CC-2812: laa-oem: Added the S3 bucket, and the SSM document. #7750

Merged
merged 8 commits into from
Sep 12, 2024

Conversation

mmgovuk
Contributor

@mmgovuk mmgovuk commented Sep 12, 2024

CC-2812: laa-oem: Added the S3 bucket, and the SSM document.

@mmgovuk mmgovuk requested a review from SahidKhan89 September 12, 2024 10:35
@mmgovuk mmgovuk self-assigned this Sep 12, 2024
@github-actions github-actions bot added the environments-repository label (Used to exclude PRs from this repo in our Slack PR update) Sep 12, 2024

#### `Trivy Scan` Failed
<details><summary>Show Output</summary>

```hcl

Trivy will check the following folders:
terraform/environments/laa-oem


Running Trivy in terraform/environments/laa-oem
2024-09-12T10:37:16Z INFO [db] Need to update DB
2024-09-12T10:37:16Z INFO [db] Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-09-12T10:37:18Z INFO [vuln] Vulnerability scanning is enabled
2024-09-12T10:37:18Z INFO [misconfig] Misconfiguration scanning is enabled
2024-09-12T10:37:18Z INFO Need to update the built-in policies
2024-09-12T10:37:18Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-09-12T10:37:19Z INFO [secret] Secret scanning is enabled
2024-09-12T10:37:19Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-09-12T10:37:19Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.55/docs/scanner/secret#recommendation for faster secret detection
2024-09-12T10:37:19Z INFO [terraform scanner] Scanning root module file_path="."
2024-09-12T10:37:19Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-09-12T10:37:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_route53_record.laa_cert_validation" value="cty.NilVal"
2024-09-12T10:37:20Z INFO Number of language-specific files num=0
2024-09-12T10:37:20Z INFO Detected config files num=13

oem_ec2_app.tf (terraform)

Tests: 6 (SUCCESSES: 5, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token
════════════════════════════════════════

IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
oem_ec2_app.tf:10-57
────────────────────────────────────────
10 ┌ resource "aws_instance" "oem_app" {
11 │ ami = local.application_data.accounts[local.environment].ec2_oem_ami_id_app
12 │ associate_public_ip_address = false
13 │ availability_zone = local.application_data.accounts[local.environment].ec2_zone
14 │ ebs_optimized = true
15 │ iam_instance_profile = aws_iam_instance_profile.iam_instace_profile_oem_base.name
16 │ instance_type = local.application_data.accounts[local.environment].ec2_oem_instance_type_app
17 │ key_name = local.application_data.accounts[local.environment].ec2_oem_key_name_app
18 └ monitoring = true
..
────────────────────────────────────────

oem_ec2_app_efs.tf (terraform)

Tests: 3 (SUCCESSES: 2, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
oem_ec2_app_efs.tf:41-43
via oem_ec2_app_efs.tf:37-44 (egress)
via oem_ec2_app_efs.tf:21-49 (aws_security_group.oem_app_efs_sg)
────────────────────────────────────────
21 resource "aws_security_group" "oem_app_efs_sg" {
..
41 ┌ cidr_blocks = [
42 │ "0.0.0.0/0",
43 └ ]
..
49 }
────────────────────────────────────────

oem_ec2_app_lb.tf (terraform)

Tests: 21 (SUCCESSES: 15, FAILURES: 6, EXCEPTIONS: 0)
Failures: 6 (HIGH: 2, CRITICAL: 4)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.

By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
oem_ec2_app_lb.tf:1-9
────────────────────────────────────────
1 ┌ resource "aws_lb" "oem_app" {
2 │ name = "lb-${local.application_name}-app"
3 │ load_balancer_type = "application"
4 │ internal = false
5 │ security_groups = [aws_security_group.load_balancer_security_group.id]
6 │ subnets = data.aws_subnets.shared-public.ids
7 │
8 │ tags = local.tags
9 └ }
────────────────────────────────────────

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource is intended to be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
oem_ec2_app_lb.tf:4
via oem_ec2_app_lb.tf:1-9 (aws_lb.oem_app)
────────────────────────────────────────
1 resource "aws_lb" "oem_app" {
2 name = "lb-${local.application_name}-app"
3 load_balancer_type = "application"
4 [ internal = false
5 security_groups = [aws_security_group.load_balancer_security_group.id]
6 subnets = data.aws_subnets.shared-public.ids
7
8 tags = local.tags
9 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
oem_ec2_app_lb.tf:300-302
via oem_ec2_app_lb.tf:296-303 (egress)
via oem_ec2_app_lb.tf:231-304 (aws_security_group.load_balancer_security_group)
────────────────────────────────────────
231 resource "aws_security_group" "load_balancer_security_group" {
...
300 ┌ cidr_blocks = [
301 │ "0.0.0.0/0",
302 └ ]
...
304 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
oem_ec2_app_lb.tf:258
via oem_ec2_app_lb.tf:254-259 (ingress)
via oem_ec2_app_lb.tf:231-304 (aws_security_group.load_balancer_security_group)
────────────────────────────────────────
231 resource "aws_security_group" "load_balancer_security_group" {
...
258 [ cidr_blocks = ["0.0.0.0/0"]
...
304 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
oem_ec2_app_lb.tf:272
via oem_ec2_app_lb.tf:268-273 (ingress)
via oem_ec2_app_lb.tf:231-304 (aws_security_group.load_balancer_security_group)
────────────────────────────────────────
231 resource "aws_security_group" "load_balancer_security_group" {
...
272 [ cidr_blocks = ["0.0.0.0/0"]
...
304 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
oem_ec2_app_lb.tf:293
via oem_ec2_app_lb.tf:289-294 (ingress)
via oem_ec2_app_lb.tf:231-304 (aws_security_group.load_balancer_security_group)
────────────────────────────────────────
231 resource "aws_security_group" "load_balancer_security_group" {
...
293 [ cidr_blocks = ["0.0.0.0/0"]
...
304 }
────────────────────────────────────────

oem_ec2_app_lb_internal.tf (terraform)

Tests: 21 (SUCCESSES: 16, FAILURES: 5, EXCEPTIONS: 0)
Failures: 5 (HIGH: 1, CRITICAL: 4)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.

By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
oem_ec2_app_lb_internal.tf:1-9
────────────────────────────────────────
1 ┌ resource "aws_lb" "oem_app_internal" {
2 │ name = "lb-${local.application_name}-app-internal"
3 │ load_balancer_type = "application"
4 │ internal = true
5 │ security_groups = [aws_security_group.load_balancer_internal.id]
6 │ subnets = data.aws_subnets.shared-private.ids
7 │
8 │ tags = local.tags
9 └ }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
oem_ec2_app_lb_internal.tf:300-302
via oem_ec2_app_lb_internal.tf:296-303 (egress)
via oem_ec2_app_lb_internal.tf:231-304 (aws_security_group.load_balancer_internal)
────────────────────────────────────────
231 resource "aws_security_group" "load_balancer_internal" {
...
300 ┌ cidr_blocks = [
301 │ "0.0.0.0/0",
302 └ ]
...
304 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
oem_ec2_app_lb_internal.tf:258
via oem_ec2_app_lb_internal.tf:254-259 (ingress)
via oem_ec2_app_lb_internal.tf:231-304 (aws_security_group.load_balancer_internal)
────────────────────────────────────────
231 resource "aws_security_group" "load_balancer_internal" {
...
258 [ cidr_blocks = ["0.0.0.0/0"]
...
304 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
oem_ec2_app_lb_internal.tf:272
via oem_ec2_app_lb_internal.tf:268-273 (ingress)
via oem_ec2_app_lb_internal.tf:231-304 (aws_security_group.load_balancer_internal)
────────────────────────────────────────
231 resource "aws_security_group" "load_balancer_internal" {
...
272 [ cidr_blocks = ["0.0.0.0/0"]
...
304 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
oem_ec2_app_lb_internal.tf:293
via oem_ec2_app_lb_internal.tf:289-294 (ingress)
via oem_ec2_app_lb_internal.tf:231-304 (aws_security_group.load_balancer_internal)
────────────────────────────────────────
231 resource "aws_security_group" "load_balancer_internal" {
...
293 [ cidr_blocks = ["0.0.0.0/0"]
...
304 }
────────────────────────────────────────

oem_ec2_app_sg.tf (terraform)

Tests: 19 (SUCCESSES: 18, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
oem_ec2_app_sg.tf:14-16
via oem_ec2_app_sg.tf:10-17 (egress)
via oem_ec2_app_sg.tf:1-96 (aws_security_group.oem_app_security_group_1)
────────────────────────────────────────
1 resource "aws_security_group" "oem_app_security_group_1" {
.
14 ┌ cidr_blocks = [
15 │ "0.0.0.0/0"
16 └ ]
..
96 }
────────────────────────────────────────

oem_ec2_db.tf (terraform)

Tests: 9 (SUCCESSES: 8, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token
════════════════════════════════════════

IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
oem_ec2_db.tf:10-57
────────────────────────────────────────
10 ┌ resource "aws_instance" "oem_db" {
11 │ ami = local.application_data.accounts[local.environment].ec2_oem_ami_id_db
12 │ associate_public_ip_address = false
13 │ availability_zone = local.application_data.accounts[local.environment].ec2_zone
14 │ ebs_optimized = true
15 │ iam_instance_profile = aws_iam_instance_profile.iam_instace_profile_oem_base.name
16 │ instance_type = local.application_data.accounts[local.environment].ec2_oem_instance_type_db
17 │ key_name = local.application_data.accounts[local.environment].ec2_oem_key_name_db
18 └ monitoring = true
..
────────────────────────────────────────

oem_ec2_db_efs.tf (terraform)

Tests: 3 (SUCCESSES: 2, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
oem_ec2_db_efs.tf:41-43
via oem_ec2_db_efs.tf:37-44 (egress)
via oem_ec2_db_efs.tf:21-49 (aws_security_group.oem_db_efs_sg)
────────────────────────────────────────
21 resource "aws_security_group" "oem_db_efs_sg" {
..
41 ┌ cidr_blocks = [
42 │ "0.0.0.0/0",
43 └ ]
..
49 }
────────────────────────────────────────

oem_ec2_db_sg.tf (terraform)

Tests: 11 (SUCCESSES: 10, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
oem_ec2_db_sg.tf:14-16
via oem_ec2_db_sg.tf:10-17 (egress)
via oem_ec2_db_sg.tf:1-88 (aws_security_group.oem_db_security_group)
────────────────────────────────────────
1 resource "aws_security_group" "oem_db_security_group" {
.
14 ┌ cidr_blocks = [
15 │ "0.0.0.0/0"
16 └ ]
..
88 }
────────────────────────────────────────

oem_ec2_wl.tf (terraform)

Tests: 6 (SUCCESSES: 5, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token
════════════════════════════════════════

IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
oem_ec2_wl.tf:11-58
────────────────────────────────────────
11 ┌ resource "aws_instance" "oem_wl" {
12 │ count = length(local.application_data.accounts[local.environment].ec2_oem_ami_id_wl) > 0 ? 1 : 0
13 │ ami = local.application_data.accounts[local.environment].ec2_oem_ami_id_wl
14 │ associate_public_ip_address = false
15 │ availability_zone = local.application_data.accounts[local.environment].ec2_zone
16 │ ebs_optimized = true
17 │ iam_instance_profile = aws_iam_instance_profile.iam_instace_profile_oem_base.name
18 │ instance_type = local.application_data.accounts[local.environment].ec2_oem_instance_type_wl
19 └ key_name = local.application_data.accounts[local.environment].ec2_oem_key_name_wl
..
────────────────────────────────────────

oem_ec2_wl_sg.tf (terraform)

Tests: 8 (SUCCESSES: 7, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
oem_ec2_wl_sg.tf:21-23
via oem_ec2_wl_sg.tf:17-24 (egress)
via oem_ec2_wl_sg.tf:7-79 (aws_security_group.oem_wl_security_group_1[0])
────────────────────────────────────────
7 resource "aws_security_group" "oem_wl_security_group_1" {
.
21 ┌ cidr_blocks = [
22 │ "0.0.0.0/0"
23 └ ]
..
79 }
────────────────────────────────────────

oem_s3.tf (terraform)

Tests: 7 (SUCCESSES: 1, FAILURES: 6, EXCEPTIONS: 0)
Failures: 6 (HIGH: 6, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs will fail if the object has any public ACL.

See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
oem_s3.tf:1-3
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "laa_oem_shared" {
2 │ bucket = "${local.application_name}-${local.environment}-shared"
3 └ }
────────────────────────────────────────

HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
oem_s3.tf:1-3
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "laa_oem_shared" {
2 │ bucket = "${local.application_name}-${local.environment}-shared"
3 └ }
────────────────────────────────────────

HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
oem_s3.tf:1-3
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "laa_oem_shared" {
2 │ bucket = "${local.application_name}-${local.environment}-shared"
3 └ }
────────────────────────────────────────

HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
oem_s3.tf:1-3
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "laa_oem_shared" {
2 │ bucket = "${local.application_name}-${local.environment}-shared"
3 └ }
────────────────────────────────────────

HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling restrict_public_buckets, only the bucket owner and AWS services can access the bucket if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
oem_s3.tf:1-3
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "laa_oem_shared" {
2 │ bucket = "${local.application_name}-${local.environment}-shared"
3 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
oem_s3.tf:1-3
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "laa_oem_shared" {
2 │ bucket = "${local.application_name}-${local.environment}-shared"
3 └ }
────────────────────────────────────────
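# Added example, not part of the scan output and not the PR's own Terraform: the
# bucket from oem_s3.tf with the companion resources that clear all six findings
# above (avd-aws-0086, -0087, -0091, -0093: aws_s3_bucket_public_access_block;
# avd-aws-0088 and -0132: default SSE with a customer managed KMS key). The
# ownership control, versioning and the TLS-only bucket policy are additions the
# scan did not ask for; the KMS key is a new resource assumed for this bucket.
resource "aws_kms_key" "laa_oem_shared" {
  description             = "CMK for ${local.application_name}-${local.environment}-shared"
  enable_key_rotation     = true
  deletion_window_in_days = 30
  tags                    = local.tags
}

resource "aws_s3_bucket" "laa_oem_shared" {
  bucket = "${local.application_name}-${local.environment}-shared"
  tags   = local.tags
}

# Trivy evaluates the bucket resource on its own, so even if account-level Block
# Public Access is on, set the four flags on the bucket; each clears one finding.
resource "aws_s3_bucket_public_access_block" "laa_oem_shared" {
  bucket                  = aws_s3_bucket.laa_oem_shared.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Disables ACLs entirely, so there is no object-level ACL left to get wrong.
resource "aws_s3_bucket_ownership_controls" "laa_oem_shared" {
  bucket = aws_s3_bucket.laa_oem_shared.id
  rule {
    object_ownership = "BucketOwnerEnforced"
  }
}

resource "aws_s3_bucket_server_side_encryption_configuration" "laa_oem_shared" {
  bucket = aws_s3_bucket.laa_oem_shared.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.laa_oem_shared.arn
    }
    bucket_key_enabled = true # one bucket-level data key, far fewer KMS calls
  }
}

resource "aws_s3_bucket_versioning" "laa_oem_shared" {
  bucket = aws_s3_bucket.laa_oem_shared.id
  versioning_configuration {
    status = "Enabled"
  }
}

# Refuse plaintext HTTP access regardless of who the caller is.
data "aws_iam_policy_document" "laa_oem_shared" {
  statement {
    sid     = "DenyInsecureTransport"
    effect  = "Deny"
    actions = ["s3:*"]
    resources = [
      aws_s3_bucket.laa_oem_shared.arn,
      "${aws_s3_bucket.laa_oem_shared.arn}/*",
    ]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }
}

resource "aws_s3_bucket_policy" "laa_oem_shared" {
  bucket = aws_s3_bucket.laa_oem_shared.id
  policy = data.aws_iam_policy_document.laa_oem_shared.json
}

# Caveat: with SSE-KMS the instance role behind iam_instace_profile_oem_base
# needs kms:GenerateDataKey and kms:Decrypt on this key (through the key policy
# or the role's IAM policy), or PutObject/GetObject from the instances fails
# with AccessDenied even though the S3 grant itself is correct.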

trivy_exitcode=1
```
</details>

#### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/laa-oem

*****************************

Running Checkov in terraform/environments/laa-oem
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
terraform scan results:

Passed checks: 182, Failed checks: 26, Skipped checks: 0

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.oem_app
	File: /oem_ec2_app.tf:10-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		10 | resource "aws_instance" "oem_app" {
		11 |   ami                         = local.application_data.accounts[local.environment].ec2_oem_ami_id_app
		12 |   associate_public_ip_address = false
		13 |   availability_zone           = local.application_data.accounts[local.environment].ec2_zone
		14 |   ebs_optimized               = true
		15 |   iam_instance_profile        = aws_iam_instance_profile.iam_instace_profile_oem_base.name
		16 |   instance_type               = local.application_data.accounts[local.environment].ec2_oem_instance_type_app
		17 |   key_name                    = local.application_data.accounts[local.environment].ec2_oem_key_name_app
		18 |   monitoring                  = true
		19 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		20 |   user_data_replace_on_change = true
		21 |   user_data = base64encode(templatefile("./templates/oem-user-data-app.sh", {
		22 |     efs_fqdn = aws_efs_file_system.oem_app_efs.dns_name
		23 |     env_fqdn = "${var.networking[0].business-unit}-${local.environment}.modernisation-platform.service.justice.gov.uk"
		24 |     hostname = "laa-oem-app"
		25 |   }))
		26 |   vpc_security_group_ids = [aws_security_group.oem_app_security_group_1.id, aws_security_group.oem_app_security_group_2.id]
		27 | 
		28 |   root_block_device {
		29 |     delete_on_termination = true
		30 |     encrypted             = true
		31 |     iops                  = 3100
		32 |     kms_key_id            = data.aws_kms_key.ebs_shared.arn
		33 |     volume_size           = 12
		34 |     volume_type           = "gp3"
		35 |   }
		36 | 
		37 |   volume_tags = merge(tomap({
		38 |     "Name"                 = "${local.application_name}-app-root",
		39 |     "volume-attach-host"   = "app",
		40 |     "volume-attach-device" = "/dev/sda1",
		41 |     "volume-mount-path"    = "/",
		42 |     "volume-backup"        = true
		43 |   }), local.tags)
		44 | 
		45 |   tags = merge(tomap({
		46 |     "Name"     = lower(format("ec2-%s-%s-app", local.application_name, local.environment)),
		47 |     "hostname" = "${local.application_name}-app",
		48 |     "env-fqdn" = "${var.networking[0].business-unit}-${local.environment}.modernisation-platform.service.justice.gov.uk"
		49 |   }), local.tags)
		50 | 
		51 |   lifecycle {
		52 |     ignore_changes = [
		53 |       volume_tags,
		54 |       user_data
		55 |     ]
		56 |   }
		57 | }
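# Added example, not part of the scan output and not the PR's own Terraform: the
# oem_app resource listed above with the metadata_options block that clears
# avd-aws-0028 / CKV_AWS_79. The same block belongs in aws_instance.oem_db and
# aws_instance.oem_wl. Arguments other than metadata_options are copied from the
# listing; the hop limit value and the user-data remark are assumptions.
resource "aws_instance" "oem_app" {
  ami                         = local.application_data.accounts[local.environment].ec2_oem_ami_id_app
  associate_public_ip_address = false
  availability_zone           = local.application_data.accounts[local.environment].ec2_zone
  ebs_optimized               = true
  iam_instance_profile        = aws_iam_instance_profile.iam_instace_profile_oem_base.name
  instance_type               = local.application_data.accounts[local.environment].ec2_oem_instance_type_app
  key_name                    = local.application_data.accounts[local.environment].ec2_oem_key_name_app
  monitoring                  = true
  subnet_id                   = data.aws_subnet.data_subnets_a.id
  user_data_replace_on_change = true
  user_data = base64encode(templatefile("./templates/oem-user-data-app.sh", {
    efs_fqdn = aws_efs_file_system.oem_app_efs.dns_name
    env_fqdn = "${var.networking[0].business-unit}-${local.environment}.modernisation-platform.service.justice.gov.uk"
    hostname = "laa-oem-app"
  }))
  vpc_security_group_ids = [aws_security_group.oem_app_security_group_1.id, aws_security_group.oem_app_security_group_2.id]

  # Why this matters: with the provider default http_tokens = "optional" any
  # local process, or an SSRF through the application, can GET
  # http://169.254.169.254/latest/meta-data/iam/security-credentials/<role>
  # and walk away with the instance-profile credentials, i.e. everything
  # iam_instace_profile_oem_base is allowed to do. "required" makes every read
  # depend on a token that must first be fetched with an HTTP PUT, which the
  # usual SSRF primitives cannot issue.
  metadata_options {
    http_endpoint               = "enabled"  # the instance profile still needs IMDS
    http_tokens                 = "required" # IMDSv1 requests are rejected
    http_put_response_hop_limit = 1          # assumption: nothing on this host fetches tokens from a container network
    instance_metadata_tags      = "disabled"
  }

  # root_block_device, volume_tags, tags and lifecycle: unchanged from the listing above.
}

# Caveats. If templates/oem-user-data-app.sh reads IMDS with plain curl it has
# to PUT /latest/api/token first and send X-aws-ec2-metadata-token on each GET;
# the SSM agent and the AWS SDKs already do this. metadata_options is updated in
# place on an existing instance, not by replacement. After apply, confirm with
#   aws ec2 describe-instances --instance-ids <id> \
#     --query 'Reservations[].Instances[].MetadataOptions.HttpTokens'
# which should return "required".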

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.oem_app_efs_sg
	File: /oem_ec2_app_efs.tf:21-49
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		21 | resource "aws_security_group" "oem_app_efs_sg" {
		22 |   name_prefix = "${local.application_name}-app-efs-sg-"
		23 |   description = "Allow inbound access from instances"
		24 |   vpc_id      = data.aws_vpc.shared.id
		25 | 
		26 |   tags = merge(tomap(
		27 |     { "Name" = "${local.application_name}-app-efs-sg" }
		28 |   ), local.tags)
		29 | 
		30 |   ingress {
		31 |     protocol    = "tcp"
		32 |     from_port   = 2049
		33 |     to_port     = 2049
		34 |     cidr_blocks = [data.aws_vpc.shared.cidr_block]
		35 |   }
		36 | 
		37 |   egress {
		38 |     protocol  = "-1"
		39 |     from_port = 0
		40 |     to_port   = 0
		41 |     cidr_blocks = [
		42 |       "0.0.0.0/0",
		43 |     ]
		44 |   }
		45 | 
		46 |   lifecycle {
		47 |     create_before_destroy = true
		48 |   }
		49 | }
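# Added example, not part of the scan output and not the PR's own Terraform: the
# EFS security group listed above with the changes that clear avd-aws-0104 and
# CKV_AWS_23, followed by the same treatment for an instance security group.
# The pattern (a description on every rule, no blanket "-1" egress to
# 0.0.0.0/0) applies equally to oem_db_efs_sg and to the groups in
# oem_ec2_app_sg.tf, oem_ec2_db_sg.tf and oem_ec2_wl_sg.tf. Assumptions: only
# aws_instance.oem_app mounts this file system; the hosts reach SSM, EC2
# Messages and KMS through interface endpoints in the shared VPC and S3 through
# the gateway endpoint; the name arguments of the instance group are invented.
resource "aws_security_group" "oem_app_efs_sg" {
  name_prefix = "${local.application_name}-app-efs-sg-"
  description = "NFS access to the OEM app EFS from the OEM app instance"
  vpc_id      = data.aws_vpc.shared.id

  tags = merge(tomap(
    { "Name" = "${local.application_name}-app-efs-sg" }
  ), local.tags)

  ingress {
    description     = "NFS (2049/tcp) from the OEM app instance"
    protocol        = "tcp"
    from_port       = 2049
    to_port         = 2049
    security_groups = [aws_security_group.oem_app_security_group_1.id] # instead of the whole VPC CIDR
  }

  # No egress block. An EFS mount target only answers NFS requests and never
  # opens connections, and security groups are stateful, so replies flow
  # without an egress rule. The inline-rule form of aws_security_group removes
  # AWS's default allow-all egress rule when no egress block is declared,
  # which is exactly what is wanted here.

  lifecycle {
    create_before_destroy = true
  }
}

data "aws_region" "current" {} # declare only if the environment does not already have it

data "aws_ec2_managed_prefix_list" "s3" {
  name = "com.amazonaws.${data.aws_region.current.name}.s3"
}

resource "aws_security_group" "oem_app_security_group_1" {
  name_prefix = "${local.application_name}-app-sg-1-" # assumption: real name arguments are in oem_ec2_app_sg.tf
  description = "OEM app instance"
  vpc_id      = data.aws_vpc.shared.id

  # ingress rules as in oem_ec2_app_sg.tf, each with a description

  egress {
    description = "HTTPS to VPC interface endpoints (SSM, EC2 Messages, KMS)"
    protocol    = "tcp"
    from_port   = 443
    to_port     = 443
    cidr_blocks = [data.aws_vpc.shared.cidr_block]
  }

  egress {
    description     = "HTTPS to S3 through the gateway endpoint"
    protocol        = "tcp"
    from_port       = 443
    to_port         = 443
    prefix_list_ids = [data.aws_ec2_managed_prefix_list.s3.id]
  }

  # Destination is the VPC CIDR rather than aws_security_group.oem_app_efs_sg:
  # two groups whose inline rules reference each other form a dependency cycle.
  # To pin this to the EFS group, move both groups' rules to standalone
  # aws_vpc_security_group_ingress_rule / aws_vpc_security_group_egress_rule
  # resources (inline and standalone rules must not be mixed on one group).
  egress {
    description = "NFS to the app EFS mount targets"
    protocol    = "tcp"
    from_port   = 2049
    to_port     = 2049
    cidr_blocks = [data.aws_vpc.shared.cidr_block]
  }

  tags = local.tags
}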
Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.oem_app
	File: /oem_ec2_app_lb.tf:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		1 | resource "aws_lb" "oem_app" {
		2 |   name               = "lb-${local.application_name}-app"
		3 |   load_balancer_type = "application"
		4 |   internal           = false
		5 |   security_groups    = [aws_security_group.load_balancer_security_group.id]
		6 |   subnets            = data.aws_subnets.shared-public.ids
		7 | 
		8 |   tags = local.tags
		9 | }

Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.oem_app
	File: /oem_ec2_app_lb.tf:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		1 | resource "aws_lb" "oem_app" {
		2 |   name               = "lb-${local.application_name}-app"
		3 |   load_balancer_type = "application"
		4 |   internal           = false
		5 |   security_groups    = [aws_security_group.load_balancer_security_group.id]
		6 |   subnets            = data.aws_subnets.shared-public.ids
		7 | 
		8 |   tags = local.tags
		9 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.oem_app
	File: /oem_ec2_app_lb.tf:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		1 | resource "aws_lb" "oem_app" {
		2 |   name               = "lb-${local.application_name}-app"
		3 |   load_balancer_type = "application"
		4 |   internal           = false
		5 |   security_groups    = [aws_security_group.load_balancer_security_group.id]
		6 |   subnets            = data.aws_subnets.shared-public.ids
		7 | 
		8 |   tags = local.tags
		9 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.load_balancer_security_group
	File: /oem_ec2_app_lb.tf:231-304
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.oem_app_internal
	File: /oem_ec2_app_lb_internal.tf:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		1 | resource "aws_lb" "oem_app_internal" {
		2 |   name               = "lb-${local.application_name}-app-internal"
		3 |   load_balancer_type = "application"
		4 |   internal           = true
		5 |   security_groups    = [aws_security_group.load_balancer_internal.id]
		6 |   subnets            = data.aws_subnets.shared-private.ids
		7 | 
		8 |   tags = local.tags
		9 | }

Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.oem_app_internal
	File: /oem_ec2_app_lb_internal.tf:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		1 | resource "aws_lb" "oem_app_internal" {
		2 |   name               = "lb-${local.application_name}-app-internal"
		3 |   load_balancer_type = "application"
		4 |   internal           = true
		5 |   security_groups    = [aws_security_group.load_balancer_internal.id]
		6 |   subnets            = data.aws_subnets.shared-private.ids
		7 | 
		8 |   tags = local.tags
		9 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.oem_app_internal
	File: /oem_ec2_app_lb_internal.tf:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		1 | resource "aws_lb" "oem_app_internal" {
		2 |   name               = "lb-${local.application_name}-app-internal"
		3 |   load_balancer_type = "application"
		4 |   internal           = true
		5 |   security_groups    = [aws_security_group.load_balancer_internal.id]
		6 |   subnets            = data.aws_subnets.shared-private.ids
		7 | 
		8 |   tags = local.tags
		9 | }
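# Added example, not part of the scan output and not the PR's own Terraform: the
# internal ALB and its security group with the settings that clear
# avd-aws-0052 / CKV_AWS_131 (drop invalid header fields), CKV_AWS_150
# (deletion protection), CKV_AWS_91 (access logs) and avd-aws-0107 (0.0.0.0/0
# ingress). The aws_lb arguments apply unchanged to aws_lb.oem_app as well.
# Assumptions: the log bucket aws_s3_bucket.lb_access_logs is defined elsewhere,
# clients sit inside the shared VPC, the app listens on 7803, and the security
# group's name argument is invented.
resource "aws_lb" "oem_app_internal" {
  name               = "lb-${local.application_name}-app-internal"
  load_balancer_type = "application"
  internal           = true
  security_groups    = [aws_security_group.load_balancer_internal.id]
  subnets            = data.aws_subnets.shared-private.ids

  # Header fields whose names are not valid HTTP tokens are stripped before the
  # request reaches the targets instead of being forwarded verbatim. This closes
  # header-smuggling tricks that rely on the backend parsing an oddly named
  # header more leniently than the ALB does.
  drop_invalid_header_fields = true

  # Protects the entry point from an accidental destroy; set it to false first
  # when the load balancer really is to be removed.
  enable_deletion_protection = true

  access_logs {
    bucket  = aws_s3_bucket.lb_access_logs.id # assumed bucket; see the caveat below
    prefix  = "${local.application_name}-app-internal"
    enabled = true
  }

  tags = local.tags
}

# An internal load balancer has no reason to accept traffic from 0.0.0.0/0
# (the three rules Trivy flagged at oem_ec2_app_lb_internal.tf:258, 272 and
# 293). For the public ALB the 0.0.0.0/0 rule on the HTTPS listener port is the
# intended exposure; check the other two flagged rules against the listeners
# that are actually configured and keep only those ports.
resource "aws_security_group" "load_balancer_internal" {
  name_prefix = "${local.application_name}-lb-internal-sg-" # assumption
  description = "Internal ALB for ${local.application_name}"
  vpc_id      = data.aws_vpc.shared.id

  ingress {
    description = "HTTPS from clients inside the shared VPC"
    protocol    = "tcp"
    from_port   = 443
    to_port     = 443
    cidr_blocks = [data.aws_vpc.shared.cidr_block]
  }

  egress {
    description     = "Forward to the OEM app instance only"
    protocol        = "tcp"
    from_port       = 7803 # assumption: use the target group's port
    to_port         = 7803
    security_groups = [aws_security_group.oem_app_security_group_1.id]
  }

  tags = local.tags
}

# Caveats. ALB access logs can only be written to a bucket in the same region
# that uses SSE-S3 (AES256), not SSE-KMS, and whose bucket policy grants
# s3:PutObject to the regional Elastic Load Balancing account for the prefix
# used above; otherwise enabling access logs fails at apply time with an
# "Access Denied for bucket" error. If aws_security_group.oem_app_security_group_1
# already has an inline ingress rule referencing this group, the security_groups
# reference in the egress rule creates a dependency cycle; move one side to
# standalone aws_vpc_security_group_ingress_rule / aws_vpc_security_group_egress_rule
# resources in that case.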

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.load_balancer_internal
	File: /oem_ec2_app_lb_internal.tf:231-304
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.oem_app_security_group_1
	File: /oem_ec2_app_sg.tf:1-96
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.oem_app_security_group_2
	File: /oem_ec2_app_sg.tf:98-170
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.oem_db
	File: /oem_ec2_db.tf:10-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		10 | resource "aws_instance" "oem_db" {
		11 |   ami                         = local.application_data.accounts[local.environment].ec2_oem_ami_id_db
		12 |   associate_public_ip_address = false
		13 |   availability_zone           = local.application_data.accounts[local.environment].ec2_zone
		14 |   ebs_optimized               = true
		15 |   iam_instance_profile        = aws_iam_instance_profile.iam_instace_profile_oem_base.name
		16 |   instance_type               = local.application_data.accounts[local.environment].ec2_oem_instance_type_db
		17 |   key_name                    = local.application_data.accounts[local.environment].ec2_oem_key_name_db
		18 |   monitoring                  = true
		19 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		20 |   user_data_replace_on_change = true
		21 |   user_data = base64encode(templatefile("./templates/oem-user-data-db.sh", {
		22 |     efs_fqdn = aws_efs_file_system.oem_db_efs.dns_name
		23 |     env_fqdn = "${var.networking[0].business-unit}-${local.environment}.modernisation-platform.service.justice.gov.uk"
		24 |     hostname = "laa-oem-db"
		25 |   }))
		26 |   vpc_security_group_ids = [aws_security_group.oem_db_security_group.id]
		27 | 
		28 |   root_block_device {
		29 |     delete_on_termination = true
		30 |     encrypted             = true
		31 |     kms_key_id            = data.aws_kms_key.ebs_shared.arn
		32 |     iops                  = 3100
		33 |     volume_size           = 12
		34 |     volume_type           = "gp3"
		35 |   }
		36 | 
		37 |   volume_tags = merge(tomap({
		38 |     "Name"                 = "${local.application_name}-db-root",
		39 |     "volume-attach-host"   = "db",
		40 |     "volume-attach-device" = "/dev/sda1",
		41 |     "volume-mount-path"    = "/",
		42 |     "volume-backup"        = true
		43 |   }), local.tags)
		44 | 
		45 |   tags = merge(tomap({
		46 |     "Name"     = lower(format("ec2-%s-%s-db", local.application_name, local.environment)),
		47 |     "hostname" = "${local.application_name}-db",
		48 |     "env-fqdn" = "${var.networking[0].business-unit}-${local.environment}.modernisation-platform.service.justice.gov.uk"
		49 |   }), local.tags)
		50 | 
		51 |   lifecycle {
		52 |     ignore_changes = [
		53 |       volume_tags,
		54 |       user_data
		55 |     ]
		56 |   }
		57 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.oem_db_efs_sg
	File: /oem_ec2_db_efs.tf:21-49
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		21 | resource "aws_security_group" "oem_db_efs_sg" {
		22 |   name_prefix = "${local.application_name}-db-efs-sg-"
		23 |   description = "Allow inbound access from instances"
		24 |   vpc_id      = data.aws_vpc.shared.id
		25 | 
		26 |   tags = merge(tomap(
		27 |     { "Name" = "${local.application_name}-db-efs-sg" }
		28 |   ), local.tags)
		29 | 
		30 |   ingress {
		31 |     protocol    = "tcp"
		32 |     from_port   = 2049
		33 |     to_port     = 2049
		34 |     cidr_blocks = [data.aws_vpc.shared.cidr_block]
		35 |   }
		36 | 
		37 |   egress {
		38 |     protocol  = "-1"
		39 |     from_port = 0
		40 |     to_port   = 0
		41 |     cidr_blocks = [
		42 |       "0.0.0.0/0",
		43 |     ]
		44 |   }
		45 | 
		46 |   lifecycle {
		47 |     create_before_destroy = true
		48 |   }
		49 | }
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.oem_db_security_group
	File: /oem_ec2_db_sg.tf:1-88
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.oem_wl[0]
	File: /oem_ec2_wl.tf:11-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		11 | resource "aws_instance" "oem_wl" {
		12 |   count                       = length(local.application_data.accounts[local.environment].ec2_oem_ami_id_wl) > 0 ? 1 : 0
		13 |   ami                         = local.application_data.accounts[local.environment].ec2_oem_ami_id_wl
		14 |   associate_public_ip_address = false
		15 |   availability_zone           = local.application_data.accounts[local.environment].ec2_zone
		16 |   ebs_optimized               = true
		17 |   iam_instance_profile        = aws_iam_instance_profile.iam_instace_profile_oem_base.name
		18 |   instance_type               = local.application_data.accounts[local.environment].ec2_oem_instance_type_wl
		19 |   key_name                    = local.application_data.accounts[local.environment].ec2_oem_key_name_wl
		20 |   monitoring                  = true
		21 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		22 |   user_data_replace_on_change = true
		23 |   user_data = base64encode(templatefile("./templates/oem-user-data-wl.sh", {
		24 |     env_fqdn = "${var.networking[0].business-unit}-${local.environment}.modernisation-platform.service.justice.gov.uk"
		25 |     hostname = "laa-oem-wl"
		26 |   }))
		27 |   vpc_security_group_ids = [aws_security_group.oem_wl_security_group_1[count.index].id]
		28 | 
		29 |   root_block_device {
		30 |     delete_on_termination = true
		31 |     encrypted             = true
		32 |     iops                  = 3100
		33 |     kms_key_id            = data.aws_kms_key.ebs_shared.arn
		34 |     volume_size           = 12
		35 |     volume_type           = "gp3"
		36 |   }
		37 | 
		38 |   volume_tags = merge(tomap({
		39 |     "Name"                 = "${local.application_name}-wl-root",
		40 |     "volume-attach-host"   = "wl",
		41 |     "volume-attach-device" = "/dev/sda1",
		42 |     "volume-mount-path"    = "/",
		43 |     "volume-backup"        = true
		44 |   }), local.tags)
		45 | 
		46 |   tags = merge(tomap({
		47 |     "Name"     = lower(format("ec2-%s-%s-wl", local.application_name, local.environment)),
		48 |     "hostname" = "${local.application_name}-wl",
		49 |     "env-fqdn" = "${var.networking[0].business-unit}-${local.environment}.modernisation-platform.service.justice.gov.uk"
		50 |   }), local.tags)
		51 | 
		52 |   lifecycle {
		53 |     ignore_changes = [
		54 |       volume_tags,
		55 |       user_data
		56 |     ]
		57 |   }
		58 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.oem_wl_security_group_1[0]
	File: /oem_ec2_wl_sg.tf:7-79
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.laa_oem_shared
	File: /oem_s3.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		1 | resource "aws_s3_bucket" "laa_oem_shared" {
		2 |   bucket = "${local.application_name}-${local.environment}-shared"
		3 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.laa_oem_shared
	File: /oem_s3.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		1 | resource "aws_s3_bucket" "laa_oem_shared" {
		2 |   bucket = "${local.application_name}-${local.environment}-shared"
		3 | }
Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.oem_wl_security_group_1[0]
	File: /oem_ec2_wl_sg.tf:7-79
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.laa_oem_shared
	File: /oem_s3.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1 | resource "aws_s3_bucket" "laa_oem_shared" {
		2 |   bucket = "${local.application_name}-${local.environment}-shared"
		3 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.laa_oem_shared
	File: /oem_s3.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1 | resource "aws_s3_bucket" "laa_oem_shared" {
		2 |   bucket = "${local.application_name}-${local.environment}-shared"
		3 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.laa_oem_shared
	File: /oem_s3.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1 | resource "aws_s3_bucket" "laa_oem_shared" {
		2 |   bucket = "${local.application_name}-${local.environment}-shared"
		3 | }
Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF"
	FAILED for resource: aws_lb.oem_app
	File: /oem_ec2_app_lb.tf:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf

		1 | resource "aws_lb" "oem_app" {
		2 |   name               = "lb-${local.application_name}-app"
		3 |   load_balancer_type = "application"
		4 |   internal           = false
		5 |   security_groups    = [aws_security_group.load_balancer_security_group.id]
		6 |   subnets            = data.aws_subnets.shared-public.ids
		7 | 
		8 |   tags = local.tags
		9 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.laa_oem_shared
	File: /oem_s3.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1 | resource "aws_s3_bucket" "laa_oem_shared" {
		2 |   bucket = "${local.application_name}-${local.environment}-shared"
		3 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.laa_oem_shared
	File: /oem_s3.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1 | resource "aws_s3_bucket" "laa_oem_shared" {
		2 |   bucket = "${local.application_name}-${local.environment}-shared"
		3 | }

checkov_exitcode=1

TFLint Scan Success

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/laa-oem

*****************************

Running tflint in terraform/environments/laa-oem
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Failed

*****************************

Trivy will check the following folders:
terraform/environments/laa-oem

*****************************

Running Trivy in terraform/environments/laa-oem
2024-09-12T10:37:16Z	INFO	[db] Need to update DB
2024-09-12T10:37:16Z	INFO	[db] Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-09-12T10:37:18Z	INFO	[vuln] Vulnerability scanning is enabled
2024-09-12T10:37:18Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-09-12T10:37:18Z	INFO	Need to update the built-in policies
2024-09-12T10:37:18Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-09-12T10:37:19Z	INFO	[secret] Secret scanning is enabled
2024-09-12T10:37:19Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-09-12T10:37:19Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.55/docs/scanner/secret#recommendation for faster secret detection
2024-09-12T10:37:19Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-09-12T10:37:19Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-09-12T10:37:19Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_route53_record.laa_cert_validation" value="cty.NilVal"
2024-09-12T10:37:20Z	INFO	Number of language-specific files	num=0
2024-09-12T10:37:20Z	INFO	Detected config files	num=13

oem_ec2_app.tf (terraform)
==========================
Tests: 6 (SUCCESSES: 5, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token
════════════════════════════════════════

IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional. 
To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 oem_ec2_app.tf:10-57
────────────────────────────────────────
  10 ┌ resource "aws_instance" "oem_app" {
  11 │   ami                         = local.application_data.accounts[local.environment].ec2_oem_ami_id_app
  12 │   associate_public_ip_address = false
  13 │   availability_zone           = local.application_data.accounts[local.environment].ec2_zone
  14 │   ebs_optimized               = true
  15 │   iam_instance_profile        = aws_iam_instance_profile.iam_instace_profile_oem_base.name
  16 │   instance_type               = local.application_data.accounts[local.environment].ec2_oem_instance_type_app
  17 │   key_name                    = local.application_data.accounts[local.environment].ec2_oem_key_name_app
  18 └   monitoring                  = true
  ..   
────────────────────────────────────────



oem_ec2_app_efs.tf (terraform)
==============================
Tests: 3 (SUCCESSES: 2, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 oem_ec2_app_efs.tf:41-43
   via oem_ec2_app_efs.tf:37-44 (egress)
    via oem_ec2_app_efs.tf:21-49 (aws_security_group.oem_app_efs_sg)
────────────────────────────────────────
  21   resource "aws_security_group" "oem_app_efs_sg" {
  ..   
  41 ┌     cidr_blocks = [
  42 │       "0.0.0.0/0",
  43 └     ]
  ..   
  49   }
────────────────────────────────────────



oem_ec2_app_lb.tf (terraform)
=============================
Tests: 21 (SUCCESSES: 15, FAILURES: 6, EXCEPTIONS: 0)
Failures: 6 (HIGH: 2, CRITICAL: 4)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise. 

By setting drop_invalid_header_fields to true, anything that doe not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 oem_ec2_app_lb.tf:1-9
────────────────────────────────────────
   1 ┌ resource "aws_lb" "oem_app" {
   2 │   name               = "lb-${local.application_name}-app"
   3 │   load_balancer_type = "application"
   4 │   internal           = false
   5 │   security_groups    = [aws_security_group.load_balancer_security_group.id]
   6 │   subnets            = data.aws_subnets.shared-public.ids
   7 │ 
   8 │   tags = local.tags
   9 └ }
────────────────────────────────────────


HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 oem_ec2_app_lb.tf:4
   via oem_ec2_app_lb.tf:1-9 (aws_lb.oem_app)
────────────────────────────────────────
   1   resource "aws_lb" "oem_app" {
   2     name               = "lb-${local.application_name}-app"
   3     load_balancer_type = "application"
   4 [   internal           = false
   5     security_groups    = [aws_security_group.load_balancer_security_group.id]
   6     subnets            = data.aws_subnets.shared-public.ids
   7   
   8     tags = local.tags
   9   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 oem_ec2_app_lb.tf:300-302
   via oem_ec2_app_lb.tf:296-303 (egress)
    via oem_ec2_app_lb.tf:231-304 (aws_security_group.load_balancer_security_group)
────────────────────────────────────────
 231   resource "aws_security_group" "load_balancer_security_group" {
 ...   
 300 ┌     cidr_blocks = [
 301 │       "0.0.0.0/0",
 302 └     ]
 ...   
 304   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 oem_ec2_app_lb.tf:258
   via oem_ec2_app_lb.tf:254-259 (ingress)
    via oem_ec2_app_lb.tf:231-304 (aws_security_group.load_balancer_security_group)
────────────────────────────────────────
 231   resource "aws_security_group" "load_balancer_security_group" {
 ...   
 258 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 304   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 oem_ec2_app_lb.tf:272
   via oem_ec2_app_lb.tf:268-273 (ingress)
    via oem_ec2_app_lb.tf:231-304 (aws_security_group.load_balancer_security_group)
────────────────────────────────────────
 231   resource "aws_security_group" "load_balancer_security_group" {
 ...   
 272 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 304   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 oem_ec2_app_lb.tf:293
   via oem_ec2_app_lb.tf:289-294 (ingress)
    via oem_ec2_app_lb.tf:231-304 (aws_security_group.load_balancer_security_group)
────────────────────────────────────────
 231   resource "aws_security_group" "load_balancer_security_group" {
 ...   
 293 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 304   }
────────────────────────────────────────



oem_ec2_app_lb_internal.tf (terraform)
======================================
Tests: 21 (SUCCESSES: 16, FAILURES: 5, EXCEPTIONS: 0)
Failures: 5 (HIGH: 1, CRITICAL: 4)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise. 

By setting drop_invalid_header_fields to true, anything that doe not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 oem_ec2_app_lb_internal.tf:1-9
────────────────────────────────────────
   1 ┌ resource "aws_lb" "oem_app_internal" {
   2 │   name               = "lb-${local.application_name}-app-internal"
   3 │   load_balancer_type = "application"
   4 │   internal           = true
   5 │   security_groups    = [aws_security_group.load_balancer_internal.id]
   6 │   subnets            = data.aws_subnets.shared-private.ids
   7 │ 
   8 │   tags = local.tags
   9 └ }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 oem_ec2_app_lb_internal.tf:300-302
   via oem_ec2_app_lb_internal.tf:296-303 (egress)
    via oem_ec2_app_lb_internal.tf:231-304 (aws_security_group.load_balancer_internal)
────────────────────────────────────────
 231   resource "aws_security_group" "load_balancer_internal" {
 ...   
 300 ┌     cidr_blocks = [
 301 │       "0.0.0.0/0",
 302 └     ]
 ...   
 304   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 oem_ec2_app_lb_internal.tf:258
   via oem_ec2_app_lb_internal.tf:254-259 (ingress)
    via oem_ec2_app_lb_internal.tf:231-304 (aws_security_group.load_balancer_internal)
────────────────────────────────────────
 231   resource "aws_security_group" "load_balancer_internal" {
 ...   
 258 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 304   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 oem_ec2_app_lb_internal.tf:272
   via oem_ec2_app_lb_internal.tf:268-273 (ingress)
    via oem_ec2_app_lb_internal.tf:231-304 (aws_security_group.load_balancer_internal)
────────────────────────────────────────
 231   resource "aws_security_group" "load_balancer_internal" {
 ...   
 272 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 304   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 oem_ec2_app_lb_internal.tf:293
   via oem_ec2_app_lb_internal.tf:289-294 (ingress)
    via oem_ec2_app_lb_internal.tf:231-304 (aws_security_group.load_balancer_internal)
────────────────────────────────────────
 231   resource "aws_security_group" "load_balancer_internal" {
 ...   
 293 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 304   }
────────────────────────────────────────



oem_ec2_app_sg.tf (terraform)
=============================
Tests: 19 (SUCCESSES: 18, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 oem_ec2_app_sg.tf:14-16
   via oem_ec2_app_sg.tf:10-17 (egress)
    via oem_ec2_app_sg.tf:1-96 (aws_security_group.oem_app_security_group_1)
────────────────────────────────────────
   1   resource "aws_security_group" "oem_app_security_group_1" {
   .   
  14 ┌     cidr_blocks = [
  15 │       "0.0.0.0/0"
  16 └     ]
  ..   
  96   }
────────────────────────────────────────



oem_ec2_db.tf (terraform)
=========================
Tests: 9 (SUCCESSES: 8, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token
════════════════════════════════════════

IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional. 
To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 oem_ec2_db.tf:10-57
────────────────────────────────────────
  10 ┌ resource "aws_instance" "oem_db" {
  11 │   ami                         = local.application_data.accounts[local.environment].ec2_oem_ami_id_db
  12 │   associate_public_ip_address = false
  13 │   availability_zone           = local.application_data.accounts[local.environment].ec2_zone
  14 │   ebs_optimized               = true
  15 │   iam_instance_profile        = aws_iam_instance_profile.iam_instace_profile_oem_base.name
  16 │   instance_type               = local.application_data.accounts[local.environment].ec2_oem_instance_type_db
  17 │   key_name                    = local.application_data.accounts[local.environment].ec2_oem_key_name_db
  18 └   monitoring                  = true
  ..   
────────────────────────────────────────



oem_ec2_db_efs.tf (terraform)
=============================
Tests: 3 (SUCCESSES: 2, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 oem_ec2_db_efs.tf:41-43
   via oem_ec2_db_efs.tf:37-44 (egress)
    via oem_ec2_db_efs.tf:21-49 (aws_security_group.oem_db_efs_sg)
────────────────────────────────────────
  21   resource "aws_security_group" "oem_db_efs_sg" {
  ..   
  41 ┌     cidr_blocks = [
  42 │       "0.0.0.0/0",
  43 └     ]
  ..   
  49   }
────────────────────────────────────────



oem_ec2_db_sg.tf (terraform)
============================
Tests: 11 (SUCCESSES: 10, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 oem_ec2_db_sg.tf:14-16
   via oem_ec2_db_sg.tf:10-17 (egress)
    via oem_ec2_db_sg.tf:1-88 (aws_security_group.oem_db_security_group)
────────────────────────────────────────
   1   resource "aws_security_group" "oem_db_security_group" {
   .   
  14 ┌     cidr_blocks = [
  15 │       "0.0.0.0/0"
  16 └     ]
  ..   
  88   }
────────────────────────────────────────



oem_ec2_wl.tf (terraform)
=========================
Tests: 6 (SUCCESSES: 5, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token
════════════════════════════════════════

IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional. 
To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 oem_ec2_wl.tf:11-58
────────────────────────────────────────
  11 ┌ resource "aws_instance" "oem_wl" {
  12 │   count                       = length(local.application_data.accounts[local.environment].ec2_oem_ami_id_wl) > 0 ? 1 : 0
  13 │   ami                         = local.application_data.accounts[local.environment].ec2_oem_ami_id_wl
  14 │   associate_public_ip_address = false
  15 │   availability_zone           = local.application_data.accounts[local.environment].ec2_zone
  16 │   ebs_optimized               = true
  17 │   iam_instance_profile        = aws_iam_instance_profile.iam_instace_profile_oem_base.name
  18 │   instance_type               = local.application_data.accounts[local.environment].ec2_oem_instance_type_wl
  19 └   key_name                    = local.application_data.accounts[local.environment].ec2_oem_key_name_wl
  ..   
────────────────────────────────────────



oem_ec2_wl_sg.tf (terraform)
============================
Tests: 8 (SUCCESSES: 7, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 oem_ec2_wl_sg.tf:21-23
   via oem_ec2_wl_sg.tf:17-24 (egress)
    via oem_ec2_wl_sg.tf:7-79 (aws_security_group.oem_wl_security_group_1[0])
────────────────────────────────────────
   7   resource "aws_security_group" "oem_wl_security_group_1" {
   .   
  21 ┌     cidr_blocks = [
  22 │       "0.0.0.0/0"
  23 └     ]
  ..   
  79   }
────────────────────────────────────────



oem_s3.tf (terraform)
=====================
Tests: 7 (SUCCESSES: 1, FAILURES: 6, EXCEPTIONS: 0)
Failures: 6 (HIGH: 6, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 oem_s3.tf:1-3
────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "laa_oem_shared" {
   2 │   bucket = "${local.application_name}-${local.environment}-shared"
   3 └ }
────────────────────────────────────────


HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 oem_s3.tf:1-3
────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "laa_oem_shared" {
   2 │   bucket = "${local.application_name}-${local.environment}-shared"
   3 └ }
────────────────────────────────────────


HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 oem_s3.tf:1-3
────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "laa_oem_shared" {
   2 │   bucket = "${local.application_name}-${local.environment}-shared"
   3 └ }
────────────────────────────────────────


HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 oem_s3.tf:1-3
────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "laa_oem_shared" {
   2 │   bucket = "${local.application_name}-${local.environment}-shared"
   3 └ }
────────────────────────────────────────


HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 oem_s3.tf:1-3
────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "laa_oem_shared" {
   2 │   bucket = "${local.application_name}-${local.environment}-shared"
   3 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 oem_s3.tf:1-3
────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "laa_oem_shared" {
   2 │   bucket = "${local.application_name}-${local.environment}-shared"
   3 └ }
────────────────────────────────────────


trivy_exitcode=1

Contributor

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/analytical-platform-compute
terraform/environments/laa-oem


Running Trivy in terraform/environments/analytical-platform-compute
2024-09-12T10:41:24Z INFO [db] Need to update DB
2024-09-12T10:41:24Z INFO [db] Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-09-12T10:41:26Z INFO [vuln] Vulnerability scanning is enabled
2024-09-12T10:41:26Z INFO [misconfig] Misconfiguration scanning is enabled
2024-09-12T10:41:26Z INFO Need to update the built-in policies
2024-09-12T10:41:26Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-09-12T10:41:27Z INFO [secret] Secret scanning is enabled
2024-09-12T10:41:27Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-09-12T10:41:27Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.55/docs/scanner/secret#recommendation for faster secret detection
2024-09-12T10:41:28Z INFO [terraform scanner] Scanning root module file_path="."
2024-09-12T10:41:28Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-09-12T10:41:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.transit_gateway_routes" value="cty.NilVal"
2024-09-12T10:41:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.aws_ec2_tag.cluster_primary_security_group" value="cty.NilVal"
2024-09-12T10:41:38Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.module.kms.dynamic.statement" value="cty.NilVal"
2024-09-12T10:41:38Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.module.kms.dynamic.statement" value="cty.NilVal"
2024-09-12T10:41:38Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.module.kms.dynamic.statement" value="cty.NilVal"
2024-09-12T10:41:38Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.module.kms.dynamic.statement" value="cty.NilVal"
2024-09-12T10:41:38Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.module.kms.dynamic.statement" value="cty.NilVal"
2024-09-12T10:41:38Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.module.kms.dynamic.statement" value="cty.NilVal"
2024-09-12T10:41:38Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.module.eks_managed_node_group["airflow-high-memory"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2024-09-12T10:41:38Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.module.eks_managed_node_group["airflow-high-memory"].dynamic.block_device_mappings" value="cty.NilVal"
2024-09-12T10:41:38Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.module.eks_managed_node_group["airflow-high-memory"].dynamic.block_device_mappings" value="cty.NilVal"
2024-09-12T10:41:38Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.module.eks_managed_node_group["general"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2024-09-12T10:41:38Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.module.eks_managed_node_group["general"].dynamic.block_device_mappings" value="cty.NilVal"
2024-09-12T10:41:38Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.module.eks_managed_node_group["general"].dynamic.block_device_mappings" value="cty.NilVal"
2024-09-12T10:41:38Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks_cluster_logs_kms.dynamic.condition" value="cty.NilVal"
2024-09-12T10:41:38Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks_cluster_logs_kms.dynamic.condition" value="cty.NilVal"
2024-09-12T10:41:38Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.module.kms.dynamic.statement" value="cty.NilVal"
2024-09-12T10:41:38Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.module.kms.dynamic.statement" value="cty.NilVal"
2024-09-12T10:41:38Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.module.eks_managed_node_group["airflow-high-memory"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2024-09-12T10:41:38Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.module.eks_managed_node_group["airflow-high-memory"].dynamic.block_device_mappings" value="cty.NilVal"
2024-09-12T10:41:38Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.module.eks_managed_node_group["airflow-high-memory"].dynamic.block_device_mappings" value="cty.NilVal"
2024-09-12T10:41:38Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.module.eks_managed_node_group["general"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2024-09-12T10:41:38Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.module.eks_managed_node_group["general"].dynamic.block_device_mappings" value="cty.NilVal"
2024-09-12T10:41:38Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.module.eks_managed_node_group["general"].dynamic.block_device_mappings" value="cty.NilVal"
2024-09-12T10:41:38Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.module.kms.dynamic.statement" value="cty.NilVal"
2024-09-12T10:41:38Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.module.kms.dynamic.statement" value="cty.NilVal"
2024-09-12T10:41:38Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.module.eks_managed_node_group["airflow-high-memory"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2024-09-12T10:41:38Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.module.eks_managed_node_group["airflow-high-memory"].dynamic.block_device_mappings" value="cty.NilVal"
2024-09-12T10:41:38Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.module.eks_managed_node_group["airflow-high-memory"].dynamic.block_device_mappings" value="cty.NilVal"
2024-09-12T10:41:38Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.module.eks_managed_node_group["general"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2024-09-12T10:41:38Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.module.eks_managed_node_group["general"].dynamic.block_device_mappings" value="cty.NilVal"
2024-09-12T10:41:38Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.module.eks_managed_node_group["general"].dynamic.block_device_mappings" value="cty.NilVal"
2024-09-12T10:41:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks_ebs_kms.dynamic.condition" value="cty.NilVal"
2024-09-12T10:41:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks_ebs_kms.dynamic.condition" value="cty.NilVal"
2024-09-12T10:41:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.module.kms.dynamic.statement" value="cty.NilVal"
2024-09-12T10:41:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.module.kms.dynamic.statement" value="cty.NilVal"
2024-09-12T10:41:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.module.eks_managed_node_group["airflow-high-memory"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2024-09-12T10:41:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.module.eks_managed_node_group["airflow-high-memory"].dynamic.block_device_mappings" value="cty.NilVal"
2024-09-12T10:41:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.module.eks_managed_node_group["airflow-high-memory"].dynamic.block_device_mappings" value="cty.NilVal"
2024-09-12T10:41:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.module.eks_managed_node_group["general"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2024-09-12T10:41:39Z INFO [terraform executor] Ignore finding rule="aws-ec2-no-public-egress-sgr" range="git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=c60b70fbc80606eb4ed8cf47063ac6ed0d8dd435/node_groups.tf:247"
2024-09-12T10:41:39Z INFO [terraform executor] Ignore finding rule="aws-eks-no-public-cluster-access" range="git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=c60b70fbc80606eb4ed8cf47063ac6ed0d8dd435/main.tf:51"
2024-09-12T10:41:39Z INFO [terraform executor] Ignore finding rule="aws-eks-no-public-cluster-access-to-cidr" range="git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=c60b70fbc80606eb4ed8cf47063ac6ed0d8dd435/main.tf:52"
2024-09-12T10:41:39Z INFO Number of language-specific files num=0
2024-09-12T10:41:39Z INFO Detected config files num=20
trivy_exitcode=0


Running Trivy in terraform/environments/laa-oem
2024-09-12T10:41:40Z INFO [vuln] Vulnerability scanning is enabled
2024-09-12T10:41:40Z INFO [misconfig] Misconfiguration scanning is enabled
2024-09-12T10:41:40Z INFO [secret] Secret scanning is enabled
2024-09-12T10:41:40Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-09-12T10:41:40Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.55/docs/scanner/secret#recommendation for faster secret detection
2024-09-12T10:41:40Z INFO [terraform scanner] Scanning root module file_path="."
2024-09-12T10:41:40Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-09-12T10:41:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_route53_record.laa_cert_validation" value="cty.NilVal"
2024-09-12T10:41:41Z INFO Number of language-specific files num=0
2024-09-12T10:41:41Z INFO Detected config files num=13

oem_ec2_app.tf (terraform)

Tests: 6 (SUCCESSES: 5, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token
════════════════════════════════════════

IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
oem_ec2_app.tf:10-57
────────────────────────────────────────
  10 ┌ resource "aws_instance" "oem_app" {
  11 │   ami                         = local.application_data.accounts[local.environment].ec2_oem_ami_id_app
  12 │   associate_public_ip_address = false
  13 │   availability_zone           = local.application_data.accounts[local.environment].ec2_zone
  14 │   ebs_optimized               = true
  15 │   iam_instance_profile        = aws_iam_instance_profile.iam_instace_profile_oem_base.name
  16 │   instance_type               = local.application_data.accounts[local.environment].ec2_oem_instance_type_app
  17 │   key_name                    = local.application_data.accounts[local.environment].ec2_oem_key_name_app
  18 └   monitoring                  = true
  ..   
────────────────────────────────────────

oem_ec2_app_efs.tf (terraform)

Tests: 3 (SUCCESSES: 2, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
oem_ec2_app_efs.tf:41-43
via oem_ec2_app_efs.tf:37-44 (egress)
via oem_ec2_app_efs.tf:21-49 (aws_security_group.oem_app_efs_sg)
────────────────────────────────────────
  21   resource "aws_security_group" "oem_app_efs_sg" {
  ..   
  41 ┌     cidr_blocks = [
  42 │       "0.0.0.0/0",
  43 └     ]
  ..   
  49   }
────────────────────────────────────────

oem_ec2_app_lb.tf (terraform)

Tests: 21 (SUCCESSES: 15, FAILURES: 6, EXCEPTIONS: 0)
Failures: 6 (HIGH: 2, CRITICAL: 4)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.

By setting drop_invalid_header_fields to true, anything that doe not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
oem_ec2_app_lb.tf:1-9
────────────────────────────────────────
   1 ┌ resource "aws_lb" "oem_app" {
   2 │   name               = "lb-${local.application_name}-app"
   3 │   load_balancer_type = "application"
   4 │   internal           = false
   5 │   security_groups    = [aws_security_group.load_balancer_security_group.id]
   6 │   subnets            = data.aws_subnets.shared-public.ids
   7 │ 
   8 │   tags = local.tags
   9 └ }
────────────────────────────────────────

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
oem_ec2_app_lb.tf:4
via oem_ec2_app_lb.tf:1-9 (aws_lb.oem_app)
────────────────────────────────────────
   1   resource "aws_lb" "oem_app" {
   2     name               = "lb-${local.application_name}-app"
   3     load_balancer_type = "application"
   4 [   internal           = false
   5     security_groups    = [aws_security_group.load_balancer_security_group.id]
   6     subnets            = data.aws_subnets.shared-public.ids
   7   
   8     tags = local.tags
   9   }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
oem_ec2_app_lb.tf:300-302
via oem_ec2_app_lb.tf:296-303 (egress)
via oem_ec2_app_lb.tf:231-304 (aws_security_group.load_balancer_security_group)
────────────────────────────────────────
 231   resource "aws_security_group" "load_balancer_security_group" {
 ...   
 300 ┌     cidr_blocks = [
 301 │       "0.0.0.0/0",
 302 └     ]
 ...   
 304   }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
oem_ec2_app_lb.tf:258
via oem_ec2_app_lb.tf:254-259 (ingress)
via oem_ec2_app_lb.tf:231-304 (aws_security_group.load_balancer_security_group)
────────────────────────────────────────
 231   resource "aws_security_group" "load_balancer_security_group" {
 ...   
 258 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 304   }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
oem_ec2_app_lb.tf:272
via oem_ec2_app_lb.tf:268-273 (ingress)
via oem_ec2_app_lb.tf:231-304 (aws_security_group.load_balancer_security_group)
────────────────────────────────────────
 231   resource "aws_security_group" "load_balancer_security_group" {
 ...   
 272 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 304   }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
oem_ec2_app_lb.tf:293
via oem_ec2_app_lb.tf:289-294 (ingress)
via oem_ec2_app_lb.tf:231-304 (aws_security_group.load_balancer_security_group)
────────────────────────────────────────
 231   resource "aws_security_group" "load_balancer_security_group" {
 ...   
 293 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 304   }
────────────────────────────────────────

oem_ec2_app_lb_internal.tf (terraform)

Tests: 21 (SUCCESSES: 16, FAILURES: 5, EXCEPTIONS: 0)
Failures: 5 (HIGH: 1, CRITICAL: 4)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.

By setting drop_invalid_header_fields to true, anything that doe not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
oem_ec2_app_lb_internal.tf:1-9
────────────────────────────────────────
   1 ┌ resource "aws_lb" "oem_app_internal" {
   2 │   name               = "lb-${local.application_name}-app-internal"
   3 │   load_balancer_type = "application"
   4 │   internal           = true
   5 │   security_groups    = [aws_security_group.load_balancer_internal.id]
   6 │   subnets            = data.aws_subnets.shared-private.ids
   7 │ 
   8 │   tags = local.tags
   9 └ }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
oem_ec2_app_lb_internal.tf:300-302
via oem_ec2_app_lb_internal.tf:296-303 (egress)
via oem_ec2_app_lb_internal.tf:231-304 (aws_security_group.load_balancer_internal)
────────────────────────────────────────
 231   resource "aws_security_group" "load_balancer_internal" {
 ...   
 300 ┌     cidr_blocks = [
 301 │       "0.0.0.0/0",
 302 └     ]
 ...   
 304   }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
oem_ec2_app_lb_internal.tf:258
via oem_ec2_app_lb_internal.tf:254-259 (ingress)
via oem_ec2_app_lb_internal.tf:231-304 (aws_security_group.load_balancer_internal)
────────────────────────────────────────
 231   resource "aws_security_group" "load_balancer_internal" {
 ...   
 258 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 304   }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
oem_ec2_app_lb_internal.tf:272
via oem_ec2_app_lb_internal.tf:268-273 (ingress)
via oem_ec2_app_lb_internal.tf:231-304 (aws_security_group.load_balancer_internal)
────────────────────────────────────────
 231   resource "aws_security_group" "load_balancer_internal" {
 ...   
 272 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 304   }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
oem_ec2_app_lb_internal.tf:293
via oem_ec2_app_lb_internal.tf:289-294 (ingress)
via oem_ec2_app_lb_internal.tf:231-304 (aws_security_group.load_balancer_internal)
────────────────────────────────────────
 231   resource "aws_security_group" "load_balancer_internal" {
 ...   
 293 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 304   }
────────────────────────────────────────

oem_ec2_app_sg.tf (terraform)

Tests: 19 (SUCCESSES: 18, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
oem_ec2_app_sg.tf:14-16
via oem_ec2_app_sg.tf:10-17 (egress)
via oem_ec2_app_sg.tf:1-96 (aws_security_group.oem_app_security_group_1)
────────────────────────────────────────
   1   resource "aws_security_group" "oem_app_security_group_1" {
   .   
  14 ┌     cidr_blocks = [
  15 │       "0.0.0.0/0"
  16 └     ]
  ..   
  96   }
────────────────────────────────────────

oem_ec2_db.tf (terraform)

Tests: 9 (SUCCESSES: 8, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token
════════════════════════════════════════

IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
oem_ec2_db.tf:10-57
────────────────────────────────────────
  10 ┌ resource "aws_instance" "oem_db" {
  11 │   ami                         = local.application_data.accounts[local.environment].ec2_oem_ami_id_db
  12 │   associate_public_ip_address = false
  13 │   availability_zone           = local.application_data.accounts[local.environment].ec2_zone
  14 │   ebs_optimized               = true
  15 │   iam_instance_profile        = aws_iam_instance_profile.iam_instace_profile_oem_base.name
  16 │   instance_type               = local.application_data.accounts[local.environment].ec2_oem_instance_type_db
  17 │   key_name                    = local.application_data.accounts[local.environment].ec2_oem_key_name_db
  18 └   monitoring                  = true
  ..   
────────────────────────────────────────

oem_ec2_db_efs.tf (terraform)

Tests: 3 (SUCCESSES: 2, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
oem_ec2_db_efs.tf:41-43
via oem_ec2_db_efs.tf:37-44 (egress)
via oem_ec2_db_efs.tf:21-49 (aws_security_group.oem_db_efs_sg)
────────────────────────────────────────
  21   resource "aws_security_group" "oem_db_efs_sg" {
  ..   
  41 ┌     cidr_blocks = [
  42 │       "0.0.0.0/0",
  43 └     ]
  ..   
  49   }
────────────────────────────────────────

oem_ec2_db_sg.tf (terraform)

Tests: 11 (SUCCESSES: 10, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
oem_ec2_db_sg.tf:14-16
via oem_ec2_db_sg.tf:10-17 (egress)
via oem_ec2_db_sg.tf:1-88 (aws_security_group.oem_db_security_group)
────────────────────────────────────────
   1   resource "aws_security_group" "oem_db_security_group" {
   .   
  14 ┌     cidr_blocks = [
  15 │       "0.0.0.0/0"
  16 └     ]
  ..   
  88   }
────────────────────────────────────────

oem_ec2_wl.tf (terraform)

Tests: 6 (SUCCESSES: 5, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token
════════════════════════════════════════

IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
oem_ec2_wl.tf:11-58
────────────────────────────────────────
  11 ┌ resource "aws_instance" "oem_wl" {
  12 │   count                       = length(local.application_data.accounts[local.environment].ec2_oem_ami_id_wl) > 0 ? 1 : 0
  13 │   ami                         = local.application_data.accounts[local.environment].ec2_oem_ami_id_wl
  14 │   associate_public_ip_address = false
  15 │   availability_zone           = local.application_data.accounts[local.environment].ec2_zone
  16 │   ebs_optimized               = true
  17 │   iam_instance_profile        = aws_iam_instance_profile.iam_instace_profile_oem_base.name
  18 │   instance_type               = local.application_data.accounts[local.environment].ec2_oem_instance_type_wl
  19 └   key_name                    = local.application_data.accounts[local.environment].ec2_oem_key_name_wl
  ..   
────────────────────────────────────────

oem_ec2_wl_sg.tf (terraform)

Tests: 8 (SUCCESSES: 7, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
oem_ec2_wl_sg.tf:21-23
via oem_ec2_wl_sg.tf:17-24 (egress)
via oem_ec2_wl_sg.tf:7-79 (aws_security_group.oem_wl_security_group_1[0])
────────────────────────────────────────
7 resource "aws_security_group" "oem_wl_security_group_1" {
.
21 ┌ cidr_blocks = [
22 │ "0.0.0.0/0"
23 └ ]
..
79 }
────────────────────────────────────────

oem_s3.tf (terraform)

Tests: 7 (SUCCESSES: 1, FAILURES: 6, EXCEPTIONS: 0)
Failures: 6 (HIGH: 6, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs will fail if the object has any public ACL.

See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
oem_s3.tf:1-3
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "laa_oem_shared" {
2 │ bucket = "${local.application_name}-${local.environment}-shared"
3 └ }
────────────────────────────────────────

HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
oem_s3.tf:1-3
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "laa_oem_shared" {
2 │ bucket = "${local.application_name}-${local.environment}-shared"
3 └ }
────────────────────────────────────────

HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
oem_s3.tf:1-3
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "laa_oem_shared" {
2 │ bucket = "${local.application_name}-${local.environment}-shared"
3 └ }
────────────────────────────────────────

HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
oem_s3.tf:1-3
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "laa_oem_shared" {
2 │ bucket = "${local.application_name}-${local.environment}-shared"
3 └ }
────────────────────────────────────────

HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling restrict_public_buckets, only the bucket owner and AWS services can access the bucket if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
oem_s3.tf:1-3
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "laa_oem_shared" {
2 │ bucket = "${local.application_name}-${local.environment}-shared"
3 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation, use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
oem_s3.tf:1-3
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "laa_oem_shared" {
2 │ bucket = "${local.application_name}-${local.environment}-shared"
3 └ }
────────────────────────────────────────

trivy_exitcode=1
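
The Trivy findings above come down to four resource shapes: a bare `aws_s3_bucket` with no public access block and no encryption, an `aws_instance` with the default optional IMDS tokens, and two security groups whose egress is `0.0.0.0/0`. The Terraform below is an added example of the remediated shape of each, not code from this PR or the repository. It reuses names visible on this page (`local.application_name`, `local.environment`, `local.tags`, `local.application_data`, `data.aws_vpc.shared`, `data.aws_subnet.data_subnets_a`, `aws_iam_instance_profile.iam_instace_profile_oem_base`, `aws_security_group.oem_wl_security_group_1`); `aws_kms_key.s3_shared`, `data.aws_region.current` and the S3 prefix-list lookup are assumptions, the `oem_wl` instance shows only the arguments needed to be valid, and the ingress rules of the DB security group are omitted.

```hcl
# Added example, not code from this PR: remediations for the Trivy findings.
# Reused from the page: local.*, data.aws_vpc.shared, data.aws_subnet.data_subnets_a,
# aws_iam_instance_profile.iam_instace_profile_oem_base, aws_security_group.oem_wl_security_group_1.
# Assumed (hypothetical): aws_kms_key.s3_shared, data.aws_region.current, data.aws_prefix_list.s3.

# avd-aws-0086/0087/0091/0093: since AWS provider 4.x the public access block is a
# separate resource; a bare aws_s3_bucket has none of the four settings enabled.
resource "aws_s3_bucket" "laa_oem_shared" {
  bucket = "${local.application_name}-${local.environment}-shared"
  tags   = local.tags
}

resource "aws_s3_bucket_public_access_block" "laa_oem_shared" {
  bucket                  = aws_s3_bucket.laa_oem_shared.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# avd-aws-0088/0132: SSE-KMS with a customer managed key (assumed name), so the key
# policy, rotation and CloudTrail Decrypt events stay under the account's control.
resource "aws_kms_key" "s3_shared" {
  description         = "${local.application_name}-${local.environment} shared bucket"
  enable_key_rotation = true
  tags                = local.tags
}

resource "aws_s3_bucket_server_side_encryption_configuration" "laa_oem_shared" {
  bucket = aws_s3_bucket.laa_oem_shared.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.s3_shared.arn
    }
    bucket_key_enabled = true # fewer KMS calls per object, same key
  }
}

# avd-aws-0028: http_tokens = "required" disables IMDSv1, so an SSRF or a compromised
# local process cannot read instance-profile credentials with a plain GET.
# Only the arguments needed to be valid are shown; the rest of oem_ec2_wl.tf is unchanged.
resource "aws_instance" "oem_wl" {
  count                  = length(local.application_data.accounts[local.environment].ec2_oem_ami_id_wl) > 0 ? 1 : 0
  ami                    = local.application_data.accounts[local.environment].ec2_oem_ami_id_wl
  instance_type          = local.application_data.accounts[local.environment].ec2_oem_instance_type_wl
  subnet_id              = data.aws_subnet.data_subnets_a.id
  iam_instance_profile   = aws_iam_instance_profile.iam_instace_profile_oem_base.name
  vpc_security_group_ids = [aws_security_group.oem_wl_security_group_1[count.index].id]

  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required"
    http_put_response_hop_limit = 1 # a token cannot be fetched from a container one network hop away
    instance_metadata_tags      = "disabled"
  }
}

# avd-aws-0104: replace the 0.0.0.0/0 egress with described rules (also CKV_AWS_23) that
# reach only the VPC (interface endpoints for SSM and KMS) and the S3 gateway endpoint.
data "aws_region" "current" {}

data "aws_prefix_list" "s3" {
  name = "com.amazonaws.${data.aws_region.current.name}.s3"
}

resource "aws_security_group" "oem_db_security_group" {
  name_prefix = "${local.application_name}-db-sg-"
  description = "OEM DB host: restricted egress (ingress rules omitted in this example)"
  vpc_id      = data.aws_vpc.shared.id
  tags        = local.tags

  egress {
    description = "HTTPS to VPC interface endpoints and other hosts in the shared VPC"
    protocol    = "tcp"
    from_port   = 443
    to_port     = 443
    cidr_blocks = [data.aws_vpc.shared.cidr_block]
  }

  egress {
    description     = "HTTPS to S3 through the gateway endpoint prefix list"
    protocol        = "tcp"
    from_port       = 443
    to_port         = 443
    prefix_list_ids = [data.aws_prefix_list.s3.id]
  }
}
```

Two caveats when applying this to the real resources: the SSM document added in this PR needs the instance to reach the `ssm`, `ssmmessages` and `ec2messages` interface endpoints (or a NAT route), so the VPC-CIDR egress rule assumes those endpoints exist in the shared VPC; and `http_put_response_hop_limit = 1` breaks IMDS for any container on the host that uses a bridge network, so raise it to 2 only where that is actually required.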

Checkov Scan Failed

Show Output

*****************************

Checkov will check the following folders:
terraform/environments/analytical-platform-compute
terraform/environments/laa-oem

*****************************

Running Checkov in terraform/environments/analytical-platform-compute
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-09-12 10:41:44,301 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws//modules/vpc-endpoints:5.13.0 (for external modules, the --download-external-modules flag is required)
2024-09-12 10:41:44,301 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-policy:5.44.0 (for external modules, the --download-external-modules flag is required)
2024-09-12 10:41:44,301 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/route53/aws//modules/zones:4.0.0 (for external modules, the --download-external-modules flag is required)
2024-09-12 10:41:44,301 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/cloudwatch/aws//modules/log-group:5.5.0 (for external modules, the --download-external-modules flag is required)
2024-09-12 10:41:44,302 [MainThread  ] [WARNI]  Failed to download module ministryofjustice/observability-platform-tenant/aws:1.2.0 (for external modules, the --download-external-modules flag is required)
2024-09-12 10:41:44,302 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/rds/aws:6.8.0 (for external modules, the --download-external-modules flag is required)
2024-09-12 10:41:44,302 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/kms/aws:3.1.0 (for external modules, the --download-external-modules flag is required)
2024-09-12 10:41:44,302 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/s3-bucket/aws:4.1.2 (for external modules, the --download-external-modules flag is required)
2024-09-12 10:41:44,302 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/managed-service-prometheus/aws:3.0.0 (for external modules, the --download-external-modules flag is required)
2024-09-12 10:41:44,302 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/security-group/aws:5.1.2 (for external modules, the --download-external-modules flag is required)
2024-09-12 10:41:44,302 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/eks/aws:20.24.0 (for external modules, the --download-external-modules flag is required)
2024-09-12 10:41:44,302 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/eks/aws//modules/karpenter:20.24.0 (for external modules, the --download-external-modules flag is required)
2024-09-12 10:41:44,302 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws:5.13.0 (for external modules, the --download-external-modules flag is required)
2024-09-12 10:41:44,303 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/eks-pod-identity/aws:1.4.0 (for external modules, the --download-external-modules flag is required)
2024-09-12 10:41:44,303 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks:5.44.0 (for external modules, the --download-external-modules flag is required)
2024-09-12 10:41:44,303 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-github-oidc-role:5.44.0 (for external modules, the --download-external-modules flag is required)
2024-09-12 10:41:44,303 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-assumable-role:5.44.0 (for external modules, the --download-external-modules flag is required)
2024-09-12 10:41:44,303 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/efs/aws:1.6.3 (for external modules, the --download-external-modules flag is required)
2024-09-12 10:41:44,303 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/secrets-manager/aws:1.1.2 (for external modules, the --download-external-modules flag is required)
2024-09-12 10:41:44,890 [MainThread  ] [WARNI]  Fail to load yaml content, while constructing a mapping
  in "<unicode string>", line 8, column 9:
      role: {{ .Values.nodeRole }}
            ^
found unhashable key
  in "<unicode string>", line 8, column 10:
      role: {{ .Values.nodeRole }}
             ^
2024-09-12 10:41:44,934 [MainThread  ] [WARNI]  Fail to load yaml content, while constructing a mapping
  in "<unicode string>", line 8, column 9:
      role: {{ .Values.nodeRole }}
            ^
found unhashable key
  in "<unicode string>", line 8, column 10:
      role: {{ .Values.nodeRole }}
             ^
terraform scan results:

Passed checks: 92, Failed checks: 0, Skipped checks: 117


checkov_exitcode=0

*****************************

Running Checkov in terraform/environments/laa-oem
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
terraform scan results:

Passed checks: 182, Failed checks: 26, Skipped checks: 0

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.oem_app
	File: /oem_ec2_app.tf:10-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		10 | resource "aws_instance" "oem_app" {
		11 |   ami                         = local.application_data.accounts[local.environment].ec2_oem_ami_id_app
		12 |   associate_public_ip_address = false
		13 |   availability_zone           = local.application_data.accounts[local.environment].ec2_zone
		14 |   ebs_optimized               = true
		15 |   iam_instance_profile        = aws_iam_instance_profile.iam_instace_profile_oem_base.name
		16 |   instance_type               = local.application_data.accounts[local.environment].ec2_oem_instance_type_app
		17 |   key_name                    = local.application_data.accounts[local.environment].ec2_oem_key_name_app
		18 |   monitoring                  = true
		19 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		20 |   user_data_replace_on_change = true
		21 |   user_data = base64encode(templatefile("./templates/oem-user-data-app.sh", {
		22 |     efs_fqdn = aws_efs_file_system.oem_app_efs.dns_name
		23 |     env_fqdn = "${var.networking[0].business-unit}-${local.environment}.modernisation-platform.service.justice.gov.uk"
		24 |     hostname = "laa-oem-app"
		25 |   }))
		26 |   vpc_security_group_ids = [aws_security_group.oem_app_security_group_1.id, aws_security_group.oem_app_security_group_2.id]
		27 | 
		28 |   root_block_device {
		29 |     delete_on_termination = true
		30 |     encrypted             = true
		31 |     iops                  = 3100
		32 |     kms_key_id            = data.aws_kms_key.ebs_shared.arn
		33 |     volume_size           = 12
		34 |     volume_type           = "gp3"
		35 |   }
		36 | 
		37 |   volume_tags = merge(tomap({
		38 |     "Name"                 = "${local.application_name}-app-root",
		39 |     "volume-attach-host"   = "app",
		40 |     "volume-attach-device" = "/dev/sda1",
		41 |     "volume-mount-path"    = "/",
		42 |     "volume-backup"        = true
		43 |   }), local.tags)
		44 | 
		45 |   tags = merge(tomap({
		46 |     "Name"     = lower(format("ec2-%s-%s-app", local.application_name, local.environment)),
		47 |     "hostname" = "${local.application_name}-app",
		48 |     "env-fqdn" = "${var.networking[0].business-unit}-${local.environment}.modernisation-platform.service.justice.gov.uk"
		49 |   }), local.tags)
		50 | 
		51 |   lifecycle {
		52 |     ignore_changes = [
		53 |       volume_tags,
		54 |       user_data
		55 |     ]
		56 |   }
		57 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.oem_app_efs_sg
	File: /oem_ec2_app_efs.tf:21-49
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		21 | resource "aws_security_group" "oem_app_efs_sg" {
		22 |   name_prefix = "${local.application_name}-app-efs-sg-"
		23 |   description = "Allow inbound access from instances"
		24 |   vpc_id      = data.aws_vpc.shared.id
		25 | 
		26 |   tags = merge(tomap(
		27 |     { "Name" = "${local.application_name}-app-efs-sg" }
		28 |   ), local.tags)
		29 | 
		30 |   ingress {
		31 |     protocol    = "tcp"
		32 |     from_port   = 2049
		33 |     to_port     = 2049
		34 |     cidr_blocks = [data.aws_vpc.shared.cidr_block]
		35 |   }
		36 | 
		37 |   egress {
		38 |     protocol  = "-1"
		39 |     from_port = 0
		40 |     to_port   = 0
		41 |     cidr_blocks = [
		42 |       "0.0.0.0/0",
		43 |     ]
		44 |   }
		45 | 
		46 |   lifecycle {
		47 |     create_before_destroy = true
		48 |   }
		49 | }
Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.oem_app
	File: /oem_ec2_app_lb.tf:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		1 | resource "aws_lb" "oem_app" {
		2 |   name               = "lb-${local.application_name}-app"
		3 |   load_balancer_type = "application"
		4 |   internal           = false
		5 |   security_groups    = [aws_security_group.load_balancer_security_group.id]
		6 |   subnets            = data.aws_subnets.shared-public.ids
		7 | 
		8 |   tags = local.tags
		9 | }

Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.oem_app
	File: /oem_ec2_app_lb.tf:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		1 | resource "aws_lb" "oem_app" {
		2 |   name               = "lb-${local.application_name}-app"
		3 |   load_balancer_type = "application"
		4 |   internal           = false
		5 |   security_groups    = [aws_security_group.load_balancer_security_group.id]
		6 |   subnets            = data.aws_subnets.shared-public.ids
		7 | 
		8 |   tags = local.tags
		9 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.oem_app
	File: /oem_ec2_app_lb.tf:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		1 | resource "aws_lb" "oem_app" {
		2 |   name               = "lb-${local.application_name}-app"
		3 |   load_balancer_type = "application"
		4 |   internal           = false
		5 |   security_groups    = [aws_security_group.load_balancer_security_group.id]
		6 |   subnets            = data.aws_subnets.shared-public.ids
		7 | 
		8 |   tags = local.tags
		9 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.load_balancer_security_group
	File: /oem_ec2_app_lb.tf:231-304
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.oem_app_internal
	File: /oem_ec2_app_lb_internal.tf:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		1 | resource "aws_lb" "oem_app_internal" {
		2 |   name               = "lb-${local.application_name}-app-internal"
		3 |   load_balancer_type = "application"
		4 |   internal           = true
		5 |   security_groups    = [aws_security_group.load_balancer_internal.id]
		6 |   subnets            = data.aws_subnets.shared-private.ids
		7 | 
		8 |   tags = local.tags
		9 | }

Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.oem_app_internal
	File: /oem_ec2_app_lb_internal.tf:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		1 | resource "aws_lb" "oem_app_internal" {
		2 |   name               = "lb-${local.application_name}-app-internal"
		3 |   load_balancer_type = "application"
		4 |   internal           = true
		5 |   security_groups    = [aws_security_group.load_balancer_internal.id]
		6 |   subnets            = data.aws_subnets.shared-private.ids
		7 | 
		8 |   tags = local.tags
		9 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.oem_app_internal
	File: /oem_ec2_app_lb_internal.tf:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		1 | resource "aws_lb" "oem_app_internal" {
		2 |   name               = "lb-${local.application_name}-app-internal"
		3 |   load_balancer_type = "application"
		4 |   internal           = true
		5 |   security_groups    = [aws_security_group.load_balancer_internal.id]
		6 |   subnets            = data.aws_subnets.shared-private.ids
		7 | 
		8 |   tags = local.tags
		9 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.load_balancer_internal
	File: /oem_ec2_app_lb_internal.tf:231-304
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.oem_app_security_group_1
	File: /oem_ec2_app_sg.tf:1-96
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.oem_app_security_group_2
	File: /oem_ec2_app_sg.tf:98-170
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.oem_db
	File: /oem_ec2_db.tf:10-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		10 | resource "aws_instance" "oem_db" {
		11 |   ami                         = local.application_data.accounts[local.environment].ec2_oem_ami_id_db
		12 |   associate_public_ip_address = false
		13 |   availability_zone           = local.application_data.accounts[local.environment].ec2_zone
		14 |   ebs_optimized               = true
		15 |   iam_instance_profile        = aws_iam_instance_profile.iam_instace_profile_oem_base.name
		16 |   instance_type               = local.application_data.accounts[local.environment].ec2_oem_instance_type_db
		17 |   key_name                    = local.application_data.accounts[local.environment].ec2_oem_key_name_db
		18 |   monitoring                  = true
		19 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		20 |   user_data_replace_on_change = true
		21 |   user_data = base64encode(templatefile("./templates/oem-user-data-db.sh", {
		22 |     efs_fqdn = aws_efs_file_system.oem_db_efs.dns_name
		23 |     env_fqdn = "${var.networking[0].business-unit}-${local.environment}.modernisation-platform.service.justice.gov.uk"
		24 |     hostname = "laa-oem-db"
		25 |   }))
		26 |   vpc_security_group_ids = [aws_security_group.oem_db_security_group.id]
		27 | 
		28 |   root_block_device {
		29 |     delete_on_termination = true
		30 |     encrypted             = true
		31 |     kms_key_id            = data.aws_kms_key.ebs_shared.arn
		32 |     iops                  = 3100
		33 |     volume_size           = 12
		34 |     volume_type           = "gp3"
		35 |   }
		36 | 
		37 |   volume_tags = merge(tomap({
		38 |     "Name"                 = "${local.application_name}-db-root",
		39 |     "volume-attach-host"   = "db",
		40 |     "volume-attach-device" = "/dev/sda1",
		41 |     "volume-mount-path"    = "/",
		42 |     "volume-backup"        = true
		43 |   }), local.tags)
		44 | 
		45 |   tags = merge(tomap({
		46 |     "Name"     = lower(format("ec2-%s-%s-db", local.application_name, local.environment)),
		47 |     "hostname" = "${local.application_name}-db",
		48 |     "env-fqdn" = "${var.networking[0].business-unit}-${local.environment}.modernisation-platform.service.justice.gov.uk"
		49 |   }), local.tags)
		50 | 
		51 |   lifecycle {
		52 |     ignore_changes = [
		53 |       volume_tags,
		54 |       user_data
		55 |     ]
		56 |   }
		57 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.oem_db_efs_sg
	File: /oem_ec2_db_efs.tf:21-49
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		21 | resource "aws_security_group" "oem_db_efs_sg" {
		22 |   name_prefix = "${local.application_name}-db-efs-sg-"
		23 |   description = "Allow inbound access from instances"
		24 |   vpc_id      = data.aws_vpc.shared.id
		25 | 
		26 |   tags = merge(tomap(
		27 |     { "Name" = "${local.application_name}-db-efs-sg" }
		28 |   ), local.tags)
		29 | 
		30 |   ingress {
		31 |     protocol    = "tcp"
		32 |     from_port   = 2049
		33 |     to_port     = 2049
		34 |     cidr_blocks = [data.aws_vpc.shared.cidr_block]
		35 |   }
		36 | 
		37 |   egress {
		38 |     protocol  = "-1"
		39 |     from_port = 0
		40 |     to_port   = 0
		41 |     cidr_blocks = [
		42 |       "0.0.0.0/0",
		43 |     ]
		44 |   }
		45 | 
		46 |   lifecycle {
		47 |     create_before_destroy = true
		48 |   }
		49 | }
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.oem_db_security_group
	File: /oem_ec2_db_sg.tf:1-88
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.oem_wl[0]
	File: /oem_ec2_wl.tf:11-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		11 | resource "aws_instance" "oem_wl" {
		12 |   count                       = length(local.application_data.accounts[local.environment].ec2_oem_ami_id_wl) > 0 ? 1 : 0
		13 |   ami                         = local.application_data.accounts[local.environment].ec2_oem_ami_id_wl
		14 |   associate_public_ip_address = false
		15 |   availability_zone           = local.application_data.accounts[local.environment].ec2_zone
		16 |   ebs_optimized               = true
		17 |   iam_instance_profile        = aws_iam_instance_profile.iam_instace_profile_oem_base.name
		18 |   instance_type               = local.application_data.accounts[local.environment].ec2_oem_instance_type_wl
		19 |   key_name                    = local.application_data.accounts[local.environment].ec2_oem_key_name_wl
		20 |   monitoring                  = true
		21 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		22 |   user_data_replace_on_change = true
		23 |   user_data = base64encode(templatefile("./templates/oem-user-data-wl.sh", {
		24 |     env_fqdn = "${var.networking[0].business-unit}-${local.environment}.modernisation-platform.service.justice.gov.uk"
		25 |     hostname = "laa-oem-wl"
		26 |   }))
		27 |   vpc_security_group_ids = [aws_security_group.oem_wl_security_group_1[count.index].id]
		28 | 
		29 |   root_block_device {
		30 |     delete_on_termination = true
		31 |     encrypted             = true
		32 |     iops                  = 3100
		33 |     kms_key_id            = data.aws_kms_key.ebs_shared.arn
		34 |     volume_size           = 12
		35 |     volume_type           = "gp3"
		36 |   }
		37 | 
		38 |   volume_tags = merge(tomap({
		39 |     "Name"                 = "${local.application_name}-wl-root",
		40 |     "volume-attach-host"   = "wl",
		41 |     "volume-attach-device" = "/dev/sda1",
		42 |     "volume-mount-path"    = "/",
		43 |     "volume-backup"        = true
		44 |   }), local.tags)
		45 | 
		46 |   tags = merge(tomap({
		47 |     "Name"     = lower(format("ec2-%s-%s-wl", local.application_name, local.environment)),
		48 |     "hostname" = "${local.application_name}-wl",
		49 |     "env-fqdn" = "${var.networking[0].business-unit}-${local.environment}.modernisation-platform.service.justice.gov.uk"
		50 |   }), local.tags)
		51 | 
		52 |   lifecycle {
		53 |     ignore_changes = [
		54 |       volume_tags,
		55 |       user_data
		56 |     ]
		57 |   }
		58 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.oem_wl_security_group_1[0]
	File: /oem_ec2_wl_sg.tf:7-79
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.laa_oem_shared
	File: /oem_s3.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		1 | resource "aws_s3_bucket" "laa_oem_shared" {
		2 |   bucket = "${local.application_name}-${local.environment}-shared"
		3 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.laa_oem_shared
	File: /oem_s3.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1 | resource "aws_s3_bucket" "laa_oem_shared" {
		2 |   bucket = "${local.application_name}-${local.environment}-shared"
		3 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.laa_oem_shared
	File: /oem_s3.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		1 | resource "aws_s3_bucket" "laa_oem_shared" {
		2 |   bucket = "${local.application_name}-${local.environment}-shared"
		3 | }
Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.oem_wl_security_group_1[0]
	File: /oem_ec2_wl_sg.tf:7-79
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.laa_oem_shared
	File: /oem_s3.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1 | resource "aws_s3_bucket" "laa_oem_shared" {
		2 |   bucket = "${local.application_name}-${local.environment}-shared"
		3 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.laa_oem_shared
	File: /oem_s3.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1 | resource "aws_s3_bucket" "laa_oem_shared" {
		2 |   bucket = "${local.application_name}-${local.environment}-shared"
		3 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.laa_oem_shared
	File: /oem_s3.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1 | resource "aws_s3_bucket" "laa_oem_shared" {
		2 |   bucket = "${local.application_name}-${local.environment}-shared"
		3 | }
Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF"
	FAILED for resource: aws_lb.oem_app
	File: /oem_ec2_app_lb.tf:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf

		1 | resource "aws_lb" "oem_app" {
		2 |   name               = "lb-${local.application_name}-app"
		3 |   load_balancer_type = "application"
		4 |   internal           = false
		5 |   security_groups    = [aws_security_group.load_balancer_security_group.id]
		6 |   subnets            = data.aws_subnets.shared-public.ids
		7 | 
		8 |   tags = local.tags
		9 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.laa_oem_shared
	File: /oem_s3.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1 | resource "aws_s3_bucket" "laa_oem_shared" {
		2 |   bucket = "${local.application_name}-${local.environment}-shared"
		3 | }

checkov_exitcode=1
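
The four Checkov findings on `aws_lb.oem_app` (CKV_AWS_150, CKV_AWS_131, CKV_AWS_91 and CKV2_AWS_28) are all fixed on the load balancer resource itself plus two supporting resources. The Terraform below is an added example of that, not code from this PR or the repository: `aws_lb.oem_app` is rewritten with the arguments it has on this page, while the access-log bucket, its bucket policy and the WAFv2 web ACL are assumed names. The bucket policy grants the regional ELB service account `s3:PutObject`, which is what ALB access logging needs in long-standing regions; opt-in regions use the `logdelivery.elasticloadbalancing.amazonaws.com` service principal instead.

```hcl
# Added example, not code from this PR: remediation for the Checkov ALB findings.
# Reused from the page: local.*, aws_security_group.load_balancer_security_group,
# data.aws_subnets.shared-public.  Assumed (hypothetical): every other resource name below.

data "aws_elb_service_account" "main" {}

# CKV_AWS_91 needs somewhere to write; the log bucket gets the same public access block
# the scanners demand of every bucket.
resource "aws_s3_bucket" "lb_access_logs" {
  bucket = "${local.application_name}-${local.environment}-lb-logs"
  tags   = local.tags
}

resource "aws_s3_bucket_public_access_block" "lb_access_logs" {
  bucket                  = aws_s3_bucket.lb_access_logs.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# ELB log delivery writes as the regional ELB service account under <prefix>/AWSLogs/<account>/.
data "aws_iam_policy_document" "lb_access_logs" {
  statement {
    sid       = "AllowELBLogDelivery"
    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.lb_access_logs.arn}/${local.application_name}/AWSLogs/*"]
    principals {
      type        = "AWS"
      identifiers = [data.aws_elb_service_account.main.arn]
    }
  }
}

resource "aws_s3_bucket_policy" "lb_access_logs" {
  bucket = aws_s3_bucket.lb_access_logs.id
  policy = data.aws_iam_policy_document.lb_access_logs.json
}

resource "aws_lb" "oem_app" {
  name               = "lb-${local.application_name}-app"
  load_balancer_type = "application"
  internal           = false
  security_groups    = [aws_security_group.load_balancer_security_group.id]
  subnets            = data.aws_subnets.shared-public.ids

  enable_deletion_protection = true # CKV_AWS_150: terraform destroy / console delete must be deliberate
  drop_invalid_header_fields = true # CKV_AWS_131: malformed header names are dropped, not forwarded to targets

  access_logs { # CKV_AWS_91
    bucket  = aws_s3_bucket.lb_access_logs.id
    prefix  = local.application_name
    enabled = true
  }

  tags = local.tags
}

# CKV2_AWS_28: a regional web ACL running the AWS managed core rule set, associated to the ALB.
resource "aws_wafv2_web_acl" "oem_app" {
  name  = "${local.application_name}-${local.environment}-app"
  scope = "REGIONAL"

  default_action {
    allow {}
  }

  rule {
    name     = "AWSManagedRulesCommonRuleSet"
    priority = 1
    override_action {
      none {} # keep the rule group's own block actions
    }
    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "common-rules"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "${local.application_name}-app-waf"
    sampled_requests_enabled   = true
  }

  tags = local.tags
}

resource "aws_wafv2_web_acl_association" "oem_app" {
  resource_arn = aws_lb.oem_app.arn
  web_acl_arn  = aws_wafv2_web_acl.oem_app.arn
}
```

`aws_lb.oem_app_internal` takes the same three load-balancer arguments (deletion protection, header dropping, access logs); CKV2_AWS_28 applies only to the internet-facing ALB, so the internal one needs no web ACL. Roll the managed rule group out with `override_action { count {} }` first and review the sampled requests before switching to `none {}`, otherwise a false positive on the OEM console takes the application offline.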

CTFLint Scan Success

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/analytical-platform-compute
terraform/environments/laa-oem

*****************************

Running tflint in terraform/environments/analytical-platform-compute
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

*****************************

Running tflint in terraform/environments/laa-oem
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Failed

Show Output
*****************************

Trivy will check the following folders:
terraform/environments/analytical-platform-compute
terraform/environments/laa-oem

*****************************

Running Trivy in terraform/environments/analytical-platform-compute
2024-09-12T10:41:24Z	INFO	[db] Need to update DB
2024-09-12T10:41:24Z	INFO	[db] Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-09-12T10:41:26Z	INFO	[vuln] Vulnerability scanning is enabled
2024-09-12T10:41:26Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-09-12T10:41:26Z	INFO	Need to update the built-in policies
2024-09-12T10:41:26Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-09-12T10:41:27Z	INFO	[secret] Secret scanning is enabled
2024-09-12T10:41:27Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-09-12T10:41:27Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.55/docs/scanner/secret#recommendation for faster secret detection
2024-09-12T10:41:28Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-09-12T10:41:28Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-09-12T10:41:28Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.transit_gateway_routes" value="cty.NilVal"
2024-09-12T10:41:37Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.aws_ec2_tag.cluster_primary_security_group" value="cty.NilVal"
2024-09-12T10:41:38Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.module.kms.dynamic.statement" value="cty.NilVal"
2024-09-12T10:41:38Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.module.kms.dynamic.statement" value="cty.NilVal"
2024-09-12T10:41:38Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.module.kms.dynamic.statement" value="cty.NilVal"
2024-09-12T10:41:38Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.module.kms.dynamic.statement" value="cty.NilVal"
2024-09-12T10:41:38Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.module.kms.dynamic.statement" value="cty.NilVal"
2024-09-12T10:41:38Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.module.kms.dynamic.statement" value="cty.NilVal"
2024-09-12T10:41:38Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.module.eks_managed_node_group[\"airflow-high-memory\"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2024-09-12T10:41:38Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.module.eks_managed_node_group[\"airflow-high-memory\"].dynamic.block_device_mappings" value="cty.NilVal"
2024-09-12T10:41:38Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.module.eks_managed_node_group[\"airflow-high-memory\"].dynamic.block_device_mappings" value="cty.NilVal"
2024-09-12T10:41:38Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.module.eks_managed_node_group[\"general\"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2024-09-12T10:41:38Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.module.eks_managed_node_group[\"general\"].dynamic.block_device_mappings" value="cty.NilVal"
2024-09-12T10:41:38Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.module.eks_managed_node_group[\"general\"].dynamic.block_device_mappings" value="cty.NilVal"
2024-09-12T10:41:38Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks_cluster_logs_kms.dynamic.condition" value="cty.NilVal"
2024-09-12T10:41:38Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks_cluster_logs_kms.dynamic.condition" value="cty.NilVal"
2024-09-12T10:41:38Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.module.kms.dynamic.statement" value="cty.NilVal"
2024-09-12T10:41:38Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.module.kms.dynamic.statement" value="cty.NilVal"
2024-09-12T10:41:38Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.module.eks_managed_node_group[\"airflow-high-memory\"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2024-09-12T10:41:38Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.module.eks_managed_node_group[\"airflow-high-memory\"].dynamic.block_device_mappings" value="cty.NilVal"
2024-09-12T10:41:38Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.module.eks_managed_node_group[\"airflow-high-memory\"].dynamic.block_device_mappings" value="cty.NilVal"
2024-09-12T10:41:38Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.module.eks_managed_node_group[\"general\"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2024-09-12T10:41:38Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.module.eks_managed_node_group[\"general\"].dynamic.block_device_mappings" value="cty.NilVal"
2024-09-12T10:41:38Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.module.eks_managed_node_group[\"general\"].dynamic.block_device_mappings" value="cty.NilVal"
2024-09-12T10:41:38Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.module.kms.dynamic.statement" value="cty.NilVal"
2024-09-12T10:41:38Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.module.kms.dynamic.statement" value="cty.NilVal"
2024-09-12T10:41:38Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.module.eks_managed_node_group[\"airflow-high-memory\"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2024-09-12T10:41:38Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.module.eks_managed_node_group[\"airflow-high-memory\"].dynamic.block_device_mappings" value="cty.NilVal"
2024-09-12T10:41:38Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.module.eks_managed_node_group[\"airflow-high-memory\"].dynamic.block_device_mappings" value="cty.NilVal"
2024-09-12T10:41:38Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.module.eks_managed_node_group[\"general\"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2024-09-12T10:41:38Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.module.eks_managed_node_group[\"general\"].dynamic.block_device_mappings" value="cty.NilVal"
2024-09-12T10:41:38Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.module.eks_managed_node_group[\"general\"].dynamic.block_device_mappings" value="cty.NilVal"
2024-09-12T10:41:39Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks_ebs_kms.dynamic.condition" value="cty.NilVal"
2024-09-12T10:41:39Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks_ebs_kms.dynamic.condition" value="cty.NilVal"
2024-09-12T10:41:39Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.module.kms.dynamic.statement" value="cty.NilVal"
2024-09-12T10:41:39Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.module.kms.dynamic.statement" value="cty.NilVal"
2024-09-12T10:41:39Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.module.eks_managed_node_group[\"airflow-high-memory\"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2024-09-12T10:41:39Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.module.eks_managed_node_group[\"airflow-high-memory\"].dynamic.block_device_mappings" value="cty.NilVal"
2024-09-12T10:41:39Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.module.eks_managed_node_group[\"airflow-high-memory\"].dynamic.block_device_mappings" value="cty.NilVal"
2024-09-12T10:41:39Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.module.eks_managed_node_group[\"general\"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2024-09-12T10:41:39Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-no-public-egress-sgr" range="git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=c60b70fbc80606eb4ed8cf47063ac6ed0d8dd435/node_groups.tf:247"
2024-09-12T10:41:39Z	INFO	[terraform executor] Ignore finding	rule="aws-eks-no-public-cluster-access" range="git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=c60b70fbc80606eb4ed8cf47063ac6ed0d8dd435/main.tf:51"
2024-09-12T10:41:39Z	INFO	[terraform executor] Ignore finding	rule="aws-eks-no-public-cluster-access-to-cidr" range="git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=c60b70fbc80606eb4ed8cf47063ac6ed0d8dd435/main.tf:52"
2024-09-12T10:41:39Z	INFO	Number of language-specific files	num=0
2024-09-12T10:41:39Z	INFO	Detected config files	num=20
trivy_exitcode=0

*****************************

Running Trivy in terraform/environments/laa-oem
2024-09-12T10:41:40Z	INFO	[vuln] Vulnerability scanning is enabled
2024-09-12T10:41:40Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-09-12T10:41:40Z	INFO	[secret] Secret scanning is enabled
2024-09-12T10:41:40Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-09-12T10:41:40Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.55/docs/scanner/secret#recommendation for faster secret detection
2024-09-12T10:41:40Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-09-12T10:41:40Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-09-12T10:41:40Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_route53_record.laa_cert_validation" value="cty.NilVal"
2024-09-12T10:41:41Z	INFO	Number of language-specific files	num=0
2024-09-12T10:41:41Z	INFO	Detected config files	num=13

oem_ec2_app.tf (terraform)
==========================
Tests: 6 (SUCCESSES: 5, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token
════════════════════════════════════════

IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional. 
To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 oem_ec2_app.tf:10-57
────────────────────────────────────────
  10 ┌ resource "aws_instance" "oem_app" {
  11 │   ami                         = local.application_data.accounts[local.environment].ec2_oem_ami_id_app
  12 │   associate_public_ip_address = false
  13 │   availability_zone           = local.application_data.accounts[local.environment].ec2_zone
  14 │   ebs_optimized               = true
  15 │   iam_instance_profile        = aws_iam_instance_profile.iam_instace_profile_oem_base.name
  16 │   instance_type               = local.application_data.accounts[local.environment].ec2_oem_instance_type_app
  17 │   key_name                    = local.application_data.accounts[local.environment].ec2_oem_key_name_app
  18 └   monitoring                  = true
  ..   
────────────────────────────────────────



oem_ec2_app_efs.tf (terraform)
==============================
Tests: 3 (SUCCESSES: 2, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 oem_ec2_app_efs.tf:41-43
   via oem_ec2_app_efs.tf:37-44 (egress)
    via oem_ec2_app_efs.tf:21-49 (aws_security_group.oem_app_efs_sg)
────────────────────────────────────────
  21   resource "aws_security_group" "oem_app_efs_sg" {
  ..   
  41 ┌     cidr_blocks = [
  42 │       "0.0.0.0/0",
  43 └     ]
  ..   
  49   }
────────────────────────────────────────



oem_ec2_app_lb.tf (terraform)
=============================
Tests: 21 (SUCCESSES: 15, FAILURES: 6, EXCEPTIONS: 0)
Failures: 6 (HIGH: 2, CRITICAL: 4)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise. 

By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 oem_ec2_app_lb.tf:1-9
────────────────────────────────────────
   1 ┌ resource "aws_lb" "oem_app" {
   2 │   name               = "lb-${local.application_name}-app"
   3 │   load_balancer_type = "application"
   4 │   internal           = false
   5 │   security_groups    = [aws_security_group.load_balancer_security_group.id]
   6 │   subnets            = data.aws_subnets.shared-public.ids
   7 │ 
   8 │   tags = local.tags
   9 └ }
────────────────────────────────────────


HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 oem_ec2_app_lb.tf:4
   via oem_ec2_app_lb.tf:1-9 (aws_lb.oem_app)
────────────────────────────────────────
   1   resource "aws_lb" "oem_app" {
   2     name               = "lb-${local.application_name}-app"
   3     load_balancer_type = "application"
   4 [   internal           = false
   5     security_groups    = [aws_security_group.load_balancer_security_group.id]
   6     subnets            = data.aws_subnets.shared-public.ids
   7   
   8     tags = local.tags
   9   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 oem_ec2_app_lb.tf:300-302
   via oem_ec2_app_lb.tf:296-303 (egress)
    via oem_ec2_app_lb.tf:231-304 (aws_security_group.load_balancer_security_group)
────────────────────────────────────────
 231   resource "aws_security_group" "load_balancer_security_group" {
 ...   
 300 ┌     cidr_blocks = [
 301 │       "0.0.0.0/0",
 302 └     ]
 ...   
 304   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 oem_ec2_app_lb.tf:258
   via oem_ec2_app_lb.tf:254-259 (ingress)
    via oem_ec2_app_lb.tf:231-304 (aws_security_group.load_balancer_security_group)
────────────────────────────────────────
 231   resource "aws_security_group" "load_balancer_security_group" {
 ...   
 258 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 304   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 oem_ec2_app_lb.tf:272
   via oem_ec2_app_lb.tf:268-273 (ingress)
    via oem_ec2_app_lb.tf:231-304 (aws_security_group.load_balancer_security_group)
────────────────────────────────────────
 231   resource "aws_security_group" "load_balancer_security_group" {
 ...   
 272 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 304   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 oem_ec2_app_lb.tf:293
   via oem_ec2_app_lb.tf:289-294 (ingress)
    via oem_ec2_app_lb.tf:231-304 (aws_security_group.load_balancer_security_group)
────────────────────────────────────────
 231   resource "aws_security_group" "load_balancer_security_group" {
 ...   
 293 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 304   }
────────────────────────────────────────



oem_ec2_app_lb_internal.tf (terraform)
======================================
Tests: 21 (SUCCESSES: 16, FAILURES: 5, EXCEPTIONS: 0)
Failures: 5 (HIGH: 1, CRITICAL: 4)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise. 

By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 oem_ec2_app_lb_internal.tf:1-9
────────────────────────────────────────
   1 ┌ resource "aws_lb" "oem_app_internal" {
   2 │   name               = "lb-${local.application_name}-app-internal"
   3 │   load_balancer_type = "application"
   4 │   internal           = true
   5 │   security_groups    = [aws_security_group.load_balancer_internal.id]
   6 │   subnets            = data.aws_subnets.shared-private.ids
   7 │ 
   8 │   tags = local.tags
   9 └ }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 oem_ec2_app_lb_internal.tf:300-302
   via oem_ec2_app_lb_internal.tf:296-303 (egress)
    via oem_ec2_app_lb_internal.tf:231-304 (aws_security_group.load_balancer_internal)
────────────────────────────────────────
 231   resource "aws_security_group" "load_balancer_internal" {
 ...   
 300 ┌     cidr_blocks = [
 301 │       "0.0.0.0/0",
 302 └     ]
 ...   
 304   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 oem_ec2_app_lb_internal.tf:258
   via oem_ec2_app_lb_internal.tf:254-259 (ingress)
    via oem_ec2_app_lb_internal.tf:231-304 (aws_security_group.load_balancer_internal)
────────────────────────────────────────
 231   resource "aws_security_group" "load_balancer_internal" {
 ...   
 258 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 304   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 oem_ec2_app_lb_internal.tf:272
   via oem_ec2_app_lb_internal.tf:268-273 (ingress)
    via oem_ec2_app_lb_internal.tf:231-304 (aws_security_group.load_balancer_internal)
────────────────────────────────────────
 231   resource "aws_security_group" "load_balancer_internal" {
 ...   
 272 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 304   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 oem_ec2_app_lb_internal.tf:293
   via oem_ec2_app_lb_internal.tf:289-294 (ingress)
    via oem_ec2_app_lb_internal.tf:231-304 (aws_security_group.load_balancer_internal)
────────────────────────────────────────
 231   resource "aws_security_group" "load_balancer_internal" {
 ...   
 293 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 304   }
────────────────────────────────────────



oem_ec2_app_sg.tf (terraform)
=============================
Tests: 19 (SUCCESSES: 18, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 oem_ec2_app_sg.tf:14-16
   via oem_ec2_app_sg.tf:10-17 (egress)
    via oem_ec2_app_sg.tf:1-96 (aws_security_group.oem_app_security_group_1)
────────────────────────────────────────
   1   resource "aws_security_group" "oem_app_security_group_1" {
   .   
  14 ┌     cidr_blocks = [
  15 │       "0.0.0.0/0"
  16 └     ]
  ..   
  96   }
────────────────────────────────────────



oem_ec2_db.tf (terraform)
=========================
Tests: 9 (SUCCESSES: 8, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token
════════════════════════════════════════

IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional. 
To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 oem_ec2_db.tf:10-57
────────────────────────────────────────
  10 ┌ resource "aws_instance" "oem_db" {
  11 │   ami                         = local.application_data.accounts[local.environment].ec2_oem_ami_id_db
  12 │   associate_public_ip_address = false
  13 │   availability_zone           = local.application_data.accounts[local.environment].ec2_zone
  14 │   ebs_optimized               = true
  15 │   iam_instance_profile        = aws_iam_instance_profile.iam_instace_profile_oem_base.name
  16 │   instance_type               = local.application_data.accounts[local.environment].ec2_oem_instance_type_db
  17 │   key_name                    = local.application_data.accounts[local.environment].ec2_oem_key_name_db
  18 └   monitoring                  = true
  ..   
────────────────────────────────────────



oem_ec2_db_efs.tf (terraform)
=============================
Tests: 3 (SUCCESSES: 2, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 oem_ec2_db_efs.tf:41-43
   via oem_ec2_db_efs.tf:37-44 (egress)
    via oem_ec2_db_efs.tf:21-49 (aws_security_group.oem_db_efs_sg)
────────────────────────────────────────
  21   resource "aws_security_group" "oem_db_efs_sg" {
  ..   
  41 ┌     cidr_blocks = [
  42 │       "0.0.0.0/0",
  43 └     ]
  ..   
  49   }
────────────────────────────────────────



oem_ec2_db_sg.tf (terraform)
============================
Tests: 11 (SUCCESSES: 10, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 oem_ec2_db_sg.tf:14-16
   via oem_ec2_db_sg.tf:10-17 (egress)
    via oem_ec2_db_sg.tf:1-88 (aws_security_group.oem_db_security_group)
────────────────────────────────────────
   1   resource "aws_security_group" "oem_db_security_group" {
   .   
  14 ┌     cidr_blocks = [
  15 │       "0.0.0.0/0"
  16 └     ]
  ..   
  88   }
────────────────────────────────────────



oem_ec2_wl.tf (terraform)
=========================
Tests: 6 (SUCCESSES: 5, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token
════════════════════════════════════════

IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional. 
To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 oem_ec2_wl.tf:11-58
────────────────────────────────────────
  11 ┌ resource "aws_instance" "oem_wl" {
  12 │   count                       = length(local.application_data.accounts[local.environment].ec2_oem_ami_id_wl) > 0 ? 1 : 0
  13 │   ami                         = local.application_data.accounts[local.environment].ec2_oem_ami_id_wl
  14 │   associate_public_ip_address = false
  15 │   availability_zone           = local.application_data.accounts[local.environment].ec2_zone
  16 │   ebs_optimized               = true
  17 │   iam_instance_profile        = aws_iam_instance_profile.iam_instace_profile_oem_base.name
  18 │   instance_type               = local.application_data.accounts[local.environment].ec2_oem_instance_type_wl
  19 └   key_name                    = local.application_data.accounts[local.environment].ec2_oem_key_name_wl
  ..   
────────────────────────────────────────



oem_ec2_wl_sg.tf (terraform)
============================
Tests: 8 (SUCCESSES: 7, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 oem_ec2_wl_sg.tf:21-23
   via oem_ec2_wl_sg.tf:17-24 (egress)
    via oem_ec2_wl_sg.tf:7-79 (aws_security_group.oem_wl_security_group_1[0])
────────────────────────────────────────
   7   resource "aws_security_group" "oem_wl_security_group_1" {
   .   
  21 ┌     cidr_blocks = [
  22 │       "0.0.0.0/0"
  23 └     ]
  ..   
  79   }
────────────────────────────────────────



oem_s3.tf (terraform)
=====================
Tests: 7 (SUCCESSES: 1, FAILURES: 6, EXCEPTIONS: 0)
Failures: 6 (HIGH: 6, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs will fail if the object has any public ACL.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 oem_s3.tf:1-3
────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "laa_oem_shared" {
   2 │   bucket = "${local.application_name}-${local.environment}-shared"
   3 └ }
────────────────────────────────────────


HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 oem_s3.tf:1-3
────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "laa_oem_shared" {
   2 │   bucket = "${local.application_name}-${local.environment}-shared"
   3 └ }
────────────────────────────────────────


HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 oem_s3.tf:1-3
────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "laa_oem_shared" {
   2 │   bucket = "${local.application_name}-${local.environment}-shared"
   3 └ }
────────────────────────────────────────


HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 oem_s3.tf:1-3
────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "laa_oem_shared" {
   2 │   bucket = "${local.application_name}-${local.environment}-shared"
   3 └ }
────────────────────────────────────────


HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 oem_s3.tf:1-3
────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "laa_oem_shared" {
   2 │   bucket = "${local.application_name}-${local.environment}-shared"
   3 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation, use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 oem_s3.tf:1-3
────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "laa_oem_shared" {
   2 │   bucket = "${local.application_name}-${local.environment}-shared"
   3 └ }
────────────────────────────────────────


trivy_exitcode=1

#### `Trivy Scan` Failed
<details><summary>Show Output</summary>

Trivy will check the following folders:
terraform/environments/laa-oem


Running Trivy in terraform/environments/laa-oem
2024-09-12T11:33:07Z INFO [db] Need to update DB
2024-09-12T11:33:07Z INFO [db] Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-09-12T11:33:09Z INFO [vuln] Vulnerability scanning is enabled
2024-09-12T11:33:09Z INFO [misconfig] Misconfiguration scanning is enabled
2024-09-12T11:33:09Z INFO Need to update the built-in policies
2024-09-12T11:33:09Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-09-12T11:33:10Z INFO [secret] Secret scanning is enabled
2024-09-12T11:33:10Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-09-12T11:33:10Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.55/docs/scanner/secret#recommendation for faster secret detection
2024-09-12T11:33:10Z INFO [terraform scanner] Scanning root module file_path="."
2024-09-12T11:33:10Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-09-12T11:33:10Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_route53_record.laa_cert_validation" value="cty.NilVal"
2024-09-12T11:33:11Z INFO Number of language-specific files num=0
2024-09-12T11:33:11Z INFO Detected config files num=13

oem_ec2_app.tf (terraform)

Tests: 6 (SUCCESSES: 5, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token
════════════════════════════════════════

IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default the aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
oem_ec2_app.tf:10-57
────────────────────────────────────────
10 ┌ resource "aws_instance" "oem_app" {
11 │ ami = local.application_data.accounts[local.environment].ec2_oem_ami_id_app
12 │ associate_public_ip_address = false
13 │ availability_zone = local.application_data.accounts[local.environment].ec2_zone
14 │ ebs_optimized = true
15 │ iam_instance_profile = aws_iam_instance_profile.iam_instace_profile_oem_base.name
16 │ instance_type = local.application_data.accounts[local.environment].ec2_oem_instance_type_app
17 │ key_name = local.application_data.accounts[local.environment].ec2_oem_key_name_app
18 └ monitoring = true
..
────────────────────────────────────────

oem_ec2_app_efs.tf (terraform)

Tests: 3 (SUCCESSES: 2, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
oem_ec2_app_efs.tf:41-43
via oem_ec2_app_efs.tf:37-44 (egress)
via oem_ec2_app_efs.tf:21-49 (aws_security_group.oem_app_efs_sg)
────────────────────────────────────────
21 resource "aws_security_group" "oem_app_efs_sg" {
..
41 ┌ cidr_blocks = [
42 │ "0.0.0.0/0",
43 └ ]
..
49 }
────────────────────────────────────────

oem_ec2_app_lb.tf (terraform)

Tests: 21 (SUCCESSES: 15, FAILURES: 6, EXCEPTIONS: 0)
Failures: 6 (HIGH: 2, CRITICAL: 4)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.

By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
oem_ec2_app_lb.tf:1-9
────────────────────────────────────────
1 ┌ resource "aws_lb" "oem_app" {
2 │ name = "lb-${local.application_name}-app"
3 │ load_balancer_type = "application"
4 │ internal = false
5 │ security_groups = [aws_security_group.load_balancer_security_group.id]
6 │ subnets = data.aws_subnets.shared-public.ids
7 │
8 │ tags = local.tags
9 └ }
────────────────────────────────────────

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource is meant to be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
oem_ec2_app_lb.tf:4
via oem_ec2_app_lb.tf:1-9 (aws_lb.oem_app)
────────────────────────────────────────
1 resource "aws_lb" "oem_app" {
2 name = "lb-${local.application_name}-app"
3 load_balancer_type = "application"
4 [ internal = false
5 security_groups = [aws_security_group.load_balancer_security_group.id]
6 subnets = data.aws_subnets.shared-public.ids
7
8 tags = local.tags
9 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
oem_ec2_app_lb.tf:300-302
via oem_ec2_app_lb.tf:296-303 (egress)
via oem_ec2_app_lb.tf:231-304 (aws_security_group.load_balancer_security_group)
────────────────────────────────────────
231 resource "aws_security_group" "load_balancer_security_group" {
...
300 ┌ cidr_blocks = [
301 │ "0.0.0.0/0",
302 └ ]
...
304 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
oem_ec2_app_lb.tf:258
via oem_ec2_app_lb.tf:254-259 (ingress)
via oem_ec2_app_lb.tf:231-304 (aws_security_group.load_balancer_security_group)
────────────────────────────────────────
231 resource "aws_security_group" "load_balancer_security_group" {
...
258 [ cidr_blocks = ["0.0.0.0/0"]
...
304 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
oem_ec2_app_lb.tf:272
via oem_ec2_app_lb.tf:268-273 (ingress)
via oem_ec2_app_lb.tf:231-304 (aws_security_group.load_balancer_security_group)
────────────────────────────────────────
231 resource "aws_security_group" "load_balancer_security_group" {
...
272 [ cidr_blocks = ["0.0.0.0/0"]
...
304 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
oem_ec2_app_lb.tf:293
via oem_ec2_app_lb.tf:289-294 (ingress)
via oem_ec2_app_lb.tf:231-304 (aws_security_group.load_balancer_security_group)
────────────────────────────────────────
231 resource "aws_security_group" "load_balancer_security_group" {
...
293 [ cidr_blocks = ["0.0.0.0/0"]
...
304 }
────────────────────────────────────────

oem_ec2_app_lb_internal.tf (terraform)

Tests: 21 (SUCCESSES: 16, FAILURES: 5, EXCEPTIONS: 0)
Failures: 5 (HIGH: 1, CRITICAL: 4)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.

By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
oem_ec2_app_lb_internal.tf:1-9
────────────────────────────────────────
1 ┌ resource "aws_lb" "oem_app_internal" {
2 │ name = "lb-${local.application_name}-app-internal"
3 │ load_balancer_type = "application"
4 │ internal = true
5 │ security_groups = [aws_security_group.load_balancer_internal.id]
6 │ subnets = data.aws_subnets.shared-private.ids
7 │
8 │ tags = local.tags
9 └ }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
oem_ec2_app_lb_internal.tf:300-302
via oem_ec2_app_lb_internal.tf:296-303 (egress)
via oem_ec2_app_lb_internal.tf:231-304 (aws_security_group.load_balancer_internal)
────────────────────────────────────────
231 resource "aws_security_group" "load_balancer_internal" {
...
300 ┌ cidr_blocks = [
301 │ "0.0.0.0/0",
302 └ ]
...
304 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
oem_ec2_app_lb_internal.tf:258
via oem_ec2_app_lb_internal.tf:254-259 (ingress)
via oem_ec2_app_lb_internal.tf:231-304 (aws_security_group.load_balancer_internal)
────────────────────────────────────────
231 resource "aws_security_group" "load_balancer_internal" {
...
258 [ cidr_blocks = ["0.0.0.0/0"]
...
304 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
oem_ec2_app_lb_internal.tf:272
via oem_ec2_app_lb_internal.tf:268-273 (ingress)
via oem_ec2_app_lb_internal.tf:231-304 (aws_security_group.load_balancer_internal)
────────────────────────────────────────
231 resource "aws_security_group" "load_balancer_internal" {
...
272 [ cidr_blocks = ["0.0.0.0/0"]
...
304 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
oem_ec2_app_lb_internal.tf:293
via oem_ec2_app_lb_internal.tf:289-294 (ingress)
via oem_ec2_app_lb_internal.tf:231-304 (aws_security_group.load_balancer_internal)
────────────────────────────────────────
231 resource "aws_security_group" "load_balancer_internal" {
...
293 [ cidr_blocks = ["0.0.0.0/0"]
...
304 }
────────────────────────────────────────

oem_ec2_app_sg.tf (terraform)

Tests: 19 (SUCCESSES: 18, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
oem_ec2_app_sg.tf:14-16
via oem_ec2_app_sg.tf:10-17 (egress)
via oem_ec2_app_sg.tf:1-96 (aws_security_group.oem_app_security_group_1)
────────────────────────────────────────
1 resource "aws_security_group" "oem_app_security_group_1" {
.
14 ┌ cidr_blocks = [
15 │ "0.0.0.0/0"
16 └ ]
..
96 }
────────────────────────────────────────

oem_ec2_db.tf (terraform)

Tests: 9 (SUCCESSES: 8, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token
════════════════════════════════════════

IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default the aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
oem_ec2_db.tf:10-57
────────────────────────────────────────
10 ┌ resource "aws_instance" "oem_db" {
11 │ ami = local.application_data.accounts[local.environment].ec2_oem_ami_id_db
12 │ associate_public_ip_address = false
13 │ availability_zone = local.application_data.accounts[local.environment].ec2_zone
14 │ ebs_optimized = true
15 │ iam_instance_profile = aws_iam_instance_profile.iam_instace_profile_oem_base.name
16 │ instance_type = local.application_data.accounts[local.environment].ec2_oem_instance_type_db
17 │ key_name = local.application_data.accounts[local.environment].ec2_oem_key_name_db
18 └ monitoring = true
..
────────────────────────────────────────

oem_ec2_db_efs.tf (terraform)

Tests: 3 (SUCCESSES: 2, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
oem_ec2_db_efs.tf:41-43
via oem_ec2_db_efs.tf:37-44 (egress)
via oem_ec2_db_efs.tf:21-49 (aws_security_group.oem_db_efs_sg)
────────────────────────────────────────
21 resource "aws_security_group" "oem_db_efs_sg" {
..
41 ┌ cidr_blocks = [
42 │ "0.0.0.0/0",
43 └ ]
..
49 }
────────────────────────────────────────

oem_ec2_db_sg.tf (terraform)

Tests: 11 (SUCCESSES: 10, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
oem_ec2_db_sg.tf:14-16
via oem_ec2_db_sg.tf:10-17 (egress)
via oem_ec2_db_sg.tf:1-88 (aws_security_group.oem_db_security_group)
────────────────────────────────────────
1 resource "aws_security_group" "oem_db_security_group" {
.
14 ┌ cidr_blocks = [
15 │ "0.0.0.0/0"
16 └ ]
..
88 }
────────────────────────────────────────

oem_ec2_wl.tf (terraform)

Tests: 6 (SUCCESSES: 5, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token
════════════════════════════════════════

IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default the aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
oem_ec2_wl.tf:11-58
────────────────────────────────────────
11 ┌ resource "aws_instance" "oem_wl" {
12 │ count = length(local.application_data.accounts[local.environment].ec2_oem_ami_id_wl) > 0 ? 1 : 0
13 │ ami = local.application_data.accounts[local.environment].ec2_oem_ami_id_wl
14 │ associate_public_ip_address = false
15 │ availability_zone = local.application_data.accounts[local.environment].ec2_zone
16 │ ebs_optimized = true
17 │ iam_instance_profile = aws_iam_instance_profile.iam_instace_profile_oem_base.name
18 │ instance_type = local.application_data.accounts[local.environment].ec2_oem_instance_type_wl
19 └ key_name = local.application_data.accounts[local.environment].ec2_oem_key_name_wl
..
────────────────────────────────────────

oem_ec2_wl_sg.tf (terraform)

Tests: 8 (SUCCESSES: 7, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
oem_ec2_wl_sg.tf:21-23
via oem_ec2_wl_sg.tf:17-24 (egress)
via oem_ec2_wl_sg.tf:7-79 (aws_security_group.oem_wl_security_group_1[0])
────────────────────────────────────────
7 resource "aws_security_group" "oem_wl_security_group_1" {
.
21 ┌ cidr_blocks = [
22 │ "0.0.0.0/0"
23 └ ]
..
79 }
────────────────────────────────────────

oem_s3.tf (terraform)

Tests: 7 (SUCCESSES: 1, FAILURES: 6, EXCEPTIONS: 0)
Failures: 6 (HIGH: 6, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs will fail if the object has any public ACL.

See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
oem_s3.tf:1-3
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "laa_oem_shared" {
2 │ bucket = "${local.application_name}-${local.environment}-shared"
3 └ }
────────────────────────────────────────

HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enables public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
oem_s3.tf:1-3
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "laa_oem_shared" {
2 │ bucket = "${local.application_name}-${local.environment}-shared"
3 └ }
────────────────────────────────────────

HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
oem_s3.tf:1-3
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "laa_oem_shared" {
2 │ bucket = "${local.application_name}-${local.environment}-shared"
3 └ }
────────────────────────────────────────

HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
oem_s3.tf:1-3
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "laa_oem_shared" {
2 │ bucket = "${local.application_name}-${local.environment}-shared"
3 └ }
────────────────────────────────────────

HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
oem_s3.tf:1-3
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "laa_oem_shared" {
2 │ bucket = "${local.application_name}-${local.environment}-shared"
3 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation, use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
oem_s3.tf:1-3
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "laa_oem_shared" {
2 │ bucket = "${local.application_name}-${local.environment}-shared"
3 └ }
────────────────────────────────────────

trivy_exitcode=1

</details>

#### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/laa-oem

*****************************

Running Checkov in terraform/environments/laa-oem
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
terraform scan results:

Passed checks: 182, Failed checks: 26, Skipped checks: 0

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.oem_app
	File: /oem_ec2_app.tf:10-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		10 | resource "aws_instance" "oem_app" {
		11 |   ami                         = local.application_data.accounts[local.environment].ec2_oem_ami_id_app
		12 |   associate_public_ip_address = false
		13 |   availability_zone           = local.application_data.accounts[local.environment].ec2_zone
		14 |   ebs_optimized               = true
		15 |   iam_instance_profile        = aws_iam_instance_profile.iam_instace_profile_oem_base.name
		16 |   instance_type               = local.application_data.accounts[local.environment].ec2_oem_instance_type_app
		17 |   key_name                    = local.application_data.accounts[local.environment].ec2_oem_key_name_app
		18 |   monitoring                  = true
		19 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		20 |   user_data_replace_on_change = true
		21 |   user_data = base64encode(templatefile("./templates/oem-user-data-app.sh", {
		22 |     efs_fqdn = aws_efs_file_system.oem_app_efs.dns_name
		23 |     env_fqdn = "${var.networking[0].business-unit}-${local.environment}.modernisation-platform.service.justice.gov.uk"
		24 |     hostname = "laa-oem-app"
		25 |   }))
		26 |   vpc_security_group_ids = [aws_security_group.oem_app_security_group_1.id, aws_security_group.oem_app_security_group_2.id]
		27 | 
		28 |   root_block_device {
		29 |     delete_on_termination = true
		30 |     encrypted             = true
		31 |     iops                  = 3100
		32 |     kms_key_id            = data.aws_kms_key.ebs_shared.arn
		33 |     volume_size           = 12
		34 |     volume_type           = "gp3"
		35 |   }
		36 | 
		37 |   volume_tags = merge(tomap({
		38 |     "Name"                 = "${local.application_name}-app-root",
		39 |     "volume-attach-host"   = "app",
		40 |     "volume-attach-device" = "/dev/sda1",
		41 |     "volume-mount-path"    = "/",
		42 |     "volume-backup"        = true
		43 |   }), local.tags)
		44 | 
		45 |   tags = merge(tomap({
		46 |     "Name"     = lower(format("ec2-%s-%s-app", local.application_name, local.environment)),
		47 |     "hostname" = "${local.application_name}-app",
		48 |     "env-fqdn" = "${var.networking[0].business-unit}-${local.environment}.modernisation-platform.service.justice.gov.uk"
		49 |   }), local.tags)
		50 | 
		51 |   lifecycle {
		52 |     ignore_changes = [
		53 |       volume_tags,
		54 |       user_data
		55 |     ]
		56 |   }
		57 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.oem_app_efs_sg
	File: /oem_ec2_app_efs.tf:21-49
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		21 | resource "aws_security_group" "oem_app_efs_sg" {
		22 |   name_prefix = "${local.application_name}-app-efs-sg-"
		23 |   description = "Allow inbound access from instances"
		24 |   vpc_id      = data.aws_vpc.shared.id
		25 | 
		26 |   tags = merge(tomap(
		27 |     { "Name" = "${local.application_name}-app-efs-sg" }
		28 |   ), local.tags)
		29 | 
		30 |   ingress {
		31 |     protocol    = "tcp"
		32 |     from_port   = 2049
		33 |     to_port     = 2049
		34 |     cidr_blocks = [data.aws_vpc.shared.cidr_block]
		35 |   }
		36 | 
		37 |   egress {
		38 |     protocol  = "-1"
		39 |     from_port = 0
		40 |     to_port   = 0
		41 |     cidr_blocks = [
		42 |       "0.0.0.0/0",
		43 |     ]
		44 |   }
		45 | 
		46 |   lifecycle {
		47 |     create_before_destroy = true
		48 |   }
		49 | }
Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.oem_app
	File: /oem_ec2_app_lb.tf:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		1 | resource "aws_lb" "oem_app" {
		2 |   name               = "lb-${local.application_name}-app"
		3 |   load_balancer_type = "application"
		4 |   internal           = false
		5 |   security_groups    = [aws_security_group.load_balancer_security_group.id]
		6 |   subnets            = data.aws_subnets.shared-public.ids
		7 | 
		8 |   tags = local.tags
		9 | }

Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.oem_app
	File: /oem_ec2_app_lb.tf:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		1 | resource "aws_lb" "oem_app" {
		2 |   name               = "lb-${local.application_name}-app"
		3 |   load_balancer_type = "application"
		4 |   internal           = false
		5 |   security_groups    = [aws_security_group.load_balancer_security_group.id]
		6 |   subnets            = data.aws_subnets.shared-public.ids
		7 | 
		8 |   tags = local.tags
		9 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.oem_app
	File: /oem_ec2_app_lb.tf:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		1 | resource "aws_lb" "oem_app" {
		2 |   name               = "lb-${local.application_name}-app"
		3 |   load_balancer_type = "application"
		4 |   internal           = false
		5 |   security_groups    = [aws_security_group.load_balancer_security_group.id]
		6 |   subnets            = data.aws_subnets.shared-public.ids
		7 | 
		8 |   tags = local.tags
		9 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.load_balancer_security_group
	File: /oem_ec2_app_lb.tf:231-304
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.oem_app_internal
	File: /oem_ec2_app_lb_internal.tf:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		1 | resource "aws_lb" "oem_app_internal" {
		2 |   name               = "lb-${local.application_name}-app-internal"
		3 |   load_balancer_type = "application"
		4 |   internal           = true
		5 |   security_groups    = [aws_security_group.load_balancer_internal.id]
		6 |   subnets            = data.aws_subnets.shared-private.ids
		7 | 
		8 |   tags = local.tags
		9 | }

Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.oem_app_internal
	File: /oem_ec2_app_lb_internal.tf:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		1 | resource "aws_lb" "oem_app_internal" {
		2 |   name               = "lb-${local.application_name}-app-internal"
		3 |   load_balancer_type = "application"
		4 |   internal           = true
		5 |   security_groups    = [aws_security_group.load_balancer_internal.id]
		6 |   subnets            = data.aws_subnets.shared-private.ids
		7 | 
		8 |   tags = local.tags
		9 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.oem_app_internal
	File: /oem_ec2_app_lb_internal.tf:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		1 | resource "aws_lb" "oem_app_internal" {
		2 |   name               = "lb-${local.application_name}-app-internal"
		3 |   load_balancer_type = "application"
		4 |   internal           = true
		5 |   security_groups    = [aws_security_group.load_balancer_internal.id]
		6 |   subnets            = data.aws_subnets.shared-private.ids
		7 | 
		8 |   tags = local.tags
		9 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.load_balancer_internal
	File: /oem_ec2_app_lb_internal.tf:231-304
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.oem_app_security_group_1
	File: /oem_ec2_app_sg.tf:1-96
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.oem_app_security_group_2
	File: /oem_ec2_app_sg.tf:98-170
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.oem_db
	File: /oem_ec2_db.tf:10-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		10 | resource "aws_instance" "oem_db" {
		11 |   ami                         = local.application_data.accounts[local.environment].ec2_oem_ami_id_db
		12 |   associate_public_ip_address = false
		13 |   availability_zone           = local.application_data.accounts[local.environment].ec2_zone
		14 |   ebs_optimized               = true
		15 |   iam_instance_profile        = aws_iam_instance_profile.iam_instace_profile_oem_base.name
		16 |   instance_type               = local.application_data.accounts[local.environment].ec2_oem_instance_type_db
		17 |   key_name                    = local.application_data.accounts[local.environment].ec2_oem_key_name_db
		18 |   monitoring                  = true
		19 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		20 |   user_data_replace_on_change = true
		21 |   user_data = base64encode(templatefile("./templates/oem-user-data-db.sh", {
		22 |     efs_fqdn = aws_efs_file_system.oem_db_efs.dns_name
		23 |     env_fqdn = "${var.networking[0].business-unit}-${local.environment}.modernisation-platform.service.justice.gov.uk"
		24 |     hostname = "laa-oem-db"
		25 |   }))
		26 |   vpc_security_group_ids = [aws_security_group.oem_db_security_group.id]
		27 | 
		28 |   root_block_device {
		29 |     delete_on_termination = true
		30 |     encrypted             = true
		31 |     kms_key_id            = data.aws_kms_key.ebs_shared.arn
		32 |     iops                  = 3100
		33 |     volume_size           = 12
		34 |     volume_type           = "gp3"
		35 |   }
		36 | 
		37 |   volume_tags = merge(tomap({
		38 |     "Name"                 = "${local.application_name}-db-root",
		39 |     "volume-attach-host"   = "db",
		40 |     "volume-attach-device" = "/dev/sda1",
		41 |     "volume-mount-path"    = "/",
		42 |     "volume-backup"        = true
		43 |   }), local.tags)
		44 | 
		45 |   tags = merge(tomap({
		46 |     "Name"     = lower(format("ec2-%s-%s-db", local.application_name, local.environment)),
		47 |     "hostname" = "${local.application_name}-db",
		48 |     "env-fqdn" = "${var.networking[0].business-unit}-${local.environment}.modernisation-platform.service.justice.gov.uk"
		49 |   }), local.tags)
		50 | 
		51 |   lifecycle {
		52 |     ignore_changes = [
		53 |       volume_tags,
		54 |       user_data
		55 |     ]
		56 |   }
		57 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.oem_db_efs_sg
	File: /oem_ec2_db_efs.tf:21-49
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		21 | resource "aws_security_group" "oem_db_efs_sg" {
		22 |   name_prefix = "${local.application_name}-db-efs-sg-"
		23 |   description = "Allow inbound access from instances"
		24 |   vpc_id      = data.aws_vpc.shared.id
		25 | 
		26 |   tags = merge(tomap(
		27 |     { "Name" = "${local.application_name}-db-efs-sg" }
		28 |   ), local.tags)
		29 | 
		30 |   ingress {
		31 |     protocol    = "tcp"
		32 |     from_port   = 2049
		33 |     to_port     = 2049
		34 |     cidr_blocks = [data.aws_vpc.shared.cidr_block]
		35 |   }
		36 | 
		37 |   egress {
		38 |     protocol  = "-1"
		39 |     from_port = 0
		40 |     to_port   = 0
		41 |     cidr_blocks = [
		42 |       "0.0.0.0/0",
		43 |     ]
		44 |   }
		45 | 
		46 |   lifecycle {
		47 |     create_before_destroy = true
		48 |   }
		49 | }
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.oem_db_security_group
	File: /oem_ec2_db_sg.tf:1-88
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.oem_wl[0]
	File: /oem_ec2_wl.tf:11-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		11 | resource "aws_instance" "oem_wl" {
		12 |   count                       = length(local.application_data.accounts[local.environment].ec2_oem_ami_id_wl) > 0 ? 1 : 0
		13 |   ami                         = local.application_data.accounts[local.environment].ec2_oem_ami_id_wl
		14 |   associate_public_ip_address = false
		15 |   availability_zone           = local.application_data.accounts[local.environment].ec2_zone
		16 |   ebs_optimized               = true
		17 |   iam_instance_profile        = aws_iam_instance_profile.iam_instace_profile_oem_base.name
		18 |   instance_type               = local.application_data.accounts[local.environment].ec2_oem_instance_type_wl
		19 |   key_name                    = local.application_data.accounts[local.environment].ec2_oem_key_name_wl
		20 |   monitoring                  = true
		21 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		22 |   user_data_replace_on_change = true
		23 |   user_data = base64encode(templatefile("./templates/oem-user-data-wl.sh", {
		24 |     env_fqdn = "${var.networking[0].business-unit}-${local.environment}.modernisation-platform.service.justice.gov.uk"
		25 |     hostname = "laa-oem-wl"
		26 |   }))
		27 |   vpc_security_group_ids = [aws_security_group.oem_wl_security_group_1[count.index].id]
		28 | 
		29 |   root_block_device {
		30 |     delete_on_termination = true
		31 |     encrypted             = true
		32 |     iops                  = 3100
		33 |     kms_key_id            = data.aws_kms_key.ebs_shared.arn
		34 |     volume_size           = 12
		35 |     volume_type           = "gp3"
		36 |   }
		37 | 
		38 |   volume_tags = merge(tomap({
		39 |     "Name"                 = "${local.application_name}-wl-root",
		40 |     "volume-attach-host"   = "wl",
		41 |     "volume-attach-device" = "/dev/sda1",
		42 |     "volume-mount-path"    = "/",
		43 |     "volume-backup"        = true
		44 |   }), local.tags)
		45 | 
		46 |   tags = merge(tomap({
		47 |     "Name"     = lower(format("ec2-%s-%s-wl", local.application_name, local.environment)),
		48 |     "hostname" = "${local.application_name}-wl",
		49 |     "env-fqdn" = "${var.networking[0].business-unit}-${local.environment}.modernisation-platform.service.justice.gov.uk"
		50 |   }), local.tags)
		51 | 
		52 |   lifecycle {
		53 |     ignore_changes = [
		54 |       volume_tags,
		55 |       user_data
		56 |     ]
		57 |   }
		58 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.oem_wl_security_group_1[0]
	File: /oem_ec2_wl_sg.tf:7-79
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.laa_oem_shared
	File: /oem_s3.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		1 | resource "aws_s3_bucket" "laa_oem_shared" {
		2 |   bucket = "${local.application_name}-${local.environment}-shared"
		3 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.laa_oem_shared
	File: /oem_s3.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		1 | resource "aws_s3_bucket" "laa_oem_shared" {
		2 |   bucket = "${local.application_name}-${local.environment}-shared"
		3 | }
Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.oem_wl_security_group_1[0]
	File: /oem_ec2_wl_sg.tf:7-79
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.laa_oem_shared
	File: /oem_s3.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1 | resource "aws_s3_bucket" "laa_oem_shared" {
		2 |   bucket = "${local.application_name}-${local.environment}-shared"
		3 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.laa_oem_shared
	File: /oem_s3.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1 | resource "aws_s3_bucket" "laa_oem_shared" {
		2 |   bucket = "${local.application_name}-${local.environment}-shared"
		3 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.laa_oem_shared
	File: /oem_s3.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1 | resource "aws_s3_bucket" "laa_oem_shared" {
		2 |   bucket = "${local.application_name}-${local.environment}-shared"
		3 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.laa_oem_shared
	File: /oem_s3.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1 | resource "aws_s3_bucket" "laa_oem_shared" {
		2 |   bucket = "${local.application_name}-${local.environment}-shared"
		3 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.laa_oem_shared
	File: /oem_s3.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1 | resource "aws_s3_bucket" "laa_oem_shared" {
		2 |   bucket = "${local.application_name}-${local.environment}-shared"
		3 | }
Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF"
	FAILED for resource: aws_lb.oem_app
	File: /oem_ec2_app_lb.tf:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf

		1 | resource "aws_lb" "oem_app" {
		2 |   name               = "lb-${local.application_name}-app"
		3 |   load_balancer_type = "application"
		4 |   internal           = false
		5 |   security_groups    = [aws_security_group.load_balancer_security_group.id]
		6 |   subnets            = data.aws_subnets.shared-public.ids
		7 | 
		8 |   tags = local.tags
		9 | }


checkov_exitcode=1

TFLint Scan Success

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/laa-oem

*****************************

Running tflint in terraform/environments/laa-oem
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Failed

*****************************

Trivy will check the following folders:
terraform/environments/laa-oem

*****************************

Running Trivy in terraform/environments/laa-oem
2024-09-12T11:33:07Z	INFO	[db] Need to update DB
2024-09-12T11:33:07Z	INFO	[db] Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-09-12T11:33:09Z	INFO	[vuln] Vulnerability scanning is enabled
2024-09-12T11:33:09Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-09-12T11:33:09Z	INFO	Need to update the built-in policies
2024-09-12T11:33:09Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-09-12T11:33:10Z	INFO	[secret] Secret scanning is enabled
2024-09-12T11:33:10Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-09-12T11:33:10Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.55/docs/scanner/secret#recommendation for faster secret detection
2024-09-12T11:33:10Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-09-12T11:33:10Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-09-12T11:33:10Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_route53_record.laa_cert_validation" value="cty.NilVal"
2024-09-12T11:33:11Z	INFO	Number of language-specific files	num=0
2024-09-12T11:33:11Z	INFO	Detected config files	num=13

oem_ec2_app.tf (terraform)
==========================
Tests: 6 (SUCCESSES: 5, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token
════════════════════════════════════════

IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional. 
To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 oem_ec2_app.tf:10-57
────────────────────────────────────────
  10 ┌ resource "aws_instance" "oem_app" {
  11 │   ami                         = local.application_data.accounts[local.environment].ec2_oem_ami_id_app
  12 │   associate_public_ip_address = false
  13 │   availability_zone           = local.application_data.accounts[local.environment].ec2_zone
  14 │   ebs_optimized               = true
  15 │   iam_instance_profile        = aws_iam_instance_profile.iam_instace_profile_oem_base.name
  16 │   instance_type               = local.application_data.accounts[local.environment].ec2_oem_instance_type_app
  17 │   key_name                    = local.application_data.accounts[local.environment].ec2_oem_key_name_app
  18 └   monitoring                  = true
  ..   
────────────────────────────────────────



oem_ec2_app_efs.tf (terraform)
==============================
Tests: 3 (SUCCESSES: 2, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 oem_ec2_app_efs.tf:41-43
   via oem_ec2_app_efs.tf:37-44 (egress)
    via oem_ec2_app_efs.tf:21-49 (aws_security_group.oem_app_efs_sg)
────────────────────────────────────────
  21   resource "aws_security_group" "oem_app_efs_sg" {
  ..   
  41 ┌     cidr_blocks = [
  42 │       "0.0.0.0/0",
  43 └     ]
  ..   
  49   }
────────────────────────────────────────



oem_ec2_app_lb.tf (terraform)
=============================
Tests: 21 (SUCCESSES: 15, FAILURES: 6, EXCEPTIONS: 0)
Failures: 6 (HIGH: 2, CRITICAL: 4)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise. 

By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 oem_ec2_app_lb.tf:1-9
────────────────────────────────────────
   1 ┌ resource "aws_lb" "oem_app" {
   2 │   name               = "lb-${local.application_name}-app"
   3 │   load_balancer_type = "application"
   4 │   internal           = false
   5 │   security_groups    = [aws_security_group.load_balancer_security_group.id]
   6 │   subnets            = data.aws_subnets.shared-public.ids
   7 │ 
   8 │   tags = local.tags
   9 └ }
────────────────────────────────────────


HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 oem_ec2_app_lb.tf:4
   via oem_ec2_app_lb.tf:1-9 (aws_lb.oem_app)
────────────────────────────────────────
   1   resource "aws_lb" "oem_app" {
   2     name               = "lb-${local.application_name}-app"
   3     load_balancer_type = "application"
   4 [   internal           = false
   5     security_groups    = [aws_security_group.load_balancer_security_group.id]
   6     subnets            = data.aws_subnets.shared-public.ids
   7   
   8     tags = local.tags
   9   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 oem_ec2_app_lb.tf:300-302
   via oem_ec2_app_lb.tf:296-303 (egress)
    via oem_ec2_app_lb.tf:231-304 (aws_security_group.load_balancer_security_group)
────────────────────────────────────────
 231   resource "aws_security_group" "load_balancer_security_group" {
 ...   
 300 ┌     cidr_blocks = [
 301 │       "0.0.0.0/0",
 302 └     ]
 ...   
 304   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 oem_ec2_app_lb.tf:258
   via oem_ec2_app_lb.tf:254-259 (ingress)
    via oem_ec2_app_lb.tf:231-304 (aws_security_group.load_balancer_security_group)
────────────────────────────────────────
 231   resource "aws_security_group" "load_balancer_security_group" {
 ...   
 258 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 304   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 oem_ec2_app_lb.tf:272
   via oem_ec2_app_lb.tf:268-273 (ingress)
    via oem_ec2_app_lb.tf:231-304 (aws_security_group.load_balancer_security_group)
────────────────────────────────────────
 231   resource "aws_security_group" "load_balancer_security_group" {
 ...   
 272 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 304   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 oem_ec2_app_lb.tf:293
   via oem_ec2_app_lb.tf:289-294 (ingress)
    via oem_ec2_app_lb.tf:231-304 (aws_security_group.load_balancer_security_group)
────────────────────────────────────────
 231   resource "aws_security_group" "load_balancer_security_group" {
 ...   
 293 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 304   }
────────────────────────────────────────



oem_ec2_app_lb_internal.tf (terraform)
======================================
Tests: 21 (SUCCESSES: 16, FAILURES: 5, EXCEPTIONS: 0)
Failures: 5 (HIGH: 1, CRITICAL: 4)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise. 

By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 oem_ec2_app_lb_internal.tf:1-9
────────────────────────────────────────
   1 ┌ resource "aws_lb" "oem_app_internal" {
   2 │   name               = "lb-${local.application_name}-app-internal"
   3 │   load_balancer_type = "application"
   4 │   internal           = true
   5 │   security_groups    = [aws_security_group.load_balancer_internal.id]
   6 │   subnets            = data.aws_subnets.shared-private.ids
   7 │ 
   8 │   tags = local.tags
   9 └ }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 oem_ec2_app_lb_internal.tf:300-302
   via oem_ec2_app_lb_internal.tf:296-303 (egress)
    via oem_ec2_app_lb_internal.tf:231-304 (aws_security_group.load_balancer_internal)
────────────────────────────────────────
 231   resource "aws_security_group" "load_balancer_internal" {
 ...   
 300 ┌     cidr_blocks = [
 301 │       "0.0.0.0/0",
 302 └     ]
 ...   
 304   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 oem_ec2_app_lb_internal.tf:258
   via oem_ec2_app_lb_internal.tf:254-259 (ingress)
    via oem_ec2_app_lb_internal.tf:231-304 (aws_security_group.load_balancer_internal)
────────────────────────────────────────
 231   resource "aws_security_group" "load_balancer_internal" {
 ...   
 258 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 304   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 oem_ec2_app_lb_internal.tf:272
   via oem_ec2_app_lb_internal.tf:268-273 (ingress)
    via oem_ec2_app_lb_internal.tf:231-304 (aws_security_group.load_balancer_internal)
────────────────────────────────────────
 231   resource "aws_security_group" "load_balancer_internal" {
 ...   
 272 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 304   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 oem_ec2_app_lb_internal.tf:293
   via oem_ec2_app_lb_internal.tf:289-294 (ingress)
    via oem_ec2_app_lb_internal.tf:231-304 (aws_security_group.load_balancer_internal)
────────────────────────────────────────
 231   resource "aws_security_group" "load_balancer_internal" {
 ...   
 293 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 304   }
────────────────────────────────────────



oem_ec2_app_sg.tf (terraform)
=============================
Tests: 19 (SUCCESSES: 18, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 oem_ec2_app_sg.tf:14-16
   via oem_ec2_app_sg.tf:10-17 (egress)
    via oem_ec2_app_sg.tf:1-96 (aws_security_group.oem_app_security_group_1)
────────────────────────────────────────
   1   resource "aws_security_group" "oem_app_security_group_1" {
   .   
  14 ┌     cidr_blocks = [
  15 │       "0.0.0.0/0"
  16 └     ]
  ..   
  96   }
────────────────────────────────────────



oem_ec2_db.tf (terraform)
=========================
Tests: 9 (SUCCESSES: 8, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token
════════════════════════════════════════

IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional. 
To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 oem_ec2_db.tf:10-57
────────────────────────────────────────
  10 ┌ resource "aws_instance" "oem_db" {
  11 │   ami                         = local.application_data.accounts[local.environment].ec2_oem_ami_id_db
  12 │   associate_public_ip_address = false
  13 │   availability_zone           = local.application_data.accounts[local.environment].ec2_zone
  14 │   ebs_optimized               = true
  15 │   iam_instance_profile        = aws_iam_instance_profile.iam_instace_profile_oem_base.name
  16 │   instance_type               = local.application_data.accounts[local.environment].ec2_oem_instance_type_db
  17 │   key_name                    = local.application_data.accounts[local.environment].ec2_oem_key_name_db
  18 └   monitoring                  = true
  ..   
────────────────────────────────────────



oem_ec2_db_efs.tf (terraform)
=============================
Tests: 3 (SUCCESSES: 2, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 oem_ec2_db_efs.tf:41-43
   via oem_ec2_db_efs.tf:37-44 (egress)
    via oem_ec2_db_efs.tf:21-49 (aws_security_group.oem_db_efs_sg)
────────────────────────────────────────
  21   resource "aws_security_group" "oem_db_efs_sg" {
  ..   
  41 ┌     cidr_blocks = [
  42 │       "0.0.0.0/0",
  43 └     ]
  ..   
  49   }
────────────────────────────────────────



oem_ec2_db_sg.tf (terraform)
============================
Tests: 11 (SUCCESSES: 10, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 oem_ec2_db_sg.tf:14-16
   via oem_ec2_db_sg.tf:10-17 (egress)
    via oem_ec2_db_sg.tf:1-88 (aws_security_group.oem_db_security_group)
────────────────────────────────────────
   1   resource "aws_security_group" "oem_db_security_group" {
   .   
  14 ┌     cidr_blocks = [
  15 │       "0.0.0.0/0"
  16 └     ]
  ..   
  88   }
────────────────────────────────────────



oem_ec2_wl.tf (terraform)
=========================
Tests: 6 (SUCCESSES: 5, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token
════════════════════════════════════════

IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional. 
To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 oem_ec2_wl.tf:11-58
────────────────────────────────────────
  11 ┌ resource "aws_instance" "oem_wl" {
  12 │   count                       = length(local.application_data.accounts[local.environment].ec2_oem_ami_id_wl) > 0 ? 1 : 0
  13 │   ami                         = local.application_data.accounts[local.environment].ec2_oem_ami_id_wl
  14 │   associate_public_ip_address = false
  15 │   availability_zone           = local.application_data.accounts[local.environment].ec2_zone
  16 │   ebs_optimized               = true
  17 │   iam_instance_profile        = aws_iam_instance_profile.iam_instace_profile_oem_base.name
  18 │   instance_type               = local.application_data.accounts[local.environment].ec2_oem_instance_type_wl
  19 └   key_name                    = local.application_data.accounts[local.environment].ec2_oem_key_name_wl
  ..   
────────────────────────────────────────



oem_ec2_wl_sg.tf (terraform)
============================
Tests: 8 (SUCCESSES: 7, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 oem_ec2_wl_sg.tf:21-23
   via oem_ec2_wl_sg.tf:17-24 (egress)
    via oem_ec2_wl_sg.tf:7-79 (aws_security_group.oem_wl_security_group_1[0])
────────────────────────────────────────
   7   resource "aws_security_group" "oem_wl_security_group_1" {
   .   
  21 ┌     cidr_blocks = [
  22 │     "0.0.0.0/0"
  23 └     ]
  ..   
  79   }
────────────────────────────────────────



oem_s3.tf (terraform)
=====================
Tests: 7 (SUCCESSES: 1, FAILURES: 6, EXCEPTIONS: 0)
Failures: 6 (HIGH: 6, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 oem_s3.tf:1-3
────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "laa_oem_shared" {
   2 │   bucket = "${local.application_name}-${local.environment}-shared"
   3 └ }
────────────────────────────────────────


HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 oem_s3.tf:1-3
────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "laa_oem_shared" {
   2 │   bucket = "${local.application_name}-${local.environment}-shared"
   3 └ }
────────────────────────────────────────


HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 oem_s3.tf:1-3
────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "laa_oem_shared" {
   2 │   bucket = "${local.application_name}-${local.environment}-shared"
   3 └ }
────────────────────────────────────────


HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 oem_s3.tf:1-3
────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "laa_oem_shared" {
   2 │   bucket = "${local.application_name}-${local.environment}-shared"
   3 └ }
────────────────────────────────────────


HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 oem_s3.tf:1-3
────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "laa_oem_shared" {
   2 │   bucket = "${local.application_name}-${local.environment}-shared"
   3 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 oem_s3.tf:1-3
────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "laa_oem_shared" {
   2 │   bucket = "${local.application_name}-${local.environment}-shared"
   3 └ }
────────────────────────────────────────


trivy_exitcode=1


Trivy Scan Failed

<details><summary>Show Output</summary>

```hcl

Trivy will check the following folders:
terraform/environments/laa-oem


Running Trivy in terraform/environments/laa-oem
2024-09-12T12:10:30Z INFO [db] Need to update DB
2024-09-12T12:10:30Z INFO [db] Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-09-12T12:10:32Z INFO [vuln] Vulnerability scanning is enabled
2024-09-12T12:10:32Z INFO [misconfig] Misconfiguration scanning is enabled
2024-09-12T12:10:32Z INFO Need to update the built-in policies
2024-09-12T12:10:32Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-09-12T12:10:32Z INFO [secret] Secret scanning is enabled
2024-09-12T12:10:32Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-09-12T12:10:32Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.55/docs/scanner/secret#recommendation for faster secret detection
2024-09-12T12:10:33Z INFO [terraform scanner] Scanning root module file_path="."
2024-09-12T12:10:33Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-09-12T12:10:33Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_route53_record.laa_cert_validation" value="cty.NilVal"
2024-09-12T12:10:33Z INFO Number of language-specific files num=0
2024-09-12T12:10:33Z INFO Detected config files num=13

oem_ec2_app.tf (terraform)

Tests: 6 (SUCCESSES: 5, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token
════════════════════════════════════════

IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
oem_ec2_app.tf:10-57
────────────────────────────────────────
10 ┌ resource "aws_instance" "oem_app" {
11 │ ami = local.application_data.accounts[local.environment].ec2_oem_ami_id_app
12 │ associate_public_ip_address = false
13 │ availability_zone = local.application_data.accounts[local.environment].ec2_zone
14 │ ebs_optimized = true
15 │ iam_instance_profile = aws_iam_instance_profile.iam_instace_profile_oem_base.name
16 │ instance_type = local.application_data.accounts[local.environment].ec2_oem_instance_type_app
17 │ key_name = local.application_data.accounts[local.environment].ec2_oem_key_name_app
18 └ monitoring = true
..
────────────────────────────────────────

oem_ec2_app_efs.tf (terraform)

Tests: 3 (SUCCESSES: 2, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
oem_ec2_app_efs.tf:41-43
via oem_ec2_app_efs.tf:37-44 (egress)
via oem_ec2_app_efs.tf:21-49 (aws_security_group.oem_app_efs_sg)
────────────────────────────────────────
21 resource "aws_security_group" "oem_app_efs_sg" {
..
41 ┌ cidr_blocks = [
42 │ "0.0.0.0/0",
43 └ ]
..
49 }
────────────────────────────────────────

oem_ec2_app_lb.tf (terraform)

Tests: 21 (SUCCESSES: 15, FAILURES: 6, EXCEPTIONS: 0)
Failures: 6 (HIGH: 2, CRITICAL: 4)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.

By setting drop_invalid_header_fields to true, anything that doe not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
oem_ec2_app_lb.tf:1-9
────────────────────────────────────────
1 ┌ resource "aws_lb" "oem_app" {
2 │ name = "lb-${local.application_name}-app"
3 │ load_balancer_type = "application"
4 │ internal = false
5 │ security_groups = [aws_security_group.load_balancer_security_group.id]
6 │ subnets = data.aws_subnets.shared-public.ids
7 │
8 │ tags = local.tags
9 └ }
────────────────────────────────────────

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
oem_ec2_app_lb.tf:4
via oem_ec2_app_lb.tf:1-9 (aws_lb.oem_app)
────────────────────────────────────────
1 resource "aws_lb" "oem_app" {
2 name = "lb-${local.application_name}-app"
3 load_balancer_type = "application"
4 [ internal = false
5 security_groups = [aws_security_group.load_balancer_security_group.id]
6 subnets = data.aws_subnets.shared-public.ids
7
8 tags = local.tags
9 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
oem_ec2_app_lb.tf:300-302
via oem_ec2_app_lb.tf:296-303 (egress)
via oem_ec2_app_lb.tf:231-304 (aws_security_group.load_balancer_security_group)
────────────────────────────────────────
231 resource "aws_security_group" "load_balancer_security_group" {
...
300 ┌ cidr_blocks = [
301 │ "0.0.0.0/0",
302 └ ]
...
304 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
oem_ec2_app_lb.tf:258
via oem_ec2_app_lb.tf:254-259 (ingress)
via oem_ec2_app_lb.tf:231-304 (aws_security_group.load_balancer_security_group)
────────────────────────────────────────
231 resource "aws_security_group" "load_balancer_security_group" {
...
258 [ cidr_blocks = ["0.0.0.0/0"]
...
304 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
oem_ec2_app_lb.tf:272
via oem_ec2_app_lb.tf:268-273 (ingress)
via oem_ec2_app_lb.tf:231-304 (aws_security_group.load_balancer_security_group)
────────────────────────────────────────
231 resource "aws_security_group" "load_balancer_security_group" {
...
272 [ cidr_blocks = ["0.0.0.0/0"]
...
304 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
oem_ec2_app_lb.tf:293
via oem_ec2_app_lb.tf:289-294 (ingress)
via oem_ec2_app_lb.tf:231-304 (aws_security_group.load_balancer_security_group)
────────────────────────────────────────
231 resource "aws_security_group" "load_balancer_security_group" {
...
293 [ cidr_blocks = ["0.0.0.0/0"]
...
304 }
────────────────────────────────────────

oem_ec2_app_lb_internal.tf (terraform)

Tests: 21 (SUCCESSES: 16, FAILURES: 5, EXCEPTIONS: 0)
Failures: 5 (HIGH: 1, CRITICAL: 4)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.

By setting drop_invalid_header_fields to true, anything that doe not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
oem_ec2_app_lb_internal.tf:1-9
────────────────────────────────────────
1 ┌ resource "aws_lb" "oem_app_internal" {
2 │ name = "lb-${local.application_name}-app-internal"
3 │ load_balancer_type = "application"
4 │ internal = true
5 │ security_groups = [aws_security_group.load_balancer_internal.id]
6 │ subnets = data.aws_subnets.shared-private.ids
7 │
8 │ tags = local.tags
9 └ }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
oem_ec2_app_lb_internal.tf:300-302
via oem_ec2_app_lb_internal.tf:296-303 (egress)
via oem_ec2_app_lb_internal.tf:231-304 (aws_security_group.load_balancer_internal)
────────────────────────────────────────
231 resource "aws_security_group" "load_balancer_internal" {
...
300 ┌ cidr_blocks = [
301 │ "0.0.0.0/0",
302 └ ]
...
304 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
oem_ec2_app_lb_internal.tf:258
via oem_ec2_app_lb_internal.tf:254-259 (ingress)
via oem_ec2_app_lb_internal.tf:231-304 (aws_security_group.load_balancer_internal)
────────────────────────────────────────
231 resource "aws_security_group" "load_balancer_internal" {
...
258 [ cidr_blocks = ["0.0.0.0/0"]
...
304 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
oem_ec2_app_lb_internal.tf:272
via oem_ec2_app_lb_internal.tf:268-273 (ingress)
via oem_ec2_app_lb_internal.tf:231-304 (aws_security_group.load_balancer_internal)
────────────────────────────────────────
231 resource "aws_security_group" "load_balancer_internal" {
...
272 [ cidr_blocks = ["0.0.0.0/0"]
...
304 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
oem_ec2_app_lb_internal.tf:293
via oem_ec2_app_lb_internal.tf:289-294 (ingress)
via oem_ec2_app_lb_internal.tf:231-304 (aws_security_group.load_balancer_internal)
────────────────────────────────────────
231 resource "aws_security_group" "load_balancer_internal" {
...
293 [ cidr_blocks = ["0.0.0.0/0"]
...
304 }
────────────────────────────────────────

oem_ec2_app_sg.tf (terraform)

Tests: 19 (SUCCESSES: 18, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
oem_ec2_app_sg.tf:14-16
via oem_ec2_app_sg.tf:10-17 (egress)
via oem_ec2_app_sg.tf:1-96 (aws_security_group.oem_app_security_group_1)
────────────────────────────────────────
1 resource "aws_security_group" "oem_app_security_group_1" {
.
14 ┌ cidr_blocks = [
15 │ "0.0.0.0/0"
16 └ ]
..
96 }
────────────────────────────────────────

oem_ec2_db.tf (terraform)

Tests: 9 (SUCCESSES: 8, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token
════════════════════════════════════════

IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
oem_ec2_db.tf:10-57
────────────────────────────────────────
10 ┌ resource "aws_instance" "oem_db" {
11 │ ami = local.application_data.accounts[local.environment].ec2_oem_ami_id_db
12 │ associate_public_ip_address = false
13 │ availability_zone = local.application_data.accounts[local.environment].ec2_zone
14 │ ebs_optimized = true
15 │ iam_instance_profile = aws_iam_instance_profile.iam_instace_profile_oem_base.name
16 │ instance_type = local.application_data.accounts[local.environment].ec2_oem_instance_type_db
17 │ key_name = local.application_data.accounts[local.environment].ec2_oem_key_name_db
18 └ monitoring = true
..
────────────────────────────────────────

oem_ec2_db_efs.tf (terraform)

Tests: 3 (SUCCESSES: 2, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
oem_ec2_db_efs.tf:41-43
via oem_ec2_db_efs.tf:37-44 (egress)
via oem_ec2_db_efs.tf:21-49 (aws_security_group.oem_db_efs_sg)
────────────────────────────────────────
21 resource "aws_security_group" "oem_db_efs_sg" {
..
41 ┌ cidr_blocks = [
42 │ "0.0.0.0/0",
43 └ ]
..
49 }
────────────────────────────────────────

oem_ec2_db_sg.tf (terraform)

Tests: 11 (SUCCESSES: 10, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
oem_ec2_db_sg.tf:14-16
via oem_ec2_db_sg.tf:10-17 (egress)
via oem_ec2_db_sg.tf:1-88 (aws_security_group.oem_db_security_group)
────────────────────────────────────────
1 resource "aws_security_group" "oem_db_security_group" {
.
14 ┌ cidr_blocks = [
15 │ "0.0.0.0/0"
16 └ ]
..
88 }
────────────────────────────────────────

oem_ec2_wl.tf (terraform)

Tests: 6 (SUCCESSES: 5, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token
════════════════════════════════════════

IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
oem_ec2_wl.tf:11-58
────────────────────────────────────────
11 ┌ resource "aws_instance" "oem_wl" {
12 │ count = length(local.application_data.accounts[local.environment].ec2_oem_ami_id_wl) > 0 ? 1 : 0
13 │ ami = local.application_data.accounts[local.environment].ec2_oem_ami_id_wl
14 │ associate_public_ip_address = false
15 │ availability_zone = local.application_data.accounts[local.environment].ec2_zone
16 │ ebs_optimized = true
17 │ iam_instance_profile = aws_iam_instance_profile.iam_instace_profile_oem_base.name
18 │ instance_type = local.application_data.accounts[local.environment].ec2_oem_instance_type_wl
19 └ key_name = local.application_data.accounts[local.environment].ec2_oem_key_name_wl
..
────────────────────────────────────────

oem_ec2_wl_sg.tf (terraform)

Tests: 8 (SUCCESSES: 7, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
oem_ec2_wl_sg.tf:21-23
via oem_ec2_wl_sg.tf:17-24 (egress)
via oem_ec2_wl_sg.tf:7-79 (aws_security_group.oem_wl_security_group_1[0])
────────────────────────────────────────
7 resource "aws_security_group" "oem_wl_security_group_1" {
.
21 ┌ cidr_blocks = [
22 │ "0.0.0.0/0"
23 └ ]
..
79 }
────────────────────────────────────────

oem_s3.tf (terraform)

Tests: 7 (SUCCESSES: 1, FAILURES: 6, EXCEPTIONS: 0)
Failures: 6 (HIGH: 6, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.

See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
oem_s3.tf:1-3
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "laa_oem_shared" {
2 │ bucket = "${local.application_name}-${local.environment}-shared"
3 └ }
────────────────────────────────────────

HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
oem_s3.tf:1-3
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "laa_oem_shared" {
2 │ bucket = "${local.application_name}-${local.environment}-shared"
3 └ }
────────────────────────────────────────

HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
oem_s3.tf:1-3
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "laa_oem_shared" {
2 │ bucket = "${local.application_name}-${local.environment}-shared"
3 └ }
────────────────────────────────────────

HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
oem_s3.tf:1-3
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "laa_oem_shared" {
2 │ bucket = "${local.application_name}-${local.environment}-shared"
3 └ }
────────────────────────────────────────

HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
oem_s3.tf:1-3
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "laa_oem_shared" {
2 │ bucket = "${local.application_name}-${local.environment}-shared"
3 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
oem_s3.tf:1-3
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "laa_oem_shared" {
2 │ bucket = "${local.application_name}-${local.environment}-shared"
3 └ }
────────────────────────────────────────

trivy_exitcode=1

```
</details>

#### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/laa-oem

*****************************

Running Checkov in terraform/environments/laa-oem
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
terraform scan results:

Passed checks: 182, Failed checks: 26, Skipped checks: 0

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.oem_app
	File: /oem_ec2_app.tf:10-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		10 | resource "aws_instance" "oem_app" {
		11 |   ami                         = local.application_data.accounts[local.environment].ec2_oem_ami_id_app
		12 |   associate_public_ip_address = false
		13 |   availability_zone           = local.application_data.accounts[local.environment].ec2_zone
		14 |   ebs_optimized               = true
		15 |   iam_instance_profile        = aws_iam_instance_profile.iam_instace_profile_oem_base.name
		16 |   instance_type               = local.application_data.accounts[local.environment].ec2_oem_instance_type_app
		17 |   key_name                    = local.application_data.accounts[local.environment].ec2_oem_key_name_app
		18 |   monitoring                  = true
		19 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		20 |   user_data_replace_on_change = true
		21 |   user_data = base64encode(templatefile("./templates/oem-user-data-app.sh", {
		22 |     efs_fqdn = aws_efs_file_system.oem_app_efs.dns_name
		23 |     env_fqdn = "${var.networking[0].business-unit}-${local.environment}.modernisation-platform.service.justice.gov.uk"
		24 |     hostname = "laa-oem-app"
		25 |   }))
		26 |   vpc_security_group_ids = [aws_security_group.oem_app_security_group_1.id, aws_security_group.oem_app_security_group_2.id]
		27 | 
		28 |   root_block_device {
		29 |     delete_on_termination = true
		30 |     encrypted             = true
		31 |     iops                  = 3100
		32 |     kms_key_id            = data.aws_kms_key.ebs_shared.arn
		33 |     volume_size           = 12
		34 |     volume_type           = "gp3"
		35 |   }
		36 | 
		37 |   volume_tags = merge(tomap({
		38 |     "Name"                 = "${local.application_name}-app-root",
		39 |     "volume-attach-host"   = "app",
		40 |     "volume-attach-device" = "/dev/sda1",
		41 |     "volume-mount-path"    = "/",
		42 |     "volume-backup"        = true
		43 |   }), local.tags)
		44 | 
		45 |   tags = merge(tomap({
		46 |     "Name"     = lower(format("ec2-%s-%s-app", local.application_name, local.environment)),
		47 |     "hostname" = "${local.application_name}-app",
		48 |     "env-fqdn" = "${var.networking[0].business-unit}-${local.environment}.modernisation-platform.service.justice.gov.uk"
		49 |   }), local.tags)
		50 | 
		51 |   lifecycle {
		52 |     ignore_changes = [
		53 |       volume_tags,
		54 |       user_data
		55 |     ]
		56 |   }
		57 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.oem_app_efs_sg
	File: /oem_ec2_app_efs.tf:21-49
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		21 | resource "aws_security_group" "oem_app_efs_sg" {
		22 |   name_prefix = "${local.application_name}-app-efs-sg-"
		23 |   description = "Allow inbound access from instances"
		24 |   vpc_id      = data.aws_vpc.shared.id
		25 | 
		26 |   tags = merge(tomap(
		27 |     { "Name" = "${local.application_name}-app-efs-sg" }
		28 |   ), local.tags)
		29 | 
		30 |   ingress {
		31 |     protocol    = "tcp"
		32 |     from_port   = 2049
		33 |     to_port     = 2049
		34 |     cidr_blocks = [data.aws_vpc.shared.cidr_block]
		35 |   }
		36 | 
		37 |   egress {
		38 |     protocol  = "-1"
		39 |     from_port = 0
		40 |     to_port   = 0
		41 |     cidr_blocks = [
		42 |       "0.0.0.0/0",
		43 |     ]
		44 |   }
		45 | 
		46 |   lifecycle {
		47 |     create_before_destroy = true
		48 |   }
		49 | }
Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.oem_app
	File: /oem_ec2_app_lb.tf:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		1 | resource "aws_lb" "oem_app" {
		2 |   name               = "lb-${local.application_name}-app"
		3 |   load_balancer_type = "application"
		4 |   internal           = false
		5 |   security_groups    = [aws_security_group.load_balancer_security_group.id]
		6 |   subnets            = data.aws_subnets.shared-public.ids
		7 | 
		8 |   tags = local.tags
		9 | }

Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.oem_app
	File: /oem_ec2_app_lb.tf:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		1 | resource "aws_lb" "oem_app" {
		2 |   name               = "lb-${local.application_name}-app"
		3 |   load_balancer_type = "application"
		4 |   internal           = false
		5 |   security_groups    = [aws_security_group.load_balancer_security_group.id]
		6 |   subnets            = data.aws_subnets.shared-public.ids
		7 | 
		8 |   tags = local.tags
		9 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.oem_app
	File: /oem_ec2_app_lb.tf:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		1 | resource "aws_lb" "oem_app" {
		2 |   name               = "lb-${local.application_name}-app"
		3 |   load_balancer_type = "application"
		4 |   internal           = false
		5 |   security_groups    = [aws_security_group.load_balancer_security_group.id]
		6 |   subnets            = data.aws_subnets.shared-public.ids
		7 | 
		8 |   tags = local.tags
		9 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.load_balancer_security_group
	File: /oem_ec2_app_lb.tf:231-304
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.oem_app_internal
	File: /oem_ec2_app_lb_internal.tf:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		1 | resource "aws_lb" "oem_app_internal" {
		2 |   name               = "lb-${local.application_name}-app-internal"
		3 |   load_balancer_type = "application"
		4 |   internal           = true
		5 |   security_groups    = [aws_security_group.load_balancer_internal.id]
		6 |   subnets            = data.aws_subnets.shared-private.ids
		7 | 
		8 |   tags = local.tags
		9 | }

Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.oem_app_internal
	File: /oem_ec2_app_lb_internal.tf:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		1 | resource "aws_lb" "oem_app_internal" {
		2 |   name               = "lb-${local.application_name}-app-internal"
		3 |   load_balancer_type = "application"
		4 |   internal           = true
		5 |   security_groups    = [aws_security_group.load_balancer_internal.id]
		6 |   subnets            = data.aws_subnets.shared-private.ids
		7 | 
		8 |   tags = local.tags
		9 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.oem_app_internal
	File: /oem_ec2_app_lb_internal.tf:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		1 | resource "aws_lb" "oem_app_internal" {
		2 |   name               = "lb-${local.application_name}-app-internal"
		3 |   load_balancer_type = "application"
		4 |   internal           = true
		5 |   security_groups    = [aws_security_group.load_balancer_internal.id]
		6 |   subnets            = data.aws_subnets.shared-private.ids
		7 | 
		8 |   tags = local.tags
		9 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.load_balancer_internal
	File: /oem_ec2_app_lb_internal.tf:231-304
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.oem_app_security_group_1
	File: /oem_ec2_app_sg.tf:1-96
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.oem_app_security_group_2
	File: /oem_ec2_app_sg.tf:98-170
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.oem_db
	File: /oem_ec2_db.tf:10-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		10 | resource "aws_instance" "oem_db" {
		11 |   ami                         = local.application_data.accounts[local.environment].ec2_oem_ami_id_db
		12 |   associate_public_ip_address = false
		13 |   availability_zone           = local.application_data.accounts[local.environment].ec2_zone
		14 |   ebs_optimized               = true
		15 |   iam_instance_profile        = aws_iam_instance_profile.iam_instace_profile_oem_base.name
		16 |   instance_type               = local.application_data.accounts[local.environment].ec2_oem_instance_type_db
		17 |   key_name                    = local.application_data.accounts[local.environment].ec2_oem_key_name_db
		18 |   monitoring                  = true
		19 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		20 |   user_data_replace_on_change = true
		21 |   user_data = base64encode(templatefile("./templates/oem-user-data-db.sh", {
		22 |     efs_fqdn = aws_efs_file_system.oem_db_efs.dns_name
		23 |     env_fqdn = "${var.networking[0].business-unit}-${local.environment}.modernisation-platform.service.justice.gov.uk"
		24 |     hostname = "laa-oem-db"
		25 |   }))
		26 |   vpc_security_group_ids = [aws_security_group.oem_db_security_group.id]
		27 | 
		28 |   root_block_device {
		29 |     delete_on_termination = true
		30 |     encrypted             = true
		31 |     kms_key_id            = data.aws_kms_key.ebs_shared.arn
		32 |     iops                  = 3100
		33 |     volume_size           = 12
		34 |     volume_type           = "gp3"
		35 |   }
		36 | 
		37 |   volume_tags = merge(tomap({
		38 |     "Name"                 = "${local.application_name}-db-root",
		39 |     "volume-attach-host"   = "db",
		40 |     "volume-attach-device" = "/dev/sda1",
		41 |     "volume-mount-path"    = "/",
		42 |     "volume-backup"        = true
		43 |   }), local.tags)
		44 | 
		45 |   tags = merge(tomap({
		46 |     "Name"     = lower(format("ec2-%s-%s-db", local.application_name, local.environment)),
		47 |     "hostname" = "${local.application_name}-db",
		48 |     "env-fqdn" = "${var.networking[0].business-unit}-${local.environment}.modernisation-platform.service.justice.gov.uk"
		49 |   }), local.tags)
		50 | 
		51 |   lifecycle {
		52 |     ignore_changes = [
		53 |       volume_tags,
		54 |       user_data
		55 |     ]
		56 |   }
		57 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.oem_db_efs_sg
	File: /oem_ec2_db_efs.tf:21-49
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		21 | resource "aws_security_group" "oem_db_efs_sg" {
		22 |   name_prefix = "${local.application_name}-db-efs-sg-"
		23 |   description = "Allow inbound access from instances"
		24 |   vpc_id      = data.aws_vpc.shared.id
		25 | 
		26 |   tags = merge(tomap(
		27 |     { "Name" = "${local.application_name}-db-efs-sg" }
		28 |   ), local.tags)
		29 | 
		30 |   ingress {
		31 |     protocol    = "tcp"
		32 |     from_port   = 2049
		33 |     to_port     = 2049
		34 |     cidr_blocks = [data.aws_vpc.shared.cidr_block]
		35 |   }
		36 | 
		37 |   egress {
		38 |     protocol  = "-1"
		39 |     from_port = 0
		40 |     to_port   = 0
		41 |     cidr_blocks = [
		42 |       "0.0.0.0/0",
		43 |     ]
		44 |   }
		45 | 
		46 |   lifecycle {
		47 |     create_before_destroy = true
		48 |   }
		49 | }
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.oem_db_security_group
	File: /oem_ec2_db_sg.tf:1-88
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.oem_wl[0]
	File: /oem_ec2_wl.tf:11-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		11 | resource "aws_instance" "oem_wl" {
		12 |   count                       = length(local.application_data.accounts[local.environment].ec2_oem_ami_id_wl) > 0 ? 1 : 0
		13 |   ami                         = local.application_data.accounts[local.environment].ec2_oem_ami_id_wl
		14 |   associate_public_ip_address = false
		15 |   availability_zone           = local.application_data.accounts[local.environment].ec2_zone
		16 |   ebs_optimized               = true
		17 |   iam_instance_profile        = aws_iam_instance_profile.iam_instace_profile_oem_base.name
		18 |   instance_type               = local.application_data.accounts[local.environment].ec2_oem_instance_type_wl
		19 |   key_name                    = local.application_data.accounts[local.environment].ec2_oem_key_name_wl
		20 |   monitoring                  = true
		21 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		22 |   user_data_replace_on_change = true
		23 |   user_data = base64encode(templatefile("./templates/oem-user-data-wl.sh", {
		24 |     env_fqdn = "${var.networking[0].business-unit}-${local.environment}.modernisation-platform.service.justice.gov.uk"
		25 |     hostname = "laa-oem-wl"
		26 |   }))
		27 |   vpc_security_group_ids = [aws_security_group.oem_wl_security_group_1[count.index].id]
		28 | 
		29 |   root_block_device {
		30 |     delete_on_termination = true
		31 |     encrypted             = true
		32 |     iops                  = 3100
		33 |     kms_key_id            = data.aws_kms_key.ebs_shared.arn
		34 |     volume_size           = 12
		35 |     volume_type           = "gp3"
		36 |   }
		37 | 
		38 |   volume_tags = merge(tomap({
		39 |     "Name"                 = "${local.application_name}-wl-root",
		40 |     "volume-attach-host"   = "wl",
		41 |     "volume-attach-device" = "/dev/sda1",
		42 |     "volume-mount-path"    = "/",
		43 |     "volume-backup"        = true
		44 |   }), local.tags)
		45 | 
		46 |   tags = merge(tomap({
		47 |     "Name"     = lower(format("ec2-%s-%s-wl", local.application_name, local.environment)),
		48 |     "hostname" = "${local.application_name}-wl",
		49 |     "env-fqdn" = "${var.networking[0].business-unit}-${local.environment}.modernisation-platform.service.justice.gov.uk"
		50 |   }), local.tags)
		51 | 
		52 |   lifecycle {
		53 |     ignore_changes = [
		54 |       volume_tags,
		55 |       user_data
		56 |     ]
		57 |   }
		58 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.oem_wl_security_group_1[0]
	File: /oem_ec2_wl_sg.tf:7-79
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.laa_oem_shared
	File: /oem_s3.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		1 | resource "aws_s3_bucket" "laa_oem_shared" {
		2 |   bucket = "${local.application_name}-${local.environment}-shared"
		3 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.laa_oem_shared
	File: /oem_s3.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1 | resource "aws_s3_bucket" "laa_oem_shared" {
		2 |   bucket = "${local.application_name}-${local.environment}-shared"
		3 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.laa_oem_shared
	File: /oem_s3.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1 | resource "aws_s3_bucket" "laa_oem_shared" {
		2 |   bucket = "${local.application_name}-${local.environment}-shared"
		3 | }
Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.oem_wl_security_group_1[0]
	File: /oem_ec2_wl_sg.tf:7-79
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.laa_oem_shared
	File: /oem_s3.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		1 | resource "aws_s3_bucket" "laa_oem_shared" {
		2 |   bucket = "${local.application_name}-${local.environment}-shared"
		3 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.laa_oem_shared
	File: /oem_s3.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1 | resource "aws_s3_bucket" "laa_oem_shared" {
		2 |   bucket = "${local.application_name}-${local.environment}-shared"
		3 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.laa_oem_shared
	File: /oem_s3.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1 | resource "aws_s3_bucket" "laa_oem_shared" {
		2 |   bucket = "${local.application_name}-${local.environment}-shared"
		3 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.laa_oem_shared
	File: /oem_s3.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1 | resource "aws_s3_bucket" "laa_oem_shared" {
		2 |   bucket = "${local.application_name}-${local.environment}-shared"
		3 | }
Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF"
	FAILED for resource: aws_lb.oem_app
	File: /oem_ec2_app_lb.tf:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf

		1 | resource "aws_lb" "oem_app" {
		2 |   name               = "lb-${local.application_name}-app"
		3 |   load_balancer_type = "application"
		4 |   internal           = false
		5 |   security_groups    = [aws_security_group.load_balancer_security_group.id]
		6 |   subnets            = data.aws_subnets.shared-public.ids
		7 | 
		8 |   tags = local.tags
		9 | }


checkov_exitcode=1

TFLint Scan Success

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/laa-oem

*****************************

Running tflint in terraform/environments/laa-oem
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Failed

*****************************

Trivy will check the following folders:
terraform/environments/laa-oem

*****************************

Running Trivy in terraform/environments/laa-oem
2024-09-12T12:10:30Z	INFO	[db] Need to update DB
2024-09-12T12:10:30Z	INFO	[db] Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-09-12T12:10:32Z	INFO	[vuln] Vulnerability scanning is enabled
2024-09-12T12:10:32Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-09-12T12:10:32Z	INFO	Need to update the built-in policies
2024-09-12T12:10:32Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-09-12T12:10:32Z	INFO	[secret] Secret scanning is enabled
2024-09-12T12:10:32Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-09-12T12:10:32Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.55/docs/scanner/secret#recommendation for faster secret detection
2024-09-12T12:10:33Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-09-12T12:10:33Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-09-12T12:10:33Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_route53_record.laa_cert_validation" value="cty.NilVal"
2024-09-12T12:10:33Z	INFO	Number of language-specific files	num=0
2024-09-12T12:10:33Z	INFO	Detected config files	num=13

oem_ec2_app.tf (terraform)
==========================
Tests: 6 (SUCCESSES: 5, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token
════════════════════════════════════════

IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default `aws_instance` resource sets IMDS session auth tokens to be optional. 
To fully protect IMDS you need to enable session tokens by using `metadata_options` block and its `http_tokens` variable set to `required`.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 oem_ec2_app.tf:10-57
────────────────────────────────────────
  10 ┌ resource "aws_instance" "oem_app" {
  11 │   ami                         = local.application_data.accounts[local.environment].ec2_oem_ami_id_app
  12 │   associate_public_ip_address = false
  13 │   availability_zone           = local.application_data.accounts[local.environment].ec2_zone
  14 │   ebs_optimized               = true
  15 │   iam_instance_profile        = aws_iam_instance_profile.iam_instace_profile_oem_base.name
  16 │   instance_type               = local.application_data.accounts[local.environment].ec2_oem_instance_type_app
  17 │   key_name                    = local.application_data.accounts[local.environment].ec2_oem_key_name_app
  18 └   monitoring                  = true
  ..   
────────────────────────────────────────



oem_ec2_app_efs.tf (terraform)
==============================
Tests: 3 (SUCCESSES: 2, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 oem_ec2_app_efs.tf:41-43
   via oem_ec2_app_efs.tf:37-44 (egress)
    via oem_ec2_app_efs.tf:21-49 (aws_security_group.oem_app_efs_sg)
────────────────────────────────────────
  21   resource "aws_security_group" "oem_app_efs_sg" {
  ..   
  41 ┌     cidr_blocks = [
  42 │       "0.0.0.0/0",
  43 └     ]
  ..   
  49   }
────────────────────────────────────────



oem_ec2_app_lb.tf (terraform)
=============================
Tests: 21 (SUCCESSES: 15, FAILURES: 6, EXCEPTIONS: 0)
Failures: 6 (HIGH: 2, CRITICAL: 4)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise. 

By setting drop_invalid_header_fields to true, anything that doe not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 oem_ec2_app_lb.tf:1-9
────────────────────────────────────────
   1 ┌ resource "aws_lb" "oem_app" {
   2 │   name               = "lb-${local.application_name}-app"
   3 │   load_balancer_type = "application"
   4 │   internal           = false
   5 │   security_groups    = [aws_security_group.load_balancer_security_group.id]
   6 │   subnets            = data.aws_subnets.shared-public.ids
   7 │ 
   8 │   tags = local.tags
   9 └ }
────────────────────────────────────────


HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 oem_ec2_app_lb.tf:4
   via oem_ec2_app_lb.tf:1-9 (aws_lb.oem_app)
────────────────────────────────────────
   1   resource "aws_lb" "oem_app" {
   2     name               = "lb-${local.application_name}-app"
   3     load_balancer_type = "application"
   4 [   internal           = false
   5     security_groups    = [aws_security_group.load_balancer_security_group.id]
   6     subnets            = data.aws_subnets.shared-public.ids
   7   
   8     tags = local.tags
   9   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 oem_ec2_app_lb.tf:300-302
   via oem_ec2_app_lb.tf:296-303 (egress)
    via oem_ec2_app_lb.tf:231-304 (aws_security_group.load_balancer_security_group)
────────────────────────────────────────
 231   resource "aws_security_group" "load_balancer_security_group" {
 ...   
 300 ┌     cidr_blocks = [
 301 │       "0.0.0.0/0",
 302 └     ]
 ...   
 304   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 oem_ec2_app_lb.tf:258
   via oem_ec2_app_lb.tf:254-259 (ingress)
    via oem_ec2_app_lb.tf:231-304 (aws_security_group.load_balancer_security_group)
────────────────────────────────────────
 231   resource "aws_security_group" "load_balancer_security_group" {
 ...   
 258 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 304   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 oem_ec2_app_lb.tf:272
   via oem_ec2_app_lb.tf:268-273 (ingress)
    via oem_ec2_app_lb.tf:231-304 (aws_security_group.load_balancer_security_group)
────────────────────────────────────────
 231   resource "aws_security_group" "load_balancer_security_group" {
 ...   
 272 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 304   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 oem_ec2_app_lb.tf:293
   via oem_ec2_app_lb.tf:289-294 (ingress)
    via oem_ec2_app_lb.tf:231-304 (aws_security_group.load_balancer_security_group)
────────────────────────────────────────
 231   resource "aws_security_group" "load_balancer_security_group" {
 ...   
 293 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 304   }
────────────────────────────────────────



oem_ec2_app_lb_internal.tf (terraform)
======================================
Tests: 21 (SUCCESSES: 16, FAILURES: 5, EXCEPTIONS: 0)
Failures: 5 (HIGH: 1, CRITICAL: 4)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise. 

By setting drop_invalid_header_fields to true, anything that doe not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 oem_ec2_app_lb_internal.tf:1-9
────────────────────────────────────────
   1 ┌ resource "aws_lb" "oem_app_internal" {
   2 │   name               = "lb-${local.application_name}-app-internal"
   3 │   load_balancer_type = "application"
   4 │   internal           = true
   5 │   security_groups    = [aws_security_group.load_balancer_internal.id]
   6 │   subnets            = data.aws_subnets.shared-private.ids
   7 │ 
   8 │   tags = local.tags
   9 └ }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 oem_ec2_app_lb_internal.tf:300-302
   via oem_ec2_app_lb_internal.tf:296-303 (egress)
    via oem_ec2_app_lb_internal.tf:231-304 (aws_security_group.load_balancer_internal)
────────────────────────────────────────
 231   resource "aws_security_group" "load_balancer_internal" {
 ...   
 300 ┌     cidr_blocks = [
 301 │       "0.0.0.0/0",
 302 └     ]
 ...   
 304   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 oem_ec2_app_lb_internal.tf:258
   via oem_ec2_app_lb_internal.tf:254-259 (ingress)
    via oem_ec2_app_lb_internal.tf:231-304 (aws_security_group.load_balancer_internal)
────────────────────────────────────────
 231   resource "aws_security_group" "load_balancer_internal" {
 ...   
 258 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 304   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 oem_ec2_app_lb_internal.tf:272
   via oem_ec2_app_lb_internal.tf:268-273 (ingress)
    via oem_ec2_app_lb_internal.tf:231-304 (aws_security_group.load_balancer_internal)
────────────────────────────────────────
 231   resource "aws_security_group" "load_balancer_internal" {
 ...   
 272 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 304   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 oem_ec2_app_lb_internal.tf:293
   via oem_ec2_app_lb_internal.tf:289-294 (ingress)
    via oem_ec2_app_lb_internal.tf:231-304 (aws_security_group.load_balancer_internal)
────────────────────────────────────────
 231   resource "aws_security_group" "load_balancer_internal" {
 ...   
 293 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 304   }
────────────────────────────────────────



oem_ec2_app_sg.tf (terraform)
=============================
Tests: 19 (SUCCESSES: 18, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 oem_ec2_app_sg.tf:14-16
   via oem_ec2_app_sg.tf:10-17 (egress)
    via oem_ec2_app_sg.tf:1-96 (aws_security_group.oem_app_security_group_1)
────────────────────────────────────────
   1   resource "aws_security_group" "oem_app_security_group_1" {
   .   
  14 ┌     cidr_blocks = [
  15 │       "0.0.0.0/0"
  16 └     ]
  ..   
  96   }
────────────────────────────────────────



oem_ec2_db.tf (terraform)
=========================
Tests: 9 (SUCCESSES: 8, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token
════════════════════════════════════════

IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default `aws_instance` resource sets IMDS session auth tokens to be optional. 
To fully protect IMDS you need to enable session tokens by using `metadata_options` block and its `http_tokens` variable set to `required`.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 oem_ec2_db.tf:10-57
────────────────────────────────────────
  10 ┌ resource "aws_instance" "oem_db" {
  11 │   ami                         = local.application_data.accounts[local.environment].ec2_oem_ami_id_db
  12 │   associate_public_ip_address = false
  13 │   availability_zone           = local.application_data.accounts[local.environment].ec2_zone
  14 │   ebs_optimized               = true
  15 │   iam_instance_profile        = aws_iam_instance_profile.iam_instace_profile_oem_base.name
  16 │   instance_type               = local.application_data.accounts[local.environment].ec2_oem_instance_type_db
  17 │   key_name                    = local.application_data.accounts[local.environment].ec2_oem_key_name_db
  18 └   monitoring                  = true
  ..   
────────────────────────────────────────



oem_ec2_db_efs.tf (terraform)
=============================
Tests: 3 (SUCCESSES: 2, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 oem_ec2_db_efs.tf:41-43
   via oem_ec2_db_efs.tf:37-44 (egress)
    via oem_ec2_db_efs.tf:21-49 (aws_security_group.oem_db_efs_sg)
────────────────────────────────────────
  21   resource "aws_security_group" "oem_db_efs_sg" {
  ..   
  41 ┌     cidr_blocks = [
  42 │     "0.0.0.0/0",
  43 └     ]
  ..   
  49   }
────────────────────────────────────────



oem_ec2_db_sg.tf (terraform)
============================
Tests: 11 (SUCCESSES: 10, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 oem_ec2_db_sg.tf:14-16
   via oem_ec2_db_sg.tf:10-17 (egress)
    via oem_ec2_db_sg.tf:1-88 (aws_security_group.oem_db_security_group)
────────────────────────────────────────
   1   resource "aws_security_group" "oem_db_security_group" {
   .   
  14 ┌     cidr_blocks = [
  15 │     "0.0.0.0/0"
  16 └     ]
  ..   
  88   }
────────────────────────────────────────



oem_ec2_wl.tf (terraform)
=========================
Tests: 6 (SUCCESSES: 5, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token
════════════════════════════════════════

IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 oem_ec2_wl.tf:11-58
────────────────────────────────────────
  11 ┌ resource "aws_instance" "oem_wl" {
  12 │   count                       = length(local.application_data.accounts[local.environment].ec2_oem_ami_id_wl) > 0 ? 1 : 0
  13 │   ami                         = local.application_data.accounts[local.environment].ec2_oem_ami_id_wl
  14 │   associate_public_ip_address = false
  15 │   availability_zone           = local.application_data.accounts[local.environment].ec2_zone
  16 │   ebs_optimized               = true
  17 │   iam_instance_profile        = aws_iam_instance_profile.iam_instace_profile_oem_base.name
  18 │   instance_type               = local.application_data.accounts[local.environment].ec2_oem_instance_type_wl
  19 └   key_name                    = local.application_data.accounts[local.environment].ec2_oem_key_name_wl
  ..   
────────────────────────────────────────



oem_ec2_wl_sg.tf (terraform)
============================
Tests: 8 (SUCCESSES: 7, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 oem_ec2_wl_sg.tf:21-23
   via oem_ec2_wl_sg.tf:17-24 (egress)
    via oem_ec2_wl_sg.tf:7-79 (aws_security_group.oem_wl_security_group_1[0])
────────────────────────────────────────
   7   resource "aws_security_group" "oem_wl_security_group_1" {
   .   
  21 ┌     cidr_blocks = [
  22 │     "0.0.0.0/0"
  23 └     ]
  ..   
  79   }
────────────────────────────────────────



oem_s3.tf (terraform)
=====================
Tests: 7 (SUCCESSES: 1, FAILURES: 6, EXCEPTIONS: 0)
Failures: 6 (HIGH: 6, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 oem_s3.tf:1-3
────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "laa_oem_shared" {
   2 │   bucket = "${local.application_name}-${local.environment}-shared"
   3 └ }
────────────────────────────────────────


HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 oem_s3.tf:1-3
────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "laa_oem_shared" {
   2 │   bucket = "${local.application_name}-${local.environment}-shared"
   3 └ }
────────────────────────────────────────


HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 oem_s3.tf:1-3
────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "laa_oem_shared" {
   2 │   bucket = "${local.application_name}-${local.environment}-shared"
   3 └ }
────────────────────────────────────────


HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 oem_s3.tf:1-3
────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "laa_oem_shared" {
   2 │   bucket = "${local.application_name}-${local.environment}-shared"
   3 └ }
────────────────────────────────────────


HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 oem_s3.tf:1-3
────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "laa_oem_shared" {
   2 │   bucket = "${local.application_name}-${local.environment}-shared"
   3 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 oem_s3.tf:1-3
────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "laa_oem_shared" {
   2 │   bucket = "${local.application_name}-${local.environment}-shared"
   3 └ }
────────────────────────────────────────


trivy_exitcode=1

Contributor

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/laa-oem


Running Trivy in terraform/environments/laa-oem
2024-09-12T12:42:44Z INFO [db] Need to update DB
2024-09-12T12:42:44Z INFO [db] Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-09-12T12:42:45Z INFO [vuln] Vulnerability scanning is enabled
2024-09-12T12:42:45Z INFO [misconfig] Misconfiguration scanning is enabled
2024-09-12T12:42:45Z INFO Need to update the built-in policies
2024-09-12T12:42:45Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-09-12T12:42:46Z INFO [secret] Secret scanning is enabled
2024-09-12T12:42:46Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-09-12T12:42:46Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.55/docs/scanner/secret#recommendation for faster secret detection
2024-09-12T12:42:46Z INFO [terraform scanner] Scanning root module file_path="."
2024-09-12T12:42:46Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-09-12T12:42:46Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_route53_record.laa_cert_validation" value="cty.NilVal"
2024-09-12T12:42:47Z INFO Number of language-specific files num=0
2024-09-12T12:42:47Z INFO Detected config files num=13

oem_ec2_app.tf (terraform)

Tests: 6 (SUCCESSES: 5, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token
════════════════════════════════════════

IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
oem_ec2_app.tf:10-57
────────────────────────────────────────
10 ┌ resource "aws_instance" "oem_app" {
11 │ ami = local.application_data.accounts[local.environment].ec2_oem_ami_id_app
12 │ associate_public_ip_address = false
13 │ availability_zone = local.application_data.accounts[local.environment].ec2_zone
14 │ ebs_optimized = true
15 │ iam_instance_profile = aws_iam_instance_profile.iam_instace_profile_oem_base.name
16 │ instance_type = local.application_data.accounts[local.environment].ec2_oem_instance_type_app
17 │ key_name = local.application_data.accounts[local.environment].ec2_oem_key_name_app
18 └ monitoring = true
..
────────────────────────────────────────

oem_ec2_app_efs.tf (terraform)

Tests: 3 (SUCCESSES: 2, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
oem_ec2_app_efs.tf:41-43
via oem_ec2_app_efs.tf:37-44 (egress)
via oem_ec2_app_efs.tf:21-49 (aws_security_group.oem_app_efs_sg)
────────────────────────────────────────
21 resource "aws_security_group" "oem_app_efs_sg" {
..
41 ┌ cidr_blocks = [
42 │ "0.0.0.0/0",
43 └ ]
..
49 }
────────────────────────────────────────

oem_ec2_app_lb.tf (terraform)

Tests: 21 (SUCCESSES: 15, FAILURES: 6, EXCEPTIONS: 0)
Failures: 6 (HIGH: 2, CRITICAL: 4)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.

By setting drop_invalid_header_fields to true, anything that doe not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
oem_ec2_app_lb.tf:1-9
────────────────────────────────────────
1 ┌ resource "aws_lb" "oem_app" {
2 │ name = "lb-${local.application_name}-app"
3 │ load_balancer_type = "application"
4 │ internal = false
5 │ security_groups = [aws_security_group.load_balancer_security_group.id]
6 │ subnets = data.aws_subnets.shared-public.ids
7 │
8 │ tags = local.tags
9 └ }
────────────────────────────────────────

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
oem_ec2_app_lb.tf:4
via oem_ec2_app_lb.tf:1-9 (aws_lb.oem_app)
────────────────────────────────────────
1 resource "aws_lb" "oem_app" {
2 name = "lb-${local.application_name}-app"
3 load_balancer_type = "application"
4 [ internal = false
5 security_groups = [aws_security_group.load_balancer_security_group.id]
6 subnets = data.aws_subnets.shared-public.ids
7
8 tags = local.tags
9 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
oem_ec2_app_lb.tf:300-302
via oem_ec2_app_lb.tf:296-303 (egress)
via oem_ec2_app_lb.tf:231-304 (aws_security_group.load_balancer_security_group)
────────────────────────────────────────
231 resource "aws_security_group" "load_balancer_security_group" {
...
300 ┌ cidr_blocks = [
301 │ "0.0.0.0/0",
302 └ ]
...
304 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
oem_ec2_app_lb.tf:258
via oem_ec2_app_lb.tf:254-259 (ingress)
via oem_ec2_app_lb.tf:231-304 (aws_security_group.load_balancer_security_group)
────────────────────────────────────────
231 resource "aws_security_group" "load_balancer_security_group" {
...
258 [ cidr_blocks = ["0.0.0.0/0"]
...
304 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
oem_ec2_app_lb.tf:272
via oem_ec2_app_lb.tf:268-273 (ingress)
via oem_ec2_app_lb.tf:231-304 (aws_security_group.load_balancer_security_group)
────────────────────────────────────────
231 resource "aws_security_group" "load_balancer_security_group" {
...
272 [ cidr_blocks = ["0.0.0.0/0"]
...
304 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
oem_ec2_app_lb.tf:293
via oem_ec2_app_lb.tf:289-294 (ingress)
via oem_ec2_app_lb.tf:231-304 (aws_security_group.load_balancer_security_group)
────────────────────────────────────────
231 resource "aws_security_group" "load_balancer_security_group" {
...
293 [ cidr_blocks = ["0.0.0.0/0"]
...
304 }
────────────────────────────────────────

oem_ec2_app_lb_internal.tf (terraform)

Tests: 21 (SUCCESSES: 16, FAILURES: 5, EXCEPTIONS: 0)
Failures: 5 (HIGH: 1, CRITICAL: 4)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.

By setting drop_invalid_header_fields to true, anything that doe not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
oem_ec2_app_lb_internal.tf:1-9
────────────────────────────────────────
1 ┌ resource "aws_lb" "oem_app_internal" {
2 │ name = "lb-${local.application_name}-app-internal"
3 │ load_balancer_type = "application"
4 │ internal = true
5 │ security_groups = [aws_security_group.load_balancer_internal.id]
6 │ subnets = data.aws_subnets.shared-private.ids
7 │
8 │ tags = local.tags
9 └ }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
oem_ec2_app_lb_internal.tf:300-302
via oem_ec2_app_lb_internal.tf:296-303 (egress)
via oem_ec2_app_lb_internal.tf:231-304 (aws_security_group.load_balancer_internal)
────────────────────────────────────────
231 resource "aws_security_group" "load_balancer_internal" {
...
300 ┌ cidr_blocks = [
301 │ "0.0.0.0/0",
302 └ ]
...
304 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
oem_ec2_app_lb_internal.tf:258
via oem_ec2_app_lb_internal.tf:254-259 (ingress)
via oem_ec2_app_lb_internal.tf:231-304 (aws_security_group.load_balancer_internal)
────────────────────────────────────────
231 resource "aws_security_group" "load_balancer_internal" {
...
258 [ cidr_blocks = ["0.0.0.0/0"]
...
304 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
oem_ec2_app_lb_internal.tf:272
via oem_ec2_app_lb_internal.tf:268-273 (ingress)
via oem_ec2_app_lb_internal.tf:231-304 (aws_security_group.load_balancer_internal)
────────────────────────────────────────
231 resource "aws_security_group" "load_balancer_internal" {
...
272 [ cidr_blocks = ["0.0.0.0/0"]
...
304 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
oem_ec2_app_lb_internal.tf:293
via oem_ec2_app_lb_internal.tf:289-294 (ingress)
via oem_ec2_app_lb_internal.tf:231-304 (aws_security_group.load_balancer_internal)
────────────────────────────────────────
231 resource "aws_security_group" "load_balancer_internal" {
...
293 [ cidr_blocks = ["0.0.0.0/0"]
...
304 }
────────────────────────────────────────

oem_ec2_app_sg.tf (terraform)

Tests: 19 (SUCCESSES: 18, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
oem_ec2_app_sg.tf:14-16
via oem_ec2_app_sg.tf:10-17 (egress)
via oem_ec2_app_sg.tf:1-96 (aws_security_group.oem_app_security_group_1)
────────────────────────────────────────
1 resource "aws_security_group" "oem_app_security_group_1" {
.
14 ┌ cidr_blocks = [
15 │ "0.0.0.0/0"
16 └ ]
..
96 }
────────────────────────────────────────

oem_ec2_db.tf (terraform)

Tests: 9 (SUCCESSES: 8, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token
════════════════════════════════════════

IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
oem_ec2_db.tf:10-57
────────────────────────────────────────
10 ┌ resource "aws_instance" "oem_db" {
11 │ ami = local.application_data.accounts[local.environment].ec2_oem_ami_id_db
12 │ associate_public_ip_address = false
13 │ availability_zone = local.application_data.accounts[local.environment].ec2_zone
14 │ ebs_optimized = true
15 │ iam_instance_profile = aws_iam_instance_profile.iam_instace_profile_oem_base.name
16 │ instance_type = local.application_data.accounts[local.environment].ec2_oem_instance_type_db
17 │ key_name = local.application_data.accounts[local.environment].ec2_oem_key_name_db
18 └ monitoring = true
..
────────────────────────────────────────

oem_ec2_db_efs.tf (terraform)

Tests: 3 (SUCCESSES: 2, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
oem_ec2_db_efs.tf:41-43
via oem_ec2_db_efs.tf:37-44 (egress)
via oem_ec2_db_efs.tf:21-49 (aws_security_group.oem_db_efs_sg)
────────────────────────────────────────
21 resource "aws_security_group" "oem_db_efs_sg" {
..
41 ┌ cidr_blocks = [
42 │ "0.0.0.0/0",
43 └ ]
..
49 }
────────────────────────────────────────

oem_ec2_db_sg.tf (terraform)

Tests: 11 (SUCCESSES: 10, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
oem_ec2_db_sg.tf:14-16
via oem_ec2_db_sg.tf:10-17 (egress)
via oem_ec2_db_sg.tf:1-88 (aws_security_group.oem_db_security_group)
────────────────────────────────────────
1 resource "aws_security_group" "oem_db_security_group" {
.
14 ┌ cidr_blocks = [
15 │ "0.0.0.0/0"
16 └ ]
..
88 }
────────────────────────────────────────

oem_ec2_wl.tf (terraform)

Tests: 6 (SUCCESSES: 5, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token
════════════════════════════════════════

IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
oem_ec2_wl.tf:11-58
────────────────────────────────────────
11 ┌ resource "aws_instance" "oem_wl" {
12 │ count = length(local.application_data.accounts[local.environment].ec2_oem_ami_id_wl) > 0 ? 1 : 0
13 │ ami = local.application_data.accounts[local.environment].ec2_oem_ami_id_wl
14 │ associate_public_ip_address = false
15 │ availability_zone = local.application_data.accounts[local.environment].ec2_zone
16 │ ebs_optimized = true
17 │ iam_instance_profile = aws_iam_instance_profile.iam_instace_profile_oem_base.name
18 │ instance_type = local.application_data.accounts[local.environment].ec2_oem_instance_type_wl
19 └ key_name = local.application_data.accounts[local.environment].ec2_oem_key_name_wl
..
────────────────────────────────────────

oem_ec2_wl_sg.tf (terraform)

Tests: 8 (SUCCESSES: 7, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
oem_ec2_wl_sg.tf:21-23
via oem_ec2_wl_sg.tf:17-24 (egress)
via oem_ec2_wl_sg.tf:7-79 (aws_security_group.oem_wl_security_group_1[0])
────────────────────────────────────────
7 resource "aws_security_group" "oem_wl_security_group_1" {
.
21 ┌ cidr_blocks = [
22 │ "0.0.0.0/0"
23 └ ]
..
79 }
────────────────────────────────────────

oem_s3.tf (terraform)

Tests: 7 (SUCCESSES: 1, FAILURES: 6, EXCEPTIONS: 0)
Failures: 6 (HIGH: 6, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.

See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
oem_s3.tf:1-3
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "laa_oem_shared" {
2 │ bucket = "${local.application_name}-${local.environment}-shared"
3 └ }
────────────────────────────────────────

HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
oem_s3.tf:1-3
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "laa_oem_shared" {
2 │ bucket = "${local.application_name}-${local.environment}-shared"
3 └ }
────────────────────────────────────────

HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
oem_s3.tf:1-3
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "laa_oem_shared" {
2 │ bucket = "${local.application_name}-${local.environment}-shared"
3 └ }
────────────────────────────────────────

HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
oem_s3.tf:1-3
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "laa_oem_shared" {
2 │ bucket = "${local.application_name}-${local.environment}-shared"
3 └ }
────────────────────────────────────────

HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
oem_s3.tf:1-3
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "laa_oem_shared" {
2 │ bucket = "${local.application_name}-${local.environment}-shared"
3 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
oem_s3.tf:1-3
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "laa_oem_shared" {
2 │ bucket = "${local.application_name}-${local.environment}-shared"
3 └ }
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/laa-oem

*****************************

Running Checkov in terraform/environments/laa-oem
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
terraform scan results:

Passed checks: 182, Failed checks: 26, Skipped checks: 0

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.oem_app
	File: /oem_ec2_app.tf:10-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		10 | resource "aws_instance" "oem_app" {
		11 |   ami                         = local.application_data.accounts[local.environment].ec2_oem_ami_id_app
		12 |   associate_public_ip_address = false
		13 |   availability_zone           = local.application_data.accounts[local.environment].ec2_zone
		14 |   ebs_optimized               = true
		15 |   iam_instance_profile        = aws_iam_instance_profile.iam_instace_profile_oem_base.name
		16 |   instance_type               = local.application_data.accounts[local.environment].ec2_oem_instance_type_app
		17 |   key_name                    = local.application_data.accounts[local.environment].ec2_oem_key_name_app
		18 |   monitoring                  = true
		19 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		20 |   user_data_replace_on_change = true
		21 |   user_data = base64encode(templatefile("./templates/oem-user-data-app.sh", {
		22 |     efs_fqdn = aws_efs_file_system.oem_app_efs.dns_name
		23 |     env_fqdn = "${var.networking[0].business-unit}-${local.environment}.modernisation-platform.service.justice.gov.uk"
		24 |     hostname = "laa-oem-app"
		25 |   }))
		26 |   vpc_security_group_ids = [aws_security_group.oem_app_security_group_1.id, aws_security_group.oem_app_security_group_2.id]
		27 | 
		28 |   root_block_device {
		29 |     delete_on_termination = true
		30 |     encrypted             = true
		31 |     iops                  = 3100
		32 |     kms_key_id            = data.aws_kms_key.ebs_shared.arn
		33 |     volume_size           = 12
		34 |     volume_type           = "gp3"
		35 |   }
		36 | 
		37 |   volume_tags = merge(tomap({
		38 |     "Name"                 = "${local.application_name}-app-root",
		39 |     "volume-attach-host"   = "app",
		40 |     "volume-attach-device" = "/dev/sda1",
		41 |     "volume-mount-path"    = "/",
		42 |     "volume-backup"        = true
		43 |   }), local.tags)
		44 | 
		45 |   tags = merge(tomap({
		46 |     "Name"     = lower(format("ec2-%s-%s-app", local.application_name, local.environment)),
		47 |     "hostname" = "${local.application_name}-app",
		48 |     "env-fqdn" = "${var.networking[0].business-unit}-${local.environment}.modernisation-platform.service.justice.gov.uk"
		49 |   }), local.tags)
		50 | 
		51 |   lifecycle {
		52 |     ignore_changes = [
		53 |       volume_tags,
		54 |       user_data
		55 |     ]
		56 |   }
		57 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.oem_app_efs_sg
	File: /oem_ec2_app_efs.tf:21-49
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		21 | resource "aws_security_group" "oem_app_efs_sg" {
		22 |   name_prefix = "${local.application_name}-app-efs-sg-"
		23 |   description = "Allow inbound access from instances"
		24 |   vpc_id      = data.aws_vpc.shared.id
		25 | 
		26 |   tags = merge(tomap(
		27 |     { "Name" = "${local.application_name}-app-efs-sg" }
		28 |   ), local.tags)
		29 | 
		30 |   ingress {
		31 |     protocol    = "tcp"
		32 |     from_port   = 2049
		33 |     to_port     = 2049
		34 |     cidr_blocks = [data.aws_vpc.shared.cidr_block]
		35 |   }
		36 | 
		37 |   egress {
		38 |     protocol  = "-1"
		39 |     from_port = 0
		40 |     to_port   = 0
		41 |     cidr_blocks = [
		42 |       "0.0.0.0/0",
		43 |     ]
		44 |   }
		45 | 
		46 |   lifecycle {
		47 |     create_before_destroy = true
		48 |   }
		49 | }
Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.oem_app
	File: /oem_ec2_app_lb.tf:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		1 | resource "aws_lb" "oem_app" {
		2 |   name               = "lb-${local.application_name}-app"
		3 |   load_balancer_type = "application"
		4 |   internal           = false
		5 |   security_groups    = [aws_security_group.load_balancer_security_group.id]
		6 |   subnets            = data.aws_subnets.shared-public.ids
		7 | 
		8 |   tags = local.tags
		9 | }

Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.oem_app
	File: /oem_ec2_app_lb.tf:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		1 | resource "aws_lb" "oem_app" {
		2 |   name               = "lb-${local.application_name}-app"
		3 |   load_balancer_type = "application"
		4 |   internal           = false
		5 |   security_groups    = [aws_security_group.load_balancer_security_group.id]
		6 |   subnets            = data.aws_subnets.shared-public.ids
		7 | 
		8 |   tags = local.tags
		9 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.oem_app
	File: /oem_ec2_app_lb.tf:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		1 | resource "aws_lb" "oem_app" {
		2 |   name               = "lb-${local.application_name}-app"
		3 |   load_balancer_type = "application"
		4 |   internal           = false
		5 |   security_groups    = [aws_security_group.load_balancer_security_group.id]
		6 |   subnets            = data.aws_subnets.shared-public.ids
		7 | 
		8 |   tags = local.tags
		9 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.load_balancer_security_group
	File: /oem_ec2_app_lb.tf:231-304
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.oem_app_internal
	File: /oem_ec2_app_lb_internal.tf:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		1 | resource "aws_lb" "oem_app_internal" {
		2 |   name               = "lb-${local.application_name}-app-internal"
		3 |   load_balancer_type = "application"
		4 |   internal           = true
		5 |   security_groups    = [aws_security_group.load_balancer_internal.id]
		6 |   subnets            = data.aws_subnets.shared-private.ids
		7 | 
		8 |   tags = local.tags
		9 | }

Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.oem_app_internal
	File: /oem_ec2_app_lb_internal.tf:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		1 | resource "aws_lb" "oem_app_internal" {
		2 |   name               = "lb-${local.application_name}-app-internal"
		3 |   load_balancer_type = "application"
		4 |   internal           = true
		5 |   security_groups    = [aws_security_group.load_balancer_internal.id]
		6 |   subnets            = data.aws_subnets.shared-private.ids
		7 | 
		8 |   tags = local.tags
		9 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.oem_app_internal
	File: /oem_ec2_app_lb_internal.tf:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		1 | resource "aws_lb" "oem_app_internal" {
		2 |   name               = "lb-${local.application_name}-app-internal"
		3 |   load_balancer_type = "application"
		4 |   internal           = true
		5 |   security_groups    = [aws_security_group.load_balancer_internal.id]
		6 |   subnets            = data.aws_subnets.shared-private.ids
		7 | 
		8 |   tags = local.tags
		9 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.load_balancer_internal
	File: /oem_ec2_app_lb_internal.tf:231-304
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.oem_app_security_group_1
	File: /oem_ec2_app_sg.tf:1-96
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.oem_app_security_group_2
	File: /oem_ec2_app_sg.tf:98-170
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.oem_db
	File: /oem_ec2_db.tf:10-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		10 | resource "aws_instance" "oem_db" {
		11 |   ami                         = local.application_data.accounts[local.environment].ec2_oem_ami_id_db
		12 |   associate_public_ip_address = false
		13 |   availability_zone           = local.application_data.accounts[local.environment].ec2_zone
		14 |   ebs_optimized               = true
		15 |   iam_instance_profile        = aws_iam_instance_profile.iam_instace_profile_oem_base.name
		16 |   instance_type               = local.application_data.accounts[local.environment].ec2_oem_instance_type_db
		17 |   key_name                    = local.application_data.accounts[local.environment].ec2_oem_key_name_db
		18 |   monitoring                  = true
		19 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		20 |   user_data_replace_on_change = true
		21 |   user_data = base64encode(templatefile("./templates/oem-user-data-db.sh", {
		22 |     efs_fqdn = aws_efs_file_system.oem_db_efs.dns_name
		23 |     env_fqdn = "${var.networking[0].business-unit}-${local.environment}.modernisation-platform.service.justice.gov.uk"
		24 |     hostname = "laa-oem-db"
		25 |   }))
		26 |   vpc_security_group_ids = [aws_security_group.oem_db_security_group.id]
		27 | 
		28 |   root_block_device {
		29 |     delete_on_termination = true
		30 |     encrypted             = true
		31 |     kms_key_id            = data.aws_kms_key.ebs_shared.arn
		32 |     iops                  = 3100
		33 |     volume_size           = 12
		34 |     volume_type           = "gp3"
		35 |   }
		36 | 
		37 |   volume_tags = merge(tomap({
		38 |     "Name"                 = "${local.application_name}-db-root",
		39 |     "volume-attach-host"   = "db",
		40 |     "volume-attach-device" = "/dev/sda1",
		41 |     "volume-mount-path"    = "/",
		42 |     "volume-backup"        = true
		43 |   }), local.tags)
		44 | 
		45 |   tags = merge(tomap({
		46 |     "Name"     = lower(format("ec2-%s-%s-db", local.application_name, local.environment)),
		47 |     "hostname" = "${local.application_name}-db",
		48 |     "env-fqdn" = "${var.networking[0].business-unit}-${local.environment}.modernisation-platform.service.justice.gov.uk"
		49 |   }), local.tags)
		50 | 
		51 |   lifecycle {
		52 |     ignore_changes = [
		53 |       volume_tags,
		54 |       user_data
		55 |     ]
		56 |   }
		57 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.oem_db_efs_sg
	File: /oem_ec2_db_efs.tf:21-49
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		21 | resource "aws_security_group" "oem_db_efs_sg" {
		22 |   name_prefix = "${local.application_name}-db-efs-sg-"
		23 |   description = "Allow inbound access from instances"
		24 |   vpc_id      = data.aws_vpc.shared.id
		25 | 
		26 |   tags = merge(tomap(
		27 |     { "Name" = "${local.application_name}-db-efs-sg" }
		28 |   ), local.tags)
		29 | 
		30 |   ingress {
		31 |     protocol    = "tcp"
		32 |     from_port   = 2049
		33 |     to_port     = 2049
		34 |     cidr_blocks = [data.aws_vpc.shared.cidr_block]
		35 |   }
		36 | 
		37 |   egress {
		38 |     protocol  = "-1"
		39 |     from_port = 0
		40 |     to_port   = 0
		41 |     cidr_blocks = [
		42 |       "0.0.0.0/0",
		43 |     ]
		44 |   }
		45 | 
		46 |   lifecycle {
		47 |     create_before_destroy = true
		48 |   }
		49 | }
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.oem_db_security_group
	File: /oem_ec2_db_sg.tf:1-88
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.oem_wl[0]
	File: /oem_ec2_wl.tf:11-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		11 | resource "aws_instance" "oem_wl" {
		12 |   count                       = length(local.application_data.accounts[local.environment].ec2_oem_ami_id_wl) > 0 ? 1 : 0
		13 |   ami                         = local.application_data.accounts[local.environment].ec2_oem_ami_id_wl
		14 |   associate_public_ip_address = false
		15 |   availability_zone           = local.application_data.accounts[local.environment].ec2_zone
		16 |   ebs_optimized               = true
		17 |   iam_instance_profile        = aws_iam_instance_profile.iam_instace_profile_oem_base.name
		18 |   instance_type               = local.application_data.accounts[local.environment].ec2_oem_instance_type_wl
		19 |   key_name                    = local.application_data.accounts[local.environment].ec2_oem_key_name_wl
		20 |   monitoring                  = true
		21 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		22 |   user_data_replace_on_change = true
		23 |   user_data = base64encode(templatefile("./templates/oem-user-data-wl.sh", {
		24 |     env_fqdn = "${var.networking[0].business-unit}-${local.environment}.modernisation-platform.service.justice.gov.uk"
		25 |     hostname = "laa-oem-wl"
		26 |   }))
		27 |   vpc_security_group_ids = [aws_security_group.oem_wl_security_group_1[count.index].id]
		28 | 
		29 |   root_block_device {
		30 |     delete_on_termination = true
		31 |     encrypted             = true
		32 |     iops                  = 3100
		33 |     kms_key_id            = data.aws_kms_key.ebs_shared.arn
		34 |     volume_size           = 12
		35 |     volume_type           = "gp3"
		36 |   }
		37 | 
		38 |   volume_tags = merge(tomap({
		39 |     "Name"                 = "${local.application_name}-wl-root",
		40 |     "volume-attach-host"   = "wl",
		41 |     "volume-attach-device" = "/dev/sda1",
		42 |     "volume-mount-path"    = "/",
		43 |     "volume-backup"        = true
		44 |   }), local.tags)
		45 | 
		46 |   tags = merge(tomap({
		47 |     "Name"     = lower(format("ec2-%s-%s-wl", local.application_name, local.environment)),
		48 |     "hostname" = "${local.application_name}-wl",
		49 |     "env-fqdn" = "${var.networking[0].business-unit}-${local.environment}.modernisation-platform.service.justice.gov.uk"
		50 |   }), local.tags)
		51 | 
		52 |   lifecycle {
		53 |     ignore_changes = [
		54 |       volume_tags,
		55 |       user_data
		56 |     ]
		57 |   }
		58 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.oem_wl_security_group_1[0]
	File: /oem_ec2_wl_sg.tf:7-79
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.laa_oem_shared
	File: /oem_s3.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		1 | resource "aws_s3_bucket" "laa_oem_shared" {
		2 |   bucket = "${local.application_name}-${local.environment}-shared"
		3 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.laa_oem_shared
	File: /oem_s3.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1 | resource "aws_s3_bucket" "laa_oem_shared" {
		2 |   bucket = "${local.application_name}-${local.environment}-shared"
		3 | }
Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.oem_wl_security_group_1[0]
	File: /oem_ec2_wl_sg.tf:7-79
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.laa_oem_shared
	File: /oem_s3.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1 | resource "aws_s3_bucket" "laa_oem_shared" {
		2 |   bucket = "${local.application_name}-${local.environment}-shared"
		3 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.laa_oem_shared
	File: /oem_s3.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1 | resource "aws_s3_bucket" "laa_oem_shared" {
		2 |   bucket = "${local.application_name}-${local.environment}-shared"
		3 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.laa_oem_shared
	File: /oem_s3.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		1 | resource "aws_s3_bucket" "laa_oem_shared" {
		2 |   bucket = "${local.application_name}-${local.environment}-shared"
		3 | }
Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF"
	FAILED for resource: aws_lb.oem_app
	File: /oem_ec2_app_lb.tf:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf

		1 | resource "aws_lb" "oem_app" {
		2 |   name               = "lb-${local.application_name}-app"
		3 |   load_balancer_type = "application"
		4 |   internal           = false
		5 |   security_groups    = [aws_security_group.load_balancer_security_group.id]
		6 |   subnets            = data.aws_subnets.shared-public.ids
		7 | 
		8 |   tags = local.tags
		9 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.laa_oem_shared
	File: /oem_s3.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1 | resource "aws_s3_bucket" "laa_oem_shared" {
		2 |   bucket = "${local.application_name}-${local.environment}-shared"
		3 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.laa_oem_shared
	File: /oem_s3.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1 | resource "aws_s3_bucket" "laa_oem_shared" {
		2 |   bucket = "${local.application_name}-${local.environment}-shared"
		3 | }

checkov_exitcode=1

TFLint Scan Success

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/laa-oem

*****************************

Running tflint in terraform/environments/laa-oem
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Failed

*****************************

Trivy will check the following folders:
terraform/environments/laa-oem

*****************************

Running Trivy in terraform/environments/laa-oem
2024-09-12T12:42:44Z	INFO	[db] Need to update DB
2024-09-12T12:42:44Z	INFO	[db] Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-09-12T12:42:45Z	INFO	[vuln] Vulnerability scanning is enabled
2024-09-12T12:42:45Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-09-12T12:42:45Z	INFO	Need to update the built-in policies
2024-09-12T12:42:45Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-09-12T12:42:46Z	INFO	[secret] Secret scanning is enabled
2024-09-12T12:42:46Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-09-12T12:42:46Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.55/docs/scanner/secret#recommendation for faster secret detection
2024-09-12T12:42:46Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-09-12T12:42:46Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-09-12T12:42:46Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_route53_record.laa_cert_validation" value="cty.NilVal"
2024-09-12T12:42:47Z	INFO	Number of language-specific files	num=0
2024-09-12T12:42:47Z	INFO	Detected config files	num=13

oem_ec2_app.tf (terraform)
==========================
Tests: 6 (SUCCESSES: 5, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token
════════════════════════════════════════

IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional. 
To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 oem_ec2_app.tf:10-57
────────────────────────────────────────
  10 ┌ resource "aws_instance" "oem_app" {
  11 │   ami                         = local.application_data.accounts[local.environment].ec2_oem_ami_id_app
  12 │   associate_public_ip_address = false
  13 │   availability_zone           = local.application_data.accounts[local.environment].ec2_zone
  14 │   ebs_optimized               = true
  15 │   iam_instance_profile        = aws_iam_instance_profile.iam_instace_profile_oem_base.name
  16 │   instance_type               = local.application_data.accounts[local.environment].ec2_oem_instance_type_app
  17 │   key_name                    = local.application_data.accounts[local.environment].ec2_oem_key_name_app
  18 │   monitoring                  = true
  ..   
────────────────────────────────────────



oem_ec2_app_efs.tf (terraform)
==============================
Tests: 3 (SUCCESSES: 2, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 oem_ec2_app_efs.tf:41-43
   via oem_ec2_app_efs.tf:37-44 (egress)
    via oem_ec2_app_efs.tf:21-49 (aws_security_group.oem_app_efs_sg)
────────────────────────────────────────
  21   resource "aws_security_group" "oem_app_efs_sg" {
  ..   
  41 ┌     cidr_blocks = [
  42 │       "0.0.0.0/0",
  43 └     ]
  ..   
  49   }
────────────────────────────────────────



oem_ec2_app_lb.tf (terraform)
=============================
Tests: 21 (SUCCESSES: 15, FAILURES: 6, EXCEPTIONS: 0)
Failures: 6 (HIGH: 2, CRITICAL: 4)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise. 

By setting drop_invalid_header_fields to true, anything that doe not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 oem_ec2_app_lb.tf:1-9
────────────────────────────────────────
   1 ┌ resource "aws_lb" "oem_app" {
   2 │   name               = "lb-${local.application_name}-app"
   3 │   load_balancer_type = "application"
   4 │   internal           = false
   5 │   security_groups    = [aws_security_group.load_balancer_security_group.id]
   6 │   subnets            = data.aws_subnets.shared-public.ids
   7 │ 
   8 │   tags = local.tags
   9 └ }
────────────────────────────────────────


HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 oem_ec2_app_lb.tf:4
   via oem_ec2_app_lb.tf:1-9 (aws_lb.oem_app)
────────────────────────────────────────
   1   resource "aws_lb" "oem_app" {
   2     name               = "lb-${local.application_name}-app"
   3     load_balancer_type = "application"
   4 [   internal           = false
   5     security_groups    = [aws_security_group.load_balancer_security_group.id]
   6     subnets            = data.aws_subnets.shared-public.ids
   7   
   8     tags = local.tags
   9   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 oem_ec2_app_lb.tf:300-302
   via oem_ec2_app_lb.tf:296-303 (egress)
    via oem_ec2_app_lb.tf:231-304 (aws_security_group.load_balancer_security_group)
────────────────────────────────────────
 231   resource "aws_security_group" "load_balancer_security_group" {
 ...   
 300 ┌     cidr_blocks = [
 301 │       "0.0.0.0/0",
 302 └     ]
 ...   
 304   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 oem_ec2_app_lb.tf:258
   via oem_ec2_app_lb.tf:254-259 (ingress)
    via oem_ec2_app_lb.tf:231-304 (aws_security_group.load_balancer_security_group)
────────────────────────────────────────
 231   resource "aws_security_group" "load_balancer_security_group" {
 ...   
 258 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 304   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 oem_ec2_app_lb.tf:272
   via oem_ec2_app_lb.tf:268-273 (ingress)
    via oem_ec2_app_lb.tf:231-304 (aws_security_group.load_balancer_security_group)
────────────────────────────────────────
 231   resource "aws_security_group" "load_balancer_security_group" {
 ...   
 272 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 304   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 oem_ec2_app_lb.tf:293
   via oem_ec2_app_lb.tf:289-294 (ingress)
    via oem_ec2_app_lb.tf:231-304 (aws_security_group.load_balancer_security_group)
────────────────────────────────────────
 231   resource "aws_security_group" "load_balancer_security_group" {
 ...   
 293 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 304   }
────────────────────────────────────────



oem_ec2_app_lb_internal.tf (terraform)
======================================
Tests: 21 (SUCCESSES: 16, FAILURES: 5, EXCEPTIONS: 0)
Failures: 5 (HIGH: 1, CRITICAL: 4)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise. 

By setting drop_invalid_header_fields to true, anything that doe not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 oem_ec2_app_lb_internal.tf:1-9
────────────────────────────────────────
   1 ┌ resource "aws_lb" "oem_app_internal" {
   2 │   name               = "lb-${local.application_name}-app-internal"
   3 │   load_balancer_type = "application"
   4 │   internal           = true
   5 │   security_groups    = [aws_security_group.load_balancer_internal.id]
   6 │   subnets            = data.aws_subnets.shared-private.ids
   7 │ 
   8 │   tags = local.tags
   9 └ }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 oem_ec2_app_lb_internal.tf:300-302
   via oem_ec2_app_lb_internal.tf:296-303 (egress)
    via oem_ec2_app_lb_internal.tf:231-304 (aws_security_group.load_balancer_internal)
────────────────────────────────────────
 231   resource "aws_security_group" "load_balancer_internal" {
 ...   
 300 ┌     cidr_blocks = [
 301 │       "0.0.0.0/0",
 302 └     ]
 ...   
 304   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 oem_ec2_app_lb_internal.tf:258
   via oem_ec2_app_lb_internal.tf:254-259 (ingress)
    via oem_ec2_app_lb_internal.tf:231-304 (aws_security_group.load_balancer_internal)
────────────────────────────────────────
 231   resource "aws_security_group" "load_balancer_internal" {
 ...   
 258 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 304   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 oem_ec2_app_lb_internal.tf:272
   via oem_ec2_app_lb_internal.tf:268-273 (ingress)
    via oem_ec2_app_lb_internal.tf:231-304 (aws_security_group.load_balancer_internal)
────────────────────────────────────────
 231   resource "aws_security_group" "load_balancer_internal" {
 ...   
 272 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 304   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 oem_ec2_app_lb_internal.tf:293
   via oem_ec2_app_lb_internal.tf:289-294 (ingress)
    via oem_ec2_app_lb_internal.tf:231-304 (aws_security_group.load_balancer_internal)
────────────────────────────────────────
 231   resource "aws_security_group" "load_balancer_internal" {
 ...   
 293 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 304   }
────────────────────────────────────────



oem_ec2_app_sg.tf (terraform)
=============================
Tests: 19 (SUCCESSES: 18, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 oem_ec2_app_sg.tf:14-16
   via oem_ec2_app_sg.tf:10-17 (egress)
    via oem_ec2_app_sg.tf:1-96 (aws_security_group.oem_app_security_group_1)
────────────────────────────────────────
   1   resource "aws_security_group" "oem_app_security_group_1" {
   .   
  14 ┌     cidr_blocks = [
  15 │     "0.0.0.0/0"
  16 └     ]
  ..   
  96   }
────────────────────────────────────────



oem_ec2_db.tf (terraform)
=========================
Tests: 9 (SUCCESSES: 8, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token
════════════════════════════════════════

IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional. 
To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 oem_ec2_db.tf:10-57
────────────────────────────────────────
  10 ┌ resource "aws_instance" "oem_db" {
  11 │   ami                         = local.application_data.accounts[local.environment].ec2_oem_ami_id_db
  12 │   associate_public_ip_address = false
  13 │   availability_zone           = local.application_data.accounts[local.environment].ec2_zone
  14 │   ebs_optimized               = true
  15 │   iam_instance_profile        = aws_iam_instance_profile.iam_instace_profile_oem_base.name
  16 │   instance_type               = local.application_data.accounts[local.environment].ec2_oem_instance_type_db
  17 │   key_name                    = local.application_data.accounts[local.environment].ec2_oem_key_name_db
  18 └   monitoring                  = true
  ..   
────────────────────────────────────────



oem_ec2_db_efs.tf (terraform)
=============================
Tests: 3 (SUCCESSES: 2, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 oem_ec2_db_efs.tf:41-43
   via oem_ec2_db_efs.tf:37-44 (egress)
    via oem_ec2_db_efs.tf:21-49 (aws_security_group.oem_db_efs_sg)
────────────────────────────────────────
  21   resource "aws_security_group" "oem_db_efs_sg" {
  ..   
  41 ┌     cidr_blocks = [
  42 │     "0.0.0.0/0",
  43 └     ]
  ..   
  49   }
────────────────────────────────────────



oem_ec2_db_sg.tf (terraform)
============================
Tests: 11 (SUCCESSES: 10, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 oem_ec2_db_sg.tf:14-16
   via oem_ec2_db_sg.tf:10-17 (egress)
    via oem_ec2_db_sg.tf:1-88 (aws_security_group.oem_db_security_group)
────────────────────────────────────────
   1   resource "aws_security_group" "oem_db_security_group" {
   .   
  14 ┌     cidr_blocks = [
  15 │     "0.0.0.0/0"
  16 └     ]
  ..   
  88   }
────────────────────────────────────────



oem_ec2_wl.tf (terraform)
=========================
Tests: 6 (SUCCESSES: 5, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token
════════════════════════════════════════

IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional. 
To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 oem_ec2_wl.tf:11-58
────────────────────────────────────────
  11 ┌ resource "aws_instance" "oem_wl" {
  12 │   count                       = length(local.application_data.accounts[local.environment].ec2_oem_ami_id_wl) > 0 ? 1 : 0
  13 │   ami                         = local.application_data.accounts[local.environment].ec2_oem_ami_id_wl
  14 │   associate_public_ip_address = false
  15 │   availability_zone           = local.application_data.accounts[local.environment].ec2_zone
  16 │   ebs_optimized               = true
  17 │   iam_instance_profile        = aws_iam_instance_profile.iam_instace_profile_oem_base.name
  18 │   instance_type               = local.application_data.accounts[local.environment].ec2_oem_instance_type_wl
  19 └   key_name                    = local.application_data.accounts[local.environment].ec2_oem_key_name_wl
  ..   
────────────────────────────────────────



oem_ec2_wl_sg.tf (terraform)
============================
Tests: 8 (SUCCESSES: 7, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 oem_ec2_wl_sg.tf:21-23
   via oem_ec2_wl_sg.tf:17-24 (egress)
    via oem_ec2_wl_sg.tf:7-79 (aws_security_group.oem_wl_security_group_1[0])
────────────────────────────────────────
   7   resource "aws_security_group" "oem_wl_security_group_1" {
   .   
  21 ┌     cidr_blocks = [
  22 │     "0.0.0.0/0"
  23 └     ]
  ..   
  79   }
────────────────────────────────────────



oem_s3.tf (terraform)
=====================
Tests: 7 (SUCCESSES: 1, FAILURES: 6, EXCEPTIONS: 0)
Failures: 6 (HIGH: 6, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 oem_s3.tf:1-3
────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "laa_oem_shared" {
   2 │   bucket = "${local.application_name}-${local.environment}-shared"
   3 └ }
────────────────────────────────────────


HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 oem_s3.tf:1-3
────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "laa_oem_shared" {
   2 │   bucket = "${local.application_name}-${local.environment}-shared"
   3 └ }
────────────────────────────────────────


HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 oem_s3.tf:1-3
────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "laa_oem_shared" {
   2 │   bucket = "${local.application_name}-${local.environment}-shared"
   3 └ }
────────────────────────────────────────


HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 oem_s3.tf:1-3
────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "laa_oem_shared" {
   2 │   bucket = "${local.application_name}-${local.environment}-shared"
   3 └ }
────────────────────────────────────────


HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 oem_s3.tf:1-3
────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "laa_oem_shared" {
   2 │   bucket = "${local.application_name}-${local.environment}-shared"
   3 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 oem_s3.tf:1-3
────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "laa_oem_shared" {
   2 │   bucket = "${local.application_name}-${local.environment}-shared"
   3 └ }
────────────────────────────────────────


trivy_exitcode=1
```

@mmgovuk mmgovuk deployed to laa-oem-test September 12, 2024 12:46 — with GitHub Actions Active
@mmgovuk mmgovuk deployed to laa-oem-development September 12, 2024 12:47 — with GitHub Actions Active
Contributor

#### `Trivy Scan` Failed
<details><summary>Show Output</summary>

```hcl

Trivy will check the following folders:
terraform/environments/laa-oem


Running Trivy in terraform/environments/laa-oem
2024-09-12T12:47:53Z INFO [db] Need to update DB
2024-09-12T12:47:53Z INFO [db] Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-09-12T12:47:55Z INFO [vuln] Vulnerability scanning is enabled
2024-09-12T12:47:55Z INFO [misconfig] Misconfiguration scanning is enabled
2024-09-12T12:47:55Z INFO Need to update the built-in policies
2024-09-12T12:47:55Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-09-12T12:47:55Z INFO [secret] Secret scanning is enabled
2024-09-12T12:47:55Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-09-12T12:47:55Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.55/docs/scanner/secret#recommendation for faster secret detection
2024-09-12T12:47:56Z INFO [terraform scanner] Scanning root module file_path="."
2024-09-12T12:47:56Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-09-12T12:47:56Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_route53_record.laa_cert_validation" value="cty.NilVal"
2024-09-12T12:47:56Z INFO Number of language-specific files num=0
2024-09-12T12:47:56Z INFO Detected config files num=13

oem_ec2_app.tf (terraform)

Tests: 6 (SUCCESSES: 5, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token
════════════════════════════════════════

IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
oem_ec2_app.tf:10-57
────────────────────────────────────────
10 ┌ resource "aws_instance" "oem_app" {
11 │ ami = local.application_data.accounts[local.environment].ec2_oem_ami_id_app
12 │ associate_public_ip_address = false
13 │ availability_zone = local.application_data.accounts[local.environment].ec2_zone
14 │ ebs_optimized = true
15 │ iam_instance_profile = aws_iam_instance_profile.iam_instace_profile_oem_base.name
16 │ instance_type = local.application_data.accounts[local.environment].ec2_oem_instance_type_app
17 │ key_name = local.application_data.accounts[local.environment].ec2_oem_key_name_app
18 └ monitoring = true
..
────────────────────────────────────────

oem_ec2_app_efs.tf (terraform)

Tests: 3 (SUCCESSES: 2, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
oem_ec2_app_efs.tf:41-43
via oem_ec2_app_efs.tf:37-44 (egress)
via oem_ec2_app_efs.tf:21-49 (aws_security_group.oem_app_efs_sg)
────────────────────────────────────────
21 resource "aws_security_group" "oem_app_efs_sg" {
..
41 ┌ cidr_blocks = [
42 │ "0.0.0.0/0",
43 └ ]
..
49 }
────────────────────────────────────────

oem_ec2_app_lb.tf (terraform)

Tests: 21 (SUCCESSES: 15, FAILURES: 6, EXCEPTIONS: 0)
Failures: 6 (HIGH: 2, CRITICAL: 4)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.

By setting drop_invalid_header_fields to true, anything that doe not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
oem_ec2_app_lb.tf:1-9
────────────────────────────────────────
1 ┌ resource "aws_lb" "oem_app" {
2 │ name = "lb-${local.application_name}-app"
3 │ load_balancer_type = "application"
4 │ internal = false
5 │ security_groups = [aws_security_group.load_balancer_security_group.id]
6 │ subnets = data.aws_subnets.shared-public.ids
7 │
8 │ tags = local.tags
9 └ }
────────────────────────────────────────

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
oem_ec2_app_lb.tf:4
via oem_ec2_app_lb.tf:1-9 (aws_lb.oem_app)
────────────────────────────────────────
1 resource "aws_lb" "oem_app" {
2 name = "lb-${local.application_name}-app"
3 load_balancer_type = "application"
4 [ internal = false
5 security_groups = [aws_security_group.load_balancer_security_group.id]
6 subnets = data.aws_subnets.shared-public.ids
7
8 tags = local.tags
9 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
oem_ec2_app_lb.tf:300-302
via oem_ec2_app_lb.tf:296-303 (egress)
via oem_ec2_app_lb.tf:231-304 (aws_security_group.load_balancer_security_group)
────────────────────────────────────────
231 resource "aws_security_group" "load_balancer_security_group" {
...
300 ┌ cidr_blocks = [
301 │ "0.0.0.0/0",
302 └ ]
...
304 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
oem_ec2_app_lb.tf:258
via oem_ec2_app_lb.tf:254-259 (ingress)
via oem_ec2_app_lb.tf:231-304 (aws_security_group.load_balancer_security_group)
────────────────────────────────────────
231 resource "aws_security_group" "load_balancer_security_group" {
...
258 [ cidr_blocks = ["0.0.0.0/0"]
...
304 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
oem_ec2_app_lb.tf:272
via oem_ec2_app_lb.tf:268-273 (ingress)
via oem_ec2_app_lb.tf:231-304 (aws_security_group.load_balancer_security_group)
────────────────────────────────────────
231 resource "aws_security_group" "load_balancer_security_group" {
...
272 [ cidr_blocks = ["0.0.0.0/0"]
...
304 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
oem_ec2_app_lb.tf:293
via oem_ec2_app_lb.tf:289-294 (ingress)
via oem_ec2_app_lb.tf:231-304 (aws_security_group.load_balancer_security_group)
────────────────────────────────────────
231 resource "aws_security_group" "load_balancer_security_group" {
...
293 [ cidr_blocks = ["0.0.0.0/0"]
...
304 }
────────────────────────────────────────

oem_ec2_app_lb_internal.tf (terraform)

Tests: 21 (SUCCESSES: 16, FAILURES: 5, EXCEPTIONS: 0)
Failures: 5 (HIGH: 1, CRITICAL: 4)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.

By setting drop_invalid_header_fields to true, anything that doe not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
oem_ec2_app_lb_internal.tf:1-9
────────────────────────────────────────
1 ┌ resource "aws_lb" "oem_app_internal" {
2 │ name = "lb-${local.application_name}-app-internal"
3 │ load_balancer_type = "application"
4 │ internal = true
5 │ security_groups = [aws_security_group.load_balancer_internal.id]
6 │ subnets = data.aws_subnets.shared-private.ids
7 │
8 │ tags = local.tags
9 └ }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
oem_ec2_app_lb_internal.tf:300-302
via oem_ec2_app_lb_internal.tf:296-303 (egress)
via oem_ec2_app_lb_internal.tf:231-304 (aws_security_group.load_balancer_internal)
────────────────────────────────────────
231 resource "aws_security_group" "load_balancer_internal" {
...
300 ┌ cidr_blocks = [
301 │ "0.0.0.0/0",
302 └ ]
...
304 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
oem_ec2_app_lb_internal.tf:258
via oem_ec2_app_lb_internal.tf:254-259 (ingress)
via oem_ec2_app_lb_internal.tf:231-304 (aws_security_group.load_balancer_internal)
────────────────────────────────────────
231 resource "aws_security_group" "load_balancer_internal" {
...
258 [ cidr_blocks = ["0.0.0.0/0"]
...
304 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
oem_ec2_app_lb_internal.tf:272
via oem_ec2_app_lb_internal.tf:268-273 (ingress)
via oem_ec2_app_lb_internal.tf:231-304 (aws_security_group.load_balancer_internal)
────────────────────────────────────────
231 resource "aws_security_group" "load_balancer_internal" {
...
272 [ cidr_blocks = ["0.0.0.0/0"]
...
304 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
oem_ec2_app_lb_internal.tf:293
via oem_ec2_app_lb_internal.tf:289-294 (ingress)
via oem_ec2_app_lb_internal.tf:231-304 (aws_security_group.load_balancer_internal)
────────────────────────────────────────
231 resource "aws_security_group" "load_balancer_internal" {
...
293 [ cidr_blocks = ["0.0.0.0/0"]
...
304 }
────────────────────────────────────────

oem_ec2_app_sg.tf (terraform)

Tests: 19 (SUCCESSES: 18, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
oem_ec2_app_sg.tf:14-16
via oem_ec2_app_sg.tf:10-17 (egress)
via oem_ec2_app_sg.tf:1-96 (aws_security_group.oem_app_security_group_1)
────────────────────────────────────────
1 resource "aws_security_group" "oem_app_security_group_1" {
.
14 ┌ cidr_blocks = [
15 │ "0.0.0.0/0"
16 └ ]
..
96 }
────────────────────────────────────────

oem_ec2_db.tf (terraform)

Tests: 9 (SUCCESSES: 8, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token
════════════════════════════════════════

IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
oem_ec2_db.tf:10-57
────────────────────────────────────────
10 ┌ resource "aws_instance" "oem_db" {
11 │ ami = local.application_data.accounts[local.environment].ec2_oem_ami_id_db
12 │ associate_public_ip_address = false
13 │ availability_zone = local.application_data.accounts[local.environment].ec2_zone
14 │ ebs_optimized = true
15 │ iam_instance_profile = aws_iam_instance_profile.iam_instace_profile_oem_base.name
16 │ instance_type = local.application_data.accounts[local.environment].ec2_oem_instance_type_db
17 │ key_name = local.application_data.accounts[local.environment].ec2_oem_key_name_db
18 └ monitoring = true
..
────────────────────────────────────────

oem_ec2_db_efs.tf (terraform)

Tests: 3 (SUCCESSES: 2, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
oem_ec2_db_efs.tf:41-43
via oem_ec2_db_efs.tf:37-44 (egress)
via oem_ec2_db_efs.tf:21-49 (aws_security_group.oem_db_efs_sg)
────────────────────────────────────────
21 resource "aws_security_group" "oem_db_efs_sg" {
..
41 ┌ cidr_blocks = [
42 │ "0.0.0.0/0",
43 └ ]
..
49 }
────────────────────────────────────────

oem_ec2_db_sg.tf (terraform)

Tests: 11 (SUCCESSES: 10, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
oem_ec2_db_sg.tf:14-16
via oem_ec2_db_sg.tf:10-17 (egress)
via oem_ec2_db_sg.tf:1-88 (aws_security_group.oem_db_security_group)
────────────────────────────────────────
1 resource "aws_security_group" "oem_db_security_group" {
.
14 ┌ cidr_blocks = [
15 │ "0.0.0.0/0"
16 └ ]
..
88 }
────────────────────────────────────────

oem_ec2_wl.tf (terraform)

Tests: 6 (SUCCESSES: 5, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token
════════════════════════════════════════

IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
oem_ec2_wl.tf:11-58
────────────────────────────────────────
11 ┌ resource "aws_instance" "oem_wl" {
12 │ count = length(local.application_data.accounts[local.environment].ec2_oem_ami_id_wl) > 0 ? 1 : 0
13 │ ami = local.application_data.accounts[local.environment].ec2_oem_ami_id_wl
14 │ associate_public_ip_address = false
15 │ availability_zone = local.application_data.accounts[local.environment].ec2_zone
16 │ ebs_optimized = true
17 │ iam_instance_profile = aws_iam_instance_profile.iam_instace_profile_oem_base.name
18 │ instance_type = local.application_data.accounts[local.environment].ec2_oem_instance_type_wl
19 └ key_name = local.application_data.accounts[local.environment].ec2_oem_key_name_wl
..
────────────────────────────────────────

oem_ec2_wl_sg.tf (terraform)

Tests: 8 (SUCCESSES: 7, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
oem_ec2_wl_sg.tf:21-23
via oem_ec2_wl_sg.tf:17-24 (egress)
via oem_ec2_wl_sg.tf:7-79 (aws_security_group.oem_wl_security_group_1[0])
────────────────────────────────────────
7 resource "aws_security_group" "oem_wl_security_group_1" {
.
21 ┌ cidr_blocks = [
22 │ "0.0.0.0/0"
23 └ ]
..
79 }
────────────────────────────────────────

oem_s3.tf (terraform)

Tests: 7 (SUCCESSES: 1, FAILURES: 6, EXCEPTIONS: 0)
Failures: 6 (HIGH: 6, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.

See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
oem_s3.tf:1-3
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "laa_oem_shared" {
2 │ bucket = "${local.application_name}-${local.environment}-shared"
3 └ }
────────────────────────────────────────

HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
oem_s3.tf:1-3
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "laa_oem_shared" {
2 │ bucket = "${local.application_name}-${local.environment}-shared"
3 └ }
────────────────────────────────────────

HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
oem_s3.tf:1-3
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "laa_oem_shared" {
2 │ bucket = "${local.application_name}-${local.environment}-shared"
3 └ }
────────────────────────────────────────

HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
oem_s3.tf:1-3
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "laa_oem_shared" {
2 │ bucket = "${local.application_name}-${local.environment}-shared"
3 └ }
────────────────────────────────────────

HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
oem_s3.tf:1-3
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "laa_oem_shared" {
2 │ bucket = "${local.application_name}-${local.environment}-shared"
3 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
oem_s3.tf:1-3
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "laa_oem_shared" {
2 │ bucket = "${local.application_name}-${local.environment}-shared"
3 └ }
────────────────────────────────────────

trivy_exitcode=1

Checkov Scan Failed

Show Output

*****************************

Checkov will check the following folders:
terraform/environments/laa-oem

*****************************

Running Checkov in terraform/environments/laa-oem
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
terraform scan results:

Passed checks: 182, Failed checks: 26, Skipped checks: 0

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.oem_app
	File: /oem_ec2_app.tf:10-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		10 | resource "aws_instance" "oem_app" {
		11 |   ami                         = local.application_data.accounts[local.environment].ec2_oem_ami_id_app
		12 |   associate_public_ip_address = false
		13 |   availability_zone           = local.application_data.accounts[local.environment].ec2_zone
		14 |   ebs_optimized               = true
		15 |   iam_instance_profile        = aws_iam_instance_profile.iam_instace_profile_oem_base.name
		16 |   instance_type               = local.application_data.accounts[local.environment].ec2_oem_instance_type_app
		17 |   key_name                    = local.application_data.accounts[local.environment].ec2_oem_key_name_app
		18 |   monitoring                  = true
		19 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		20 |   user_data_replace_on_change = true
		21 |   user_data = base64encode(templatefile("./templates/oem-user-data-app.sh", {
		22 |     efs_fqdn = aws_efs_file_system.oem_app_efs.dns_name
		23 |     env_fqdn = "${var.networking[0].business-unit}-${local.environment}.modernisation-platform.service.justice.gov.uk"
		24 |     hostname = "laa-oem-app"
		25 |   }))
		26 |   vpc_security_group_ids = [aws_security_group.oem_app_security_group_1.id, aws_security_group.oem_app_security_group_2.id]
		27 | 
		28 |   root_block_device {
		29 |     delete_on_termination = true
		30 |     encrypted             = true
		31 |     iops                  = 3100
		32 |     kms_key_id            = data.aws_kms_key.ebs_shared.arn
		33 |     volume_size           = 12
		34 |     volume_type           = "gp3"
		35 |   }
		36 | 
		37 |   volume_tags = merge(tomap({
		38 |     "Name"                 = "${local.application_name}-app-root",
		39 |     "volume-attach-host"   = "app",
		40 |     "volume-attach-device" = "/dev/sda1",
		41 |     "volume-mount-path"    = "/",
		42 |     "volume-backup"        = true
		43 |   }), local.tags)
		44 | 
		45 |   tags = merge(tomap({
		46 |     "Name"     = lower(format("ec2-%s-%s-app", local.application_name, local.environment)),
		47 |     "hostname" = "${local.application_name}-app",
		48 |     "env-fqdn" = "${var.networking[0].business-unit}-${local.environment}.modernisation-platform.service.justice.gov.uk"
		49 |   }), local.tags)
		50 | 
		51 |   lifecycle {
		52 |     ignore_changes = [
		53 |       volume_tags,
		54 |       user_data
		55 |     ]
		56 |   }
		57 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.oem_app_efs_sg
	File: /oem_ec2_app_efs.tf:21-49
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		21 | resource "aws_security_group" "oem_app_efs_sg" {
		22 |   name_prefix = "${local.application_name}-app-efs-sg-"
		23 |   description = "Allow inbound access from instances"
		24 |   vpc_id      = data.aws_vpc.shared.id
		25 | 
		26 |   tags = merge(tomap(
		27 |     { "Name" = "${local.application_name}-app-efs-sg" }
		28 |   ), local.tags)
		29 | 
		30 |   ingress {
		31 |     protocol    = "tcp"
		32 |     from_port   = 2049
		33 |     to_port     = 2049
		34 |     cidr_blocks = [data.aws_vpc.shared.cidr_block]
		35 |   }
		36 | 
		37 |   egress {
		38 |     protocol  = "-1"
		39 |     from_port = 0
		40 |     to_port   = 0
		41 |     cidr_blocks = [
		42 |       "0.0.0.0/0",
		43 |     ]
		44 |   }
		45 | 
		46 |   lifecycle {
		47 |     create_before_destroy = true
		48 |   }
		49 | }
Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.oem_app
	File: /oem_ec2_app_lb.tf:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		1 | resource "aws_lb" "oem_app" {
		2 |   name               = "lb-${local.application_name}-app"
		3 |   load_balancer_type = "application"
		4 |   internal           = false
		5 |   security_groups    = [aws_security_group.load_balancer_security_group.id]
		6 |   subnets            = data.aws_subnets.shared-public.ids
		7 | 
		8 |   tags = local.tags
		9 | }

Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.oem_app
	File: /oem_ec2_app_lb.tf:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		1 | resource "aws_lb" "oem_app" {
		2 |   name               = "lb-${local.application_name}-app"
		3 |   load_balancer_type = "application"
		4 |   internal           = false
		5 |   security_groups    = [aws_security_group.load_balancer_security_group.id]
		6 |   subnets            = data.aws_subnets.shared-public.ids
		7 | 
		8 |   tags = local.tags
		9 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.oem_app
	File: /oem_ec2_app_lb.tf:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		1 | resource "aws_lb" "oem_app" {
		2 |   name               = "lb-${local.application_name}-app"
		3 |   load_balancer_type = "application"
		4 |   internal           = false
		5 |   security_groups    = [aws_security_group.load_balancer_security_group.id]
		6 |   subnets            = data.aws_subnets.shared-public.ids
		7 | 
		8 |   tags = local.tags
		9 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.load_balancer_security_group
	File: /oem_ec2_app_lb.tf:231-304
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.oem_app_internal
	File: /oem_ec2_app_lb_internal.tf:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		1 | resource "aws_lb" "oem_app_internal" {
		2 |   name               = "lb-${local.application_name}-app-internal"
		3 |   load_balancer_type = "application"
		4 |   internal           = true
		5 |   security_groups    = [aws_security_group.load_balancer_internal.id]
		6 |   subnets            = data.aws_subnets.shared-private.ids
		7 | 
		8 |   tags = local.tags
		9 | }

Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.oem_app_internal
	File: /oem_ec2_app_lb_internal.tf:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		1 | resource "aws_lb" "oem_app_internal" {
		2 |   name               = "lb-${local.application_name}-app-internal"
		3 |   load_balancer_type = "application"
		4 |   internal           = true
		5 |   security_groups    = [aws_security_group.load_balancer_internal.id]
		6 |   subnets            = data.aws_subnets.shared-private.ids
		7 | 
		8 |   tags = local.tags
		9 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.oem_app_internal
	File: /oem_ec2_app_lb_internal.tf:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		1 | resource "aws_lb" "oem_app_internal" {
		2 |   name               = "lb-${local.application_name}-app-internal"
		3 |   load_balancer_type = "application"
		4 |   internal           = true
		5 |   security_groups    = [aws_security_group.load_balancer_internal.id]
		6 |   subnets            = data.aws_subnets.shared-private.ids
		7 | 
		8 |   tags = local.tags
		9 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.load_balancer_internal
	File: /oem_ec2_app_lb_internal.tf:231-304
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.oem_app_security_group_1
	File: /oem_ec2_app_sg.tf:1-96
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.oem_app_security_group_2
	File: /oem_ec2_app_sg.tf:98-170
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.oem_db
	File: /oem_ec2_db.tf:10-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		10 | resource "aws_instance" "oem_db" {
		11 |   ami                         = local.application_data.accounts[local.environment].ec2_oem_ami_id_db
		12 |   associate_public_ip_address = false
		13 |   availability_zone           = local.application_data.accounts[local.environment].ec2_zone
		14 |   ebs_optimized               = true
		15 |   iam_instance_profile        = aws_iam_instance_profile.iam_instace_profile_oem_base.name
		16 |   instance_type               = local.application_data.accounts[local.environment].ec2_oem_instance_type_db
		17 |   key_name                    = local.application_data.accounts[local.environment].ec2_oem_key_name_db
		18 |   monitoring                  = true
		19 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		20 |   user_data_replace_on_change = true
		21 |   user_data = base64encode(templatefile("./templates/oem-user-data-db.sh", {
		22 |     efs_fqdn = aws_efs_file_system.oem_db_efs.dns_name
		23 |     env_fqdn = "${var.networking[0].business-unit}-${local.environment}.modernisation-platform.service.justice.gov.uk"
		24 |     hostname = "laa-oem-db"
		25 |   }))
		26 |   vpc_security_group_ids = [aws_security_group.oem_db_security_group.id]
		27 | 
		28 |   root_block_device {
		29 |     delete_on_termination = true
		30 |     encrypted             = true
		31 |     kms_key_id            = data.aws_kms_key.ebs_shared.arn
		32 |     iops                  = 3100
		33 |     volume_size           = 12
		34 |     volume_type           = "gp3"
		35 |   }
		36 | 
		37 |   volume_tags = merge(tomap({
		38 |     "Name"                 = "${local.application_name}-db-root",
		39 |     "volume-attach-host"   = "db",
		40 |     "volume-attach-device" = "/dev/sda1",
		41 |     "volume-mount-path"    = "/",
		42 |     "volume-backup"        = true
		43 |   }), local.tags)
		44 | 
		45 |   tags = merge(tomap({
		46 |     "Name"     = lower(format("ec2-%s-%s-db", local.application_name, local.environment)),
		47 |     "hostname" = "${local.application_name}-db",
		48 |     "env-fqdn" = "${var.networking[0].business-unit}-${local.environment}.modernisation-platform.service.justice.gov.uk"
		49 |   }), local.tags)
		50 | 
		51 |   lifecycle {
		52 |     ignore_changes = [
		53 |       volume_tags,
		54 |       user_data
		55 |     ]
		56 |   }
		57 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.oem_db_efs_sg
	File: /oem_ec2_db_efs.tf:21-49
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		21 | resource "aws_security_group" "oem_db_efs_sg" {
		22 |   name_prefix = "${local.application_name}-db-efs-sg-"
		23 |   description = "Allow inbound access from instances"
		24 |   vpc_id      = data.aws_vpc.shared.id
		25 | 
		26 |   tags = merge(tomap(
		27 |     { "Name" = "${local.application_name}-db-efs-sg" }
		28 |   ), local.tags)
		29 | 
		30 |   ingress {
		31 |     protocol    = "tcp"
		32 |     from_port   = 2049
		33 |     to_port     = 2049
		34 |     cidr_blocks = [data.aws_vpc.shared.cidr_block]
		35 |   }
		36 | 
		37 |   egress {
		38 |     protocol  = "-1"
		39 |     from_port = 0
		40 |     to_port   = 0
		41 |     cidr_blocks = [
		42 |       "0.0.0.0/0",
		43 |     ]
		44 |   }
		45 | 
		46 |   lifecycle {
		47 |     create_before_destroy = true
		48 |   }
		49 | }
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.oem_db_security_group
	File: /oem_ec2_db_sg.tf:1-88
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.oem_wl[0]
	File: /oem_ec2_wl.tf:11-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		11 | resource "aws_instance" "oem_wl" {
		12 |   count                       = length(local.application_data.accounts[local.environment].ec2_oem_ami_id_wl) > 0 ? 1 : 0
		13 |   ami                         = local.application_data.accounts[local.environment].ec2_oem_ami_id_wl
		14 |   associate_public_ip_address = false
		15 |   availability_zone           = local.application_data.accounts[local.environment].ec2_zone
		16 |   ebs_optimized               = true
		17 |   iam_instance_profile        = aws_iam_instance_profile.iam_instace_profile_oem_base.name
		18 |   instance_type               = local.application_data.accounts[local.environment].ec2_oem_instance_type_wl
		19 |   key_name                    = local.application_data.accounts[local.environment].ec2_oem_key_name_wl
		20 |   monitoring                  = true
		21 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		22 |   user_data_replace_on_change = true
		23 |   user_data = base64encode(templatefile("./templates/oem-user-data-wl.sh", {
		24 |     env_fqdn = "${var.networking[0].business-unit}-${local.environment}.modernisation-platform.service.justice.gov.uk"
		25 |     hostname = "laa-oem-wl"
		26 |   }))
		27 |   vpc_security_group_ids = [aws_security_group.oem_wl_security_group_1[count.index].id]
		28 | 
		29 |   root_block_device {
		30 |     delete_on_termination = true
		31 |     encrypted             = true
		32 |     iops                  = 3100
		33 |     kms_key_id            = data.aws_kms_key.ebs_shared.arn
		34 |     volume_size           = 12
		35 |     volume_type           = "gp3"
		36 |   }
		37 | 
		38 |   volume_tags = merge(tomap({
		39 |     "Name"                 = "${local.application_name}-wl-root",
		40 |     "volume-attach-host"   = "wl",
		41 |     "volume-attach-device" = "/dev/sda1",
		42 |     "volume-mount-path"    = "/",
		43 |     "volume-backup"        = true
		44 |   }), local.tags)
		45 | 
		46 |   tags = merge(tomap({
		47 |     "Name"     = lower(format("ec2-%s-%s-wl", local.application_name, local.environment)),
		48 |     "hostname" = "${local.application_name}-wl",
		49 |     "env-fqdn" = "${var.networking[0].business-unit}-${local.environment}.modernisation-platform.service.justice.gov.uk"
		50 |   }), local.tags)
		51 | 
		52 |   lifecycle {
		53 |     ignore_changes = [
		54 |       volume_tags,
		55 |       user_data
		56 |     ]
		57 |   }
		58 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.oem_wl_security_group_1[0]
	File: /oem_ec2_wl_sg.tf:7-79
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.laa_oem_shared
	File: /oem_s3.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		1 | resource "aws_s3_bucket" "laa_oem_shared" {
		2 |   bucket = "${local.application_name}-${local.environment}-shared"
		3 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.laa_oem_shared
	File: /oem_s3.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1 | resource "aws_s3_bucket" "laa_oem_shared" {
		2 |   bucket = "${local.application_name}-${local.environment}-shared"
		3 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.laa_oem_shared
	File: /oem_s3.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		1 | resource "aws_s3_bucket" "laa_oem_shared" {
		2 |   bucket = "${local.application_name}-${local.environment}-shared"
		3 | }
Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.oem_wl_security_group_1[0]
	File: /oem_ec2_wl_sg.tf:7-79
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.laa_oem_shared
	File: /oem_s3.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1 | resource "aws_s3_bucket" "laa_oem_shared" {
		2 |   bucket = "${local.application_name}-${local.environment}-shared"
		3 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.laa_oem_shared
	File: /oem_s3.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1 | resource "aws_s3_bucket" "laa_oem_shared" {
		2 |   bucket = "${local.application_name}-${local.environment}-shared"
		3 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.laa_oem_shared
	File: /oem_s3.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1 | resource "aws_s3_bucket" "laa_oem_shared" {
		2 |   bucket = "${local.application_name}-${local.environment}-shared"
		3 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.laa_oem_shared
	File: /oem_s3.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1 | resource "aws_s3_bucket" "laa_oem_shared" {
		2 |   bucket = "${local.application_name}-${local.environment}-shared"
		3 | }
Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF"
	FAILED for resource: aws_lb.oem_app
	File: /oem_ec2_app_lb.tf:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf

		1 | resource "aws_lb" "oem_app" {
		2 |   name               = "lb-${local.application_name}-app"
		3 |   load_balancer_type = "application"
		4 |   internal           = false
		5 |   security_groups    = [aws_security_group.load_balancer_security_group.id]
		6 |   subnets            = data.aws_subnets.shared-public.ids
		7 | 
		8 |   tags = local.tags
		9 | }


checkov_exitcode=1

TFLint Scan Success

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/laa-oem

*****************************

Running tflint in terraform/environments/laa-oem
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Failed

Show Output
*****************************

Trivy will check the following folders:
terraform/environments/laa-oem

*****************************

Running Trivy in terraform/environments/laa-oem
2024-09-12T12:47:53Z	INFO	[db] Need to update DB
2024-09-12T12:47:53Z	INFO	[db] Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-09-12T12:47:55Z	INFO	[vuln] Vulnerability scanning is enabled
2024-09-12T12:47:55Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-09-12T12:47:55Z	INFO	Need to update the built-in policies
2024-09-12T12:47:55Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-09-12T12:47:55Z	INFO	[secret] Secret scanning is enabled
2024-09-12T12:47:55Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-09-12T12:47:55Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.55/docs/scanner/secret#recommendation for faster secret detection
2024-09-12T12:47:56Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-09-12T12:47:56Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-09-12T12:47:56Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_route53_record.laa_cert_validation" value="cty.NilVal"
2024-09-12T12:47:56Z	INFO	Number of language-specific files	num=0
2024-09-12T12:47:56Z	INFO	Detected config files	num=13

oem_ec2_app.tf (terraform)
==========================
Tests: 6 (SUCCESSES: 5, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token
════════════════════════════════════════

IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional. 
To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 oem_ec2_app.tf:10-57
────────────────────────────────────────
  10 ┌ resource "aws_instance" "oem_app" {
  11 │   ami                         = local.application_data.accounts[local.environment].ec2_oem_ami_id_app
  12 │   associate_public_ip_address = false
  13 │   availability_zone           = local.application_data.accounts[local.environment].ec2_zone
  14 │   ebs_optimized               = true
  15 │   iam_instance_profile        = aws_iam_instance_profile.iam_instace_profile_oem_base.name
  16 │   instance_type               = local.application_data.accounts[local.environment].ec2_oem_instance_type_app
  17 │   key_name                    = local.application_data.accounts[local.environment].ec2_oem_key_name_app
  18 │   monitoring                  = true
  ..   
────────────────────────────────────────



oem_ec2_app_efs.tf (terraform)
==============================
Tests: 3 (SUCCESSES: 2, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 oem_ec2_app_efs.tf:41-43
   via oem_ec2_app_efs.tf:37-44 (egress)
    via oem_ec2_app_efs.tf:21-49 (aws_security_group.oem_app_efs_sg)
────────────────────────────────────────
  21   resource "aws_security_group" "oem_app_efs_sg" {
  ..   
  41 ┌     cidr_blocks = [
  42 │       "0.0.0.0/0",
  43 └     ]
  ..   
  49   }
────────────────────────────────────────



oem_ec2_app_lb.tf (terraform)
=============================
Tests: 21 (SUCCESSES: 15, FAILURES: 6, EXCEPTIONS: 0)
Failures: 6 (HIGH: 2, CRITICAL: 4)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise. 

By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 oem_ec2_app_lb.tf:1-9
────────────────────────────────────────
   1 ┌ resource "aws_lb" "oem_app" {
   2 │   name               = "lb-${local.application_name}-app"
   3 │   load_balancer_type = "application"
   4 │   internal           = false
   5 │   security_groups    = [aws_security_group.load_balancer_security_group.id]
   6 │   subnets            = data.aws_subnets.shared-public.ids
   7 │ 
   8 │   tags = local.tags
   9 └ }
────────────────────────────────────────


HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 oem_ec2_app_lb.tf:4
   via oem_ec2_app_lb.tf:1-9 (aws_lb.oem_app)
────────────────────────────────────────
   1   resource "aws_lb" "oem_app" {
   2     name               = "lb-${local.application_name}-app"
   3     load_balancer_type = "application"
   4 [   internal           = false
   5     security_groups    = [aws_security_group.load_balancer_security_group.id]
   6     subnets            = data.aws_subnets.shared-public.ids
   7   
   8     tags = local.tags
   9   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 oem_ec2_app_lb.tf:300-302
   via oem_ec2_app_lb.tf:296-303 (egress)
    via oem_ec2_app_lb.tf:231-304 (aws_security_group.load_balancer_security_group)
────────────────────────────────────────
 231   resource "aws_security_group" "load_balancer_security_group" {
 ...   
 300 ┌     cidr_blocks = [
 301 │       "0.0.0.0/0",
 302 └     ]
 ...   
 304   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 oem_ec2_app_lb.tf:258
   via oem_ec2_app_lb.tf:254-259 (ingress)
    via oem_ec2_app_lb.tf:231-304 (aws_security_group.load_balancer_security_group)
────────────────────────────────────────
 231   resource "aws_security_group" "load_balancer_security_group" {
 ...   
 258 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 304   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 oem_ec2_app_lb.tf:272
   via oem_ec2_app_lb.tf:268-273 (ingress)
    via oem_ec2_app_lb.tf:231-304 (aws_security_group.load_balancer_security_group)
────────────────────────────────────────
 231   resource "aws_security_group" "load_balancer_security_group" {
 ...   
 272 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 304   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 oem_ec2_app_lb.tf:293
   via oem_ec2_app_lb.tf:289-294 (ingress)
    via oem_ec2_app_lb.tf:231-304 (aws_security_group.load_balancer_security_group)
────────────────────────────────────────
 231   resource "aws_security_group" "load_balancer_security_group" {
 ...   
 293 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 304   }
────────────────────────────────────────



oem_ec2_app_lb_internal.tf (terraform)
======================================
Tests: 21 (SUCCESSES: 16, FAILURES: 5, EXCEPTIONS: 0)
Failures: 5 (HIGH: 1, CRITICAL: 4)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise. 

By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 oem_ec2_app_lb_internal.tf:1-9
────────────────────────────────────────
   1 ┌ resource "aws_lb" "oem_app_internal" {
   2 │   name               = "lb-${local.application_name}-app-internal"
   3 │   load_balancer_type = "application"
   4 │   internal           = true
   5 │   security_groups    = [aws_security_group.load_balancer_internal.id]
   6 │   subnets            = data.aws_subnets.shared-private.ids
   7 │
   8 │   tags = local.tags
   9 └ }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 oem_ec2_app_lb_internal.tf:300-302
   via oem_ec2_app_lb_internal.tf:296-303 (egress)
    via oem_ec2_app_lb_internal.tf:231-304 (aws_security_group.load_balancer_internal)
────────────────────────────────────────
 231   resource "aws_security_group" "load_balancer_internal" {
 ...   
 300 ┌     cidr_blocks = [
 301 │       "0.0.0.0/0",
 302 └     ]
 ...   
 304   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 oem_ec2_app_lb_internal.tf:258
   via oem_ec2_app_lb_internal.tf:254-259 (ingress)
    via oem_ec2_app_lb_internal.tf:231-304 (aws_security_group.load_balancer_internal)
────────────────────────────────────────
 231   resource "aws_security_group" "load_balancer_internal" {
 ...   
 258 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 304   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 oem_ec2_app_lb_internal.tf:272
   via oem_ec2_app_lb_internal.tf:268-273 (ingress)
    via oem_ec2_app_lb_internal.tf:231-304 (aws_security_group.load_balancer_internal)
────────────────────────────────────────
 231   resource "aws_security_group" "load_balancer_internal" {
 ...   
 272 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 304   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 oem_ec2_app_lb_internal.tf:293
   via oem_ec2_app_lb_internal.tf:289-294 (ingress)
    via oem_ec2_app_lb_internal.tf:231-304 (aws_security_group.load_balancer_internal)
────────────────────────────────────────
 231   resource "aws_security_group" "load_balancer_internal" {
 ...   
 293 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 304   }
────────────────────────────────────────



oem_ec2_app_sg.tf (terraform)
=============================
Tests: 19 (SUCCESSES: 18, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 oem_ec2_app_sg.tf:14-16
   via oem_ec2_app_sg.tf:10-17 (egress)
    via oem_ec2_app_sg.tf:1-96 (aws_security_group.oem_app_security_group_1)
────────────────────────────────────────
   1   resource "aws_security_group" "oem_app_security_group_1" {
   .   
  14 ┌     cidr_blocks = [
  15 │       "0.0.0.0/0"
  16 └     ]
  ..   
  96   }
────────────────────────────────────────



oem_ec2_db.tf (terraform)
=========================
Tests: 9 (SUCCESSES: 8, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token
════════════════════════════════════════

IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default the aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using the metadata_options block and its http_tokens variable set to required.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 oem_ec2_db.tf:10-57
────────────────────────────────────────
  10 ┌ resource "aws_instance" "oem_db" {
  11 │   ami                         = local.application_data.accounts[local.environment].ec2_oem_ami_id_db
  12 │   associate_public_ip_address = false
  13 │   availability_zone           = local.application_data.accounts[local.environment].ec2_zone
  14 │   ebs_optimized               = true
  15 │   iam_instance_profile        = aws_iam_instance_profile.iam_instace_profile_oem_base.name
  16 │   instance_type               = local.application_data.accounts[local.environment].ec2_oem_instance_type_db
  17 │   key_name                    = local.application_data.accounts[local.environment].ec2_oem_key_name_db
  18 └   monitoring                  = true
  ..   
────────────────────────────────────────



oem_ec2_db_efs.tf (terraform)
=============================
Tests: 3 (SUCCESSES: 2, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 oem_ec2_db_efs.tf:41-43
   via oem_ec2_db_efs.tf:37-44 (egress)
    via oem_ec2_db_efs.tf:21-49 (aws_security_group.oem_db_efs_sg)
────────────────────────────────────────
  21   resource "aws_security_group" "oem_db_efs_sg" {
  ..   
  41 ┌     cidr_blocks = [
  42 │       "0.0.0.0/0",
  43 └     ]
  ..   
  49   }
────────────────────────────────────────



oem_ec2_db_sg.tf (terraform)
============================
Tests: 11 (SUCCESSES: 10, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 oem_ec2_db_sg.tf:14-16
   via oem_ec2_db_sg.tf:10-17 (egress)
    via oem_ec2_db_sg.tf:1-88 (aws_security_group.oem_db_security_group)
────────────────────────────────────────
   1   resource "aws_security_group" "oem_db_security_group" {
   .   
  14 ┌     cidr_blocks = [
  15 │       "0.0.0.0/0"
  16 └     ]
  ..   
  88   }
────────────────────────────────────────



oem_ec2_wl.tf (terraform)
=========================
Tests: 6 (SUCCESSES: 5, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token
════════════════════════════════════════

IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default the aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using the metadata_options block and its http_tokens variable set to required.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 oem_ec2_wl.tf:11-58
────────────────────────────────────────
  11 ┌ resource "aws_instance" "oem_wl" {
  12 │   count                       = length(local.application_data.accounts[local.environment].ec2_oem_ami_id_wl) > 0 ? 1 : 0
  13 │   ami                         = local.application_data.accounts[local.environment].ec2_oem_ami_id_wl
  14 │   associate_public_ip_address = false
  15 │   availability_zone           = local.application_data.accounts[local.environment].ec2_zone
  16 │   ebs_optimized               = true
  17 │   iam_instance_profile        = aws_iam_instance_profile.iam_instace_profile_oem_base.name
  18 │   instance_type               = local.application_data.accounts[local.environment].ec2_oem_instance_type_wl
  19 └   key_name                    = local.application_data.accounts[local.environment].ec2_oem_key_name_wl
  ..   
────────────────────────────────────────



oem_ec2_wl_sg.tf (terraform)
============================
Tests: 8 (SUCCESSES: 7, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 oem_ec2_wl_sg.tf:21-23
   via oem_ec2_wl_sg.tf:17-24 (egress)
    via oem_ec2_wl_sg.tf:7-79 (aws_security_group.oem_wl_security_group_1[0])
────────────────────────────────────────
   7   resource "aws_security_group" "oem_wl_security_group_1" {
   .   
  21 ┌     cidr_blocks = [
  22 │       "0.0.0.0/0"
  23 └     ]
  ..   
  79   }
────────────────────────────────────────



oem_s3.tf (terraform)
=====================
Tests: 7 (SUCCESSES: 1, FAILURES: 6, EXCEPTIONS: 0)
Failures: 6 (HIGH: 6, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs will fail if the object has any public ACL.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 oem_s3.tf:1-3
────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "laa_oem_shared" {
   2 │   bucket = "${local.application_name}-${local.environment}-shared"
   3 └ }
────────────────────────────────────────


HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enables public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 oem_s3.tf:1-3
────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "laa_oem_shared" {
   2 │   bucket = "${local.application_name}-${local.environment}-shared"
   3 └ }
────────────────────────────────────────


HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 oem_s3.tf:1-3
────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "laa_oem_shared" {
   2 │   bucket = "${local.application_name}-${local.environment}-shared"
   3 └ }
────────────────────────────────────────


HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 oem_s3.tf:1-3
────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "laa_oem_shared" {
   2 │   bucket = "${local.application_name}-${local.environment}-shared"
   3 └ }
────────────────────────────────────────


HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 oem_s3.tf:1-3
────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "laa_oem_shared" {
   2 │   bucket = "${local.application_name}-${local.environment}-shared"
   3 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 oem_s3.tf:1-3
────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "laa_oem_shared" {
   2 │   bucket = "${local.application_name}-${local.environment}-shared"
   3 └ }
────────────────────────────────────────


trivy_exitcode=1

@mmgovuk mmgovuk temporarily deployed to ccms-ebs-upgrade-development September 12, 2024 14:52 — with GitHub Actions Inactive
@mmgovuk mmgovuk temporarily deployed to ccms-ebs-upgrade-test September 12, 2024 14:52 — with GitHub Actions Inactive
@mmgovuk mmgovuk temporarily deployed to ccms-ebs-development September 12, 2024 14:52 — with GitHub Actions Inactive
@mmgovuk mmgovuk marked this pull request as ready for review September 12, 2024 15:37
@mmgovuk mmgovuk requested review from a team as code owners September 12, 2024 15:37
@mmgovuk mmgovuk merged commit 9b8283f into main Sep 12, 2024
31 of 32 checks passed
@mmgovuk mmgovuk deleted the CC-2812/ssm-command-oracle-script branch September 12, 2024 15:39