access"
		6  | 
		7  |   tags = merge(local.tags,
		8  |     { Name = "ftp-s3-${local.environment}-aws-key" }
		9  |   )
		10 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.secret_ses_smtp_credentials
	File: /ccms-secrets.tf:12-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		12 | resource "aws_secretsmanager_secret" "secret_ses_smtp_credentials" {
		13 |   name        = "ses-smtp-credentials"
		14 |   description = "SMTP credentials for Postfix to send messages through SES."
		15 | 
		16 |   tags = merge(local.tags,
		17 |     { Name = "ses-smtp-credentials-${local.environment}" }
		18 |   )
		19 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.secret_lambda_s3
	File: /ccms-secrets.tf:23-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		23 | resource "aws_secretsmanager_secret" "secret_lambda_s3" {
		24 |   name        = "db-${local.environment}-credentials"
		25 |   description = "AWS credentials for lambda to connect to the db"
		26 | 
		27 |   tags = merge(local.tags,
		28 |     { Name = "db-${local.environment}-credentials" }
		29 |   )
		30 | }
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.support_email_account
	File: /ccms-sns.tf:2-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		2 | resource "aws_secretsmanager_secret" "support_email_account" {
		3 |   name        = "support_email_account"
		4 |   description = "email address of the support account for cw alerts"
		5 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.lambda_payment_load
	File: /ccms-s3.tf:293-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		293 | resource "aws_s3_bucket" "lambda_payment_load" {
		294 |   bucket = "${local.application_name}-${local.environment}-payment-load"
		295 | }
Check: CKV2_AWS_64: "Ensure KMS key Policy is defined"
	FAILED for resource: aws_kms_key.oracle_ec2
	File: /ccms-kms.tf:1-7
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-2-64

		1 | resource "aws_kms_key" "oracle_ec2" {
		2 |   enable_key_rotation = true
		3 | 
		4 |   tags = merge(local.tags,
		5 |     { Name = "oracle_ec2" }
		6 |   )
		7 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.lambda_payment_load
	File: /ccms-s3.tf:293-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		293 | resource "aws_s3_bucket" "lambda_payment_load" {
		294 |   bucket = "${local.application_name}-${local.environment}-payment-load"
		295 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.lambda_payment_load
	File: /ccms-s3.tf:293-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		293 | resource "aws_s3_bucket" "lambda_payment_load" {
		294 |   bucket = "${local.application_name}-${local.environment}-payment-load"
		295 | }
Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances"
	FAILED for resource: aws_eip.ebs_eip
	File: /ccms-ec2-oracle_ebs_apps-nlb.tf:2-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances

		2  | resource "aws_eip" "ebs_eip" {
		3  |   count = local.is-production ? 6 : 3
		4  |   vpc   = true
		5  | 
		6  |   lifecycle {
		7  |     prevent_destroy = true
		8  |   }
		9  | 
		10 |   tags = merge(local.tags,
		11 |     { Name = lower(format("lb-%s-%s-eip-${count.index + 1}", local.application_name, local.environment)) }
		12 |   )
		13 | }

Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances"
	FAILED for resource: aws_eip.webgate_eip
	File: /ccms-ec2-oracle_webgate-nlb.tf:2-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances

		2  | resource "aws_eip" "webgate_eip" {
		3  |   count = local.is-production ? 6 : 3
		4  |   vpc   = true
		5  | 
		6  |   lifecycle {
		7  |     prevent_destroy = true
		8  |   }
		9  | 
		10 |   tags = merge(local.tags,
		11 |     { Name = lower(format("lb-%s-%s-webgate-eip-${count.index + 1}", local.application_name, local.environment)) }
		12 |   )
		13 | }


checkov_exitcode=1

CTFLint Scan Failed

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/ccms-ebs

*****************************

Running tflint in terraform/environments/ccms-ebs
Excluding the following checks: terraform_unused_declarations
5 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/ccms-ebs/ccms-ec2-ftp.tf line 23:
  23:     environment               = "${local.environment}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/ccms-ebs/ccms-ec2-ftp.tf line 24:
  24:     lz_aws_account_id_env     = "${local.application_data.accounts[local.environment].lz_aws_account_id_env}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/ccms-ebs/ccms-ec2-ftp.tf line 25:
  25:     lz_ftp_bucket_environment = "${local.application_data.accounts[local.environment].lz_ftp_bucket_environment}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/ccms-ebs/ccms-ec2-mailrelay.tf line 28:
  28:     smtp_fqdn = "${local.application_data.accounts[local.environment].ses_domain_identity}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/ccms-ebs/ccms-ec2-oracle_ebs_db.tf line 31:
  31:     environment = "${local.environment}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/ccms-ebs

*****************************

Running Trivy in terraform/environments/ccms-ebs
2024-12-13T09:24:14Z	INFO	[vulndb] Need to update DB
2024-12-13T09:24:14Z	INFO	[vulndb] Downloading vulnerability DB...
2024-12-13T09:24:14Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-13T09:24:16Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-13T09:24:16Z	INFO	[vuln] Vulnerability scanning is enabled
2024-12-13T09:24:16Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-12-13T09:24:16Z	INFO	[misconfig] Need to update the built-in checks
2024-12-13T09:24:16Z	INFO	[misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2024-12-13T09:24:16Z	INFO	[secret] Secret scanning is enabled
2024-12-13T09:24:16Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-13T09:24:16Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-13T09:24:18Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-12-13T09:24:18Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-12-13T09:24:18Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_log_group.groups" value="cty.NilVal"
2024-12-13T09:24:18Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_security_group_rule.all_internal_egress_traffic" value="cty.NilVal"
2024-12-13T09:24:18Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_security_group_rule.all_internal_ingress_traffic" value="cty.NilVal"
2024-12-13T09:24:19Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-13T09:24:19Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-13T09:24:19Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.s3-bucket-dbbackup.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-13T09:24:19Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.s3-bucket-dbbackup.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-13T09:24:19Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.s3-bucket-logging.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-13T09:24:19Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.s3-bucket-logging.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-13T09:24:19Z	INFO	[terraform scanner] Scanning root module	file_path="modules"
2024-12-13T09:24:19Z	INFO	[terraform scanner] Scanning root module	file_path="modules/cw-logs"
2024-12-13T09:24:22Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-12-13T09:24:22Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-user-attached-policies" range="ccms-iam.tf:283-289"
2024-12-13T09:24:22Z	INFO	Number of language-specific files	num=0
2024-12-13T09:24:22Z	INFO	Detected config files	num=28

ccms-ec2-oracle_accessgate.tf (terraform)
=========================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 ccms-ec2-oracle_accessgate.tf:1-104
────────────────────────────────────────
   1resource "aws_instance" "ec2_accessgate" {
   2count                  = local.application_data.accounts[local.environment].accessgate_no_instances
   3instance_type          = local.application_data.accounts[local.environment].ec2_oracle_instance_type_accessgate
   4ami                    = local.application_data.accounts[local.environment]["accessgate_ami_id-${count.index + 1}"]
   5key_name               = local.application_data.accounts[local.environment].key_name
   6vpc_security_group_ids = [aws_security_group.ec2_sg_accessgate.id]
   7subnet_id              = local.private_subnets[count.index]
   8#subnet_id                   = data.aws_subnet.data_subnets_a.id
   9monitoring                  = true
  ..   
────────────────────────────────────────



ccms-ec2-oracle_ebs_apps-alb.tf (terraform)
===========================================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.


See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 ccms-ec2-oracle_ebs_apps-alb.tf:1-19
────────────────────────────────────────
   1resource "aws_lb" "ebsapps_lb" {
   2name               = lower(format("lb-%s-%s-ebsapp", local.application_name, local.environment))
   3internal           = false
   4load_balancer_type = "application"
   5security_groups    = [aws_security_group.sg_ebsapps_lb.id]
   6subnets            = data.aws_subnets.shared-public.ids
   78enable_deletion_protection = true
   9..   
────────────────────────────────────────


AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 ccms-ec2-oracle_ebs_apps-alb.tf:3
   via ccms-ec2-oracle_ebs_apps-alb.tf:1-19 (aws_lb.ebsapps_lb)
────────────────────────────────────────
   1   resource "aws_lb" "ebsapps_lb" {
   .   
   3 [   internal           = false
  ..   
  19   }
────────────────────────────────────────



ccms-ec2-oracle_ebs_apps-nlb.tf (terraform)
===========================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 ccms-ec2-oracle_ebs_apps-nlb.tf:18
   via ccms-ec2-oracle_ebs_apps-nlb.tf:16-42 (aws_lb.ebsapps_nlb)
────────────────────────────────────────
  16   resource "aws_lb" "ebsapps_nlb" {
  ..   
  18 [   internal           = false
  ..   
  42   }
────────────────────────────────────────



ccms-ec2-oracle_ebs_apps.tf (terraform)
=======================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 ccms-ec2-oracle_ebs_apps.tf:1-127
────────────────────────────────────────
   1resource "aws_instance" "ec2_ebsapps" {
   2 │   count                  = local.application_data.accounts[local.environment].ebsapps_no_instances
   3 │   instance_type          = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsapps
   4 │   ami                    = local.application_data.accounts[local.environment]["ebsapps_ami_id-${count.index + 1}"]
   5 │   key_name               = local.application_data.accounts[local.environment].key_name
   6 │   vpc_security_group_ids = [aws_security_group.ec2_sg_ebsapps.id]
   7 │   subnet_id              = local.private_subnets[count.index]
   8#subnet_id                   = data.aws_subnet.data_subnets_a.id
   9 └   monitoring                  = true
  ..   
────────────────────────────────────────



ccms-ec2-oracle_ebs_db.tf (terraform)
=====================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 ccms-ec2-oracle_ebs_db.tf:1-68
────────────────────────────────────────
   1 ┌ resource "aws_instance" "ec2_oracle_ebs" {
   2 │   instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsdb
   3#ami                         = data.aws_ami.oracle_db.id
   4 │   ami                         = local.application_data.accounts[local.environment].ebsdb_ami_id
   5 │   key_name                    = local.application_data.accounts[local.environment].key_name
   6 │   vpc_security_group_ids      = [aws_security_group.ec2_sg_ebsdb.id]
   7 │   subnet_id                   = data.aws_subnet.data_subnets_a.id
   8 │   monitoring                  = true
   9 └   ebs_optimized               = false
  ..   
────────────────────────────────────────



ccms-ec2-oracle_webgate-alb.tf (terraform)
==========================================
Tests: 3 (SUCCESSES: 0, FAILURES: 3)
Failures: 3 (HIGH: 3, CRITICAL: 0)

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.


See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 ccms-ec2-oracle_webgate-alb.tf:1-20
────────────────────────────────────────
   1 ┌ resource "aws_lb" "webgate_lb" {
   2 │   count              = local.is-production ? 1 : 1
   3 │   name               = lower(format("lb-%s-%s-wgate", local.application_name, local.environment))
   4 │   internal           = true
   5 │   load_balancer_type = "application"
   6 │   security_groups    = [aws_security_group.sg_webgate_lb.id]
   7 │   subnets            = data.aws_subnets.shared-private.ids
   89 └   enable_deletion_protection = true
  ..   
────────────────────────────────────────


AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.


See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 ccms-ec2-oracle_webgate-alb.tf:62-80
────────────────────────────────────────
  62 ┌ resource "aws_lb" "webgate_public_lb" {
  63 │   name               = lower(format("public-alb-webgate"))
  64 │   internal           = false
  65 │   load_balancer_type = "application"
  66 │   security_groups    = [aws_security_group.sg_webgate_lb.id]
  67 │   subnets            = data.aws_subnets.shared-public.ids
  6869 │   enable_deletion_protection = true
  70 └ 
  ..   
────────────────────────────────────────


AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 ccms-ec2-oracle_webgate-alb.tf:64
   via ccms-ec2-oracle_webgate-alb.tf:62-80 (aws_lb.webgate_public_lb)
────────────────────────────────────────
  62   resource "aws_lb" "webgate_public_lb" {
  ..   
  64 [   internal           = false
  ..   
  80   }
────────────────────────────────────────



ccms-ec2-oracle_webgate-nlb.tf (terraform)
==========================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 ccms-ec2-oracle_webgate-nlb.tf:18
   via ccms-ec2-oracle_webgate-nlb.tf:16-42 (aws_lb.webgate_nlb)
────────────────────────────────────────
  16   resource "aws_lb" "webgate_nlb" {
  ..   
  18 [   internal           = false
  ..   
  42   }
────────────────────────────────────────



ccms-ec2-oracle_webgate.tf (terraform)
======================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 ccms-ec2-oracle_webgate.tf:1-104
────────────────────────────────────────
   1 ┌ resource "aws_instance" "ec2_webgate" {
   2 │   count                  = local.application_data.accounts[local.environment].webgate_no_instances
   3 │   instance_type          = local.application_data.accounts[local.environment].ec2_oracle_instance_type_webgate
   4 │   ami                    = local.application_data.accounts[local.environment]["webgate_ami_id-${count.index + 1}"]
   5 │   key_name               = local.application_data.accounts[local.environment].key_name
   6 │   vpc_security_group_ids = [aws_security_group.ec2_sg_webgate.id]
   7 │   subnet_id              = local.private_subnets[count.index]
   8#subnet_id                   = data.aws_subnet.data_subnets_a.id
   9 └   monitoring                  = true
  ..   
────────────────────────────────────────



ccms-s3.tf (terraform)
======================
Tests: 8 (SUCCESSES: 0, FAILURES: 8)
Failures: 8 (HIGH: 8, CRITICAL: 0)

AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 ccms-s3.tf:286-288
────────────────────────────────────────
 286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
 287 │   bucket = "${local.application_name}-${local.environment}-shared"
 288 └ }
────────────────────────────────────────


AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 ccms-s3.tf:293-295
────────────────────────────────────────
 293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
 294 │   bucket = "${local.application_name}-${local.environment}-payment-load"
 295 └ }
────────────────────────────────────────


AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 ccms-s3.tf:286-288
────────────────────────────────────────
 286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
 287 │   bucket = "${local.application_name}-${local.environment}-shared"
 288 └ }
────────────────────────────────────────


AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 ccms-s3.tf:293-295
────────────────────────────────────────
 293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
 294 │   bucket = "${local.application_name}-${local.environment}-payment-load"
 295 └ }
────────────────────────────────────────


AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 ccms-s3.tf:286-288
────────────────────────────────────────
 286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
 287 │   bucket = "${local.application_name}-${local.environment}-shared"
 288 └ }
────────────────────────────────────────


AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 ccms-s3.tf:293-295
────────────────────────────────────────
 293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
 294 │   bucket = "${local.application_name}-${local.environment}-payment-load"
 295 └ }
────────────────────────────────────────


AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.


See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 ccms-s3.tf:286-288
────────────────────────────────────────
 286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
 287 │   bucket = "${local.application_name}-${local.environment}-shared"
 288 └ }
────────────────────────────────────────


AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.


See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 ccms-s3.tf:293-295
────────────────────────────────────────
 293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
 294 │   bucket = "${local.application_name}-${local.environment}-payment-load"
 295 └ }
────────────────────────────────────────


trivy_exitcode=1

@mmgovuk mmgovuk temporarily deployed to ccms-ebs-development December 13, 2024 09:26 — with GitHub Actions Inactive
@github-actions GitHub Actions
Copy link
Contributor

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/ccms-ebs

Running Trivy in terraform/environments/ccms-ebs
2024-12-13T09:26:44Z INFO [vulndb] Need to update DB
2024-12-13T09:26:44Z INFO [vulndb] Downloading vulnerability DB...
2024-12-13T09:26:44Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-13T09:26:46Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-13T09:26:46Z INFO [vuln] Vulnerability scanning is enabled
2024-12-13T09:26:46Z INFO [misconfig] Misconfiguration scanning is enabled
2024-12-13T09:26:46Z INFO [misconfig] Need to update the built-in checks
2024-12-13T09:26:46Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2024-12-13T09:26:46Z INFO [secret] Secret scanning is enabled
2024-12-13T09:26:46Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-13T09:26:46Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-13T09:26:48Z INFO [terraform scanner] Scanning root module file_path="."
2024-12-13T09:26:48Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-12-13T09:26:48Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_log_group.groups" value="cty.NilVal"
2024-12-13T09:26:48Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_security_group_rule.all_internal_egress_traffic" value="cty.NilVal"
2024-12-13T09:26:48Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_security_group_rule.all_internal_ingress_traffic" value="cty.NilVal"
2024-12-13T09:26:49Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-13T09:26:49Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-13T09:26:49Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket-dbbackup.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-13T09:26:49Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket-dbbackup.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-13T09:26:49Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket-logging.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-13T09:26:49Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket-logging.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-13T09:26:49Z INFO [terraform scanner] Scanning root module file_path="modules"
2024-12-13T09:26:49Z INFO [terraform scanner] Scanning root module file_path="modules/cw-logs"
2024-12-13T09:26:52Z INFO [terraform executor] Ignore finding rule="aws-iam-no-user-attached-policies" range="ccms-iam.tf:283-289"
2024-12-13T09:26:52Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-12-13T09:26:53Z INFO Number of language-specific files num=0
2024-12-13T09:26:53Z INFO Detected config files num=28

ccms-ec2-oracle_accessgate.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ccms-ec2-oracle_accessgate.tf:1-104
────────────────────────────────────────
1 ┌ resource "aws_instance" "ec2_accessgate" {
2 │ count = local.application_data.accounts[local.environment].accessgate_no_instances
3 │ instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_accessgate
4 │ ami = local.application_data.accounts[local.environment]["accessgate_ami_id-${count.index + 1}"]
5 │ key_name = local.application_data.accounts[local.environment].key_name
6 │ vpc_security_group_ids = [aws_security_group.ec2_sg_accessgate.id]
7 │ subnet_id = local.private_subnets[count.index]
8 │ #subnet_id = data.aws_subnet.data_subnets_a.id
9 └ monitoring = true
..
────────────────────────────────────────

ccms-ec2-oracle_ebs_apps-alb.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-alb.tf:1-19
────────────────────────────────────────
1 ┌ resource "aws_lb" "ebsapps_lb" {
2 │ name = lower(format("lb-%s-%s-ebsapp", local.application_name, local.environment))
3 │ internal = false
4 │ load_balancer_type = "application"
5 │ security_groups = [aws_security_group.sg_ebsapps_lb.id]
6 │ subnets = data.aws_subnets.shared-public.ids
7 │
8 │ enable_deletion_protection = true
9 └
..
────────────────────────────────────────

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-alb.tf:3
via ccms-ec2-oracle_ebs_apps-alb.tf:1-19 (aws_lb.ebsapps_lb)
────────────────────────────────────────
1 resource "aws_lb" "ebsapps_lb" {
.
3 [ internal = false
..
19 }
────────────────────────────────────────

ccms-ec2-oracle_ebs_apps-nlb.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-nlb.tf:18
via ccms-ec2-oracle_ebs_apps-nlb.tf:16-42 (aws_lb.ebsapps_nlb)
────────────────────────────────────────
16 resource "aws_lb" "ebsapps_nlb" {
..
18 [ internal = false
..
42 }
────────────────────────────────────────

ccms-ec2-oracle_ebs_apps.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps.tf:1-127
────────────────────────────────────────
1 ┌ resource "aws_instance" "ec2_ebsapps" {
2 │ count = local.application_data.accounts[local.environment].ebsapps_no_instances
3 │ instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsapps
4 │ ami = local.application_data.accounts[local.environment]["ebsapps_ami_id-${count.index + 1}"]
5 │ key_name = local.application_data.accounts[local.environment].key_name
6 │ vpc_security_group_ids = [aws_security_group.ec2_sg_ebsapps.id]
7 │ subnet_id = local.private_subnets[count.index]
8 │ #subnet_id = data.aws_subnet.data_subnets_a.id
9 └ monitoring = true
..
────────────────────────────────────────

ccms-ec2-oracle_ebs_db.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
ccms-ec2-oracle_ebs_db.tf:1-68
────────────────────────────────────────
1 ┌ resource "aws_instance" "ec2_oracle_ebs" {
2 │ instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsdb
3 │ #ami = data.aws_ami.oracle_db.id
4 │ ami = local.application_data.accounts[local.environment].ebsdb_ami_id
5 │ key_name = local.application_data.accounts[local.environment].key_name
6 │ vpc_security_group_ids = [aws_security_group.ec2_sg_ebsdb.id]
7 │ subnet_id = data.aws_subnet.data_subnets_a.id
8 │ monitoring = true
9 └ ebs_optimized = false
..
────────────────────────────────────────

ccms-ec2-oracle_webgate-alb.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 3)
Failures: 3 (HIGH: 3, CRITICAL: 0)

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
ccms-ec2-oracle_webgate-alb.tf:1-20
────────────────────────────────────────
1 ┌ resource "aws_lb" "webgate_lb" {
2 │ count = local.is-production ? 1 : 1
3 │ name = lower(format("lb-%s-%s-wgate", local.application_name, local.environment))
4 │ internal = true
5 │ load_balancer_type = "application"
6 │ security_groups = [aws_security_group.sg_webgate_lb.id]
7 │ subnets = data.aws_subnets.shared-private.ids
8 │
9 └ enable_deletion_protection = true
..
────────────────────────────────────────

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
ccms-ec2-oracle_webgate-alb.tf:62-80
────────────────────────────────────────
62 ┌ resource "aws_lb" "webgate_public_lb" {
63 │ name = lower(format("public-alb-webgate"))
64 │ internal = false
65 │ load_balancer_type = "application"
66 │ security_groups = [aws_security_group.sg_webgate_lb.id]
67 │ subnets = data.aws_subnets.shared-public.ids
68 │
69 │ enable_deletion_protection = true
70 └
..
────────────────────────────────────────

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ccms-ec2-oracle_webgate-alb.tf:64
via ccms-ec2-oracle_webgate-alb.tf:62-80 (aws_lb.webgate_public_lb)
────────────────────────────────────────
62 resource "aws_lb" "webgate_public_lb" {
..
64 [ internal = false
..
80 }
────────────────────────────────────────

ccms-ec2-oracle_webgate-nlb.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ccms-ec2-oracle_webgate-nlb.tf:18
via ccms-ec2-oracle_webgate-nlb.tf:16-42 (aws_lb.webgate_nlb)
────────────────────────────────────────
16 resource "aws_lb" "webgate_nlb" {
..
18 [ internal = false
..
42 }
────────────────────────────────────────

ccms-ec2-oracle_webgate.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ccms-ec2-oracle_webgate.tf:1-104
────────────────────────────────────────
1 ┌ resource "aws_instance" "ec2_webgate" {
2 │ count = local.application_data.accounts[local.environment].webgate_no_instances
3 │ instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_webgate
4 │ ami = local.application_data.accounts[local.environment]["webgate_ami_id-${count.index + 1}"]
5 │ key_name = local.application_data.accounts[local.environment].key_name
6 │ vpc_security_group_ids = [aws_security_group.ec2_sg_webgate.id]
7 │ subnet_id = local.private_subnets[count.index]
8 │ #subnet_id = data.aws_subnet.data_subnets_a.id
9 └ monitoring = true
..
────────────────────────────────────────

ccms-s3.tf (terraform)

Tests: 8 (SUCCESSES: 0, FAILURES: 8)
Failures: 8 (HIGH: 8, CRITICAL: 0)

AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.

See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
ccms-s3.tf:286-288
────────────────────────────────────────
286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
287 │ bucket = "${local.application_name}-${local.environment}-shared"
288 └ }
────────────────────────────────────────

AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.

See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
ccms-s3.tf:293-295
────────────────────────────────────────
293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
294 │ bucket = "${local.application_name}-${local.environment}-payment-load"
295 └ }
────────────────────────────────────────

AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
ccms-s3.tf:286-288
────────────────────────────────────────
286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
287 │ bucket = "${local.application_name}-${local.environment}-shared"
288 └ }
────────────────────────────────────────

AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
ccms-s3.tf:293-295
────────────────────────────────────────
293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
294 │ bucket = "${local.application_name}-${local.environment}-payment-load"
295 └ }
────────────────────────────────────────

AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
ccms-s3.tf:286-288
────────────────────────────────────────
286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
287 │ bucket = "${local.application_name}-${local.environment}-shared"
288 └ }
────────────────────────────────────────

AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
ccms-s3.tf:293-295
────────────────────────────────────────
293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
294 │ bucket = "${local.application_name}-${local.environment}-payment-load"
295 └ }
────────────────────────────────────────

AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
ccms-s3.tf:286-288
────────────────────────────────────────
286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
287 │ bucket = "${local.application_name}-${local.environment}-shared"
288 └ }
────────────────────────────────────────

AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
ccms-s3.tf:293-295
────────────────────────────────────────
293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
294 │ bucket = "${local.application_name}-${local.environment}-payment-load"
295 └ }
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/ccms-ebs

*****************************

Running Checkov in terraform/environments/ccms-ebs
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-12-13 09:26:55,569 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 955, Failed checks: 74, Skipped checks: 3

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.cloudwatch_datasource
	File: /ccms-cloudwatch.tf:54-106
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.groups
	File: /ccms-cloudwatch.tf:15-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		15 | resource "aws_cloudwatch_log_group" "groups" {
		16 |   for_each          = local.application_data.cw_log_groups
		17 |   name              = each.key
		18 |   retention_in_days = each.value.retention_days
		19 | 
		20 |   tags = merge(
		21 |     local.tags,
		22 |     {
		23 |       Name = each.key
		24 |     },
		25 |   )
		26 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.dlm_lifecycle
	File: /ccms-dlm.tf:24-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		24 | resource "aws_iam_role_policy" "dlm_lifecycle" {
		25 |   count = local.is-production ? 0 : 1
		26 |   name  = "dlm-lifecycle-policy"
		27 |   role  = aws_iam_role.dlm_lifecycle_role[0].id
		28 | 
		29 |   policy = <<EOF
		30 | {
		31 |    "Version": "2012-10-17",
		32 |    "Statement": [
		33 |       {
		34 |          "Effect": "Allow",
		35 |          "Action": [
		36 |             "ec2:CreateSnapshot",
		37 |             "ec2:DeleteSnapshot",
		38 |             "ec2:DescribeVolumes",
		39 |             "ec2:DescribeSnapshots"
		40 |          ],
		41 |          "Resource": "*"
		42 |       },
		43 |       {
		44 |          "Effect": "Allow",
		45 |          "Action": [
		46 |             "ec2:CreateTags"
		47 |          ],
		48 |          "Resource": "arn:aws:ec2:*::snapshot/*"
		49 |       }
		50 |    ]
		51 | }
		52 | EOF
		53 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.dlm_lifecycle
	File: /ccms-dlm.tf:24-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		24 | resource "aws_iam_role_policy" "dlm_lifecycle" {
		25 |   count = local.is-production ? 0 : 1
		26 |   name  = "dlm-lifecycle-policy"
		27 |   role  = aws_iam_role.dlm_lifecycle_role[0].id
		28 | 
		29 |   policy = <<EOF
		30 | {
		31 |    "Version": "2012-10-17",
		32 |    "Statement": [
		33 |       {
		34 |          "Effect": "Allow",
		35 |          "Action": [
		36 |             "ec2:CreateSnapshot",
		37 |             "ec2:DeleteSnapshot",
		38 |             "ec2:DescribeVolumes",
		39 |             "ec2:DescribeSnapshots"
		40 |          ],
		41 |          "Resource": "*"
		42 |       },
		43 |       {
		44 |          "Effect": "Allow",
		45 |          "Action": [
		46 |             "ec2:CreateTags"
		47 |          ],
		48 |          "Resource": "arn:aws:ec2:*::snapshot/*"
		49 |       }
		50 |    ]
		51 | }
		52 | EOF
		53 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_ftp
	File: /ccms-ec2-ftp.tf:1-67
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_mailrelay
	File: /ccms-ec2-mailrelay.tf:2-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.ec2_accessgate
	File: /ccms-ec2-oracle_accessgate.tf:1-104
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_accessgate
	File: /ccms-ec2-oracle_accessgate.tf:1-104
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.ebsapps_lb
	File: /ccms-ec2-oracle_ebs_apps-alb.tf:1-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		1  | resource "aws_lb" "ebsapps_lb" {
		2  |   name               = lower(format("lb-%s-%s-ebsapp", local.application_name, local.environment))
		3  |   internal           = false
		4  |   load_balancer_type = "application"
		5  |   security_groups    = [aws_security_group.sg_ebsapps_lb.id]
		6  |   subnets            = data.aws_subnets.shared-public.ids
		7  | 
		8  |   enable_deletion_protection = true
		9  | 
		10 |   access_logs {
		11 |     bucket  = module.s3-bucket-logging.bucket.id
		12 |     prefix  = local.lb_log_prefix_ebsapp
		13 |     enabled = true
		14 |   }
		15 | 
		16 |   tags = merge(local.tags,
		17 |     { Name = lower(format("lb-%s-%s-ebsapp", local.application_name, local.environment)) }
		18 |   )
		19 | }

Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
	FAILED for resource: aws_lb_target_group.ebsapp_tg
	File: /ccms-ec2-oracle_ebs_apps-alb.tf:39-54
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks

		39 | resource "aws_lb_target_group" "ebsapp_tg" {
		40 |   name     = lower(format("tg-%s-%s-ebsapp", local.application_name, local.environment))
		41 |   port     = local.application_data.accounts[local.environment].tg_apps_port
		42 |   protocol = "HTTP"
		43 |   vpc_id   = data.aws_vpc.shared.id
		44 |   health_check {
		45 |     port     = local.application_data.accounts[local.environment].tg_apps_port
		46 |     protocol = "HTTP"
		47 |   }
		48 | 
		49 |   stickiness {
		50 |     enabled         = true
		51 |     type            = "lb_cookie"
		52 |     cookie_duration = 3600
		53 |   }
		54 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.ebsapps_nlb
	File: /ccms-ec2-oracle_ebs_apps-nlb.tf:16-42
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		16 | resource "aws_lb" "ebsapps_nlb" {
		17 |   name               = lower(format("nlb-%s-%s-ebs", local.application_name, local.environment))
		18 |   internal           = false
		19 |   load_balancer_type = "network"
		20 | 
		21 |   enable_deletion_protection       = true
		22 |   enable_cross_zone_load_balancing = true
		23 | 
		24 |   subnet_mapping {
		25 |     subnet_id     = data.aws_subnets.shared-public.ids[0]
		26 |     allocation_id = aws_eip.ebs_eip[0].id
		27 |   }
		28 | 
		29 |   subnet_mapping {
		30 |     subnet_id     = data.aws_subnets.shared-public.ids[1]
		31 |     allocation_id = aws_eip.ebs_eip[1].id
		32 |   }
		33 | 
		34 |   subnet_mapping {
		35 |     subnet_id     = data.aws_subnets.shared-public.ids[2]
		36 |     allocation_id = aws_eip.ebs_eip[2].id
		37 |   }
		38 | 
		39 |   tags = merge(local.tags,
		40 |     { Name = lower(format("nlb-%s-%s-ebsapp", local.application_name, local.environment)) }
		41 |   )
		42 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.ec2_ebsapps
	File: /ccms-ec2-oracle_ebs_apps.tf:1-127
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_ebsapps
	File: /ccms-ec2-oracle_ebs_apps.tf:1-127
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
	FAILED for resource: aws_instance.ec2_oracle_ebs
	File: /ccms-ec2-oracle_ebs_db.tf:1-68
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-13

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_oracle_ebs
	File: /ccms-ec2-oracle_ebs_db.tf:1-68
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.webgate_lb
	File: /ccms-ec2-oracle_webgate-alb.tf:1-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		1  | resource "aws_lb" "webgate_lb" {
		2  |   count              = local.is-production ? 1 : 1
		3  |   name               = lower(format("lb-%s-%s-wgate", local.application_name, local.environment))
		4  |   internal           = true
		5  |   load_balancer_type = "application"
		6  |   security_groups    = [aws_security_group.sg_webgate_lb.id]
		7  |   subnets            = data.aws_subnets.shared-private.ids
		8  | 
		9  |   enable_deletion_protection = true
		10 | 
		11 |   access_logs {
		12 |     bucket  = module.s3-bucket-logging.bucket.id
		13 |     prefix  = local.lb_log_prefix_wgate
		14 |     enabled = true
		15 |   }
		16 | 
		17 |   tags = merge(local.tags,
		18 |     { Name = lower(format("lb-%s-%s-wgate", local.application_name, local.environment)) }
		19 |   )
		20 | }

Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
	FAILED for resource: aws_lb_target_group.webgate_tg
	File: /ccms-ec2-oracle_webgate-alb.tf:40-52
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks

		40 | resource "aws_lb_target_group" "webgate_tg" {
		41 |   count    = local.is-production ? 1 : 1
		42 |   name     = lower(format("tg-%s-%s-wgate", local.application_name, local.environment))
		43 |   port     = 5401
		44 |   protocol = "HTTP"
		45 |   vpc_id   = data.aws_vpc.shared.id
		46 |   health_check {
		47 |     port     = 5401
		48 |     protocol = "HTTP"
		49 |     matcher  = 302
		50 |     timeout  = 10
		51 |   }
		52 | }

Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.webgate_public_lb
	File: /ccms-ec2-oracle_webgate-alb.tf:62-80
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		62 | resource "aws_lb" "webgate_public_lb" {
		63 |   name               = lower(format("public-alb-webgate"))
		64 |   internal           = false
		65 |   load_balancer_type = "application"
		66 |   security_groups    = [aws_security_group.sg_webgate_lb.id]
		67 |   subnets            = data.aws_subnets.shared-public.ids
		68 | 
		69 |   enable_deletion_protection = true
		70 | 
		71 |   access_logs {
		72 |     bucket  = module.s3-bucket-logging.bucket.id
		73 |     prefix  = local.lb_log_prefix_wgate_public
		74 |     enabled = true
		75 |   }
		76 | 
		77 |   tags = merge(local.tags,
		78 |     { Name = lower(format("public-alb-webgate")) }
		79 |   )
		80 | }

Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
	FAILED for resource: aws_lb_target_group.webgate_tg_public
	File: /ccms-ec2-oracle_webgate-alb.tf:100-111
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks

		100 | resource "aws_lb_target_group" "webgate_tg_public" {
		101 |   name     = lower(format("public-alb-webgate-tg"))
		102 |   port     = 5401
		103 |   protocol = "HTTP"
		104 |   vpc_id   = data.aws_vpc.shared.id
		105 |   health_check {
		106 |     port     = 5401
		107 |     protocol = "HTTP"
		108 |     matcher  = 302
		109 |     timeout  = 10
		110 |   }
		111 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.webgate_nlb
	File: /ccms-ec2-oracle_webgate-nlb.tf:16-42
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		16 | resource "aws_lb" "webgate_nlb" {
		17 |   name               = lower(format("public-nlb-webgate"))
		18 |   internal           = false
		19 |   load_balancer_type = "network"
		20 | 
		21 |   enable_deletion_protection       = true
		22 |   enable_cross_zone_load_balancing = true
		23 | 
		24 |   subnet_mapping {
		25 |     subnet_id     = data.aws_subnets.shared-public.ids[0]
		26 |     allocation_id = aws_eip.webgate_eip[0].id
		27 |   }
		28 | 
		29 |   subnet_mapping {
		30 |     subnet_id     = data.aws_subnets.shared-public.ids[1]
		31 |     allocation_id = aws_eip.webgate_eip[1].id
		32 |   }
		33 | 
		34 |   subnet_mapping {
		35 |     subnet_id     = data.aws_subnets.shared-public.ids[2]
		36 |     allocation_id = aws_eip.webgate_eip[2].id
		37 |   }
		38 | 
		39 |   tags = merge(local.tags,
		40 |     { Name = lower(format("public-nlb-webgate")) }
		41 |   )
		42 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.ec2_webgate
	File: /ccms-ec2-oracle_webgate.tf:1-104
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_webgate
	File: /ccms-ec2-oracle_webgate.tf:1-104
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.ec2_operations_policy
	File: /ccms-iam.tf:249-273
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		249 | resource "aws_iam_policy" "ec2_operations_policy" {
		250 |   name        = "ec2_operations-${local.environment}"
		251 |   description = "Allows EC2 operations."
		252 | 
		253 |   policy = jsonencode(
		254 |     {
		255 |       "Version" : "2012-10-17",
		256 |       "Statement" : [
		257 |         {
		258 |           "Sid" : "EC2Operations",
		259 |           "Effect" : "Allow",
		260 |           "Action" : [
		261 |             "ec2:Describe*",
		262 |             "ec2:CreateSnapshot",
		263 |             "ec2:CreateSnapshots",
		264 |             "ec2:DeleteSnapshot",
		265 |             "ec2:CreateTags",
		266 |             "ec2:DeleteTags"
		267 |           ],
		268 |           "Resource" : "*"
		269 |         }
		270 |       ]
		271 |     }
		272 |   )
		273 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.ec2_operations_policy
	File: /ccms-iam.tf:249-273
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		249 | resource "aws_iam_policy" "ec2_operations_policy" {
		250 |   name        = "ec2_operations-${local.environment}"
		251 |   description = "Allows EC2 operations."
		252 | 
		253 |   policy = jsonencode(
		254 |     {
		255 |       "Version" : "2012-10-17",
		256 |       "Statement" : [
		257 |         {
		258 |           "Sid" : "EC2Operations",
		259 |           "Effect" : "Allow",
		260 |           "Action" : [
		261 |             "ec2:Describe*",
		262 |             "ec2:CreateSnapshot",
		263 |             "ec2:CreateSnapshots",
		264 |             "ec2:DeleteSnapshot",
		265 |             "ec2:CreateTags",
		266 |             "ec2:DeleteTags"
		267 |           ],
		268 |           "Resource" : "*"
		269 |         }
		270 |       ]
		271 |     }
		272 |   )
		273 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.certificate_expiration_alerts
	File: /ccms-lambda-certificate-monitor.tf:46-51
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		46 | resource "aws_sns_topic" "certificate_expiration_alerts" {
		47 |   name = "${local.application_name}-${local.environment}-acm-certificate-alerts"
		48 |   tags = merge(local.tags, {
		49 |     Name = "${local.application_name}-${local.environment}-certificate-monitor"
		50 |   })
		51 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.certificate_monitor
	File: /ccms-lambda-certificate-monitor.tf:59-78
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		59 | resource "aws_lambda_function" "certificate_monitor" {
		60 |   filename         = "./lambda/certificate_monitor.zip"
		61 |   source_code_hash = filebase64sha256("./lambda/certificate_monitor.zip")
		62 |   function_name    = "${local.application_name}-${local.environment}-certificate-monitor"
		63 |   role             = aws_iam_role.lambda_certificate_monitor_role.arn
		64 |   handler          = "lambda_function.lambda_handler"
		65 |   runtime          = "python3.13"
		66 |   timeout          = 30
		67 |   publish          = true
		68 | 
		69 |   environment {
		70 |     variables = {
		71 |       EXPIRY_DAYS   = local.application_data.accounts[local.environment].certificate_expiry_days
		72 |       SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
		73 |     }
		74 |   }
		75 |   tags = merge(local.tags, {
		76 |     Name = "${local.application_name}-${local.environment}-certificate-monitor"
		77 |   })
		78 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.certificate_monitor
	File: /ccms-lambda-certificate-monitor.tf:59-78
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		59 | resource "aws_lambda_function" "certificate_monitor" {
		60 |   filename         = "./lambda/certificate_monitor.zip"
		61 |   source_code_hash = filebase64sha256("./lambda/certificate_monitor.zip")
		62 |   function_name    = "${local.application_name}-${local.environment}-certificate-monitor"
		63 |   role             = aws_iam_role.lambda_certificate_monitor_role.arn
		64 |   handler          = "lambda_function.lambda_handler"
		65 |   runtime          = "python3.13"
		66 |   timeout          = 30
		67 |   publish          = true
		68 | 
		69 |   environment {
		70 |     variables = {
		71 |       EXPIRY_DAYS   = local.application_data.accounts[local.environment].certificate_expiry_days
		72 |       SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
		73 |     }
		74 |   }
		75 |   tags = merge(local.tags, {
		76 |     Name = "${local.application_name}-${local.environment}-certificate-monitor"
		77 |   })
		78 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.certificate_monitor
	File: /ccms-lambda-certificate-monitor.tf:59-78
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		59 | resource "aws_lambda_function" "certificate_monitor" {
		60 |   filename         = "./lambda/certificate_monitor.zip"
		61 |   source_code_hash = filebase64sha256("./lambda/certificate_monitor.zip")
		62 |   function_name    = "${local.application_name}-${local.environment}-certificate-monitor"
		63 |   role             = aws_iam_role.lambda_certificate_monitor_role.arn
		64 |   handler          = "lambda_function.lambda_handler"
		65 |   runtime          = "python3.13"
		66 |   timeout          = 30
		67 |   publish          = true
		68 | 
		69 |   environment {
		70 |     variables = {
		71 |       EXPIRY_DAYS   = local.application_data.accounts[local.environment].certificate_expiry_days
		72 |       SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
		73 |     }
		74 |   }
		75 |   tags = merge(local.tags, {
		76 |     Name = "${local.application_name}-${local.environment}-certificate-monitor"
		77 |   })
		78 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.certificate_monitor
	File: /ccms-lambda-certificate-monitor.tf:59-78
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		59 | resource "aws_lambda_function" "certificate_monitor" {
		60 |   filename         = "./lambda/certificate_monitor.zip"
		61 |   source_code_hash = filebase64sha256("./lambda/certificate_monitor.zip")
		62 |   function_name    = "${local.application_name}-${local.environment}-certificate-monitor"
		63 |   role             = aws_iam_role.lambda_certificate_monitor_role.arn
		64 |   handler          = "lambda_function.lambda_handler"
		65 |   runtime          = "python3.13"
		66 |   timeout          = 30
		67 |   publish          = true
		68 | 
		69 |   environment {
		70 |     variables = {
		71 |       EXPIRY_DAYS   = local.application_data.accounts[local.environment].certificate_expiry_days
		72 |       SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
		73 |     }
		74 |   }
		75 |   tags = merge(local.tags, {
		76 |     Name = "${local.application_name}-${local.environment}-certificate-monitor"
		77 |   })
		78 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.certificate_monitor
	File: /ccms-lambda-certificate-monitor.tf:59-78
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		59 | resource "aws_lambda_function" "certificate_monitor" {
		60 |   filename         = "./lambda/certificate_monitor.zip"
		61 |   source_code_hash = filebase64sha256("./lambda/certificate_monitor.zip")
		62 |   function_name    = "${local.application_name}-${local.environment}-certificate-monitor"
		63 |   role             = aws_iam_role.lambda_certificate_monitor_role.arn
		64 |   handler          = "lambda_function.lambda_handler"
		65 |   runtime          = "python3.13"
		66 |   timeout          = 30
		67 |   publish          = true
		68 | 
		69 |   environment {
		70 |     variables = {
		71 |       EXPIRY_DAYS   = local.application_data.accounts[local.environment].certificate_expiry_days
		72 |       SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
		73 |     }
		74 |   }
		75 |   tags = merge(local.tags, {
		76 |     Name = "${local.application_name}-${local.environment}-certificate-monitor"
		77 |   })
		78 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.certificate_monitor
	File: /ccms-lambda-certificate-monitor.tf:59-78
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		59 | resource "aws_lambda_function" "certificate_monitor" {
		60 |   filename         = "./lambda/certificate_monitor.zip"
		61 |   source_code_hash = filebase64sha256("./lambda/certificate_monitor.zip")
		62 |   function_name    = "${local.application_name}-${local.environment}-certificate-monitor"
		63 |   role             = aws_iam_role.lambda_certificate_monitor_role.arn
		64 |   handler          = "lambda_function.lambda_handler"
		65 |   runtime          = "python3.13"
		66 |   timeout          = 30
		67 |   publish          = true
		68 | 
		69 |   environment {
		70 |     variables = {
		71 |       EXPIRY_DAYS   = local.application_data.accounts[local.environment].certificate_expiry_days
		72 |       SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
		73 |     }
		74 |   }
		75 |   tags = merge(local.tags, {
		76 |     Name = "${local.application_name}-${local.environment}-certificate-monitor"
		77 |   })
		78 | }

Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
	FAILED for resource: aws_security_group.lambda_security_group
	File: /ccms-lambda.tf:22-44

		22 | resource "aws_security_group" "lambda_security_group" {
		23 |   name        = "${local.application_name}-${local.environment}-lambda-sg"
		24 |   description = "SG traffic control for Payment Load Lambda"
		25 |   vpc_id      = data.aws_vpc.shared.id
		26 | 
		27 |   ingress {
		28 |     from_port   = 1521
		29 |     to_port     = 1522
		30 |     protocol    = "tcp"
		31 |     cidr_blocks = [data.aws_vpc.shared.cidr_block]
		32 |   }
		33 | 
		34 |   egress {
		35 |     from_port   = 0
		36 |     to_port     = 0
		37 |     protocol    = "-1"
		38 |     cidr_blocks = ["0.0.0.0/0"]
		39 |   }
		40 | 
		41 |   tags = merge(local.tags,
		42 |     { Name = "${local.application_name}-${local.environment}-lambda-sg" }
		43 |   )
		44 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.lambda_security_group
	File: /ccms-lambda.tf:22-44
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		22 | resource "aws_security_group" "lambda_security_group" {
		23 |   name        = "${local.application_name}-${local.environment}-lambda-sg"
		24 |   description = "SG traffic control for Payment Load Lambda"
		25 |   vpc_id      = data.aws_vpc.shared.id
		26 | 
		27 |   ingress {
		28 |     from_port   = 1521
		29 |     to_port     = 1522
		30 |     protocol    = "tcp"
		31 |     cidr_blocks = [data.aws_vpc.shared.cidr_block]
		32 |   }
		33 | 
		34 |   egress {
		35 |     from_port   = 0
		36 |     to_port     = 0
		37 |     protocol    = "-1"
		38 |     cidr_blocks = ["0.0.0.0/0"]
		39 |   }
		40 | 
		41 |   tags = merge(local.tags,
		42 |     { Name = "${local.application_name}-${local.environment}-lambda-sg" }
		43 |   )
		44 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.lambda_function
	File: /ccms-lambda.tf:48-82
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		48 | resource "aws_lambda_function" "lambda_function" {
		49 |   function_name = "${local.application_name}-${local.environment}-payment-load"
		50 |   filename      = "lambda/functionV2.zip"
		51 |   handler       = "lambda_function.lambda_handler"
		52 |   runtime       = "python3.10"
		53 |   role          = aws_iam_role.lambda_execution_role.arn
		54 |   layers        = [aws_lambda_layer_version.lambda_layer.arn]
		55 |   architectures = ["x86_64"]
		56 |   memory_size   = 128
		57 |   timeout       = 120
		58 | 
		59 |   vpc_config {
		60 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		61 |     security_group_ids = [aws_security_group.lambda_security_group.id]
		62 |   }
		63 |   environment {
		64 |     variables = {
		65 |       IS_PRODUCTION   = local.is-production ? "true" : "false"
		66 |       LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
		67 |       S3_BUCKET_NAME  = aws_s3_bucket.lambda_payment_load.bucket
		68 |       SECRET_NAME     = aws_secretsmanager_secret.secret_lambda_s3.name
		69 |     }
		70 |   }
		71 |   logging_config {
		72 |     log_format            = "JSON"
		73 |     application_log_level = "INFO"
		74 |     system_log_level      = "INFO"
		75 |   }
		76 | 
		77 |   tags = merge(local.tags, {
		78 |     Name = "${local.application_name}-${local.environment}-payment-load"
		79 |   })
		80 | 
		81 |   depends_on = [aws_lambda_layer_version.lambda_layer]
		82 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.lambda_function
	File: /ccms-lambda.tf:48-82
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		48 | resource "aws_lambda_function" "lambda_function" {
		49 |   function_name = "${local.application_name}-${local.environment}-payment-load"
		50 |   filename      = "lambda/functionV2.zip"
		51 |   handler       = "lambda_function.lambda_handler"
		52 |   runtime       = "python3.10"
		53 |   role          = aws_iam_role.lambda_execution_role.arn
		54 |   layers        = [aws_lambda_layer_version.lambda_layer.arn]
		55 |   architectures = ["x86_64"]
		56 |   memory_size   = 128
		57 |   timeout       = 120
		58 | 
		59 |   vpc_config {
		60 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		61 |     security_group_ids = [aws_security_group.lambda_security_group.id]
		62 |   }
		63 |   environment {
		64 |     variables = {
		65 |       IS_PRODUCTION   = local.is-production ? "true" : "false"
		66 |       LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
		67 |       S3_BUCKET_NAME  = aws_s3_bucket.lambda_payment_load.bucket
		68 |       SECRET_NAME     = aws_secretsmanager_secret.secret_lambda_s3.name
		69 |     }
		70 |   }
		71 |   logging_config {
		72 |     log_format            = "JSON"
		73 |     application_log_level = "INFO"
		74 |     system_log_level      = "INFO"
		75 |   }
		76 | 
		77 |   tags = merge(local.tags, {
		78 |     Name = "${local.application_name}-${local.environment}-payment-load"
		79 |   })
		80 | 
		81 |   depends_on = [aws_lambda_layer_version.lambda_layer]
		82 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.lambda_function
	File: /ccms-lambda.tf:48-82
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		48 | resource "aws_lambda_function" "lambda_function" {
		49 |   function_name = "${local.application_name}-${local.environment}-payment-load"
		50 |   filename      = "lambda/functionV2.zip"
		51 |   handler       = "lambda_function.lambda_handler"
		52 |   runtime       = "python3.10"
		53 |   role          = aws_iam_role.lambda_execution_role.arn
		54 |   layers        = [aws_lambda_layer_version.lambda_layer.arn]
		55 |   architectures = ["x86_64"]
		56 |   memory_size   = 128
		57 |   timeout       = 120
		58 | 
		59 |   vpc_config {
		60 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		61 |     security_group_ids = [aws_security_group.lambda_security_group.id]
		62 |   }
		63 |   environment {
		64 |     variables = {
		65 |       IS_PRODUCTION   = local.is-production ? "true" : "false"
		66 |       LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
		67 |       S3_BUCKET_NAME  = aws_s3_bucket.lambda_payment_load.bucket
		68 |       SECRET_NAME     = aws_secretsmanager_secret.secret_lambda_s3.name
		69 |     }
		70 |   }
		71 |   logging_config {
		72 |     log_format            = "JSON"
		73 |     application_log_level = "INFO"
		74 |     system_log_level      = "INFO"
		75 |   }
		76 | 
		77 |   tags = merge(local.tags, {
		78 |     Name = "${local.application_name}-${local.environment}-payment-load"
		79 |   })
		80 | 
		81 |   depends_on = [aws_lambda_layer_version.lambda_layer]
		82 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.lambda_function
	File: /ccms-lambda.tf:48-82
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		48 | resource "aws_lambda_function" "lambda_function" {
		49 |   function_name = "${local.application_name}-${local.environment}-payment-load"
		50 |   filename      = "lambda/functionV2.zip"
		51 |   handler       = "lambda_function.lambda_handler"
		52 |   runtime       = "python3.10"
		53 |   role          = aws_iam_role.lambda_execution_role.arn
		54 |   layers        = [aws_lambda_layer_version.lambda_layer.arn]
		55 |   architectures = ["x86_64"]
		56 |   memory_size   = 128
		57 |   timeout       = 120
		58 | 
		59 |   vpc_config {
		60 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		61 |     security_group_ids = [aws_security_group.lambda_security_group.id]
		62 |   }
		63 |   environment {
		64 |     variables = {
		65 |       IS_PRODUCTION   = local.is-production ? "true" : "false"
		66 |       LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
		67 |       S3_BUCKET_NAME  = aws_s3_bucket.lambda_payment_load.bucket
		68 |       SECRET_NAME     = aws_secretsmanager_secret.secret_lambda_s3.name
		69 |     }
		70 |   }
		71 |   logging_config {
		72 |     log_format            = "JSON"
		73 |     application_log_level = "INFO"
		74 |     system_log_level      = "INFO"
		75 |   }
		76 | 
		77 |   tags = merge(local.tags, {
		78 |     Name = "${local.application_name}-${local.environment}-payment-load"
		79 |   })
		80 | 
		81 |   depends_on = [aws_lambda_layer_version.lambda_layer]
		82 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.lambda_function
	File: /ccms-lambda.tf:48-82
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		48 | resource "aws_lambda_function" "lambda_function" {
		49 |   function_name = "${local.application_name}-${local.environment}-payment-load"
		50 |   filename      = "lambda/functionV2.zip"
		51 |   handler       = "lambda_function.lambda_handler"
		52 |   runtime       = "python3.10"
		53 |   role          = aws_iam_role.lambda_execution_role.arn
		54 |   layers        = [aws_lambda_layer_version.lambda_layer.arn]
		55 |   architectures = ["x86_64"]
		56 |   memory_size   = 128
		57 |   timeout       = 120
		58 | 
		59 |   vpc_config {
		60 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		61 |     security_group_ids = [aws_security_group.lambda_security_group.id]
		62 |   }
		63 |   environment {
		64 |     variables = {
		65 |       IS_PRODUCTION   = local.is-production ? "true" : "false"
		66 |       LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
		67 |       S3_BUCKET_NAME  = aws_s3_bucket.lambda_payment_load.bucket
		68 |       SECRET_NAME     = aws_secretsmanager_secret.secret_lambda_s3.name
		69 |     }
		70 |   }
		71 |   logging_config {
		72 |     log_format            = "JSON"
		73 |     application_log_level = "INFO"
		74 |     system_log_level      = "INFO"
		75 |   }
		76 | 
		77 |   tags = merge(local.tags, {
		78 |     Name = "${local.application_name}-${local.environment}-payment-load"
		79 |   })
		80 | 
		81 |   depends_on = [aws_lambda_layer_version.lambda_layer]
		82 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3-bucket
	File: /ccms-s3.tf:2-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3-bucket-logging
	File: /ccms-s3.tf:98-166
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3-bucket-dbbackup
	File: /ccms-s3.tf:190-258
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.secret_ftp_s3
	File: /ccms-secrets.tf:3-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		3  | resource "aws_secretsmanager_secret" "secret_ftp_s3" {
		4  |   name        = "ftp-s3-${local.environment}-aws-key"
		5  |   description = "AWS credentials for mounting of s3 buckets for the FTP Service to access"
		6  | 
		7  |   tags = merge(local.tags,
		8  |     { Name = "ftp-s3-${local.environment}-aws-key" }
		9  |   )
		10 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.secret_ses_smtp_credentials
	File: /ccms-secrets.tf:12-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		12 | resource "aws_secretsmanager_secret" "secret_ses_smtp_credentials" {
		13 |   name        = "ses-smtp-credentials"
		14 |   description = "SMTP credentials for Postfix to send messages through SES."
		15 | 
		16 |   tags = merge(local.tags,
		17 |     { Name = "ses-smtp-credentials-${local.environment}" }
		18 |   )
		19 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.secret_lambda_s3
	File: /ccms-secrets.tf:23-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		23 | resource "aws_secretsmanager_secret" "secret_lambda_s3" {
		24 |   name        = "db-${local.environment}-credentials"
		25 |   description = "AWS credentials for lambda to connect to the db"
		26 | 
		27 |   tags = merge(local.tags,
		28 |     { Name = "db-${local.environment}-credentials" }
		29 |   )
		30 | }
Check: CKV_AWS_365: "Ensure SES Configuration Set enforces TLS usage"
	FAILED for resource: aws_ses_configuration_set.default_configuration_set
	File: /ccms-ses.tf:35-43
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-365

		35 | resource "aws_ses_configuration_set" "default_configuration_set" {
		36 |   name = "default-configuration-set"
		37 | 
		38 |   delivery_options {
		39 |     tls_policy = "Optional"
		40 |   }
		41 |   reputation_metrics_enabled = true
		42 |   sending_enabled            = true
		43 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.support_email_account
	File: /ccms-sns.tf:2-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		2 | resource "aws_secretsmanager_secret" "support_email_account" {
		3 |   name        = "support_email_account"
		4 |   description = "email address of the support account for cw alerts"
		5 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.cw_alerts
	File: /ccms-sns.tf:17-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		17 | resource "aws_sns_topic" "cw_alerts" {
		18 |   name = "ccms-ebs-ec2-alerts"
		19 |   #kms_master_key_id = "alias/aws/sns"
		20 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.s3_topic
	File: /ccms-sns.tf:34-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		34 | resource "aws_sns_topic" "s3_topic" {
		35 |   name   = "s3-event-notification-topic"
		36 |   policy = data.aws_iam_policy_document.s3_topic_policy.json
		37 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.ddos_alarm
	File: /ccms-sns.tf:51-54
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		51 | resource "aws_sns_topic" "ddos_alarm" {
		52 |   name = format("%s_ddos_alarm", local.application_name)
		53 |   #kms_master_key_id = "alias/aws/sns"
		54 | }

Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
	FAILED for resource: aws_wafv2_web_acl.ebs_web_acl
	File: /ccms-waf.tf:172-211
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-waf-prevents-message-lookup-in-log4j2

		172 | resource "aws_wafv2_web_acl" "ebs_web_acl" {
		173 |   name        = "ebs_waf"
		174 |   scope       = "REGIONAL"
		175 |   description = "AWS WAF Web ACL for EBS"
		176 | 
		177 |   default_action {
		178 |     block {}
		179 |   }
		180 | 
		181 |   rule {
		182 |     name = "ebs-trusted-rule"
		183 | 
		184 |     priority = 1
		185 |     action {
		186 |       allow {}
		187 |     }
		188 | 
		189 |     statement {
		190 |       ip_set_reference_statement {
		191 |         arn = aws_wafv2_ip_set.ebs_waf_ip_set.arn
		192 |       }
		193 |     }
		194 | 
		195 |     visibility_config {
		196 |       cloudwatch_metrics_enabled = true
		197 |       metric_name                = "ebs_waf_metrics"
		198 |       sampled_requests_enabled   = true
		199 |     }
		200 |   }
		201 | 
		202 |   tags = merge(local.tags,
		203 |     { Name = lower(format("lb-%s-%s-ebsapp-web-acl", local.application_name, local.environment)) }
		204 |   )
		205 | 
		206 |   visibility_config {
		207 |     cloudwatch_metrics_enabled = true
		208 |     metric_name                = "ebs_waf_metrics"
		209 |     sampled_requests_enabled   = true
		210 |   }
		211 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.ebs_waf_logs
	File: /ccms-waf.tf:213-220
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		213 | resource "aws_cloudwatch_log_group" "ebs_waf_logs" {
		214 |   name              = "aws-waf-logs-ebs/ebs-waf-logs"
		215 |   retention_in_days = 30
		216 | 
		217 |   tags = merge(local.tags,
		218 |     { Name = lower(format("lb-%s-%s-ebs-waf-logs", local.application_name, local.environment)) }
		219 |   )
		220 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.ebs_waf_logs
	File: /ccms-waf.tf:213-220
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		213 | resource "aws_cloudwatch_log_group" "ebs_waf_logs" {
		214 |   name              = "aws-waf-logs-ebs/ebs-waf-logs"
		215 |   retention_in_days = 30
		216 | 
		217 |   tags = merge(local.tags,
		218 |     { Name = lower(format("lb-%s-%s-ebs-waf-logs", local.application_name, local.environment)) }
		219 |   )
		220 | }

Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: aws_ssm_parameter.cw_agent_config
	File: /ccms-cloudwatch.tf:28-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted

		28 | resource "aws_ssm_parameter" "cw_agent_config" {
		29 |   description = "cloud watch agent config"
		30 |   name        = "cloud-watch-config"
		31 |   type        = "String"
		32 |   value       = file("./templates/cw_agent_config.json")
		33 | 
		34 |   tags = merge(local.tags,
		35 |     { Name = "cw-config" }
		36 |   )
		37 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.lambda_payment_load
	File: /ccms-s3.tf:293-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		293 | resource "aws_s3_bucket" "lambda_payment_load" {
		294 |   bucket = "${local.application_name}-${local.environment}-payment-load"
		295 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.lambda_payment_load
	File: /ccms-s3.tf:293-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		293 | resource "aws_s3_bucket" "lambda_payment_load" {
		294 |   bucket = "${local.application_name}-${local.environment}-payment-load"
		295 | }
Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.lambda_payment_load
	File: /ccms-s3.tf:293-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		293 | resource "aws_s3_bucket" "lambda_payment_load" {
		294 |   bucket = "${local.application_name}-${local.environment}-payment-load"
		295 | }
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.secret_ftp_s3
	File: /ccms-secrets.tf:3-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		3  | resource "aws_secretsmanager_secret" "secret_ftp_s3" {
		4  |   name        = "ftp-s3-${local.environment}-aws-key"
		5  |   description = "AWS credentials for mounting of s3 buckets for the FTP Service to access"
		6  | 
		7  |   tags = merge(local.tags,
		8  |     { Name = "ftp-s3-${local.environment}-aws-key" }
		9  |   )
		10 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.secret_ses_smtp_credentials
	File: /ccms-secrets.tf:12-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		12 | resource "aws_secretsmanager_secret" "secret_ses_smtp_credentials" {
		13 |   name        = "ses-smtp-credentials"
		14 |   description = "SMTP credentials for Postfix to send messages through SES."
		15 | 
		16 |   tags = merge(local.tags,
		17 |     { Name = "ses-smtp-credentials-${local.environment}" }
		18 |   )
		19 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.secret_lambda_s3
	File: /ccms-secrets.tf:23-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		23 | resource "aws_secretsmanager_secret" "secret_lambda_s3" {
		24 |   name        = "db-${local.environment}-credentials"
		25 |   description = "AWS credentials for lambda to connect to the db"
		26 | 
		27 |   tags = merge(local.tags,
		28 |     { Name = "db-${local.environment}-credentials" }
		29 |   )
		30 | }
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.support_email_account
	File: /ccms-sns.tf:2-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		2 | resource "aws_secretsmanager_secret" "support_email_account" {
		3 |   name        = "support_email_account"
		4 |   description = "email address of the support account for cw alerts"
		5 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.lambda_payment_load
	File: /ccms-s3.tf:293-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		293 | resource "aws_s3_bucket" "lambda_payment_load" {
		294 |   bucket = "${local.application_name}-${local.environment}-payment-load"
		295 | }
Check: CKV2_AWS_64: "Ensure KMS key Policy is defined"
	FAILED for resource: aws_kms_key.oracle_ec2
	File: /ccms-kms.tf:1-7
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-2-64

		1 | resource "aws_kms_key" "oracle_ec2" {
		2 |   enable_key_rotation = true
		3 | 
		4 |   tags = merge(local.tags,
		5 |     { Name = "oracle_ec2" }
		6 |   )
		7 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.lambda_payment_load
	File: /ccms-s3.tf:293-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		293 | resource "aws_s3_bucket" "lambda_payment_load" {
		294 |   bucket = "${local.application_name}-${local.environment}-payment-load"
		295 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.lambda_payment_load
	File: /ccms-s3.tf:293-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		293 | resource "aws_s3_bucket" "lambda_payment_load" {
		294 |   bucket = "${local.application_name}-${local.environment}-payment-load"
		295 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.lambda_payment_load
	File: /ccms-s3.tf:293-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		293 | resource "aws_s3_bucket" "lambda_payment_load" {
		294 |   bucket = "${local.application_name}-${local.environment}-payment-load"
		295 | }
Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances"
	FAILED for resource: aws_eip.ebs_eip
	File: /ccms-ec2-oracle_ebs_apps-nlb.tf:2-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances

		2  | resource "aws_eip" "ebs_eip" {
		3  |   count = local.is-production ? 6 : 3
		4  |   vpc   = true
		5  | 
		6  |   lifecycle {
		7  |     prevent_destroy = true
		8  |   }
		9  | 
		10 |   tags = merge(local.tags,
		11 |     { Name = lower(format("lb-%s-%s-eip-${count.index + 1}", local.application_name, local.environment)) }
		12 |   )
		13 | }

Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances"
	FAILED for resource: aws_eip.webgate_eip
	File: /ccms-ec2-oracle_webgate-nlb.tf:2-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances

		2  | resource "aws_eip" "webgate_eip" {
		3  |   count = local.is-production ? 6 : 3
		4  |   vpc   = true
		5  | 
		6  |   lifecycle {
		7  |     prevent_destroy = true
		8  |   }
		9  | 
		10 |   tags = merge(local.tags,
		11 |     { Name = lower(format("lb-%s-%s-webgate-eip-${count.index + 1}", local.application_name, local.environment)) }
		12 |   )
		13 | }


checkov_exitcode=1

CTFLint Scan Failed

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/ccms-ebs

*****************************

Running tflint in terraform/environments/ccms-ebs
Excluding the following checks: terraform_unused_declarations
5 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/ccms-ebs/ccms-ec2-ftp.tf line 23:
  23:     environment               = "${local.environment}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/ccms-ebs/ccms-ec2-ftp.tf line 24:
  24:     lz_aws_account_id_env     = "${local.application_data.accounts[local.environment].lz_aws_account_id_env}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/ccms-ebs/ccms-ec2-ftp.tf line 25:
  25:     lz_ftp_bucket_environment = "${local.application_data.accounts[local.environment].lz_ftp_bucket_environment}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/ccms-ebs/ccms-ec2-mailrelay.tf line 28:
  28:     smtp_fqdn = "${local.application_data.accounts[local.environment].ses_domain_identity}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/ccms-ebs/ccms-ec2-oracle_ebs_db.tf line 31:
  31:     environment = "${local.environment}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/ccms-ebs

*****************************

Running Trivy in terraform/environments/ccms-ebs
2024-12-13T09:26:44Z	INFO	[vulndb] Need to update DB
2024-12-13T09:26:44Z	INFO	[vulndb] Downloading vulnerability DB...
2024-12-13T09:26:44Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-13T09:26:46Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-13T09:26:46Z	INFO	[vuln] Vulnerability scanning is enabled
2024-12-13T09:26:46Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-12-13T09:26:46Z	INFO	[misconfig] Need to update the built-in checks
2024-12-13T09:26:46Z	INFO	[misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2024-12-13T09:26:46Z	INFO	[secret] Secret scanning is enabled
2024-12-13T09:26:46Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-13T09:26:46Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-13T09:26:48Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-12-13T09:26:48Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-12-13T09:26:48Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_log_group.groups" value="cty.NilVal"
2024-12-13T09:26:48Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_security_group_rule.all_internal_egress_traffic" value="cty.NilVal"
2024-12-13T09:26:48Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_security_group_rule.all_internal_ingress_traffic" value="cty.NilVal"
2024-12-13T09:26:49Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-13T09:26:49Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-13T09:26:49Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.s3-bucket-dbbackup.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-13T09:26:49Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.s3-bucket-dbbackup.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-13T09:26:49Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.s3-bucket-logging.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-13T09:26:49Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.s3-bucket-logging.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-13T09:26:49Z	INFO	[terraform scanner] Scanning root module	file_path="modules"
2024-12-13T09:26:49Z	INFO	[terraform scanner] Scanning root module	file_path="modules/cw-logs"
2024-12-13T09:26:52Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-user-attached-policies" range="ccms-iam.tf:283-289"
2024-12-13T09:26:52Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-12-13T09:26:53Z	INFO	Number of language-specific files	num=0
2024-12-13T09:26:53Z	INFO	Detected config files	num=28

ccms-ec2-oracle_accessgate.tf (terraform)
=========================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 ccms-ec2-oracle_accessgate.tf:1-104
────────────────────────────────────────
   1resource "aws_instance" "ec2_accessgate" {
   2count                  = local.application_data.accounts[local.environment].accessgate_no_instances
   3instance_type          = local.application_data.accounts[local.environment].ec2_oracle_instance_type_accessgate
   4ami                    = local.application_data.accounts[local.environment]["accessgate_ami_id-${count.index + 1}"]
   5key_name               = local.application_data.accounts[local.environment].key_name
   6vpc_security_group_ids = [aws_security_group.ec2_sg_accessgate.id]
   7subnet_id              = local.private_subnets[count.index]
   8#subnet_id                   = data.aws_subnet.data_subnets_a.id
   9monitoring                  = true
  ..   
────────────────────────────────────────



ccms-ec2-oracle_ebs_apps-alb.tf (terraform)
===========================================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.


See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 ccms-ec2-oracle_ebs_apps-alb.tf:1-19
────────────────────────────────────────
   1resource "aws_lb" "ebsapps_lb" {
   2name               = lower(format("lb-%s-%s-ebsapp", local.application_name, local.environment))
   3internal           = false
   4load_balancer_type = "application"
   5security_groups    = [aws_security_group.sg_ebsapps_lb.id]
   6subnets            = data.aws_subnets.shared-public.ids
   78enable_deletion_protection = true
   9..   
────────────────────────────────────────


AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 ccms-ec2-oracle_ebs_apps-alb.tf:3
   via ccms-ec2-oracle_ebs_apps-alb.tf:1-19 (aws_lb.ebsapps_lb)
────────────────────────────────────────
   1   resource "aws_lb" "ebsapps_lb" {
   .   
   3 [   internal           = false
  ..   
  19   }
────────────────────────────────────────



ccms-ec2-oracle_ebs_apps-nlb.tf (terraform)
===========================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 ccms-ec2-oracle_ebs_apps-nlb.tf:18
   via ccms-ec2-oracle_ebs_apps-nlb.tf:16-42 (aws_lb.ebsapps_nlb)
────────────────────────────────────────
  16   resource "aws_lb" "ebsapps_nlb" {
  ..   
  18 [   internal           = false
  ..   
  42   }
────────────────────────────────────────



ccms-ec2-oracle_ebs_apps.tf (terraform)
=======================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 ccms-ec2-oracle_ebs_apps.tf:1-127
────────────────────────────────────────
   1resource "aws_instance" "ec2_ebsapps" {
   2 │   count                  = local.application_data.accounts[local.environment].ebsapps_no_instances
   3 │   instance_type          = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsapps
   4 │   ami                    = local.application_data.accounts[local.environment]["ebsapps_ami_id-${count.index + 1}"]
   5 │   key_name               = local.application_data.accounts[local.environment].key_name
   6 │   vpc_security_group_ids = [aws_security_group.ec2_sg_ebsapps.id]
   7 │   subnet_id              = local.private_subnets[count.index]
   8#subnet_id                   = data.aws_subnet.data_subnets_a.id
   9 └   monitoring                  = true
  ..   
────────────────────────────────────────



ccms-ec2-oracle_ebs_db.tf (terraform)
=====================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 ccms-ec2-oracle_ebs_db.tf:1-68
────────────────────────────────────────
   1 ┌ resource "aws_instance" "ec2_oracle_ebs" {
   2 │   instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsdb
   3#ami                         = data.aws_ami.oracle_db.id
   4 │   ami                         = local.application_data.accounts[local.environment].ebsdb_ami_id
   5 │   key_name                    = local.application_data.accounts[local.environment].key_name
   6 │   vpc_security_group_ids      = [aws_security_group.ec2_sg_ebsdb.id]
   7 │   subnet_id                   = data.aws_subnet.data_subnets_a.id
   8 │   monitoring                  = true
   9 └   ebs_optimized               = false
  ..   
────────────────────────────────────────



ccms-ec2-oracle_webgate-alb.tf (terraform)
==========================================
Tests: 3 (SUCCESSES: 0, FAILURES: 3)
Failures: 3 (HIGH: 3, CRITICAL: 0)

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.


See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 ccms-ec2-oracle_webgate-alb.tf:1-20
────────────────────────────────────────
   1 ┌ resource "aws_lb" "webgate_lb" {
   2 │   count              = local.is-production ? 1 : 1
   3 │   name               = lower(format("lb-%s-%s-wgate", local.application_name, local.environment))
   4 │   internal           = true
   5 │   load_balancer_type = "application"
   6 │   security_groups    = [aws_security_group.sg_webgate_lb.id]
   7 │   subnets            = data.aws_subnets.shared-private.ids
   89 └   enable_deletion_protection = true
  ..   
────────────────────────────────────────


AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.


See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 ccms-ec2-oracle_webgate-alb.tf:62-80
────────────────────────────────────────
  62 ┌ resource "aws_lb" "webgate_public_lb" {
  63 │   name               = lower(format("public-alb-webgate"))
  64 │   internal           = false
  65 │   load_balancer_type = "application"
  66 │   security_groups    = [aws_security_group.sg_webgate_lb.id]
  67 │   subnets            = data.aws_subnets.shared-public.ids
  6869 │   enable_deletion_protection = true
  70 └ 
  ..   
────────────────────────────────────────


AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 ccms-ec2-oracle_webgate-alb.tf:64
   via ccms-ec2-oracle_webgate-alb.tf:62-80 (aws_lb.webgate_public_lb)
────────────────────────────────────────
  62   resource "aws_lb" "webgate_public_lb" {
  ..   
  64 [   internal           = false
  ..   
  80   }
────────────────────────────────────────



ccms-ec2-oracle_webgate-nlb.tf (terraform)
==========================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 ccms-ec2-oracle_webgate-nlb.tf:18
   via ccms-ec2-oracle_webgate-nlb.tf:16-42 (aws_lb.webgate_nlb)
────────────────────────────────────────
  16   resource "aws_lb" "webgate_nlb" {
  ..   
  18 [   internal           = false
  ..   
  42   }
────────────────────────────────────────



ccms-ec2-oracle_webgate.tf (terraform)
======================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 ccms-ec2-oracle_webgate.tf:1-104
────────────────────────────────────────
   1 ┌ resource "aws_instance" "ec2_webgate" {
   2 │   count                  = local.application_data.accounts[local.environment].webgate_no_instances
   3 │   instance_type          = local.application_data.accounts[local.environment].ec2_oracle_instance_type_webgate
   4 │   ami                    = local.application_data.accounts[local.environment]["webgate_ami_id-${count.index + 1}"]
   5 │   key_name               = local.application_data.accounts[local.environment].key_name
   6 │   vpc_security_group_ids = [aws_security_group.ec2_sg_webgate.id]
   7 │   subnet_id              = local.private_subnets[count.index]
   8#subnet_id                   = data.aws_subnet.data_subnets_a.id
   9 └   monitoring                  = true
  ..   
────────────────────────────────────────



ccms-s3.tf (terraform)
======================
Tests: 8 (SUCCESSES: 0, FAILURES: 8)
Failures: 8 (HIGH: 8, CRITICAL: 0)

AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 ccms-s3.tf:286-288
────────────────────────────────────────
 286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
 287 │   bucket = "${local.application_name}-${local.environment}-shared"
 288 └ }
────────────────────────────────────────


AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 ccms-s3.tf:293-295
────────────────────────────────────────
 293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
 294 │   bucket = "${local.application_name}-${local.environment}-payment-load"
 295 └ }
────────────────────────────────────────


AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 ccms-s3.tf:286-288
────────────────────────────────────────
 286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
 287 │   bucket = "${local.application_name}-${local.environment}-shared"
 288 └ }
────────────────────────────────────────


AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 ccms-s3.tf:293-295
────────────────────────────────────────
 293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
 294 │   bucket = "${local.application_name}-${local.environment}-payment-load"
 295 └ }
────────────────────────────────────────


AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 ccms-s3.tf:286-288
────────────────────────────────────────
 286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
 287 │   bucket = "${local.application_name}-${local.environment}-shared"
 288 └ }
────────────────────────────────────────


AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 ccms-s3.tf:293-295
────────────────────────────────────────
 293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
 294 │   bucket = "${local.application_name}-${local.environment}-payment-load"
 295 └ }
────────────────────────────────────────


AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.


See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 ccms-s3.tf:286-288
────────────────────────────────────────
 286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
 287 │   bucket = "${local.application_name}-${local.environment}-shared"
 288 └ }
────────────────────────────────────────


AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.


See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 ccms-s3.tf:293-295
────────────────────────────────────────
 293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
 294 │   bucket = "${local.application_name}-${local.environment}-payment-load"
 295 └ }
────────────────────────────────────────


trivy_exitcode=1

@mmgovuk mmgovuk marked this pull request as ready for review December 16, 2024 14:43
@mmgovuk mmgovuk requested review from a team as code owners December 16, 2024 14:43
@github-actions GitHub Actions
Copy link
Contributor

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/ccms-ebs

Running Trivy in terraform/environments/ccms-ebs
2024-12-16T14:44:46Z INFO [vulndb] Need to update DB
2024-12-16T14:44:46Z INFO [vulndb] Downloading vulnerability DB...
2024-12-16T14:44:46Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-16T14:44:48Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-16T14:44:48Z INFO [vuln] Vulnerability scanning is enabled
2024-12-16T14:44:48Z INFO [misconfig] Misconfiguration scanning is enabled
2024-12-16T14:44:48Z INFO [misconfig] Need to update the built-in checks
2024-12-16T14:44:48Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2024-12-16T14:44:48Z INFO [secret] Secret scanning is enabled
2024-12-16T14:44:48Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-16T14:44:48Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-16T14:44:50Z INFO [terraform scanner] Scanning root module file_path="."
2024-12-16T14:44:50Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-12-16T14:44:50Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_log_group.groups" value="cty.NilVal"
2024-12-16T14:44:50Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_security_group_rule.all_internal_egress_traffic" value="cty.NilVal"
2024-12-16T14:44:50Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_security_group_rule.all_internal_ingress_traffic" value="cty.NilVal"
2024-12-16T14:44:50Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-16T14:44:50Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-16T14:44:50Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket-dbbackup.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-16T14:44:50Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket-dbbackup.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-16T14:44:51Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket-logging.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-16T14:44:51Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket-logging.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-16T14:44:51Z INFO [terraform scanner] Scanning root module file_path="modules"
2024-12-16T14:44:51Z INFO [terraform scanner] Scanning root module file_path="modules/cw-logs"
2024-12-16T14:44:54Z INFO [terraform executor] Ignore finding rule="aws-iam-no-user-attached-policies" range="ccms-iam.tf:283-289"
2024-12-16T14:44:54Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-12-16T14:44:54Z INFO Number of language-specific files num=0
2024-12-16T14:44:54Z INFO Detected config files num=28

ccms-ec2-oracle_accessgate.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ccms-ec2-oracle_accessgate.tf:1-104
────────────────────────────────────────
1 ┌ resource "aws_instance" "ec2_accessgate" {
2 │ count = local.application_data.accounts[local.environment].accessgate_no_instances
3 │ instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_accessgate
4 │ ami = local.application_data.accounts[local.environment]["accessgate_ami_id-${count.index + 1}"]
5 │ key_name = local.application_data.accounts[local.environment].key_name
6 │ vpc_security_group_ids = [aws_security_group.ec2_sg_accessgate.id]
7 │ subnet_id = local.private_subnets[count.index]
8 │ #subnet_id = data.aws_subnet.data_subnets_a.id
9 └ monitoring = true
..
────────────────────────────────────────

ccms-ec2-oracle_ebs_apps-alb.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-alb.tf:1-19
────────────────────────────────────────
1 ┌ resource "aws_lb" "ebsapps_lb" {
2 │ name = lower(format("lb-%s-%s-ebsapp", local.application_name, local.environment))
3 │ internal = false
4 │ load_balancer_type = "application"
5 │ security_groups = [aws_security_group.sg_ebsapps_lb.id]
6 │ subnets = data.aws_subnets.shared-public.ids
7 │
8 │ enable_deletion_protection = true
9 └
..
────────────────────────────────────────

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-alb.tf:3
via ccms-ec2-oracle_ebs_apps-alb.tf:1-19 (aws_lb.ebsapps_lb)
────────────────────────────────────────
1 resource "aws_lb" "ebsapps_lb" {
.
3 [ internal = false
..
19 }
────────────────────────────────────────

ccms-ec2-oracle_ebs_apps-nlb.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-nlb.tf:18
via ccms-ec2-oracle_ebs_apps-nlb.tf:16-42 (aws_lb.ebsapps_nlb)
────────────────────────────────────────
16 resource "aws_lb" "ebsapps_nlb" {
..
18 [ internal = false
..
42 }
────────────────────────────────────────

ccms-ec2-oracle_ebs_apps.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps.tf:1-127
────────────────────────────────────────
1 ┌ resource "aws_instance" "ec2_ebsapps" {
2 │ count = local.application_data.accounts[local.environment].ebsapps_no_instances
3 │ instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsapps
4 │ ami = local.application_data.accounts[local.environment]["ebsapps_ami_id-${count.index + 1}"]
5 │ key_name = local.application_data.accounts[local.environment].key_name
6 │ vpc_security_group_ids = [aws_security_group.ec2_sg_ebsapps.id]
7 │ subnet_id = local.private_subnets[count.index]
8 │ #subnet_id = data.aws_subnet.data_subnets_a.id
9 └ monitoring = true
..
────────────────────────────────────────

ccms-ec2-oracle_ebs_db.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
ccms-ec2-oracle_ebs_db.tf:1-68
────────────────────────────────────────
1 ┌ resource "aws_instance" "ec2_oracle_ebs" {
2 │ instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsdb
3 │ #ami = data.aws_ami.oracle_db.id
4 │ ami = local.application_data.accounts[local.environment].ebsdb_ami_id
5 │ key_name = local.application_data.accounts[local.environment].key_name
6 │ vpc_security_group_ids = [aws_security_group.ec2_sg_ebsdb.id]
7 │ subnet_id = data.aws_subnet.data_subnets_a.id
8 │ monitoring = true
9 └ ebs_optimized = false
..
────────────────────────────────────────

ccms-ec2-oracle_webgate-alb.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 3)
Failures: 3 (HIGH: 3, CRITICAL: 0)

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
ccms-ec2-oracle_webgate-alb.tf:1-20
────────────────────────────────────────
1 ┌ resource "aws_lb" "webgate_lb" {
2 │ count = local.is-production ? 1 : 1
3 │ name = lower(format("lb-%s-%s-wgate", local.application_name, local.environment))
4 │ internal = true
5 │ load_balancer_type = "application"
6 │ security_groups = [aws_security_group.sg_webgate_lb.id]
7 │ subnets = data.aws_subnets.shared-private.ids
8 │
9 └ enable_deletion_protection = true
..
────────────────────────────────────────

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
ccms-ec2-oracle_webgate-alb.tf:62-80
────────────────────────────────────────
62 ┌ resource "aws_lb" "webgate_public_lb" {
63 │ name = lower(format("public-alb-webgate"))
64 │ internal = false
65 │ load_balancer_type = "application"
66 │ security_groups = [aws_security_group.sg_webgate_lb.id]
67 │ subnets = data.aws_subnets.shared-public.ids
68 │
69 │ enable_deletion_protection = true
70 └
..
────────────────────────────────────────

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ccms-ec2-oracle_webgate-alb.tf:64
via ccms-ec2-oracle_webgate-alb.tf:62-80 (aws_lb.webgate_public_lb)
────────────────────────────────────────
62 resource "aws_lb" "webgate_public_lb" {
..
64 [ internal = false
..
80 }
────────────────────────────────────────

ccms-ec2-oracle_webgate-nlb.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ccms-ec2-oracle_webgate-nlb.tf:18
via ccms-ec2-oracle_webgate-nlb.tf:16-42 (aws_lb.webgate_nlb)
────────────────────────────────────────
16 resource "aws_lb" "webgate_nlb" {
..
18 [ internal = false
..
42 }
────────────────────────────────────────

ccms-ec2-oracle_webgate.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ccms-ec2-oracle_webgate.tf:1-104
────────────────────────────────────────
1 ┌ resource "aws_instance" "ec2_webgate" {
2 │ count = local.application_data.accounts[local.environment].webgate_no_instances
3 │ instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_webgate
4 │ ami = local.application_data.accounts[local.environment]["webgate_ami_id-${count.index + 1}"]
5 │ key_name = local.application_data.accounts[local.environment].key_name
6 │ vpc_security_group_ids = [aws_security_group.ec2_sg_webgate.id]
7 │ subnet_id = local.private_subnets[count.index]
8 │ #subnet_id = data.aws_subnet.data_subnets_a.id
9 └ monitoring = true
..
────────────────────────────────────────

ccms-s3.tf (terraform)

Tests: 8 (SUCCESSES: 0, FAILURES: 8)
Failures: 8 (HIGH: 8, CRITICAL: 0)

AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.

See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
ccms-s3.tf:286-288
────────────────────────────────────────
286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
287 │ bucket = "${local.application_name}-${local.environment}-shared"
288 └ }
────────────────────────────────────────

AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.

See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
ccms-s3.tf:293-295
────────────────────────────────────────
293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
294 │ bucket = "${local.application_name}-${local.environment}-payment-load"
295 └ }
────────────────────────────────────────

AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
ccms-s3.tf:286-288
────────────────────────────────────────
286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
287 │ bucket = "${local.application_name}-${local.environment}-shared"
288 └ }
────────────────────────────────────────

AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
ccms-s3.tf:293-295
────────────────────────────────────────
293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
294 │ bucket = "${local.application_name}-${local.environment}-payment-load"
295 └ }
────────────────────────────────────────

AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
ccms-s3.tf:286-288
────────────────────────────────────────
286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
287 │ bucket = "${local.application_name}-${local.environment}-shared"
288 └ }
────────────────────────────────────────

AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
ccms-s3.tf:293-295
────────────────────────────────────────
293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
294 │ bucket = "${local.application_name}-${local.environment}-payment-load"
295 └ }
────────────────────────────────────────

AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
ccms-s3.tf:286-288
────────────────────────────────────────
286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
287 │ bucket = "${local.application_name}-${local.environment}-shared"
288 └ }
────────────────────────────────────────

AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
ccms-s3.tf:293-295
────────────────────────────────────────
293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
294 │ bucket = "${local.application_name}-${local.environment}-payment-load"
295 └ }
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/ccms-ebs

*****************************

Running Checkov in terraform/environments/ccms-ebs
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-12-16 14:44:57,109 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 955, Failed checks: 74, Skipped checks: 3

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.groups
	File: /ccms-cloudwatch.tf:15-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		15 | resource "aws_cloudwatch_log_group" "groups" {
		16 |   for_each          = local.application_data.cw_log_groups
		17 |   name              = each.key
		18 |   retention_in_days = each.value.retention_days
		19 | 
		20 |   tags = merge(
		21 |     local.tags,
		22 |     {
		23 |       Name = each.key
		24 |     },
		25 |   )
		26 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.cloudwatch_datasource
	File: /ccms-cloudwatch.tf:54-106
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.dlm_lifecycle
	File: /ccms-dlm.tf:24-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		24 | resource "aws_iam_role_policy" "dlm_lifecycle" {
		25 |   count = local.is-production ? 0 : 1
		26 |   name  = "dlm-lifecycle-policy"
		27 |   role  = aws_iam_role.dlm_lifecycle_role[0].id
		28 | 
		29 |   policy = <<EOF
		30 | {
		31 |    "Version": "2012-10-17",
		32 |    "Statement": [
		33 |       {
		34 |          "Effect": "Allow",
		35 |          "Action": [
		36 |             "ec2:CreateSnapshot",
		37 |             "ec2:DeleteSnapshot",
		38 |             "ec2:DescribeVolumes",
		39 |             "ec2:DescribeSnapshots"
		40 |          ],
		41 |          "Resource": "*"
		42 |       },
		43 |       {
		44 |          "Effect": "Allow",
		45 |          "Action": [
		46 |             "ec2:CreateTags"
		47 |          ],
		48 |          "Resource": "arn:aws:ec2:*::snapshot/*"
		49 |       }
		50 |    ]
		51 | }
		52 | EOF
		53 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.dlm_lifecycle
	File: /ccms-dlm.tf:24-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		24 | resource "aws_iam_role_policy" "dlm_lifecycle" {
		25 |   count = local.is-production ? 0 : 1
		26 |   name  = "dlm-lifecycle-policy"
		27 |   role  = aws_iam_role.dlm_lifecycle_role[0].id
		28 | 
		29 |   policy = <<EOF
		30 | {
		31 |    "Version": "2012-10-17",
		32 |    "Statement": [
		33 |       {
		34 |          "Effect": "Allow",
		35 |          "Action": [
		36 |             "ec2:CreateSnapshot",
		37 |             "ec2:DeleteSnapshot",
		38 |             "ec2:DescribeVolumes",
		39 |             "ec2:DescribeSnapshots"
		40 |          ],
		41 |          "Resource": "*"
		42 |       },
		43 |       {
		44 |          "Effect": "Allow",
		45 |          "Action": [
		46 |             "ec2:CreateTags"
		47 |          ],
		48 |          "Resource": "arn:aws:ec2:*::snapshot/*"
		49 |       }
		50 |    ]
		51 | }
		52 | EOF
		53 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_ftp
	File: /ccms-ec2-ftp.tf:1-67
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_mailrelay
	File: /ccms-ec2-mailrelay.tf:2-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.ec2_accessgate
	File: /ccms-ec2-oracle_accessgate.tf:1-104
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_accessgate
	File: /ccms-ec2-oracle_accessgate.tf:1-104
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.ebsapps_lb
	File: /ccms-ec2-oracle_ebs_apps-alb.tf:1-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		1  | resource "aws_lb" "ebsapps_lb" {
		2  |   name               = lower(format("lb-%s-%s-ebsapp", local.application_name, local.environment))
		3  |   internal           = false
		4  |   load_balancer_type = "application"
		5  |   security_groups    = [aws_security_group.sg_ebsapps_lb.id]
		6  |   subnets            = data.aws_subnets.shared-public.ids
		7  | 
		8  |   enable_deletion_protection = true
		9  | 
		10 |   access_logs {
		11 |     bucket  = module.s3-bucket-logging.bucket.id
		12 |     prefix  = local.lb_log_prefix_ebsapp
		13 |     enabled = true
		14 |   }
		15 | 
		16 |   tags = merge(local.tags,
		17 |     { Name = lower(format("lb-%s-%s-ebsapp", local.application_name, local.environment)) }
		18 |   )
		19 | }

Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
	FAILED for resource: aws_lb_target_group.ebsapp_tg
	File: /ccms-ec2-oracle_ebs_apps-alb.tf:39-54
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks

		39 | resource "aws_lb_target_group" "ebsapp_tg" {
		40 |   name     = lower(format("tg-%s-%s-ebsapp", local.application_name, local.environment))
		41 |   port     = local.application_data.accounts[local.environment].tg_apps_port
		42 |   protocol = "HTTP"
		43 |   vpc_id   = data.aws_vpc.shared.id
		44 |   health_check {
		45 |     port     = local.application_data.accounts[local.environment].tg_apps_port
		46 |     protocol = "HTTP"
		47 |   }
		48 | 
		49 |   stickiness {
		50 |     enabled         = true
		51 |     type            = "lb_cookie"
		52 |     cookie_duration = 3600
		53 |   }
		54 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.ebsapps_nlb
	File: /ccms-ec2-oracle_ebs_apps-nlb.tf:16-42
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		16 | resource "aws_lb" "ebsapps_nlb" {
		17 |   name               = lower(format("nlb-%s-%s-ebs", local.application_name, local.environment))
		18 |   internal           = false
		19 |   load_balancer_type = "network"
		20 | 
		21 |   enable_deletion_protection       = true
		22 |   enable_cross_zone_load_balancing = true
		23 | 
		24 |   subnet_mapping {
		25 |     subnet_id     = data.aws_subnets.shared-public.ids[0]
		26 |     allocation_id = aws_eip.ebs_eip[0].id
		27 |   }
		28 | 
		29 |   subnet_mapping {
		30 |     subnet_id     = data.aws_subnets.shared-public.ids[1]
		31 |     allocation_id = aws_eip.ebs_eip[1].id
		32 |   }
		33 | 
		34 |   subnet_mapping {
		35 |     subnet_id     = data.aws_subnets.shared-public.ids[2]
		36 |     allocation_id = aws_eip.ebs_eip[2].id
		37 |   }
		38 | 
		39 |   tags = merge(local.tags,
		40 |     { Name = lower(format("nlb-%s-%s-ebsapp", local.application_name, local.environment)) }
		41 |   )
		42 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.ec2_ebsapps
	File: /ccms-ec2-oracle_ebs_apps.tf:1-127
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_ebsapps
	File: /ccms-ec2-oracle_ebs_apps.tf:1-127
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
	FAILED for resource: aws_instance.ec2_oracle_ebs
	File: /ccms-ec2-oracle_ebs_db.tf:1-68
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-13

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_oracle_ebs
	File: /ccms-ec2-oracle_ebs_db.tf:1-68
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.webgate_lb
	File: /ccms-ec2-oracle_webgate-alb.tf:1-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		1  | resource "aws_lb" "webgate_lb" {
		2  |   count              = local.is-production ? 1 : 1
		3  |   name               = lower(format("lb-%s-%s-wgate", local.application_name, local.environment))
		4  |   internal           = true
		5  |   load_balancer_type = "application"
		6  |   security_groups    = [aws_security_group.sg_webgate_lb.id]
		7  |   subnets            = data.aws_subnets.shared-private.ids
		8  | 
		9  |   enable_deletion_protection = true
		10 | 
		11 |   access_logs {
		12 |     bucket  = module.s3-bucket-logging.bucket.id
		13 |     prefix  = local.lb_log_prefix_wgate
		14 |     enabled = true
		15 |   }
		16 | 
		17 |   tags = merge(local.tags,
		18 |     { Name = lower(format("lb-%s-%s-wgate", local.application_name, local.environment)) }
		19 |   )
		20 | }

Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
	FAILED for resource: aws_lb_target_group.webgate_tg
	File: /ccms-ec2-oracle_webgate-alb.tf:40-52
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks

		40 | resource "aws_lb_target_group" "webgate_tg" {
		41 |   count    = local.is-production ? 1 : 1
		42 |   name     = lower(format("tg-%s-%s-wgate", local.application_name, local.environment))
		43 |   port     = 5401
		44 |   protocol = "HTTP"
		45 |   vpc_id   = data.aws_vpc.shared.id
		46 |   health_check {
		47 |     port     = 5401
		48 |     protocol = "HTTP"
		49 |     matcher  = 302
		50 |     timeout  = 10
		51 |   }
		52 | }

Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.webgate_public_lb
	File: /ccms-ec2-oracle_webgate-alb.tf:62-80
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		62 | resource "aws_lb" "webgate_public_lb" {
		63 |   name               = lower(format("public-alb-webgate"))
		64 |   internal           = false
		65 |   load_balancer_type = "application"
		66 |   security_groups    = [aws_security_group.sg_webgate_lb.id]
		67 |   subnets            = data.aws_subnets.shared-public.ids
		68 | 
		69 |   enable_deletion_protection = true
		70 | 
		71 |   access_logs {
		72 |     bucket  = module.s3-bucket-logging.bucket.id
		73 |     prefix  = local.lb_log_prefix_wgate_public
		74 |     enabled = true
		75 |   }
		76 | 
		77 |   tags = merge(local.tags,
		78 |     { Name = lower(format("public-alb-webgate")) }
		79 |   )
		80 | }

Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
	FAILED for resource: aws_lb_target_group.webgate_tg_public
	File: /ccms-ec2-oracle_webgate-alb.tf:100-111
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks

		100 | resource "aws_lb_target_group" "webgate_tg_public" {
		101 |   name     = lower(format("public-alb-webgate-tg"))
		102 |   port     = 5401
		103 |   protocol = "HTTP"
		104 |   vpc_id   = data.aws_vpc.shared.id
		105 |   health_check {
		106 |     port     = 5401
		107 |     protocol = "HTTP"
		108 |     matcher  = 302
		109 |     timeout  = 10
		110 |   }
		111 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.webgate_nlb
	File: /ccms-ec2-oracle_webgate-nlb.tf:16-42
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		16 | resource "aws_lb" "webgate_nlb" {
		17 |   name               = lower(format("public-nlb-webgate"))
		18 |   internal           = false
		19 |   load_balancer_type = "network"
		20 | 
		21 |   enable_deletion_protection       = true
		22 |   enable_cross_zone_load_balancing = true
		23 | 
		24 |   subnet_mapping {
		25 |     subnet_id     = data.aws_subnets.shared-public.ids[0]
		26 |     allocation_id = aws_eip.webgate_eip[0].id
		27 |   }
		28 | 
		29 |   subnet_mapping {
		30 |     subnet_id     = data.aws_subnets.shared-public.ids[1]
		31 |     allocation_id = aws_eip.webgate_eip[1].id
		32 |   }
		33 | 
		34 |   subnet_mapping {
		35 |     subnet_id     = data.aws_subnets.shared-public.ids[2]
		36 |     allocation_id = aws_eip.webgate_eip[2].id
		37 |   }
		38 | 
		39 |   tags = merge(local.tags,
		40 |     { Name = lower(format("public-nlb-webgate")) }
		41 |   )
		42 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.ec2_webgate
	File: /ccms-ec2-oracle_webgate.tf:1-104
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_webgate
	File: /ccms-ec2-oracle_webgate.tf:1-104
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.ec2_operations_policy
	File: /ccms-iam.tf:249-273
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		249 | resource "aws_iam_policy" "ec2_operations_policy" {
		250 |   name        = "ec2_operations-${local.environment}"
		251 |   description = "Allows EC2 operations."
		252 | 
		253 |   policy = jsonencode(
		254 |     {
		255 |       "Version" : "2012-10-17",
		256 |       "Statement" : [
		257 |         {
		258 |           "Sid" : "EC2Operations",
		259 |           "Effect" : "Allow",
		260 |           "Action" : [
		261 |             "ec2:Describe*",
		262 |             "ec2:CreateSnapshot",
		263 |             "ec2:CreateSnapshots",
		264 |             "ec2:DeleteSnapshot",
		265 |             "ec2:CreateTags",
		266 |             "ec2:DeleteTags"
		267 |           ],
		268 |           "Resource" : "*"
		269 |         }
		270 |       ]
		271 |     }
		272 |   )
		273 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.ec2_operations_policy
	File: /ccms-iam.tf:249-273
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		249 | resource "aws_iam_policy" "ec2_operations_policy" {
		250 |   name        = "ec2_operations-${local.environment}"
		251 |   description = "Allows EC2 operations."
		252 | 
		253 |   policy = jsonencode(
		254 |     {
		255 |       "Version" : "2012-10-17",
		256 |       "Statement" : [
		257 |         {
		258 |           "Sid" : "EC2Operations",
		259 |           "Effect" : "Allow",
		260 |           "Action" : [
		261 |             "ec2:Describe*",
		262 |             "ec2:CreateSnapshot",
		263 |             "ec2:CreateSnapshots",
		264 |             "ec2:DeleteSnapshot",
		265 |             "ec2:CreateTags",
		266 |             "ec2:DeleteTags"
		267 |           ],
		268 |           "Resource" : "*"
		269 |         }
		270 |       ]
		271 |     }
		272 |   )
		273 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.certificate_expiration_alerts
	File: /ccms-lambda-certificate-monitor.tf:46-51
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		46 | resource "aws_sns_topic" "certificate_expiration_alerts" {
		47 |   name = "${local.application_name}-${local.environment}-acm-certificate-alerts"
		48 |   tags = merge(local.tags, {
		49 |     Name = "${local.application_name}-${local.environment}-certificate-monitor"
		50 |   })
		51 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.certificate_monitor
	File: /ccms-lambda-certificate-monitor.tf:59-78
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		59 | resource "aws_lambda_function" "certificate_monitor" {
		60 |   filename         = "./lambda/certificate_monitor.zip"
		61 |   source_code_hash = filebase64sha256("./lambda/certificate_monitor.zip")
		62 |   function_name    = "${local.application_name}-${local.environment}-certificate-monitor"
		63 |   role             = aws_iam_role.lambda_certificate_monitor_role.arn
		64 |   handler          = "lambda_function.lambda_handler"
		65 |   runtime          = "python3.13"
		66 |   timeout          = 30
		67 |   publish          = true
		68 | 
		69 |   environment {
		70 |     variables = {
		71 |       EXPIRY_DAYS   = local.application_data.accounts[local.environment].certificate_expiry_days
		72 |       SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
		73 |     }
		74 |   }
		75 |   tags = merge(local.tags, {
		76 |     Name = "${local.application_name}-${local.environment}-certificate-monitor"
		77 |   })
		78 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.certificate_monitor
	File: /ccms-lambda-certificate-monitor.tf:59-78
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		59 | resource "aws_lambda_function" "certificate_monitor" {
		60 |   filename         = "./lambda/certificate_monitor.zip"
		61 |   source_code_hash = filebase64sha256("./lambda/certificate_monitor.zip")
		62 |   function_name    = "${local.application_name}-${local.environment}-certificate-monitor"
		63 |   role             = aws_iam_role.lambda_certificate_monitor_role.arn
		64 |   handler          = "lambda_function.lambda_handler"
		65 |   runtime          = "python3.13"
		66 |   timeout          = 30
		67 |   publish          = true
		68 | 
		69 |   environment {
		70 |     variables = {
		71 |       EXPIRY_DAYS   = local.application_data.accounts[local.environment].certificate_expiry_days
		72 |       SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
		73 |     }
		74 |   }
		75 |   tags = merge(local.tags, {
		76 |     Name = "${local.application_name}-${local.environment}-certificate-monitor"
		77 |   })
		78 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.certificate_monitor
	File: /ccms-lambda-certificate-monitor.tf:59-78
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		59 | resource "aws_lambda_function" "certificate_monitor" {
		60 |   filename         = "./lambda/certificate_monitor.zip"
		61 |   source_code_hash = filebase64sha256("./lambda/certificate_monitor.zip")
		62 |   function_name    = "${local.application_name}-${local.environment}-certificate-monitor"
		63 |   role             = aws_iam_role.lambda_certificate_monitor_role.arn
		64 |   handler          = "lambda_function.lambda_handler"
		65 |   runtime          = "python3.13"
		66 |   timeout          = 30
		67 |   publish          = true
		68 | 
		69 |   environment {
		70 |     variables = {
		71 |       EXPIRY_DAYS   = local.application_data.accounts[local.environment].certificate_expiry_days
		72 |       SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
		73 |     }
		74 |   }
		75 |   tags = merge(local.tags, {
		76 |     Name = "${local.application_name}-${local.environment}-certificate-monitor"
		77 |   })
		78 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.certificate_monitor
	File: /ccms-lambda-certificate-monitor.tf:59-78
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		59 | resource "aws_lambda_function" "certificate_monitor" {
		60 |   filename         = "./lambda/certificate_monitor.zip"
		61 |   source_code_hash = filebase64sha256("./lambda/certificate_monitor.zip")
		62 |   function_name    = "${local.application_name}-${local.environment}-certificate-monitor"
		63 |   role             = aws_iam_role.lambda_certificate_monitor_role.arn
		64 |   handler          = "lambda_function.lambda_handler"
		65 |   runtime          = "python3.13"
		66 |   timeout          = 30
		67 |   publish          = true
		68 | 
		69 |   environment {
		70 |     variables = {
		71 |       EXPIRY_DAYS   = local.application_data.accounts[local.environment].certificate_expiry_days
		72 |       SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
		73 |     }
		74 |   }
		75 |   tags = merge(local.tags, {
		76 |     Name = "${local.application_name}-${local.environment}-certificate-monitor"
		77 |   })
		78 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.certificate_monitor
	File: /ccms-lambda-certificate-monitor.tf:59-78
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		59 | resource "aws_lambda_function" "certificate_monitor" {
		60 |   filename         = "./lambda/certificate_monitor.zip"
		61 |   source_code_hash = filebase64sha256("./lambda/certificate_monitor.zip")
		62 |   function_name    = "${local.application_name}-${local.environment}-certificate-monitor"
		63 |   role             = aws_iam_role.lambda_certificate_monitor_role.arn
		64 |   handler          = "lambda_function.lambda_handler"
		65 |   runtime          = "python3.13"
		66 |   timeout          = 30
		67 |   publish          = true
		68 | 
		69 |   environment {
		70 |     variables = {
		71 |       EXPIRY_DAYS   = local.application_data.accounts[local.environment].certificate_expiry_days
		72 |       SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
		73 |     }
		74 |   }
		75 |   tags = merge(local.tags, {
		76 |     Name = "${local.application_name}-${local.environment}-certificate-monitor"
		77 |   })
		78 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.certificate_monitor
	File: /ccms-lambda-certificate-monitor.tf:59-78
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		59 | resource "aws_lambda_function" "certificate_monitor" {
		60 |   filename         = "./lambda/certificate_monitor.zip"
		61 |   source_code_hash = filebase64sha256("./lambda/certificate_monitor.zip")
		62 |   function_name    = "${local.application_name}-${local.environment}-certificate-monitor"
		63 |   role             = aws_iam_role.lambda_certificate_monitor_role.arn
		64 |   handler          = "lambda_function.lambda_handler"
		65 |   runtime          = "python3.13"
		66 |   timeout          = 30
		67 |   publish          = true
		68 | 
		69 |   environment {
		70 |     variables = {
		71 |       EXPIRY_DAYS   = local.application_data.accounts[local.environment].certificate_expiry_days
		72 |       SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
		73 |     }
		74 |   }
		75 |   tags = merge(local.tags, {
		76 |     Name = "${local.application_name}-${local.environment}-certificate-monitor"
		77 |   })
		78 | }

Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
	FAILED for resource: aws_security_group.lambda_security_group
	File: /ccms-lambda.tf:22-44

		22 | resource "aws_security_group" "lambda_security_group" {
		23 |   name        = "${local.application_name}-${local.environment}-lambda-sg"
		24 |   description = "SG traffic control for Payment Load Lambda"
		25 |   vpc_id      = data.aws_vpc.shared.id
		26 | 
		27 |   ingress {
		28 |     from_port   = 1521
		29 |     to_port     = 1522
		30 |     protocol    = "tcp"
		31 |     cidr_blocks = [data.aws_vpc.shared.cidr_block]
		32 |   }
		33 | 
		34 |   egress {
		35 |     from_port   = 0
		36 |     to_port     = 0
		37 |     protocol    = "-1"
		38 |     cidr_blocks = ["0.0.0.0/0"]
		39 |   }
		40 | 
		41 |   tags = merge(local.tags,
		42 |     { Name = "${local.application_name}-${local.environment}-lambda-sg" }
		43 |   )
		44 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.lambda_security_group
	File: /ccms-lambda.tf:22-44
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		22 | resource "aws_security_group" "lambda_security_group" {
		23 |   name        = "${local.application_name}-${local.environment}-lambda-sg"
		24 |   description = "SG traffic control for Payment Load Lambda"
		25 |   vpc_id      = data.aws_vpc.shared.id
		26 | 
		27 |   ingress {
		28 |     from_port   = 1521
		29 |     to_port     = 1522
		30 |     protocol    = "tcp"
		31 |     cidr_blocks = [data.aws_vpc.shared.cidr_block]
		32 |   }
		33 | 
		34 |   egress {
		35 |     from_port   = 0
		36 |     to_port     = 0
		37 |     protocol    = "-1"
		38 |     cidr_blocks = ["0.0.0.0/0"]
		39 |   }
		40 | 
		41 |   tags = merge(local.tags,
		42 |     { Name = "${local.application_name}-${local.environment}-lambda-sg" }
		43 |   )
		44 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.lambda_function
	File: /ccms-lambda.tf:48-82
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		48 | resource "aws_lambda_function" "lambda_function" {
		49 |   function_name = "${local.application_name}-${local.environment}-payment-load"
		50 |   filename      = "lambda/functionV2.zip"
		51 |   handler       = "lambda_function.lambda_handler"
		52 |   runtime       = "python3.10"
		53 |   role          = aws_iam_role.lambda_execution_role.arn
		54 |   layers        = [aws_lambda_layer_version.lambda_layer.arn]
		55 |   architectures = ["x86_64"]
		56 |   memory_size   = 128
		57 |   timeout       = 120
		58 | 
		59 |   vpc_config {
		60 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		61 |     security_group_ids = [aws_security_group.lambda_security_group.id]
		62 |   }
		63 |   environment {
		64 |     variables = {
		65 |       IS_PRODUCTION   = local.is-production ? "true" : "false"
		66 |       LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
		67 |       S3_BUCKET_NAME  = aws_s3_bucket.lambda_payment_load.bucket
		68 |       SECRET_NAME     = aws_secretsmanager_secret.secret_lambda_s3.name
		69 |     }
		70 |   }
		71 |   logging_config {
		72 |     log_format            = "JSON"
		73 |     application_log_level = "INFO"
		74 |     system_log_level      = "INFO"
		75 |   }
		76 | 
		77 |   tags = merge(local.tags, {
		78 |     Name = "${local.application_name}-${local.environment}-payment-load"
		79 |   })
		80 | 
		81 |   depends_on = [aws_lambda_layer_version.lambda_layer]
		82 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.lambda_function
	File: /ccms-lambda.tf:48-82
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		48 | resource "aws_lambda_function" "lambda_function" {
		49 |   function_name = "${local.application_name}-${local.environment}-payment-load"
		50 |   filename      = "lambda/functionV2.zip"
		51 |   handler       = "lambda_function.lambda_handler"
		52 |   runtime       = "python3.10"
		53 |   role          = aws_iam_role.lambda_execution_role.arn
		54 |   layers        = [aws_lambda_layer_version.lambda_layer.arn]
		55 |   architectures = ["x86_64"]
		56 |   memory_size   = 128
		57 |   timeout       = 120
		58 | 
		59 |   vpc_config {
		60 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		61 |     security_group_ids = [aws_security_group.lambda_security_group.id]
		62 |   }
		63 |   environment {
		64 |     variables = {
		65 |       IS_PRODUCTION   = local.is-production ? "true" : "false"
		66 |       LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
		67 |       S3_BUCKET_NAME  = aws_s3_bucket.lambda_payment_load.bucket
		68 |       SECRET_NAME     = aws_secretsmanager_secret.secret_lambda_s3.name
		69 |     }
		70 |   }
		71 |   logging_config {
		72 |     log_format            = "JSON"
		73 |     application_log_level = "INFO"
		74 |     system_log_level      = "INFO"
		75 |   }
		76 | 
		77 |   tags = merge(local.tags, {
		78 |     Name = "${local.application_name}-${local.environment}-payment-load"
		79 |   })
		80 | 
		81 |   depends_on = [aws_lambda_layer_version.lambda_layer]
		82 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.lambda_function
	File: /ccms-lambda.tf:48-82
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		48 | resource "aws_lambda_function" "lambda_function" {
		49 |   function_name = "${local.application_name}-${local.environment}-payment-load"
		50 |   filename      = "lambda/functionV2.zip"
		51 |   handler       = "lambda_function.lambda_handler"
		52 |   runtime       = "python3.10"
		53 |   role          = aws_iam_role.lambda_execution_role.arn
		54 |   layers        = [aws_lambda_layer_version.lambda_layer.arn]
		55 |   architectures = ["x86_64"]
		56 |   memory_size   = 128
		57 |   timeout       = 120
		58 | 
		59 |   vpc_config {
		60 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		61 |     security_group_ids = [aws_security_group.lambda_security_group.id]
		62 |   }
		63 |   environment {
		64 |     variables = {
		65 |       IS_PRODUCTION   = local.is-production ? "true" : "false"
		66 |       LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
		67 |       S3_BUCKET_NAME  = aws_s3_bucket.lambda_payment_load.bucket
		68 |       SECRET_NAME     = aws_secretsmanager_secret.secret_lambda_s3.name
		69 |     }
		70 |   }
		71 |   logging_config {
		72 |     log_format            = "JSON"
		73 |     application_log_level = "INFO"
		74 |     system_log_level      = "INFO"
		75 |   }
		76 | 
		77 |   tags = merge(local.tags, {
		78 |     Name = "${local.application_name}-${local.environment}-payment-load"
		79 |   })
		80 | 
		81 |   depends_on = [aws_lambda_layer_version.lambda_layer]
		82 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.lambda_function
	File: /ccms-lambda.tf:48-82
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		48 | resource "aws_lambda_function" "lambda_function" {
		49 |   function_name = "${local.application_name}-${local.environment}-payment-load"
		50 |   filename      = "lambda/functionV2.zip"
		51 |   handler       = "lambda_function.lambda_handler"
		52 |   runtime       = "python3.10"
		53 |   role          = aws_iam_role.lambda_execution_role.arn
		54 |   layers        = [aws_lambda_layer_version.lambda_layer.arn]
		55 |   architectures = ["x86_64"]
		56 |   memory_size   = 128
		57 |   timeout       = 120
		58 | 
		59 |   vpc_config {
		60 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		61 |     security_group_ids = [aws_security_group.lambda_security_group.id]
		62 |   }
		63 |   environment {
		64 |     variables = {
		65 |       IS_PRODUCTION   = local.is-production ? "true" : "false"
		66 |       LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
		67 |       S3_BUCKET_NAME  = aws_s3_bucket.lambda_payment_load.bucket
		68 |       SECRET_NAME     = aws_secretsmanager_secret.secret_lambda_s3.name
		69 |     }
		70 |   }
		71 |   logging_config {
		72 |     log_format            = "JSON"
		73 |     application_log_level = "INFO"
		74 |     system_log_level      = "INFO"
		75 |   }
		76 | 
		77 |   tags = merge(local.tags, {
		78 |     Name = "${local.application_name}-${local.environment}-payment-load"
		79 |   })
		80 | 
		81 |   depends_on = [aws_lambda_layer_version.lambda_layer]
		82 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.lambda_function
	File: /ccms-lambda.tf:48-82
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		48 | resource "aws_lambda_function" "lambda_function" {
		49 |   function_name = "${local.application_name}-${local.environment}-payment-load"
		50 |   filename      = "lambda/functionV2.zip"
		51 |   handler       = "lambda_function.lambda_handler"
		52 |   runtime       = "python3.10"
		53 |   role          = aws_iam_role.lambda_execution_role.arn
		54 |   layers        = [aws_lambda_layer_version.lambda_layer.arn]
		55 |   architectures = ["x86_64"]
		56 |   memory_size   = 128
		57 |   timeout       = 120
		58 | 
		59 |   vpc_config {
		60 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		61 |     security_group_ids = [aws_security_group.lambda_security_group.id]
		62 |   }
		63 |   environment {
		64 |     variables = {
		65 |       IS_PRODUCTION   = local.is-production ? "true" : "false"
		66 |       LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
		67 |       S3_BUCKET_NAME  = aws_s3_bucket.lambda_payment_load.bucket
		68 |       SECRET_NAME     = aws_secretsmanager_secret.secret_lambda_s3.name
		69 |     }
		70 |   }
		71 |   logging_config {
		72 |     log_format            = "JSON"
		73 |     application_log_level = "INFO"
		74 |     system_log_level      = "INFO"
		75 |   }
		76 | 
		77 |   tags = merge(local.tags, {
		78 |     Name = "${local.application_name}-${local.environment}-payment-load"
		79 |   })
		80 | 
		81 |   depends_on = [aws_lambda_layer_version.lambda_layer]
		82 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3-bucket
	File: /ccms-s3.tf:2-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3-bucket-logging
	File: /ccms-s3.tf:98-166
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3-bucket-dbbackup
	File: /ccms-s3.tf:190-258
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.secret_ftp_s3
	File: /ccms-secrets.tf:3-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		3  | resource "aws_secretsmanager_secret" "secret_ftp_s3" {
		4  |   name        = "ftp-s3-${local.environment}-aws-key"
		5  |   description = "AWS credentials for mounting of s3 buckets for the FTP Service to access"
		6  | 
		7  |   tags = merge(local.tags,
		8  |     { Name = "ftp-s3-${local.environment}-aws-key" }
		9  |   )
		10 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.secret_ses_smtp_credentials
	File: /ccms-secrets.tf:12-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		12 | resource "aws_secretsmanager_secret" "secret_ses_smtp_credentials" {
		13 |   name        = "ses-smtp-credentials"
		14 |   description = "SMTP credentials for Postfix to send messages through SES."
		15 | 
		16 |   tags = merge(local.tags,
		17 |     { Name = "ses-smtp-credentials-${local.environment}" }
		18 |   )
		19 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.secret_lambda_s3
	File: /ccms-secrets.tf:23-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		23 | resource "aws_secretsmanager_secret" "secret_lambda_s3" {
		24 |   name        = "db-${local.environment}-credentials"
		25 |   description = "AWS credentials for lambda to connect to the db"
		26 | 
		27 |   tags = merge(local.tags,
		28 |     { Name = "db-${local.environment}-credentials" }
		29 |   )
		30 | }
Check: CKV_AWS_365: "Ensure SES Configuration Set enforces TLS usage"
	FAILED for resource: aws_ses_configuration_set.default_configuration_set
	File: /ccms-ses.tf:35-43
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-365

		35 | resource "aws_ses_configuration_set" "default_configuration_set" {
		36 |   name = "default-configuration-set"
		37 | 
		38 |   delivery_options {
		39 |     tls_policy = "Optional"
		40 |   }
		41 |   reputation_metrics_enabled = true
		42 |   sending_enabled            = true
		43 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.support_email_account
	File: /ccms-sns.tf:2-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		2 | resource "aws_secretsmanager_secret" "support_email_account" {
		3 |   name        = "support_email_account"
		4 |   description = "email address of the support account for cw alerts"
		5 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.cw_alerts
	File: /ccms-sns.tf:17-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		17 | resource "aws_sns_topic" "cw_alerts" {
		18 |   name = "ccms-ebs-ec2-alerts"
		19 |   #kms_master_key_id = "alias/aws/sns"
		20 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.s3_topic
	File: /ccms-sns.tf:34-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		34 | resource "aws_sns_topic" "s3_topic" {
		35 |   name   = "s3-event-notification-topic"
		36 |   policy = data.aws_iam_policy_document.s3_topic_policy.json
		37 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.ddos_alarm
	File: /ccms-sns.tf:51-54
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		51 | resource "aws_sns_topic" "ddos_alarm" {
		52 |   name = format("%s_ddos_alarm", local.application_name)
		53 |   #kms_master_key_id = "alias/aws/sns"
		54 | }

Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
	FAILED for resource: aws_wafv2_web_acl.ebs_web_acl
	File: /ccms-waf.tf:172-211
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-waf-prevents-message-lookup-in-log4j2

		172 | resource "aws_wafv2_web_acl" "ebs_web_acl" {
		173 |   name        = "ebs_waf"
		174 |   scope       = "REGIONAL"
		175 |   description = "AWS WAF Web ACL for EBS"
		176 | 
		177 |   default_action {
		178 |     block {}
		179 |   }
		180 | 
		181 |   rule {
		182 |     name = "ebs-trusted-rule"
		183 | 
		184 |     priority = 1
		185 |     action {
		186 |       allow {}
		187 |     }
		188 | 
		189 |     statement {
		190 |       ip_set_reference_statement {
		191 |         arn = aws_wafv2_ip_set.ebs_waf_ip_set.arn
		192 |       }
		193 |     }
		194 | 
		195 |     visibility_config {
		196 |       cloudwatch_metrics_enabled = true
		197 |       metric_name                = "ebs_waf_metrics"
		198 |       sampled_requests_enabled   = true
		199 |     }
		200 |   }
		201 | 
		202 |   tags = merge(local.tags,
		203 |     { Name = lower(format("lb-%s-%s-ebsapp-web-acl", local.application_name, local.environment)) }
		204 |   )
		205 | 
		206 |   visibility_config {
		207 |     cloudwatch_metrics_enabled = true
		208 |     metric_name                = "ebs_waf_metrics"
		209 |     sampled_requests_enabled   = true
		210 |   }
		211 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.ebs_waf_logs
	File: /ccms-waf.tf:213-220
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		213 | resource "aws_cloudwatch_log_group" "ebs_waf_logs" {
		214 |   name              = "aws-waf-logs-ebs/ebs-waf-logs"
		215 |   retention_in_days = 30
		216 | 
		217 |   tags = merge(local.tags,
		218 |     { Name = lower(format("lb-%s-%s-ebs-waf-logs", local.application_name, local.environment)) }
		219 |   )
		220 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.ebs_waf_logs
	File: /ccms-waf.tf:213-220
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		213 | resource "aws_cloudwatch_log_group" "ebs_waf_logs" {
		214 |   name              = "aws-waf-logs-ebs/ebs-waf-logs"
		215 |   retention_in_days = 30
		216 | 
		217 |   tags = merge(local.tags,
		218 |     { Name = lower(format("lb-%s-%s-ebs-waf-logs", local.application_name, local.environment)) }
		219 |   )
		220 | }

Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: aws_ssm_parameter.cw_agent_config
	File: /ccms-cloudwatch.tf:28-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted

		28 | resource "aws_ssm_parameter" "cw_agent_config" {
		29 |   description = "cloud watch agent config"
		30 |   name        = "cloud-watch-config"
		31 |   type        = "String"
		32 |   value       = file("./templates/cw_agent_config.json")
		33 | 
		34 |   tags = merge(local.tags,
		35 |     { Name = "cw-config" }
		36 |   )
		37 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.lambda_payment_load
	File: /ccms-s3.tf:293-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		293 | resource "aws_s3_bucket" "lambda_payment_load" {
		294 |   bucket = "${local.application_name}-${local.environment}-payment-load"
		295 | }
Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.lambda_payment_load
	File: /ccms-s3.tf:293-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		293 | resource "aws_s3_bucket" "lambda_payment_load" {
		294 |   bucket = "${local.application_name}-${local.environment}-payment-load"
		295 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.lambda_payment_load
	File: /ccms-s3.tf:293-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		293 | resource "aws_s3_bucket" "lambda_payment_load" {
		294 |   bucket = "${local.application_name}-${local.environment}-payment-load"
		295 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.lambda_payment_load
	File: /ccms-s3.tf:293-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		293 | resource "aws_s3_bucket" "lambda_payment_load" {
		294 |   bucket = "${local.application_name}-${local.environment}-payment-load"
		295 | }
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.secret_ftp_s3
	File: /ccms-secrets.tf:3-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		3  | resource "aws_secretsmanager_secret" "secret_ftp_s3" {
		4  |   name        = "ftp-s3-${local.environment}-aws-key"
		5  |   description = "AWS credentials for mounting of s3 buckets for the FTP Service to access"
		6  | 
		7  |   tags = merge(local.tags,
		8  |     { Name = "ftp-s3-${local.environment}-aws-key" }
		9  |   )
		10 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.secret_ses_smtp_credentials
	File: /ccms-secrets.tf:12-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		12 | resource "aws_secretsmanager_secret" "secret_ses_smtp_credentials" {
		13 |   name        = "ses-smtp-credentials"
		14 |   description = "SMTP credentials for Postfix to send messages through SES."
		15 | 
		16 |   tags = merge(local.tags,
		17 |     { Name = "ses-smtp-credentials-${local.environment}" }
		18 |   )
		19 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.secret_lambda_s3
	File: /ccms-secrets.tf:23-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		23 | resource "aws_secretsmanager_secret" "secret_lambda_s3" {
		24 |   name        = "db-${local.environment}-credentials"
		25 |   description = "AWS credentials for lambda to connect to the db"
		26 | 
		27 |   tags = merge(local.tags,
		28 |     { Name = "db-${local.environment}-credentials" }
		29 |   )
		30 | }
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.support_email_account
	File: /ccms-sns.tf:2-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		2 | resource "aws_secretsmanager_secret" "support_email_account" {
		3 |   name        = "support_email_account"
		4 |   description = "email address of the support account for cw alerts"
		5 | }

Check: CKV2_AWS_64: "Ensure KMS key Policy is defined"
	FAILED for resource: aws_kms_key.oracle_ec2
	File: /ccms-kms.tf:1-7
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-2-64

		1 | resource "aws_kms_key" "oracle_ec2" {
		2 |   enable_key_rotation = true
		3 | 
		4 |   tags = merge(local.tags,
		5 |     { Name = "oracle_ec2" }
		6 |   )
		7 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.lambda_payment_load
	File: /ccms-s3.tf:293-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		293 | resource "aws_s3_bucket" "lambda_payment_load" {
		294 |   bucket = "${local.application_name}-${local.environment}-payment-load"
		295 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.lambda_payment_load
	File: /ccms-s3.tf:293-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		293 | resource "aws_s3_bucket" "lambda_payment_load" {
		294 |   bucket = "${local.application_name}-${local.environment}-payment-load"
		295 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.lambda_payment_load
	File: /ccms-s3.tf:293-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		293 | resource "aws_s3_bucket" "lambda_payment_load" {
		294 |   bucket = "${local.application_name}-${local.environment}-payment-load"
		295 | }
Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances"
	FAILED for resource: aws_eip.ebs_eip
	File: /ccms-ec2-oracle_ebs_apps-nlb.tf:2-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances

		2  | resource "aws_eip" "ebs_eip" {
		3  |   count = local.is-production ? 6 : 3
		4  |   vpc   = true
		5  | 
		6  |   lifecycle {
		7  |     prevent_destroy = true
		8  |   }
		9  | 
		10 |   tags = merge(local.tags,
		11 |     { Name = lower(format("lb-%s-%s-eip-${count.index + 1}", local.application_name, local.environment)) }
		12 |   )
		13 | }

Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances"
	FAILED for resource: aws_eip.webgate_eip
	File: /ccms-ec2-oracle_webgate-nlb.tf:2-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances

		2  | resource "aws_eip" "webgate_eip" {
		3  |   count = local.is-production ? 6 : 3
		4  |   vpc   = true
		5  | 
		6  |   lifecycle {
		7  |     prevent_destroy = true
		8  |   }
		9  | 
		10 |   tags = merge(local.tags,
		11 |     { Name = lower(format("lb-%s-%s-webgate-eip-${count.index + 1}", local.application_name, local.environment)) }
		12 |   )
		13 | }


checkov_exitcode=1

CTFLint Scan Failed

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/ccms-ebs

*****************************

Running tflint in terraform/environments/ccms-ebs
Excluding the following checks: terraform_unused_declarations
5 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/ccms-ebs/ccms-ec2-ftp.tf line 23:
  23:     environment               = "${local.environment}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/ccms-ebs/ccms-ec2-ftp.tf line 24:
  24:     lz_aws_account_id_env     = "${local.application_data.accounts[local.environment].lz_aws_account_id_env}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/ccms-ebs/ccms-ec2-ftp.tf line 25:
  25:     lz_ftp_bucket_environment = "${local.application_data.accounts[local.environment].lz_ftp_bucket_environment}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/ccms-ebs/ccms-ec2-mailrelay.tf line 28:
  28:     smtp_fqdn = "${local.application_data.accounts[local.environment].ses_domain_identity}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/ccms-ebs/ccms-ec2-oracle_ebs_db.tf line 31:
  31:     environment = "${local.environment}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/ccms-ebs

*****************************

Running Trivy in terraform/environments/ccms-ebs
2024-12-16T14:44:46Z	INFO	[vulndb] Need to update DB
2024-12-16T14:44:46Z	INFO	[vulndb] Downloading vulnerability DB...
2024-12-16T14:44:46Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-16T14:44:48Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-16T14:44:48Z	INFO	[vuln] Vulnerability scanning is enabled
2024-12-16T14:44:48Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-12-16T14:44:48Z	INFO	[misconfig] Need to update the built-in checks
2024-12-16T14:44:48Z	INFO	[misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2024-12-16T14:44:48Z	INFO	[secret] Secret scanning is enabled
2024-12-16T14:44:48Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-16T14:44:48Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-16T14:44:50Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-12-16T14:44:50Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-12-16T14:44:50Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_log_group.groups" value="cty.NilVal"
2024-12-16T14:44:50Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_security_group_rule.all_internal_egress_traffic" value="cty.NilVal"
2024-12-16T14:44:50Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_security_group_rule.all_internal_ingress_traffic" value="cty.NilVal"
2024-12-16T14:44:50Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-16T14:44:50Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-16T14:44:50Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.s3-bucket-dbbackup.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-16T14:44:50Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.s3-bucket-dbbackup.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-16T14:44:51Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.s3-bucket-logging.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-16T14:44:51Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.s3-bucket-logging.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-16T14:44:51Z	INFO	[terraform scanner] Scanning root module	file_path="modules"
2024-12-16T14:44:51Z	INFO	[terraform scanner] Scanning root module	file_path="modules/cw-logs"
2024-12-16T14:44:54Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-user-attached-policies" range="ccms-iam.tf:283-289"
2024-12-16T14:44:54Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-12-16T14:44:54Z	INFO	Number of language-specific files	num=0
2024-12-16T14:44:54Z	INFO	Detected config files	num=28

ccms-ec2-oracle_accessgate.tf (terraform)
=========================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 ccms-ec2-oracle_accessgate.tf:1-104
────────────────────────────────────────
   1resource "aws_instance" "ec2_accessgate" {
   2count                  = local.application_data.accounts[local.environment].accessgate_no_instances
   3instance_type          = local.application_data.accounts[local.environment].ec2_oracle_instance_type_accessgate
   4ami                    = local.application_data.accounts[local.environment]["accessgate_ami_id-${count.index + 1}"]
   5key_name               = local.application_data.accounts[local.environment].key_name
   6vpc_security_group_ids = [aws_security_group.ec2_sg_accessgate.id]
   7subnet_id              = local.private_subnets[count.index]
   8#subnet_id                   = data.aws_subnet.data_subnets_a.id
   9monitoring                  = true
  ..   
────────────────────────────────────────



ccms-ec2-oracle_ebs_apps-alb.tf (terraform)
===========================================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.


See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 ccms-ec2-oracle_ebs_apps-alb.tf:1-19
────────────────────────────────────────
   1resource "aws_lb" "ebsapps_lb" {
   2name               = lower(format("lb-%s-%s-ebsapp", local.application_name, local.environment))
   3internal           = false
   4load_balancer_type = "application"
   5security_groups    = [aws_security_group.sg_ebsapps_lb.id]
   6subnets            = data.aws_subnets.shared-public.ids
   78enable_deletion_protection = true
   9..   
────────────────────────────────────────


AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 ccms-ec2-oracle_ebs_apps-alb.tf:3
   via ccms-ec2-oracle_ebs_apps-alb.tf:1-19 (aws_lb.ebsapps_lb)
────────────────────────────────────────
   1   resource "aws_lb" "ebsapps_lb" {
   .   
   3 [   internal           = false
  ..   
  19   }
────────────────────────────────────────



ccms-ec2-oracle_ebs_apps-nlb.tf (terraform)
===========================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 ccms-ec2-oracle_ebs_apps-nlb.tf:18
   via ccms-ec2-oracle_ebs_apps-nlb.tf:16-42 (aws_lb.ebsapps_nlb)
────────────────────────────────────────
  16   resource "aws_lb" "ebsapps_nlb" {
  ..   
  18 [   internal           = false
  ..   
  42   }
────────────────────────────────────────



ccms-ec2-oracle_ebs_apps.tf (terraform)
=======================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 ccms-ec2-oracle_ebs_apps.tf:1-127
────────────────────────────────────────
   1resource "aws_instance" "ec2_ebsapps" {
   2 │   count                  = local.application_data.accounts[local.environment].ebsapps_no_instances
   3 │   instance_type          = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsapps
   4 │   ami                    = local.application_data.accounts[local.environment]["ebsapps_ami_id-${count.index + 1}"]
   5 │   key_name               = local.application_data.accounts[local.environment].key_name
   6 │   vpc_security_group_ids = [aws_security_group.ec2_sg_ebsapps.id]
   7 │   subnet_id              = local.private_subnets[count.index]
   8#subnet_id                   = data.aws_subnet.data_subnets_a.id
   9 └   monitoring                  = true
  ..   
────────────────────────────────────────



ccms-ec2-oracle_ebs_db.tf (terraform)
=====================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 ccms-ec2-oracle_ebs_db.tf:1-68
────────────────────────────────────────
   1 ┌ resource "aws_instance" "ec2_oracle_ebs" {
   2 │   instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsdb
   3#ami                         = data.aws_ami.oracle_db.id
   4 │   ami                         = local.application_data.accounts[local.environment].ebsdb_ami_id
   5 │   key_name                    = local.application_data.accounts[local.environment].key_name
   6 │   vpc_security_group_ids      = [aws_security_group.ec2_sg_ebsdb.id]
   7 │   subnet_id                   = data.aws_subnet.data_subnets_a.id
   8 │   monitoring                  = true
   9 └   ebs_optimized               = false
  ..   
────────────────────────────────────────



ccms-ec2-oracle_webgate-alb.tf (terraform)
==========================================
Tests: 3 (SUCCESSES: 0, FAILURES: 3)
Failures: 3 (HIGH: 3, CRITICAL: 0)

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.


See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 ccms-ec2-oracle_webgate-alb.tf:1-20
────────────────────────────────────────
   1 ┌ resource "aws_lb" "webgate_lb" {
   2 │   count              = local.is-production ? 1 : 1
   3 │   name               = lower(format("lb-%s-%s-wgate", local.application_name, local.environment))
   4 │   internal           = true
   5 │   load_balancer_type = "application"
   6 │   security_groups    = [aws_security_group.sg_webgate_lb.id]
   7 │   subnets            = data.aws_subnets.shared-private.ids
   89 └   enable_deletion_protection = true
  ..   
────────────────────────────────────────


AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.


See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 ccms-ec2-oracle_webgate-alb.tf:62-80
────────────────────────────────────────
  62 ┌ resource "aws_lb" "webgate_public_lb" {
  63 │   name               = lower(format("public-alb-webgate"))
  64 │   internal           = false
  65 │   load_balancer_type = "application"
  66 │   security_groups    = [aws_security_group.sg_webgate_lb.id]
  67 │   subnets            = data.aws_subnets.shared-public.ids
  6869 │   enable_deletion_protection = true
  70 └ 
  ..   
────────────────────────────────────────


AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 ccms-ec2-oracle_webgate-alb.tf:64
   via ccms-ec2-oracle_webgate-alb.tf:62-80 (aws_lb.webgate_public_lb)
────────────────────────────────────────
  62   resource "aws_lb" "webgate_public_lb" {
  ..   
  64 [   internal           = false
  ..   
  80   }
────────────────────────────────────────



ccms-ec2-oracle_webgate-nlb.tf (terraform)
==========================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 ccms-ec2-oracle_webgate-nlb.tf:18
   via ccms-ec2-oracle_webgate-nlb.tf:16-42 (aws_lb.webgate_nlb)
────────────────────────────────────────
  16   resource "aws_lb" "webgate_nlb" {
  ..   
  18 [   internal           = false
  ..   
  42   }
────────────────────────────────────────



ccms-ec2-oracle_webgate.tf (terraform)
======================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 ccms-ec2-oracle_webgate.tf:1-104
────────────────────────────────────────
   1 ┌ resource "aws_instance" "ec2_webgate" {
   2 │   count                  = local.application_data.accounts[local.environment].webgate_no_instances
   3 │   instance_type          = local.application_data.accounts[local.environment].ec2_oracle_instance_type_webgate
   4 │   ami                    = local.application_data.accounts[local.environment]["webgate_ami_id-${count.index + 1}"]
   5 │   key_name               = local.application_data.accounts[local.environment].key_name
   6 │   vpc_security_group_ids = [aws_security_group.ec2_sg_webgate.id]
   7 │   subnet_id              = local.private_subnets[count.index]
   8#subnet_id                   = data.aws_subnet.data_subnets_a.id
   9 └   monitoring                  = true
  ..   
────────────────────────────────────────



ccms-s3.tf (terraform)
======================
Tests: 8 (SUCCESSES: 0, FAILURES: 8)
Failures: 8 (HIGH: 8, CRITICAL: 0)

AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 ccms-s3.tf:286-288
────────────────────────────────────────
 286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
 287 │   bucket = "${local.application_name}-${local.environment}-shared"
 288 └ }
────────────────────────────────────────


AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 ccms-s3.tf:293-295
────────────────────────────────────────
 293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
 294 │   bucket = "${local.application_name}-${local.environment}-payment-load"
 295 └ }
────────────────────────────────────────


AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 ccms-s3.tf:286-288
────────────────────────────────────────
 286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
 287 │   bucket = "${local.application_name}-${local.environment}-shared"
 288 └ }
────────────────────────────────────────


AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 ccms-s3.tf:293-295
────────────────────────────────────────
 293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
 294 │   bucket = "${local.application_name}-${local.environment}-payment-load"
 295 └ }
────────────────────────────────────────


AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 ccms-s3.tf:286-288
────────────────────────────────────────
 286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
 287 │   bucket = "${local.application_name}-${local.environment}-shared"
 288 └ }
────────────────────────────────────────


AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 ccms-s3.tf:293-295
────────────────────────────────────────
 293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
 294 │   bucket = "${local.application_name}-${local.environment}-payment-load"
 295 └ }
────────────────────────────────────────


AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.


See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 ccms-s3.tf:286-288
────────────────────────────────────────
 286 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
 287 │   bucket = "${local.application_name}-${local.environment}-shared"
 288 └ }
────────────────────────────────────────


AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.


See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 ccms-s3.tf:293-295
────────────────────────────────────────
 293 ┌ resource "aws_s3_bucket" "lambda_payment_load" {
 294 │   bucket = "${local.application_name}-${local.environment}-payment-load"
 295 └ }
────────────────────────────────────────


trivy_exitcode=1

@mmgovuk mmgovuk merged commit 075651a into main Dec 16, 2024
13 of 16 checks passed
@mmgovuk mmgovuk deleted the CC-3020/aws-certificates-expiry-date-check branch December 16, 2024 15:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sukeshreddyg sukeshreddyg sukeshreddyg approved these changes

Assignees

@mmgovuk mmgovuk

Labels
environments-repository Used to exclude PRs from this repo in our Slack PR update
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@mmgovuk @sukeshreddyg