More checkov scans supression

tknguyen · tknguyen · commit 519403af947d · 2024-02-08T16:04:07.000-06:00
diff --git a/aws_sra_examples/terraform/common/s3/main.tf b/aws_sra_examples/terraform/common/s3/main.tf
@@ -4,6 +4,11 @@
 ########################################################################
 
 resource "aws_s3_bucket" "sra_state_bucket" {
+  #checkov:skip=CKV2_AWS_61: Ensure that an S3 bucket has a lifecycle configuration
+  #checkov:skip=CKV_AWS_18: Ensure the S3 bucket has access logging enabled
+  #checkov:skip=CKV2_AWS_62: Ensure S3 buckets should have event notifications enabled
+  #checkov:skip=CKV_AWS_144: Ensure that S3 bucket has cross-region replication enabled
+  
   bucket        = "${var.sra_state_bucket_prefix}-${data.aws_region.current.name}-${data.aws_caller_identity.current.account_id}"
   force_destroy = true
 
@@ -31,6 +36,7 @@ resource "aws_s3_bucket_versioning" "sra_state_bucket_versioning" {
 }
 
 resource "aws_s3_bucket_ownership_controls" "sra_state_bucket_ownership_control" {
+  #checkov:skip=CKV2_AWS_65: Ensure access control lists for S3 buckets are disabled
   bucket = aws_s3_bucket.sra_state_bucket.id
   rule {
     object_ownership = "BucketOwnerPreferred"
diff --git a/aws_sra_examples/terraform/common/secrets_kms/main.tf b/aws_sra_examples/terraform/common/secrets_kms/main.tf
@@ -12,6 +12,8 @@ resource "aws_kms_key" "sra_secrets_key" {
 data "aws_iam_policy_document" "sra_secrets_key_policy" {
   #checkov:skip=CKV_AWS_109: Ensure IAM policies does not allow permissions management without constraints
   #checkov:skip=CKV_AWS_111: Ensure IAM policies does not allow write access without constraints
+  #checkov:skip=CKV_AWS_356: Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions
+  
   statement {
     sid       = "Enable IAM User Permissions"
     effect    = "Allow"
diff --git a/aws_sra_examples/terraform/common/ssm_parameters/main.tf b/aws_sra_examples/terraform/common/ssm_parameters/main.tf
@@ -136,6 +136,8 @@ data "aws_iam_policy_document" "cloudwatch_policy" {
 }
 
 data "aws_iam_policy_document" "management_account_parameters_lambda_ssm_policy" {
+  #checkov:skip=CKV_AWS_356: Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions
+  
   statement {
     sid    = "STSOrganizationRead"
     effect = "Allow"
diff --git a/aws_sra_examples/terraform/solutions/cloudtrail_org/kms/main.tf b/aws_sra_examples/terraform/solutions/cloudtrail_org/kms/main.tf
@@ -95,6 +95,8 @@ resource "aws_kms_alias" "organization_cloudtrail_key_alias" {
 }
 
 resource "aws_secretsmanager_secret" "organization_cloudtrail_key_secret" {
+  #checkov:skip=CKV_AWS_149: Ensure that Secrets Manager secret is encrypted using KMS CMK
+  #checkov:skip=CKV2_AWS_57: Ensure Secrets Manager secrets should have automatic rotation enabled
   count = var.secrets_key_alias_arn != "" ? 1 : 0
 
   name        = "sra/cloudtrail-org-key-arn"
diff --git a/aws_sra_examples/terraform/solutions/cloudtrail_org/org/main.tf b/aws_sra_examples/terraform/solutions/cloudtrail_org/org/main.tf
@@ -111,6 +111,8 @@ resource "aws_iam_role_policy" "cloudtrail_log_group_policy" {
 }
 
 resource "aws_iam_role_policy" "cloudtrail_policy" {
+  #checkov:skip=CKV_AWS_290: Ensure IAM policies does not allow write access without constraints
+
   name = "sra-cloudtrail-org-policy-cloudtrail"
   role = aws_iam_role.cloudtrail_lambda_role.id
 
diff --git a/aws_sra_examples/terraform/solutions/cloudtrail_org/s3/main.tf b/aws_sra_examples/terraform/solutions/cloudtrail_org/s3/main.tf
@@ -3,6 +3,10 @@
 # SPDX-License-Identifier: MIT-0
 ########################################################################
 resource "aws_s3_bucket" "org_trail_bucket" {
+  #checkov:skip=CKV2_AWS_61: Ensure that an S3 bucket has a lifecycle configuration
+  #checkov:skip=CKV_AWS_18: Ensure the S3 bucket has access logging enabled
+  #checkov:skip=CKV2_AWS_62: Ensure S3 buckets should have event notifications enabled
+  #checkov:skip=CKV_AWS_144: Ensure that S3 bucket has cross-region replication enabled
   bucket = "${var.bucket_name_prefix}-${data.aws_caller_identity.current.account_id}-${data.aws_region.current.name}"
 
   tags = {
@@ -41,6 +45,7 @@ resource "aws_s3_bucket_public_access_block" "this" {
 }
 
 resource "aws_s3_bucket_ownership_controls" "this" {
+  #checkov:skip=CKV2_AWS_65: Ensure access control lists for S3 buckets are disabled
   bucket = aws_s3_bucket.org_trail_bucket.id
 
   rule {
@@ -138,6 +143,8 @@ resource "aws_s3_bucket_policy" "org_trail_bucket_policy" {
 
 resource "aws_secretsmanager_secret" "org_trail_s3_bucket_secret" {
   #checkov:skip=CKV_AWS_149: Ensure that Secrets Manager secret is encrypted using KMS CMK
+  #checkov:skip=CKV2_AWS_57: Ensure Secrets Manager secrets should have automatic rotation enabled
+  
   count = var.sra_secrets_key_alias_arn != "" ? 1 : 0
 
   name        = "sra/cloudtrail_org_s3_bucket"
diff --git a/aws_sra_examples/terraform/solutions/guard_duty/configuration_role/main.tf b/aws_sra_examples/terraform/solutions/guard_duty/configuration_role/main.tf
@@ -90,6 +90,7 @@ data "aws_iam_policy_document" "guardduty_policy" {
 
 data "aws_iam_policy_document" "iam_policy" {
   #checkov:skip=CKV_AWS_111: Ensure IAM policies does not allow write access without constraints
+  #checkov:skip=CKV_AWS_356: Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions
   statement {
     sid       = "AllowReadIamActions"
     effect    = "Allow"
diff --git a/aws_sra_examples/terraform/solutions/guard_duty/kms_key/main.tf b/aws_sra_examples/terraform/solutions/guard_duty/kms_key/main.tf
@@ -3,6 +3,10 @@
 # SPDX-License-Identifier: MIT-0
 ########################################################################
 data "aws_iam_policy_document" "kms_policy" {
+  #checkov:skip=CKV_AWS_111: Ensure IAM policies does not allow write access without constraints
+  #checkov:skip=CKV_AWS_356: Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions
+  #checkov:skip=CKV_AWS_109: Ensure IAM policies does not allow permissions management / resource exposure without constraints
+
   statement {
     sid       = "EnableIAMUserPermissions"
     effect    = "Allow"
@@ -88,6 +92,8 @@ resource "aws_kms_alias" "guardduty_delivery_key_alias" {
 }
 
 resource "aws_secretsmanager_secret" "guardduty_delivery_key_secret" {
+  #checkov:skip=CKV2_AWS_57: Ensure Secrets Manager secrets should have automatic rotation enabled
+  
   count       = var.create_secret ? 1 : 0
   name        = "sra/guardduty_org_delivery_key_arn"
   description = "GuardDuty Delivery KMS Key ARN"
diff --git a/aws_sra_examples/terraform/solutions/guard_duty/s3/main.tf b/aws_sra_examples/terraform/solutions/guard_duty/s3/main.tf
@@ -4,6 +4,10 @@
 ########################################################################
 
 resource "aws_s3_bucket" "guardduty_delivery_bucket" {
+  #checkov:skip=CKV2_AWS_61: Ensure that an S3 bucket has a lifecycle configuration
+  #checkov:skip=CKV_AWS_18: Ensure the S3 bucket has access logging enabled
+  #checkov:skip=CKV2_AWS_62: Ensure S3 buckets should have event notifications enabled
+  #checkov:skip=CKV_AWS_144: Ensure that S3 bucket has cross-region replication enabled
   bucket        = "${var.guardduty_org_delivery_bucket_prefix}-${data.aws_caller_identity.current.account_id}-${data.aws_region.current.name}"
   force_destroy = true
 
@@ -31,6 +35,7 @@ resource "aws_s3_bucket_versioning" "guardduty_versioning" {
 }
 
 resource "aws_s3_bucket_ownership_controls" "guardduty_ownership_control" {
+  #checkov:skip=CKV2_AWS_65: Ensure access control lists for S3 buckets are disabled
   bucket = aws_s3_bucket.guardduty_delivery_bucket.id
   rule {
     object_ownership = "BucketOwnerPreferred"
diff --git a/aws_sra_examples/terraform/solutions/macie/delivery_kms_key/main.tf b/aws_sra_examples/terraform/solutions/macie/delivery_kms_key/main.tf
@@ -91,6 +91,9 @@ resource "aws_kms_alias" "macie_delivery_key_alias" {
 }
 
 resource "aws_secretsmanager_secret" "macie_delivery_key_secret" {
+  #checkov:skip=CKV_AWS_149: Ensure that Secrets Manager secret is encrypted using KMS CMK
+  #checkov:skip=CKV2_AWS_57: Ensure Secrets Manager secrets should have automatic rotation enabled
+  
   count       = var.secrets_key_alias_arn != "" ? 1 : 0
   name        = "sra/macie_org_delivery_key_arn"
   description = "Macie Delivery KMS Key ARN"
diff --git a/aws_sra_examples/terraform/solutions/macie/delivery_s3_bucket/main.tf b/aws_sra_examples/terraform/solutions/macie/delivery_s3_bucket/main.tf
@@ -3,6 +3,10 @@
 # SPDX-License-Identifier: MIT-0
 ########################################################################
 resource "aws_s3_bucket" "macie_delivery_s3_bucket" {
+  #checkov:skip=CKV2_AWS_61: Ensure that an S3 bucket has a lifecycle configuration
+  #checkov:skip=CKV_AWS_18: Ensure the S3 bucket has access logging enabled
+  #checkov:skip=CKV2_AWS_62: Ensure S3 buckets should have event notifications enabled
+  #checkov:skip=CKV_AWS_144: Ensure that S3 bucket has cross-region replication enabled
   bucket = "${var.macie_delivery_bucket_prefix}-${data.aws_caller_identity.current.account_id}-${data.aws_region.current.name}"
 
   tags = {
@@ -41,6 +45,7 @@ resource "aws_s3_bucket_public_access_block" "this" {
 }
 
 resource "aws_s3_bucket_ownership_controls" "this" {
+  #checkov:skip=CKV2_AWS_65: Ensure access control lists for S3 buckets are disabled
   bucket = aws_s3_bucket.macie_delivery_s3_bucket.id
 
   rule {
diff --git a/aws_sra_examples/terraform/solutions/register_delegated_administrator/register_admin/main.tf b/aws_sra_examples/terraform/solutions/register_delegated_administrator/register_admin/main.tf
@@ -54,6 +54,9 @@ data "aws_iam_policy_document" "register_delegated_admin_policy_logs" {
 }
 
 data "aws_iam_policy_document" "register_delegated_admin_policy_organizations" {
+  #checkov:skip=CKV_AWS_111: Ensure IAM policies does not allow write access without constraints
+  #checkov:skip=CKV_AWS_356: Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions
+
   version = "2012-10-17"
 
   statement {
diff --git a/aws_sra_examples/terraform/solutions/security_hub/configuration/main.tf b/aws_sra_examples/terraform/solutions/security_hub/configuration/main.tf
@@ -68,6 +68,9 @@ data "aws_iam_policy_document" "security_hub_org_policy_ssm_access" {
 }
 
 data "aws_iam_policy_document" "security_hub_org_policy_securityhub" {
+  #checkov:skip=CKV_AWS_111: Ensure IAM policies does not allow write access without constraints
+  #checkov:skip=CKV_AWS_356: Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions
+
   statement {
     sid    = "SecurityHubNoResource"
     effect = "Allow"

Original file line number	Diff line number	Diff line change
`@@ -136,6 +136,8 @@ data "aws_iam_policy_document" "cloudwatch_policy" {`
`136`	`136`	`}`
`137`	`137`
`138`	`138`	`data "aws_iam_policy_document" "management_account_parameters_lambda_ssm_policy" {`
	`139`	`+ #checkov:skip=CKV_AWS_356: Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions`
	`140`	`+`
`139`	`141`	`statement {`
`140`	`142`	`sid = "STSOrganizationRead"`
`141`	`143`	`effect = "Allow"`
Original file line number	Diff line number	Diff line change
`@@ -95,6 +95,8 @@ resource "aws_kms_alias" "organization_cloudtrail_key_alias" {`
`95`	`95`	`}`
`96`	`96`
`97`	`97`	`resource "aws_secretsmanager_secret" "organization_cloudtrail_key_secret" {`
	`98`	`+ #checkov:skip=CKV_AWS_149: Ensure that Secrets Manager secret is encrypted using KMS CMK`
	`99`	`+ #checkov:skip=CKV2_AWS_57: Ensure Secrets Manager secrets should have automatic rotation enabled`
`98`	`100`	`count = var.secrets_key_alias_arn != "" ? 1 : 0`
`99`	`101`
`100`	`102`	`name = "sra/cloudtrail-org-key-arn"`
Original file line number	Diff line number	Diff line change
`@@ -111,6 +111,8 @@ resource "aws_iam_role_policy" "cloudtrail_log_group_policy" {`
`111`	`111`	`}`
`112`	`112`
`113`	`113`	`resource "aws_iam_role_policy" "cloudtrail_policy" {`
	`114`	`+ #checkov:skip=CKV_AWS_290: Ensure IAM policies does not allow write access without constraints`
	`115`	`+`
`114`	`116`	`name = "sra-cloudtrail-org-policy-cloudtrail"`
`115`	`117`	`role = aws_iam_role.cloudtrail_lambda_role.id`
`116`	`118`
Original file line number	Diff line number	Diff line change
`@@ -91,6 +91,9 @@ resource "aws_kms_alias" "macie_delivery_key_alias" {`
`91`	`91`	`}`
`92`	`92`
`93`	`93`	`resource "aws_secretsmanager_secret" "macie_delivery_key_secret" {`
	`94`	`+ #checkov:skip=CKV_AWS_149: Ensure that Secrets Manager secret is encrypted using KMS CMK`
	`95`	`+ #checkov:skip=CKV2_AWS_57: Ensure Secrets Manager secrets should have automatic rotation enabled`
	`96`	`+`
`94`	`97`	`count = var.secrets_key_alias_arn != "" ? 1 : 0`
`95`	`98`	`name = "sra/macie_org_delivery_key_arn"`
`96`	`99`	`description = "Macie Delivery KMS Key ARN"`