
Updates IMDS & ECR encryption syntax | tfsec/checkov ignores

No actual changes are being made; I verified the console settings and hard-coded the syntax in TF.

For IMDS, enabling the 'enforce' feature on most of the EC2 fleet will break Salt state that has a file source of s3://*. We'd definitely prefer to have IMDSv2 if we could, but it's not safe to turn on in our environment at this time. Most changes concern syntax placement for tfsec / checkov ignores.

aws_instance should activate session tokens for Instance Metadata Service. Instance does not require IMDS access to require a token.

ID         - aws-ec2-enforce-http-token-imds
Severity   - High
Impact     - Instance metadata service can be interacted with freely
Resolution - Enable HTTP token requirement for IMDS

tfsec   - https://aquasecurity.github.io/tfsec/v1.26.3/checks/aws/ec2/enforce-http-token-imds/
checkov - https://docs.bridgecrew.io/docs/bc_aws_general_31
AWS     - https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service/

**Verified that all ECR Repos are already encrypted; syntax updated in TF only.**

ECR Repository should use customer managed keys to allow more control. Repository is not encrypted using KMS.

ID         - aws-ecr-repository-customer-key
Severity   - Low
Impact     - Using AWS managed keys does not allow for fine grained control
Resolution - Use customer managed keys

tfsec   - https://aquasecurity.github.io/tfsec/v1.26.3/checks/aws/ecr/repository-customer-key/
checkov - https://docs.bridgecrew.io/docs/ensure-that-ecr-repositories-are-encrypted
AWS     - https://docs.aws.amazon.com/AmazonECR/latest/userguide/encryption-at-rest.html

To be tagged as v5.1.12
Jeremy Cooper [AFS MBP] 3 years ago
parent
commit 67c98b7677
73 changed files with 429 additions and 171 deletions
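The commit message says the console settings were verified by hand before the `http_tokens` and `encryption_type` values were hard-coded. The script below is an added example (my code, not the commit's or the repository's) of doing that verification for a whole account at once: it reads the JSON that `aws ec2 describe-instances` and `aws ecr describe-repositories` return and lists every instance that still answers IMDSv1 and every repository that is not on a customer-managed KMS key, has mutable tags, or does not scan on push. The two JSON documents are constructed samples that mirror the API response shape; the instance IDs, profile ARNs, account number and repository names are invented.

```python
"""Offline audit of the two settings this commit touches, run over the JSON
shapes that `aws ec2 describe-instances` and `aws ecr describe-repositories`
return. Added example, not code from the commit or the repository; every
identifier in the samples below is invented.
"""
import json

# Constructed sample of `aws ec2 describe-instances` output, trimmed to the
# fields the check reads. Invented IDs, ARNs and names.
DESCRIBE_INSTANCES = json.loads(r"""
{"Reservations": [{"Instances": [
  {"InstanceId": "i-0a1b2c3d4e5f60001",
   "IamInstanceProfile": {"Arn": "arn:aws:iam::111111111111:instance-profile/msoc-default-instance-profile"},
   "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 2},
   "Tags": [{"Key": "Name", "Value": "bastion"}]},
  {"InstanceId": "i-0a1b2c3d4e5f60002",
   "IamInstanceProfile": {"Arn": "arn:aws:iam::111111111111:instance-profile/ghe"},
   "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 1},
   "Tags": [{"Key": "Name", "Value": "github-enterprise"}]},
  {"InstanceId": "i-0a1b2c3d4e5f60003",
   "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1},
   "Tags": [{"Key": "Name", "Value": "scratch"}]},
  {"InstanceId": "i-0a1b2c3d4e5f60004",
   "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1},
   "Tags": []}
]}]}
""")

# Constructed sample of `aws ecr describe-repositories` output. Invented names.
DESCRIBE_REPOSITORIES = json.loads(r"""
{"repositories": [
  {"repositoryName": "portal_server",
   "encryptionConfiguration": {"encryptionType": "AES256"},
   "imageTagMutability": "MUTABLE", "imageScanningConfiguration": {"scanOnPush": true}},
  {"repositoryName": "signed_base",
   "encryptionConfiguration": {"encryptionType": "KMS",
     "kmsKey": "arn:aws:kms:us-east-1:111111111111:key/00000000-0000-0000-0000-000000000000"},
   "imageTagMutability": "IMMUTABLE", "imageScanningConfiguration": {"scanOnPush": true}},
  {"repositoryName": "legacy",
   "imageTagMutability": "MUTABLE", "imageScanningConfiguration": {"scanOnPush": false}}
]}
""")


def name_tag(instance):
    """Value of the Name tag, or "" when the instance has none."""
    return next((t["Value"] for t in instance.get("Tags", []) if t["Key"] == "Name"), "")


def imds_findings(describe_instances):
    """One finding per instance whose enabled IMDS endpoint still answers
    IMDSv1 requests (HttpTokens != "required").

    Severity is "high" when the instance carries an IAM instance profile,
    because role credentials are what an SSRF against IMDSv1 steals, and
    "medium" otherwise. A hop limit above 1 is recorded separately: it lets
    requests forwarded through a container or proxy on the host reach IMDS.
    """
    findings = []
    for reservation in describe_instances["Reservations"]:
        for inst in reservation["Instances"]:
            mo = inst.get("MetadataOptions", {})
            if mo.get("HttpEndpoint") != "enabled" or mo.get("HttpTokens") == "required":
                continue
            has_profile = "IamInstanceProfile" in inst
            findings.append({
                "instance_id": inst["InstanceId"],
                "name": name_tag(inst),
                "severity": "high" if has_profile else "medium",
                "has_instance_profile": has_profile,
                "hop_limit_exceeds_1": mo.get("HttpPutResponseHopLimit", 1) > 1,
            })
    return findings


def ecr_findings(describe_repositories):
    """Issues per repository: not on a customer-managed KMS key, mutable tags,
    or scan-on-push disabled. A missing encryptionConfiguration is treated as
    AES256, which is what ECR applies when none is specified."""
    report = []
    for repo in describe_repositories["repositories"]:
        issues = []
        enc = repo.get("encryptionConfiguration", {"encryptionType": "AES256"})
        if enc.get("encryptionType") != "KMS":
            issues.append("encryption:" + enc.get("encryptionType", "AES256"))
        if repo.get("imageTagMutability") != "IMMUTABLE":
            issues.append("tags:MUTABLE")
        if not repo.get("imageScanningConfiguration", {}).get("scanOnPush", False):
            issues.append("scan_on_push:disabled")
        if issues:
            report.append({"repository": repo["repositoryName"], "issues": issues})
    return report


if __name__ == "__main__":
    for f in imds_findings(DESCRIBE_INSTANCES):
        print("IMDSv1 allowed:", f)
    for r in ecr_findings(DESCRIBE_REPOSITORIES):
        print("ECR", r["repository"] + ":", ", ".join(r["issues"]))
```

Against real output, pipe `aws ec2 describe-instances --output json` and `aws ecr describe-repositories --output json` into `json.load` in place of the two constructed documents. The high/medium split is the point of the IMDS check: an instance with no profile and IMDSv1 on leaks only metadata, while one with a profile (every host using `msoc-default-instance-profile` in this commit) leaks role credentials, so that is the list to work through first once the Salt s3:// issue is closed.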
  1. +5 -2   base/CA_Infrastructure/root_CA/audit_bucket.tf
  2. +12 -3  base/CA_Infrastructure/root_CA/crl.tf
  3. +11 -3  base/CA_Infrastructure/subordinate_CAs/crl.tf
  4. +3 -3   base/account_standards/config.tf
  5. +1 -1   base/account_standards/iam.tf
  6. +5 -5   base/aws_client_vpn/security-groups.tf
  7. +26 -4  base/bastion/main.tf
  8. +5 -3   base/codebuild_ecr_base/s3.tf
  9. +26 -12 base/codebuild_ecr_customer_portal/main.tf
  10. +17 -6 base/codebuild_ecr_project/main.tf
  11. +2 -2  base/codebuild_lcp_magic_machine/security-group.tf
  12. +1 -1  base/customer_portal/elb.tf
  13. +26 -8 base/customer_portal/main.tf
  14. +1 -0  base/customer_portal/rds.tf
  15. +1 -1  base/customer_portal_lambda/sqs.tf
  16. +11 -4 base/dns/resolver_instance/main.tf
  17. +3 -2  base/github/github_servers.tf
  18. +8 -1  base/jira/instance_jira/main.tf
  19. +8 -1  base/mailrelay/instance-mailrelay2.tf
  20. +1 -1  base/mailrelay/main.tf
  21. +11 -1 base/nessus/instance_nessus_manager/main.tf
  22. +1 -1  base/nessus/instance_nessus_manager/nlb.tf
  23. +1 -1  base/nessus/instance_nessus_manager/securitygroup-server.tf
  24. +10 -1 base/nessus/instance_nessus_scanner/main.tf
  25. +1 -1  base/nessus/instance_nessus_scanner/securitygroup-server.tf
  26. +11 -1 base/phantom/main.tf
  27. +4 -4  base/phantom/securitygroup-server.tf
  28. +24 -7 base/proxy_server/main.tf
  29. +2 -2  base/repo_server/lb.tf
  30. +8 -1  base/rhsso/main.tf
  31. +1 -1  base/rhsso/nlb.tf
  32. +2 -2  base/rhsso/security-groups.tf
  33. +4 -3  base/salt_master/main.tf
  34. +1 -1  base/salt_master_inventory_role/inventory_role.tf
  35. +2 -2  base/salt_master_inventory_role/user.tf
  36. +1 -1  base/sensu/elb.tf
  37. +10 -2 base/shared_ami_key/main.tf
  38. +17 -4 base/splunk_servers/alsi/elb-elastic.tf
  39. +16 -3 base/splunk_servers/alsi/elb-hec.tf
  40. +14 -2 base/splunk_servers/alsi/elb-master.tf
  41. +14 -3 base/splunk_servers/alsi/master.tf
  42. +1 -1  base/splunk_servers/alsi/nlb-splunk.tf
  43. +16 -4 base/splunk_servers/alsi/workers.tf
  44. +1 -1  base/splunk_servers/legacy_hec/elb-with-acks.tf
  45. +1 -1  base/splunk_servers/legacy_hec/elb-without-ack.tf
  46. +4 -4  base/teleport-single-instance/alb.tf
  47. +3 -3  base/teleport-single-instance/dynamo.tf
  48. +5 -2  base/teleport-single-instance/main.tf
  49. +1 -1  base/teleport-single-instance/nlb.tf
  50. +4 -4  base/teleport-single-instance/security-groups.tf
  51. +8 -1  base/threatquotient/main.tf
  52. +2 -2  base/vault/dynamodb.tf
  53. +8 -1  base/vault/main.tf
  54. +8 -2  submodules/codebuild/codebuild-ecr-image/ecr_repo.tf
  55. +5 -5  submodules/iam/bootstrap_mdradmin_policies/policy-mdradmin_tfstate_setup.tf
  56. +3 -3  submodules/iam/common_services_roles/role-mdr_developer.tf
  57. +2 -2  submodules/iam/okta_saml_roles/policy-mdr_engineer.tf
  58. +2 -2  submodules/iam/okta_saml_roles/policy-mdr_iam_admin.tf
  59. +2 -2  submodules/iam/okta_saml_roles/policy-mdr_readonly_assumerole.tf
  60. +2 -2  submodules/iam/okta_saml_roles/policy-mdr_terraformer.tf
  61. +2 -2  submodules/iam/standard_iam_policies/policy-mdr_engineer.tf
  62. +1 -1  submodules/iam/standard_iam_policies/policy-mdr_feedmgmt.tf
  63. +2 -2  submodules/iam/standard_iam_policies/policy-mdr_iam_admin.tf
  64. +2 -2  submodules/iam/standard_iam_policies/policy-mdr_readonly_assumerole.tf
  65. +2 -2  submodules/iam/standard_iam_policies/policy-mdr_terraformer.tf
  66. +1 -1  submodules/load_balancer/public_alb/elb.tf
  67. +2 -2  submodules/load_balancer/public_alb/security_groups.tf
  68. +1 -1  submodules/load_balancer/static_nlb_to_alb/alb.tf
  69. +1 -1  submodules/load_balancer/static_nlb_to_alb/nlb.tf
  70. +1 -1  submodules/splunk/splunk_indexer_asg/main.tf
  71. +1 -1  thirdparty/terraform-aws-cloudtrail-logging/main.tf
  72. +2 -0  thirdparty/terraform-aws-github-runner/modules/runners/variables.tf
  73. +5 -5  thirdparty/terraform-aws-kinesis-firehose-splunk/main.tf

+ 5 - 2
base/CA_Infrastructure/root_CA/audit_bucket.tf

@@ -1,4 +1,7 @@
 resource "aws_s3_bucket" "audit_reports" {
+  # checkov:skip=CKV_AWS_145: Risk is low for AES-256 encryption
+	# checkov:skip=CKV2_AWS_6: see tfsec S3 block policy
+	# checkov:skip=CKV_AWS_18: see tfsec S3 logging above
   provider = aws.c2 # The reports go in the c2 bucket
   bucket   = "xdr-ca-audit-reports"
 
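Review bot: the three checkov skips use mixed indentation (two spaces on the `CKV_AWS_145` line, a tab on the `CKV2_AWS_6` and `CKV_AWS_18` lines), and the same tab-indented skip lines recur in the other resources touched by this commit; run `terraform fmt` before tagging v5.1.12 so the next fmt pass is not a whitespace-only diff. The `CKV_AWS_18` reason "see tfsec S3 logging above" also points at nothing in this file: the only logging configuration near this bucket is the commented-out `target_bucket` block below, so either reference that TODO explicitly or state the reason on the skip itself.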
@@ -26,14 +29,14 @@ resource "aws_s3_bucket_acl" "s3_acl_audit_reports" {
 #  target_bucket = module.xdr_config_logging_bucket.s3_bucket_name
 #  target_prefix = "${var.aws_account_id}-${var.aws_region}-awsconfig/"
 #}
-
+# tfsec:ignore:aws-s3-encryption-customer-key Risk is low for AES-256 encryption
 resource "aws_s3_bucket_server_side_encryption_configuration" "s3_sse_audit_reports" {
   provider = aws.c2
   bucket   = aws_s3_bucket.audit_reports.id
 
   rule {
     apply_server_side_encryption_by_default {
-      sse_algorithm = "AES256" # Default keys are fine. We don't really need encryption here.
+      sse_algorithm = "AES256"
     }
   }
 }
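Review bot: the removed inline comment ("Default keys are fine. We don't really need encryption here.") was the only statement of why SSE-S3 is acceptable for the audit-report bucket, and the replacement `# tfsec:ignore:aws-s3-encryption-customer-key Risk is low for AES-256 encryption` now sits four lines away from the `sse_algorithm = "AES256"` it justifies. Keep a short rationale next to the attribute as well, e.g. `sse_algorithm = "AES256" # SSE-S3; CA audit reports are not sensitive enough to warrant a CMK`, so the next reader does not have to hunt for the ignore comment to learn why.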

+ 12 - 3
base/CA_Infrastructure/root_CA/crl.tf

@@ -1,6 +1,14 @@
-#tfsec:ignore:aws-s3-block-public-acls tfsec:ignore:aws-s3-block-public-policy tfsec:ignore:aws-s3-ignore-public-acls
-#tfsec:ignore:aws-s3-no-public-buckets Certificate CRLs need to be publicly accessible
+# tfsec:ignore:aws-s3-block-public-acls 
+# tfsec:ignore:aws-s3-specify-public-access-block
+# tfsec:ignore:aws-s3-block-public-policy 
+# tfsec:ignore:aws-s3-ignore-public-acls
+# tfsec:ignore:aws-s3-no-public-buckets Certificate CRLs need to be publicly accessible
+# tfsec:ignore:aws-s3-enable-bucket-logging TODO: Enable S3 logging... everywhere. We don't have a C2 bucket for this.
 resource "aws_s3_bucket" "crl" {
+	# checkov:skip=CKV_AWS_144: Cross-region replication TODO
+	# checkov:skip=CKV_AWS_145: Risk is low for AES-256 encryption
+	# checkov:skip=CKV2_AWS_6: see tfsec S3 block policy
+	# checkov:skip=CKV_AWS_18: see tfsec S3 logging above
   bucket = "xdr-root-crl"
 
   tags = merge(local.standard_tags, var.tags)
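Review bot: `# tfsec:ignore:aws-s3-block-public-acls ` and `# tfsec:ignore:aws-s3-block-public-policy ` carry trailing whitespace, and the only reason given for the five public-access ignores ("Certificate CRLs need to be publicly accessible") is attached to the last of them; since each `tfsec:ignore:` line is read on its own, put the reason on the first line or on each so every suppression explains itself. `CKV_AWS_144: Cross-region replication TODO` is a skip with no tracking reference; if replication is planned, link the ticket the way MSOCI-2182 is linked for the ECR mutability ignore elsewhere in this commit.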
@@ -40,12 +48,13 @@ resource "aws_s3_bucket_lifecycle_configuration" "s3_lifecyle_crl" {
   }
 }
 
+# tfsec:ignore:aws-s3-encryption-customer-key Risk is low for AES-256 encryption
 resource "aws_s3_bucket_server_side_encryption_configuration" "s3_sse_crl" {
   bucket = aws_s3_bucket.crl.id
 
   rule {
     apply_server_side_encryption_by_default {
-      sse_algorithm = "AES256" # Default keys are fine. We don't really need encryption here.
+      sse_algorithm = "AES256"
     }
   }
 }

+ 11 - 3
base/CA_Infrastructure/subordinate_CAs/crl.tf

@@ -1,6 +1,13 @@
-#tfsec:ignore:aws-s3-block-public-acls tfsec:ignore:aws-s3-block-public-policy tfsec:ignore:aws-s3-ignore-public-acls 
-#tfsec:ignore:aws-s3-no-public-buckets Certificate CRLs need to be publicly accessible
+# tfsec:ignore:aws-s3-block-public-acls 
+# tfsec:ignore:aws-s3-specify-public-access-block 
+# tfsec:ignore:aws-s3-block-public-policy 
+# tfsec:ignore:aws-s3-ignore-public-acls 
+# tfsec:ignore:aws-s3-no-public-buckets Certificate CRLs need to be publicly accessible
+# tfsec:ignore:aws-s3-enable-bucket-logging TODO: Enable S3 logging... everywhere. We don't have a C2 bucket for this.
 resource "aws_s3_bucket" "crl" {
+	# checkov:skip=CKV_AWS_145: Risk is low for AES-256 encryption
+	# checkov:skip=CKV2_AWS_6: see tfsec S3 block policy
+	# checkov:skip=CKV_AWS_18: see tfsec S3 logging above
   provider = aws.common # COMMON SERVICES
   bucket   = "xdr-subordinate-crl"
 
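Review bot: this bucket receives the same public-access and logging ignores as the root CRL bucket but not the `CKV_AWS_144` (cross-region replication) skip that `xdr-root-crl` got in the previous file; if checkov raises it for `xdr-subordinate-crl` too, add the skip here for parity, and if it does not, say why on the root bucket's skip so the two CRL buckets can be reviewed as a pair.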
@@ -43,13 +50,14 @@ resource "aws_s3_bucket_lifecycle_configuration" "s3_lifecyle_subordinate_crl" {
   }
 }
 
+# tfsec:ignore:aws-s3-encryption-customer-key Risk is low for AES-256 encryption
 resource "aws_s3_bucket_server_side_encryption_configuration" "s3_sse_subordinate_crl" {
   provider = aws.common
   bucket   = aws_s3_bucket.crl.id
 
   rule {
     apply_server_side_encryption_by_default {
-      sse_algorithm = "AES256" # Default keys are fine. We don't really need encryption here.
+      sse_algorithm = "AES256"
     }
   }
 }

+ 3 - 3
base/account_standards/config.tf

@@ -16,7 +16,7 @@ data "aws_iam_policy_document" "awsconfig" {
     effect  = "Allow"
     actions = ["s3:PutObject"]
     resources = [
-      #tfsec:ignore:aws-iam-no-policy-wildcards Allows use by the entire account
+      # tfsec:ignore:aws-iam-no-policy-wildcards Allows use by the entire account
       "arn:${var.aws_partition}:s3:::xdr-config-${local.logging_environment}/*",
     ]
     condition {
@@ -30,7 +30,7 @@ data "aws_iam_policy_document" "awsconfig" {
     effect  = "Allow"
     actions = ["s3:GetBucketAcl"]
     resources = [
-      #tfsec:ignore:aws-iam-no-policy-wildcards Allows use by the entire account
+      # tfsec:ignore:aws-iam-no-policy-wildcards Allows use by the entire account
       "arn:${var.aws_partition}:s3:::xdr-config-${local.logging_environment}/*",
     ]
   }
@@ -46,7 +46,7 @@ data "aws_iam_policy_document" "awsconfig" {
     sid    = "PermissionsForRuleChecks"
     effect = "Allow"
     actions = [
-      #tfsec:ignore:aws-iam-no-policy-wildcards Allows use by the entire account
+      # tfsec:ignore:aws-iam-no-policy-wildcards Allows use by the entire account
       "kms:DescribeKey"
     ]
     resources = ["*"]

+ 1 - 1
base/account_standards/iam.tf

@@ -67,7 +67,7 @@ data "aws_iam_policy_document" "default_instance_policy_s3_binaries_doc" {
   statement {
     sid       = "GetFromTheBucket"
     effect    = "Allow"
-    resources = ["arn:${var.aws_partition}:s3:::${var.binaries_bucket}/*"] #tfsec:ignore:aws-iam-no-policy-wildcards This is read-only access
+    resources = ["arn:${var.aws_partition}:s3:::${var.binaries_bucket}/*"] # tfsec:ignore:aws-iam-no-policy-wildcards This is read-only access
 
     actions = [
       "s3:GetObject",

+ 5 - 5
base/aws_client_vpn/security-groups.tf

@@ -10,7 +10,7 @@ resource "aws_security_group_rule" "vpn-in-443-tcp" {
   from_port         = 443
   to_port           = 443
   protocol          = "tcp"
-  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-ingress-sgr
+  cidr_blocks       = ["0.0.0.0/0"] # tfsec:ignore:aws-vpc-no-public-ingress-sgr
   security_group_id = aws_security_group.vpn_access.id
 }
 
@@ -19,7 +19,7 @@ resource "aws_security_group_rule" "vpn-in-443-udp" {
   from_port         = 443
   to_port           = 443
   protocol          = "udp"
-  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-ingress-sgr
+  cidr_blocks       = ["0.0.0.0/0"] # tfsec:ignore:aws-vpc-no-public-ingress-sgr
   security_group_id = aws_security_group.vpn_access.id
 }
 
@@ -28,7 +28,7 @@ resource "aws_security_group_rule" "vpn-in-1194-tcp" {
   from_port         = 1194
   to_port           = 1194
   protocol          = "tcp"
-  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-ingress-sgr
+  cidr_blocks       = ["0.0.0.0/0"] # tfsec:ignore:aws-vpc-no-public-ingress-sgr
   security_group_id = aws_security_group.vpn_access.id
 }
 
@@ -37,7 +37,7 @@ resource "aws_security_group_rule" "vpn-in-1194-udp" {
   from_port         = 1194
   to_port           = 1194
   protocol          = "udp"
-  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-ingress-sgr
+  cidr_blocks       = ["0.0.0.0/0"] # tfsec:ignore:aws-vpc-no-public-ingress-sgr
   security_group_id = aws_security_group.vpn_access.id
 }
 
@@ -46,6 +46,6 @@ resource "aws_security_group_rule" "vpn-out" {
   from_port         = -1
   to_port           = -1
   protocol          = -1
-  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-egress-sgr
+  cidr_blocks       = ["0.0.0.0/0"] # tfsec:ignore:aws-vpc-no-public-egress-sgr
   security_group_id = aws_security_group.vpn_access.id
 }
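Review bot: these five rules get whitespace-only changes, yet the same commit adds `description` to every bastion and customer-portal security group rule; the Client VPN rules (443/tcp, 443/udp, 1194/tcp, 1194/udp from 0.0.0.0/0 and the all-ports egress) are the ones most worth labelling in the console. Suggest adding e.g. `description = "OpenVPN - Inbound"` while the file is open, and giving the `aws-vpc-no-public-ingress-sgr` ignores a reason (the VPN endpoint must accept from any source), since every other ignore in this commit carries one.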

+ 26 - 4
base/bastion/main.tf

@@ -23,6 +23,7 @@ resource "aws_network_interface" "instance" {
 }
 
 resource "aws_eip" "instance" {
+	# checkov:skip=CKV2_AWS_19: EIPs are attached to VPC
   vpc  = true
   tags = merge(local.standard_tags, var.tags, { Name = var.instance_name })
 }
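Review bot: the reason `EIPs are attached to VPC` misreads CKV2_AWS_19, which checks that an allocated EIP is attached to an instance, not that it is VPC-scoped (`vpc = true` is the VPC scoping). The attachment is made by the `aws_eip_association.instance` resource immediately below this hunk, so the skip is valid but the comment should say so, e.g. `checkov:skip=CKV2_AWS_19: attached via aws_eip_association.instance`.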
@@ -33,16 +34,23 @@ resource "aws_eip_association" "instance" {
 }
 
 resource "aws_instance" "instance" {
-  #availability_zone = var.azs[count.index % 2]
+  # availability_zone = var.azs[count.index % 2]
   tenancy                              = "default"
   ebs_optimized                        = true
   disable_api_termination              = var.instance_termination_protection
   instance_initiated_shutdown_behavior = "stop"
   instance_type                        = "t3a.medium"
   key_name                             = "msoc-build"
-  monitoring                           = false
+  monitoring                           = false # checkov:skip=CKV_AWS_126:Detailed monitoring not needed at this time
   iam_instance_profile                 = "msoc-default-instance-profile"
 
+  metadata_options {
+    http_endpoint = "enabled"
+    # checkov:skip=CKV_AWS_79:see tfsec explanation
+    # tfsec:ignore:aws-ec2-enforce-http-token-imds Saltstack doesn't use s3 sources appropriately; see https://github.com/saltstack/salt/issues/60668
+    http_tokens   = "optional"
+  }
+
   ami = local.ami_map[local.ami_selection]
   # We need to ignore ebs_block_device changes, because if the AMI changes, so does the snapshot_id.
   # If they add a feature to block more specific changes (eg `ebs_block_devices[*].snapshot_id`), then
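Review bot: `http_tokens = "optional"` is the EC2 default, so this hunk documents the exception rather than changing behaviour, which matches the commit message; two things would narrow the exposure while the Salt issue stays open. First, add `http_put_response_hop_limit = 1` to the same `metadata_options` block so that only processes on the host itself can reach IMDSv1 (forwarded or containerised requests cannot), which changes nothing for a minion running directly on the host. Second, the `checkov:skip=CKV_AWS_79:see tfsec explanation` reason breaks if the tfsec line is ever removed; put the saltstack issue link on the checkov skip as well so each suppression stands on its own.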
@@ -194,6 +202,9 @@ data "template_cloudinit_config" "cloud-init" {
   #}
 }
 
+#----------------------------------------------------------------------------
+# Bastion Security Group
+#----------------------------------------------------------------------------
 resource "aws_security_group" "bastion_security_group" {
   name        = "bastion_security_group"
   description = "Security Group for Bastion Server(s)"
@@ -201,8 +212,12 @@ resource "aws_security_group" "bastion_security_group" {
   tags        = merge(local.standard_tags, var.tags)
 }
 
+#----------------------------------------------------------------------------
+# INGRESS
+#----------------------------------------------------------------------------
 resource "aws_security_group_rule" "ssh-in" {
   type              = "ingress"
+  description       = "SSH - Inbound"
   from_port         = 22
   to_port           = 22
   protocol          = "tcp"
@@ -233,6 +248,7 @@ resource "aws_security_group_rule" "ssh-in" {
 
 resource "aws_security_group_rule" "ssh-out" {
   type              = "egress"
+  description       = "SSH - Outbound"
   from_port         = 22
   to_port           = 22
   protocol          = "tcp"
@@ -240,9 +256,13 @@ resource "aws_security_group_rule" "ssh-out" {
   security_group_id = aws_security_group.bastion_security_group.id
 }
 
+#----------------------------------------------------------------------------
+# EGRESS
+#----------------------------------------------------------------------------
 # Bastion can access any port internally
 resource "aws_security_group_rule" "bastion-out-all-ports" {
   type              = "egress"
+  description       = "Bastion can access any port internally - Outbound"
   protocol          = "all"
   from_port         = -1
   to_port           = -1
@@ -253,18 +273,20 @@ resource "aws_security_group_rule" "bastion-out-all-ports" {
 # Bastion gets http/https out to the internet. Most hosts need to use the proxy
 resource "aws_security_group_rule" "http-out" {
   type              = "egress"
+  description       = "Bastion HTTP - Outbound"
   from_port         = 80
   to_port           = 80
   protocol          = "tcp"
-  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-egress-sgr
+  cidr_blocks       = ["0.0.0.0/0"] # tfsec:ignore:aws-vpc-no-public-egress-sgr
   security_group_id = aws_security_group.bastion_security_group.id
 }
 
 resource "aws_security_group_rule" "https-out" {
   type              = "egress"
+  description       = "Bastion HTTPS - Outbound"
   from_port         = 443
   to_port           = 443
   protocol          = "tcp"
-  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-egress-sgr
+  cidr_blocks       = ["0.0.0.0/0"] # tfsec:ignore:aws-vpc-no-public-egress-sgr
   security_group_id = aws_security_group.bastion_security_group.id
 }

+ 5 - 3
base/codebuild_ecr_base/s3.tf

@@ -1,7 +1,9 @@
-#S3 bucket for codebuild output
-#tfsec:ignore:aws-s3-block-public-acls tfsec:ignore:aws-s3-block-public-policy tfsec:ignore:aws-s3-ignore-public-acls
-#tfsec:ignore:aws-s3-no-public-buckets Certificate CRLs need to be publicly accessible
+# S3 bucket for codebuild output
+# tfsec:ignore:aws-s3-block-public-acls tfsec:ignore:aws-s3-block-public-policy tfsec:ignore:aws-s3-ignore-public-acls
+# tfsec:ignore:aws-s3-no-public-buckets Certificate CRLs need to be publicly accessible
 resource "aws_s3_bucket" "artifacts" {
+  # checkov:skip=CKV_AWS_144: Cross-region replication TODO
+	# checkov:skip=CKV_AWS_18: see tfsec S3 logging above
   bucket        = "xdr-codebuild-artifacts"
   force_destroy = true
 }
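Review bot: the reason on the public-access ignores, `Certificate CRLs need to be publicly accessible`, was carried over from the CRL buckets and does not describe `xdr-codebuild-artifacts`; a CodeBuild output bucket has no obvious need to be public, so either state the real reason the four `aws-s3-*public*` ignores are required here or drop them and let tfsec report whether this bucket is actually exposed (it also has `force_destroy = true`). `CKV_AWS_18: see tfsec S3 logging above` refers to a logging ignore that is not in this file, and the `CKV_AWS_144` line is space-indented while `CKV_AWS_18` is tab-indented.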

+ 26 - 12
base/codebuild_ecr_customer_portal/main.tf

@@ -39,28 +39,42 @@ resource "aws_codebuild_project" "this_no_artifact" {
   lifecycle { ignore_changes = [project_visibility] }
 }
 
+# image_tag_mutability = "IMMUTABLE" 
+# MSOCI-2182 - This breaks the push process for new changes to the portal servers.
+# The codebuild code depends on being able to tag a new image with the latest tag.
+# tfsec:ignore:aws-ecr-enforce-immutable-repository Allow mutable tags for now - TO-DO
 resource "aws_ecr_repository" "this-server" {
-  name                 = "portal_server"
-  # tfsec:ignore:aws-ecr-enforce-immutable-repository Allow mutable tags for now - TO-DO
-  # image_tag_mutability = "IMMUTABLE" 
-  # MSOCI-2182 - This breaks the push process for new changes to the portal servers.
-  # The codebuild code depends on being able to tag a new image with the latest tag.
-
+	# checkov:skip=CKV_AWS_136: Risk is low for AES-256 encryption
+  # checkov:skip=CKV_AWS_51: see tfsec explanation above
+  name = "portal_server"
+  
   image_scanning_configuration {
     scan_on_push = true
   }
+
+# tfsec:ignore:aws-ecr-repository-customer-key Risk is low for AES-256 encryption
+  encryption_configuration {
+        encryption_type = "AES256"
+  }
 }
 
+# image_tag_mutability = "IMMUTABLE" 
+# MSOCI-2182 - This breaks the push process for new changes to the portal servers.
+# The codebuild code depends on being able to tag a new image with the latest tag.
+# tfsec:ignore:aws-ecr-enforce-immutable-repository Allow mutable tags for now - TO-DO
 resource "aws_ecr_repository" "this-nginx" {
-  name                 = "django_nginx"
-  # tfsec:ignore:aws-ecr-enforce-immutable-repository Allow mutable tags for now - TO-DO
-  # image_tag_mutability = "IMMUTABLE" 
-  # MSOCI-2182 - This breaks the push process for new changes to the portal servers.
-  # The codebuild code depends on being able to tag a new image with the latest tag.
-
+  # checkov:skip=CKV_AWS_136: Risk is low for AES-256 encryption
+  # checkov:skip=CKV_AWS_51: see tfsec explanation above
+  name = "django_nginx"
+  
   image_scanning_configuration {
     scan_on_push = true
   }
+
+# tfsec:ignore:aws-ecr-repository-customer-key Risk is low for AES-256 encryption
+  encryption_configuration {
+        encryption_type = "AES256"
+  }
 }
 
 data "aws_iam_policy_document" "ecr_cross_account_policy" {
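Review bot: the `# tfsec:ignore:aws-ecr-repository-customer-key` comment sits at column 0 inside the resource body, the `encryption_type` lines are indented eight spaces, and the blank line after `name` contains two spaces, so `terraform fmt` will rewrite this hunk; and moving the mutability explanation above the resource leaves the attribute it describes implicit. Suggest making it explicit, `image_tag_mutability = "MUTABLE" # tfsec:ignore:aws-ecr-enforce-immutable-repository MSOCI-2182`, so the ignore and its reason sit on the attribute they cover, for both `this-server` and `this-nginx`.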

+ 17 - 6
base/codebuild_ecr_project/main.tf

@@ -41,18 +41,29 @@ resource "aws_codebuild_project" "this_no_artifact" {
   lifecycle { ignore_changes = [project_visibility] }
 }
 
+# image_tag_mutability = "IMMUTABLE" 
+# MSOCI-2182 - This breaks the push process for new changes to the portal servers.
+# The codebuild code depends on being able to tag a new image with the latest tag.
+# tfsec:ignore:aws-ecr-enforce-immutable-repository Allow mutable tags for now - TO-DO
 resource "aws_ecr_repository" "this" {
+  # checkov:skip=CKV_AWS_136: Risk is low for AES-256 encryption
+	# checkov:skip=CKV_AWS_51: see tfsec explanation above
   name = var.name
 
   image_scanning_configuration {
     scan_on_push = true
   }
+
+# tfsec:ignore:aws-ecr-repository-customer-key Risk is low for AES-256 encryption
+  encryption_configuration {
+        encryption_type = "AES256"
+  }
 }
 
 data "aws_iam_policy_document" "ecr_cross_account_policy" {
   statement {
-    sid    = "ECRWrite"
-    effect = "Allow"
+    sid     = "ECRWrite"
+    effect  = "Allow"
     actions = [
       "ecr:GetAuthorizationToken",
       "ecr:GetDownloadUrlForLayer",
@@ -73,8 +84,8 @@ data "aws_iam_policy_document" "ecr_cross_account_policy" {
   }
   # Allow codebuild access
   statement {
-    sid    = "CodeBuildAccessPrincipal"
-    effect = "Allow"
+    sid     = "CodeBuildAccessPrincipal"
+    effect  = "Allow"
 
     actions = [
       "ecr:GetDownloadUrlForLayer",
@@ -103,11 +114,11 @@ resource "aws_codebuild_webhook" "this" {
   project_name  = var.name
   branch_filter = var.webhook_branch_filter
 
-  depends_on = [aws_codebuild_project.this_no_artifact]
+  depends_on    = [aws_codebuild_project.this_no_artifact]
 }
 
 resource "github_repository_webhook" "this" {
-  count = var.enable_webhooks ? 1 : 0
+  count      = var.enable_webhooks ? 1 : 0
 
   active     = true
   events     = ["push"]
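Review bot: the padding added to `depends_on    =` and `count      =` aligns them with attributes that are separated from them by a blank line (`branch_filter`/`depends_on`, `count`/`active`), and `terraform fmt` aligns only contiguous attribute lines, so `terraform fmt -check` will flag these two lines after this commit; let fmt decide the spacing rather than aligning by hand.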

+ 2 - 2
base/codebuild_lcp_magic_machine/security-group.tf

@@ -27,7 +27,7 @@ resource "aws_security_group_rule" "this" {
 
 resource "aws_security_group_rule" "allow_outbound_mm" {
   type              = "egress"
-  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-egress-sgr
+  cidr_blocks       = ["0.0.0.0/0"] # tfsec:ignore:aws-vpc-no-public-egress-sgr
   from_port         = 443
   to_port           = 443
   protocol          = "tcp"
@@ -45,7 +45,7 @@ resource "aws_security_group" "codebuild" {
 
 resource "aws_security_group_rule" "allow_outbound" {
   type              = "egress"
-  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-egress-sgr
+  cidr_blocks       = ["0.0.0.0/0"] # tfsec:ignore:aws-vpc-no-public-egress-sgr
   from_port         = 443
   to_port           = 443
   protocol          = "tcp"

+ 1 - 1
base/customer_portal/elb.tf

@@ -5,7 +5,7 @@
 resource "aws_alb" "portal" {
   name                       = "portal-alb-${var.environment}"
   security_groups            = [aws_security_group.customer_portal_alb.id, ]
-  internal                   = false #tfsec:ignore:aws-elb-alb-not-public The ALB requires Internet exposure
+  internal                   = false # tfsec:ignore:aws-elb-alb-not-public The ALB requires Internet exposure
   subnets                    = var.public_subnets
   load_balancer_type         = "application"
   drop_invalid_header_fields = true

+ 26 - 8
base/customer_portal/main.tf

@@ -27,6 +27,14 @@ resource "aws_launch_template" "customer_portal" {
   tags          = merge(local.standard_tags, var.instance_tags, var.tags)
   key_name      = "msoc-build"
 
+  metadata_options {
+    http_endpoint = "enabled"
+    # checkov:skip=CKV_AWS_79:see tfsec explanation
+    # tfsec:ignore:aws-ec2-enforce-http-token-imds Saltstack doesn't use s3 sources appropriately; see https://github.com/saltstack/salt/issues/60668
+    # tfsec:ignore:aws-autoscaling-enforce-http-token-imds
+    http_tokens   = "optional"
+  }
+
   iam_instance_profile {
     name = aws_iam_instance_profile.portal_server_instance_profile.name
   }
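Review bot: this is the one IMDSv1 exception in the commit on a workload behind an internet-facing ALB (`internal = false` in elb.tf), which is exactly the SSRF path the AWS post linked in the commit message describes, so it deserves a stronger mitigation than the bastion or the internal hosts: at minimum `http_put_response_hop_limit = 1` in this `metadata_options` block, and a tracked date for flipping `http_tokens` to `"required"` once the Salt s3:// source issue is resolved. The second ignore, `tfsec:ignore:aws-autoscaling-enforce-http-token-imds`, also carries no reason of its own; put the saltstack link on it too so it is not an unexplained suppression.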
@@ -226,27 +234,34 @@ data "template_cloudinit_config" "cloud-init" {
 #   tags = merge(local.standard_tags, var.tags, )
 # }
 
-#------------------------------------
-# Security Groups
-#------------------------------------
-
+#----------------------------------------------------------------------------
+# Portal Security Group
+#----------------------------------------------------------------------------
 resource "aws_security_group" "customer_portal" {
   name        = "customer_portal_http_inbound_sg"
   description = "Allow Customer Portal HTTP Inbound From ALB"
   vpc_id      = var.vpc_id
 }
 
+#----------------------------------------------------------------------------
+# INGRESS
+#----------------------------------------------------------------------------
 resource "aws_security_group_rule" "customer_portal" {
-  protocol                 = "tcp"
   type                     = "ingress"
+  description              = "HTTPS - Inbound"
   from_port                = 443
   to_port                  = 443
+  protocol                 = "tcp"
   security_group_id        = aws_security_group.customer_portal.id
   source_security_group_id = aws_security_group.customer_portal_alb.id
 }
 
+#----------------------------------------------------------------------------
+# EGRESS
+#----------------------------------------------------------------------------
 resource "aws_security_group_rule" "customer_portal_postgres_outbound" {
   type                     = "egress"
+  description              = "Postgres - Outbound"
   from_port                = 5432
   to_port                  = 5432
   protocol                 = "tcp"
@@ -256,28 +271,31 @@ resource "aws_security_group_rule" "customer_portal_postgres_outbound" {
 
 resource "aws_security_group_rule" "customer_portal_http_outbound" {
   type              = "egress"
+  description       = "HTTP - Outbound"
   from_port         = 80
   to_port           = 80
   protocol          = "tcp"
-  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-egress-sgr
+  cidr_blocks       = ["0.0.0.0/0"] # tfsec:ignore:aws-vpc-no-public-egress-sgr
   security_group_id = aws_security_group.customer_portal.id
 }
 
 resource "aws_security_group_rule" "customer_portal_https_outbound" {
   type              = "egress"
+  description       = "HTTPS - Outbound"
   from_port         = 443
   to_port           = 443
   protocol          = "tcp"
-  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-egress-sgr
+  cidr_blocks       = ["0.0.0.0/0"] # tfsec:ignore:aws-vpc-no-public-egress-sgr
   security_group_id = aws_security_group.customer_portal.id
 }
 
 resource "aws_security_group_rule" "customer_portal_smtps_outbound" {
   type              = "egress"
+  description       = "SMTPS - Outbound"
   from_port         = 465
   to_port           = 465
   protocol          = "tcp"
-  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-egress-sgr
+  cidr_blocks       = ["0.0.0.0/0"] # tfsec:ignore:aws-vpc-no-public-egress-sgr
   security_group_id = aws_security_group.customer_portal.id
 }
 

+ 1 - 0
base/customer_portal/rds.tf

@@ -55,6 +55,7 @@ resource "aws_security_group_rule" "customer_portal_postgres_inbound" {
   security_group_id = aws_security_group.postgres.id
 
   type        = "ingress"
+  description = "Inbound Postgres"
   from_port   = 5432
   to_port     = 5432
   protocol    = "tcp"
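Review bot: style only, `description = "Inbound Postgres"` does not follow the `"<protocol> - Inbound/Outbound"` pattern used for every other description added in this commit (`"Postgres - Outbound"`, `"HTTPS - Inbound"`); use `"Postgres - Inbound"` so filtering on the suffix in the console works across all rules.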

+ 1 - 1
base/customer_portal_lambda/sqs.tf

@@ -62,7 +62,7 @@ data "aws_iam_policy_document" "sqs_kms_policy" {
       "kms:GenerateDataKey",
       "kms:Decrypt"
     ]
-    #tfsec:ignore:aws-iam-no-policy-wildcards This is read-only access
+    # tfsec:ignore:aws-iam-no-policy-wildcards This is read-only access
     resources = ["*"]
   }
   # allow account to modify/manage key

+ 11 - 4
base/dns/resolver_instance/main.tf

@@ -22,6 +22,7 @@ resource "aws_network_interface" "instance" {
 }
 
 resource "aws_eip" "instance" {
+	# checkov:skip=CKV2_AWS_19: EIPs are attached to VPC
   vpc  = true
   tags = merge(local.standard_tags, var.tags, { Name = local.instance_name })
 }
@@ -39,9 +40,15 @@ resource "aws_instance" "instance" {
   instance_initiated_shutdown_behavior = "stop"
   instance_type                        = "t3a.xlarge"
   key_name                             = var.resolver_instance_key_name
-  monitoring                           = false
+  monitoring                           = false # checkov:skip=CKV_AWS_126:Detailed monitoring not needed at this time
+  iam_instance_profile                 = "msoc-default-instance-profile"
 
-  iam_instance_profile = "msoc-default-instance-profile"
+  metadata_options {
+    http_endpoint = "enabled"
+    # checkov:skip=CKV_AWS_79:see tfsec explanation
+    # tfsec:ignore:aws-ec2-enforce-http-token-imds Saltstack doesn't use s3 sources appropriately; see https://github.com/saltstack/salt/issues/60668
+    http_tokens   = "optional"
+  }
 
   ami = local.ami_map["minion"]
   lifecycle { ignore_changes = [ami, key_name, user_data, ebs_block_device] }
@@ -238,7 +245,7 @@ resource "aws_security_group_rule" "dns_outbound_tcp" {
   from_port         = 53
   to_port           = 53
   protocol          = "tcp"
-  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-egress-sgr
+  cidr_blocks       = ["0.0.0.0/0"] # tfsec:ignore:aws-vpc-no-public-egress-sgr
   security_group_id = aws_security_group.dns_security_group.id
 }
 
@@ -248,6 +255,6 @@ resource "aws_security_group_rule" "dns_outbound_udp" {
   from_port         = 53
   to_port           = 53
   protocol          = "udp"
-  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-egress-sgr
+  cidr_blocks       = ["0.0.0.0/0"] # tfsec:ignore:aws-vpc-no-public-egress-sgr
   security_group_id = aws_security_group.dns_security_group.id
 }

+ 3 - 2
base/github/github_servers.tf

@@ -23,11 +23,12 @@ resource "aws_instance" "ghe" {
   disable_api_termination              = var.instance_termination_protection
   instance_initiated_shutdown_behavior = "stop"
   key_name                             = "msoc-build"
-  monitoring                           = false
+  monitoring                           = false # checkov:skip=CKV_AWS_126:Detailed monitoring not needed at this time
   iam_instance_profile                 = module.instance_profile.profile_id
 
   metadata_options {
-    http_tokens = "required"
+    http_endpoint = "enabled"
+    http_tokens   = "required"
   }
 
   # single space to disable default module behavior
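Review bot: this host is the one instance in the commit that keeps `http_tokens = "required"`, which implies the Salt s3:// constraint does not apply to it; add a one-line comment saying why (not salt-managed, or no s3:// file sources) so the difference is clearly deliberate and a later IMDS sweep does not "fix" it to optional for consistency. Adding `http_endpoint = "enabled"` alongside is harmless, since that is the default.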

+ 8 - 1
base/jira/instance_jira/main.tf

@@ -27,9 +27,16 @@ resource "aws_instance" "jira-server-instance" {
   instance_initiated_shutdown_behavior = "stop"
   instance_type                        = "m5a.xlarge"
   key_name                             = "msoc-build"
-  monitoring                           = false
+  monitoring                           = false # checkov:skip=CKV_AWS_126:Detailed monitoring not needed at this time
   iam_instance_profile                 = aws_iam_instance_profile.jira_server_instance_profile.name
 
+  metadata_options {
+    http_endpoint = "enabled"
+    # checkov:skip=CKV_AWS_79:see tfsec explanation
+    # tfsec:ignore:aws-ec2-enforce-http-token-imds Saltstack doesn't use s3 sources appropriately; see https://github.com/saltstack/salt/issues/60668
+    http_tokens = "optional"
+  }
+
   ami = local.ami_map[local.ami_selection]
   # We need to ignore ebs_block_device changes, because if the AMI changes, so does the snapshot_id.
   # If they add a feature to block more specific changes (eg `ebs_block_devices[*].snapshot_id`), then

+ 8 - 1
base/mailrelay/instance-mailrelay2.tf

@@ -13,9 +13,16 @@ resource "aws_instance" "instance2" {
   instance_initiated_shutdown_behavior = "stop"
   instance_type                        = "t3a.xlarge"
   key_name                             = "msoc-build"
-  monitoring                           = false
+  monitoring                           = false # checkov:skip=CKV_AWS_126:Detailed monitoring not needed at this time
   iam_instance_profile                 = "msoc-default-instance-profile"
 
+  metadata_options {
+    http_endpoint = "enabled"
+    # checkov:skip=CKV_AWS_79:see tfsec explanation
+    # tfsec:ignore:aws-ec2-enforce-http-token-imds Saltstack doesn't use s3 sources appropriately; see https://github.com/saltstack/salt/issues/60668
+    http_tokens = "optional"
+  }
+
   ami = local.ami_map[local.ami_selection]
   # We need to ignore ebs_block_device changes, because if the AMI changes, so does the snapshot_id.
   # If they add a feature to block more specific changes (eg `ebs_block_devices[*].snapshot_id`), then

+ 1 - 1
base/mailrelay/main.tf

@@ -58,6 +58,6 @@ resource "aws_security_group_rule" "submission-out" {
   from_port         = 587
   to_port           = 587
   protocol          = "tcp"
-  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-egress-sgr
+  cidr_blocks       = ["0.0.0.0/0"] # tfsec:ignore:aws-vpc-no-public-egress-sgr
   security_group_id = aws_security_group.mailrelay_security_group.id
 }

+ 11 - 1
base/nessus/instance_nessus_manager/main.tf

@@ -3,6 +3,8 @@ locals {
   ami_selection = "minion" # master, minion, ...
 }
 
+# Rather than pass in the aws security group, we just look it up. This will
+# probably be useful other places, as well.
 data "aws_security_group" "typical-host" {
   name   = "typical-host"
   vpc_id = var.vpc_id
@@ -22,6 +24,7 @@ resource "aws_network_interface" "nessus-manager-interface" {
 }
 
 resource "aws_eip" "instance" {
+	# checkov:skip=CKV2_AWS_19: EIPs are attached to VPC
   count = local.nessus_manager_count
   vpc   = true
   tags  = merge(local.standard_tags, var.tags, { Name = "nessus-manager-${count.index}" })
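Review bot: the added `# checkov:skip=CKV2_AWS_19: EIPs are attached to VPC` line is indented with a tab while the rest of the block (`count`, `vpc`, `tags`) uses two spaces, and the equivalent line in base/phantom/main.tf and base/proxy_server/main.tf uses spaces; `terraform fmt` will rewrite it, so better to commit it formatted. The reason text also restates the configuration (`vpc = true`) rather than saying why the finding is acceptable for this EIP, which is what a reader of the checkov report needs.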
@@ -41,9 +44,16 @@ resource "aws_instance" "nessus-manager-instance" {
   instance_initiated_shutdown_behavior = "stop"
   instance_type                        = "m5a.large"
   key_name                             = "msoc-build"
-  monitoring                           = false
+  monitoring                           = false # checkov:skip=CKV_AWS_126:Detailed monitoring not needed at this time
   iam_instance_profile                 = "msoc-default-instance-profile"
 
+  metadata_options {
+    http_endpoint = "enabled"
+    # checkov:skip=CKV_AWS_79:see tfsec explanation
+    # tfsec:ignore:aws-ec2-enforce-http-token-imds Saltstack doesn't use s3 sources appropriately; see https://github.com/saltstack/salt/issues/60668
+    http_tokens   = "optional"
+  }
+
   ami = local.ami_map[local.ami_selection]
   # We need to ignore ebs_block_device changes, because if the AMI changes, so does the snapshot_id.
   # If they add a feature to block more specific changes (eg `ebs_block_devices[*].snapshot_id`), then

+ 1 - 1
base/nessus/instance_nessus_manager/nlb.tf

@@ -19,7 +19,7 @@ module "public_dns_record_nessus-manager-nlb" {
 resource "aws_lb" "external" {
   name               = "nessus-manager-external-nlb"
   load_balancer_type = "network"
-  internal           = false #tfsec:ignore:aws-elb-alb-not-public The NLB requires Internet exposure for LCP connection
+  internal           = false # tfsec:ignore:aws-elb-alb-not-public The NLB requires Internet exposure for LCP connection
   subnets            = var.public_subnets
 
   access_logs {

+ 1 - 1
base/nessus/instance_nessus_manager/securitygroup-server.tf

@@ -51,7 +51,7 @@ resource "aws_security_group_rule" "http-in-external-c2-users" {
   from_port         = 8834
   to_port           = 8834
   protocol          = "tcp"
-  cidr_blocks       = each.value.cidr_blocks #tfsec:ignore:aws-vpc-no-public-ingress-sgr Intentionally allow inbound
+  cidr_blocks       = each.value.cidr_blocks # tfsec:ignore:aws-vpc-no-public-ingress-sgr Intentionally allow inbound
   security_group_id = aws_security_group.nessus_manager.id
 }
 

+ 10 - 1
base/nessus/instance_nessus_scanner/main.tf

@@ -3,6 +3,8 @@ locals {
   ami_selection = "minion" # master, minion, ...
 }
 
+# Rather than pass in the aws security group, we just look it up. This will
+# probably be useful other places, as well.
 data "aws_security_group" "typical-host" {
   name   = "typical-host"
   vpc_id = var.vpc_id
@@ -29,9 +31,16 @@ resource "aws_instance" "nessus-scanner-instance" {
   instance_initiated_shutdown_behavior = "stop"
   instance_type                        = "m5a.large"
   key_name                             = "msoc-build"
-  monitoring                           = false
+  monitoring                           = false # checkov:skip=CKV_AWS_126:Detailed monitoring not needed at this time
   iam_instance_profile                 = "msoc-default-instance-profile"
 
+  metadata_options {
+    http_endpoint = "enabled"
+    # checkov:skip=CKV_AWS_79:see tfsec explanation
+    # tfsec:ignore:aws-ec2-enforce-http-token-imds Saltstack doesn't use s3 sources appropriately; see https://github.com/saltstack/salt/issues/60668
+    http_tokens   = "optional"
+  }
+
   ami = local.ami_map[local.ami_selection]
   # We need to ignore ebs_block_device changes, because if the AMI changes, so does the snapshot_id.
   # If they add a feature to block more specific changes (eg `ebs_block_devices[*].snapshot_id`), then

+ 1 - 1
base/nessus/instance_nessus_scanner/securitygroup-server.tf

@@ -83,7 +83,7 @@ resource "aws_security_group_rule" "nessus_scanner_inbound_scan_ourselves" {
 resource "aws_security_group_rule" "nessus_scanner_outbound_all_ports" {
   security_group_id = aws_security_group.nessus_scanner.id
   type              = "egress"
-  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-egress-sgr
+  cidr_blocks       = ["0.0.0.0/0"] # tfsec:ignore:aws-vpc-no-public-egress-sgr
   from_port         = -1
   to_port           = -1
   protocol          = "all"

+ 11 - 1
base/phantom/main.tf

@@ -3,6 +3,8 @@ locals {
   ami_selection = "minion" # master, minion, ...
 }
 
+# Rather than pass in the aws security group, we just look it up. This will
+# probably be useful other places, as well.
 data "aws_security_group" "typical-host" {
   name   = "typical-host"
   vpc_id = var.vpc_id
@@ -22,6 +24,7 @@ resource "aws_network_interface" "phantom-server-interface" {
 }
 
 resource "aws_eip" "instance" {
+  # checkov:skip=CKV2_AWS_19: EIPs are attached to VPC
   count = local.instance_count
   vpc   = true
   tags  = merge(local.standard_tags, var.tags, { Name = "phantom-${count.index}" })
@@ -41,9 +44,16 @@ resource "aws_instance" "phantom-server-instance" {
   instance_initiated_shutdown_behavior = "stop"
   instance_type                        = var.environment == "prod" ? "m5a.4xlarge" : "t3a.xlarge"
   key_name                             = "msoc-build"
-  monitoring                           = false
+  monitoring                           = false # checkov:skip=CKV_AWS_126:Detailed monitoring not needed at this time
   iam_instance_profile                 = module.instance_profile.profile_id
 
+  metadata_options {
+    http_endpoint = "enabled"
+    # checkov:skip=CKV_AWS_79:see tfsec explanation
+    # tfsec:ignore:aws-ec2-enforce-http-token-imds Saltstack doesn't use s3 sources appropriately; see https://github.com/saltstack/salt/issues/60668
+    http_tokens = "optional"
+  }
+
   ami = local.ami_map[local.ami_selection]
   # We need to ignore ebs_block_device changes, because if the AMI changes, so does the snapshot_id.
   # If they add a feature to block more specific changes (eg `ebs_block_devices[*].snapshot_id`), then

+ 4 - 4
base/phantom/securitygroup-server.tf

@@ -68,7 +68,7 @@ resource "aws_security_group_rule" "phantom_server_outbound_postgres" {
 resource "aws_security_group_rule" "phantom_server_outbound_udp_dns" {
   security_group_id = aws_security_group.phantom_server.id
   type              = "egress"
-  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-egress-sgr
+  cidr_blocks       = ["0.0.0.0/0"] # tfsec:ignore:aws-vpc-no-public-egress-sgr
   from_port         = 53
   to_port           = 53
   protocol          = "tcp"
@@ -78,7 +78,7 @@ resource "aws_security_group_rule" "phantom_server_outbound_udp_dns" {
 resource "aws_security_group_rule" "phantom_server_outbound_tcp_dns" {
   security_group_id = aws_security_group.phantom_server.id
   type              = "egress"
-  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-egress-sgr
+  cidr_blocks       = ["0.0.0.0/0"] # tfsec:ignore:aws-vpc-no-public-egress-sgr
   from_port         = 53
   to_port           = 53
   protocol          = "udp"
@@ -88,7 +88,7 @@ resource "aws_security_group_rule" "phantom_server_outbound_tcp_dns" {
 resource "aws_security_group_rule" "phantom_server_outbound_http" {
   security_group_id = aws_security_group.phantom_server.id
   type              = "egress"
-  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-egress-sgr
+  cidr_blocks       = ["0.0.0.0/0"] # tfsec:ignore:aws-vpc-no-public-egress-sgr
   from_port         = 80
   to_port           = 80
   protocol          = "tcp"
@@ -98,7 +98,7 @@ resource "aws_security_group_rule" "phantom_server_outbound_http" {
 resource "aws_security_group_rule" "phantom_server_outbound_https" {
   security_group_id = aws_security_group.phantom_server.id
   type              = "egress"
-  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-egress-sgr
+  cidr_blocks       = ["0.0.0.0/0"] # tfsec:ignore:aws-vpc-no-public-egress-sgr
   from_port         = 443
   to_port           = 443
   protocol          = "tcp"

+ 24 - 7
base/proxy_server/main.tf

@@ -23,6 +23,7 @@ resource "aws_network_interface" "instance" {
 }
 
 resource "aws_eip" "instance" {
+  # checkov:skip=CKV2_AWS_19: EIPs are attached to VPC
   vpc  = true
   tags = merge(local.standard_tags, var.tags, { Name = var.instance_name })
 }
@@ -40,9 +41,16 @@ resource "aws_instance" "instance" {
   instance_initiated_shutdown_behavior = "stop"
   instance_type                        = var.environment == "prod" ? "t3a.medium" : "t3a.xlarge" # TODO: Prod should be bigger than test
   key_name                             = "msoc-build"
-  monitoring                           = false
+  monitoring                           = false # checkov:skip=CKV_AWS_126:Detailed monitoring not needed at this time
   iam_instance_profile                 = "msoc-default-instance-profile"
 
+  metadata_options {
+    http_endpoint = "enabled"
+    # checkov:skip=CKV_AWS_79:see tfsec explanation
+    # tfsec:ignore:aws-ec2-enforce-http-token-imds Saltstack doesn't use s3 sources appropriately; see https://github.com/saltstack/salt/issues/60668
+    http_tokens = "optional"
+  }
+
   ami = local.ami_map[local.ami_selection]
   # We need to ignore ebs_block_device changes, because if the AMI changes, so does the snapshot_id.
   # If they add a feature to block more specific changes (eg `ebs_block_devices[*].snapshot_id`), then
@@ -188,6 +196,9 @@ data "template_cloudinit_config" "cloud_init_config" {
   }
 }
 
+#----------------------------------------------------------------------------
+# Proxy Server Security Group
+#----------------------------------------------------------------------------
 resource "aws_security_group" "proxy_server_security_group" {
   name        = "proxy_server_security_group"
   description = "Security Group for the Proxy Server(s)"
@@ -195,28 +206,34 @@ resource "aws_security_group" "proxy_server_security_group" {
   tags        = merge(local.standard_tags, var.tags)
 }
 
+#----------------------------------------------------------------------------
+# EGRESS
+#----------------------------------------------------------------------------
 resource "aws_security_group_rule" "http-out" {
-  description       = "Proxy allowed anywhere"
+  description       = "Proxy allowed HTTP anywhere"
   type              = "egress"
   from_port         = 80
   to_port           = 80
   protocol          = "tcp"
-  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-egress-sgr
+  cidr_blocks       = ["0.0.0.0/0"] # tfsec:ignore:aws-vpc-no-public-egress-sgr
   security_group_id = aws_security_group.proxy_server_security_group.id
 }
 
 resource "aws_security_group_rule" "https-out" {
-  description       = "For endpoints and troubleshooting"
+  description       = "For endpoints and troubleshooting - HTTPS"
   type              = "egress"
   from_port         = 443
   to_port           = 443
   protocol          = "tcp"
-  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-egress-sgr
+  cidr_blocks       = ["0.0.0.0/0"] # tfsec:ignore:aws-vpc-no-public-egress-sgr
   security_group_id = aws_security_group.proxy_server_security_group.id
 }
 
+#----------------------------------------------------------------------------
+# INGRESS
+#----------------------------------------------------------------------------
 resource "aws_security_group_rule" "proxy-in" {
-  description       = "Proxy In"
+  description       = "Proxy Inbound HTTP"
   type              = "ingress"
   from_port         = "80"
   to_port           = "80"
@@ -226,7 +243,7 @@ resource "aws_security_group_rule" "proxy-in" {
 }
 
 resource "aws_security_group_rule" "proxy-in-https" {
-  description       = "Proxy In HTTPS"
+  description       = "Proxy Inbound HTTPS"
   type              = "ingress"
   from_port         = "443"
   to_port           = "443"

+ 2 - 2
base/repo_server/lb.tf

@@ -70,7 +70,7 @@ resource "aws_security_group_rule" "alb-http-in-external-c2-users" {
   from_port         = 80
   to_port           = 80
   protocol          = "tcp"
-  cidr_blocks       = each.value.cidr_blocks #tfsec:ignore:aws-vpc-no-public-ingress-sgr Intentionally allow inbound
+  cidr_blocks       = each.value.cidr_blocks # tfsec:ignore:aws-vpc-no-public-ingress-sgr Intentionally allow inbound
   security_group_id = module.elb.extra_security_group_ids[0]
 }
 
@@ -82,6 +82,6 @@ resource "aws_security_group_rule" "https-in-external-c2-users" {
   from_port         = 443
   to_port           = 443
   protocol          = "tcp"
-  cidr_blocks       = each.value.cidr_blocks #tfsec:ignore:aws-vpc-no-public-ingress-sgr Intentionally allow inbound
+  cidr_blocks       = each.value.cidr_blocks # tfsec:ignore:aws-vpc-no-public-ingress-sgr Intentionally allow inbound
   security_group_id = module.elb.extra_security_group_ids[1]
 }

+ 8 - 1
base/rhsso/main.tf

@@ -38,9 +38,16 @@ resource "aws_instance" "instance" {
   instance_initiated_shutdown_behavior = "stop"
   instance_type                        = var.environment == "prod" ? "m5a.large" : "t3a.large"
   key_name                             = "msoc-build"
-  monitoring                           = false
+  monitoring                           = false # checkov:skip=CKV_AWS_126:Detailed monitoring not needed at this time
   iam_instance_profile                 = "msoc-default-instance-profile"
 
+  metadata_options {
+    http_endpoint = "enabled"
+    # checkov:skip=CKV_AWS_79:see tfsec explanation
+    # tfsec:ignore:aws-ec2-enforce-http-token-imds Saltstack doesn't use s3 sources appropriately; see https://github.com/saltstack/salt/issues/60668
+    http_tokens   = "optional"
+  }
+
   ami = local.ami_map[local.ami_selection]
   # We need to ignore ebs_block_device changes, because if the AMI changes, so does the snapshot_id.
   # If they add a feature to block more specific changes (eg `ebs_block_devices[*].snapshot_id`), then

+ 1 - 1
base/rhsso/nlb.tf

@@ -18,7 +18,7 @@ module "public_dns_record" {
 resource "aws_lb" "external" {
   name               = "rhsso-external-nlb"
   load_balancer_type = "network"
-  internal           = false #tfsec:ignore:aws-elb-alb-not-public:exp:2022-08-01
+  internal           = false # tfsec:ignore:aws-elb-alb-not-public:exp:2022-08-01
   subnets            = var.public_subnets
 
   access_logs {
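Review bot: the `:exp:2022-08-01` suffix kept on `# tfsec:ignore:aws-elb-alb-not-public:exp:2022-08-01` means tfsec stops honouring the ignore once that date has passed and the finding comes back as a failure; since this commit only moves the comment, confirm the date is still in the future or update it deliberately, rather than having the pipeline fail on the next run after expiry. The other `aws-elb-alb-not-public` ignores in this commit (nessus NLB, ALSI ALBs and NLB) have no expiry at all, so either convention should be applied consistently.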

+ 2 - 2
base/rhsso/security-groups.tf

@@ -52,7 +52,7 @@ resource "aws_security_group_rule" "outbound_http" {
   to_port           = 80
   protocol          = "tcp"
   security_group_id = aws_security_group.instance.id
-  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-egress-sgr
+  cidr_blocks       = ["0.0.0.0/0"] # tfsec:ignore:aws-vpc-no-public-egress-sgr
 }
 
 #resource "aws_security_group_rule" "instance-http-in" {
@@ -121,7 +121,7 @@ resource "aws_security_group_rule" "instance-alt-https-in-from-nlb" {
   from_port         = "8443"
   to_port           = "8443"
   protocol          = "tcp"
-  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-ingress-sgr
+  cidr_blocks       = ["0.0.0.0/0"] # tfsec:ignore:aws-vpc-no-public-ingress-sgr
   security_group_id = aws_security_group.instance.id
 }
 

+ 4 - 3
base/salt_master/main.tf

@@ -40,12 +40,13 @@ resource "aws_instance" "instance" {
   instance_initiated_shutdown_behavior = "stop"
   instance_type                        = var.environment == "prod" ? "t3a.xlarge" : "t3a.large"
   key_name                             = "msoc-build"
-  monitoring                           = false
+  monitoring                           = false # checkov:skip=CKV_AWS_126:Detailed monitoring not needed at this time
   iam_instance_profile                 = "salt-master-instance-profile"
 
   metadata_options {
     http_endpoint = "enabled"
-    http_tokens   = "optional" # tfsec:ignore:aws-ec2-enforce-http-token-imds salt s3 sources require optional tokens; see https://github.com/saltstack/salt/issues/60668
+    # tfsec:ignore:aws-ec2-enforce-http-token-imds Saltstack doesn't use s3 sources appropriately; see https://github.com/saltstack/salt/issues/60668
+    http_tokens   = "optional"
   }
 
   ami = local.ami_map[local.ami_selection]
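Review bot: unlike every other `aws_instance` hunk in this commit, no `# checkov:skip=CKV_AWS_79:...` line is added next to `http_tokens = "optional"` here; unless the skip already exists elsewhere in this resource block, checkov will still report CKV_AWS_79 for the salt master while tfsec is silenced. Moving the tfsec ignore from a trailing comment to the line above `http_tokens` is fine (tfsec applies a stand-alone ignore comment to the following line), but the justification changed from "salt s3 sources require optional tokens" to "Saltstack doesn't use s3 sources appropriately", and the former states the actual constraint more clearly.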
@@ -265,7 +266,7 @@ resource "aws_security_group_rule" "saltstack-external-ips" {
   from_port         = "4505"
   to_port           = "4506"
   protocol          = "tcp"
-  cidr_blocks       = each.value.cidr_blocks #tfsec:ignore:aws-vpc-no-public-ingress-sgr Intentionally allow inbound
+  cidr_blocks       = each.value.cidr_blocks # tfsec:ignore:aws-vpc-no-public-ingress-sgr Intentionally allow inbound
   security_group_id = aws_security_group.salt_master_security_group.id
 }
 

+ 1 - 1
base/salt_master_inventory_role/inventory_role.tf

@@ -95,6 +95,6 @@ data "aws_iam_policy_document" "salt_master_inventory_policy_doc" {
       "rds:DescribeDBInstances",
       "rds:ListTagsForResource"
     ]
-    resources = ["*"] #tfsec:ignore:aws-iam-no-policy-wildcards This is read-only access
+    resources = ["*"] # tfsec:ignore:aws-iam-no-policy-wildcards This is read-only access
   }
 }

+ 2 - 2
base/salt_master_inventory_role/user.tf

@@ -53,7 +53,7 @@ data "aws_iam_policy_document" "salt_master_policy_doc" {
       "secretsmanager:DescribeSecret",
       "secretsmanager:ListSecretVersionIds"
     ]
-    #tfsec:ignore:aws-iam-no-policy-wildcards This is read-only access
+    # tfsec:ignore:aws-iam-no-policy-wildcards This is read-only access
     resources = [
       "arn:${var.aws_partition}:secretsmanager:*:*:secret:saltmaster/*"
     ]
@@ -66,7 +66,7 @@ data "aws_iam_policy_document" "salt_master_policy_doc" {
     actions = [
       "sts:AssumeRole"
     ]
-    #tfsec:ignore:aws-iam-no-policy-wildcards This is read-only access
+    # tfsec:ignore:aws-iam-no-policy-wildcards This is read-only access
     resources = [
       "arn:${var.aws_partition}:iam::*:role/service/salt-master-inventory-role",
 
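Review bot: the reason attached to `# tfsec:ignore:aws-iam-no-policy-wildcards This is read-only access` was copied from the read-only statements above, but this statement grants `sts:AssumeRole`, which is not read-only; the wildcard here sits in the account-id field of `arn:${var.aws_partition}:iam::*:role/service/salt-master-inventory-role`, so the justification should say why the account must be wildcarded (for example that the inventory role is assumed across every member account) rather than describe the access level. A wrong justification is worse than none, because it is the only thing a future reviewer sees when deciding whether the ignore is still valid.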

+ 1 - 1
base/sensu/elb.tf

@@ -65,6 +65,6 @@ resource "aws_security_group_rule" "sensu-external-ips" {
   from_port         = 443
   to_port           = 443
   protocol          = "tcp"
-  cidr_blocks       = each.value.cidr_blocks #tfsec:ignore:aws-vpc-no-public-ingress-sgr Intentionally allow inbound
+  cidr_blocks       = each.value.cidr_blocks # tfsec:ignore:aws-vpc-no-public-ingress-sgr Intentionally allow inbound
   security_group_id = module.elb.security_group_id
 }

+ 10 - 2
base/shared_ami_key/main.tf

@@ -53,9 +53,17 @@ module "shared_ami_key" {
   remote_account_arns = local.account_arns
 }
 
-#tfsec:ignore:aws-s3-block-public-acls tfsec:ignore:aws-s3-block-public-policy tfsec:ignore:aws-s3-ignore-public-acls
-#tfsec:ignore:aws-s3-no-public-buckets Certificate CRLs need to be publicly accessible
+# tfsec:ignore:aws-s3-block-public-acls 
+# tfsec:ignore:aws-s3-specify-public-access-block
+# tfsec:ignore:aws-s3-block-public-policy 
+# tfsec:ignore:aws-s3-ignore-public-acls
+# tfsec:ignore:aws-s3-no-public-buckets Certificate CRLs need to be publicly accessible
 resource "aws_s3_bucket" "xdr-shared-amis" {
+	# checkov:skip=CKV_AWS_21: Versioning TODO
+	# checkov:skip=CKV_AWS_144: Cross-region replication TODO
+  # checkov:skip=CKV_AWS_145: Risk is low for AES-256 encryption
+	# checkov:skip=CKV2_AWS_6: see tfsec S3 block policy
+	# checkov:skip=CKV_AWS_18: see tfsec S3 logging above
   bucket = var.ami_bucket_name
 
   tags = merge(local.standard_tags, var.tags)
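Review bot: the five checkov skips added inside `aws_s3_bucket "xdr-shared-amis"` mix tab indentation (CKV_AWS_21, CKV_AWS_144, CKV2_AWS_6, CKV_AWS_18) with two-space indentation (CKV_AWS_145), and the `# tfsec:ignore:aws-s3-block-public-acls` and `# tfsec:ignore:aws-s3-block-public-policy` lines carry trailing whitespace; `terraform fmt` will churn these on the next run. The reason `see tfsec S3 logging above` for CKV_AWS_18 points at an explanation that is not in this hunk (the tfsec ignores above concern public access, not logging), and `Versioning TODO` / `Cross-region replication TODO` record no owner or ticket, so consider writing the actual justification into each skip line, or using an expiry on the TODO items as done for the rhsso NLB ignore.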

+ 17 - 4
base/splunk_servers/alsi/elb-elastic.tf

@@ -1,11 +1,13 @@
 resource "aws_lb" "alsi-alb-elastic" {
+	# checkov:skip=CKV2_AWS_28: TO DO - WAF
+  # checkov:skip=CKV_AWS_150: Skip deletion protection - Test env
   count                      = local.alsi_elastic_alb ? 1 : 0
   name                       = "${var.prefix}-alsi-alb-elastic"
-  internal                   = false #tfsec:ignore:aws-elb-alb-not-public The ALB requires Internet exposure
+  internal                   = false # tfsec:ignore:aws-elb-alb-not-public The ALB requires Internet exposure
   load_balancer_type         = "application"
   drop_invalid_header_fields = true
   # Not supported for NLB
-  security_groups    = [aws_security_group.alsi-alb-elastic-sg.id]
+  security_groups            = [aws_security_group.alsi-alb-elastic-sg.id]
   # Note, changing subnets results in recreation of the resource
   subnets                          = var.subnets
   enable_cross_zone_load_balancing = true
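Review bot: `# checkov:skip=CKV2_AWS_28: TO DO - WAF` is indented with a tab while the next line `# checkov:skip=CKV_AWS_150: ...` and the rest of the resource use two spaces; the same tab appears on the CKV_AWS_150 skip in base/splunk_servers/alsi/elb-master.tf, whereas elb-hec.tf uses spaces for both. Since this hunk already fixes the `security_groups` alignment for `terraform fmt`, the comment indentation should be normalised in the same change. The CKV_AWS_150 reason `Skip deletion protection - Test env` will also need revisiting if these ALBs are ever promoted beyond test, so an expiry or ticket reference would help.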
@@ -86,8 +88,9 @@ resource "aws_lb_target_group_attachment" "alsi-alb-elastic-target-9200-instance
   port             = 9200
 }
 
-#########################
+#----------------------------------------------------------------------------
 # Security Group for ALB
+#----------------------------------------------------------------------------
 resource "aws_security_group" "alsi-alb-elastic-sg" {
   name_prefix = "${var.prefix}-alsi-alb-elastic-sg"
   lifecycle { create_before_destroy = true } # handle updates gracefully
@@ -96,8 +99,12 @@ resource "aws_security_group" "alsi-alb-elastic-sg" {
   tags        = merge(local.standard_tags, var.tags)
 }
 
+#----------------------------------------------------------------------------
+# INGRESS
+#----------------------------------------------------------------------------
 resource "aws_security_group_rule" "alsi-alb-elastic-https-in" {
   type              = "ingress"
+  description       = "HTTPS - Inbound"
   from_port         = 443
   to_port           = 443
   protocol          = "tcp"
@@ -108,6 +115,7 @@ resource "aws_security_group_rule" "alsi-alb-elastic-https-in" {
 resource "aws_security_group_rule" "alsi-hec-http-in" {
   # Port 80 is open as a redirect to 443
   type              = "ingress"
+  description       = "HTTP redirect HTTPS - Inbound"
   from_port         = 80
   to_port           = 80
   protocol          = "tcp"
@@ -115,8 +123,12 @@ resource "aws_security_group_rule" "alsi-hec-http-in" {
   security_group_id = aws_security_group.alsi-alb-elastic-sg.id
 }
 
+#----------------------------------------------------------------------------
+# EGRESS
+#----------------------------------------------------------------------------
 resource "aws_security_group_rule" "alsi-alb-elastic-9200-out" {
   type                     = "egress"
+  description              = "9200 - Outbound"
   from_port                = 9200
   to_port                  = 9200
   protocol                 = "tcp"
@@ -124,8 +136,9 @@ resource "aws_security_group_rule" "alsi-alb-elastic-9200-out" {
   security_group_id        = aws_security_group.alsi-alb-elastic-sg.id
 }
 
-#########################
+#----------------------------------------------------------------------------
 # DNS Entry
+#----------------------------------------------------------------------------
 resource "aws_route53_record" "alsi-alb-elastic" {
   count    = local.alsi_elastic_alb ? 1 : 0
   zone_id  = var.dns_info["public"]["zone_id"]

+ 16 - 3
base/splunk_servers/alsi/elb-hec.tf

@@ -1,7 +1,9 @@
 resource "aws_lb" "alsi-alb-hec" {
+  # checkov:skip=CKV2_AWS_28: TO DO - WAF
+  # checkov:skip=CKV_AWS_150: Skip deletion protection - Test env
   count                      = local.alsi_hec_alb ? 1 : 0
   name                       = "${var.prefix}-alsi-alb-hec"
-  internal                   = false #tfsec:ignore:aws-elb-alb-not-public The ALB requires Internet exposure
+  internal                   = false # tfsec:ignore:aws-elb-alb-not-public The ALB requires Internet exposure
   load_balancer_type         = "application"
   drop_invalid_header_fields = true
   # Not supported for NLB
@@ -86,8 +88,9 @@ resource "aws_lb_target_group_attachment" "alsi-alb-hec-target-8088-instance" {
   port             = 8088
 }
 
-#########################
+#----------------------------------------------------------------------------
 # Security Group for ALB
+#----------------------------------------------------------------------------
 resource "aws_security_group" "alsi-alb-hec-sg" {
   name_prefix = "${var.prefix}-alsi-alb-hec-sg"
   lifecycle { create_before_destroy = true } # handle updates gracefully
@@ -96,8 +99,12 @@ resource "aws_security_group" "alsi-alb-hec-sg" {
   tags        = merge(local.standard_tags, var.tags)
 }
 
+#----------------------------------------------------------------------------
+# INGRESS
+#----------------------------------------------------------------------------
 resource "aws_security_group_rule" "alsi-alb-hec-https-in" {
   type              = "ingress"
+  description       = "HTTPS - Inbound"
   from_port         = 443
   to_port           = 443
   protocol          = "tcp"
@@ -108,6 +115,7 @@ resource "aws_security_group_rule" "alsi-alb-hec-https-in" {
 resource "aws_security_group_rule" "alsi-elastic-http-in" {
   # Port 80 is open as a redirect to 443
   type              = "ingress"
+  description       = "HTTP redirect HTTPS - Inbound"
   from_port         = 80
   to_port           = 80
   protocol          = "tcp"
@@ -115,8 +123,12 @@ resource "aws_security_group_rule" "alsi-elastic-http-in" {
   security_group_id = aws_security_group.alsi-alb-hec-sg.id
 }
 
+#----------------------------------------------------------------------------
+# EGRESS
+#----------------------------------------------------------------------------
 resource "aws_security_group_rule" "alsi-alb-hec-8088-out" {
   type                     = "egress"
+  description              = "8088 - Outbound"
   from_port                = 8088
   to_port                  = 8088
   protocol                 = "tcp"
@@ -124,8 +136,9 @@ resource "aws_security_group_rule" "alsi-alb-hec-8088-out" {
   security_group_id        = aws_security_group.alsi-alb-hec-sg.id
 }
 
-#########################
+#----------------------------------------------------------------------------
 # DNS Entry
+#----------------------------------------------------------------------------
 resource "aws_route53_record" "alsi-alb-hec" {
   count    = local.alsi_hec_alb ? 1 : 0
   zone_id  = var.dns_info["public"]["zone_id"]

+ 14 - 2
base/splunk_servers/alsi/elb-master.tf

@@ -1,4 +1,5 @@
 resource "aws_lb" "alsi-master-alb" {
+	# checkov:skip=CKV_AWS_150: Skip deletion protection - Test env
   name                       = "${var.prefix}-alsi-master-alb"
   internal                   = true
   load_balancer_type         = "application"
@@ -72,8 +73,9 @@ resource "aws_lb_target_group_attachment" "alsi-master-alb-target-9000-instance"
   port             = 9000
 }
 
-#########################
+#----------------------------------------------------------------------------
 # Security Group for ALB
+#----------------------------------------------------------------------------
 resource "aws_security_group" "alsi-master-alb-sg" {
   name_prefix = "${var.prefix}-alsi-master-alb-sg"
   lifecycle { create_before_destroy = true } # handle updates gracefully
@@ -82,8 +84,12 @@ resource "aws_security_group" "alsi-master-alb-sg" {
   tags        = merge(local.standard_tags, var.tags)
 }
 
+#----------------------------------------------------------------------------
+# INGRESS
+#----------------------------------------------------------------------------
 resource "aws_security_group_rule" "alsi-master-alb-https-in" {
   type              = "ingress"
+  description       = "HTTPS - Inbound"
   from_port         = 443
   to_port           = 443
   protocol          = "tcp"
@@ -94,6 +100,7 @@ resource "aws_security_group_rule" "alsi-master-alb-https-in" {
 resource "aws_security_group_rule" "alsi-master-http-in" {
   # Port 80 is open as a redirect to 443
   type              = "ingress"
+  description       = "HTTP redirect HTTPS - Inbound"
   from_port         = 80
   to_port           = 80
   protocol          = "tcp"
@@ -101,8 +108,12 @@ resource "aws_security_group_rule" "alsi-master-http-in" {
   security_group_id = aws_security_group.alsi-master-alb-sg.id
 }
 
+#----------------------------------------------------------------------------
+# EGRESS
+#----------------------------------------------------------------------------
 resource "aws_security_group_rule" "alsi-master-alb-9000-out" {
   type                     = "egress"
+  description              = "9000 - Outbound"
   from_port                = 9000
   to_port                  = 9000
   protocol                 = "tcp"
@@ -110,8 +121,9 @@ resource "aws_security_group_rule" "alsi-master-alb-9000-out" {
   security_group_id        = aws_security_group.alsi-master-alb-sg.id
 }
 
-#########################
+#----------------------------------------------------------------------------
 # DNS Entry
+#----------------------------------------------------------------------------
 resource "aws_route53_record" "alsi_master_alb" {
   zone_id  = var.dns_info["private"]["zone_id"]
   name     = "${var.prefix}-alsi"

+ 14 - 3
base/splunk_servers/alsi/master.tf

@@ -20,9 +20,16 @@ resource "aws_instance" "master" {
   instance_initiated_shutdown_behavior = "stop"
   instance_type                        = local.instance_types["alsi-master"]
   key_name                             = "msoc-build"
-  monitoring                           = false
+  monitoring                           = false # checkov:skip=CKV_AWS_126:Detailed monitoring not needed at this time
   iam_instance_profile                 = "msoc-default-instance-profile"
 
+  metadata_options {
+    http_endpoint = "enabled"
+    # checkov:skip=CKV_AWS_79:see tfsec explanation
+    # tfsec:ignore:aws-ec2-enforce-http-token-imds Saltstack doesn't use s3 sources appropriately; see https://github.com/saltstack/salt/issues/60668
+    http_tokens   = "optional"
+  }
+
   ami = local.ami_map[local.ami_selection]
   # We need to ignore ebs_block_device changes, because if the AMI changes, so does the snapshot_id.
   # If they add a feature to block more specific changes (eg `ebs_block_devices[*].snapshot_id`), then
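Review bot: while `http_tokens = "optional"` stays in place, add `http_put_response_hop_limit = 1` to this `metadata_options` block (the github-runner `metadata_options` default in this same commit already sets it). With IMDSv1 reachable, the hop limit is the one remaining control on the instance profile: it keeps IMDS responses from crossing an extra network hop on the host, so a container with its own network namespace cannot fetch the role credentials. It does not help against SSRF in a process on the host itself, which only token enforcement addresses, so it is a mitigation, not a substitute. Also give the exception an owner: the `tfsec:ignore` reason cites a Salt GitHub issue but no internal ticket, unlike the `aws-autoscaling-enforce-http-token-imds` ignore in splunk_indexer_asg/main.tf that references MSOCI-2150, so nothing will prompt revisiting this once the Salt s3 source problem is fixed.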
@@ -110,7 +117,9 @@ resource "aws_security_group" "alsi_master_security_group" {
   tags        = merge(local.standard_tags, var.tags)
 }
 
-# Ingress
+#----------------------------------------------------------------------------
+# INGRESS
+#----------------------------------------------------------------------------
 resource "aws_security_group_rule" "alsi-master-alb-web-in" {
   description              = "Web access"
   type                     = "ingress"
@@ -141,7 +150,9 @@ resource "aws_security_group_rule" "alsi-master-interconnections" {
   security_group_id        = aws_security_group.alsi_master_security_group.id
 }
 
-# Egress
+#----------------------------------------------------------------------------
+# EGRESS
+#----------------------------------------------------------------------------
 resource "aws_security_group_rule" "alsi-master-splunk-mgmt" {
   description       = "Management Access"
   type              = "egress"

+ 1 - 1
base/splunk_servers/alsi/nlb-splunk.tf

@@ -12,7 +12,7 @@ resource "aws_lb" "alsi_splunk_nlb" {
   count              = local.alsi_splunk_nlb ? 1 : 0
   tags               = merge(local.standard_tags, var.tags, { "Name" : "${var.prefix}-alsi-splunk" })
   name               = "${var.prefix}-alsi-splunk-nlb"
-  internal           = false #tfsec:ignore:aws-elb-alb-not-public The NLB requires Internet exposure
+  internal           = false # tfsec:ignore:aws-elb-alb-not-public The NLB requires Internet exposure
   load_balancer_type = "network"
   #subnets            = data.terraform_remote_state.infra.subnets
 

+ 16 - 4
base/splunk_servers/alsi/workers.tf

@@ -27,9 +27,16 @@ resource "aws_instance" "worker" {
   instance_initiated_shutdown_behavior = "stop"
   instance_type                        = local.instance_types["alsi-worker"]
   key_name                             = "msoc-build"
-  monitoring                           = false
+  monitoring                           = false # checkov:skip=CKV_AWS_126:Detailed monitoring not needed at this time
   iam_instance_profile                 = "msoc-default-instance-profile"
 
+  metadata_options {
+    http_endpoint = "enabled"
+    # checkov:skip=CKV_AWS_79:see tfsec explanation
+    # tfsec:ignore:aws-ec2-enforce-http-token-imds Saltstack doesn't use s3 sources appropriately; see https://github.com/saltstack/salt/issues/60668
+    http_tokens   = "optional"
+  }
+
   ami = local.ami_map[local.ami_selection]
   # We need to ignore ebs_block_device changes, because if the AMI changes, so does the snapshot_id.
   # If they add a feature to block more specific changes (eg `ebs_block_devices[*].snapshot_id`), then
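Review bot: this `metadata_options` block and its two suppression comments are now copy-pasted verbatim into master.tf, workers.tf, teleport-single-instance/main.tf, threatquotient/main.tf and vault/main.tf, so lifting the exception later means five files changing in lockstep. The ignore and skip comments must stay on the resource attribute for the scanners to see them, but the values (`http_endpoint`, `http_tokens`, and a hop limit) can come from one shared local or module variable, as thirdparty/terraform-aws-github-runner does with its `metadata_options` variable, so the IMDSv2 switch is flipped in one place.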
@@ -131,7 +138,9 @@ resource "aws_security_group" "alsi_worker_security_group" {
   tags        = merge(local.standard_tags, var.tags)
 }
 
-# Ingress
+#----------------------------------------------------------------------------
+# INGRESS
+#----------------------------------------------------------------------------
 resource "aws_security_group_rule" "alsi_worker_alb_elastic1" {
   description              = "Health Check"
   type                     = "ingress"
@@ -191,6 +200,7 @@ resource "aws_security_group_rule" "alsi_worker_vpn_in4" {
 }
 resource "aws_security_group_rule" "alsi_worker_external_in" {
   # NLB requires the security group to allow access
+  description       = "Test Splunk access"
   count             = local.alsi_splunk_nlb ? 1 : 0
   type              = "ingress"
   from_port         = 9997
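Review bot: `description = "Test Splunk access"` reads like a placeholder on a rule that is live whenever `local.alsi_splunk_nlb` is true and opens 9997 on the HEC ALB security group for the external NLB; describe what it actually permits (Splunk forwarder traffic on 9997 arriving via the NLB) so the console description matches the code comment above it. Also keep `count` as the first argument of the block, as in the `aws_lb` in nlb-splunk.tf, so the conditional is visible before the description.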
@@ -200,9 +210,11 @@ resource "aws_security_group_rule" "alsi_worker_external_in" {
   security_group_id = aws_security_group.alsi-alb-hec-sg.id
 }
 
-# Egress
+#----------------------------------------------------------------------------
+# EGRESS
+#----------------------------------------------------------------------------
 resource "aws_security_group_rule" "alsi-interconnections" {
-  description              = "cribl replication"
+  description              = "Cribl Replication"
   type                     = "egress"
   from_port                = 4200
   to_port                  = 4200

+ 1 - 1
base/splunk_servers/legacy_hec/elb-with-acks.tf

@@ -78,7 +78,7 @@ resource "aws_elb" "hec_classiclb" {
   name            = "${var.prefix}-legacy-hec-classic"
   security_groups = [data.aws_security_group.hec_elb_security_group.id]
   subnets         = var.public_subnets
-  internal        = false #tfsec:ignore:aws-elb-alb-not-public The ELB requires Internet exposure
+  internal        = false # tfsec:ignore:aws-elb-alb-not-public The ELB requires Internet exposure
 
   listener {
     instance_port      = 8088

+ 1 - 1
base/splunk_servers/legacy_hec/elb-without-ack.tf

@@ -116,7 +116,7 @@ resource "aws_lb" "hec" {
   load_balancer_type         = "application"
   security_groups            = [data.aws_security_group.hec_elb_security_group.id]
   subnets                    = var.public_subnets
-  internal                   = false #tfsec:ignore:aws-elb-alb-not-public The ELB requires Internet exposure
+  internal                   = false # tfsec:ignore:aws-elb-alb-not-public The ELB requires Internet exposure
   drop_invalid_header_fields = true
 }
 

+ 4 - 4
base/teleport-single-instance/alb.tf

@@ -5,7 +5,7 @@
 resource "aws_alb" "external" {
   name                       = "${var.instance_name}-alb-external-${var.environment}"
   security_groups            = [aws_security_group.alb_server_external.id]
-  internal                   = false #tfsec:ignore:aws-elb-alb-not-public The ALB requires Internet exposure
+  internal                   = false # tfsec:ignore:aws-elb-alb-not-public The ALB requires Internet exposure
   subnets                    = var.subnets
   load_balancer_type         = "application"
   drop_invalid_header_fields = true
@@ -137,7 +137,7 @@ resource "aws_security_group_rule" "alb-http-in" {
   from_port         = "80"
   to_port           = "80"
   protocol          = "tcp"
-  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-ingress-sgr
+  cidr_blocks       = ["0.0.0.0/0"] # tfsec:ignore:aws-vpc-no-public-ingress-sgr
   security_group_id = aws_security_group.alb_server_external.id
 }
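Review bot: these `aws-vpc-no-public-ingress-sgr` ignores carry no reason text, unlike the `aws-elb-alb-not-public` ignore at the top of the file. The 80/443 rules on a public ALB are self-explanatory, but 3080 is Teleport's proxy web port and deserves a sentence saying the ALB fronts it for external clients. Recording the reason in the comment is what lets a later reviewer tell an intentional exposure from a forgotten one.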
 
@@ -147,7 +147,7 @@ resource "aws_security_group_rule" "alb-https-in" {
   from_port         = "443"
   to_port           = "443"
   protocol          = "tcp"
-  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-ingress-sgr
+  cidr_blocks       = ["0.0.0.0/0"] # tfsec:ignore:aws-vpc-no-public-ingress-sgr
   security_group_id = aws_security_group.alb_server_external.id
 }
 
@@ -157,7 +157,7 @@ resource "aws_security_group_rule" "alb-3080-in" {
   from_port         = "3080"
   to_port           = "3080"
   protocol          = "tcp"
-  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-ingress-sgr
+  cidr_blocks       = ["0.0.0.0/0"] # tfsec:ignore:aws-vpc-no-public-ingress-sgr
   security_group_id = aws_security_group.alb_server_external.id
 }
 

+ 3 - 3
base/teleport-single-instance/dynamo.tf

@@ -126,8 +126,8 @@ resource "aws_dynamodb_table" "locks" {
   billing_mode   = "PROVISIONED"
 
   #checkov:skip=CKV_AWS_119:Encrypted by AWS Owned key config'd via console
-  #tfsec:ignore:aws-dynamodb-table-customer-key AWS Owned key config'd via console
-  #tfsec:ignore:aws-dynamodb-enable-at-rest-encryption False positive
+  # tfsec:ignore:aws-dynamodb-table-customer-key AWS Owned key config'd via console
+  # tfsec:ignore:aws-dynamodb-enable-at-rest-encryption False positive
   server_side_encryption {
     enabled = false
   }
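Review bot: the `False positive` reason on `aws-dynamodb-enable-at-rest-encryption` should say why: in the AWS provider, `server_side_encryption { enabled = false }` selects the AWS-owned key, and DynamoDB tables are always encrypted at rest, so the table is encrypted either way. The `config'd via console` wording in the CKV_AWS_119 skip is misleading for the same reason: this attribute is owned by Terraform, and switching the table to a KMS key in the console would be reverted on the next apply. Prefer one justification on both comments that states the AWS-owned-key fact.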
@@ -145,7 +145,7 @@ resource "aws_dynamodb_table" "locks" {
   }
 
   #checkov:skip=CKV_AWS_28:No need for PiTR here
-  #tfsec:ignore:aws-dynamodb-enable-recovery
+  # tfsec:ignore:aws-dynamodb-enable-recovery
   point_in_time_recovery {
     enabled = false
   }

+ 5 - 2
base/teleport-single-instance/main.tf

@@ -16,6 +16,7 @@ resource "aws_network_interface" "instance" {
 }
 
 resource "aws_eip" "instance" {
+	# checkov:skip=CKV2_AWS_19: EIPs are attached to VPC
   vpc  = true
   tags = merge(local.standard_tags, var.tags, { Name = var.instance_name })
 }
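Review bot: the new comment line is indented with a tab while the rest of the block uses two spaces; terraform fmt will rewrite it, so format before merging. The reason text `EIPs are attached to VPC` also restates `vpc = true` rather than answering the check: CKV2_AWS_19 is asking whether the allocated EIP is actually attached to an instance, so say what it is attached to (the `aws_network_interface.instance` defined just above, if that is the association), otherwise the skip reads as unexplained.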
@@ -33,12 +34,14 @@ resource "aws_instance" "instance" {
   instance_initiated_shutdown_behavior = "stop"
   instance_type                        = "t3a.large"
   key_name                             = "msoc-build"
-  monitoring                           = false
+  monitoring                           = false # checkov:skip=CKV_AWS_126:Detailed monitoring not needed at this time
   iam_instance_profile                 = aws_iam_instance_profile.teleport.name
 
   metadata_options {
     http_endpoint = "enabled"
-    http_tokens   = "optional" # tfsec:ignore:aws-ec2-enforce-http-token-imds salt s3 sources require optional tokens; see https://github.com/saltstack/salt/issues/60668
+    # checkov:skip=CKV_AWS_79:see tfsec explanation
+    # tfsec:ignore:aws-ec2-enforce-http-token-imds Saltstack doesn't use s3 sources appropriately; see https://github.com/saltstack/salt/issues/60668
+    http_tokens = "optional"
   }
 
   ami = local.ami_map[local.ami_selection]
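Review bot: `http_tokens = "optional"` here dropped the column alignment that the identical block keeps in the other four files (`http_tokens   = "optional"`); pick one form so the five copies stay byte-identical and greppable. The rewritten reason also changed meaning, from `salt s3 sources require optional tokens` to `Saltstack doesn't use s3 sources appropriately`; the former states the operational constraint, which is what a future reader needs in order to know when the exception can be lifted.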

+ 1 - 1
base/teleport-single-instance/nlb.tf

@@ -1,6 +1,6 @@
 resource "aws_lb" "nlb" {
   name               = "${var.instance_name}-nlb"
-  internal           = false #tfsec:ignore:aws-elb-alb-not-public The NLB requires Internet exposure
+  internal           = false # tfsec:ignore:aws-elb-alb-not-public The NLB requires Internet exposure
   load_balancer_type = "network"
   # Not supported for NLB
   #security_groups    = [aws_security_group.nlb-sg.id]

+ 4 - 4
base/teleport-single-instance/security-groups.tf

@@ -43,7 +43,7 @@ resource "aws_security_group_rule" "instance-teleport-in-3023-3026" {
   from_port         = "3023"
   to_port           = "3026"
   protocol          = "tcp"
-  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-ingress-sgr
+  cidr_blocks       = ["0.0.0.0/0"] # tfsec:ignore:aws-vpc-no-public-ingress-sgr
   security_group_id = aws_security_group.instance.id
 }
 
@@ -73,7 +73,7 @@ resource "aws_security_group_rule" "instance-teleport-out-ssh" {
   from_port         = "22"
   to_port           = "22"
   protocol          = "tcp"
-  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-egress-sgr
+  cidr_blocks       = ["0.0.0.0/0"] # tfsec:ignore:aws-vpc-no-public-egress-sgr
   security_group_id = aws_security_group.instance.id
 }
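Review bot: an egress rule to `0.0.0.0/0` on 22 from the Teleport instance carries only a bare `tfsec:ignore` with no reason. If the node must SSH to arbitrary targets, state that; if the targets are the VPC or a known set of CIDRs, restrict the rule instead of suppressing the check. The same applies to the 3022-3026 and 443 egress rules below. Unrestricted outbound from an access gateway is also what makes it a convenient pivot once compromised, so the justification matters here more than on the ALB rules.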
 
@@ -83,7 +83,7 @@ resource "aws_security_group_rule" "instance-teleport-out-teleport" {
   from_port         = "3022"
   to_port           = "3026"
   protocol          = "tcp"
-  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-egress-sgr
+  cidr_blocks       = ["0.0.0.0/0"] # tfsec:ignore:aws-vpc-no-public-egress-sgr
   security_group_id = aws_security_group.instance.id
 }
 
@@ -93,6 +93,6 @@ resource "aws_security_group_rule" "instance-teleport-out-https" {
   from_port         = "443"
   to_port           = "443"
   protocol          = "tcp"
-  cidr_blocks       = ["0.0.0.0/0"] #tfsec:ignore:aws-vpc-no-public-egress-sgr
+  cidr_blocks       = ["0.0.0.0/0"] # tfsec:ignore:aws-vpc-no-public-egress-sgr
   security_group_id = aws_security_group.instance.id
 }

+ 8 - 1
base/threatquotient/main.tf

@@ -20,12 +20,19 @@ resource "aws_instance" "instance" {
   instance_initiated_shutdown_behavior = "stop"
   instance_type                        = "t3a.2xlarge"
   key_name                             = "msoc-build"
-  monitoring                           = false
+  monitoring                           = false # checkov:skip=CKV_AWS_126:Detailed monitoring not needed at this time
   iam_instance_profile                 = "msoc-default-instance-profile"
   associate_public_ip_address          = false
   vpc_security_group_ids               = [data.aws_security_group.typical-host.id, aws_security_group.instance.id]
   subnet_id                            = var.public_subnets[count.index % 3]
 
+  metadata_options {
+    http_endpoint = "enabled"
+    # checkov:skip=CKV_AWS_79:see tfsec explanation
+    # tfsec:ignore:aws-ec2-enforce-http-token-imds Saltstack doesn't use s3 sources appropriately; see https://github.com/saltstack/salt/issues/60668
+    http_tokens   = "optional"
+  }
+
   ami = local.ami_map[local.ami_selection]
   # We need to ignore ebs_block_device changes, because if the AMI changes, so does the snapshot_id.
   # If they add a feature to block more specific changes (eg `ebs_block_devices[*].snapshot_id`), then

+ 2 - 2
base/vault/dynamodb.tf

@@ -5,8 +5,8 @@ resource "aws_dynamodb_table" "vault" {
   range_key    = "Key"
 
   #checkov:skip=CKV_AWS_119:Encrypted by AWS Owned key config'd via console
-  #tfsec:ignore:aws-dynamodb-table-customer-key AWS Owned key config'd via console
-  #tfsec:ignore:aws-dynamodb-enable-at-rest-encryption False positive
+  # tfsec:ignore:aws-dynamodb-table-customer-key AWS Owned key config'd via console
+  # tfsec:ignore:aws-dynamodb-enable-at-rest-encryption False positive
   server_side_encryption {
     enabled = false
   }

+ 8 - 1
base/vault/main.tf

@@ -47,9 +47,16 @@ resource "aws_instance" "instance" {
   instance_initiated_shutdown_behavior = "stop"
   instance_type                        = var.environment == "prod" ? "t3a.medium" : "t3a.small"
   key_name                             = "msoc-build"
-  monitoring                           = false
+  monitoring                           = false # checkov:skip=CKV_AWS_126:Detailed monitoring not needed at this time
   iam_instance_profile                 = module.instance_profile.profile_id
 
+  metadata_options {
+    http_endpoint = "enabled"
+    # checkov:skip=CKV_AWS_79:see tfsec explanation
+    # tfsec:ignore:aws-ec2-enforce-http-token-imds Saltstack doesn't use s3 sources appropriately; see https://github.com/saltstack/salt/issues/60668
+    http_tokens   = "optional"
+  }
+
   ami = local.ami_map[local.ami_selection]
   # We need to ignore ebs_block_device changes, because if the AMI changes, so does the snapshot_id.
   # If they add a feature to block more specific changes (eg `ebs_block_devices[*].snapshot_id`), then

+ 8 - 2
submodules/codebuild/codebuild-ecr-image/ecr_repo.tf

@@ -1,5 +1,6 @@
-resource "aws_ecr_repository" "this" { # tfsec:ignore:aws-ecr-repository-customer-key tfsec:ignore:aws-ecr-enforce-immutable-repository
-  # Risk is low for KMS AES-256 encryption
+# tfsec:ignore:aws-ecr-enforce-immutable-repository
+resource "aws_ecr_repository" "this" {
+  # checkov:skip=CKV_AWS_51: see tfsec explanation above
   name = var.name
   tags = merge(var.standard_tags, var.tags)
   # image_tag_mutability = "IMMUTABLE" 
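Review bot: `# checkov:skip=CKV_AWS_51: see tfsec explanation above` points at a `tfsec:ignore:aws-ecr-enforce-immutable-repository` line that contains no explanation, so neither suppression says why tags must stay mutable while `image_tag_mutability = "IMMUTABLE"` sits commented out. Put the reason on the tfsec line (for example, that the build pipeline re-pushes a rolling tag). Mutable tags mean anyone with push rights to this repository can silently replace the image behind a tag that consumers already trust, which is the finding both tools are raising.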
@@ -10,6 +11,11 @@ resource "aws_ecr_repository" "this" { # tfsec:ignore:aws-ecr-repository-custome
   image_scanning_configuration {
     scan_on_push = true
   }
+
+# tfsec:ignore:aws-ecr-repository-customer-key Risk is low for KMS AES-256 encryption
+  encryption_configuration {
+        encryption_type = "AES256"
+  }
 }
 
 data "aws_iam_policy_document" "ecr_repository_policy" {
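Review bot: `Risk is low for KMS AES-256 encryption` mislabels the setting: `encryption_type = "AES256"` is ECR's default AWS-managed server-side encryption, not KMS (the KMS option is `encryption_type = "KMS"` with a `kms_key`), and the tfsec check is specifically asking for a customer-managed KMS key. Reword the reason to say an AWS-managed key is acceptable for this repository. Two smaller points: the ignore comment sits at column 0 inside the resource and `encryption_type` is indented eight spaces, so run terraform fmt; and no `checkov:skip` was added for checkov's ECR KMS encryption check, so expect checkov to keep reporting this repository unless that check is disabled in its config.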

+ 5 - 5
submodules/iam/bootstrap_mdradmin_policies/policy-mdradmin_tfstate_setup.tf

@@ -8,7 +8,7 @@ resource "aws_iam_policy" "mdradmin_tfstate_setup" {
 data "aws_iam_policy_document" "mdradmin_tfstate_setup" {
   statement {
     sid = "DynamoDBTablesAndLocking"
-    actions = [ #tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
+    actions = [ # tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
       "dynamodb:*"
     ]
     resources = [
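Review bot: `baseline this setting first. Lockdown after baselining IAM permissions` is the reason on every `aws-iam-no-policy-wildcards` ignore in this commit, with no ticket or date; that is a temporary exception with no trigger to end it. Attach a tracking reference (the splunk_indexer_asg ignore cites MSOCI-2150, which is the pattern to follow), and for this statement note that `dynamodb:*` on a state-lock table can already be narrowed to the table-management and item actions the S3 backend and its bootstrap actually use.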
@@ -42,7 +42,7 @@ data "aws_iam_policy_document" "mdradmin_tfstate_setup" {
 
   statement {
     sid = "KMSKeyCreate"
-    actions = [ #tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
+    actions = [ # tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
       "kms:CreateAlias",
       "kms:CreateKey",
       "kms:List*",
@@ -66,7 +66,7 @@ data "aws_iam_policy_document" "mdradmin_tfstate_setup" {
   }
   statement {
     sid = "S3ManageStateBucket"
-    actions = [ #tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
+    actions = [ # tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
       "s3:CreateBucket",
       "s3:DeleteBucket",
       "s3:ListBucket",
@@ -84,14 +84,14 @@ data "aws_iam_policy_document" "mdradmin_tfstate_setup" {
       ]
     }
   }
-  statement { #tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
+  statement { # tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
     sid = "S3ObjectOperations"
     actions = [
       "s3:PutObject*",
       "s3:GetObject*",
       "s3:DeleteObject*"
     ]
-    #tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
+    # tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
     resources = [
       "arn:${local.aws_partition}:s3:::${var.bucket_name}/*"
     ]
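Review bot: this statement now carries the same `aws-iam-no-policy-wildcards` ignore twice, once on the `statement {` line and once above `resources`; tfsec attaches an ignore to the block or attribute it precedes, so either one suppresses the finding for this statement and the other is noise. Keep the one on the `statement {` line, where the wildcard actions `s3:PutObject*`/`s3:GetObject*`/`s3:DeleteObject*` and the `/*` resource are both covered.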

+ 3 - 3
submodules/iam/common_services_roles/role-mdr_developer.tf

@@ -26,12 +26,12 @@ data "aws_iam_policy_document" "mdr_developer" {
   statement {
     sid    = "S3Access"
     effect = "Allow"
-    actions = [ #tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
+    actions = [ # tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
       "s3:*"
     ]
 
     # These resources might not exist yet
-    #tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
+    # tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
     resources = [
       "arn:${local.aws_partition}:s3:::afsxdr-binaries",
       "arn:${local.aws_partition}:s3:::afsxdr-binaries/*",
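Review bot: `s3:*` on the afsxdr-binaries bucket for a developer role is broader than `baseline first` justifies: it includes `s3:DeleteObject`, `s3:PutBucketPolicy` and `s3:PutBucketAcl`, so any developer credential can replace or expose binaries that other systems presumably fetch by name from this bucket. Scope this statement to List/Get/Put on the object path and keep bucket configuration in an admin role; this is a supply-chain boundary, not just a linter finding.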
@@ -46,7 +46,7 @@ data "aws_iam_policy_document" "mdr_developer" {
     actions = [
       "sts:AssumeRole"
     ]
-    #tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
+    # tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
     resources = [
       "arn:${local.aws_partition}:iam::*:role/user/mdr_developer",
     ]

+ 2 - 2
submodules/iam/okta_saml_roles/policy-mdr_engineer.tf

@@ -40,7 +40,7 @@ data "aws_iam_policy_document" "mdr_engineer" {
     actions = [
       "iam:PassRole",
     ]
-    #tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
+    # tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
     resources = [
       "arn:${local.aws_partition}:iam::${local.aws_account}:role/instance/*",
       "arn:${local.aws_partition}:iam::${local.aws_account}:role/lambda/*",
@@ -55,7 +55,7 @@ data "aws_iam_policy_document" "mdr_engineer" {
     actions = [
       "sts:AssumeRole"
     ]
-    #tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
+    # tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
     resources = [
       "arn:${local.aws_partition}:iam::*:role/user/mdr_engineer",
       "arn:${local.aws_partition}:iam::*:role/mdr_engineer",

+ 2 - 2
submodules/iam/okta_saml_roles/policy-mdr_iam_admin.tf

@@ -3,7 +3,7 @@ data "aws_iam_policy_document" "iam_admin_kms" {
   statement {
     sid    = "AllowKMSthings"
     effect = "Allow"
-    actions = [ #tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
+    actions = [ # tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
       "kms:Create*",
       "kms:Describe*",
       "kms:Enable*",
@@ -19,7 +19,7 @@ data "aws_iam_policy_document" "iam_admin_kms" {
       "kms:ScheduleKeyDeletion",
       "kms:CancelKeyDeletion"
     ]
-    resources = ["*"] #tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
+    resources = ["*"] # tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
   }
 
 }

+ 2 - 2
submodules/iam/okta_saml_roles/policy-mdr_readonly_assumerole.tf

@@ -14,7 +14,7 @@ data "aws_iam_policy_document" "mdr_engineer_readonly_assumerole" {
     actions = [
       "iam:PassRole",
     ]
-    #tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
+    # tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
     resources = [
       "arn:${local.aws_partition}:iam::${local.aws_account}:role/instance/*",
       "arn:${local.aws_partition}:iam::${local.aws_account}:role/lambda/*",
@@ -29,7 +29,7 @@ data "aws_iam_policy_document" "mdr_engineer_readonly_assumerole" {
     actions = [
       "sts:AssumeRole"
     ]
-    #tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
+    # tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
     resources = [
       "arn:${local.aws_partition}:iam::*:role/user/mdr_engineer_readonly",
 

+ 2 - 2
submodules/iam/okta_saml_roles/policy-mdr_terraformer.tf

@@ -19,7 +19,7 @@ data "aws_iam_policy_document" "mdr_terraformer" {
     actions = [
       "iam:PassRole",
     ]
-    #tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
+    # tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
     resources = [
       "arn:${local.aws_partition}:iam::${local.aws_account}:role/instance/*",
       "arn:${local.aws_partition}:iam::${local.aws_account}:role/lambda/*",
@@ -34,7 +34,7 @@ data "aws_iam_policy_document" "mdr_terraformer" {
     actions = [
       "sts:AssumeRole"
     ]
-    #tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
+    # tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
     resources = [
       "arn:${local.aws_partition}:iam::*:role/user/mdr_terraformer",
 

+ 2 - 2
submodules/iam/standard_iam_policies/policy-mdr_engineer.tf

@@ -36,7 +36,7 @@ data "aws_iam_policy_document" "mdr_engineer" {
     ]
   }
 
-  #tfsec:ignore:aws-iam-no-policy-wildcards
+  # tfsec:ignore:aws-iam-no-policy-wildcards
   statement {
     effect = "Allow"
     actions = [
@@ -58,7 +58,7 @@ data "aws_iam_policy_document" "mdr_engineer" {
       "sts:AssumeRole"
     ]
 
-    #tfsec:ignore:aws-iam-no-policy-wildcards
+    # tfsec:ignore:aws-iam-no-policy-wildcards
     resources = [
       "arn:${local.aws_partition}:iam::*:role/user/mdr_engineer",
       "arn:${local.aws_partition}:iam::*:role/mdr_engineer",

+ 1 - 1
submodules/iam/standard_iam_policies/policy-mdr_feedmgmt.tf

@@ -9,7 +9,7 @@ data "aws_iam_policy_document" "mdr_feedmgmt_s3access" {
       "s3:GetObject",
       "s3:GetObjectVersion",
     ]
-    #tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
+    # tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
     resources = [
       "arn:${local.aws_partition}:s3:::xdr-codebuild-artifacts/*",
     ]

+ 2 - 2
submodules/iam/standard_iam_policies/policy-mdr_iam_admin.tf

@@ -3,7 +3,7 @@ data "aws_iam_policy_document" "iam_admin_kms" {
   statement {
     sid    = "AllowKMSthings"
     effect = "Allow"
-    actions = [ #tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
+    actions = [ # tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
       "kms:Create*",
       "kms:Describe*",
       "kms:Enable*",
@@ -19,7 +19,7 @@ data "aws_iam_policy_document" "iam_admin_kms" {
       "kms:ScheduleKeyDeletion",
       "kms:CancelKeyDeletion"
     ]
-    #tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
+    # tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
     resources = ["*"]
   }
 

+ 2 - 2
submodules/iam/standard_iam_policies/policy-mdr_readonly_assumerole.tf

@@ -14,7 +14,7 @@ data "aws_iam_policy_document" "mdr_engineer_readonly_assumerole" {
     actions = [
       "iam:PassRole",
     ]
-    #tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
+    # tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
     resources = [
       "arn:${local.aws_partition}:iam::${local.aws_account}:role/instance/*",
       "arn:${local.aws_partition}:iam::${local.aws_account}:role/lambda/*",
@@ -29,7 +29,7 @@ data "aws_iam_policy_document" "mdr_engineer_readonly_assumerole" {
     actions = [
       "sts:AssumeRole"
     ]
-    #tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
+    # tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
     resources = [
       "arn:${local.aws_partition}:iam::*:role/user/mdr_engineer_readonly",
       "arn:${local.aws_partition}:iam::*:role/user/mdr_developer_readonly",

+ 2 - 2
submodules/iam/standard_iam_policies/policy-mdr_terraformer.tf

@@ -19,7 +19,7 @@ data "aws_iam_policy_document" "mdr_terraformer" {
     actions = [
       "iam:PassRole",
     ]
-    #tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
+    # tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
     resources = [
       "arn:${local.aws_partition}:iam::${local.aws_account}:role/instance/*",
       "arn:${local.aws_partition}:iam::${local.aws_account}:role/lambda/*",
@@ -54,7 +54,7 @@ data "aws_iam_policy_document" "mdr_terraformer" {
     actions = [
       "sts:AssumeRole"
     ]
-    #tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
+    # tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
     resources = [
       "arn:${local.aws_partition}:iam::*:role/user/mdr_terraformer",
 

+ 1 - 1
submodules/load_balancer/public_alb/elb.tf

@@ -4,7 +4,7 @@
 resource "aws_lb" "server_external" {
   name_prefix                = local.prefix
   security_groups            = [aws_security_group.alb.id]
-  internal                   = false #tfsec:ignore:aws-elb-alb-not-public The ALB requires Internet exposure
+  internal                   = false # tfsec:ignore:aws-elb-alb-not-public The ALB requires Internet exposure
   subnets                    = var.subnets
   load_balancer_type         = "application"
   drop_invalid_header_fields = true

+ 2 - 2
submodules/load_balancer/public_alb/security_groups.tf

@@ -17,7 +17,7 @@ resource "aws_security_group_rule" "http_from_internet" {
   from_port         = "80"
   to_port           = "80"
   protocol          = "tcp"
-  cidr_blocks       = var.inbound_cidrs #tfsec:ignore:aws-vpc-no-public-ingress-sgr
+  cidr_blocks       = var.inbound_cidrs # tfsec:ignore:aws-vpc-no-public-ingress-sgr
   security_group_id = aws_security_group.alb.id
 }
 
@@ -27,7 +27,7 @@ resource "aws_security_group_rule" "https_from_internet" {
   from_port         = "443"
   to_port           = "443"
   protocol          = "tcp"
-  cidr_blocks       = var.inbound_cidrs #tfsec:ignore:aws-vpc-no-public-ingress-sgr
+  cidr_blocks       = var.inbound_cidrs # tfsec:ignore:aws-vpc-no-public-ingress-sgr
   security_group_id = aws_security_group.alb.id
 }
 

+ 1 - 1
submodules/load_balancer/static_nlb_to_alb/alb.tf

@@ -4,7 +4,7 @@
 resource "aws_lb" "external" {
   name_prefix                = substr("${var.name}-ext-lb", 0, 6)
   security_groups            = concat([aws_security_group.lb_server_external.id], aws_security_group.extra_security_groups[*].id)
-  internal                   = false #tfsec:ignore:aws-elb-alb-not-public
+  internal                   = false # tfsec:ignore:aws-elb-alb-not-public
   subnets                    = var.public_subnets
   load_balancer_type         = "application"
   drop_invalid_header_fields = true

+ 1 - 1
submodules/load_balancer/static_nlb_to_alb/nlb.tf

@@ -17,7 +17,7 @@ resource "aws_eip" "static" {
 resource "aws_lb" "static" {
   name_prefix                      = substr("${var.name}-static", 0, 6)
   load_balancer_type               = "network"
-  internal                         = false #tfsec:ignore:aws-elb-alb-not-public
+  internal                         = false # tfsec:ignore:aws-elb-alb-not-public
   enable_cross_zone_load_balancing = true
 
   subnet_mapping {

+ 1 - 1
submodules/splunk/splunk_indexer_asg/main.tf

@@ -38,7 +38,7 @@ resource "aws_launch_template" "splunk_indexer" {
 
   metadata_options {
     http_endpoint = "enabled"
-    http_tokens   = "optional" #tfsec:ignore:aws-autoscaling-enforce-http-token-imds Smartstore needs to be configured to use imdsv2, MSOCI-2150
+    http_tokens   = "optional" # tfsec:ignore:aws-autoscaling-enforce-http-token-imds Smartstore needs to be configured to use imdsv2, MSOCI-2150
   }
 
   network_interfaces {

+ 1 - 1
thirdparty/terraform-aws-cloudtrail-logging/main.tf

@@ -83,7 +83,7 @@ data "aws_iam_policy_document" "cwl_policy" {
   statement {
     effect  = "Allow"
     actions = ["logs:PutLogEvents"]
-    #tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
+    # tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
     resources = [
       "arn:${local.partition}:logs:${var.region}:${local.account_id}:log-group:${aws_cloudwatch_log_group.cwl_loggroup.name}:log-stream:*",
     ]
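Review bot: the `baseline first, lock down later` reason is wrong for this wildcard: `logs:PutLogEvents` on `log-group:<name>:log-stream:*` is already the narrowest scope available, because the group name is fixed and stream names are created dynamically by the delivery role. Replace the copied reason with one that says so; otherwise this ignore will be carried as technical debt that cannot actually be paid down.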

+ 2 - 0
thirdparty/terraform-aws-github-runner/modules/runners/variables.tf

@@ -495,6 +495,8 @@ variable "metadata_options" {
   description = "Metadata options for the ec2 runner instances."
   type        = map(any)
   default = {
+    # tfsec:ignore:aws-ec2-enforce-http-token-imds Saltstack doesn't use s3 sources appropriately; see https://github.com/saltstack/salt/issues/60668
+    # checkov:skip=CKV_AWS_79:see tfsec explanation
     http_endpoint               = "enabled"
     http_tokens                 = "optional"
     http_put_response_hop_limit = 1
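Review bot: these two suppression comments sit inside a variable's `default` map, but the finding they target is raised on the EC2 resource in this module that consumes `var.metadata_options`; both tfsec and checkov attach ignore/skip comments to the flagged resource block, so a comment in variables.tf is unlikely to suppress anything. Run both scanners and confirm the finding disappears before relying on it. Separately, this is a vendored module under `thirdparty/`, so editing its defaults will be lost on the next upstream sync; pass `metadata_options` from the calling root module instead and keep the ignore there.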

+ 5 - 5
thirdparty/terraform-aws-kinesis-firehose-splunk/main.tf

@@ -49,8 +49,8 @@ resource "aws_kinesis_firehose_delivery_stream" "kinesis_firehose" {
 
 #S3 Bucket for Kinesis Firehose s3_backup_mode
 #Certificate CRLs need to be publicly accessible
-#tfsec:ignore:aws-s3-enable-versioning tfsec:ignore:aws-s3-no-public-buckets tfsec:ignore:aws-s3-enable-bucket-logging tfsec:ignore:aws-s3-block-public-acls
-resource "aws_s3_bucket" "kinesis_firehose_s3_bucket" { #tfsec:ignore:aws-s3-block-public-policy tfsec:ignore:aws-s3-ignore-public-acls tfsec:ignore:aws-s3-specify-public-access-block
+# tfsec:ignore:aws-s3-enable-versioning tfsec:ignore:aws-s3-no-public-buckets tfsec:ignore:aws-s3-enable-bucket-logging tfsec:ignore:aws-s3-block-public-acls
+resource "aws_s3_bucket" "kinesis_firehose_s3_bucket" { # tfsec:ignore:aws-s3-block-public-policy tfsec:ignore:aws-s3-ignore-public-acls tfsec:ignore:aws-s3-specify-public-access-block
   bucket = var.s3_bucket_name
 
   tags = var.tags
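Review bot: the justification `#Certificate CRLs need to be publicly accessible` does not fit this resource; the line above it describes the bucket as the Kinesis Firehose `s3_backup_mode` destination, which receives event data that failed delivery to Splunk and has no reason to be public. Unless a CRL is really hosted here, drop the five public-access ignores (aws-s3-no-public-buckets, aws-s3-block-public-acls, aws-s3-block-public-policy, aws-s3-ignore-public-acls, aws-s3-specify-public-access-block) and let the rules enforce a public access block, keeping only the versioning and logging suppressions if those are intentional.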
@@ -230,7 +230,7 @@ data "aws_iam_policy_document" "lambda_policy_doc" {
       "kms:Decrypt"
     ]
 
-    resources = [ #tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
+    resources = [ # tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
       "*",
     ]
 
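Review bot: `kms:Decrypt` on `resources = ["*"]` is suppressed with the "baseline first, lockdown after" comment here and again in the `kinesis_firehose_policy_document` and `cloudwatch_to_fh_access_policy` hunks of this file; the Lambda transform, the Firehose stream and the CloudWatch subscription each decrypt with a known key, so these statements could be scoped to the relevant key ARN(s) now rather than deferred. If baselining really is still needed, add an `:exp:` date to the three ignores so the wildcard does not become permanent.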
@@ -347,7 +347,7 @@ data "aws_iam_policy_document" "kinesis_firehose_policy_document" {
       "kms:Decrypt"
     ]
 
-    resources = [ #tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
+    resources = [ # tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
       "*",
     ]
 
@@ -420,7 +420,7 @@ data "aws_iam_policy_document" "cloudwatch_to_fh_access_policy" {
       "kms:Decrypt"
     ]
 
-    resources = [ #tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
+    resources = [ # tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
       "*",
     ]