cloudformation

CKV_AWS_174 is being triggered in our terraform code even though we have the viewer certificate set to use TLSv.1.2. Snippet of our code here:

viewer_certificate {
acm_certificate_arn = aws_acm_certificate.cert.arn
ssl_support_method = "sni-only"
minimum_protocol_version = "TLSv1.2_2019"
}

Steps to reproduce the behavior:
Running checkov on our terraform code

**Expe

https://docs.aws.amazon.com/lambda/latest/dg/gettingstarted-limits.html lists the maximum environment variable hard limit as 4kb.

If this limit is exceeded, the template will not deploy.

It should be possible to make an Error level rule around this

Add error handling during credentials onChange event so that the Scan Account feature does not activate if credentials are invalid

While testing another PR, I found that mu pipeline logs command displays information from the pipelines, but also shows this error:

$ mu pipeline logs
[... normal, expected output ...]
func1 ▶ ERROR  ResourceNotFoundException: The specified log group does not exist.
	status code: 400, request id: f7260741-7f69-4772-b4cc-7c6a9c22d264

This error does not occur with the `-f

Good summary at https://matthewdf10.medium.com/how-to-enable-logging-on-every-aws-service-in-existence-circa-2021-5b9105b87c9 and https://docs.google.com/spreadsheets/d/1DBmCXX1irJvxdewa85p5nSsYEf3tpSKWBbwp700mbzs/edit#gid=0

Amazon Aurora
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rds-dbcluster.html#cfn-rds-dbcluster-enablecloudwatchlogsexports

AWS AppSync

Describe the bug

CodeUri in Function has invalid directory name

To Reproduce

• Create a powershell package using the new-awsPowerShellLambdaPackage:

New-AWSPowerShellLambdaPackage -ScriptPath checkdomainavailable.ps1 -OutputPackage checkdomainavailable.zip

• Add the function in template.yaml

CheckDomainAvailableFunction:
Type: AWS::Serverless::Function
Pr

Describe the bug
When using parse-tree command, error information in printed twice with slightly different text.

To Reproduce
Please supply:

var status = ['ACTIVE']

NOTE: Please be sure that the templates, rules and logs you provide as part of your bug report do not contain any sensitive information.

Expected behavior
There should be one error log instead of dupli

Seems like we can encrypt environment variables effectively for free by adding a KmsKeyArn property to functions. See: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md

This would be an easy contribution for a first timer...

The current behavior of --interactive is that any new stacks will get created, without any prompt. But this can be potentially dangerous (or at the very least, annoying) if you accidentally make a change, like changing the stack name, resulting in a whole new stack getting created.

Should stacker prompt you before creating a stack when using --interactive mode?