------------------------------------------------------------
cloudhsm.yml
------------------------------------------------------------------------------------------------------------------------
| WARN W11
|
| Resource: ["rStateMachineCreateExecutionRole", "rStateMachineUpdateExecutionRole", "rStateMachineDeleteExecutionRole", "rStateMachineInitActivateExecutionRole", "rStateMachineAlignHsmsExecutionRole", "rLambdaCreateClusterRole", "rLambdaGetClusterStateRole", "rLambdaInitializeSecretsRole", "rLambdaCreateHsmRole", "rLambdaGetHsmStateRole", "rLambdaGetHsmNumRole", "rLambdaUpdateClusterSecGroupRole", "rLambdaRetrievePriorCaCertRole", "rLambdaGetClusterCertCsrRole", "rLambdaInternallyIssueClusterCertRole", "rLambdaInitClusterRole", "rLambdaAlignHsmCountRole", "rLambdaGetHsmsStateRole", "rLambdaDeleteSecretsRole", "rLambdaDeleteClusterRole", "rLambdaDeleteHsmsRole", "rClientInstanceRole", "rRunCmdSsmRole"]
| Line Numbers: [487, 770, 995, 1170, 1289, 1383, 1483, 1575, 1655, 1746, 1808, 1896, 1985, 2060, 2174, 2255, 2366, 2452, 2528, 2597, 2684, 3158, 3274]
|
| IAM role should not allow * resource on its permissions policy

Notes: The * resource parameter is limited to the region and account of the principal creating the CloudFormation stack. This has been reviewed and deemed an acceptable risk.

------------------------------------------------------------
| WARN W89
|
| Resource: ["rCustomResourceCloudHsmCluster", "rLambdaCreateCluster", "rLambdaGetClusterState", "rLambdaInitializeSecrets", "rLambdaCreateHsm", "rLambdaGetHsmState", "rLambdaGetHsmNum", "rLambdaUpdateClusterSecGroup", "rLambdaRetrievePriorCaCert", "rLambdaGetClusterCertCsr", "rLambdaInternallyIssueClusterCert", "rLambdaInitCluster", "rLambdaAlignHsmCount", "rLambdaGetHsmsState", "rLambdaDeleteSecrets", "rLambdaDeleteCluster", "rLambdaDeleteHsms", "rLambdaSendCfnFailed", "rLambdaSendCfnSuccess"]
| Line Numbers: [173, 1337, 1444, 1518, 1614, 1707, 1781, 1843, 1941, 2025, 2099, 2215, 2294, 2419, 2487, 2567, 2641, 2731, 2797]
|
| Lambda functions should be deployed inside a VPC

Notes: The included Lambda functions only run during creating, updating, and deleting the stack. This has been reviewed and deemed an acceptable risk.

------------------------------------------------------------
| WARN W92
|
| Resource: ["rCustomResourceCloudHsmCluster", "rLambdaCreateCluster", "rLambdaGetClusterState", "rLambdaInitializeSecrets", "rLambdaCreateHsm", "rLambdaGetHsmState", "rLambdaGetHsmNum", "rLambdaUpdateClusterSecGroup", "rLambdaRetrievePriorCaCert", "rLambdaGetClusterCertCsr", "rLambdaInternallyIssueClusterCert", "rLambdaInitCluster", "rLambdaAlignHsmCount", "rLambdaGetHsmsState", "rLambdaDeleteSecrets", "rLambdaDeleteCluster", "rLambdaDeleteHsms", "rLambdaSendCfnFailed", "rLambdaSendCfnSuccess"]
| Line Numbers: [173, 1337, 1444, 1518, 1614, 1707, 1781, 1843, 1941, 2025, 2099, 2215, 2294, 2419, 2487, 2567, 2641, 2731, 2797]
|
| Lambda functions should define ReservedConcurrentExecutions to reserve simultaneous executions

Notes: The included Lambda functions do not need to run concurrently.

------------------------------------------------------------
| WARN W84
|
| Resource: ["rCloudWatchLogsStateMachineCreate", "rCloudWatchLogsStateMachineUpdate", "rCloudWatchLogsStateMachineDelete", "rCloudWatchLogsStateMachineInitActivate", "rCloudWatchLogsStateMachineAlignHsms", "rCloudWatchLogsAgentGroup", "rCloudWatchLogsRunCommand"]
| Line Numbers: [481, 764, 989, 1164, 1283, 3152, 3268]
|
| CloudWatchLogs LogGroup should specify a KMS Key Id to encrypt the log data

Notes: Password and other security sensitive information are not kept in the logs. This has been reviewed and deemed an acceptable risk.

------------------------------------------------------------
| WARN W28
|
| Resource: ["rClientInstanceSecurityGroup", "rLambdaCustomResourceExecutionRole", "rStateMachineCreateExecutionRole", "rStateMachineUpdateExecutionRole", "rStateMachineDeleteExecutionRole", "rStateMachineInitActivateExecutionRole", "rStateMachineAlignHsmsExecutionRole", "rLambdaCreateClusterRole", "rLambdaGetClusterStateRole", "rLambdaInitializeSecretsRole", "rLambdaCreateHsmRole", "rLambdaGetHsmStateRole", "rLambdaGetHsmNumRole", "rLambdaUpdateClusterSecGroupRole", "rLambdaRetrievePriorCaCertRole", "rLambdaGetClusterCertCsrRole", "rLambdaInternallyIssueClusterCertRole", "rLambdaInitClusterRole", "rLambdaAlignHsmCountRole", "rLambdaGetHsmsStateRole", "rLambdaDeleteSecretsRole", "rLambdaDeleteClusterRole", "rLambdaDeleteHsmsRole", "rLambdaSendCfnFailedRole", "rLambdaSendCfnSuccessRole", "rClientInstanceRole", "rRunCmdSsmRole"]
| Line Numbers: [2854, 219, 487, 770, 995, 1170, 1289, 1383, 1483, 1575, 1655, 1746, 1808, 1896, 1985, 2060, 2174, 2255, 2366, 2452, 2528, 2597, 2684, 2770, 2827, 3158, 3274]
|
| Resource found with an explicit name, this disallows updates that require replacement of this resource

Notes: This CloudFormation template has been tested and this may change in the future. This has been reviewed and deemed an acceptable risk.

------------------------------------------------------------
| WARN W76
|
| Resource: ["rStateMachineCreateExecutionRole", "rStateMachineUpdateExecutionRole", "rStateMachineDeleteExecutionRole"]
| Line Numbers: [487, 770, 995]
|
| SPCM for IAM policy document is higher than 25

Notes: SPCM scoring is not a clear cut indication of whether or not the IAM policy document is correct. This has been reviewed and deemed an acceptable risk.

------------------------------------------------------------
| WARN W5
|
| Resource: ["rClientInstanceSecurityGroup"]
| Line Numbers: [2854]
|
| Security Groups found with cidr open to world on egress

Notes: The CIDR range is open because this solution uses various package and artifact repositories that make it hard to statically limit to a range of IPs.
       The egress ports have been limited to 80, 443, and 2223-2225. This may be revisited at a future date, however this has been reviewed and deemed an acceptable risk.

------------------------------------------------------------
| WARN W29
|
| Resource: ["rClientInstanceSecurityGroup"]
| Line Numbers: [2854]
|
| Security Groups found egress with port range instead of just a single port

Notes: The Egress port range (2223-2225) rule for rClientInstanceSecurityGroup is needed in order to work with AWS CloudHSM and HSMs.
      The AWS CloudHSM document (https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg-client-instance.html) indicates this.
       This has been reviewed and deemed an acceptable risk.

Failures count: 0
Warnings count: 100