  ___| |__   ___  ___| | _______   __
 / __| '_ \ / _ \/ __| |/ / _ \ \ / /
| (__| | | |  __/ (__|   < (_) \ V /
 \___|_| |_|\___|\___|_|\_\___/ \_/
By Prisma Cloud | version: 3.2.495
terraform_plan scan results:
Passed checks: 10, Failed checks: 6, Skipped checks: 0
Check: CKV_AWS_41: "Ensure no hard coded AWS access key and secret key exists in provider"
PASSED for resource: aws.default
File: /plan.tfplan.json:0-1
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/secrets-policies/bc-aws-secrets-5
Check: CKV_AWS_227: "Ensure KMS key is enabled"
PASSED for resource: module.s3_bucket.aws_kms_key.kmskey
File: /plan.tfplan.json:0-0
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-key-management-service-kms-key-is-enabled
Check: CKV_AWS_33: "Ensure KMS key policy does not contain wildcard (*) principal"
PASSED for resource: module.s3_bucket.aws_kms_key.kmskey
File: /plan.tfplan.json:0-0
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-kms-key-policy-does-not-contain-wildcard-principal
Check: CKV_AWS_7: "Ensure rotation for customer created CMKs is enabled"
PASSED for resource: module.s3_bucket.aws_kms_key.kmskey
File: /plan.tfplan.json:0-0
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-8
Check: CKV_AWS_93: "Ensure S3 bucket policy does not lockout all but root user. (Prevent lockouts needing root account fixes)"
PASSED for resource: module.s3_bucket.aws_s3_bucket.s3_bucket_example
File: /plan.tfplan.json:0-0
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/bc-aws-s3-24
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
PASSED for resource: module.s3_bucket.aws_s3_bucket.s3_bucket_example
File: /plan.tfplan.json:0-0
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default
Check: CKV_AWS_57: "S3 Bucket has an ACL defined which allows public WRITE access."
PASSED for resource: module.s3_bucket.aws_s3_bucket.s3_bucket_example
File: /plan.tfplan.json:0-0
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-2-acl-write-permissions-everyone
Check: CKV_AWS_19: "Ensure all data stored in the S3 bucket is securely encrypted at rest"
PASSED for resource: module.s3_bucket.aws_s3_bucket.s3_bucket_example
File: /plan.tfplan.json:0-0
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-14-data-encrypted-at-rest
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
PASSED for resource: module.s3_bucket.aws_s3_bucket.s3_bucket_example
File: /plan.tfplan.json:0-0
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning
Check: CKV_AWS_20: "S3 Bucket has an ACL defined which allows public READ access."
PASSED for resource: module.s3_bucket.aws_s3_bucket.s3_bucket_example
File: /plan.tfplan.json:0-0
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-1-acl-read-permissions-everyone
Check: CKV2_AWS_64: "Ensure KMS key Policy is defined"
FAILED for resource: module.s3_bucket.aws_kms_key.kmskey
File: /plan.tfplan.json:0-0
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-2-64
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: module.s3_bucket.aws_s3_bucket.s3_bucket_example
File: /plan.tfplan.json:0-0
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62
Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
FAILED for resource: module.s3_bucket.aws_s3_bucket.s3_bucket_example
File: /plan.tfplan.json:0-0
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: module.s3_bucket.aws_s3_bucket.s3_bucket_example
File: /plan.tfplan.json:0-0
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: module.s3_bucket.aws_s3_bucket.s3_bucket_example
File: /plan.tfplan.json:0-0
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: module.s3_bucket.aws_s3_bucket.s3_bucket_example
File: /plan.tfplan.json:0-0
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging