# Provider configuration: every resource in this file is created in ap-northeast-1.
# Nothing here pins the target account (no `allowed_account_ids`) or applies
# `default_tags`, so the file applies to whatever account the ambient credentials
# resolve to - worth pinning for a fixture that creates public resources.
provider "aws" {
region = "ap-northeast-1"
}
# Intentionally insecure fixture: a bucket whose canned ACL grants anonymous
# principals READ on the bucket (listing and, for objects created with the same
# ACL, download). The scan output further down flags the same resource for
# missing versioning (CKV_AWS_21), KMS default encryption (CKV_AWS_145),
# lifecycle rules (CKV2_AWS_61) and event notifications (CKV2_AWS_62).
# Hardening would be `acl = "private"`, an `aws_s3_bucket_public_access_block`
# with all four blocks enabled, and the separate versioning / SSE resources.
resource "aws_s3_bucket" "insecure_bucket" {
bucket = "my-insecure-bucket"
# public-read is the finding; the ACL is the only access control on this bucket.
acl = "public-read"
tags = {
Name = "Insecure Bucket"
}
}
# Intentionally insecure fixture: an any/any security group. It is referenced by
# aws_lb.insecure_alb below, so it is the edge policy for an internet-facing ALB.
# The scan reports CKV_AWS_277 (all ports from 0.0.0.0/0), CKV_AWS_24 (22),
# CKV_AWS_25 (3389), CKV_AWS_260 (80), CKV_AWS_382 (unrestricted egress) and
# CKV_AWS_23 (rules without a description). Remediation: one rule per required
# port with `cidr_blocks` limited to known source ranges, a `description` on every
# rule, and no inbound 22/3389 at all (use SSM Session Manager instead).
resource "aws_security_group" "allow_all" {
name = "allow_all"
description = "Allow all inbound traffic"
# protocol "-1" with ports 0-0 means every protocol and port; this single rule
# already subsumes the two rules that follow.
ingress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
# SSH from anywhere - redundant given the rule above, but listed so the scanner
# reports it as its own finding (CKV_AWS_24).
ingress {
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
# RDP from anywhere (CKV_AWS_25); same remark as for SSH.
ingress {
from_port = 3389
to_port = 3389
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
# Unrestricted egress (CKV_AWS_382): an instance behind this group can reach any
# host, which removes the network-level brake on data exfiltration.
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
}
# Intentionally insecure fixture: an EC2 instance that still answers IMDSv1 and
# boots from an unencrypted root volume. Scan findings: CKV_AWS_79 (IMDSv1),
# CKV_AWS_8 (root volume not encrypted), CKV_AWS_126 (no detailed monitoring),
# CKV_AWS_135 (not EBS-optimized). The AMI id below looks like a placeholder and
# would need to be resolved (e.g. via a data source) before this could be applied.
resource "aws_instance" "insecure_instance" {
ami = "ami-0123456789abcdef0"
instance_type = "t2.micro"
# "optional" keeps IMDSv1 reachable, so any SSRF or local code execution on the
# box can read the instance role credentials with a single unauthenticated GET.
# `http_tokens = "required"` enforces the session-oriented IMDSv2.
metadata_options {
http_tokens = "optional"
}
# Data at rest on the root device is stored in the clear; `encrypted = true`
# (optionally with `kms_key_id`) is the fix for CKV_AWS_8.
root_block_device {
encrypted = false
}
tags = {
Name = "Insecure Instance"
}
}
# Intentionally insecure fixture: a publicly reachable, unencrypted MySQL instance
# with its master password committed to source. Scan findings on this resource:
# CKV_AWS_17 (publicly_accessible), CKV_AWS_16 (storage not encrypted),
# CKV_AWS_157 (no Multi-AZ), CKV_AWS_293 (no deletion protection),
# CKV_AWS_226 (no automatic minor upgrades), CKV_AWS_118 (no enhanced
# monitoring), CKV_AWS_161 (no IAM authentication), CKV_AWS_129 (no log
# exports) and CKV2_AWS_60 (tags not copied to snapshots).
resource "aws_db_instance" "insecure_rds" {
identifier = "insecure-db"
allocated_storage = 20
engine = "mysql"
# MySQL 5.7 is past its upstream end of life; pin a currently supported major.
engine_version = "5.7"
instance_class = "db.t2.micro"
# Both credentials are literals: they land in VCS history and, in plaintext, in
# the Terraform state. Prefer `manage_master_user_password = true` (Secrets
# Manager) or at minimum a sensitive variable; a value already committed must be
# treated as disclosed and rotated.
username = "admin"
password = "password123"
# A public endpoint combined with aws_security_group.allow_all exposes the
# database to the whole internet, protected only by the password above.
publicly_accessible = true
storage_encrypted = false
# With skip_final_snapshot and no deletion_protection, a `terraform destroy`
# (or a drift-driven replacement) loses the data irrecoverably.
skip_final_snapshot = true
multi_az = false
tags = {
Name = "Insecure RDS"
}
}
# Intentionally insecure fixture: a customer-managed policy equivalent to
# AdministratorAccess (`Action = "*"` on `Resource = "*"`). The scan reports
# CKV_AWS_62 (full *:* admin), CKV_AWS_63 (wildcard action), CKV_AWS_355
# (wildcard resource), and the CKV_AWS_286..290 family (privilege escalation,
# credential exposure, exfiltration, permissions management, unconstrained write).
# Any principal this is attached to can also grant itself anything it lacks, so
# it defeats every other control in the account. Nothing in this file attaches
# it (no aws_iam_role_policy_attachment is visible), but that is one line away.
resource "aws_iam_policy" "overly_permissive" {
name = "overly_permissive_policy"
description = "An overly permissive IAM policy"
policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Effect = "Allow"
# Least privilege would enumerate the specific actions and ARNs needed,
# and add a Condition block where the action supports one.
Action = "*"
Resource = "*"
}
]
})
}
# Intentionally insecure fixture: a Lambda function carrying a plaintext API key
# in its environment. Scan findings: CKV_AWS_173 (env vars not encrypted with a
# CMK), CKV_AWS_363 (deprecated runtime), CKV_AWS_117 (not in a VPC),
# CKV_AWS_272 (no code signing), CKV_AWS_115 (no concurrency limit),
# CKV_AWS_116 (no DLQ), CKV_AWS_50 (no X-Ray tracing).
resource "aws_lambda_function" "insecure_lambda" {
# Local artifact with no source_code_hash shown; without a hash, a changed zip
# is not detected as a change by the provider.
filename = "lambda.zip"
function_name = "insecure_function"
# Execution role is defined below; its trust policy is correctly scoped to the
# Lambda service principal.
role = aws_iam_role.lambda_role.arn
handler = "index.handler"
# nodejs14.x is a deprecated runtime (CKV_AWS_363): no security patches.
runtime = "nodejs14.x"
# The secret is readable by anyone with lambda:GetFunctionConfiguration, is
# committed to VCS, and is stored in the Terraform state. Fetch it at runtime
# from Secrets Manager or SSM Parameter Store instead, and set `kms_key_arn` so
# any remaining variables are encrypted with a customer-managed key. A key that
# has been committed should be considered leaked and rotated.
environment {
variables = {
API_KEY = "sk-secret-api-key-12345"
}
}
}
# Execution role for aws_lambda_function.insecure_lambda. The trust policy is the
# standard one: only the Lambda service may assume the role, which is fine.
# No permissions policy is attached to it anywhere in this file, so as written
# the function has no permissions at all; if aws_iam_policy.overly_permissive
# were attached here, the committed API key above would be the least of the
# function's problems. The scan reports no finding on this resource.
resource "aws_iam_role" "lambda_role" {
name = "lambda_role"
assume_role_policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Action = "sts:AssumeRole"
Effect = "Allow"
# Scoped to the service principal - no account- or wildcard-level trust.
Principal = {
Service = "lambda.amazonaws.com"
}
}
]
})
}
# Intentionally insecure fixture: a bucket with no server access logging (an
# `aws_s3_bucket_logging` resource pointing at a separate log bucket would add it).
# The scan output in this page flags it for versioning (CKV_AWS_21), KMS default
# encryption (CKV_AWS_145), lifecycle rules (CKV2_AWS_61) and event
# notifications (CKV2_AWS_62). Unlike insecure_bucket it sets no ACL, so it
# falls back to the provider/account defaults for access.
resource "aws_s3_bucket" "no_logging" {
bucket = "bucket-without-logging"
tags = {
Name = "No Logging Bucket"
}
}
# Intentionally insecure fixture: a standalone EBS volume stored in the clear.
# Scan findings: CKV_AWS_3 (not encrypted) and CKV_AWS_189 (no customer-managed
# KMS key). `encrypted = true` plus `kms_key_id` fixes both; enabling EBS
# encryption by default for the region (aws_ebs_encryption_by_default) makes
# the omission impossible to repeat.
resource "aws_ebs_volume" "unencrypted" {
availability_zone = "ap-northeast-1a"
size = 40
# Snapshots taken from an unencrypted volume are unencrypted too, and can be
# shared or copied across accounts without any key boundary.
encrypted = false
tags = {
Name = "Unencrypted Volume"
}
}
# Intentionally insecure fixture: a DynamoDB table with no point-in-time recovery
# (CKV_AWS_28) and no customer-managed KMS key (CKV_AWS_119). Remediation is a
# `point_in_time_recovery { enabled = true }` block and a
# `server_side_encryption { enabled = true, kms_key_arn = ... }` block.
# Without PITR, an accidental or malicious bulk delete is unrecoverable.
resource "aws_dynamodb_table" "insecure_table" {
name = "insecure-table"
billing_mode = "PAY_PER_REQUEST"
hash_key = "id"
# Only the key attribute is declared, as DynamoDB requires; other attributes
# are schemaless.
attribute {
name = "id"
type = "S"
}
}
# Intentionally insecure fixture: an internet-facing ALB guarded by the any/any
# security group above. Scan findings: CKV_AWS_131 (invalid HTTP headers not
# dropped - `drop_invalid_header_fields = true`), CKV_AWS_150 (no deletion
# protection) and CKV_AWS_91 (no `access_logs` block). No listener is defined in
# this file, so what the ALB actually serves - and whether it is TLS - is not
# visible here.
resource "aws_lb" "insecure_alb" {
name = "insecure-alb"
# internal = false allocates a public DNS name; combined with allow_all, every
# port on the load balancer is reachable from any address.
internal = false
load_balancer_type = "application"
security_groups = [aws_security_group.allow_all.id]
# Hard-coded subnet ids look like placeholders; a real deployment would take
# these from a VPC module output or data source.
subnets = ["subnet-12345678", "subnet-87654321"]
enable_deletion_protection = false
}
(venv) root@k8s-operation-1:~/cks-practice/checkov# checkov -f terraform.tf --quiet
terraform scan results:
Passed checks: 27, Failed checks: 59, Skipped checks: 0
Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
FAILED for resource: aws_security_group.allow_all
File: /terraform.tf:14-45
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-382
14 | resource "aws_security_group" "allow_all" {
15 | name = "allow_all"
16 | description = "Allow all inbound traffic"
17 |
18 | ingress {
19 | from_port = 0
20 | to_port = 0
21 | protocol = "-1"
22 | cidr_blocks = ["0.0.0.0/0"]
23 | }
24 |
25 | ingress {
26 | from_port = 22
27 | to_port = 22
28 | protocol = "tcp"
29 | cidr_blocks = ["0.0.0.0/0"]
30 | }
31 |
32 | ingress {
33 | from_port = 3389
34 | to_port = 3389
35 | protocol = "tcp"
36 | cidr_blocks = ["0.0.0.0/0"]
37 | }
38 |
39 | egress {
40 | from_port = 0
41 | to_port = 0
42 | protocol = "-1"
43 | cidr_blocks = ["0.0.0.0/0"]
44 | }
45 | }
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
FAILED for resource: aws_security_group.allow_all
File: /terraform.tf:14-45
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31
14 | resource "aws_security_group" "allow_all" {
15 | name = "allow_all"
16 | description = "Allow all inbound traffic"
17 |
18 | ingress {
19 | from_port = 0
20 | to_port = 0
21 | protocol = "-1"
22 | cidr_blocks = ["0.0.0.0/0"]
23 | }
24 |
25 | ingress {
26 | from_port = 22
27 | to_port = 22
28 | protocol = "tcp"
29 | cidr_blocks = ["0.0.0.0/0"]
30 | }
31 |
32 | ingress {
33 | from_port = 3389
34 | to_port = 3389
35 | protocol = "tcp"
36 | cidr_blocks = ["0.0.0.0/0"]
37 | }
38 |
39 | egress {
40 | from_port = 0
41 | to_port = 0
42 | protocol = "-1"
43 | cidr_blocks = ["0.0.0.0/0"]
44 | }
45 | }
Check: CKV_AWS_277: "Ensure no security groups allow ingress from 0.0.0.0:0 to port -1"
FAILED for resource: aws_security_group.allow_all
File: /terraform.tf:14-45
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-group-does-not-allow-all-traffic-on-all-ports
14 | resource "aws_security_group" "allow_all" {
15 | name = "allow_all"
16 | description = "Allow all inbound traffic"
17 |
18 | ingress {
19 | from_port = 0
20 | to_port = 0
21 | protocol = "-1"
22 | cidr_blocks = ["0.0.0.0/0"]
23 | }
24 |
25 | ingress {
26 | from_port = 22
27 | to_port = 22
28 | protocol = "tcp"
29 | cidr_blocks = ["0.0.0.0/0"]
30 | }
31 |
32 | ingress {
33 | from_port = 3389
34 | to_port = 3389
35 | protocol = "tcp"
36 | cidr_blocks = ["0.0.0.0/0"]
37 | }
38 |
39 | egress {
40 | from_port = 0
41 | to_port = 0
42 | protocol = "-1"
43 | cidr_blocks = ["0.0.0.0/0"]
44 | }
45 | }
Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
FAILED for resource: aws_security_group.allow_all
File: /terraform.tf:14-45
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security
14 | resource "aws_security_group" "allow_all" {
15 | name = "allow_all"
16 | description = "Allow all inbound traffic"
17 |
18 | ingress {
19 | from_port = 0
20 | to_port = 0
21 | protocol = "-1"
22 | cidr_blocks = ["0.0.0.0/0"]
23 | }
24 |
25 | ingress {
26 | from_port = 22
27 | to_port = 22
28 | protocol = "tcp"
29 | cidr_blocks = ["0.0.0.0/0"]
30 | }
31 |
32 | ingress {
33 | from_port = 3389
34 | to_port = 3389
35 | protocol = "tcp"
36 | cidr_blocks = ["0.0.0.0/0"]
37 | }
38 |
39 | egress {
40 | from_port = 0
41 | to_port = 0
42 | protocol = "-1"
43 | cidr_blocks = ["0.0.0.0/0"]
44 | }
45 | }
Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
FAILED for resource: aws_security_group.allow_all
File: /terraform.tf:14-45
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-2
14 | resource "aws_security_group" "allow_all" {
15 | name = "allow_all"
16 | description = "Allow all inbound traffic"
17 |
18 | ingress {
19 | from_port = 0
20 | to_port = 0
21 | protocol = "-1"
22 | cidr_blocks = ["0.0.0.0/0"]
23 | }
24 |
25 | ingress {
26 | from_port = 22
27 | to_port = 22
28 | protocol = "tcp"
29 | cidr_blocks = ["0.0.0.0/0"]
30 | }
31 |
32 | ingress {
33 | from_port = 3389
34 | to_port = 3389
35 | protocol = "tcp"
36 | cidr_blocks = ["0.0.0.0/0"]
37 | }
38 |
39 | egress {
40 | from_port = 0
41 | to_port = 0
42 | protocol = "-1"
43 | cidr_blocks = ["0.0.0.0/0"]
44 | }
45 | }
Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
FAILED for resource: aws_security_group.allow_all
File: /terraform.tf:14-45
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80
14 | resource "aws_security_group" "allow_all" {
15 | name = "allow_all"
16 | description = "Allow all inbound traffic"
17 |
18 | ingress {
19 | from_port = 0
20 | to_port = 0
21 | protocol = "-1"
22 | cidr_blocks = ["0.0.0.0/0"]
23 | }
24 |
25 | ingress {
26 | from_port = 22
27 | to_port = 22
28 | protocol = "tcp"
29 | cidr_blocks = ["0.0.0.0/0"]
30 | }
31 |
32 | ingress {
33 | from_port = 3389
34 | to_port = 3389
35 | protocol = "tcp"
36 | cidr_blocks = ["0.0.0.0/0"]
37 | }
38 |
39 | egress {
40 | from_port = 0
41 | to_port = 0
42 | protocol = "-1"
43 | cidr_blocks = ["0.0.0.0/0"]
44 | }
45 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.insecure_instance
File: /terraform.tf:47-62
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances
47 | resource "aws_instance" "insecure_instance" {
48 | ami = "ami-0123456789abcdef0"
49 | instance_type = "t2.micro"
50 |
51 | metadata_options {
52 | http_tokens = "optional"
53 | }
54 |
55 | root_block_device {
56 | encrypted = false
57 | }
58 |
59 | tags = {
60 | Name = "Insecure Instance"
61 | }
62 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.insecure_instance
File: /terraform.tf:47-62
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-13
47 | resource "aws_instance" "insecure_instance" {
48 | ami = "ami-0123456789abcdef0"
49 | instance_type = "t2.micro"
50 |
51 | metadata_options {
52 | http_tokens = "optional"
53 | }
54 |
55 | root_block_device {
56 | encrypted = false
57 | }
58 |
59 | tags = {
60 | Name = "Insecure Instance"
61 | }
62 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.insecure_instance
File: /terraform.tf:47-62
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized
47 | resource "aws_instance" "insecure_instance" {
48 | ami = "ami-0123456789abcdef0"
49 | instance_type = "t2.micro"
50 |
51 | metadata_options {
52 | http_tokens = "optional"
53 | }
54 |
55 | root_block_device {
56 | encrypted = false
57 | }
58 |
59 | tags = {
60 | Name = "Insecure Instance"
61 | }
62 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.insecure_instance
File: /terraform.tf:47-62
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31
47 | resource "aws_instance" "insecure_instance" {
48 | ami = "ami-0123456789abcdef0"
49 | instance_type = "t2.micro"
50 |
51 | metadata_options {
52 | http_tokens = "optional"
53 | }
54 |
55 | root_block_device {
56 | encrypted = false
57 | }
58 |
59 | tags = {
60 | Name = "Insecure Instance"
61 | }
62 | }
Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
FAILED for resource: aws_db_instance.insecure_rds
File: /terraform.tf:64-80
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293
64 | resource "aws_db_instance" "insecure_rds" {
65 | identifier = "insecure-db"
66 | allocated_storage = 20
67 | engine = "mysql"
68 | engine_version = "5.7"
69 | instance_class = "db.t2.micro"
70 | username = "admin"
71 | password = "password123"
72 | publicly_accessible = true
73 | storage_encrypted = false
74 | skip_final_snapshot = true
75 | multi_az = false
76 |
77 | tags = {
78 | Name = "Insecure RDS"
79 | }
80 | }
Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
FAILED for resource: aws_db_instance.insecure_rds
File: /terraform.tf:64-80
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically
64 | resource "aws_db_instance" "insecure_rds" {
65 | identifier = "insecure-db"
66 | allocated_storage = 20
67 | engine = "mysql"
68 | engine_version = "5.7"
69 | instance_class = "db.t2.micro"
70 | username = "admin"
71 | password = "password123"
72 | publicly_accessible = true
73 | storage_encrypted = false
74 | skip_final_snapshot = true
75 | multi_az = false
76 |
77 | tags = {
78 | Name = "Insecure RDS"
79 | }
80 | }
Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
FAILED for resource: aws_db_instance.insecure_rds
File: /terraform.tf:64-80
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-4
64 | resource "aws_db_instance" "insecure_rds" {
65 | identifier = "insecure-db"
66 | allocated_storage = 20
67 | engine = "mysql"
68 | engine_version = "5.7"
69 | instance_class = "db.t2.micro"
70 | username = "admin"
71 | password = "password123"
72 | publicly_accessible = true
73 | storage_encrypted = false
74 | skip_final_snapshot = true
75 | multi_az = false
76 |
77 | tags = {
78 | Name = "Insecure RDS"
79 | }
80 | }
Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
FAILED for resource: aws_db_instance.insecure_rds
File: /terraform.tf:64-80
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances
64 | resource "aws_db_instance" "insecure_rds" {
65 | identifier = "insecure-db"
66 | allocated_storage = 20
67 | engine = "mysql"
68 | engine_version = "5.7"
69 | instance_class = "db.t2.micro"
70 | username = "admin"
71 | password = "password123"
72 | publicly_accessible = true
73 | storage_encrypted = false
74 | skip_final_snapshot = true
75 | multi_az = false
76 |
77 | tags = {
78 | Name = "Insecure RDS"
79 | }
80 | }
Check: CKV_AWS_161: "Ensure RDS database has IAM authentication enabled"
FAILED for resource: aws_db_instance.insecure_rds
File: /terraform.tf:64-80
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-rds-database-has-iam-authentication-enabled
64 | resource "aws_db_instance" "insecure_rds" {
65 | identifier = "insecure-db"
66 | allocated_storage = 20
67 | engine = "mysql"
68 | engine_version = "5.7"
69 | instance_class = "db.t2.micro"
70 | username = "admin"
71 | password = "password123"
72 | publicly_accessible = true
73 | storage_encrypted = false
74 | skip_final_snapshot = true
75 | multi_az = false
76 |
77 | tags = {
78 | Name = "Insecure RDS"
79 | }
80 | }
Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
FAILED for resource: aws_db_instance.insecure_rds
File: /terraform.tf:64-80
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73
64 | resource "aws_db_instance" "insecure_rds" {
65 | identifier = "insecure-db"
66 | allocated_storage = 20
67 | engine = "mysql"
68 | engine_version = "5.7"
69 | instance_class = "db.t2.micro"
70 | username = "admin"
71 | password = "password123"
72 | publicly_accessible = true
73 | storage_encrypted = false
74 | skip_final_snapshot = true
75 | multi_az = false
76 |
77 | tags = {
78 | Name = "Insecure RDS"
79 | }
80 | }
Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
FAILED for resource: aws_db_instance.insecure_rds
File: /terraform.tf:64-80
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled
64 | resource "aws_db_instance" "insecure_rds" {
65 | identifier = "insecure-db"
66 | allocated_storage = 20
67 | engine = "mysql"
68 | engine_version = "5.7"
69 | instance_class = "db.t2.micro"
70 | username = "admin"
71 | password = "password123"
72 | publicly_accessible = true
73 | storage_encrypted = false
74 | skip_final_snapshot = true
75 | multi_az = false
76 |
77 | tags = {
78 | Name = "Insecure RDS"
79 | }
80 | }
Check: CKV_AWS_17: "Ensure all data stored in RDS is not publicly accessible"
FAILED for resource: aws_db_instance.insecure_rds
File: /terraform.tf:64-80
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/public-policies/public-2
64 | resource "aws_db_instance" "insecure_rds" {
65 | identifier = "insecure-db"
66 | allocated_storage = 20
67 | engine = "mysql"
68 | engine_version = "5.7"
69 | instance_class = "db.t2.micro"
70 | username = "admin"
71 | password = "password123"
72 | publicly_accessible = true
73 | storage_encrypted = false
74 | skip_final_snapshot = true
75 | multi_az = false
76 |
77 | tags = {
78 | Name = "Insecure RDS"
79 | }
80 | }
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_policy.overly_permissive
File: /terraform.tf:82-96
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290
82 | resource "aws_iam_policy" "overly_permissive" {
83 | name = "overly_permissive_policy"
84 | description = "An overly permissive IAM policy"
85 |
86 | policy = jsonencode({
87 | Version = "2012-10-17"
88 | Statement = [
89 | {
90 | Effect = "Allow"
91 | Action = "*"
92 | Resource = "*"
93 | }
94 | ]
95 | })
96 | }
Check: CKV_AWS_286: "Ensure IAM policies does not allow privilege escalation"
FAILED for resource: aws_iam_policy.overly_permissive
File: /terraform.tf:82-96
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-286
82 | resource "aws_iam_policy" "overly_permissive" {
83 | name = "overly_permissive_policy"
84 | description = "An overly permissive IAM policy"
85 |
86 | policy = jsonencode({
87 | Version = "2012-10-17"
88 | Statement = [
89 | {
90 | Effect = "Allow"
91 | Action = "*"
92 | Resource = "*"
93 | }
94 | ]
95 | })
96 | }
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy.overly_permissive
File: /terraform.tf:82-96
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355
82 | resource "aws_iam_policy" "overly_permissive" {
83 | name = "overly_permissive_policy"
84 | description = "An overly permissive IAM policy"
85 |
86 | policy = jsonencode({
87 | Version = "2012-10-17"
88 | Statement = [
89 | {
90 | Effect = "Allow"
91 | Action = "*"
92 | Resource = "*"
93 | }
94 | ]
95 | })
96 | }
Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
FAILED for resource: aws_iam_policy.overly_permissive
File: /terraform.tf:82-96
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288
82 | resource "aws_iam_policy" "overly_permissive" {
83 | name = "overly_permissive_policy"
84 | description = "An overly permissive IAM policy"
85 |
86 | policy = jsonencode({
87 | Version = "2012-10-17"
88 | Statement = [
89 | {
90 | Effect = "Allow"
91 | Action = "*"
92 | Resource = "*"
93 | }
94 | ]
95 | })
96 | }
Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
FAILED for resource: aws_iam_policy.overly_permissive
File: /terraform.tf:82-96
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289
82 | resource "aws_iam_policy" "overly_permissive" {
83 | name = "overly_permissive_policy"
84 | description = "An overly permissive IAM policy"
85 |
86 | policy = jsonencode({
87 | Version = "2012-10-17"
88 | Statement = [
89 | {
90 | Effect = "Allow"
91 | Action = "*"
92 | Resource = "*"
93 | }
94 | ]
95 | })
96 | }
Check: CKV_AWS_63: "Ensure no IAM policies documents allow "*" as a statement's actions"
FAILED for resource: aws_iam_policy.overly_permissive
File: /terraform.tf:82-96
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/iam-48
82 | resource "aws_iam_policy" "overly_permissive" {
83 | name = "overly_permissive_policy"
84 | description = "An overly permissive IAM policy"
85 |
86 | policy = jsonencode({
87 | Version = "2012-10-17"
88 | Statement = [
89 | {
90 | Effect = "Allow"
91 | Action = "*"
92 | Resource = "*"
93 | }
94 | ]
95 | })
96 | }
Check: CKV_AWS_62: "Ensure IAM policies that allow full "*-*" administrative privileges are not created"
FAILED for resource: aws_iam_policy.overly_permissive
File: /terraform.tf:82-96
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-iam-45
82 | resource "aws_iam_policy" "overly_permissive" {
83 | name = "overly_permissive_policy"
84 | description = "An overly permissive IAM policy"
85 |
86 | policy = jsonencode({
87 | Version = "2012-10-17"
88 | Statement = [
89 | {
90 | Effect = "Allow"
91 | Action = "*"
92 | Resource = "*"
93 | }
94 | ]
95 | })
96 | }
Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
FAILED for resource: aws_iam_policy.overly_permissive
File: /terraform.tf:82-96
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287
82 | resource "aws_iam_policy" "overly_permissive" {
83 | name = "overly_permissive_policy"
84 | description = "An overly permissive IAM policy"
85 |
86 | policy = jsonencode({
87 | Version = "2012-10-17"
88 | Statement = [
89 | {
90 | Effect = "Allow"
91 | Action = "*"
92 | Resource = "*"
93 | }
94 | ]
95 | })
96 | }
Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
FAILED for resource: aws_lambda_function.insecure_lambda
File: /terraform.tf:98-110
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1
98 | resource "aws_lambda_function" "insecure_lambda" {
99 | filename = "lambda.zip"
100 | function_name = "insecure_function"
101 | role = aws_iam_role.lambda_role.arn
102 | handler = "index.handler"
103 | runtime = "nodejs14.x"
104 |
105 | environment {
106 | variables = {
107 | API_KEY = "sk-secret-api-key-12345"
108 | }
109 | }
110 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: aws_lambda_function.insecure_lambda
File: /terraform.tf:98-110
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272
98 | resource "aws_lambda_function" "insecure_lambda" {
99 | filename = "lambda.zip"
100 | function_name = "insecure_function"
101 | role = aws_iam_role.lambda_role.arn
102 | handler = "index.handler"
103 | runtime = "nodejs14.x"
104 |
105 | environment {
106 | variables = {
107 | API_KEY = "sk-secret-api-key-12345"
108 | }
109 | }
110 | }
Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
FAILED for resource: aws_lambda_function.insecure_lambda
File: /terraform.tf:98-110
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5
98 | resource "aws_lambda_function" "insecure_lambda" {
99 | filename = "lambda.zip"
100 | function_name = "insecure_function"
101 | role = aws_iam_role.lambda_role.arn
102 | handler = "index.handler"
103 | runtime = "nodejs14.x"
104 |
105 | environment {
106 | variables = {
107 | API_KEY = "sk-secret-api-key-12345"
108 | }
109 | }
110 | }
Check: CKV_AWS_363: "Ensure Lambda Runtime is not deprecated"
FAILED for resource: aws_lambda_function.insecure_lambda
File: /terraform.tf:98-110
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-363
98 | resource "aws_lambda_function" "insecure_lambda" {
99 | filename = "lambda.zip"
100 | function_name = "insecure_function"
101 | role = aws_iam_role.lambda_role.arn
102 | handler = "index.handler"
103 | runtime = "nodejs14.x"
104 |
105 | environment {
106 | variables = {
107 | API_KEY = "sk-secret-api-key-12345"
108 | }
109 | }
110 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: aws_lambda_function.insecure_lambda
File: /terraform.tf:98-110
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit
98 | resource "aws_lambda_function" "insecure_lambda" {
99 | filename = "lambda.zip"
100 | function_name = "insecure_function"
101 | role = aws_iam_role.lambda_role.arn
102 | handler = "index.handler"
103 | runtime = "nodejs14.x"
104 |
105 | environment {
106 | variables = {
107 | API_KEY = "sk-secret-api-key-12345"
108 | }
109 | }
110 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: aws_lambda_function.insecure_lambda
File: /terraform.tf:98-110
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq
98 | resource "aws_lambda_function" "insecure_lambda" {
99 | filename = "lambda.zip"
100 | function_name = "insecure_function"
101 | role = aws_iam_role.lambda_role.arn
102 | handler = "index.handler"
103 | runtime = "nodejs14.x"
104 |
105 | environment {
106 | variables = {
107 | API_KEY = "sk-secret-api-key-12345"
108 | }
109 | }
110 | }
Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
FAILED for resource: aws_lambda_function.insecure_lambda
File: /terraform.tf:98-110
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4
98 | resource "aws_lambda_function" "insecure_lambda" {
99 | filename = "lambda.zip"
100 | function_name = "insecure_function"
101 | role = aws_iam_role.lambda_role.arn
102 | handler = "index.handler"
103 | runtime = "nodejs14.x"
104 |
105 | environment {
106 | variables = {
107 | API_KEY = "sk-secret-api-key-12345"
108 | }
109 | }
110 | }
Check: CKV_AWS_3: "Ensure all data stored in the EBS is securely encrypted"
FAILED for resource: aws_ebs_volume.unencrypted
File: /terraform.tf:137-145
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-3-encrypt-ebs-volume
137 | resource "aws_ebs_volume" "unencrypted" {
138 | availability_zone = "ap-northeast-1a"
139 | size = 40
140 | encrypted = false
141 |
142 | tags = {
143 | Name = "Unencrypted Volume"
144 | }
145 | }
Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
FAILED for resource: aws_ebs_volume.unencrypted
File: /terraform.tf:137-145
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-109
137 | resource "aws_ebs_volume" "unencrypted" {
138 | availability_zone = "ap-northeast-1a"
139 | size = 40
140 | encrypted = false
141 |
142 | tags = {
143 | Name = "Unencrypted Volume"
144 | }
145 | }
Check: CKV_AWS_28: "Ensure DynamoDB point in time recovery (backup) is enabled"
FAILED for resource: aws_dynamodb_table.insecure_table
File: /terraform.tf:147-156
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-6
147 | resource "aws_dynamodb_table" "insecure_table" {
148 | name = "insecure-table"
149 | billing_mode = "PAY_PER_REQUEST"
150 | hash_key = "id"
151 |
152 | attribute {
153 | name = "id"
154 | type = "S"
155 | }
156 | }
Check: CKV_AWS_119: "Ensure DynamoDB Tables are encrypted using a KMS Customer Managed CMK"
FAILED for resource: aws_dynamodb_table.insecure_table
File: /terraform.tf:147-156
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-52
147 | resource "aws_dynamodb_table" "insecure_table" {
148 | name = "insecure-table"
149 | billing_mode = "PAY_PER_REQUEST"
150 | hash_key = "id"
151 |
152 | attribute {
153 | name = "id"
154 | type = "S"
155 | }
156 | }
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
FAILED for resource: aws_lb.insecure_alb
File: /terraform.tf:158-166
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers
158 | resource "aws_lb" "insecure_alb" {
159 | name = "insecure-alb"
160 | internal = false
161 | load_balancer_type = "application"
162 | security_groups = [aws_security_group.allow_all.id]
163 | subnets = ["subnet-12345678", "subnet-87654321"]
164 |
165 | enable_deletion_protection = false
166 | }
Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
FAILED for resource: aws_lb.insecure_alb
File: /terraform.tf:158-166
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150
158 | resource "aws_lb" "insecure_alb" {
159 | name = "insecure-alb"
160 | internal = false
161 | load_balancer_type = "application"
162 | security_groups = [aws_security_group.allow_all.id]
163 | subnets = ["subnet-12345678", "subnet-87654321"]
164 |
165 | enable_deletion_protection = false
166 | }
Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
FAILED for resource: aws_lb.insecure_alb
File: /terraform.tf:158-166
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22
158 | resource "aws_lb" "insecure_alb" {
159 | name = "insecure-alb"
160 | internal = false
161 | load_balancer_type = "application"
162 | security_groups = [aws_security_group.allow_all.id]
163 | subnets = ["subnet-12345678", "subnet-87654321"]
164 |
165 | enable_deletion_protection = false
166 | }
Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
FAILED for resource: aws_db_instance.insecure_rds
File: /terraform.tf:64-80
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60
64 | resource "aws_db_instance" "insecure_rds" {
65 | identifier = "insecure-db"
66 | allocated_storage = 20
67 | engine = "mysql"
68 | engine_version = "5.7"
69 | instance_class = "db.t2.micro"
70 | username = "admin"
71 | password = "password123"
72 | publicly_accessible = true
73 | storage_encrypted = false
74 | skip_final_snapshot = true
75 | multi_az = false
76 |
77 | tags = {
78 | Name = "Insecure RDS"
79 | }
80 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.insecure_bucket
File: /terraform.tf:5-12
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62
5 | resource "aws_s3_bucket" "insecure_bucket" {
6 | bucket = "my-insecure-bucket"
7 | acl = "public-read"
8 |
9 | tags = {
10 | Name = "Insecure Bucket"
11 | }
12 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.no_logging
File: /terraform.tf:129-135
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62
129 | resource "aws_s3_bucket" "no_logging" {
130 | bucket = "bucket-without-logging"
131 |
132 | tags = {
133 | Name = "No Logging Bucket"
134 | }
135 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.insecure_bucket
File: /terraform.tf:5-12
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61
5 | resource "aws_s3_bucket" "insecure_bucket" {
6 | bucket = "my-insecure-bucket"
7 | acl = "public-read"
8 |
9 | tags = {
10 | Name = "Insecure Bucket"
11 | }
12 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.no_logging
File: /terraform.tf:129-135
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61
129 | resource "aws_s3_bucket" "no_logging" {
130 | bucket = "bucket-without-logging"
131 |
132 | tags = {
133 | Name = "No Logging Bucket"
134 | }
135 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: aws_s3_bucket.insecure_bucket
File: /terraform.tf:5-12
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning
5 | resource "aws_s3_bucket" "insecure_bucket" {
6 | bucket = "my-insecure-bucket"
7 | acl = "public-read"
8 |
9 | tags = {
10 | Name = "Insecure Bucket"
11 | }
12 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: aws_s3_bucket.no_logging
File: /terraform.tf:129-135
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning
129 | resource "aws_s3_bucket" "no_logging" {
130 | bucket = "bucket-without-logging"
131 |
132 | tags = {
133 | Name = "No Logging Bucket"
134 | }
135 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.insecure_bucket
File: /terraform.tf:5-12
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default
5 | resource "aws_s3_bucket" "insecure_bucket" {
6 | bucket = "my-insecure-bucket"
7 | acl = "public-read"
8 |
9 | tags = {
10 | Name = "Insecure Bucket"
11 | }
12 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.no_logging
File: /terraform.tf:129-135
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default
129 | resource "aws_s3_bucket" "no_logging" {
130 | bucket = "bucket-without-logging"
131 |
132 | tags = {
133 | Name = "No Logging Bucket"
134 | }
135 | }
Check: CKV_AWS_20: "S3 Bucket has an ACL defined which allows public READ access."
FAILED for resource: aws_s3_bucket.insecure_bucket
File: /terraform.tf:5-12
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-1-acl-read-permissions-everyone
5 | resource "aws_s3_bucket" "insecure_bucket" {
6 | bucket = "my-insecure-bucket"
7 | acl = "public-read"
8 |
9 | tags = {
10 | Name = "Insecure Bucket"
11 | }
12 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.insecure_bucket
File: /terraform.tf:5-12
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled
5 | resource "aws_s3_bucket" "insecure_bucket" {
6 | bucket = "my-insecure-bucket"
7 | acl = "public-read"
8 |
9 | tags = {
10 | Name = "Insecure Bucket"
11 | }
12 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.no_logging
File: /terraform.tf:129-135
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled
129 | resource "aws_s3_bucket" "no_logging" {
130 | bucket = "bucket-without-logging"
131 |
132 | tags = {
133 | Name = "No Logging Bucket"
134 | }
135 | }
Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF"
FAILED for resource: aws_lb.insecure_alb
File: /terraform.tf:158-166
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf
158 | resource "aws_lb" "insecure_alb" {
159 | name = "insecure-alb"
160 | internal = false
161 | load_balancer_type = "application"
162 | security_groups = [aws_security_group.allow_all.id]
163 | subnets = ["subnet-12345678", "subnet-87654321"]
164 |
165 | enable_deletion_protection = false
166 | }
Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
FAILED for resource: aws_s3_bucket.insecure_bucket
File: /terraform.tf:5-12
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached
5 | resource "aws_s3_bucket" "insecure_bucket" {
6 | bucket = "my-insecure-bucket"
7 | acl = "public-read"
8 |
9 | tags = {
10 | Name = "Insecure Bucket"
11 | }
12 | }
Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
FAILED for resource: aws_s3_bucket.no_logging
File: /terraform.tf:129-135
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached
129 | resource "aws_s3_bucket" "no_logging" {
130 | bucket = "bucket-without-logging"
131 |
132 | tags = {
133 | Name = "No Logging Bucket"
134 | }
135 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.insecure_instance
File: /terraform.tf:47-62
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance
47 | resource "aws_instance" "insecure_instance" {
48 | ami = "ami-0123456789abcdef0"
49 | instance_type = "t2.micro"
50 |
51 | metadata_options {
52 | http_tokens = "optional"
53 | }
54 |
55 | root_block_device {
56 | encrypted = false
57 | }
58 |
59 | tags = {
60 | Name = "Insecure Instance"
61 | }
62 | }
Check: CKV2_AWS_40: "Ensure AWS IAM policy does not allow full IAM privileges"
FAILED for resource: aws_iam_policy.overly_permissive
File: /terraform.tf:82-96
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-2-40
82 | resource "aws_iam_policy" "overly_permissive" {
83 | name = "overly_permissive_policy"
84 | description = "An overly permissive IAM policy"
85 |
86 | policy = jsonencode({
87 | Version = "2012-10-17"
88 | Statement = [
89 | {
90 | Effect = "Allow"
91 | Action = "*"
92 | Resource = "*"
93 | }
94 | ]
95 | })
96 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.insecure_bucket
File: /terraform.tf:5-12
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging
5 | resource "aws_s3_bucket" "insecure_bucket" {
6 | bucket = "my-insecure-bucket"
7 | acl = "public-read"
8 |
9 | tags = {
10 | Name = "Insecure Bucket"
11 | }
12 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.no_logging
File: /terraform.tf:129-135
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging
129 | resource "aws_s3_bucket" "no_logging" {
130 | bucket = "bucket-without-logging"
131 |
132 | tags = {
133 | Name = "No Logging Bucket"
134 | }
135 | }
secrets scan results:
Passed checks: 0, Failed checks: 2, Skipped checks: 0
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: cbfdac6008f9cab4083784cbd1874f76618d2a97
File: /terraform.tf:71-72
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/secrets-policies/secrets-policy-index/git-secrets-6
71 | password = "pa**********"
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: 71e0a037aef841e4bbf40e20985801944de5550b
File: /terraform.tf:107-108
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/secrets-policies/secrets-policy-index/git-secrets-6
107 | API_KEY = "sk-se**********"