Added checkov suppression

Author: tnguye001

aws_sra_examples/terraform/common/dynamodb/main.tf

@@ -4,6 +4,8 @@
 ########################################################################
 
 resource "aws_dynamodb_table" "terraform_locks" {
+  #checkov:skip=CKV_AWS_28: Ensure DynamoDB point in time recovery (backup) is enabled 
+  #checkov:skip=CKV_AWS_119: Ensure DynamoDB Tables are encrypted using a KMS Customer Managed CMK
   name         = var.dynamodb_name
   billing_mode = "PAY_PER_REQUEST"
   hash_key     = "LockID"  

aws_sra_examples/terraform/common/secrets_kms/main.tf

@@ -10,6 +10,8 @@ resource "aws_kms_key" "sra_secrets_key" {
 }
 
 data "aws_iam_policy_document" "sra_secrets_key_policy" {
+  #checkov:skip=CKV_AWS_109: Ensure IAM policies does not allow permissions management without constraints
+  #checkov:skip=CKV_AWS_111: Ensure IAM policies does not allow write access without constraints
   statement {
     sid       = "Enable IAM User Permissions"
     effect    = "Allow"

aws_sra_examples/terraform/common/sra_execution_role/main.tf

@@ -4,6 +4,7 @@
 ########################################################################
 
 resource "aws_iam_role" "sra_execution_role" {
+  #checkov:skip=CKV_AWS_274:  Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy
   name = var.execution_role_name
 
   assume_role_policy = jsonencode({

aws_sra_examples/terraform/common/ssm_parameters/main.tf

@@ -55,6 +55,12 @@ data "archive_file" "zipped_lambda" {
 }
 
 resource "aws_lambda_function" "management_account_parameters" {
+  #checkov:skip=CKV_AWS_272: Ensure AWS Lambda function is configured to validate code-signing
+  #checkov:skip=CKV_AWS_116: Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ) 
+  #checkov:skip=CKV_AWS_173: Check encryption settings for Lambda environment variable
+  #checkov:skip=CKV_AWS_115: Ensure that AWS Lambda function is configured for function-level concurrent execution limit
+  #checkov:skip=CKV_AWS_117: Ensure that AWS Lambda function is configured inside a VPC
+  #checkov:skip=CKV_AWS_50: X-Ray tracing is enabled for Lambda
   function_name    = var.management_account_parameters_lambda_function_name
   source_code_hash = data.archive_file.zipped_lambda.output_base64sha256
   filename         = data.archive_file.zipped_lambda.output_path

aws_sra_examples/terraform/solutions/cloudtrail_org/kms/main.tf

@@ -3,6 +3,7 @@
 # SPDX-License-Identifier: MIT-0
 ########################################################################
 resource "aws_kms_key" "organization_cloudtrail_key" {
+  #checkov:skip=CKV_AWS_149: Ensure that Secrets Manager secret is encrypted using KMS CMK
   description         = "Organization CloudTrail Key"
   enable_key_rotation = true
 

aws_sra_examples/terraform/solutions/cloudtrail_org/org/main.tf

@@ -51,6 +51,7 @@ resource "aws_iam_role_policy" "cloudtrail_cloudwatch_logs_policy" {
 }
 
 resource "aws_cloudwatch_log_group" "cloudtrail_log_group" {
+  #checkov:skip=CKV_AWS_158: Ensure that CloudWatch Log Group is encrypted by KMS 
   count = var.create_cloudtrail_log_group == "true" ? 1 : 0
 
   name              = "sra/${var.cloudtrail_name}"
@@ -59,6 +60,7 @@ resource "aws_cloudwatch_log_group" "cloudtrail_log_group" {
 }
 
 resource "aws_cloudwatch_log_group" "lambda_log_group" {
+  #checkov:skip=CKV_AWS_158: Ensure that CloudWatch Log Group is encrypted by KMS 
   count = var.create_lambda_log_group == "true" ? 1 : 0
 
   name              = "/aws/lambda/${var.cloudtrail_lambda_function_name}"
@@ -279,6 +281,13 @@ data "archive_file" "zipped_lambda" {
 }
 
 resource "aws_lambda_function" "cloudtrail_org_lambda_function" {
+  #checkov:skip=CKV_AWS_272: Ensure AWS Lambda function is configured to validate code-signing
+  #checkov:skip=CKV_AWS_116: Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ) 
+  #checkov:skip=CKV_AWS_173: Check encryption settings for Lambda environment variable
+  #checkov:skip=CKV_AWS_115: Ensure that AWS Lambda function is configured for function-level concurrent execution limit
+  #checkov:skip=CKV_AWS_117: Ensure that AWS Lambda function is configured inside a VPC
+  #checkov:skip=CKV_AWS_50: X-Ray tracing is enabled for Lambda
+  
   description   = "Creates an Organization CloudTrail"
   function_name = var.cloudtrail_lambda_function_name
   role          = aws_iam_role.cloudtrail_lambda_role.arn

aws_sra_examples/terraform/solutions/cloudtrail_org/s3/main.tf

@@ -137,6 +137,7 @@ resource "aws_s3_bucket_policy" "org_trail_bucket_policy" {
 }
 
 resource "aws_secretsmanager_secret" "org_trail_s3_bucket_secret" {
+  #checkov:skip=CKV_AWS_149: Ensure that Secrets Manager secret is encrypted using KMS CMK
   count = var.sra_secrets_key_alias_arn != "" ? 1 : 0
 
   name        = "sra/cloudtrail_org_s3_bucket"

aws_sra_examples/terraform/solutions/guard_duty/configuration_role/main.tf

@@ -89,6 +89,7 @@ data "aws_iam_policy_document" "guardduty_policy" {
 }
 
 data "aws_iam_policy_document" "iam_policy" {
+  #checkov:skip=CKV_AWS_111: Ensure IAM policies does not allow write access without constraints
   statement {
     sid       = "AllowReadIamActions"
     effect    = "Allow"

aws_sra_examples/terraform/solutions/guard_duty/gd_configuration/main.tf

@@ -150,6 +150,7 @@ data "aws_iam_policy_document" "sra_guardduty_org_policy_logs" {
 }
 
 data "aws_iam_policy_document" "sra_guardduty_org_policy_organizations" {
+  #checkov:skip=CKV_AWS_111: Ensure IAM policies does not allow write access without constraints
   statement {
     sid    = "OrganizationsReadAccess"
     effect = "Allow"
@@ -332,6 +333,13 @@ data "archive_file" "zipped_lambda" {
 
 # main function
 resource "aws_lambda_function" "guardduty_lambda_function" {
+  #checkov:skip=CKV_AWS_272: Ensure AWS Lambda function is configured to validate code-signing
+  #checkov:skip=CKV_AWS_116: Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ) 
+  #checkov:skip=CKV_AWS_173: Check encryption settings for Lambda environment variable
+  #checkov:skip=CKV_AWS_115: Ensure that AWS Lambda function is configured for function-level concurrent execution limit
+  #checkov:skip=CKV_AWS_117: Ensure that AWS Lambda function is configured inside a VPC
+  #checkov:skip=CKV_AWS_50: X-Ray tracing is enabled for Lambda
+
   function_name = var.guardduty_lambda_function_name
   description   = "Configure GuardDuty for the Organization"
   role          = aws_iam_role.guardduty_lambda_role.arn
@@ -390,6 +398,7 @@ resource "aws_sns_topic_subscription" "guardduty_topic_subscription" {
 }
 
 resource "aws_sqs_queue" "guardduty_dlq" {
+  #checkov:skip=CKV_AWS_27: Ensure all data stored in the SQS queue is encrypted 
   name = "${var.sra_solution_name}-dlq"
   tags = {
     "sra-solution" = var.sra_solution_name

aws_sra_examples/terraform/solutions/iam_password_policy/configuration/main.tf

@@ -144,6 +144,13 @@ data "archive_file" "zipped_lambda" {
 
 # main function
 resource "aws_lambda_function" "iam_password_policy_lambda_function" {
+  #checkov:skip=CKV_AWS_272: Ensure AWS Lambda function is configured to validate code-signing
+  #checkov:skip=CKV_AWS_116: Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ) 
+  #checkov:skip=CKV_AWS_173: Check encryption settings for Lambda environment variable
+  #checkov:skip=CKV_AWS_115: Ensure that AWS Lambda function is configured for function-level concurrent execution limit
+  #checkov:skip=CKV_AWS_117: Ensure that AWS Lambda function is configured inside a VPC
+  #checkov:skip=CKV_AWS_50: X-Ray tracing is enabled for Lambda
+
   function_name = var.lambda_function_name
   description   = "SRA Update IAM password policy"
   role          = aws_iam_role.iam_password_policy_lambda_role.arn