
Bridgecrew fix config: aws_db_instance.default and 161 more #72

Open
wants to merge 1 commit into
base: master

bridgecrew-dev[bot]

Bridgecrew has created this PR to fix supply chain risks found in the files of this project.

Changes included in this PR:

  • /terraform/aws/db-app.tf:aws_db_instance.default
  • /terraform/aws/db-app.tf:aws_db_instance.default
  • /terraform/aws/db-app.tf:aws_db_instance.default
  • /terraform/aws/db-app.tf:aws_db_instance.default
  • /terraform/aws/db-app.tf:aws_db_instance.default
  • /terraform/aws/db-app.tf:aws_db_instance.default
  • /terraform/aws/db-app.tf:aws_instance.db_app
  • /terraform/aws/db-app.tf:aws_instance.db_app
  • /terraform/aws/ec2.tf:aws_ebs_volume.web_host_storage
  • /terraform/aws/ec2.tf:aws_instance.web_host
  • /terraform/aws/ec2.tf:aws_instance.web_host
  • /terraform/aws/ec2.tf:aws_s3_bucket.flowbucket
  • /terraform/aws/ec2.tf:aws_s3_bucket.flowbucket
  • /terraform/aws/ec2.tf:aws_s3_bucket.flowbucket
  • /terraform/aws/ec2.tf:aws_s3_bucket.flowbucket
  • /terraform/aws/ec2.tf:aws_subnet.web_subnet
  • /terraform/aws/ec2.tf:aws_subnet.web_subnet2
  • /terraform/aws/ecr.tf:aws_ecr_repository.repository
  • /terraform/aws/ecr.tf:aws_ecr_repository.repository
  • /terraform/aws/ecr.tf:aws_ecr_repository.repository
  • /terraform/aws/eks.tf:aws_eks_cluster.eks_cluster
  • /terraform/aws/eks.tf:aws_subnet.eks_subnet1
  • /terraform/aws/eks.tf:aws_subnet.eks_subnet2
  • /terraform/aws/es.tf:aws_elasticsearch_domain.monitoring-framework
  • /terraform/aws/es.tf:aws_elasticsearch_domain.monitoring-framework
  • /terraform/aws/kms.tf:aws_kms_key.logs_key
  • /terraform/aws/lambda.tf:aws_lambda_function.analysis_lambda
  • /terraform/aws/neptune.tf:aws_neptune_cluster.default
  • /terraform/aws/rds.tf:aws_rds_cluster.app1-rds-cluster
  • /terraform/aws/rds.tf:aws_rds_cluster.app1-rds-cluster
  • /terraform/aws/rds.tf:aws_rds_cluster.app1-rds-cluster
  • /terraform/aws/rds.tf:aws_rds_cluster.app1-rds-cluster
  • /terraform/aws/rds.tf:aws_rds_cluster.app1-rds-cluster
  • /terraform/aws/rds.tf:aws_rds_cluster.app2-rds-cluster
  • /terraform/aws/rds.tf:aws_rds_cluster.app2-rds-cluster
  • /terraform/aws/rds.tf:aws_rds_cluster.app2-rds-cluster
  • /terraform/aws/rds.tf:aws_rds_cluster.app2-rds-cluster
  • /terraform/aws/rds.tf:aws_rds_cluster.app3-rds-cluster
  • /terraform/aws/rds.tf:aws_rds_cluster.app3-rds-cluster
  • /terraform/aws/rds.tf:aws_rds_cluster.app3-rds-cluster
  • /terraform/aws/rds.tf:aws_rds_cluster.app3-rds-cluster
  • /terraform/aws/rds.tf:aws_rds_cluster.app4-rds-cluster
  • /terraform/aws/rds.tf:aws_rds_cluster.app4-rds-cluster
  • /terraform/aws/rds.tf:aws_rds_cluster.app4-rds-cluster
  • /terraform/aws/rds.tf:aws_rds_cluster.app4-rds-cluster
  • /terraform/aws/rds.tf:aws_rds_cluster.app5-rds-cluster
  • /terraform/aws/rds.tf:aws_rds_cluster.app5-rds-cluster
  • /terraform/aws/rds.tf:aws_rds_cluster.app5-rds-cluster
  • /terraform/aws/rds.tf:aws_rds_cluster.app5-rds-cluster
  • /terraform/aws/rds.tf:aws_rds_cluster.app6-rds-cluster
  • /terraform/aws/rds.tf:aws_rds_cluster.app6-rds-cluster
  • /terraform/aws/rds.tf:aws_rds_cluster.app6-rds-cluster
  • /terraform/aws/rds.tf:aws_rds_cluster.app6-rds-cluster
  • /terraform/aws/rds.tf:aws_rds_cluster.app7-rds-cluster
  • /terraform/aws/rds.tf:aws_rds_cluster.app7-rds-cluster
  • /terraform/aws/rds.tf:aws_rds_cluster.app7-rds-cluster
  • /terraform/aws/rds.tf:aws_rds_cluster.app7-rds-cluster
  • /terraform/aws/rds.tf:aws_rds_cluster.app8-rds-cluster
  • /terraform/aws/rds.tf:aws_rds_cluster.app8-rds-cluster
  • /terraform/aws/rds.tf:aws_rds_cluster.app8-rds-cluster
  • /terraform/aws/rds.tf:aws_rds_cluster.app8-rds-cluster
  • /terraform/aws/rds.tf:aws_rds_cluster.app9-rds-cluster
  • /terraform/aws/rds.tf:aws_rds_cluster.app9-rds-cluster
  • /terraform/aws/rds.tf:aws_rds_cluster.app9-rds-cluster
  • /terraform/aws/rds.tf:aws_rds_cluster.app9-rds-cluster
  • /terraform/aws/s3.tf:aws_s3_bucket.data
  • /terraform/aws/s3.tf:aws_s3_bucket.data
  • /terraform/aws/s3.tf:aws_s3_bucket.data
  • /terraform/aws/s3.tf:aws_s3_bucket.data
  • /terraform/aws/s3.tf:aws_s3_bucket.data_science
  • /terraform/aws/s3.tf:aws_s3_bucket.data_science
  • /terraform/aws/s3.tf:aws_s3_bucket.financials
  • /terraform/aws/s3.tf:aws_s3_bucket.financials
  • /terraform/aws/s3.tf:aws_s3_bucket.financials_log_bucket
  • /terraform/aws/s3.tf:aws_s3_bucket.financials_log_bucket
  • /terraform/aws/s3.tf:aws_s3_bucket.financials_log_bucket
  • /terraform/aws/s3.tf:aws_s3_bucket.logs
  • /terraform/aws/s3.tf:aws_s3_bucket.operations
  • /terraform/aws/s3.tf:aws_s3_bucket.operations
  • /terraform/aws/s3.tf:aws_s3_bucket.operations
  • /terraform/azure/aks.tf:azurerm_kubernetes_cluster.k8s_cluster
  • /terraform/azure/aks.tf:azurerm_kubernetes_cluster.k8s_cluster
  • /terraform/azure/app_service.tf:azurerm_app_service.app-service1
  • /terraform/azure/app_service.tf:azurerm_app_service.app-service1
  • /terraform/azure/app_service.tf:azurerm_app_service.app-service1
  • /terraform/azure/app_service.tf:azurerm_app_service.app-service1
  • /terraform/azure/app_service.tf:azurerm_app_service.app-service1
  • /terraform/azure/app_service.tf:azurerm_app_service.app-service1
  • /terraform/azure/app_service.tf:azurerm_app_service.app-service1
  • /terraform/azure/app_service.tf:azurerm_app_service.app-service1
  • /terraform/azure/app_service.tf:azurerm_app_service.app-service1
  • /terraform/azure/app_service.tf:azurerm_app_service.app-service1
  • /terraform/azure/app_service.tf:azurerm_app_service.app-service1
  • /terraform/azure/app_service.tf:azurerm_app_service.app-service2
  • /terraform/azure/app_service.tf:azurerm_app_service.app-service2
  • /terraform/azure/app_service.tf:azurerm_app_service.app-service2
  • /terraform/azure/app_service.tf:azurerm_app_service.app-service2
  • /terraform/azure/app_service.tf:azurerm_app_service.app-service2
  • /terraform/azure/app_service.tf:azurerm_app_service.app-service2
  • /terraform/azure/app_service.tf:azurerm_app_service.app-service2
  • /terraform/azure/app_service.tf:azurerm_app_service.app-service2
  • /terraform/azure/app_service.tf:azurerm_app_service.app-service2
  • /terraform/azure/instance.tf:azurerm_linux_virtual_machine.linux_machine
  • /terraform/azure/instance.tf:azurerm_windows_virtual_machine.windows_machine
  • /terraform/azure/key_vault.tf:azurerm_key_vault.example
  • /terraform/azure/key_vault.tf:azurerm_key_vault.example
  • /terraform/azure/key_vault.tf:azurerm_key_vault_key.generated
  • /terraform/azure/mssql.tf:azurerm_mssql_server.mssql1
  • /terraform/azure/mssql.tf:azurerm_mssql_server.mssql1
  • /terraform/azure/mssql.tf:azurerm_mssql_server.mssql2
  • /terraform/azure/mssql.tf:azurerm_mssql_server.mssql2
  • /terraform/azure/mssql.tf:azurerm_mssql_server.mssql3
  • /terraform/azure/mssql.tf:azurerm_mssql_server.mssql3
  • /terraform/azure/mssql.tf:azurerm_mssql_server.mssql4
  • /terraform/azure/mssql.tf:azurerm_mssql_server.mssql4
  • /terraform/azure/mssql.tf:azurerm_mssql_server.mssql5
  • /terraform/azure/mssql.tf:azurerm_mssql_server.mssql5
  • /terraform/azure/mssql.tf:azurerm_mssql_server.mssql6
  • /terraform/azure/mssql.tf:azurerm_mssql_server.mssql6
  • /terraform/azure/mssql.tf:azurerm_mssql_server.mssql7
  • /terraform/azure/mssql.tf:azurerm_mssql_server.mssql7
  • /terraform/azure/mssql.tf:azurerm_mssql_server_security_alert_policy.alertpolicy1
  • /terraform/azure/mssql.tf:azurerm_mssql_server_security_alert_policy.alertpolicy2
  • /terraform/azure/mssql.tf:azurerm_mssql_server_security_alert_policy.alertpolicy3
  • /terraform/azure/mssql.tf:azurerm_mssql_server_security_alert_policy.alertpolicy4
  • /terraform/azure/mssql.tf:azurerm_mssql_server_security_alert_policy.alertpolicy5
  • /terraform/azure/mssql.tf:azurerm_mssql_server_security_alert_policy.alertpolicy5
  • /terraform/azure/mssql.tf:azurerm_mssql_server_security_alert_policy.alertpolicy6
  • /terraform/azure/mssql.tf:azurerm_mssql_server_security_alert_policy.alertpolicy7
  • /terraform/azure/security_center.tf:azurerm_security_center_contact.contact
  • /terraform/azure/security_center.tf:azurerm_security_center_contact.contact
  • /terraform/azure/security_center.tf:azurerm_security_center_subscription_pricing.pricing
  • /terraform/azure/sql.tf:azurerm_mssql_server_security_alert_policy.example
  • /terraform/azure/sql.tf:azurerm_mssql_server_security_alert_policy.example
  • /terraform/azure/sql.tf:azurerm_mysql_server.example
  • /terraform/azure/sql.tf:azurerm_mysql_server.example
  • /terraform/azure/sql.tf:azurerm_mysql_server.example
  • /terraform/azure/sql.tf:azurerm_mysql_server.example
  • /terraform/azure/sql.tf:azurerm_mysql_server.example
  • /terraform/azure/sql.tf:azurerm_postgresql_server.example
  • /terraform/azure/sql.tf:azurerm_postgresql_server.example
  • /terraform/azure/sql.tf:azurerm_postgresql_server.example
  • /terraform/azure/sql.tf:azurerm_postgresql_server.example
  • /terraform/azure/sql.tf:azurerm_postgresql_server.example
  • /terraform/gcp/big_data.tf:google_sql_database_instance.master_instance
  • /terraform/gcp/big_data.tf:google_sql_database_instance.master_instance
  • /terraform/gcp/gcs.tf:google_storage_bucket.terragoat_website
  • /terraform/gcp/gke.tf:google_container_cluster.workload_cluster
  • /terraform/gcp/gke.tf:google_container_cluster.workload_cluster
  • /terraform/gcp/gke.tf:google_container_cluster.workload_cluster
  • /terraform/gcp/gke.tf:google_container_cluster.workload_cluster
  • /terraform/gcp/gke.tf:google_container_cluster.workload_cluster
  • /terraform/gcp/gke.tf:google_container_cluster.workload_cluster
  • /terraform/gcp/gke.tf:google_container_cluster.workload_cluster
  • /terraform/gcp/gke.tf:google_container_node_pool.custom_node_pool
  • /terraform/gcp/gke.tf:google_container_node_pool.custom_node_pool
  • /terraform/gcp/gke.tf:google_container_node_pool.custom_node_pool
  • /terraform/gcp/instances.tf:google_compute_instance.server
  • /terraform/gcp/instances.tf:google_compute_instance.server
  • /terraform/gcp/instances.tf:google_compute_instance.server
  • /terraform/gcp/instances.tf:google_compute_instance.server
  • /terraform/gcp/instances.tf:google_compute_instance.server

Below are the Policies fixed in this PR:

🌈 Policy ✨ Details
Ensure all data stored in the RDS is securely encrypted at rest View
Ensure all data stored in the RDS bucket is not public accessible View
Ensure that enhanced monitoring is enabled for Amazon RDS instances View
Ensure RDS database has IAM authentication enabled View
Ensure that RDS instances has backup policy View
Ensure that EC2 is EBS optimized View
Ensure that detailed monitoring is enabled for EC2 instances View
Ensure that S3 buckets are encrypted with KMS by default View
Ensure the S3 bucket has access logging enabled View
Ensure all data stored in the S3 bucket is securely encrypted at rest View
Ensure VPC subnets do not assign public IP by default View
Ensure RDS cluster has IAM authentication enabled View
Ensure AKS logging to Azure Monitoring is Configured View
Ensure that standard pricing tier is selected View
Ensure that RDS instances have Multi-AZ enabled View
Ensure all data stored in the EBS is securely encrypted View
Ensure all data stored in the S3 bucket have versioning enabled View
Ensure that App service enables detailed error messages View
Ensure that Register with Azure Active Directory is enabled on App Service View
Ensure that 'Net Framework' version is the latest, if used as a part of the web app View
Ensure that App service enables failed request tracing View
Ensure FTP deployments are disabled View
Ensure that 'HTTP Version' is the latest if used to run the web app View
Ensure Virtual Machine Extensions are not Installed View
Ensure Elasticsearch Domain Logging is enabled View
Ensure that an Amazon RDS Clusters have AWS Identity and Access Management (IAM) authentication enabled View
Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service View
Ensure rotation for customer created CMKs is enabled View
Ensure all data stored in the Elasticsearch is securely encrypted at rest View
Ensure that ECR repositories are encrypted using KMS View
Ensure ECR image scanning on push is enabled View
Ensure Neptune storage is securely encrypted View
Ensure X-ray tracing is enabled for Lambda View
Ensure that Cloud Storage buckets have uniform bucket-level access enabled View
Ensure that 'Send Alerts To' is enabled for MSSQL servers View
Ensure use of Binary Authorization View
Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters View
Ensure Network Policy is enabled on Kubernetes Engine Clusters View
Enable VPC Flow Logs and Intranode Visibility View
Ensure legacy Compute Engine instance metadata APIs are Disabled View
Ensure Secure Boot for Shielded GKE Nodes is Enabled View
Ensure that AKS enables private clusters View
Ensure ECR Image Tags are immutable View
Ensure that RDS clusters have deletion protection enabled View
Ensure that PostgreSQL server enables infrastructure encryption View
Ensure that SQL server disables public network access View
Ensure all data stored in Aurora is securely encrypted at rest View
Ensure 'public network access enabled' is set to 'False' for mySQL servers View
Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server View
Ensure that key vault enables purge protection View
Ensure that PostgreSQL server enables Threat detection policy View
Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server View
Ensure that key vault allows firewall rules settings View
Ensure that PostgreSQL server disables public network access View
Ensure that 'Send email notification for high severity alerts' is set to 'On' View
Ensure that 'Send email notification for high severity alerts' is set to 'On' View
Ensure MySQL is using the latest version of TLS encryption View
Ensure web app is using the latest version of TLS encryption View
Ensure that My SQL server enables Threat detection policy View
Ensure all Cloud SQL database instance have backup configuration enabled View
Ensure all Cloud SQL database instance requires all incoming connections to use SSL View
Ensure that key vault key is backed by HSM View
Ensure that PostgreSQL server enables geo-redundant backups View
Ensure that My SQL server enables geo-redundant backups View
Ensure MSSQL is using the latest version of TLS encryption View
Ensure Amazon EKS public endpoint disabled View
Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers View
Ensure App Service Authentication is set on Azure App Service View
Ensure the web app has 'Client Certificates (Incoming client certificates)' set View
Ensure that app services use Azure Files View
Ensure a client certificate is used by clients to authenticate to Kubernetes Engine Clusters View
Ensure 'Automatic node repair' is enabled for Kubernetes Clusters View
Ensure that IP forwarding is not enabled on Instances View
Ensure that no instance in the project overrides the project setting for enabling OSLogin (OSLogin needs to be enabled in project metadata for all instances) View
Ensure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters View
Ensure 'Enable connecting to serial ports' is not enabled for VM Instance View
Ensure 'Block Project-wide SSH keys' is enabled for VM instances View
Ensure 'Automatic node upgrade' is enabled for Kubernetes Clusters View
Ensure that Compute instances do not have public IP addresses View
Please check the changes in this PR to ensure they do not introduce conflicts to your project.

For more information:
View this repository's Supply Chain Graph👀
