ELI 546 - firehose checkov suppressions

Karthikeyannhs · Karthikeyannhs · commit e5e35bc1db00 · 2025-11-24T12:09:02.000Z
diff --git a/infrastructure/stacks/api-layer/iam_policies.tf b/infrastructure/stacks/api-layer/iam_policies.tf
@@ -291,6 +291,8 @@ resource "aws_kms_key_policy" "s3_rules_kms_key" {
 }
 
 resource "aws_iam_role_policy" "splunk_firehose_policy" {
+  #checkov:skip=CKV_AWS_290: Firehose requires write access to dynamic log streams without static constraints
+  #checkov:skip=CKV_AWS_355: Firehose logging requires wildcard resource for CloudWatch log groups/streams
   name = "splunk-firehose-policy"
   role = aws_iam_role.splunk_firehose_assume_role.id
 

Original file line number	Diff line number	Diff line change
`@@ -291,6 +291,8 @@ resource "aws_kms_key_policy" "s3_rules_kms_key" {`
`291`	`291`	`}`
`292`	`292`
`293`	`293`	`resource "aws_iam_role_policy" "splunk_firehose_policy" {`
	`294`	`+ #checkov:skip=CKV_AWS_290: Firehose requires write access to dynamic log streams without static constraints`
	`295`	`+ #checkov:skip=CKV_AWS_355: Firehose logging requires wildcard resource for CloudWatch log groups/streams`
`294`	`296`	`name = "splunk-firehose-policy"`
`295`	`297`	`role = aws_iam_role.splunk_firehose_assume_role.id`
`296`	`298`