This repository has been archived by the owner on Sep 27, 2024. It is now read-only.

No need job scheduler #27

Open
markhv-code wants to merge 2 commits into main

Conversation

markhv-code
Contributor

Fixes Issue: link to JIRA ticket

Description:

Signal team no longer uses the job-scheduler policy and role. To preserve default behavior I have added an optional boolean variable to determine whether those resources can be created.

Security Impact Analysis Questionnaire

Submitter Checklist

  • Is there an impact on Auditing and Logging procedures or capabilities?
  • Is there an impact on Authentication procedures or capabilities?
  • Is there an impact on Authorization procedures or capabilities?
  • Is there an impact on Communication Security procedures or capabilities?
  • Is there an impact on Cryptography procedures or capabilities?
  • Is there an impact on Sensitive Data procedures or capabilities?
  • Is there an impact on any other security-related procedures or capabilities?
  • No security impacts identified.

Security Risks Identified - For any applicable items on the "Submitter Checklist," describe the impact of the change and any implemented mitigations.

@markhv-code markhv-code requested a review from a team August 4, 2023 15:01
@markhv-code markhv-code self-assigned this Aug 4, 2023
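The toggle the description refers to, written out as an added Terraform example (this is not the module's own code, which the page does not show): an optional boolean that defaults to true and is applied as `count` on the role, the customer-managed policy and the attachment. The trust principal (`scheduler.amazonaws.com`), the `lambda:InvokeFunction` statement and the resource names are placeholders standing in for whatever the real job-scheduler resources contain.

```hcl
# Defaults to true so existing callers keep getting the role and policy.
variable "create_job_scheduler" {
  description = "Create the job-scheduler IAM role and policy"
  type        = bool
  default     = true
}

locals {
  job_scheduler_count = var.create_job_scheduler ? 1 : 0
}

# Trust policy. The principal is a placeholder; the real module decides
# who may assume the role.
data "aws_iam_policy_document" "job_scheduler_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["scheduler.amazonaws.com"]
    }
  }
}

# Every resource the toggle governs carries the same count. Indexing with
# [0] is only valid when count is 1, so each reference sits behind the
# same condition as the resource it points to.
resource "aws_iam_role" "job_scheduler" {
  count              = local.job_scheduler_count
  name               = "job-scheduler"
  assume_role_policy = data.aws_iam_policy_document.job_scheduler_assume.json
}

data "aws_iam_policy_document" "job_scheduler" {
  statement {
    actions   = ["lambda:InvokeFunction"] # placeholder permission
    resources = ["arn:aws:lambda:*:*:function:job-*"]
  }
}

resource "aws_iam_policy" "job_scheduler" {
  count  = local.job_scheduler_count
  name   = "job-scheduler"
  policy = data.aws_iam_policy_document.job_scheduler.json
}

resource "aws_iam_role_policy_attachment" "job_scheduler" {
  count      = local.job_scheduler_count
  role       = aws_iam_role.job_scheduler[0].name
  policy_arn = aws_iam_policy.job_scheduler[0].arn
}

# one() returns null for an empty list, so callers get a null ARN rather
# than an "index out of range" error when the toggle is off.
output "job_scheduler_role_arn" {
  value = one(aws_iam_role.job_scheduler[*].arn)
}
```

Because the variable adds or removes an IAM role and its attached policy, a plan run with the toggle flipped to false on an existing deployment should show the destroy of exactly those three resources and nothing else; anything that still references the role ARN (a schedule, another module's output) will surface as a plan error at that point rather than at apply time.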
@robo-gotham

Snyk Scanning for Commit: 0aec73f

Snyk Infrastructure as Code

  • Snyk testing Infrastructure as Code configuration issues.
    ✔ Test completed.

Issues

Low Severity Issues: 13

[Low] CloudWatch log group not encrypted with managed key
Info: Log group is not encrypted with customer managed key. Scope of use of
the key cannot be controlled via KMS/IAM policies
Rule: https://security.snyk.io/rules/cloud/SNYK-CC-AWS-415
Path: resource > aws_cloudwatch_log_group[function_log_group] > kms_key_id
File: delete_ebs_volumes/lambda.tf
Resolve: Set kms_key_id attribute with customer managed key id

[Low] X-ray tracing is disabled for Lambda function
Info: Amazon X-Ray tracing is not enabled for Lambda function. Trace logs
will not be available during investigation
Rule: https://security.snyk.io/rules/cloud/SNYK-CC-TF-133
Path: resource > aws_lambda_function[delete_ebs_volumes] > tracing_config
File: delete_ebs_volumes/lambda.tf
Resolve: Set tracing_config.mode attribute to Active or PassThrough

[Low] Rule allows open egress
Info: The security group rule allows open egress. Open egress can be used
to exfiltrate data to unauthorized destinations, and enable access to
potentially malicious resources
Rule: https://security.snyk.io/rules/cloud/SNYK-CC-TF-72
Path: resource > aws_security_group_rule[egress]
File: delete_ebs_volumes/security_group.tf
Resolve: Set cidr_blocks attribute to specific ranges e.g. 192.168.1.0/24

[Low] CloudTrail does not include all regions
Info: Amazon CloudTrail is not enabled for all regions. Logs will not be
collected in all the regions
Rule: https://security.snyk.io/rules/cloud/SNYK-CC-TF-135
Path: resource > aws_cloudtrail[main] > is_multi_region_trail
File: s3_data_events/cloudtrail.tf
Resolve: Set is_multi_region_trail attribute to true

[Low] CloudTrail not integrated with CloudWatch
Info: CloudTrail does not deliver logs to CloudWatch. Alarms cannot be
configured to alert on CloudTrail events
Rule: https://security.snyk.io/rules/cloud/SNYK-CC-TF-256
Path: resource > aws_cloudtrail[main] > cloud_watch_logs_group_arn
File: s3_data_events/cloudtrail.tf
Resolve: Set cloud_watch_logs_group_arn attribute to cloudwatch log group ARN

[Low] S3 bucket versioning disabled
Info: S3 bucket versioning is disabled. Changes or deletion of objects will
not be reversible
Rule: https://security.snyk.io/rules/cloud/SNYK-CC-TF-124
Path: resource > aws_s3_bucket[cloudtrail] > versioning > enabled
File: s3_data_events/s3.tf
Resolve: For AWS provider < v4.0.0, set versioning.enabled attribute to
true. For AWS provider >= v4.0.0, add aws_s3_bucket_versioning
resource.

[Low] S3 bucket MFA delete control disabled
Info: S3 bucket will not enforce MFA login on delete requests. Object could
be deleted without stronger MFA authorization
Rule: https://security.snyk.io/rules/cloud/SNYK-CC-TF-127
Path: resource > aws_s3_bucket[cloudtrail] > versioning > mfa_delete
File: s3_data_events/s3.tf
Resolve: Follow instructions in https://docs.aws.amazon.com/AmazonS3/latest/userguide/MultiFactorAuthenticationDelete.html
to manually configure the MFA setting. For AWS provider < v4.0.0 set
versioning.mfa_delete attribute to true in aws_s3_bucket
resource. For AWS provider >= v4.0.0 set
versioning_configuration.mfa_delete attribute to Enabled. The
terraform change is required to reflect the setting in the state file

[Low] S3 server access logging is disabled
Info: The s3 access logs will not be collected. There will be no audit
trail of access to s3 objects
Rule: https://security.snyk.io/rules/cloud/SNYK-CC-TF-45
Path: input > resource > aws_s3_bucket[cloudtrail] > logging
File: s3_data_events/s3.tf
Resolve: For AWS provider < v4.0.0, add logging block attribute. For AWS
provider >= v4.0.0, add aws_s3_bucket_logging resource.

[Low] S3 bucket versioning disabled
Info: S3 bucket versioning is disabled. Changes or deletion of objects will
not be reversible
Rule: https://security.snyk.io/rules/cloud/SNYK-CC-TF-124
Path: resource > aws_s3_bucket[gd_export_s3_bucket] > versioning > enabled
File: sdl_logs/s3.tf
Resolve: For AWS provider < v4.0.0, set versioning.enabled attribute to
true. For AWS provider >= v4.0.0, add aws_s3_bucket_versioning
resource.

[Low] S3 bucket MFA delete control disabled
Info: S3 bucket will not enforce MFA login on delete requests. Object could
be deleted without stronger MFA authorization
Rule: https://security.snyk.io/rules/cloud/SNYK-CC-TF-127
Path: resource > aws_s3_bucket[gd_export_s3_bucket] > versioning > mfa_delete
File: sdl_logs/s3.tf
Resolve: Follow instructions in https://docs.aws.amazon.com/AmazonS3/latest/userguide/MultiFactorAuthenticationDelete.html
to manually configure the MFA setting. For AWS provider < v4.0.0 set
versioning.mfa_delete attribute to true in aws_s3_bucket
resource. For AWS provider >= v4.0.0 set
versioning_configuration.mfa_delete attribute to Enabled. The
terraform change is required to reflect the setting in the state file

[Low] S3 server access logging is disabled
Info: The s3 access logs will not be collected. There will be no audit
trail of access to s3 objects
Rule: https://security.snyk.io/rules/cloud/SNYK-CC-TF-45
Path: input > resource > aws_s3_bucket[gd_export_s3_bucket] > logging
File: sdl_logs/s3.tf
Resolve: For AWS provider < v4.0.0, add logging block attribute. For AWS
provider >= v4.0.0, add aws_s3_bucket_logging resource.

[Low] X-ray tracing is disabled for Lambda function
Info: Amazon X-Ray tracing is not enabled for Lambda function. Trace logs
will not be available during investigation
Rule: https://security.snyk.io/rules/cloud/SNYK-CC-TF-133
Path: resource > aws_lambda_function[transform-lambda] > tracing_config
File: security-alerts/lambda.tf
Resolve: Set tracing_config.mode attribute to Active or PassThrough

[Low] Secrets Manager is not encrypted with customer managed key
Info: Secrets Manager is not encrypted with customer managed key. Scope of
use of the encryption key cannot be controlled via KMS/IAM policies
Rule: https://security.snyk.io/rules/cloud/SNYK-CC-AWS-421
Path: resource > aws_secretsmanager_secret[slack_webhook] > kms_key_id
File: security-alerts/secret.tf
Resolve: Set kms_key_id attribute to customer managed key id

Medium Severity Issues: 1

[Medium] Kinesis data stream is not encrypted at rest
Info: Data stream is not encrypted at rest. Sensitive data processed by the
stream may be readable in the kinesis storage layer
Rule: https://security.snyk.io/rules/cloud/SNYK-CC-AWS-450
Path: resource > aws_kinesis_firehose_delivery_stream[panther_firehose] > server_side_encryption
File: cwl_subscriptions/firehose.tf
Resolve: Set server_side_encryption.enabled attribute to true


Test Summary

Organization: batcave-ispg
Project name: CMS-Enterprise/batcave-tf-misc-modules

✔ Files without issues: 29
✗ Files with issues: 8
Ignored issues: 0
Total issues: 14 [ 0 critical, 0 high, 1 medium, 13 low ]


Report Complete

Your test results are available at: https://snyk.io/org/batcave-ispg/projects
under the name: CMS-Enterprise/batcave-tf-misc-modules
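Terraform fixes for a representative subset of the findings above, as an added example that is not code from the repository (the scan refers to files this page does not show). Resource names follow the Snyk paths; the bucket name, the `var.inputs` object, the Lambda packaging and the KMS key itself are placeholders. It is written for AWS provider >= 4.0, where bucket versioning and logging are separate resources. The egress, CloudTrail, Secrets Manager and MFA-delete findings are left out: the secret takes the same `kms_key_id = aws_kms_key.cmk.arn` pattern as the log group, and MFA delete can only be enabled by the account root user out of band, as the Snyk text says.

```hcl
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

# Hypothetical inputs; in the real module they would come from the caller.
variable "inputs" {
  type = object({
    lambda_role_arn     = string
    access_log_bucket   = string
    firehose_role_arn   = string
    firehose_bucket_arn = string
  })
}

# SNYK-CC-AWS-415: a CMK for the log group. The key policy must let the CloudWatch
# Logs service principal use it, or creating the log group with kms_key_id set fails.
data "aws_iam_policy_document" "cmk" {
  statement {
    sid       = "AccountAdmin"
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
  }
  statement {
    sid       = "CloudWatchLogs"
    actions   = ["kms:Encrypt*", "kms:Decrypt*", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:Describe*"]
    resources = ["*"]
    principals {
      type        = "Service"
      identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
    }
    condition {
      test     = "ArnLike"
      variable = "kms:EncryptionContext:aws:logs:arn"
      values   = ["arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:*"]
    }
  }
}

resource "aws_kms_key" "cmk" {
  description         = "CMK for CloudWatch log groups"
  enable_key_rotation = true
  policy              = data.aws_iam_policy_document.cmk.json
}

resource "aws_cloudwatch_log_group" "function_log_group" {
  name       = "/aws/lambda/delete_ebs_volumes"
  kms_key_id = aws_kms_key.cmk.arn # was unset: AWS-managed key, not scoped by IAM
}

# SNYK-CC-TF-133: Active tracing. The execution role also needs
# xray:PutTraceSegments and xray:PutTelemetryRecords.
resource "aws_lambda_function" "delete_ebs_volumes" {
  function_name = "delete_ebs_volumes"
  role          = var.inputs.lambda_role_arn
  runtime       = "python3.11"
  handler       = "main.handler"
  filename      = "lambda.zip"
  tracing_config {
    mode = "Active"
  }
}

# SNYK-CC-TF-124 / SNYK-CC-TF-45: with AWS provider >= 4 these are separate
# resources, not versioning {} and logging {} blocks on aws_s3_bucket.
resource "aws_s3_bucket" "cloudtrail" {
  bucket = "example-cloudtrail-logs"
}

resource "aws_s3_bucket_versioning" "cloudtrail" {
  bucket = aws_s3_bucket.cloudtrail.id
  versioning_configuration {
    status = "Enabled"
  }
}

resource "aws_s3_bucket_logging" "cloudtrail" {
  bucket        = aws_s3_bucket.cloudtrail.id
  target_bucket = var.inputs.access_log_bucket # a separate bucket, never the source itself
  target_prefix = "s3-access/cloudtrail/"
}

# SNYK-CC-AWS-450: server_side_encryption applies to DirectPut streams such as a
# CloudWatch Logs subscription target; a stream fed from Kinesis Data Streams
# inherits that stream's encryption instead.
resource "aws_kinesis_firehose_delivery_stream" "panther_firehose" {
  name        = "panther-firehose"
  destination = "extended_s3"
  server_side_encryption {
    enabled  = true
    key_type = "AWS_OWNED_CMK"
  }
  extended_s3_configuration {
    role_arn   = var.inputs.firehose_role_arn
    bucket_arn = var.inputs.firehose_bucket_arn
  }
}
```

Two checks worth running before relying on this: `terraform plan` after adding `kms_key_id` to an existing log group replaces nothing (the attribute is updatable in place), whereas moving from a `versioning {}` block to `aws_s3_bucket_versioning` on provider >= 4 needs the new resource imported or the old block removed in the same change, otherwise the two fight over the bucket's versioning state.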

@bushong1
Contributor

bushong1 commented Aug 4, 2023

What is this module even used for?
