ministryofjustice / modernisation-platform-environments

Modernisation platform environments • This repository is defined and managed in Terraform
MIT License

Update_291024_1 #8488

Closed nbuckingham72 closed 18 hours ago

nbuckingham72 commented 19 hours ago

Updated python scripts with correct alarm name, re-enabled lambda code signing on the two alarm functions.

github-actions[bot] commented 18 hours ago

#### `Trivy Scan` Failed

```hcl
*****************************
Trivy will check the following folders:
terraform/environments/ppud
*****************************
Running Trivy in terraform/environments/ppud
2024-10-29T08:30:34Z INFO [vulndb] Need to update DB
2024-10-29T08:30:34Z INFO [vulndb] Downloading vulnerability DB...
2024-10-29T08:30:34Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-29T08:30:37Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-29T08:30:37Z INFO [vuln] Vulnerability scanning is enabled
2024-10-29T08:30:37Z INFO [misconfig] Misconfiguration scanning is enabled
2024-10-29T08:30:37Z INFO [misconfig] Need to update the built-in checks
2024-10-29T08:30:37Z INFO [misconfig] Downloading the built-in checks...
2024-10-29T08:30:37Z ERROR [misconfig] Falling back to embedded checks err="failed to download built-in policies: download error: OCI repository error: 1 error occurred:\n\t* GET https://ghcr.io/v2/aquasecurity/trivy-checks/manifests/1: TOOMANYREQUESTS: retry-after: 46.104µs, allowed: 44000/minute\n\n"
2024-10-29T08:30:37Z INFO [secret] Secret scanning is enabled
2024-10-29T08:30:37Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-29T08:30:37Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-29T08:30:38Z INFO [terraform scanner] Scanning root module file_path="."
2024-10-29T08:30:39Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-10-29T08:30:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.Memory_percentage_Committed_Bytes_In_Use" value="cty.NilVal"
2024-10-29T08:30:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.Windows_IIS_check" value="cty.NilVal"
2024-10-29T08:30:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.cpu" value="cty.NilVal"
2024-10-29T08:30:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.cpu_usage_iowait" value="cty.NilVal"
2024-10-29T08:30:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.instance_health_check" value="cty.NilVal"
2024-10-29T08:30:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.linux_cpu" value="cty.NilVal"
2024-10-29T08:30:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.linux_cpu_usage_iowait" value="cty.NilVal"
2024-10-29T08:30:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.linux_ec2_high_memory_usage" value="cty.NilVal"
2024-10-29T08:30:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.linux_instance_health_check" value="cty.NilVal"
2024-10-29T08:30:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.linux_system_health_check" value="cty.NilVal"
2024-10-29T08:30:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.low_disk_space_C_volume" value="cty.NilVal"
2024-10-29T08:30:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.low_disk_space_D_volume" value="cty.NilVal"
2024-10-29T08:30:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.low_disk_space_root_volume" value="cty.NilVal"
2024-10-29T08:30:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.malware-event-behavior-detected" value="cty.NilVal"
2024-10-29T08:30:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.malware-event-engine-out-of-date" value="cty.NilVal"
2024-10-29T08:30:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.malware-event-engine-update-failed" value="cty.NilVal"
2024-10-29T08:30:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.malware-event-scan-failed" value="cty.NilVal"
2024-10-29T08:30:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.malware-event-signature-update-failed" value="cty.NilVal"
2024-10-29T08:30:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.malware-event-state-detected" value="cty.NilVal"
2024-10-29T08:30:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.system_health_check" value="cty.NilVal"
2024-10-29T08:30:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="data.aws_instance.linux_instance_details" value="cty.NilVal"
2024-10-29T08:30:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="data.aws_instance.windows_instance_details" value="cty.NilVal"
2024-10-29T08:30:39Z INFO [terraform executor] Ignore finding rule="aws-iam-no-user-attached-policies" range="iam.tf:899-906"
2024-10-29T08:30:39Z INFO Number of language-specific files num=0
2024-10-29T08:30:39Z INFO Detected config files num=6

alb_external.tf (terraform)
===========================
Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 alb_external.tf:90
   via alb_external.tf:86-106 (aws_lb.WAM-ALB)
────────────────────────────────────────
  86   resource "aws_lb" "WAM-ALB" {
  ..
  90 [   internal = false
  ...
 106   }
────────────────────────────────────────

s3.tf (terraform)
=================
Tests: 2 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 s3.tf:115-128
────────────────────────────────────────
 115 ┌ resource "aws_s3_bucket" "MoJ-Health-Check-Reports" {
 116 │   # checkov:skip=CKV_AWS_145: "S3 bucket is not public facing, does not contain any sensitive information and does not need encryption"
 117 │   # checkov:skip=CKV_AWS_62: "S3 bucket event notification is not required"
 118 │   # checkov:skip=CKV2_AWS_62: "S3 bucket event notification is not required"
 119 │   # checkov:skip=CKV_AWS_144: "PPUD has a UK Sovereignty requirement so cross region replication is prohibited"
 120 │   # checkov:skip=CKV_AWS_18: "S3 bucket logging is not required"
 121 │   bucket = local.application_data.accounts[local.environment].ssm_health_check_reports_s3
 122 │   tags = merge(
 123 └     local.tags,
 ...
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 s3.tf:115-128
────────────────────────────────────────
 115 ┌ resource "aws_s3_bucket" "MoJ-Health-Check-Reports" {
 116 │   # checkov:skip=CKV_AWS_145: "S3 bucket is not public facing, does not contain any sensitive information and does not need encryption"
 117 │   # checkov:skip=CKV_AWS_62: "S3 bucket event notification is not required"
 118 │   # checkov:skip=CKV2_AWS_62: "S3 bucket event notification is not required"
 119 │   # checkov:skip=CKV_AWS_144: "PPUD has a UK Sovereignty requirement so cross region replication is prohibited"
 120 │   # checkov:skip=CKV_AWS_18: "S3 bucket logging is not required"
 121 │   bucket = local.application_data.accounts[local.environment].ssm_health_check_reports_s3
 122 │   tags = merge(
 123 └     local.tags,
 ...
────────────────────────────────────────

trivy_exitcode=1
```
#### `Checkov Scan` Failed
```hcl
*****************************
Checkov will check the following folders:
terraform/environments/ppud
*****************************
Running Checkov in terraform/environments/ppud
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-10-29 08:30:42,658 [MainThread ] [WARNI] [ArmLocalGraph] created 0 vertices
2024-10-29 08:30:42,658 [MainThread ] [WARNI] [ArmLocalGraph] created 0 edges
terraform scan results:

Passed checks: 1009, Failed checks: 19, Skipped checks: 146

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.WAM-ALB
	File: /alb_external.tf:86-106
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22
		86 | resource "aws_lb" "WAM-ALB" { 87 | # checkov:skip=CKV2_AWS_28: "ALB is already protected by WAF" 88 | # checkov:skip=CKV_AWS_152: "ALB target groups only have 2 targets so cross zone load balancing is not required" 89 | name = local.application_data.accounts[local.environment].WAM_ALB 90 | internal = false 91 | load_balancer_type = "application" 92 | security_groups = [aws_security_group.WAM-ALB.id] 93 | subnets = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id] 94 | # access_logs { 95 | # bucket = aws_s3_bucket.moj-log-files-dev[0].id 96 | # prefix = "alb-logs" 97 | # enabled = true 98 | # } 99 | 100 | enable_deletion_protection = true 101 | drop_invalid_header_fields = true 102 | 103 | tags = { 104 | Name = "${var.networking[0].business-unit}-${local.environment}" 105 | } 106 | }
Check: CKV_AWS_378: "Ensure AWS Load Balancer doesn't use HTTP protocol"
	FAILED for resource: aws_lb_target_group.WAM-Target-Group
	File: /alb_external.tf:150-170
		150 | resource "aws_lb_target_group" "WAM-Target-Group" { 151 | name = "WAM" 152 | port = 80 153 | protocol = "HTTP" 154 | vpc_id = data.aws_vpc.shared.id 155 | 156 | health_check { 157 | enabled = true 158 | path = 
"/" 159 | interval = 30 160 | protocol = "HTTP" 161 | port = 80 162 | timeout = 5 163 | healthy_threshold = 5 164 | unhealthy_threshold = 2 165 | matcher = "302" 166 | } 167 | tags = { 168 | Name = "${var.networking[0].business-unit}-${local.environment}" 169 | } 170 | } Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled" FAILED for resource: aws_lb.PPUD-internal-ALB File: /alb_internal.tf:5-26 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22 5 | resource "aws_lb" "PPUD-internal-ALB" { 6 | # checkov:skip=CKV_AWS_152: "ALB target groups only have 2 targets so cross zone load balancing is not required" 7 | count = local.is-development == false ? 1 : 0 8 | name = local.application_data.accounts[local.environment].PPUD_Internal_ALB 9 | internal = true 10 | idle_timeout = 240 11 | load_balancer_type = "application" 12 | security_groups = [aws_security_group.PPUD-ALB.id] 13 | subnets = [data.aws_subnet.private_subnets_b.id, data.aws_subnet.private_subnets_c.id] 14 | # access_logs { 15 | # bucket = aws_s3_bucket.moj-log-files-uat[0].id 16 | # prefix = "alb-logs" 17 | # enabled = true 18 | # } 19 | 20 | enable_deletion_protection = true 21 | drop_invalid_header_fields = true 22 | 23 | tags = { 24 | Name = "${var.networking[0].business-unit}-${local.environment}" 25 | } 26 | } Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing" FAILED for resource: aws_lambda_function.terraform_lambda_func_certificate_expiry_dev File: /certificate_mgmt.tf:16-41 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272 16 | resource "aws_lambda_function" "terraform_lambda_func_certificate_expiry_dev" { 17 | # checkov:skip=CKV_AWS_117: "PPUD Lambda functions do not require VPC access and can run in no-VPC mode" 18 | # checkov:skip=CKV_AWS_173: "PPUD Lambda environmental variables do not 
contain sensitive information" 19 | count = local.is-development == true ? 1 : 0 20 | filename = "${path.module}/lambda_scripts/certificate_expiry_dev.zip" 21 | function_name = "certificate_expiry_dev" 22 | role = aws_iam_role.lambda_role_certificate_expiry_dev[0].arn 23 | handler = "certificate_expiry_dev.lambda_handler" 24 | runtime = "python3.8" 25 | timeout = 30 26 | reserved_concurrent_executions = 5 27 | # code_signing_config_arn = "arn:aws:lambda:eu-west-2:075585660276:code-signing-config:csc-0c7136ccff2de748f" 28 | depends_on = [aws_iam_role_policy_attachment.attach_lambda_policy_certificate_expiry_to_lambda_role_certificate_expiry_dev] 29 | environment { 30 | variables = { 31 | EXPIRY_DAYS = "45", 32 | SNS_TOPIC_ARN = "arn:aws:sns:eu-west-2:075585660276:ec2_cloudwatch_alarms" 33 | } 34 | } 35 | dead_letter_config { 36 | target_arn = aws_sqs_queue.lambda_queue_dev[0].arn 37 | } 38 | tracing_config { 39 | mode = "Active" 40 | } 41 | } Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing" FAILED for resource: aws_lambda_function.terraform_lambda_func_certificate_expiry_uat File: /certificate_mgmt.tf:94-119 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272 94 | resource "aws_lambda_function" "terraform_lambda_func_certificate_expiry_uat" { 95 | # checkov:skip=CKV_AWS_117: "PPUD Lambda functions do not require VPC access and can run in no-VPC mode" 96 | # checkov:skip=CKV_AWS_173: "PPUD Lambda environmental variables do not contain sensitive information" 97 | count = local.is-preproduction == true ? 
1 : 0 98 | filename = "${path.module}/lambda_scripts/certificate_expiry_uat.zip" 99 | function_name = "certificate_expiry_uat" 100 | role = aws_iam_role.lambda_role_certificate_expiry_uat[0].arn 101 | handler = "certificate_expiry_uat.lambda_handler" 102 | runtime = "python3.8" 103 | timeout = 30 104 | reserved_concurrent_executions = 5 105 | # code_signing_config_arn = "arn:aws:lambda:eu-west-2:172753231260:code-signing-config:csc-0db408c5170a8eba6" 106 | depends_on = [aws_iam_role_policy_attachment.attach_lambda_policy_certificate_expiry_to_lambda_role_certificate_expiry_uat] 107 | environment { 108 | variables = { 109 | EXPIRY_DAYS = "45", 110 | SNS_TOPIC_ARN = "arn:aws:sns:eu-west-2:172753231260:ppud-uat-cw-alerts" 111 | } 112 | } 113 | dead_letter_config { 114 | target_arn = aws_sqs_queue.lambda_queue_uat[0].arn 115 | } 116 | tracing_config { 117 | mode = "Active" 118 | } 119 | } Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing" FAILED for resource: aws_lambda_function.terraform_lambda_func_certificate_expiry_prod File: /certificate_mgmt.tf:172-197 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272 172 | resource "aws_lambda_function" "terraform_lambda_func_certificate_expiry_prod" { 173 | # checkov:skip=CKV_AWS_117: "PPUD Lambda functions do not require VPC access and can run in no-VPC mode" 174 | # checkov:skip=CKV_AWS_173: "PPUD Lambda environmental variables do not contain sensitive information" 175 | count = local.is-production == true ? 
1 : 0 176 | filename = "${path.module}/lambda_scripts/certificate_expiry_prod.zip" 177 | function_name = "certificate_expiry_prod" 178 | role = aws_iam_role.lambda_role_certificate_expiry_prod[0].arn 179 | handler = "certificate_expiry_prod.lambda_handler" 180 | runtime = "python3.8" 181 | timeout = 30 182 | reserved_concurrent_executions = 5 183 | # code_signing_config_arn = "arn:aws:lambda:eu-west-2:817985104434:code-signing-config:csc-0bafee04a642a41c1" 184 | depends_on = [aws_iam_role_policy_attachment.attach_lambda_policy_certificate_expiry_to_lambda_role_certificate_expiry_prod] 185 | environment { 186 | variables = { 187 | EXPIRY_DAYS = "45", 188 | SNS_TOPIC_ARN = "arn:aws:sns:eu-west-2:817985104434:ppud-prod-cw-alerts" 189 | } 190 | } 191 | dead_letter_config { 192 | target_arn = aws_sqs_queue.lambda_queue_prod[0].arn 193 | } 194 | tracing_config { 195 | mode = "Active" 196 | } 197 | } Check: CKV_AWS_123: "Ensure that VPC Endpoint Service is configured for Manual Acceptance" FAILED for resource: aws_vpc_endpoint_service.HomeOffice File: /endpointservice.tf:1-8 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-vpc-endpoint-service-is-configured-for-manual-acceptance 1 | resource "aws_vpc_endpoint_service" "HomeOffice" { 2 | count = local.is-production == true ? 
1 : 0 3 | acceptance_required = false 4 | network_load_balancer_arns = [aws_lb.ppud_internal_nlb[0].arn] 5 | tags = { 6 | Name = "HomeOffice-Endpoint" 7 | } 8 | } Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled" FAILED for resource: aws_lb.ppud_internal_nlb File: /endpointservice.tf:16-35 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22 16 | resource "aws_lb" "ppud_internal_nlb" { 17 | # checkov:skip=CKV2_AWS_28: "ALB is already protected by WAF" 18 | # checkov:skip=CKV_AWS_152: "ALB target groups only have 2 targets so cross zone load balancing is not required" 19 | count = local.is-production == true ? 1 : 0 20 | name = "ppud-internal-nlb" 21 | internal = true 22 | load_balancer_type = "network" 23 | subnets = [data.aws_subnet.private_subnets_b.id, data.aws_subnet.private_subnets_c.id] 24 | security_groups = [aws_security_group.PPUD-ALB.id] 25 | enable_deletion_protection = true 26 | #access_logs { 27 | # bucket = aws_s3_bucket.moj-log-files-prod[0].id 28 | # prefix = "alb-logs" 29 | # enabled = true 30 | #} 31 | 32 | tags = { 33 | Name = "${var.networking[0].business-unit}-${local.environment}" 34 | } 35 | } Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing" FAILED for resource: aws_lambda_function.terraform_lambda_func_stop File: /lambda.tf:23-40 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272 23 | resource "aws_lambda_function" "terraform_lambda_func_stop" { 24 | # checkov:skip=CKV_AWS_117: "PPUD Lambda functions do not require VPC access and can run in no-VPC mode" 25 | count = local.is-production == true ? 
1 : 0 26 | filename = "${path.module}/stop-instance/StopEC2Instances.zip" 27 | function_name = "stop_Lambda_Function" 28 | role = aws_iam_role.lambda_role[0].arn 29 | handler = "StopEC2Instances.lambda_handler" 30 | runtime = "python3.9" 31 | depends_on = [aws_iam_role_policy_attachment.attach_lambda_policy_to_lambda_role] 32 | reserved_concurrent_executions = 5 33 | # code_signing_config_arn = "arn:aws:lambda:eu-west-2:817985104434:code-signing-config:csc-0bafee04a642a41c1" 34 | dead_letter_config { 35 | target_arn = aws_sqs_queue.lambda_queue_prod[0].arn 36 | } 37 | tracing_config { 38 | mode = "Active" 39 | } 40 | } Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing" FAILED for resource: aws_lambda_function.terraform_lambda_func_start File: /lambda.tf:42-59 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272 42 | resource "aws_lambda_function" "terraform_lambda_func_start" { 43 | # checkov:skip=CKV_AWS_117: "PPUD Lambda functions do not require VPC access and can run in no-VPC mode" 44 | count = local.is-production == true ? 
1 : 0 45 | filename = "${path.module}/start-instance/StartEC2Instances.zip" 46 | function_name = "start_Lambda_Function" 47 | role = aws_iam_role.lambda_role[0].arn 48 | handler = "StartEC2Instances.lambda_handler" 49 | runtime = "python3.9" 50 | depends_on = [aws_iam_role_policy_attachment.attach_lambda_policy_to_lambda_role] 51 | reserved_concurrent_executions = 5 52 | # code_signing_config_arn = "arn:aws:lambda:eu-west-2:817985104434:code-signing-config:csc-0bafee04a642a41c1" 53 | dead_letter_config { 54 | target_arn = aws_sqs_queue.lambda_queue_prod[0].arn 55 | } 56 | tracing_config { 57 | mode = "Active" 58 | } 59 | } Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing" FAILED for resource: aws_lambda_function.terraform_lambda_func_terminate_cpu_process_dev File: /lambda.tf:246-264 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272 246 | resource "aws_lambda_function" "terraform_lambda_func_terminate_cpu_process_dev" { 247 | # checkov:skip=CKV_AWS_117: "PPUD Lambda functions do not require VPC access and can run in no-VPC mode" 248 | count = local.is-development == true ? 
1 : 0 249 | filename = "${path.module}/lambda_scripts/terminate_cpu_process_dev.zip" 250 | function_name = "terminate_cpu_process" 251 | role = aws_iam_role.lambda_role_cloudwatch_invoke_lambda_dev[0].arn 252 | handler = "terminate_cpu_process_dev.lambda_handler" 253 | runtime = "python3.12" 254 | timeout = 300 255 | depends_on = [aws_iam_role_policy_attachment.attach_lambda_policy_cloudwatch_invoke_lambda_to_lambda_role_cloudwatch_invoke_lambda_dev] 256 | reserved_concurrent_executions = 5 257 | # code_signing_config_arn = "arn:aws:lambda:eu-west-2:075585660276:code-signing-config:csc-0c7136ccff2de748f" 258 | dead_letter_config { 259 | target_arn = aws_sqs_queue.lambda_queue_dev[0].arn 260 | } 261 | tracing_config { 262 | mode = "Active" 263 | } 264 | } Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing" FAILED for resource: aws_lambda_function.terraform_lambda_func_terminate_cpu_process_uat File: /lambda.tf:288-306 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272 288 | resource "aws_lambda_function" "terraform_lambda_func_terminate_cpu_process_uat" { 289 | # checkov:skip=CKV_AWS_117: "PPUD Lambda functions do not require VPC access and can run in no-VPC mode" 290 | count = local.is-preproduction == true ? 
1 : 0 291 | filename = "${path.module}/lambda_scripts/terminate_cpu_process_uat.zip" 292 | function_name = "terminate_cpu_process" 293 | role = aws_iam_role.lambda_role_cloudwatch_invoke_lambda_uat[0].arn 294 | handler = "terminate_cpu_process_uat.lambda_handler" 295 | runtime = "python3.12" 296 | timeout = 300 297 | depends_on = [aws_iam_role_policy_attachment.attach_lambda_policy_cloudwatch_invoke_lambda_to_lambda_role_cloudwatch_invoke_lambda_uat] 298 | reserved_concurrent_executions = 5 299 | # code_signing_config_arn = "arn:aws:lambda:eu-west-2:172753231260:code-signing-config:csc-0db408c5170a8eba6" 300 | dead_letter_config { 301 | target_arn = aws_sqs_queue.lambda_queue_uat[0].arn 302 | } 303 | tracing_config { 304 | mode = "Active" 305 | } 306 | } Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing" FAILED for resource: aws_lambda_function.terraform_lambda_func_terminate_cpu_process_prod File: /lambda.tf:330-348 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272 330 | resource "aws_lambda_function" "terraform_lambda_func_terminate_cpu_process_prod" { 331 | # checkov:skip=CKV_AWS_117: "PPUD Lambda functions do not require VPC access and can run in no-VPC mode" 332 | count = local.is-production == true ? 
1 : 0 333 | filename = "${path.module}/lambda_scripts/terminate_cpu_process_prod.zip" 334 | function_name = "terminate_cpu_process" 335 | role = aws_iam_role.lambda_role_cloudwatch_invoke_lambda_prod[0].arn 336 | handler = "terminate_cpu_process_prod.lambda_handler" 337 | runtime = "python3.12" 338 | timeout = 300 339 | depends_on = [aws_iam_role_policy_attachment.attach_lambda_policy_cloudwatch_invoke_lambda_to_lambda_role_cloudwatch_invoke_lambda_prod] 340 | reserved_concurrent_executions = 5 341 | # code_signing_config_arn = "arn:aws:lambda:eu-west-2:817985104434:code-signing-config:csc-0bafee04a642a41c1" 342 | dead_letter_config { 343 | target_arn = aws_sqs_queue.lambda_queue_prod[0].arn 344 | } 345 | tracing_config { 346 | mode = "Active" 347 | } 348 | } Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing" FAILED for resource: aws_lambda_function.terraform_lambda_func_send_cpu_notification_dev File: /lambda.tf:372-390 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272 372 | resource "aws_lambda_function" "terraform_lambda_func_send_cpu_notification_dev" { 373 | # checkov:skip=CKV_AWS_117: "PPUD Lambda functions do not require VPC access and can run in no-VPC mode" 374 | count = local.is-development == true ? 
1 : 0 375 | filename = "${path.module}/lambda_scripts/send_cpu_notification_dev.zip" 376 | function_name = "send_cpu_notification" 377 | role = aws_iam_role.lambda_role_cloudwatch_invoke_lambda_dev[0].arn 378 | handler = "send_cpu_notification_dev.lambda_handler" 379 | runtime = "python3.12" 380 | timeout = 300 381 | depends_on = [aws_iam_role_policy_attachment.attach_lambda_policy_cloudwatch_invoke_lambda_to_lambda_role_cloudwatch_invoke_lambda_dev] 382 | reserved_concurrent_executions = 5 383 | # code_signing_config_arn = "arn:aws:lambda:eu-west-2:075585660276:code-signing-config:csc-0c7136ccff2de748f" 384 | dead_letter_config { 385 | target_arn = aws_sqs_queue.lambda_queue_dev[0].arn 386 | } 387 | tracing_config { 388 | mode = "Active" 389 | } 390 | } Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing" FAILED for resource: aws_lambda_function.terraform_lambda_func_send_cpu_notification_uat File: /lambda.tf:414-432 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272 414 | resource "aws_lambda_function" "terraform_lambda_func_send_cpu_notification_uat" { 415 | # checkov:skip=CKV_AWS_117: "PPUD Lambda functions do not require VPC access and can run in no-VPC mode" 416 | count = local.is-preproduction == true ? 
1 : 0 417 | filename = "${path.module}/lambda_scripts/send_cpu_notification_uat.zip" 418 | function_name = "send_cpu_notification" 419 | role = aws_iam_role.lambda_role_cloudwatch_invoke_lambda_uat[0].arn 420 | handler = "send_cpu_notification_uat.lambda_handler" 421 | runtime = "python3.12" 422 | timeout = 300 423 | depends_on = [aws_iam_role_policy_attachment.attach_lambda_policy_cloudwatch_invoke_lambda_to_lambda_role_cloudwatch_invoke_lambda_uat] 424 | reserved_concurrent_executions = 5 425 | # code_signing_config_arn = "arn:aws:lambda:eu-west-2:172753231260:code-signing-config:csc-0db408c5170a8eba6" 426 | dead_letter_config { 427 | target_arn = aws_sqs_queue.lambda_queue_uat[0].arn 428 | } 429 | tracing_config { 430 | mode = "Active" 431 | } 432 | } Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing" FAILED for resource: aws_lambda_function.terraform_lambda_func_send_cpu_notification_prod File: /lambda.tf:456-474 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272 456 | resource "aws_lambda_function" "terraform_lambda_func_send_cpu_notification_prod" { 457 | # checkov:skip=CKV_AWS_117: "PPUD Lambda functions do not require VPC access and can run in no-VPC mode" 458 | count = local.is-production == true ? 
1 : 0 459 | filename = "${path.module}/lambda_scripts/send_cpu_notification_prod.zip" 460 | function_name = "send_cpu_notification" 461 | role = aws_iam_role.lambda_role_cloudwatch_invoke_lambda_prod[0].arn 462 | handler = "send_cpu_notification_prod.lambda_handler" 463 | runtime = "python3.12" 464 | timeout = 300 465 | depends_on = [aws_iam_role_policy_attachment.attach_lambda_policy_cloudwatch_invoke_lambda_to_lambda_role_cloudwatch_invoke_lambda_prod] 466 | reserved_concurrent_executions = 5 467 | # code_signing_config_arn = "arn:aws:lambda:eu-west-2:817985104434:code-signing-config:csc-0bafee04a642a41c1" 468 | dead_letter_config { 469 | target_arn = aws_sqs_queue.lambda_queue_prod[0].arn 470 | } 471 | tracing_config { 472 | mode = "Active" 473 | } 474 | } Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads" FAILED for resource: aws_s3_bucket_lifecycle_configuration.MoJ-Health-Check-Reports File: /s3.tf:137-160 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-300 137 | resource "aws_s3_bucket_lifecycle_configuration" "MoJ-Health-Check-Reports" { 138 | bucket = aws_s3_bucket.MoJ-Health-Check-Reports.id 139 | rule { 140 | id = "Remove-Old-SSM-Health-Check-Reports" 141 | status = "Enabled" 142 | abort_incomplete_multipart_upload { 143 | days_after_initiation = 7 144 | } 145 | 146 | filter { 147 | prefix = "ssm_output/" 148 | } 149 | 150 | noncurrent_version_transition { 151 | noncurrent_days = 183 152 | storage_class = "STANDARD_IA" 153 | } 154 | 155 | transition { 156 | days = 183 157 | storage_class = "STANDARD_IA" 158 | } 159 | } 160 | } Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK" FAILED for resource: aws_secretsmanager_secret.secretdirectoryservice File: /secrets.tf:14-17 Guide: 
https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms
		14 | resource "aws_secretsmanager_secret" "secretdirectoryservice" {
		15 |   name                    = "AWSADPASS"
		16 |   recovery_window_in_days = 0
		17 | }
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.secretdirectoryservice
	File: /secrets.tf:14-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57
		14 | resource "aws_secretsmanager_secret" "secretdirectoryservice" {
		15 |   name                    = "AWSADPASS"
		16 |   recovery_window_in_days = 0
		17 | }

checkov_exitcode=1
```
#### `CTFLint Scan` Failed
```hcl
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/ppud
*****************************

Running tflint in terraform/environments/ppud
Excluding the following checks: terraform_unused_declarations
2 issue(s) found:

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/ppud/lambda.tf line 478:
 478: data "archive_file" "zip_the_send_cpu_notification_code_prod" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/ppud/secrets.tf line 4:
   4: resource "random_password" "password" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2
```
#### `Trivy Scan` Failed
```hcl
*****************************

Trivy will check the following folders:
terraform/environments/ppud
*****************************

Running Trivy in terraform/environments/ppud
2024-10-29T08:30:34Z	INFO	[vulndb] Need to update DB
2024-10-29T08:30:34Z	INFO	[vulndb] Downloading vulnerability DB...
2024-10-29T08:30:34Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-29T08:30:37Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-29T08:30:37Z	INFO	[vuln] Vulnerability scanning is enabled
2024-10-29T08:30:37Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-10-29T08:30:37Z	INFO	[misconfig] Need to update the built-in checks
2024-10-29T08:30:37Z	INFO	[misconfig] Downloading the built-in checks...
2024-10-29T08:30:37Z	ERROR	[misconfig] Falling back to embedded checks	err="failed to download built-in policies: download error: OCI repository error: 1 error occurred:\n\t* GET https://ghcr.io/v2/aquasecurity/trivy-checks/manifests/1: TOOMANYREQUESTS: retry-after: 46.104µs, allowed: 44000/minute\n\n"
2024-10-29T08:30:37Z	INFO	[secret] Secret scanning is enabled
2024-10-29T08:30:37Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-29T08:30:37Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-29T08:30:38Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-10-29T08:30:39Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-10-29T08:30:39Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_metric_alarm.Memory_percentage_Committed_Bytes_In_Use" value="cty.NilVal"
2024-10-29T08:30:39Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_metric_alarm.Windows_IIS_check" value="cty.NilVal"
2024-10-29T08:30:39Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_metric_alarm.cpu" value="cty.NilVal"
2024-10-29T08:30:39Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_metric_alarm.cpu_usage_iowait" value="cty.NilVal"
2024-10-29T08:30:39Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_metric_alarm.instance_health_check" value="cty.NilVal"
2024-10-29T08:30:39Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_metric_alarm.linux_cpu" value="cty.NilVal"
2024-10-29T08:30:39Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_metric_alarm.linux_cpu_usage_iowait" value="cty.NilVal"
2024-10-29T08:30:39Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_metric_alarm.linux_ec2_high_memory_usage" value="cty.NilVal"
2024-10-29T08:30:39Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_metric_alarm.linux_instance_health_check" value="cty.NilVal"
2024-10-29T08:30:39Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_metric_alarm.linux_system_health_check" value="cty.NilVal"
2024-10-29T08:30:39Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_metric_alarm.low_disk_space_C_volume" value="cty.NilVal"
2024-10-29T08:30:39Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_metric_alarm.low_disk_space_D_volume" value="cty.NilVal"
2024-10-29T08:30:39Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_metric_alarm.low_disk_space_root_volume" value="cty.NilVal"
2024-10-29T08:30:39Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_metric_alarm.malware-event-behavior-detected" value="cty.NilVal"
2024-10-29T08:30:39Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_metric_alarm.malware-event-engine-out-of-date" value="cty.NilVal"
2024-10-29T08:30:39Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_metric_alarm.malware-event-engine-update-failed" value="cty.NilVal"
2024-10-29T08:30:39Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_metric_alarm.malware-event-scan-failed" value="cty.NilVal"
2024-10-29T08:30:39Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_metric_alarm.malware-event-signature-update-failed" value="cty.NilVal"
2024-10-29T08:30:39Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_metric_alarm.malware-event-state-detected" value="cty.NilVal"
2024-10-29T08:30:39Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_metric_alarm.system_health_check" value="cty.NilVal"
2024-10-29T08:30:39Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="data.aws_instance.linux_instance_details" value="cty.NilVal"
2024-10-29T08:30:39Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="data.aws_instance.windows_instance_details" value="cty.NilVal"
2024-10-29T08:30:39Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-user-attached-policies" range="iam.tf:899-906"
2024-10-29T08:30:39Z	INFO	Number of language-specific files	num=0
2024-10-29T08:30:39Z	INFO	Detected config files	num=6

alb_external.tf (terraform)
===========================
Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 alb_external.tf:90
   via alb_external.tf:86-106 (aws_lb.WAM-ALB)
────────────────────────────────────────
  86   resource "aws_lb" "WAM-ALB" {
  ..
  90 [   internal = false
  ...
 106   }
────────────────────────────────────────

s3.tf (terraform)
=================
Tests: 2 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 s3.tf:115-128
────────────────────────────────────────
 115 ┌ resource "aws_s3_bucket" "MoJ-Health-Check-Reports" {
 116 │   # checkov:skip=CKV_AWS_145: "S3 bucket is not public facing, does not contain any sensitive information and does not need encryption"
 117 │   # checkov:skip=CKV_AWS_62: "S3 bucket event notification is not required"
 118 │   # checkov:skip=CKV2_AWS_62: "S3 bucket event notification is not required"
 119 │   # checkov:skip=CKV_AWS_144: "PPUD has a UK Sovereignty requirement so cross region replication is prohibited"
 120 │   # checkov:skip=CKV_AWS_18: "S3 bucket logging is not required"
 121 │   bucket = local.application_data.accounts[local.environment].ssm_health_check_reports_s3
 122 │   tags = merge(
 123 └     local.tags,
 ...
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 s3.tf:115-128
────────────────────────────────────────
 115 ┌ resource "aws_s3_bucket" "MoJ-Health-Check-Reports" {
 116 │   # checkov:skip=CKV_AWS_145: "S3 bucket is not public facing, does not contain any sensitive information and does not need encryption"
 117 │   # checkov:skip=CKV_AWS_62: "S3 bucket event notification is not required"
 118 │   # checkov:skip=CKV2_AWS_62: "S3 bucket event notification is not required"
 119 │   # checkov:skip=CKV_AWS_144: "PPUD has a UK Sovereignty requirement so cross region replication is prohibited"
 120 │   # checkov:skip=CKV_AWS_18: "S3 bucket logging is not required"
 121 │   bucket = local.application_data.accounts[local.environment].ssm_health_check_reports_s3
 122 │   tags = merge(
 123 └     local.tags,
 ...
────────────────────────────────────────

trivy_exitcode=1
```