added checkov suppressions

Author: andywick-aws

aws_sra_examples/solutions/common/common_cfct_setup/templates/customizations-for-aws-control-tower.template

@@ -10,7 +10,6 @@
 # on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
 # express or implied. See the License for the specific language governing
 # permissions and limitations under the License.
-
 AWSTemplateFormatVersion: '2010-09-09'
 Description: '(SO0089) - customizations-for-aws-control-tower Solution. Version: v2.3.0'
 
@@ -247,6 +246,14 @@ Resources:
           - id: W35
             reason:
               "This S3 bucket is used as the destination for 'CustomControlTowerPipelineS3Bucket' and 'CustomControlTowerPipelineArtifactS3Bucket'"
+      checkov:
+        skip:
+          - id: CKV_AWS_18
+            comment: S3 bucket logging is not enabled.
+          - id: CKV_AWS_116
+            comment: DLQ not needed.
+          - id: CKV_AWS_173
+            comment: Environment variables are not sensitive.
     Properties:
       AccessControl: LogDeliveryWrite
       VersioningConfiguration:
@@ -482,6 +489,10 @@ Resources:
         rules_to_suppress:
           - id: W11
             reason: 'Allow Resource * for Cloudformation/SSM API: needs to support user defined cfn templates and ssm parameter names.'
+      checkov:
+        skip:
+          - id: CKV_AWS_108
+            comment: 'Allow Resource * for Cloudformation/SSM API: needs to support user defined cfn templates and ssm parameter names.'
     Properties:
       AssumeRolePolicyDocument:
         Version: '2012-10-17'
@@ -1032,6 +1043,14 @@ Resources:
             reason: 'This lambda function does not need access to VPC resources'
           - id: W92
             reason: 'This use case does not need to set the ReservedConcurrentExecutions'
+      checkov:
+        skip:
+          - id: CKV_AWS_18
+            comment: S3 bucket logging is not enabled.
+          - id: CKV_AWS_116
+            comment: DLQ not needed.
+          - id: CKV_AWS_173
+            comment: Environment variables are not sensitive.
     Properties:
       Environment:
         Variables:
@@ -1128,6 +1147,14 @@ Resources:
             reason: 'The role name is defined to identify Custom Control Tower resources.'
           - id: W11
             reason: 'Allow Resource * for KMS/SSM/Org/SC/CFN API. Key ID is generated by the service. Other resources are customer defined.'
+      checkov:
+        skip:
+          - id: CKV_AWS_108
+            comment: 'Allow Resource * for KMS/SSM/Org/SC/CFN API. Key ID is generated by the service. Other resources are customer defined.'
+          - id: CKV_AWS_109
+            comment: Permission management required
+          - id: CKV_AWS_111
+            comment: wild card required for service actions
     Properties:
       RoleName: CustomControlTowerStateMachineLambdaRole
       AssumeRolePolicyDocument:
@@ -1302,6 +1329,14 @@ Resources:
             reason: 'This lambda function does not need access to VPC resources'
           - id: W92
             reason: 'This use case does not need to set the ReservedConcurrentExecutions'
+      checkov:
+        skip:
+          - id: CKV_AWS_18
+            comment: S3 bucket logging is not enabled.
+          - id: CKV_AWS_116
+            comment: DLQ not needed.
+          - id: CKV_AWS_173
+            comment: Environment variables are not sensitive.
     Properties:
       Environment:
         Variables:
@@ -2917,6 +2952,14 @@ Resources:
             reason: 'This lambda function does not need access to VPC resources'
           - id: W92
             reason: 'This use case does not need to set the ReservedConcurrentExecutions'
+      checkov:
+        skip:
+          - id: CKV_AWS_18
+            comment: S3 bucket logging is not enabled.
+          - id: CKV_AWS_116
+            comment: DLQ not needed.
+          - id: CKV_AWS_173
+            comment: Environment variables are not sensitive.
     Properties:
       Environment:
         Variables: