
CC-4519: Add GuardDuty Slack alerting for APEX accounts #17037

Open
srikanththummala0470 wants to merge 3 commits into main from CC-4519-apex-guardduty

Conversation

@srikanththummala0470
Contributor

Summary

  • Implements GuardDuty findings → SNS → Lambda → Slack alerting pipeline for all APEX environments (development, test, preproduction, production)
  • Routes findings to laa-alerts-guardduty-nonprod (non-prod) or laa-alerts-guardduty-prod (production) Slack channels
  • Adds GuardDuty Malware Protection Plans for shared, cloudfront, and backup_lambda S3 buckets
  • Adds shared S3 bucket (apex-<env>-shared) for Lambda layer delivery with TLS 1.2 enforcement and AES256 encryption

Pre-apply step

Upload the Lambda layer zip to each environment's shared bucket before applying:

s3://apex-<env>-shared/lambda_delivery/cloudwatch_sns_layer/layerV1.zip

See: https://dsdmoj.atlassian.net/wiki/spaces/LDD/pages/5975606239/Build+Layered+Function+for+Lambda

Test plan

  • Upload layerV1.zip to apex-development-shared bucket
  • Dev plan — no errors
  • Dev apply — Lambda function, SNS topic, EventBridge rule, malware protection plans created
  • Populate apex-development-guardduty-slack secret with real Slack webhook URLs
  • Verify GuardDuty test finding routes to laa-alerts-guardduty-nonprod
  • Repeat plan/apply for test, preproduction, production
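
The routing step the description outlines (GuardDuty finding, delivered through SNS, classified by severity and posted to the prod or nonprod Slack channel) as an added, constructed example. This is not the Lambda code in the PR; it only follows the pipeline and channel mapping the description states. Assumptions not taken from the PR: the finding arrives as an EventBridge "GuardDuty Finding" event serialised into the SNS `Message` field, the Secrets Manager secret named by `SECRET_NAME` is a JSON object with a `webhook_url` key, and the environment name is passed in a hypothetical `ENVIRONMENT` variable. The sample event and account id are constructed.

```python
import json
import os
import urllib.request
from typing import Callable, List, Optional

# GuardDuty severity bands: Low 1-3.9, Medium 4-6.9, High 7-8.9, Critical 9+.
SEVERITY_BANDS = [(9.0, "CRITICAL"), (7.0, "HIGH"), (4.0, "MEDIUM"), (1.0, "LOW")]

# Environment -> Slack channel mapping stated in the PR description.
NONPROD_ENVIRONMENTS = {"development", "test", "preproduction"}


def severity_label(score: float) -> str:
    """Map GuardDuty's numeric severity to its band name."""
    for threshold, label in SEVERITY_BANDS:
        if score >= threshold:
            return label
    return "INFORMATIONAL"


def slack_channel_for(environment: str) -> str:
    """Production findings go to the prod channel, all other APEX envs to nonprod."""
    if environment == "production":
        return "laa-alerts-guardduty-prod"
    if environment in NONPROD_ENVIRONMENTS:
        return "laa-alerts-guardduty-nonprod"
    raise ValueError(f"unknown APEX environment: {environment!r}")


def parse_sns_record(record: dict) -> Optional[dict]:
    """Unwrap one SNS record; return the finding fields, or None if it is not a GuardDuty finding.

    Other detail-types on the same topic are ignored rather than announced in the
    security channel as if they were findings.
    """
    event = json.loads(record["Sns"]["Message"])
    if event.get("detail-type") != "GuardDuty Finding":
        return None
    detail = event["detail"]
    return {
        "id": detail["id"],
        "type": detail["type"],
        "title": detail["title"],
        "account": detail["accountId"],
        "region": detail["region"],
        "severity": float(detail["severity"]),
    }


def build_slack_payload(finding: dict, environment: str) -> dict:
    """Render a finding as a Slack incoming-webhook body (the webhook URL fixes the channel)."""
    band = severity_label(finding["severity"])
    text = (
        f"[{band}] GuardDuty finding in {environment} "
        f"({finding['account']}/{finding['region']}) -> #{slack_channel_for(environment)}\n"
        f"{finding['type']}: {finding['title']}\n"
        f"Finding id: {finding['id']}"
    )
    return {"text": text}


def post_to_slack(webhook_url: str, payload: dict) -> int:
    """Send the payload to a Slack incoming webhook and return the HTTP status."""
    req = urllib.request.Request(
        webhook_url,
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


def handle_event(event: dict, environment: str, webhook_url: str,
                 poster: Callable[[str, dict], int] = post_to_slack) -> List[dict]:
    """Route each GuardDuty finding in an SNS event to Slack; return the payloads sent."""
    sent = []
    for record in event.get("Records", []):
        finding = parse_sns_record(record)
        if finding is None:
            continue
        payload = build_slack_payload(finding, environment)
        poster(webhook_url, payload)
        sent.append(payload)
    return sent


def lambda_handler(event, context):
    """Lambda entry point: read the webhook URL from Secrets Manager, then route."""
    import boto3  # imported here so the routing logic above runs without the SDK

    secret = boto3.client("secretsmanager").get_secret_value(SecretId=os.environ["SECRET_NAME"])
    webhook_url = json.loads(secret["SecretString"])["webhook_url"]  # assumed secret layout
    sent = handle_event(event, os.environ["ENVIRONMENT"], webhook_url)  # assumed variable
    return {"posted": len(sent)}


# Constructed sample: one GuardDuty finding plus one unrelated message, as SNS delivers them.
SAMPLE_EVENT = {
    "Records": [
        {"Sns": {"Message": json.dumps({
            "detail-type": "GuardDuty Finding",
            "detail": {
                "id": "example-finding-id",
                "type": "UnauthorizedAccess:EC2/SSHBruteForce",
                "title": "Example SSH brute-force finding (constructed)",
                "accountId": "123456789012",
                "region": "eu-west-2",
                "severity": 8,
            },
        })}},
        {"Sns": {"Message": json.dumps({"detail-type": "Something Else", "detail": {}})}},
    ]
}
```

`handle_event` takes the HTTP poster as a parameter so the parsing and channel selection can be exercised offline against `SAMPLE_EVENT`; only `lambda_handler` touches Secrets Manager. Non-GuardDuty messages on the topic are dropped rather than forwarded, which matters once the same SNS topic also carries CloudWatch alarms.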

Implements GuardDuty findings → SNS → Lambda → Slack pipeline for all
APEX environments (development, test, preproduction, production), routing
to laa-alerts-guardduty-nonprod or laa-alerts-guardduty-prod. Adds
malware protection plans for shared, cloudfront, and backup_lambda S3
buckets.
@srikanththummala0470 srikanththummala0470 requested review from a team as code owners June 5, 2026 08:32
@github-actions github-actions Bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label Jun 5, 2026
Adds protection plans for bastion, ALB access logs, and CodeBuild
(report + resources) buckets. Bastion plan is conditional on
bastion_bucket_suffix being set per environment. CodeBuild plans are
development-only. Adds s3_bucket output to the local ALB module.
@github-actions
Contributor

github-actions Bot commented Jun 8, 2026


Checkov Scan Success

*****************************

Checkov will check the following folders:
terraform/environments/apex
terraform/environments/apex/modules/alb
terraform/environments/apex

*****************************

Running Checkov in terraform/environments/apex
2026-06-08 08:32:58,237 [MainThread  ] [WARNI]  Unable to load module (github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0): list index out of range
2026-06-08 08:32:58,237 [MainThread  ] [WARNI]  Unable to load module (github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=474f27a3f9bf542a8826c76fb049cc84b5cf136f): list index out of range
2026-06-08 08:32:58,237 [MainThread  ] [WARNI]  Unable to load module (github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0): list index out of range
2026-06-08 08:32:58,238 [MainThread  ] [WARNI]  Unable to load module (github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0): list index out of range
terraform scan results:

Passed checks: 413, Failed checks: 115, Skipped checks: 5, Parsing errors: 1

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.prod_apex
	File: /backups.tf:6-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk

		6  | resource "aws_backup_vault" "prod_apex" {
		7  |   count = local.environment == "production" ? 1 : 0
		8  |   name  = "${local.application_name}-production-backup-vault"
		9  |   tags = merge(
		10 |     local.tags,
		11 |     { "Name" = "${local.application_name}-production-backup-vault" },
		12 |   )
		13 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion.tf:5-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "bastion_linux" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0"
		7  |
		8  |   providers = {
		9  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		11 |   }
		12 |   # s3 - used for logs and user ssh public keys
		13 |   bucket_name = "bastion-${local.application_name}"
		14 |   # public keys
		15 |   public_key_data = local.public_key_data.keys[local.environment]
		16 |   # logs
		17 |   log_auto_clean       = "Enabled"
		18 |   log_standard_ia_days = 30  # days before moving to IA storage
		19 |   log_glacier_days     = 60  # days before moving to Glacier
		20 |   log_expiry_days      = 180 # days before log expiration
		21 |   # bastion
		22 |   allow_ssh_commands = false
		23 |   app_name           = var.networking[0].application
		24 |   business_unit      = local.vpc_name
		25 |   subnet_set         = local.subnet_set
		26 |   environment        = local.environment
		27 |   region             = "eu-west-2"
		28 |
		29 |   # Tags
		30 |   tags_common = local.tags
		31 |   tags_prefix = terraform.workspace
		32 | }

Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
	FAILED for resource: aws_s3_bucket_lifecycle_configuration.cloudfront
	File: /cloudfront.tf:157-175
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-300

		157 | resource "aws_s3_bucket_lifecycle_configuration" "cloudfront" {
		158 |   count  = local.environment == "production" ? 1 : 0
		159 |   bucket = aws_s3_bucket.cloudfront.id
		160 |
		161 |   rule {
		162 |     id = "delete-after-90days"
		163 |
		164 |     expiration {
		165 |       days = 90
		166 |     }
		167 |
		168 |     noncurrent_version_expiration {
		169 |       newer_noncurrent_versions = 1
		170 |       noncurrent_days           = 90
		171 |     }
		172 |
		173 |     status = "Enabled"
		174 |   }
		175 | }

Check: CKV_AWS_374: "Ensure AWS CloudFront web distribution has geo restriction enabled"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-374

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_310: "Ensure CloudFront distributions should have origin failover configured"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-310

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_305: "Ensure CloudFront distribution has a default root object configured"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-305

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
	FAILED for resource: aws_acm_certificate.cloudfront
	File: /cloudfront.tf:295-305
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy

		295 | resource "aws_acm_certificate" "cloudfront" {
		296 |   domain_name               = local.cloudfront_domain
		297 |   validation_method         = "DNS"
		298 |   provider                  = aws.us-east-1
		299 |   subject_alternative_names = local.environment == "production" ? null : [local.lower_env_cloudfront_url]
		300 |   tags                      = local.tags
		301 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		302 |   lifecycle {
		303 |     prevent_destroy = false
		304 |   }
		305 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.apex_db_instance
	File: /ec2.tf:6-43
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		6  | resource "aws_instance" "apex_db_instance" {
		7  |   ami                         = local.application_data.accounts[local.environment].ec2amiid
		8  |   associate_public_ip_address = false
		9  |   availability_zone           = "eu-west-2a"
		10 |   ebs_optimized               = true
		11 |   instance_type               = local.application_data.accounts[local.environment].ec2instancetype
		12 |   vpc_security_group_ids      = [aws_security_group.database.id]
		13 |   monitoring                  = true
		14 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		15 |   iam_instance_profile        = aws_iam_instance_profile.ec2_instance_profile.id
		16 |   key_name                    = aws_key_pair.apex.key_name
		17 |   user_data_base64            = base64encode(local.database-instance-userdata)
		18 |   user_data_replace_on_change = true
		19 |
		20 |   lifecycle {
		21 |     ignore_changes = [user_data_base64, user_data_replace_on_change]
		22 |   }
		23 |
		24 |   root_block_device {
		25 |     delete_on_termination = false
		26 |     encrypted             = true # TODO Confirm if encrypted volumes can work for OAS, as it looks like in MP they must be encrypted
		27 |     volume_size           = 60
		28 |     volume_type           = "gp2"
		29 |     tags = merge(
		30 |       local.tags,
		31 |       { "Name" = "${local.application_name}db-ec2-root" },
		32 |       { "backup" = "false" }
		33 |     )
		34 |   }
		35 |
		36 |   tags = merge(
		37 |     local.tags,
		38 |     { "Name" = local.database_ec2_name },
		39 |     { "instance-scheduling" = "skip-scheduling" },
		40 |     { "backup" = "false" },
		41 |     local.backup_schedule_tags
		42 |   )
		43 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_lambda
	File: /ec2.tf:80-87
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		80 | resource "aws_vpc_security_group_ingress_rule" "db_lambda" {
		81 |   security_group_id            = aws_security_group.database.id
		82 |   description                  = "Allow Lambda SSH access for backup snapshots"
		83 |   referenced_security_group_id = aws_security_group.backup_lambda.id
		84 |   from_port                    = 22
		85 |   ip_protocol                  = "tcp"
		86 |   to_port                      = 22
		87 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_bastion
	File: /ec2.tf:89-96
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		89 | resource "aws_vpc_security_group_ingress_rule" "db_bastion" {
		90 |   security_group_id            = aws_security_group.database.id
		91 |   description                  = "Allow Bastion SSH access"
		92 |   referenced_security_group_id = module.bastion_linux.bastion_security_group
		93 |   from_port                    = 22
		94 |   ip_protocol                  = "tcp"
		95 |   to_port                      = 22
		96 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.db_outbound
	File: /ec2.tf:117-121
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		117 | resource "aws_vpc_security_group_egress_rule" "db_outbound" {
		118 |   security_group_id = aws_security_group.database.id
		119 |   cidr_ipv4         = "0.0.0.0/0"
		120 |   ip_protocol       = "-1"
		121 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.ec2_instance_policy
	File: /ec2.tf:148-179
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		148 | resource "aws_iam_role_policy" "ec2_instance_policy" {
		149 |   name = "${local.application_name}-ec2-policy"
		150 |   role = aws_iam_role.ec2_instance_role.id
		151 |   policy = jsonencode({
		152 |     Version = "2012-10-17"
		153 |     Statement = [
		154 |       {
		155 |         Effect = "Allow",
		156 |         Action = [
		157 |           "logs:CreateLogGroup",
		158 |           "logs:CreateLogStream",
		159 |           "logs:DescribeLogStreams",
		160 |           "logs:PutRetentionPolicy",
		161 |           "logs:PutLogEvents",
		162 |           "logs:DescribeLogGroups",
		163 |           "cloudwatch:PutMetricData",
		164 |           "cloudwatch:GetMetricStatistics",
		165 |           "cloudwatch:ListMetrics",
		166 |           "ec2:DescribeInstances",
		167 |         ],
		168 |         Resource = "*"
		169 |       },
		170 |       {
		171 |         Effect = "Allow",
		172 |         Action = [
		173 |           "ec2:CreateTags"
		174 |         ],
		175 |         Resource = "*"
		176 |       }
		177 |     ]
		178 |   })
		179 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.ec2_instance_policy
	File: /ec2.tf:148-179
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		148 | resource "aws_iam_role_policy" "ec2_instance_policy" {
		149 |   name = "${local.application_name}-ec2-policy"
		150 |   role = aws_iam_role.ec2_instance_role.id
		151 |   policy = jsonencode({
		152 |     Version = "2012-10-17"
		153 |     Statement = [
		154 |       {
		155 |         Effect = "Allow",
		156 |         Action = [
		157 |           "logs:CreateLogGroup",
		158 |           "logs:CreateLogStream",
		159 |           "logs:DescribeLogStreams",
		160 |           "logs:PutRetentionPolicy",
		161 |           "logs:PutLogEvents",
		162 |           "logs:DescribeLogGroups",
		163 |           "cloudwatch:PutMetricData",
		164 |           "cloudwatch:GetMetricStatistics",
		165 |           "cloudwatch:ListMetrics",
		166 |           "ec2:DescribeInstances",
		167 |         ],
		168 |         Resource = "*"
		169 |       },
		170 |       {
		171 |         Effect = "Allow",
		172 |         Action = [
		173 |           "ec2:CreateTags"
		174 |         ],
		175 |         Resource = "*"
		176 |       }
		177 |     ]
		178 |   })
		179 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.database
	File: /ec2.tf:281-291
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		281 | resource "aws_cloudwatch_log_group" "database" {
		282 |   name              = "${upper(local.application_name)}-EC2-database-alert"
		283 |   retention_in_days = 0
		284 |   # kms_key_id = aws_kms_key.cloudwatch_logs_key.arn # Not encrypted in LZ
		285 |   tags = merge(
		286 |     local.tags,
		287 |     {
		288 |       Name = "${upper(local.application_name)}-EC2-database-alert"
		289 |     }
		290 |   )
		291 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.pmon_status
	File: /ec2.tf:306-316
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		306 | resource "aws_cloudwatch_log_group" "pmon_status" {
		307 |   name              = "${upper(local.application_name)}-EC2-database-pmon-status"
		308 |   retention_in_days = 0
		309 |   # kms_key_id = aws_kms_key.cloudwatch_logs_key.arn # Not encrypted in LZ
		310 |   tags = merge(
		311 |     local.tags,
		312 |     {
		313 |       Name = "${upper(local.application_name)}-EC2-database-pmon-status"
		314 |     }
		315 |   )
		316 | }

Check: CKV_AWS_7: "Ensure rotation for customer created CMKs is enabled"
	FAILED for resource: aws_kms_key.efs
	File: /efs.tf:1-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-8

		1 | resource "aws_kms_key" "efs" {
		2 |   description = "KMS key for encrypting EFS"
		3 |   # enable_key_rotation = true
		4 |   tags = local.tags
		5 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.cloudwatch_sns_encryption
	File: /guardduty.tf:25-54
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		25 | data "aws_iam_policy_document" "cloudwatch_sns_encryption" {
		26 |   version = "2012-10-17"
		27 |   statement {
		28 |     sid    = "AllowCloudWatchSNSUseOfTheKey"
		29 |     effect = "Allow"
		30 |     principals {
		31 |       type = "Service"
		32 |       identifiers = [
		33 |         "cloudwatch.amazonaws.com",
		34 |         "events.amazonaws.com"
		35 |       ]
		36 |     }
		37 |     actions = [
		38 |       "kms:GenerateDataKey*",
		39 |       "kms:Decrypt"
		40 |     ]
		41 |     resources = ["*"]
		42 |   }
		43 |
		44 |   statement {
		45 |     sid    = "AllowAccountAdmins"
		46 |     effect = "Allow"
		47 |     principals {
		48 |       type        = "AWS"
		49 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		50 |     }
		51 |     actions   = ["kms:*"]
		52 |     resources = ["*"]
		53 |   }
		54 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.cloudwatch_sns_encryption
	File: /guardduty.tf:25-54
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		25 | data "aws_iam_policy_document" "cloudwatch_sns_encryption" {
		26 |   version = "2012-10-17"
		27 |   statement {
		28 |     sid    = "AllowCloudWatchSNSUseOfTheKey"
		29 |     effect = "Allow"
		30 |     principals {
		31 |       type = "Service"
		32 |       identifiers = [
		33 |         "cloudwatch.amazonaws.com",
		34 |         "events.amazonaws.com"
		35 |       ]
		36 |     }
		37 |     actions = [
		38 |       "kms:GenerateDataKey*",
		39 |       "kms:Decrypt"
		40 |     ]
		41 |     resources = ["*"]
		42 |   }
		43 |
		44 |   statement {
		45 |     sid    = "AllowAccountAdmins"
		46 |     effect = "Allow"
		47 |     principals {
		48 |       type        = "AWS"
		49 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		50 |     }
		51 |     actions   = ["kms:*"]
		52 |     resources = ["*"]
		53 |   }
		54 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.cloudwatch_sns_encryption
	File: /guardduty.tf:25-54
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		25 | data "aws_iam_policy_document" "cloudwatch_sns_encryption" {
		26 |   version = "2012-10-17"
		27 |   statement {
		28 |     sid    = "AllowCloudWatchSNSUseOfTheKey"
		29 |     effect = "Allow"
		30 |     principals {
		31 |       type = "Service"
		32 |       identifiers = [
		33 |         "cloudwatch.amazonaws.com",
		34 |         "events.amazonaws.com"
		35 |       ]
		36 |     }
		37 |     actions = [
		38 |       "kms:GenerateDataKey*",
		39 |       "kms:Decrypt"
		40 |     ]
		41 |     resources = ["*"]
		42 |   }
		43 |
		44 |   statement {
		45 |     sid    = "AllowAccountAdmins"
		46 |     effect = "Allow"
		47 |     principals {
		48 |       type        = "AWS"
		49 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		50 |     }
		51 |     actions   = ["kms:*"]
		52 |     resources = ["*"]
		53 |   }
		54 | }

Check: CKV_AWS_7: "Ensure rotation for customer created CMKs is enabled"
	FAILED for resource: aws_kms_key.cloudwatch_sns_alerts_key
	File: /guardduty.tf:6-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-8

		6  | resource "aws_kms_key" "cloudwatch_sns_alerts_key" {
		7  |   description             = "KMS Key for CloudWatch SNS Alerts Encryption"
		8  |   deletion_window_in_days = 30
		9  |
		10 |   tags = merge(local.tags,
		11 |     { Name = lower(format("%s-%s-cloudwatch-sns-alerts-kms-key", local.application_name, local.environment)) }
		12 |   )
		13 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.guardduty_slack_secret
	File: /guardduty.tf:124-132
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		124 | resource "aws_secretsmanager_secret" "guardduty_slack_secret" {
		125 |   name                    = "${local.application_name}-${local.environment}-guardduty-slack"
		126 |   description             = "Slack webhook URLs for GuardDuty and CloudWatch alerts (laa-alerts-guardduty-nonprod or laa-alerts-guardduty-prod)"
		127 |   recovery_window_in_days = local.is-production ? 30 : 0
		128 |
		129 |   tags = merge(local.tags, {
		130 |     Name = "${local.application_name}-${local.environment}-guardduty-slack"
		131 |   })
		132 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.guardduty_slack_notify
	File: /guardduty.tf:221-245
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		221 | resource "aws_lambda_function" "guardduty_slack_notify" {
		222 |   filename         = data.archive_file.guardduty_lambda_zip.output_path
		223 |   source_code_hash = base64sha256(join("", local.lambda_source_hashes))
		224 |   function_name    = "${local.application_name}-${local.environment}-guardduty-slack-notify"
		225 |   role             = aws_iam_role.lambda_guardduty_sns_role.arn
		226 |   handler          = "lambda_function.lambda_handler"
		227 |   layers           = [aws_lambda_layer_version.guardduty_sns_layer.arn]
		228 |   runtime          = "python3.13"
		229 |   timeout          = 30
		230 |   publish          = true
		231 |
		232 |   environment {
		233 |     variables = {
		234 |       SECRET_NAME = aws_secretsmanager_secret.guardduty_slack_secret.name
		235 |     }
		236 |   }
		237 |
		238 |   tracing_config {
		239 |     mode = "Active"
		240 |   }
		241 |
		242 |   tags = merge(local.tags, {
		243 |     Name = "${local.application_name}-${local.environment}-guardduty-slack-notify"
		244 |   })
		245 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.guardduty_slack_notify
	File: /guardduty.tf:221-245
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		221 | resource "aws_lambda_function" "guardduty_slack_notify" {
		222 |   filename         = data.archive_file.guardduty_lambda_zip.output_path
		223 |   source_code_hash = base64sha256(join("", local.lambda_source_hashes))
		224 |   function_name    = "${local.application_name}-${local.environment}-guardduty-slack-notify"
		225 |   role             = aws_iam_role.lambda_guardduty_sns_role.arn
		226 |   handler          = "lambda_function.lambda_handler"
		227 |   layers           = [aws_lambda_layer_version.guardduty_sns_layer.arn]
		228 |   runtime          = "python3.13"
		229 |   timeout          = 30
		230 |   publish          = true
		231 |
		232 |   environment {
		233 |     variables = {
		234 |       SECRET_NAME = aws_secretsmanager_secret.guardduty_slack_secret.name
		235 |     }
		236 |   }
		237 |
		238 |   tracing_config {
		239 |     mode = "Active"
		240 |   }
		241 |
		242 |   tags = merge(local.tags, {
		243 |     Name = "${local.application_name}-${local.environment}-guardduty-slack-notify"
		244 |   })
		245 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.guardduty_slack_notify
	File: /guardduty.tf:221-245
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		221 | resource "aws_lambda_function" "guardduty_slack_notify" {
		222 |   filename         = data.archive_file.guardduty_lambda_zip.output_path
		223 |   source_code_hash = base64sha256(join("", local.lambda_source_hashes))
		224 |   function_name    = "${local.application_name}-${local.environment}-guardduty-slack-notify"
		225 |   role             = aws_iam_role.lambda_guardduty_sns_role.arn
		226 |   handler          = "lambda_function.lambda_handler"
		227 |   layers           = [aws_lambda_layer_version.guardduty_sns_layer.arn]
		228 |   runtime          = "python3.13"
		229 |   timeout          = 30
		230 |   publish          = true
		231 |
		232 |   environment {
		233 |     variables = {
		234 |       SECRET_NAME = aws_secretsmanager_secret.guardduty_slack_secret.name
		235 |     }
		236 |   }
		237 |
		238 |   tracing_config {
		239 |     mode = "Active"
		240 |   }
		241 |
		242 |   tags = merge(local.tags, {
		243 |     Name = "${local.application_name}-${local.environment}-guardduty-slack-notify"
		244 |   })
		245 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.guardduty_slack_notify
	File: /guardduty.tf:221-245
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		221 | resource "aws_lambda_function" "guardduty_slack_notify" {
		222 |   filename         = data.archive_file.guardduty_lambda_zip.output_path
		223 |   source_code_hash = base64sha256(join("", local.lambda_source_hashes))
		224 |   function_name    = "${local.application_name}-${local.environment}-guardduty-slack-notify"
		225 |   role             = aws_iam_role.lambda_guardduty_sns_role.arn
		226 |   handler          = "lambda_function.lambda_handler"
		227 |   layers           = [aws_lambda_layer_version.guardduty_sns_layer.arn]
		228 |   runtime          = "python3.13"
		229 |   timeout          = 30
		230 |   publish          = true
		231 |
		232 |   environment {
		233 |     variables = {
		234 |       SECRET_NAME = aws_secretsmanager_secret.guardduty_slack_secret.name
		235 |     }
		236 |   }
		237 |
		238 |   tracing_config {
		239 |     mode = "Active"
		240 |   }
		241 |
		242 |   tags = merge(local.tags, {
		243 |     Name = "${local.application_name}-${local.environment}-guardduty-slack-notify"
		244 |   })
		245 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.guardduty_slack_notify
	File: /guardduty.tf:221-245
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		221 | resource "aws_lambda_function" "guardduty_slack_notify" {
		222 |   filename         = data.archive_file.guardduty_lambda_zip.output_path
		223 |   source_code_hash = base64sha256(join("", local.lambda_source_hashes))
		224 |   function_name    = "${local.application_name}-${local.environment}-guardduty-slack-notify"
		225 |   role             = aws_iam_role.lambda_guardduty_sns_role.arn
		226 |   handler          = "lambda_function.lambda_handler"
		227 |   layers           = [aws_lambda_layer_version.guardduty_sns_layer.arn]
		228 |   runtime          = "python3.13"
		229 |   timeout          = 30
		230 |   publish          = true
		231 |
		232 |   environment {
		233 |     variables = {
		234 |       SECRET_NAME = aws_secretsmanager_secret.guardduty_slack_secret.name
		235 |     }
		236 |   }
		237 |
		238 |   tracing_config {
		239 |     mode = "Active"
		240 |   }
		241 |
		242 |   tags = merge(local.tags, {
		243 |     Name = "${local.application_name}-${local.environment}-guardduty-slack-notify"
		244 |   })
		245 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ssh_key
	File: /lambda.tf:8-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		8  | resource "aws_ssm_parameter" "ssh_key" {
		9  |   name        = "EC2_SSH_KEY" # This needs to match the name supplied to the dbconnect.js script
		10 |   description = "SSH Key used by Lambda function to access database instance for backup. Value is updated manually."
		11 |   type        = "SecureString"
		12 |   value       = "Placeholder"
		13 |
		14 |   tags = merge(
		15 |     local.tags,
		16 |     { Name = "EC2_SSH_KEY" }
		17 |   )
		18 |   lifecycle {
		19 |     ignore_changes = [
		20 |       value,
		21 |     ]
		22 |   }
		23 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
	FAILED for resource: aws_security_group.backup_lambda
	File: /lambda.tf:190-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-382

		190 | resource "aws_security_group" "backup_lambda" {
		191 |   name        = "${local.application_name}-${local.environment}-backup-lambda-security-group"
		192 |   description = "Bakcup Lambda Security Group"
		193 |   vpc_id      = data.aws_vpc.shared.id
		194 |
		195 |   egress {
		196 |     description = "outbound access"
		197 |     from_port   = 0
		198 |     to_port     = 0
		199 |     protocol    = "-1"
		200 |     cidr_blocks = ["0.0.0.0/0"]
		201 |   }
		202 |
		203 |   tags = merge(
		204 |     local.tags,
		205 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-security-group" }
		206 |   )
		207 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 |
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 |
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 |
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 |
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 |
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 |
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 |
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 |
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 |
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 |
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:252-274
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		252 | resource "aws_lambda_function" "delete_db_snapshots" {
		253 |
		254 |   description      = "Clean up script to delete old unused snapshots"
		255 |   function_name    = "deletesnapshotFunction"
		256 |   role             = aws_iam_role.backup_lambda.arn
		257 |   handler          = "deletesnapshots.lambda_handler"
		258 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		259 |   runtime          = "python3.8"
		260 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		261 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		262 |   memory_size      = 3000
		263 |   timeout          = 900
		264 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		265 |
		266 |   vpc_config {
		267 |     security_group_ids = [aws_security_group.backup_lambda.id]
		268 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		269 |   }
		270 |   tags = merge(
		271 |     local.tags,
		272 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		273 |   )
		274 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:252-274
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		252 | resource "aws_lambda_function" "delete_db_snapshots" {
		253 |
		254 |   description      = "Clean up script to delete old unused snapshots"
		255 |   function_name    = "deletesnapshotFunction"
		256 |   role             = aws_iam_role.backup_lambda.arn
		257 |   handler          = "deletesnapshots.lambda_handler"
		258 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		259 |   runtime          = "python3.8"
		260 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		261 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		262 |   memory_size      = 3000
		263 |   timeout          = 900
		264 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		265 |
		266 |   vpc_config {
		267 |     security_group_ids = [aws_security_group.backup_lambda.id]
		268 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		269 |   }
		270 |   tags = merge(
		271 |     local.tags,
		272 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		273 |   )
		274 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:252-274
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		252 | resource "aws_lambda_function" "delete_db_snapshots" {
		253 |
		254 |   description      = "Clean up script to delete old unused snapshots"
		255 |   function_name    = "deletesnapshotFunction"
		256 |   role             = aws_iam_role.backup_lambda.arn
		257 |   handler          = "deletesnapshots.lambda_handler"
		258 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		259 |   runtime          = "python3.8"
		260 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		261 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		262 |   memory_size      = 3000
		263 |   timeout          = 900
		264 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		265 |
		266 |   vpc_config {
		267 |     security_group_ids = [aws_security_group.backup_lambda.id]
		268 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		269 |   }
		270 |   tags = merge(
		271 |     local.tags,
		272 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		273 |   )
		274 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:252-274
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		252 | resource "aws_lambda_function" "delete_db_snapshots" {
		253 |
		254 |   description      = "Clean up script to delete old unused snapshots"
		255 |   function_name    = "deletesnapshotFunction"
		256 |   role             = aws_iam_role.backup_lambda.arn
		257 |   handler          = "deletesnapshots.lambda_handler"
		258 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		259 |   runtime          = "python3.8"
		260 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		261 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		262 |   memory_size      = 3000
		263 |   timeout          = 900
		264 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		265 |
		266 |   vpc_config {
		267 |     security_group_ids = [aws_security_group.backup_lambda.id]
		268 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		269 |   }
		270 |   tags = merge(
		271 |     local.tags,
		272 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		273 |   )
		274 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		276 | resource "aws_lambda_function" "connect_db" {
		277 |
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 |
		291 |
		292 |
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 |
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		276 | resource "aws_lambda_function" "connect_db" {
		277 |
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 |
		291 |
		292 |
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 |
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		276 | resource "aws_lambda_function" "connect_db" {
		277 |
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 |
		291 |
		292 |
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 |
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		276 | resource "aws_lambda_function" "connect_db" {
		277 |
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 |
		291 |
		292 |
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 |
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		276 | resource "aws_lambda_function" "connect_db" {
		277 |
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 |
		291 |
		292 |
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 |
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: module.alb.aws_secretsmanager_secret.cloudfront
	File: /modules/alb/main.tf:275-278
	Calling File: /alb.tf:27-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		275 | resource "aws_secretsmanager_secret" "cloudfront" {
		276 |   name        = "cloudfront-v1-secret-${var.application_name}"
		277 |   description = "Simple secret created by AWS CloudFormation to be shared between ALB and CloudFront"
		278 | }

Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
	FAILED for resource: module.alb.aws_acm_certificate.external_lb
	File: /modules/alb/main.tf:427-437
	Calling File: /alb.tf:27-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy

		427 | resource "aws_acm_certificate" "external_lb" {
		428 |
		429 |   domain_name               = var.acm_cert_domain_name
		430 |   validation_method         = "DNS"
		431 |   subject_alternative_names = var.environment == "production" ? null : ["${var.application_name}.${var.business_unit}-${var.environment}.${var.acm_cert_domain_name}"]
		432 |   tags                      = var.tags
		433 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		434 |   lifecycle {
		435 |     prevent_destroy = false
		436 |   }
		437 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.alb.s3-bucket
	File: /modules/alb/main.tf:96-151
	Calling File: /alb.tf:27-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket_lifecycle_configuration.report_lifecycle
	File: /modules/codebuild/main.tf:25-39
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-300

		25 | resource "aws_s3_bucket_lifecycle_configuration" "report_lifecycle" {
		26 |   bucket = aws_s3_bucket.deployment_report.id
		27 |
		28 |   rule {
		29 |     id = "monthly-expiration"
		30 |     expiration {
		31 |       days = var.s3_lifecycle_expiration_days
		32 |     }
		33 |     noncurrent_version_expiration {
		34 |       noncurrent_days = var.s3_lifecycle_noncurr_version_expiration_days
		35 |     }
		36 |
		37 |     status = "Enabled"
		38 |   }
		39 | }

Check: CKV_AWS_163: "Ensure ECR image scanning on push is enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
	File: /modules/codebuild/main.tf:52-66
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-8

		52 | resource "aws_ecr_repository" "local-ecr" {
		53 |   name                 = "${var.app_name}-local-ecr"
		54 |   image_tag_mutability = "MUTABLE"
		55 |
		56 |   image_scanning_configuration {
		57 |     scan_on_push = false
		58 |   }
		59 |
		60 |   tags = merge(
		61 |     var.tags,
		62 |     {
		63 |       Name = "${var.app_name}-local-ecr"
		64 |     },
		65 |   )
		66 | }

Check: CKV_AWS_136: "Ensure that ECR repositories are encrypted using KMS"
	FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
	File: /modules/codebuild/main.tf:52-66
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ecr-repositories-are-encrypted

		52 | resource "aws_ecr_repository" "local-ecr" {
		53 |   name                 = "${var.app_name}-local-ecr"
		54 |   image_tag_mutability = "MUTABLE"
		55 |
		56 |   image_scanning_configuration {
		57 |     scan_on_push = false
		58 |   }
		59 |
		60 |   tags = merge(
		61 |     var.tags,
		62 |     {
		63 |       Name = "${var.app_name}-local-ecr"
		64 |     },
		65 |   )
		66 | }

Check: CKV_AWS_51: "Ensure ECR Image Tags are immutable"
	FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
	File: /modules/codebuild/main.tf:52-66
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-24

		52 | resource "aws_ecr_repository" "local-ecr" {
		53 |   name                 = "${var.app_name}-local-ecr"
		54 |   image_tag_mutability = "MUTABLE"
		55 |
		56 |   image_scanning_configuration {
		57 |     scan_on_push = false
		58 |   }
		59 |
		60 |   tags = merge(
		61 |     var.tags,
		62 |     {
		63 |       Name = "${var.app_name}-local-ecr"
		64 |     },
		65 |   )
		66 | }

Check: CKV_AWS_316: "Ensure CodeBuild project environments do not have privileged mode enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.app-build
	File: /modules/codebuild/main.tf:163-229
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-316

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_314: "Ensure CodeBuild project environments have a logging configuration"
	FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.app-build
	File: /modules/codebuild/main.tf:163-229
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-314

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_314: "Ensure CodeBuild project environments have a logging configuration"
	FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.test-build
	File: /modules/codebuild/main.tf:231-280
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-314

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_341: "Ensure Launch template should not have a metadata response hop limit greater than 1"
	FAILED for resource: module.apex-ecs.aws_launch_template.ec2-launch-template
	File: /modules/ecs/main.tf:107-164
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-341

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: module.apex-ecs.aws_launch_template.ec2-launch-template
	File: /modules/ecs/main.tf:107-164
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
	File: /modules/ecs/main.tf:204-237
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
	File: /modules/ecs/main.tf:204-237
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
	File: /modules/ecs/main.tf:204-237
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_249: "Ensure that the Execution Role ARN and the Task Role ARN are different in ECS Task definitions"
	FAILED for resource: module.apex-ecs.aws_ecs_task_definition.windows_ecs_task_definition
	File: /modules/ecs/main.tf:266-287
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-the-aws-execution-role-arn-and-task-role-arn-are-different-in-ecs-task-definitions

		266 | resource "aws_ecs_task_definition" "windows_ecs_task_definition" {
		267 |   family             = "${var.app_name}-task-definition"
		268 |   count              = var.container_instance_type == "windows" ? 1 : 0
		269 |   execution_role_arn = aws_iam_role.ecs_task_execution_role.arn # grants the Amazon ECS container agents permission to make AWS API calls on your behalf
		270 |   task_role_arn      = aws_iam_role.ecs_task_execution_role.arn # assumed by the containers running in the task, allowing your application code (on the container) to use other AWS services
		271 |   requires_compatibilities = [
		272 |     "EC2",
		273 |   ]
		274 |
		275 |   # volume {
		276 |   #   name = var.task_definition_volume
		277 |   # }
		278 |
		279 |   container_definitions = var.task_definition
		280 |
		281 |   tags = merge(
		282 |     var.tags_common,
		283 |     {
		284 |       Name = "${var.app_name}-windows-task-definition"
		285 |     }
		286 |   )
		287 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ecs_service
	File: /modules/ecs/main.tf:439-467
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		439 | resource "aws_iam_policy" "ecs_service" { #tfsec:ignore:aws-iam-no-policy-wildcards
		440 |   name = "${var.app_name}-ecs-service-policy"
		441 |   tags = merge(
		442 |     var.tags_common,
		443 |     {
		444 |       Name = "${var.app_name}-ecs-service-policy"
		445 |     }
		446 |   )
		447 |   policy = <<EOF
		448 | {
		449 |   "Version": "2012-10-17",
		450 |   "Statement": [
		451 |     {
		452 |       "Effect": "Allow",
		453 |       "Action": [
		454 |         "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		455 |         "elasticloadbalancing:DeregisterTargets",
		456 |         "elasticloadbalancing:Describe*",
		457 |         "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		458 |         "elasticloadbalancing:RegisterTargets",
		459 |         "ec2:Describe*",
		460 |         "ec2:AuthorizeSecurityGroupIngress"
		461 |       ],
		462 |       "Resource": ["*"]
		463 |     }
		464 |   ]
		465 | }
		466 | EOF
		467 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ecs_service
	File: /modules/ecs/main.tf:439-467
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		439 | resource "aws_iam_policy" "ecs_service" { #tfsec:ignore:aws-iam-no-policy-wildcards
		440 |   name = "${var.app_name}-ecs-service-policy"
		441 |   tags = merge(
		442 |     var.tags_common,
		443 |     {
		444 |       Name = "${var.app_name}-ecs-service-policy"
		445 |     }
		446 |   )
		447 |   policy = <<EOF
		448 | {
		449 |   "Version": "2012-10-17",
		450 |   "Statement": [
		451 |     {
		452 |       "Effect": "Allow",
		453 |       "Action": [
		454 |         "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		455 |         "elasticloadbalancing:DeregisterTargets",
		456 |         "elasticloadbalancing:Describe*",
		457 |         "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		458 |         "elasticloadbalancing:RegisterTargets",
		459 |         "ec2:Describe*",
		460 |         "ec2:AuthorizeSecurityGroupIngress"
		461 |       ],
		462 |       "Resource": ["*"]
		463 |     }
		464 |   ]
		465 | }
		466 | EOF
		467 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.apex-ecs.aws_cloudwatch_log_group.cloudwatch_group
	File: /modules/ecs/main.tf:488-499
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		488 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		489 |   #checkov:skip=CKV_AWS_158:Temporarily skip KMS encryption check while logging solution is being updated
		490 |   name              = "${var.app_name}-ecs-container-logs"
		491 |   retention_in_days = 90
		492 |   kms_key_id        = var.log_group_kms_key
		493 |   tags = merge(
		494 |     var.tags_common,
		495 |     {
		496 |       Name = "${var.app_name}-ecs-container-logs"
		497 |     }
		498 |   )
		499 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.apex-ecs.aws_cloudwatch_log_group.ec2
	File: /modules/ecs/main.tf:506-516
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		506 | resource "aws_cloudwatch_log_group" "ec2" {
		507 |   name              = "${var.app_name}-ecs-ec2-logs"
		508 |   retention_in_days = 90
		509 |   kms_key_id        = var.log_group_kms_key
		510 |   tags = merge(
		511 |     var.tags_common,
		512 |     {
		513 |       Name = "${var.app_name}-ecs-ec2-logs"
		514 |     }
		515 |   )
		516 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.apex
	File: /sns.tf:6-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		6  | resource "aws_sns_topic" "apex" {
		7  |   name = "${local.application_name}-${local.environment}-alerting-topic"
		8  |   tags = merge(
		9  |     local.tags,
		10 |     {
		11 |       Name = "${local.application_name}-${local.environment}-alerting-topic"
		12 |     }
		13 |   )
		14 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /sns.tf:34-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		34 | module "pagerduty_core_alerts" {
		35 |   depends_on = [
		36 |     aws_sns_topic.apex
		37 |   ]
		38 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		39 |   sns_topics                = [aws_sns_topic.apex.name]
		40 |   pagerduty_integration_key = local.pagerduty_integration_keys[local.pagerduty_integration_key_name]
		41 | }
Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
	FAILED for resource: aws_wafv2_web_acl.waf_acl
	File: /waf.tf:94-130
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-waf-prevents-message-lookup-in-log4j2

		94  | resource "aws_wafv2_web_acl" "waf_acl" {
		95  |   name        = "${upper(local.application_name)}-Whitelisting-Requesters"
		96  |   provider    = aws.us-east-1
		97  |   scope       = "CLOUDFRONT" # Use "CLOUDFRONT" for CloudFront
		98  |   description = "Web ACL for ${local.application_name}"
		99  |
		100 |   default_action {
		101 |     block {}
		102 |   }
		103 |
		104 |   rule {
		105 |     name     = "ManualAllowBlockRules"
		106 |     priority = 1
		107 |
		108 |     statement {
		109 |       rule_group_reference_statement {
		110 |         arn = aws_wafv2_rule_group.manual-rules.arn
		111 |       }
		112 |     }
		113 |
		114 |     override_action {
		115 |       none {}
		116 |     }
		117 |
		118 |     visibility_config {
		119 |       sampled_requests_enabled   = true
		120 |       cloudwatch_metrics_enabled = true
		121 |       metric_name                = "ManualAllowBlockRules"
		122 |     }
		123 |   }
		124 |
		125 |   visibility_config {
		126 |     sampled_requests_enabled   = true
		127 |     cloudwatch_metrics_enabled = true
		128 |     metric_name                = "${upper(local.application_name)}-Whitelisting-Requesters"
		129 |   }
		130 | }

Check: CKV2_AWS_32: "Ensure CloudFront distribution has a response headers policy attached"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-networking-65

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV_AWS_378: "Ensure AWS Load Balancer doesn't use HTTP protocol"
	FAILED for resource: module.alb.aws_lb_target_group.alb_target_group
	File: /modules/alb/main.tf:346-373
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-378

		346 | resource "aws_lb_target_group" "alb_target_group" {
		347 |   name                 = "${var.application_name}-alb-tg"
		348 |   port                 = var.target_group_port
		349 |   protocol             = var.target_group_protocol
		350 |   vpc_id               = var.vpc_id
		351 |   deregistration_delay = var.target_group_deregistration_delay
		352 |   health_check {
		353 |     interval            = var.healthcheck_interval
		354 |     path                = var.healthcheck_path
		355 |     protocol            = var.healthcheck_protocol
		356 |     timeout             = var.healthcheck_timeout
		357 |     healthy_threshold   = var.healthcheck_healthy_threshold
		358 |     unhealthy_threshold = var.healthcheck_unhealthy_threshold
		359 |   }
		360 |   stickiness {
		361 |     enabled         = var.stickiness_enabled
		362 |     type            = var.stickiness_type
		363 |     cookie_duration = var.stickiness_cookie_duration
		364 |   }
		365 |
		366 |   tags = merge(
		367 |     var.tags,
		368 |     {
		369 |       Name = "${var.application_name}-alb-tg"
		370 |     },
		371 |   )
		372 |
		373 | }

Check: CKV2_AWS_18: "Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup"
	FAILED for resource: aws_efs_file_system.efs
	File: /efs.tf:41-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-elastic-file-system-amazon-efs-file-systems-are-added-in-the-backup-plans-of-aws-backup

		41 | resource "aws_efs_file_system" "efs" {
		42 |   encrypted        = true
		43 |   kms_key_id       = aws_kms_key.efs.arn
		44 |   performance_mode = "maxIO"
		45 |   throughput_mode  = "bursting"
		46 |
		47 |   tags = merge(
		48 |     local.tags,
		49 |     { "Name" = "mp-${local.application_name}-efs" }
		50 |   )
		51 |
		52 |   lifecycle_policy {
		53 |     transition_to_ia = "AFTER_90_DAYS"
		54 |   }
		55 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_46: "Ensure AWS CloudFront Distribution with S3 have Origin Access set to enabled"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-aws-cloudfromt-distribution-with-s3-have-origin-access-set-to-enabled

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u01-orahome
	File: /ec2.tf:181-196
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		181 | resource "aws_ebs_volume" "u01-orahome" {
		182 |   availability_zone = "eu-west-2a"
		183 |   size              = local.application_data.accounts[local.environment].u01_orahome_size
		184 |   type              = "gp3"
		185 |   encrypted         = true
		186 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		187 |   snapshot_id       = local.application_data.accounts[local.environment].u01_orahome_snapshot
		188 |   lifecycle {
		189 |     ignore_changes = [kms_key_id]
		190 |   }
		191 |   tags = merge(
		192 |     local.tags,
		193 |     { "Name" = "${local.application_name}db-ec2-u01-orahome" },
		194 |     { "backup" = "false" }
		195 |   )
		196 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u02-oradata
	File: /ec2.tf:203-218
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		203 | resource "aws_ebs_volume" "u02-oradata" {
		204 |   availability_zone = "eu-west-2a"
		205 |   size              = local.application_data.accounts[local.environment].u02_oradata_size
		206 |   type              = "gp3"
		207 |   encrypted         = true
		208 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		209 |   snapshot_id       = local.application_data.accounts[local.environment].u02_oradata_snapshot
		210 |   lifecycle {
		211 |     ignore_changes = [kms_key_id]
		212 |   }
		213 |   tags = merge(
		214 |     local.tags,
		215 |     { "Name" = "${local.application_name}db-ec2-u02-oradata" },
		216 |     { "backup" = "false" }
		217 |   )
		218 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u03-redo
	File: /ec2.tf:228-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		228 | resource "aws_ebs_volume" "u03-redo" {
		229 |   availability_zone = "eu-west-2a"
		230 |   size              = local.application_data.accounts[local.environment].u03_redo_size
		231 |   type              = "gp3"
		232 |   encrypted         = true
		233 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		234 |   snapshot_id       = local.application_data.accounts[local.environment].u03_redo_snapshot
		235 |   lifecycle {
		236 |     ignore_changes = [kms_key_id]
		237 |   }
		238 |   tags = merge(
		239 |     local.tags,
		240 |     { "Name" = "${local.application_name}db-ec2-u03-redo" },
		241 |     { "backup" = "false" }
		242 |   )
		243 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u04-arch
	File: /ec2.tf:250-265
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		250 | resource "aws_ebs_volume" "u04-arch" {
		251 |   availability_zone = "eu-west-2a"
		252 |   size              = local.application_data.accounts[local.environment].u04_arch_size
		253 |   type              = "gp3"
		254 |   encrypted         = true
		255 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		256 |   snapshot_id       = local.application_data.accounts[local.environment].u04_arch_snapshot
		257 |   lifecycle {
		258 |     ignore_changes = [kms_key_id]
		259 |   }
		260 |   tags = merge(
		261 |     local.tags,
		262 |     { "Name" = "${local.application_name}db-ec2-u04-arch" },
		263 |     { "backup" = "false" }
		264 |   )
		265 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.guardduty_slack_secret
	File: /guardduty.tf:124-132
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		124 | resource "aws_secretsmanager_secret" "guardduty_slack_secret" {
		125 |   name                    = "${local.application_name}-${local.environment}-guardduty-slack"
		126 |   description             = "Slack webhook URLs for GuardDuty and CloudWatch alerts (laa-alerts-guardduty-nonprod or laa-alerts-guardduty-prod)"
		127 |   recovery_window_in_days = local.is-production ? 30 : 0
		128 |
		129 |   tags = merge(local.tags, {
		130 |     Name = "${local.application_name}-${local.environment}-guardduty-slack"
		131 |   })
		132 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: module.alb.aws_secretsmanager_secret.cloudfront
	File: /modules/alb/main.tf:275-278
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		275 | resource "aws_secretsmanager_secret" "cloudfront" {
		276 |   name        = "cloudfront-v1-secret-${var.application_name}"
		277 |   description = "Simple secret created by AWS CloudFormation to be shared between ALB and CloudFront"
		278 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_31: "Ensure WAF2 has a Logging Configuration"
	FAILED for resource: aws_wafv2_web_acl.waf_acl
	File: /waf.tf:94-130
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-33

		94  | resource "aws_wafv2_web_acl" "waf_acl" {
		95  |   name        = "${upper(local.application_name)}-Whitelisting-Requesters"
		96  |   provider    = aws.us-east-1
		97  |   scope       = "CLOUDFRONT" # Use "CLOUDFRONT" for CloudFront
		98  |   description = "Web ACL for ${local.application_name}"
		99  |
		100 |   default_action {
		101 |     block {}
		102 |   }
		103 |
		104 |   rule {
		105 |     name     = "ManualAllowBlockRules"
		106 |     priority = 1
		107 |
		108 |     statement {
		109 |       rule_group_reference_statement {
		110 |         arn = aws_wafv2_rule_group.manual-rules.arn
		111 |       }
		112 |     }
		113 |
		114 |     override_action {
		115 |       none {}
		116 |     }
		117 |
		118 |     visibility_config {
		119 |       sampled_requests_enabled   = true
		120 |       cloudwatch_metrics_enabled = true
		121 |       metric_name                = "ManualAllowBlockRules"
		122 |     }
		123 |   }
		124 |
		125 |   visibility_config {
		126 |     sampled_requests_enabled   = true
		127 |     cloudwatch_metrics_enabled = true
		128 |     metric_name                = "${upper(local.application_name)}-Whitelisting-Requesters"
		129 |   }
		130 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
	FAILED for resource: aws_s3_bucket_ownership_controls.backup_lambda
	File: /lambda.tf:130-135
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-112

		130 | resource "aws_s3_bucket_ownership_controls" "backup_lambda" {
		131 |   bucket = aws_s3_bucket.backup_lambda.id
		132 |   rule {
		133 |     object_ownership = "ObjectWriter"
		134 |   }
		135 | }

Check: CKV2_AWS_47: "Ensure AWS CloudFront attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-47

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

terraform_plan scan results:

Passed checks: 0, Failed checks: 0, Skipped checks: 0, Parsing errors: 1


checkov_exitcode=1

*****************************

Running Checkov in terraform/environments/apex/modules/alb
2026-06-08 08:33:03,501 [MainThread  ] [WARNI]  Unable to load module (github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0): list index out of range
terraform scan results:

Passed checks: 28, Failed checks: 4, Skipped checks: 3

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3-bucket
	File: /main.tf:96-151
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.cloudfront
	File: /main.tf:275-278
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		275 | resource "aws_secretsmanager_secret" "cloudfront" {
		276 |   name        = "cloudfront-v1-secret-${var.application_name}"
		277 |   description = "Simple secret created by AWS CloudFormation to be shared between ALB and CloudFront"
		278 | }

Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
	FAILED for resource: aws_acm_certificate.external_lb
	File: /main.tf:427-437
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy

		427 | resource "aws_acm_certificate" "external_lb" {
		428 |
		429 |   domain_name               = var.acm_cert_domain_name
		430 |   validation_method         = "DNS"
		431 |   subject_alternative_names = var.environment == "production" ? null : ["${var.application_name}.${var.business_unit}-${var.environment}.${var.acm_cert_domain_name}"]
		432 |   tags                      = var.tags
		433 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		434 |   lifecycle {
		435 |     prevent_destroy = false
		436 |   }
		437 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.cloudfront
	File: /main.tf:275-278
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		275 | resource "aws_secretsmanager_secret" "cloudfront" {
		276 |   name        = "cloudfront-v1-secret-${var.application_name}"
		277 |   description = "Simple secret created by AWS CloudFormation to be shared between ALB and CloudFront"
		278 | }


checkov_exitcode=2

*****************************

Running Checkov in terraform/environments/apex
2026-06-08 08:33:07,434 [MainThread  ] [WARNI]  Unable to load module (github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0): list index out of range
2026-06-08 08:33:07,434 [MainThread  ] [WARNI]  Unable to load module (github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=474f27a3f9bf542a8826c76fb049cc84b5cf136f): list index out of range
2026-06-08 08:33:07,434 [MainThread  ] [WARNI]  Unable to load module (github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0): list index out of range
2026-06-08 08:33:07,434 [MainThread  ] [WARNI]  Unable to load module (github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0): list index out of range
terraform scan results:

Passed checks: 413, Failed checks: 115, Skipped checks: 5, Parsing errors: 1

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.prod_apex
	File: /backups.tf:6-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk

		6  | resource "aws_backup_vault" "prod_apex" {
		7  |   count = local.environment == "production" ? 1 : 0
		8  |   name  = "${local.application_name}-production-backup-vault"
		9  |   tags = merge(
		10 |     local.tags,
		11 |     { "Name" = "${local.application_name}-production-backup-vault" },
		12 |   )
		13 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion.tf:5-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "bastion_linux" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0"
		7  |
		8  |   providers = {
		9  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		11 |   }
		12 |   # s3 - used for logs and user ssh public keys
		13 |   bucket_name = "bastion-${local.application_name}"
		14 |   # public keys
		15 |   public_key_data = local.public_key_data.keys[local.environment]
		16 |   # logs
		17 |   log_auto_clean       = "Enabled"
		18 |   log_standard_ia_days = 30  # days before moving to IA storage
		19 |   log_glacier_days     = 60  # days before moving to Glacier
		20 |   log_expiry_days      = 180 # days before log expiration
		21 |   # bastion
		22 |   allow_ssh_commands = false
		23 |   app_name           = var.networking[0].application
		24 |   business_unit      = local.vpc_name
		25 |   subnet_set         = local.subnet_set
		26 |   environment        = local.environment
		27 |   region             = "eu-west-2"
		28 |
		29 |   # Tags
		30 |   tags_common = local.tags
		31 |   tags_prefix = terraform.workspace
		32 | }

Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
	FAILED for resource: aws_s3_bucket_lifecycle_configuration.cloudfront
	File: /cloudfront.tf:157-175
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-300

		157 | resource "aws_s3_bucket_lifecycle_configuration" "cloudfront" {
		158 |   count  = local.environment == "production" ? 1 : 0
		159 |   bucket = aws_s3_bucket.cloudfront.id
		160 |
		161 |   rule {
		162 |     id = "delete-after-90days"
		163 |
		164 |     expiration {
		165 |       days = 90
		166 |     }
		167 |
		168 |     noncurrent_version_expiration {
		169 |       newer_noncurrent_versions = 1
		170 |       noncurrent_days           = 90
		171 |     }
		172 |
		173 |     status = "Enabled"
		174 |   }
		175 | }

Check: CKV_AWS_374: "Ensure AWS CloudFront web distribution has geo restriction enabled"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-374

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_310: "Ensure CloudFront distributions should have origin failover configured"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-310

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_305: "Ensure CloudFront distribution has a default root object configured"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-305

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
	FAILED for resource: aws_acm_certificate.cloudfront
	File: /cloudfront.tf:295-305
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy

		295 | resource "aws_acm_certificate" "cloudfront" {
		296 |   domain_name               = local.cloudfront_domain
		297 |   validation_method         = "DNS"
		298 |   provider                  = aws.us-east-1
		299 |   subject_alternative_names = local.environment == "production" ? null : [local.lower_env_cloudfront_url]
		300 |   tags                      = local.tags
		301 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		302 |   lifecycle {
		303 |     prevent_destroy = false
		304 |   }
		305 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.apex_db_instance
	File: /ec2.tf:6-43
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		6  | resource "aws_instance" "apex_db_instance" {
		7  |   ami                         = local.application_data.accounts[local.environment].ec2amiid
		8  |   associate_public_ip_address = false
		9  |   availability_zone           = "eu-west-2a"
		10 |   ebs_optimized               = true
		11 |   instance_type               = local.application_data.accounts[local.environment].ec2instancetype
		12 |   vpc_security_group_ids      = [aws_security_group.database.id]
		13 |   monitoring                  = true
		14 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		15 |   iam_instance_profile        = aws_iam_instance_profile.ec2_instance_profile.id
		16 |   key_name                    = aws_key_pair.apex.key_name
		17 |   user_data_base64            = base64encode(local.database-instance-userdata)
		18 |   user_data_replace_on_change = true
		19 |
		20 |   lifecycle {
		21 |     ignore_changes = [user_data_base64, user_data_replace_on_change]
		22 |   }
		23 |
		24 |   root_block_device {
		25 |     delete_on_termination = false
		26 |     encrypted             = true # TODO Confirm if encrypted volumes can work for OAS, as it looks like in MP they must be encrypted
		27 |     volume_size           = 60
		28 |     volume_type           = "gp2"
		29 |     tags = merge(
		30 |       local.tags,
		31 |       { "Name" = "${local.application_name}db-ec2-root" },
		32 |       { "backup" = "false" }
		33 |     )
		34 |   }
		35 |
		36 |   tags = merge(
		37 |     local.tags,
		38 |     { "Name" = local.database_ec2_name },
		39 |     { "instance-scheduling" = "skip-scheduling" },
		40 |     { "backup" = "false" },
		41 |     local.backup_schedule_tags
		42 |   )
		43 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_lambda
	File: /ec2.tf:80-87
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		80 | resource "aws_vpc_security_group_ingress_rule" "db_lambda" {
		81 |   security_group_id            = aws_security_group.database.id
		82 |   description                  = "Allow Lambda SSH access for backup snapshots"
		83 |   referenced_security_group_id = aws_security_group.backup_lambda.id
		84 |   from_port                    = 22
		85 |   ip_protocol                  = "tcp"
		86 |   to_port                      = 22
		87 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_bastion
	File: /ec2.tf:89-96
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		89 | resource "aws_vpc_security_group_ingress_rule" "db_bastion" {
		90 |   security_group_id            = aws_security_group.database.id
		91 |   description                  = "Allow Bastion SSH access"
		92 |   referenced_security_group_id = module.bastion_linux.bastion_security_group
		93 |   from_port                    = 22
		94 |   ip_protocol                  = "tcp"
		95 |   to_port                      = 22
		96 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.db_outbound
	File: /ec2.tf:117-121
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		117 | resource "aws_vpc_security_group_egress_rule" "db_outbound" {
		118 |   security_group_id = aws_security_group.database.id
		119 |   cidr_ipv4         = "0.0.0.0/0"
		120 |   ip_protocol       = "-1"
		121 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.ec2_instance_policy
	File: /ec2.tf:148-179
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		148 | resource "aws_iam_role_policy" "ec2_instance_policy" {
		149 |   name = "${local.application_name}-ec2-policy"
		150 |   role = aws_iam_role.ec2_instance_role.id
		151 |   policy = jsonencode({
		152 |     Version = "2012-10-17"
		153 |     Statement = [
		154 |       {
		155 |         Effect = "Allow",
		156 |         Action = [
		157 |           "logs:CreateLogGroup",
		158 |           "logs:CreateLogStream",
		159 |           "logs:DescribeLogStreams",
		160 |           "logs:PutRetentionPolicy",
		161 |           "logs:PutLogEvents",
		162 |           "logs:DescribeLogGroups",
		163 |           "cloudwatch:PutMetricData",
		164 |           "cloudwatch:GetMetricStatistics",
		165 |           "cloudwatch:ListMetrics",
		166 |           "ec2:DescribeInstances",
		167 |         ],
		168 |         Resource = "*"
		169 |       },
		170 |       {
		171 |         Effect = "Allow",
		172 |         Action = [
		173 |           "ec2:CreateTags"
		174 |         ],
		175 |         Resource = "*"
		176 |       }
		177 |     ]
		178 |   })
		179 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.ec2_instance_policy
	File: /ec2.tf:148-179
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		148 | resource "aws_iam_role_policy" "ec2_instance_policy" {
		149 |   name = "${local.application_name}-ec2-policy"
		150 |   role = aws_iam_role.ec2_instance_role.id
		151 |   policy = jsonencode({
		152 |     Version = "2012-10-17"
		153 |     Statement = [
		154 |       {
		155 |         Effect = "Allow",
		156 |         Action = [
		157 |           "logs:CreateLogGroup",
		158 |           "logs:CreateLogStream",
		159 |           "logs:DescribeLogStreams",
		160 |           "logs:PutRetentionPolicy",
		161 |           "logs:PutLogEvents",
		162 |           "logs:DescribeLogGroups",
		163 |           "cloudwatch:PutMetricData",
		164 |           "cloudwatch:GetMetricStatistics",
		165 |           "cloudwatch:ListMetrics",
		166 |           "ec2:DescribeInstances",
		167 |         ],
		168 |         Resource = "*"
		169 |       },
		170 |       {
		171 |         Effect = "Allow",
		172 |         Action = [
		173 |           "ec2:CreateTags"
		174 |         ],
		175 |         Resource = "*"
		176 |       }
		177 |     ]
		178 |   })
		179 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.database
	File: /ec2.tf:281-291
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		281 | resource "aws_cloudwatch_log_group" "database" {
		282 |   name              = "${upper(local.application_name)}-EC2-database-alert"
		283 |   retention_in_days = 0
		284 |   # kms_key_id = aws_kms_key.cloudwatch_logs_key.arn # Not encrypted in LZ
		285 |   tags = merge(
		286 |     local.tags,
		287 |     {
		288 |       Name = "${upper(local.application_name)}-EC2-database-alert"
		289 |     }
		290 |   )
		291 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.pmon_status
	File: /ec2.tf:306-316
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		306 | resource "aws_cloudwatch_log_group" "pmon_status" {
		307 |   name              = "${upper(local.application_name)}-EC2-database-pmon-status"
		308 |   retention_in_days = 0
		309 |   # kms_key_id = aws_kms_key.cloudwatch_logs_key.arn # Not encrypted in LZ
		310 |   tags = merge(
		311 |     local.tags,
		312 |     {
		313 |       Name = "${upper(local.application_name)}-EC2-database-pmon-status"
		314 |     }
		315 |   )
		316 | }

Check: CKV_AWS_7: "Ensure rotation for customer created CMKs is enabled"
	FAILED for resource: aws_kms_key.efs
	File: /efs.tf:1-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-8

		1 | resource "aws_kms_key" "efs" {
		2 |   description = "KMS key for encrypting EFS"
		3 |   # enable_key_rotation = true
		4 |   tags = local.tags
		5 | }

Check: CKV_AWS_7: "Ensure rotation for customer created CMKs is enabled"
	FAILED for resource: aws_kms_key.cloudwatch_sns_alerts_key
	File: /guardduty.tf:6-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-8

		6  | resource "aws_kms_key" "cloudwatch_sns_alerts_key" {
		7  |   description             = "KMS Key for CloudWatch SNS Alerts Encryption"
		8  |   deletion_window_in_days = 30
		9  |
		10 |   tags = merge(local.tags,
		11 |     { Name = lower(format("%s-%s-cloudwatch-sns-alerts-kms-key", local.application_name, local.environment)) }
		12 |   )
		13 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.guardduty_slack_secret
	File: /guardduty.tf:124-132
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		124 | resource "aws_secretsmanager_secret" "guardduty_slack_secret" {
		125 |   name                    = "${local.application_name}-${local.environment}-guardduty-slack"
		126 |   description             = "Slack webhook URLs for GuardDuty and CloudWatch alerts (laa-alerts-guardduty-nonprod or laa-alerts-guardduty-prod)"
		127 |   recovery_window_in_days = local.is-production ? 30 : 0
		128 |
		129 |   tags = merge(local.tags, {
		130 |     Name = "${local.application_name}-${local.environment}-guardduty-slack"
		131 |   })
		132 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.guardduty_slack_notify
	File: /guardduty.tf:221-245
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		221 | resource "aws_lambda_function" "guardduty_slack_notify" {
		222 |   filename         = data.archive_file.guardduty_lambda_zip.output_path
		223 |   source_code_hash = base64sha256(join("", local.lambda_source_hashes))
		224 |   function_name    = "${local.application_name}-${local.environment}-guardduty-slack-notify"
		225 |   role             = aws_iam_role.lambda_guardduty_sns_role.arn
		226 |   handler          = "lambda_function.lambda_handler"
		227 |   layers           = [aws_lambda_layer_version.guardduty_sns_layer.arn]
		228 |   runtime          = "python3.13"
		229 |   timeout          = 30
		230 |   publish          = true
		231 |
		232 |   environment {
		233 |     variables = {
		234 |       SECRET_NAME = aws_secretsmanager_secret.guardduty_slack_secret.name
		235 |     }
		236 |   }
		237 |
		238 |   tracing_config {
		239 |     mode = "Active"
		240 |   }
		241 |
		242 |   tags = merge(local.tags, {
		243 |     Name = "${local.application_name}-${local.environment}-guardduty-slack-notify"
		244 |   })
		245 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.guardduty_slack_notify
	File: /guardduty.tf:221-245
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		221 | resource "aws_lambda_function" "guardduty_slack_notify" {
		222 |   filename         = data.archive_file.guardduty_lambda_zip.output_path
		223 |   source_code_hash = base64sha256(join("", local.lambda_source_hashes))
		224 |   function_name    = "${local.application_name}-${local.environment}-guardduty-slack-notify"
		225 |   role             = aws_iam_role.lambda_guardduty_sns_role.arn
		226 |   handler          = "lambda_function.lambda_handler"
		227 |   layers           = [aws_lambda_layer_version.guardduty_sns_layer.arn]
		228 |   runtime          = "python3.13"
		229 |   timeout          = 30
		230 |   publish          = true
		231 |
		232 |   environment {
		233 |     variables = {
		234 |       SECRET_NAME = aws_secretsmanager_secret.guardduty_slack_secret.name
		235 |     }
		236 |   }
		237 |
		238 |   tracing_config {
		239 |     mode = "Active"
		240 |   }
		241 |
		242 |   tags = merge(local.tags, {
		243 |     Name = "${local.application_name}-${local.environment}-guardduty-slack-notify"
		244 |   })
		245 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.guardduty_slack_notify
	File: /guardduty.tf:221-245
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		221 | resource "aws_lambda_function" "guardduty_slack_notify" {
		222 |   filename         = data.archive_file.guardduty_lambda_zip.output_path
		223 |   source_code_hash = base64sha256(join("", local.lambda_source_hashes))
		224 |   function_name    = "${local.application_name}-${local.environment}-guardduty-slack-notify"
		225 |   role             = aws_iam_role.lambda_guardduty_sns_role.arn
		226 |   handler          = "lambda_function.lambda_handler"
		227 |   layers           = [aws_lambda_layer_version.guardduty_sns_layer.arn]
		228 |   runtime          = "python3.13"
		229 |   timeout          = 30
		230 |   publish          = true
		231 |
		232 |   environment {
		233 |     variables = {
		234 |       SECRET_NAME = aws_secretsmanager_secret.guardduty_slack_secret.name
		235 |     }
		236 |   }
		237 |
		238 |   tracing_config {
		239 |     mode = "Active"
		240 |   }
		241 |
		242 |   tags = merge(local.tags, {
		243 |     Name = "${local.application_name}-${local.environment}-guardduty-slack-notify"
		244 |   })
		245 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.guardduty_slack_notify
	File: /guardduty.tf:221-245
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		221 | resource "aws_lambda_function" "guardduty_slack_notify" {
		222 |   filename         = data.archive_file.guardduty_lambda_zip.output_path
		223 |   source_code_hash = base64sha256(join("", local.lambda_source_hashes))
		224 |   function_name    = "${local.application_name}-${local.environment}-guardduty-slack-notify"
		225 |   role             = aws_iam_role.lambda_guardduty_sns_role.arn
		226 |   handler          = "lambda_function.lambda_handler"
		227 |   layers           = [aws_lambda_layer_version.guardduty_sns_layer.arn]
		228 |   runtime          = "python3.13"
		229 |   timeout          = 30
		230 |   publish          = true
		231 |
		232 |   environment {
		233 |     variables = {
		234 |       SECRET_NAME = aws_secretsmanager_secret.guardduty_slack_secret.name
		235 |     }
		236 |   }
		237 |
		238 |   tracing_config {
		239 |     mode = "Active"
		240 |   }
		241 |
		242 |   tags = merge(local.tags, {
		243 |     Name = "${local.application_name}-${local.environment}-guardduty-slack-notify"
		244 |   })
		245 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.guardduty_slack_notify
	File: /guardduty.tf:221-245
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		221 | resource "aws_lambda_function" "guardduty_slack_notify" {
		222 |   filename         = data.archive_file.guardduty_lambda_zip.output_path
		223 |   source_code_hash = base64sha256(join("", local.lambda_source_hashes))
		224 |   function_name    = "${local.application_name}-${local.environment}-guardduty-slack-notify"
		225 |   role             = aws_iam_role.lambda_guardduty_sns_role.arn
		226 |   handler          = "lambda_function.lambda_handler"
		227 |   layers           = [aws_lambda_layer_version.guardduty_sns_layer.arn]
		228 |   runtime          = "python3.13"
		229 |   timeout          = 30
		230 |   publish          = true
		231 |
		232 |   environment {
		233 |     variables = {
		234 |       SECRET_NAME = aws_secretsmanager_secret.guardduty_slack_secret.name
		235 |     }
		236 |   }
		237 |
		238 |   tracing_config {
		239 |     mode = "Active"
		240 |   }
		241 |
		242 |   tags = merge(local.tags, {
		243 |     Name = "${local.application_name}-${local.environment}-guardduty-slack-notify"
		244 |   })
		245 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.cloudwatch_sns_encryption
	File: /guardduty.tf:25-54
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		25 | data "aws_iam_policy_document" "cloudwatch_sns_encryption" {
		26 |   version = "2012-10-17"
		27 |   statement {
		28 |     sid    = "AllowCloudWatchSNSUseOfTheKey"
		29 |     effect = "Allow"
		30 |     principals {
		31 |       type = "Service"
		32 |       identifiers = [
		33 |         "cloudwatch.amazonaws.com",
		34 |         "events.amazonaws.com"
		35 |       ]
		36 |     }
		37 |     actions = [
		38 |       "kms:GenerateDataKey*",
		39 |       "kms:Decrypt"
		40 |     ]
		41 |     resources = ["*"]
		42 |   }
		43 |
		44 |   statement {
		45 |     sid    = "AllowAccountAdmins"
		46 |     effect = "Allow"
		47 |     principals {
		48 |       type        = "AWS"
		49 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		50 |     }
		51 |     actions   = ["kms:*"]
		52 |     resources = ["*"]
		53 |   }
		54 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.cloudwatch_sns_encryption
	File: /guardduty.tf:25-54
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		25 | data "aws_iam_policy_document" "cloudwatch_sns_encryption" {
		26 |   version = "2012-10-17"
		27 |   statement {
		28 |     sid    = "AllowCloudWatchSNSUseOfTheKey"
		29 |     effect = "Allow"
		30 |     principals {
		31 |       type = "Service"
		32 |       identifiers = [
		33 |         "cloudwatch.amazonaws.com",
		34 |         "events.amazonaws.com"
		35 |       ]
		36 |     }
		37 |     actions = [
		38 |       "kms:GenerateDataKey*",
		39 |       "kms:Decrypt"
		40 |     ]
		41 |     resources = ["*"]
		42 |   }
		43 |
		44 |   statement {
		45 |     sid    = "AllowAccountAdmins"
		46 |     effect = "Allow"
		47 |     principals {
		48 |       type        = "AWS"
		49 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		50 |     }
		51 |     actions   = ["kms:*"]
		52 |     resources = ["*"]
		53 |   }
		54 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.cloudwatch_sns_encryption
	File: /guardduty.tf:25-54
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		25 | data "aws_iam_policy_document" "cloudwatch_sns_encryption" {
		26 |   version = "2012-10-17"
		27 |   statement {
		28 |     sid    = "AllowCloudWatchSNSUseOfTheKey"
		29 |     effect = "Allow"
		30 |     principals {
		31 |       type = "Service"
		32 |       identifiers = [
		33 |         "cloudwatch.amazonaws.com",
		34 |         "events.amazonaws.com"
		35 |       ]
		36 |     }
		37 |     actions = [
		38 |       "kms:GenerateDataKey*",
		39 |       "kms:Decrypt"
		40 |     ]
		41 |     resources = ["*"]
		42 |   }
		43 |
		44 |   statement {
		45 |     sid    = "AllowAccountAdmins"
		46 |     effect = "Allow"
		47 |     principals {
		48 |       type        = "AWS"
		49 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		50 |     }
		51 |     actions   = ["kms:*"]
		52 |     resources = ["*"]
		53 |   }
		54 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ssh_key
	File: /lambda.tf:8-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		8  | resource "aws_ssm_parameter" "ssh_key" {
		9  |   name        = "EC2_SSH_KEY" # This needs to match the name supplied to the dbconnect.js script
		10 |   description = "SSH Key used by Lambda function to access database instance for backup. Value is updated manually."
		11 |   type        = "SecureString"
		12 |   value       = "Placeholder"
		13 |
		14 |   tags = merge(
		15 |     local.tags,
		16 |     { Name = "EC2_SSH_KEY" }
		17 |   )
		18 |   lifecycle {
		19 |     ignore_changes = [
		20 |       value,
		21 |     ]
		22 |   }
		23 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
	FAILED for resource: aws_security_group.backup_lambda
	File: /lambda.tf:190-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-382

		190 | resource "aws_security_group" "backup_lambda" {
		191 |   name        = "${local.application_name}-${local.environment}-backup-lambda-security-group"
		192 |   description = "Bakcup Lambda Security Group"
		193 |   vpc_id      = data.aws_vpc.shared.id
		194 |
		195 |   egress {
		196 |     description = "outbound access"
		197 |     from_port   = 0
		198 |     to_port     = 0
		199 |     protocol    = "-1"
		200 |     cidr_blocks = ["0.0.0.0/0"]
		201 |   }
		202 |
		203 |   tags = merge(
		204 |     local.tags,
		205 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-security-group" }
		206 |   )
		207 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 |
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 |
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 |
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 |
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 |
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 |
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 |
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 |
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 |
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 |
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:252-274
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		252 | resource "aws_lambda_function" "delete_db_snapshots" {
		253 |
		254 |   description      = "Clean up script to delete old unused snapshots"
		255 |   function_name    = "deletesnapshotFunction"
		256 |   role             = aws_iam_role.backup_lambda.arn
		257 |   handler          = "deletesnapshots.lambda_handler"
		258 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		259 |   runtime          = "python3.8"
		260 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		261 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		262 |   memory_size      = 3000
		263 |   timeout          = 900
		264 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		265 |
		266 |   vpc_config {
		267 |     security_group_ids = [aws_security_group.backup_lambda.id]
		268 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		269 |   }
		270 |   tags = merge(
		271 |     local.tags,
		272 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		273 |   )
		274 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:252-274
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		252 | resource "aws_lambda_function" "delete_db_snapshots" {
		253 |
		254 |   description      = "Clean up script to delete old unused snapshots"
		255 |   function_name    = "deletesnapshotFunction"
		256 |   role             = aws_iam_role.backup_lambda.arn
		257 |   handler          = "deletesnapshots.lambda_handler"
		258 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		259 |   runtime          = "python3.8"
		260 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		261 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		262 |   memory_size      = 3000
		263 |   timeout          = 900
		264 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		265 |
		266 |   vpc_config {
		267 |     security_group_ids = [aws_security_group.backup_lambda.id]
		268 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		269 |   }
		270 |   tags = merge(
		271 |     local.tags,
		272 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		273 |   )
		274 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:252-274
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		252 | resource "aws_lambda_function" "delete_db_snapshots" {
		253 |
		254 |   description      = "Clean up script to delete old unused snapshots"
		255 |   function_name    = "deletesnapshotFunction"
		256 |   role             = aws_iam_role.backup_lambda.arn
		257 |   handler          = "deletesnapshots.lambda_handler"
		258 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		259 |   runtime          = "python3.8"
		260 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		261 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		262 |   memory_size      = 3000
		263 |   timeout          = 900
		264 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		265 |
		266 |   vpc_config {
		267 |     security_group_ids = [aws_security_group.backup_lambda.id]
		268 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		269 |   }
		270 |   tags = merge(
		271 |     local.tags,
		272 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		273 |   )
		274 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:252-274
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		252 | resource "aws_lambda_function" "delete_db_snapshots" {
		253 |
		254 |   description      = "Clean up script to delete old unused snapshots"
		255 |   function_name    = "deletesnapshotFunction"
		256 |   role             = aws_iam_role.backup_lambda.arn
		257 |   handler          = "deletesnapshots.lambda_handler"
		258 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		259 |   runtime          = "python3.8"
		260 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		261 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		262 |   memory_size      = 3000
		263 |   timeout          = 900
		264 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		265 |
		266 |   vpc_config {
		267 |     security_group_ids = [aws_security_group.backup_lambda.id]
		268 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		269 |   }
		270 |   tags = merge(
		271 |     local.tags,
		272 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		273 |   )
		274 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		276 | resource "aws_lambda_function" "connect_db" {
		277 |
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 |
		291 |
		292 |
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 |
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		276 | resource "aws_lambda_function" "connect_db" {
		277 |
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 |
		291 |
		292 |
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 |
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		276 | resource "aws_lambda_function" "connect_db" {
		277 |
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 |
		291 |
		292 |
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 |
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		276 | resource "aws_lambda_function" "connect_db" {
		277 |
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 |
		291 |
		292 |
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 |
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		276 | resource "aws_lambda_function" "connect_db" {
		277 |
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 |
		291 |
		292 |
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 |
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: module.alb.aws_secretsmanager_secret.cloudfront
	File: /modules/alb/main.tf:275-278
	Calling File: /alb.tf:27-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		275 | resource "aws_secretsmanager_secret" "cloudfront" {
		276 |   name        = "cloudfront-v1-secret-${var.application_name}"
		277 |   description = "Simple secret created by AWS CloudFormation to be shared between ALB and CloudFront"
		278 | }

Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
	FAILED for resource: module.alb.aws_acm_certificate.external_lb
	File: /modules/alb/main.tf:427-437
	Calling File: /alb.tf:27-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy

		427 | resource "aws_acm_certificate" "external_lb" {
		428 |
		429 |   domain_name               = var.acm_cert_domain_name
		430 |   validation_method         = "DNS"
		431 |   subject_alternative_names = var.environment == "production" ? null : ["${var.application_name}.${var.business_unit}-${var.environment}.${var.acm_cert_domain_name}"]
		432 |   tags                      = var.tags
		433 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		434 |   lifecycle {
		435 |     prevent_destroy = false
		436 |   }
		437 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.alb.s3-bucket
	File: /modules/alb/main.tf:96-151
	Calling File: /alb.tf:27-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket_lifecycle_configuration.report_lifecycle
	File: /modules/codebuild/main.tf:25-39
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-300

		25 | resource "aws_s3_bucket_lifecycle_configuration" "report_lifecycle" {
		26 |   bucket = aws_s3_bucket.deployment_report.id
		27 |
		28 |   rule {
		29 |     id = "monthly-expiration"
		30 |     expiration {
		31 |       days = var.s3_lifecycle_expiration_days
		32 |     }
		33 |     noncurrent_version_expiration {
		34 |       noncurrent_days = var.s3_lifecycle_noncurr_version_expiration_days
		35 |     }
		36 |
		37 |     status = "Enabled"
		38 |   }
		39 | }

Check: CKV_AWS_163: "Ensure ECR image scanning on push is enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
	File: /modules/codebuild/main.tf:52-66
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-8

		52 | resource "aws_ecr_repository" "local-ecr" {
		53 |   name                 = "${var.app_name}-local-ecr"
		54 |   image_tag_mutability = "MUTABLE"
		55 |
		56 |   image_scanning_configuration {
		57 |     scan_on_push = false
		58 |   }
		59 |
		60 |   tags = merge(
		61 |     var.tags,
		62 |     {
		63 |       Name = "${var.app_name}-local-ecr"
		64 |     },
		65 |   )
		66 | }

Check: CKV_AWS_136: "Ensure that ECR repositories are encrypted using KMS"
	FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
	File: /modules/codebuild/main.tf:52-66
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ecr-repositories-are-encrypted

		52 | resource "aws_ecr_repository" "local-ecr" {
		53 |   name                 = "${var.app_name}-local-ecr"
		54 |   image_tag_mutability = "MUTABLE"
		55 |
		56 |   image_scanning_configuration {
		57 |     scan_on_push = false
		58 |   }
		59 |
		60 |   tags = merge(
		61 |     var.tags,
		62 |     {
		63 |       Name = "${var.app_name}-local-ecr"
		64 |     },
		65 |   )
		66 | }

Check: CKV_AWS_51: "Ensure ECR Image Tags are immutable"
	FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
	File: /modules/codebuild/main.tf:52-66
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-24

		52 | resource "aws_ecr_repository" "local-ecr" {
		53 |   name                 = "${var.app_name}-local-ecr"
		54 |   image_tag_mutability = "MUTABLE"
		55 |
		56 |   image_scanning_configuration {
		57 |     scan_on_push = false
		58 |   }
		59 |
		60 |   tags = merge(
		61 |     var.tags,
		62 |     {
		63 |       Name = "${var.app_name}-local-ecr"
		64 |     },
		65 |   )
		66 | }

Check: CKV_AWS_316: "Ensure CodeBuild project environments do not have privileged mode enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.app-build
	File: /modules/codebuild/main.tf:163-229
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-316

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV_AWS_314: "Ensure CodeBuild project environments have a logging configuration"
	FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.app-build
	File: /modules/codebuild/main.tf:163-229
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-314

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV_AWS_314: "Ensure CodeBuild project environments have a logging configuration"
	FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.test-build
	File: /modules/codebuild/main.tf:231-280
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-314

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV_AWS_341: "Ensure Launch template should not have a metadata response hop limit greater than 1"
	FAILED for resource: module.apex-ecs.aws_launch_template.ec2-launch-template
	File: /modules/ecs/main.tf:107-164
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-341

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: module.apex-ecs.aws_launch_template.ec2-launch-template
	File: /modules/ecs/main.tf:107-164
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
	File: /modules/ecs/main.tf:204-237
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
	File: /modules/ecs/main.tf:204-237
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
	File: /modules/ecs/main.tf:204-237
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_249: "Ensure that the Execution Role ARN and the Task Role ARN are different in ECS Task definitions"
	FAILED for resource: module.apex-ecs.aws_ecs_task_definition.windows_ecs_task_definition
	File: /modules/ecs/main.tf:266-287
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-the-aws-execution-role-arn-and-task-role-arn-are-different-in-ecs-task-definitions

		266 | resource "aws_ecs_task_definition" "windows_ecs_task_definition" {
		267 |   family             = "${var.app_name}-task-definition"
		268 |   count              = var.container_instance_type == "windows" ? 1 : 0
		269 |   execution_role_arn = aws_iam_role.ecs_task_execution_role.arn # grants the Amazon ECS container agents permission to make AWS API calls on your behalf
		270 |   task_role_arn      = aws_iam_role.ecs_task_execution_role.arn # assumed by the containers running in the task, allowing your application code (on the container) to use other AWS services
		271 |   requires_compatibilities = [
		272 |     "EC2",
		273 |   ]
		274 |
		275 |   # volume {
		276 |   #   name = var.task_definition_volume
		277 |   # }
		278 |
		279 |   container_definitions = var.task_definition
		280 |
		281 |   tags = merge(
		282 |     var.tags_common,
		283 |     {
		284 |       Name = "${var.app_name}-windows-task-definition"
		285 |     }
		286 |   )
		287 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ecs_service
	File: /modules/ecs/main.tf:439-467
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		439 | resource "aws_iam_policy" "ecs_service" { #tfsec:ignore:aws-iam-no-policy-wildcards
		440 |   name = "${var.app_name}-ecs-service-policy"
		441 |   tags = merge(
		442 |     var.tags_common,
		443 |     {
		444 |       Name = "${var.app_name}-ecs-service-policy"
		445 |     }
		446 |   )
		447 |   policy = <<EOF
		448 | {
		449 |   "Version": "2012-10-17",
		450 |   "Statement": [
		451 |     {
		452 |       "Effect": "Allow",
		453 |       "Action": [
		454 |         "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		455 |         "elasticloadbalancing:DeregisterTargets",
		456 |         "elasticloadbalancing:Describe*",
		457 |         "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		458 |         "elasticloadbalancing:RegisterTargets",
		459 |         "ec2:Describe*",
		460 |         "ec2:AuthorizeSecurityGroupIngress"
		461 |       ],
		462 |       "Resource": ["*"]
		463 |     }
		464 |   ]
		465 | }
		466 | EOF
		467 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ecs_service
	File: /modules/ecs/main.tf:439-467
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		439 | resource "aws_iam_policy" "ecs_service" { #tfsec:ignore:aws-iam-no-policy-wildcards
		440 |   name = "${var.app_name}-ecs-service-policy"
		441 |   tags = merge(
		442 |     var.tags_common,
		443 |     {
		444 |       Name = "${var.app_name}-ecs-service-policy"
		445 |     }
		446 |   )
		447 |   policy = <<EOF
		448 | {
		449 |   "Version": "2012-10-17",
		450 |   "Statement": [
		451 |     {
		452 |       "Effect": "Allow",
		453 |       "Action": [
		454 |         "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		455 |         "elasticloadbalancing:DeregisterTargets",
		456 |         "elasticloadbalancing:Describe*",
		457 |         "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		458 |         "elasticloadbalancing:RegisterTargets",
		459 |         "ec2:Describe*",
		460 |         "ec2:AuthorizeSecurityGroupIngress"
		461 |       ],
		462 |       "Resource": ["*"]
		463 |     }
		464 |   ]
		465 | }
		466 | EOF
		467 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.apex-ecs.aws_cloudwatch_log_group.cloudwatch_group
	File: /modules/ecs/main.tf:488-499
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		488 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		489 |   #checkov:skip=CKV_AWS_158:Temporarily skip KMS encryption check while logging solution is being updated
		490 |   name              = "${var.app_name}-ecs-container-logs"
		491 |   retention_in_days = 90
		492 |   kms_key_id        = var.log_group_kms_key
		493 |   tags = merge(
		494 |     var.tags_common,
		495 |     {
		496 |       Name = "${var.app_name}-ecs-container-logs"
		497 |     }
		498 |   )
		499 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.apex-ecs.aws_cloudwatch_log_group.ec2
	File: /modules/ecs/main.tf:506-516
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		506 | resource "aws_cloudwatch_log_group" "ec2" {
		507 |   name              = "${var.app_name}-ecs-ec2-logs"
		508 |   retention_in_days = 90
		509 |   kms_key_id        = var.log_group_kms_key
		510 |   tags = merge(
		511 |     var.tags_common,
		512 |     {
		513 |       Name = "${var.app_name}-ecs-ec2-logs"
		514 |     }
		515 |   )
		516 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.apex
	File: /sns.tf:6-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		6  | resource "aws_sns_topic" "apex" {
		7  |   name = "${local.application_name}-${local.environment}-alerting-topic"
		8  |   tags = merge(
		9  |     local.tags,
		10 |     {
		11 |       Name = "${local.application_name}-${local.environment}-alerting-topic"
		12 |     }
		13 |   )
		14 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /sns.tf:34-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		34 | module "pagerduty_core_alerts" {
		35 |   depends_on = [
		36 |     aws_sns_topic.apex
		37 |   ]
		38 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		39 |   sns_topics                = [aws_sns_topic.apex.name]
		40 |   pagerduty_integration_key = local.pagerduty_integration_keys[local.pagerduty_integration_key_name]
		41 | }
Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
	FAILED for resource: aws_wafv2_web_acl.waf_acl
	File: /waf.tf:94-130
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-waf-prevents-message-lookup-in-log4j2

		94  | resource "aws_wafv2_web_acl" "waf_acl" {
		95  |   name        = "${upper(local.application_name)}-Whitelisting-Requesters"
		96  |   provider    = aws.us-east-1
		97  |   scope       = "CLOUDFRONT" # Use "CLOUDFRONT" for CloudFront
		98  |   description = "Web ACL for ${local.application_name}"
		99  |
		100 |   default_action {
		101 |     block {}
		102 |   }
		103 |
		104 |   rule {
		105 |     name     = "ManualAllowBlockRules"
		106 |     priority = 1
		107 |
		108 |     statement {
		109 |       rule_group_reference_statement {
		110 |         arn = aws_wafv2_rule_group.manual-rules.arn
		111 |       }
		112 |     }
		113 |
		114 |     override_action {
		115 |       none {}
		116 |     }
		117 |
		118 |     visibility_config {
		119 |       sampled_requests_enabled   = true
		120 |       cloudwatch_metrics_enabled = true
		121 |       metric_name                = "ManualAllowBlockRules"
		122 |     }
		123 |   }
		124 |
		125 |   visibility_config {
		126 |     sampled_requests_enabled   = true
		127 |     cloudwatch_metrics_enabled = true
		128 |     metric_name                = "${upper(local.application_name)}-Whitelisting-Requesters"
		129 |   }
		130 | }

Check: CKV2_AWS_32: "Ensure CloudFront distribution has a response headers policy attached"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-networking-65

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV_AWS_378: "Ensure AWS Load Balancer doesn't use HTTP protocol"
	FAILED for resource: module.alb.aws_lb_target_group.alb_target_group
	File: /modules/alb/main.tf:346-373
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-378

		346 | resource "aws_lb_target_group" "alb_target_group" {
		347 |   name                 = "${var.application_name}-alb-tg"
		348 |   port                 = var.target_group_port
		349 |   protocol             = var.target_group_protocol
		350 |   vpc_id               = var.vpc_id
		351 |   deregistration_delay = var.target_group_deregistration_delay
		352 |   health_check {
		353 |     interval            = var.healthcheck_interval
		354 |     path                = var.healthcheck_path
		355 |     protocol            = var.healthcheck_protocol
		356 |     timeout             = var.healthcheck_timeout
		357 |     healthy_threshold   = var.healthcheck_healthy_threshold
		358 |     unhealthy_threshold = var.healthcheck_unhealthy_threshold
		359 |   }
		360 |   stickiness {
		361 |     enabled         = var.stickiness_enabled
		362 |     type            = var.stickiness_type
		363 |     cookie_duration = var.stickiness_cookie_duration
		364 |   }
		365 |
		366 |   tags = merge(
		367 |     var.tags,
		368 |     {
		369 |       Name = "${var.application_name}-alb-tg"
		370 |     },
		371 |   )
		372 |
		373 | }

Check: CKV2_AWS_18: "Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup"
	FAILED for resource: aws_efs_file_system.efs
	File: /efs.tf:41-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-elastic-file-system-amazon-efs-file-systems-are-added-in-the-backup-plans-of-aws-backup

		41 | resource "aws_efs_file_system" "efs" {
		42 |   encrypted        = true
		43 |   kms_key_id       = aws_kms_key.efs.arn
		44 |   performance_mode = "maxIO"
		45 |   throughput_mode  = "bursting"
		46 |
		47 |   tags = merge(
		48 |     local.tags,
		49 |     { "Name" = "mp-${local.application_name}-efs" }
		50 |   )
		51 |
		52 |   lifecycle_policy {
		53 |     transition_to_ia = "AFTER_90_DAYS"
		54 |   }
		55 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_46: "Ensure AWS CloudFront Distribution with S3 have Origin Access set to enabled"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-aws-cloudfromt-distribution-with-s3-have-origin-access-set-to-enabled

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u01-orahome
	File: /ec2.tf:181-196
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		181 | resource "aws_ebs_volume" "u01-orahome" {
		182 |   availability_zone = "eu-west-2a"
		183 |   size              = local.application_data.accounts[local.environment].u01_orahome_size
		184 |   type              = "gp3"
		185 |   encrypted         = true
		186 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		187 |   snapshot_id       = local.application_data.accounts[local.environment].u01_orahome_snapshot
		188 |   lifecycle {
		189 |     ignore_changes = [kms_key_id]
		190 |   }
		191 |   tags = merge(
		192 |     local.tags,
		193 |     { "Name" = "${local.application_name}db-ec2-u01-orahome" },
		194 |     { "backup" = "false" }
		195 |   )
		196 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u02-oradata
	File: /ec2.tf:203-218
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		203 | resource "aws_ebs_volume" "u02-oradata" {
		204 |   availability_zone = "eu-west-2a"
		205 |   size              = local.application_data.accounts[local.environment].u02_oradata_size
		206 |   type              = "gp3"
		207 |   encrypted         = true
		208 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		209 |   snapshot_id       = local.application_data.accounts[local.environment].u02_oradata_snapshot
		210 |   lifecycle {
		211 |     ignore_changes = [kms_key_id]
		212 |   }
		213 |   tags = merge(
		214 |     local.tags,
		215 |     { "Name" = "${local.application_name}db-ec2-u02-oradata" },
		216 |     { "backup" = "false" }
		217 |   )
		218 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u03-redo
	File: /ec2.tf:228-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		228 | resource "aws_ebs_volume" "u03-redo" {
		229 |   availability_zone = "eu-west-2a"
		230 |   size              = local.application_data.accounts[local.environment].u03_redo_size
		231 |   type              = "gp3"
		232 |   encrypted         = true
		233 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		234 |   snapshot_id       = local.application_data.accounts[local.environment].u03_redo_snapshot
		235 |   lifecycle {
		236 |     ignore_changes = [kms_key_id]
		237 |   }
		238 |   tags = merge(
		239 |     local.tags,
		240 |     { "Name" = "${local.application_name}db-ec2-u03-redo" },
		241 |     { "backup" = "false" }
		242 |   )
		243 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u04-arch
	File: /ec2.tf:250-265
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		250 | resource "aws_ebs_volume" "u04-arch" {
		251 |   availability_zone = "eu-west-2a"
		252 |   size              = local.application_data.accounts[local.environment].u04_arch_size
		253 |   type              = "gp3"
		254 |   encrypted         = true
		255 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		256 |   snapshot_id       = local.application_data.accounts[local.environment].u04_arch_snapshot
		257 |   lifecycle {
		258 |     ignore_changes = [kms_key_id]
		259 |   }
		260 |   tags = merge(
		261 |     local.tags,
		262 |     { "Name" = "${local.application_name}db-ec2-u04-arch" },
		263 |     { "backup" = "false" }
		264 |   )
		265 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.guardduty_slack_secret
	File: /guardduty.tf:124-132
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		124 | resource "aws_secretsmanager_secret" "guardduty_slack_secret" {
		125 |   name                    = "${local.application_name}-${local.environment}-guardduty-slack"
		126 |   description             = "Slack webhook URLs for GuardDuty and CloudWatch alerts (laa-alerts-guardduty-nonprod or laa-alerts-guardduty-prod)"
		127 |   recovery_window_in_days = local.is-production ? 30 : 0
		128 |
		129 |   tags = merge(local.tags, {
		130 |     Name = "${local.application_name}-${local.environment}-guardduty-slack"
		131 |   })
		132 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: module.alb.aws_secretsmanager_secret.cloudfront
	File: /modules/alb/main.tf:275-278
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		275 | resource "aws_secretsmanager_secret" "cloudfront" {
		276 |   name        = "cloudfront-v1-secret-${var.application_name}"
		277 |   description = "Simple secret created by AWS CloudFormation to be shared between ALB and CloudFront"
		278 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_31: "Ensure WAF2 has a Logging Configuration"
	FAILED for resource: aws_wafv2_web_acl.waf_acl
	File: /waf.tf:94-130
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-33

		94  | resource "aws_wafv2_web_acl" "waf_acl" {
		95  |   name        = "${upper(local.application_name)}-Whitelisting-Requesters"
		96  |   provider    = aws.us-east-1
		97  |   scope       = "CLOUDFRONT" # Use "CLOUDFRONT" for CloudFront
		98  |   description = "Web ACL for ${local.application_name}"
		99  |
		100 |   default_action {
		101 |     block {}
		102 |   }
		103 |
		104 |   rule {
		105 |     name     = "ManualAllowBlockRules"
		106 |     priority = 1
		107 |
		108 |     statement {
		109 |       rule_group_reference_statement {
		110 |         arn = aws_wafv2_rule_group.manual-rules.arn
		111 |       }
		112 |     }
		113 |
		114 |     override_action {
		115 |       none {}
		116 |     }
		117 |
		118 |     visibility_config {
		119 |       sampled_requests_enabled   = true
		120 |       cloudwatch_metrics_enabled = true
		121 |       metric_name                = "ManualAllowBlockRules"
		122 |     }
		123 |   }
		124 |
		125 |   visibility_config {
		126 |     sampled_requests_enabled   = true
		127 |     cloudwatch_metrics_enabled = true
		128 |     metric_name                = "${upper(local.application_name)}-Whitelisting-Requesters"
		129 |   }
		130 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_47: "Ensure AWS CloudFront attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-47

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
	FAILED for resource: aws_s3_bucket_ownership_controls.backup_lambda
	File: /lambda.tf:130-135
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-112

		130 | resource "aws_s3_bucket_ownership_controls" "backup_lambda" {
		131 |   bucket = aws_s3_bucket.backup_lambda.id
		132 |   rule {
		133 |     object_ownership = "ObjectWriter"
		134 |   }
		135 | }

terraform_plan scan results:

Passed checks: 0, Failed checks: 0, Skipped checks: 0, Parsing errors: 1


checkov_exitcode=3

TFLint Scan Success

*****************************

Using default config
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint checking:
terraform/environments/apex
terraform/environments/apex/modules/alb
terraform/environments/apex

*****************************

Running tflint in terraform/environments/apex
8 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/alb.tf line 17:
  17:     "${local.application_data.accounts[local.environment].acm_cert_domain_name}" = {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/alb.tf line 19:
  19:       zone_name = "${local.application_data.accounts[local.environment].acm_cert_domain_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "template" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/cloudwatch.tf line 401:
 401: data "template_file" "dashboard" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "local" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/ec2.tf line 45:
  45: data "local_file" "cloudwatch_agent" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/event_triggers.tf line 22:
  22:   input = jsonencode({ "appname" : "${local.database_ec2_name}" })

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "time" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/lambda.tf line 125:
 125: resource "time_sleep" "wait_for_provision_files" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/s3-lambda-delivery.tf line 53:
  53:         Resource = ["${module.s3-bucket-shared.bucket.arn}/*", "${module.s3-bucket-shared.bucket.arn}"],

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/versions.tf line 11:
  11:     archive = {
  12:       source = "hashicorp/archive"
  13:     }

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2

*****************************

Running tflint in terraform/environments/apex/modules/alb
3 issue(s) found:

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/modules/alb/main.tf line 270:
 270: resource "random_password" "cloudfront" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "null" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/modules/alb/main.tf line 301:
 301: resource "null_resource" "always_run" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: `environment` variable has no type (terraform_typed_variables)

  on terraform/environments/apex/modules/alb/variables.tf line 123:
 123: variable "environment" {}

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_typed_variables.md

tflint_exitcode=4

*****************************

Running tflint in terraform/environments/apex
8 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/alb.tf line 17:
  17:     "${local.application_data.accounts[local.environment].acm_cert_domain_name}" = {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/alb.tf line 19:
  19:       zone_name = "${local.application_data.accounts[local.environment].acm_cert_domain_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "template" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/cloudwatch.tf line 401:
 401: data "template_file" "dashboard" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "local" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/ec2.tf line 45:
  45: data "local_file" "cloudwatch_agent" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/event_triggers.tf line 22:
  22:   input = jsonencode({ "appname" : "${local.database_ec2_name}" })

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "time" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/lambda.tf line 125:
 125: resource "time_sleep" "wait_for_provision_files" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/s3-lambda-delivery.tf line 53:
  53:         Resource = ["${module.s3-bucket-shared.bucket.arn}/*", "${module.s3-bucket-shared.bucket.arn}"],

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/versions.tf line 11:
  11:     archive = {
  12:       source = "hashicorp/archive"
  13:     }

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=6
