------------------------------------------------------------
main.template
------------------------------------------------------------------------------------------------------------------------
| FAIL F37
|
| Resources: ["DMSEndPointSource"]
| Line Numbers: [678]
|
| DMS Endpoint password must not be a plaintext string or a Ref to a Parameter with a Default value. Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.
------------------------------------------------------------
| WARN W33
|
| Resources: ["sub1Public", "sub2Public", "sub3Public"]
| Line Numbers: [227, 243, 259]
|
| EC2 Subnet should not have MapPublicIpOnLaunch set to true
------------------------------------------------------------
| WARN W28
|
| Resources: ["dbNode1"]
| Line Numbers: [527]
|
| Resource found with an explicit name, this disallows updates that require replacement of this resource
------------------------------------------------------------
| WARN W77
|
| Resources: ["secretClusterMasterUser"]
| Line Numbers: [474]
|
| Secrets Manager Secret should explicitly specify KmsKeyId. Besides control of the key this will allow the secret to be shared cross-account
------------------------------------------------------------
| WARN W36
|
| Resources: ["AuroraPostgresSecuritygroup", "StagingSQLSecuritygroup", "DMSInstanceSecuritygroupEgressMsSql", "DMSInstanceSecuritygroupEgressPostgres"]
| Line Numbers: [424, 439, 408, 416]
|
| Security group rules without a description obscure their purpose and may lead to bad practices in ensuring they only allow traffic from the ports and sources/destinations required.
------------------------------------------------------------
| WARN W60
|
| Resources: ["vpc"]
| Line Numbers: [203]
|
| VPC should have a flow log attached

Failures count: 1
Warnings count: 10