0 |
CKV_AWS_1 |
data |
aws_iam_policy_document |
Ensure IAM policies that allow full “-” administrative privileges are not created |
Terraform |
1 |
CKV_AWS_1 |
resource |
serverless_aws |
Ensure IAM policies that allow full “-” administrative privileges are not created |
serverless |
2 |
CKV_AWS_2 |
resource |
aws_lb_listener |
Ensure ALB protocol is HTTPS |
Terraform |
3 |
CKV_AWS_2 |
resource |
AWS::ElasticLoadBalancingV2::Listener |
Ensure ALB protocol is HTTPS |
Cloudformation |
4 |
CKV_AWS_3 |
resource |
aws_ebs_volume |
Ensure all data stored in the EBS is securely encrypted |
Terraform |
5 |
CKV_AWS_3 |
resource |
AWS::EC2::Volume |
Ensure all data stored in the EBS is securely encrypted |
Cloudformation |
6 |
CKV_AWS_5 |
resource |
aws_elasticsearch_domain |
Ensure all data stored in the Elasticsearch is securely encrypted at rest |
Terraform |
7 |
CKV_AWS_5 |
resource |
AWS::Elasticsearch::Domain |
Ensure all data stored in the Elasticsearch is securely encrypted at rest |
Cloudformation |
8 |
CKV_AWS_6 |
resource |
aws_elasticsearch_domain |
Ensure all Elasticsearch has node-to-node encryption enabled |
Terraform |
9 |
CKV_AWS_6 |
resource |
AWS::Elasticsearch::Domain |
Ensure all Elasticsearch has node-to-node encryption enabled |
Cloudformation |
10 |
CKV_AWS_7 |
resource |
aws_kms_key |
Ensure rotation for customer created CMKs is enabled |
Terraform |
11 |
CKV_AWS_7 |
resource |
AWS::KMS::Key |
Ensure rotation for customer created CMKs is enabled |
Cloudformation |
12 |
CKV_AWS_8 |
resource |
aws_instance |
Ensure all data stored in the Launch configuration EBS is securely encrypted |
Terraform |
13 |
CKV_AWS_8 |
resource |
aws_launch_configuration |
Ensure all data stored in the Launch configuration EBS is securely encrypted |
Terraform |
14 |
CKV_AWS_8 |
resource |
AWS::AutoScaling::LaunchConfiguration |
Ensure all data stored in the Launch configuration EBS is securely encrypted |
Cloudformation |
15 |
CKV_AWS_9 |
resource |
aws_iam_account_password_policy |
Ensure IAM password policy expires passwords within 90 days or less |
Terraform |
16 |
CKV_AWS_10 |
resource |
aws_iam_account_password_policy |
Ensure IAM password policy requires minimum length of 14 or greater |
Terraform |
17 |
CKV_AWS_11 |
resource |
aws_iam_account_password_policy |
Ensure IAM password policy requires at least one lowercase letter |
Terraform |
18 |
CKV_AWS_12 |
resource |
aws_iam_account_password_policy |
Ensure IAM password policy requires at least one number |
Terraform |
19 |
CKV_AWS_13 |
resource |
aws_iam_account_password_policy |
Ensure IAM password policy prevents password reuse |
Terraform |
20 |
CKV_AWS_14 |
resource |
aws_iam_account_password_policy |
Ensure IAM password policy requires at least one symbol |
Terraform |
21 |
CKV_AWS_15 |
resource |
aws_iam_account_password_policy |
Ensure IAM password policy requires at least one uppercase letter |
Terraform |
22 |
CKV_AWS_16 |
resource |
aws_db_instance |
Ensure all data stored in the RDS is securely encrypted at rest |
Terraform |
23 |
CKV_AWS_16 |
resource |
AWS::RDS::DBInstance |
Ensure all data stored in the RDS is securely encrypted at rest |
Cloudformation |
24 |
CKV_AWS_17 |
resource |
aws_db_instance |
Ensure all data stored in the RDS bucket is not public accessible |
Terraform |
25 |
CKV_AWS_17 |
resource |
aws_rds_cluster_instance |
Ensure all data stored in the RDS bucket is not public accessible |
Terraform |
26 |
CKV_AWS_17 |
resource |
AWS::RDS::DBInstance |
Ensure all data stored in the RDS bucket is not public accessible |
Cloudformation |
27 |
CKV_AWS_18 |
resource |
aws_s3_bucket |
Ensure the S3 bucket has access logging enabled |
Terraform |
28 |
CKV_AWS_18 |
resource |
AWS::S3::Bucket |
Ensure the S3 bucket has access logging enabled |
Cloudformation |
29 |
CKV_AWS_19 |
resource |
aws_s3_bucket |
Ensure all data stored in the S3 bucket is securely encrypted at rest |
Terraform |
30 |
CKV_AWS_19 |
resource |
AWS::S3::Bucket |
Ensure the S3 bucket has server-side-encryption enabled |
Cloudformation |
31 |
CKV_AWS_20 |
resource |
aws_s3_bucket |
S3 Bucket has an ACL defined which allows public READ access. |
Terraform |
32 |
CKV_AWS_20 |
resource |
AWS::S3::Bucket |
Ensure the S3 bucket does not allow READ permissions to everyone |
Cloudformation |
33 |
CKV_AWS_21 |
resource |
aws_s3_bucket |
Ensure all data stored in the S3 bucket have versioning enabled |
Terraform |
34 |
CKV_AWS_21 |
resource |
AWS::S3::Bucket |
Ensure the S3 bucket has versioning enabled |
Cloudformation |
35 |
CKV_AWS_22 |
resource |
aws_sagemaker_notebook_instance |
Ensure all data stored in the Sagemaker Notebook is securely encrypted at rest |
Terraform |
36 |
CKV_AWS_23 |
resource |
aws_security_group |
Ensure every security groups rule has a description |
Terraform |
37 |
CKV_AWS_23 |
resource |
aws_security_group_rule |
Ensure every security groups rule has a description |
Terraform |
38 |
CKV_AWS_23 |
resource |
aws_db_security_group |
Ensure every security groups rule has a description |
Terraform |
39 |
CKV_AWS_23 |
resource |
aws_elasticache_security_group |
Ensure every security groups rule has a description |
Terraform |
40 |
CKV_AWS_23 |
resource |
aws_redshift_security_group |
Ensure every security groups rule has a description |
Terraform |
41 |
CKV_AWS_23 |
resource |
AWS::EC2::SecurityGroup |
Ensure every security groups rule has a description |
Cloudformation |
42 |
CKV_AWS_23 |
resource |
AWS::EC2::SecurityGroupIngress |
Ensure every security groups rule has a description |
Cloudformation |
43 |
CKV_AWS_23 |
resource |
AWS::EC2::SecurityGroupEgress |
Ensure every security groups rule has a description |
Cloudformation |
44 |
CKV_AWS_24 |
resource |
aws_security_group |
Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 |
Terraform |
45 |
CKV_AWS_24 |
resource |
aws_security_group_rule |
Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 |
Terraform |
46 |
CKV_AWS_24 |
resource |
AWS::EC2::SecurityGroup |
Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 |
Cloudformation |
47 |
CKV_AWS_24 |
resource |
AWS::EC2::SecurityGroupIngress |
Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 |
Cloudformation |
48 |
CKV_AWS_25 |
resource |
aws_security_group |
Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 |
Terraform |
49 |
CKV_AWS_25 |
resource |
aws_security_group_rule |
Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 |
Terraform |
50 |
CKV_AWS_25 |
resource |
AWS::EC2::SecurityGroup |
Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 |
Cloudformation |
51 |
CKV_AWS_25 |
resource |
AWS::EC2::SecurityGroupIngress |
Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 |
Cloudformation |
52 |
CKV_AWS_26 |
resource |
aws_sns_topic |
Ensure all data stored in the SNS topic is encrypted |
Terraform |
53 |
CKV_AWS_26 |
resource |
AWS::SNS::Topic |
Ensure all data stored in the SNS topic is encrypted |
Cloudformation |
54 |
CKV_AWS_27 |
resource |
aws_sqs_queue |
Ensure all data stored in the SQS queue is encrypted |
Terraform |
55 |
CKV_AWS_27 |
resource |
AWS::SQS::Queue |
Ensure all data stored in the SQS queue is encrypted |
Cloudformation |
56 |
CKV_AWS_28 |
resource |
aws_dynamodb_table |
Ensure Dynamodb point in time recovery (backup) is enabled |
Terraform |
57 |
CKV_AWS_28 |
resource |
AWS::DynamoDB::Table |
Ensure Dynamodb point in time recovery (backup) is enabled |
Cloudformation |
58 |
CKV_AWS_29 |
resource |
aws_elasticache_replication_group |
Ensure all data stored in the Elasticache Replication Group is securely encrypted at rest |
Terraform |
59 |
CKV_AWS_29 |
resource |
AWS::ElastiCache::ReplicationGroup |
Ensure all data stored in the Elasticache Replication Group is securely encrypted at rest |
Cloudformation |
60 |
CKV_AWS_30 |
resource |
aws_elasticache_replication_group |
Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit |
Terraform |
61 |
CKV_AWS_30 |
resource |
AWS::ElastiCache::ReplicationGroup |
Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit |
Cloudformation |
62 |
CKV_AWS_31 |
resource |
aws_elasticache_replication_group |
Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit and has auth token |
Terraform |
63 |
CKV_AWS_31 |
resource |
AWS::ElastiCache::ReplicationGroup |
Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit and has auth token |
Cloudformation |
64 |
CKV_AWS_32 |
resource |
aws_ecr_repository_policy |
Ensure ECR policy is not set to public |
Terraform |
65 |
CKV_AWS_32 |
resource |
AWS::ECR::Repository |
Ensure ECR policy is not set to public |
Cloudformation |
66 |
CKV_AWS_33 |
resource |
aws_ecr_repository |
Ensure ECR image scanning on push is enabled |
Terraform |
67 |
CKV_AWS_33 |
resource |
AWS::KMS::Key |
Ensure KMS key policy does not contain wildcard (*) principal |
Cloudformation |
68 |
CKV_AWS_34 |
resource |
aws_cloudfront_distribution |
Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS |
Terraform |
69 |
CKV_AWS_34 |
resource |
AWS::CloudFront::Distribution |
Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS |
Cloudformation |
70 |
CKV_AWS_35 |
resource |
aws_cloudtrail |
Ensure CloudTrail logs are encrypted at rest using KMS CMKs |
Terraform |
71 |
CKV_AWS_35 |
resource |
AWS::CloudTrail::Trail |
Ensure CloudTrail logs are encrypted at rest using KMS CMKs |
Cloudformation |
72 |
CKV_AWS_36 |
resource |
aws_cloudtrail |
Ensure CloudTrail log file validation is enabled |
Terraform |
73 |
CKV_AWS_36 |
resource |
AWS::CloudTrail::Trail |
Ensure CloudTrail log file validation is enabled |
Cloudformation |
74 |
CKV_AWS_37 |
resource |
aws_eks_cluster |
Ensure Amazon EKS control plane logging enabled for all log types |
Terraform |
75 |
CKV_AWS_38 |
resource |
aws_eks_cluster |
Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0 |
Terraform |
76 |
CKV_AWS_39 |
resource |
aws_eks_cluster |
Ensure Amazon EKS public endpoint disabled |
Terraform |
77 |
CKV_AWS_40 |
resource |
aws_iam_user_policy |
Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) |
Terraform |
78 |
CKV_AWS_40 |
resource |
aws_iam_user_policy_attachment |
Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) |
Terraform |
79 |
CKV_AWS_40 |
resource |
aws_iam_policy_attachment |
Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) |
Terraform |
80 |
CKV_AWS_40 |
resource |
AWS::IAM::Policy |
Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) |
Cloudformation |
81 |
CKV_AWS_41 |
provider |
aws |
Ensure no hard coded AWS access key and secret key exists in provider |
Terraform |
82 |
CKV_AWS_41 |
resource |
serverless_aws |
Ensure no hard coded AWS access key and secret key exists in provider |
serverless |
83 |
CKV_AWS_42 |
resource |
aws_efs_file_system |
Ensure EFS is securely encrypted |
Terraform |
84 |
CKV_AWS_42 |
resource |
AWS::EFS::FileSystem |
Ensure EFS is securely encrypted |
Cloudformation |
85 |
CKV_AWS_43 |
resource |
aws_kinesis_stream |
Ensure Kinesis Stream is securely encrypted |
Terraform |
86 |
CKV_AWS_43 |
resource |
AWS::Kinesis::Stream |
Ensure Kinesis Stream is securely encrypted |
Cloudformation |
87 |
CKV_AWS_44 |
resource |
aws_neptune_cluster |
Ensure Neptune storage is securely encrypted |
Terraform |
88 |
CKV_AWS_44 |
resource |
AWS::Neptune::DBCluster |
Ensure Neptune storage is securely encrypted |
Cloudformation |
89 |
CKV_AWS_45 |
resource |
aws_lambda_function |
Ensure no hard coded AWS access key and secret key exists in lambda environment |
Terraform |
90 |
CKV_AWS_46 |
resource |
aws_instance |
Ensure no hard coded AWS access key and secret key exists in EC2 user data |
Terraform |
91 |
CKV_AWS_47 |
resource |
aws_dax_cluster |
Ensure DAX is encrypted at rest (default is unencrypted) |
Terraform |
92 |
CKV_AWS_47 |
resource |
AWS::DAX::Cluster |
Ensure DAX is encrypted at rest (default is unencrypted) |
Cloudformation |
93 |
CKV_AWS_48 |
resource |
aws_mq_broker |
Ensure MQ Broker logging is enabled |
Terraform |
94 |
CKV_AWS_49 |
data |
aws_iam_policy_document |
Ensure no IAM policies documents allow “*” as a statement’s actions |
Terraform |
95 |
CKV_AWS_49 |
resource |
serverless_aws |
Ensure no IAM policies documents allow “*” as a statement’s actions |
serverless |
96 |
CKV_AWS_50 |
resource |
aws_lambda_function |
X-ray tracing is enabled for Lambda |
Terraform |
97 |
CKV_AWS_51 |
resource |
aws_ecr_repository |
Ensure ECR Image Tags are immutable |
Terraform |
98 |
CKV_AWS_51 |
resource |
AWS::ECR::Repository |
Ensure ECR Image Tags are immutable |
Cloudformation |
99 |
CKV_AWS_52 |
resource |
aws_s3_bucket |
Ensure S3 bucket has MFA delete enabled |
Terraform |
100 |
CKV_AWS_53 |
resource |
aws_s3_bucket_public_access_block |
Ensure S3 bucket has block public ACLS enabled |
Terraform |
101 |
CKV_AWS_53 |
resource |
AWS::S3::Bucket |
Ensure S3 bucket has block public ACLS enabled |
Cloudformation |
102 |
CKV_AWS_54 |
resource |
aws_s3_bucket_public_access_block |
Ensure S3 bucket has block public policy enabled |
Terraform |
103 |
CKV_AWS_54 |
resource |
AWS::S3::Bucket |
Ensure S3 bucket has block public policy enabled |
Cloudformation |
104 |
CKV_AWS_55 |
resource |
aws_s3_bucket_public_access_block |
Ensure S3 bucket has ignore public ACLs enabled |
Terraform |
105 |
CKV_AWS_55 |
resource |
AWS::S3::Bucket |
Ensure S3 bucket has ignore public ACLs enabled |
Cloudformation |
106 |
CKV_AWS_56 |
resource |
aws_s3_bucket_public_access_block |
Ensure S3 bucket has ‘restrict_public_bucket’ enabled |
Terraform |
107 |
CKV_AWS_56 |
resource |
AWS::S3::Bucket |
Ensure S3 bucket has ‘restrict_public_bucket’ enabled |
Cloudformation |
108 |
CKV_AWS_57 |
resource |
aws_s3_bucket |
S3 Bucket has an ACL defined which allows public WRITE access. |
Terraform |
109 |
CKV_AWS_57 |
resource |
AWS::S3::Bucket |
Ensure the S3 bucket does not allow WRITE permissions to everyone |
Cloudformation |
110 |
CKV_AWS_58 |
resource |
aws_eks_cluster |
Ensure EKS Cluster has Secrets Encryption Enabled |
Terraform |
111 |
CKV_AWS_58 |
resource |
AWS::EKS::Cluster |
Ensure EKS Cluster has Secrets Encryption Enabled |
Cloudformation |
112 |
CKV_AWS_59 |
resource |
aws_api_gateway_method |
Ensure there is no open access to back-end resources through API |
Terraform |
113 |
CKV_AWS_59 |
resource |
AWS::ApiGateway::Method |
Ensure there is no open access to back-end resources through API |
Cloudformation |
114 |
CKV_AWS_60 |
resource |
aws_iam_role |
Ensure IAM role allows only specific services or principals to assume it |
Terraform |
115 |
CKV_AWS_61 |
resource |
aws_iam_role |
Ensure IAM role allows only specific principals in account to assume it |
Terraform |
116 |
CKV_AWS_61 |
resource |
AWS::IAM::Role |
Ensure IAM role allows only specific principals in account to assume it |
Cloudformation |
117 |
CKV_AWS_62 |
resource |
aws_iam_role_policy |
Ensure IAM policies that allow full “-” administrative privileges are not created |
Terraform |
118 |
CKV_AWS_62 |
resource |
aws_iam_user_policy |
Ensure IAM policies that allow full “-” administrative privileges are not created |
Terraform |
119 |
CKV_AWS_62 |
resource |
aws_iam_group_policy |
Ensure IAM policies that allow full “-” administrative privileges are not created |
Terraform |
120 |
CKV_AWS_62 |
resource |
aws_iam_policy |
Ensure IAM policies that allow full “-” administrative privileges are not created |
Terraform |
121 |
CKV_AWS_63 |
resource |
aws_iam_role_policy |
Ensure no IAM policies documents allow “*” as a statement’s actions |
Terraform |
122 |
CKV_AWS_63 |
resource |
aws_iam_user_policy |
Ensure no IAM policies documents allow “*” as a statement’s actions |
Terraform |
123 |
CKV_AWS_63 |
resource |
aws_iam_group_policy |
Ensure no IAM policies documents allow “*” as a statement’s actions |
Terraform |
124 |
CKV_AWS_63 |
resource |
aws_iam_policy |
Ensure no IAM policies documents allow “*” as a statement’s actions |
Terraform |
125 |
CKV_AWS_64 |
resource |
aws_redshift_cluster |
Ensure all data stored in the Redshift cluster is securely encrypted at rest |
Terraform |
126 |
CKV_AWS_64 |
resource |
AWS::Redshift::Cluster |
Ensure all data stored in the Redshift cluster is securely encrypted at rest |
Cloudformation |
127 |
CKV_AWS_65 |
resource |
aws_ecs_cluster |
Ensure container insights are enabled on ECS cluster |
Terraform |
128 |
CKV_AWS_65 |
resource |
AWS::ECS::Cluster |
Ensure container insights are enabled on ECS cluster |
Cloudformation |
129 |
CKV_AWS_66 |
resource |
aws_cloudwatch_log_group |
Ensure cloudwatch log groups specify retention days |
Terraform |
130 |
CKV_AWS_66 |
resource |
AWS::Logs::LogGroup |
Ensure cloudwatch log groups specify retention days |
Cloudformation |
131 |
CKV_AWS_67 |
resource |
aws_cloudtrail |
Ensure CloudTrail is enabled in all Regions |
Terraform |
132 |
CKV_AWS_67 |
resource |
AWS::CloudTrail::Trail |
Ensure CloudTrail is enabled in all Regions |
Cloudformation |
133 |
CKV_AWS_68 |
resource |
aws_cloudfront_distribution |
CloudFront Distribution should have WAF enabled |
Terraform |
134 |
CKV_AWS_68 |
resource |
AWS::CloudFront::Distribution |
CloudFront Distribution should have WAF enabled |
Cloudformation |
135 |
CKV_AWS_69 |
resource |
aws_mq_broker |
Ensure MQ Broker is not publicly exposed |
Terraform |
136 |
CKV_AWS_70 |
resource |
aws_s3_bucket |
Ensure S3 bucket does not allow an action with any Principal |
Terraform |
137 |
CKV_AWS_70 |
resource |
aws_s3_bucket_policy |
Ensure S3 bucket does not allow an action with any Principal |
Terraform |
138 |
CKV_AWS_71 |
resource |
aws_redshift_cluster |
Ensure Redshift Cluster logging is enabled |
Terraform |
139 |
CKV_AWS_72 |
resource |
aws_sqs_queue_policy |
Ensure SQS policy does not allow ALL (*) actions. |
Terraform |
140 |
CKV_AWS_73 |
resource |
aws_api_gateway_stage |
Ensure API Gateway has X-Ray Tracing enabled |
Terraform |
141 |
CKV_AWS_73 |
resource |
AWS::ApiGateway::Stage |
Ensure API Gateway has X-Ray Tracing enabled |
Cloudformation |
142 |
CKV_AWS_74 |
resource |
aws_docdb_cluster |
Ensure DocDB is encrypted at rest (default is unencrypted) |
Terraform |
143 |
CKV_AWS_74 |
resource |
AWS::DocDB::DBCluster |
Ensure DocDB is encrypted at rest (default is unencrypted) |
Cloudformation |
144 |
CKV_AWS_75 |
resource |
aws_globalaccelerator_accelerator |
Ensure Global Accelerator accelerator has flow logs enabled |
Terraform |
145 |
CKV_AWS_76 |
resource |
aws_api_gateway_stage |
Ensure API Gateway has Access Logging enabled |
Terraform |
146 |
CKV_AWS_76 |
resource |
aws_apigatewayv2_stage |
Ensure API Gateway has Access Logging enabled |
Terraform |
147 |
CKV_AWS_76 |
resource |
AWS::ApiGateway::Stage |
Ensure API Gateway has Access Logging enabled |
Cloudformation |
148 |
CKV_AWS_77 |
resource |
aws_athena_database |
Ensure Athena Database is encrypted at rest (default is unencrypted) |
Terraform |
149 |
CKV_AWS_78 |
resource |
aws_codebuild_project |
Ensure that CodeBuild Project encryption is not disabled |
Terraform |
150 |
CKV_AWS_79 |
resource |
aws_instance |
Ensure Instance Metadata Service Version 1 is not enabled |
Terraform |
151 |
CKV_AWS_79 |
resource |
aws_launch_template |
Ensure Instance Metadata Service Version 1 is not enabled |
Terraform |
152 |
CKV_AWS_80 |
resource |
aws_msk_cluster |
Ensure MSK Cluster logging is enabled |
Terraform |
153 |
CKV_AWS_81 |
resource |
aws_msk_cluster |
Ensure MSK Cluster encryption in rest and transit is enabled |
Terraform |
154 |
CKV_AWS_82 |
resource |
aws_athena_workgroup |
Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption |
Terraform |
155 |
CKV_AWS_82 |
resource |
AWS::Athena::WorkGroup |
Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption |
Cloudformation |
156 |
CKV_AWS_83 |
resource |
aws_elasticsearch_domain |
Ensure Elasticsearch Domain enforces HTTPS |
Terraform |
157 |
CKV_AWS_84 |
resource |
aws_elasticsearch_domain |
Ensure Elasticsearch Domain Logging is enabled |
Terraform |
158 |
CKV_AWS_85 |
resource |
aws_docdb_cluster |
Ensure DocDB Logging is enabled |
Terraform |
159 |
CKV_AWS_85 |
resource |
AWS::DocDB::DBCluster |
Ensure DocDB Logging is enabled |
Cloudformation |
160 |
CKV_AWS_86 |
resource |
aws_cloudfront_distribution |
Ensure Cloudfront distribution has Access Logging enabled |
Terraform |
161 |
CKV_AWS_86 |
resource |
AWS::CloudFront::Distribution |
Ensure Cloudfront distribution has Access Logging enabled |
Cloudformation |
162 |
CKV_AWS_87 |
resource |
aws_redshift_cluster |
Redshift cluster should not be publicly accessible |
Terraform |
163 |
CKV_AWS_88 |
resource |
aws_instance |
EC2 instance should not have public IP. |
Terraform |
164 |
CKV_AWS_88 |
resource |
aws_launch_template |
EC2 instance should not have public IP. |
Terraform |
165 |
CKV_AWS_89 |
resource |
aws_dms_replication_instance |
DMS replication instance should not be publicly accessible |
Terraform |
166 |
CKV_AWS_90 |
resource |
aws_docdb_cluster_parameter_group |
Ensure DocDB TLS is not disabled |
Terraform |
167 |
CKV_AWS_90 |
resource |
AWS::DocDB::DBClusterParameterGroup |
Ensure DocDB TLS is not disabled |
Cloudformation |
168 |
CKV_AWS_91 |
resource |
aws_lb |
Ensure the ELBv2 (Application/Network) has access logging enabled |
Terraform |
169 |
CKV_AWS_91 |
resource |
aws_alb |
Ensure the ELBv2 (Application/Network) has access logging enabled |
Terraform |
170 |
CKV_AWS_92 |
resource |
aws_elb |
Ensure the ELB has access logging enabled |
Terraform |
171 |
CKV_AWS_93 |
resource |
aws_s3_bucket |
Ensure S3 bucket policy does not lockout all but root user. (Prevent lockouts needing root account fixes) |
Terraform |
172 |
CKV_AWS_93 |
resource |
aws_s3_bucket_policy |
Ensure S3 bucket policy does not lockout all but root user. (Prevent lockouts needing root account fixes) |
Terraform |
173 |
CKV_AWS_94 |
resource |
aws_glue_data_catalog_encryption_settings |
Ensure Glue Data Catalog Encryption is enabled |
Terraform |
174 |
CKV_AWS_95 |
resource |
AWS::ApiGatewayV2::Stage |
Ensure API Gateway V2 has Access Logging enabled |
Cloudformation |
175 |
CKV_AWS_96 |
resource |
aws_rds_cluster |
Ensure all data stored in Aurrora is securely encrypted at rest |
Terraform |
176 |
CKV_AWS_96 |
resource |
AWS::RDS::DBCluster |
Ensure all data stored in Aurrora is securely encrypted at rest |
Cloudformation |
177 |
CKV_AWS_97 |
resource |
aws_ecs_task_definition |
Ensure Encryption in transit is enabled for ECS Task defintion EFS volumes |
Terraform |
178 |
CKV_AWS_98 |
resource |
aws_sagemaker_endpoint_configuration |
Ensure all data stored in the Sagemaker Endpoint is securely encrypted at rest |
Terraform |
179 |
CKV_AWS_99 |
resource |
aws_glue_security_configuration |
Ensure Glue Security Configuration Encryption is enabled |
Terraform |
180 |
CKV_AWS_100 |
resource |
aws_eks_node_group |
Ensure Amazon EKS Node group has implict SSH access from 0.0.0.0/0 |
Terraform |
181 |
CKV_AZURE_1 |
resource |
azurerm_virtual_machine |
Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) |
Terraform |
182 |
CKV_AZURE_1 |
resource |
azurerm_linux_virtual_machine |
Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) |
Terraform |
183 |
CKV_AZURE_1 |
resource |
Microsoft.Compute/virtualMachines |
Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) |
arm |
184 |
CKV_AZURE_2 |
resource |
azurerm_managed_disk |
Ensure Azure managed disk have encryption enabled |
Terraform |
185 |
CKV_AZURE_2 |
resource |
Microsoft.Compute/disks |
Ensure Azure managed disk have encryption enabled |
arm |
186 |
CKV_AZURE_3 |
resource |
azurerm_storage_account |
Ensure that ‘Secure transfer required’ is set to ‘Enabled’ |
Terraform |
187 |
CKV_AZURE_3 |
resource |
Microsoft.Storage/storageAccounts |
Ensure that ‘supportsHttpsTrafficOnly’ is set to ‘true’ |
arm |
188 |
CKV_AZURE_4 |
resource |
azurerm_kubernetes_cluster |
Ensure AKS logging to Azure Monitoring is Configured |
Terraform |
189 |
CKV_AZURE_4 |
resource |
Microsoft.ContainerService/managedClusters |
Ensure AKS logging to Azure Monitoring is Configured |
arm |
190 |
CKV_AZURE_5 |
resource |
azurerm_kubernetes_cluster |
Ensure RBAC is enabled on AKS clusters |
Terraform |
191 |
CKV_AZURE_5 |
resource |
Microsoft.ContainerService/managedClusters |
Ensure RBAC is enabled on AKS clusters |
arm |
192 |
CKV_AZURE_6 |
resource |
azurerm_kubernetes_cluster |
Ensure AKS has an API Server Authorized IP Ranges enabled |
Terraform |
193 |
CKV_AZURE_6 |
resource |
Microsoft.ContainerService/managedClusters |
Ensure AKS has an API Server Authorized IP Ranges enabled |
arm |
194 |
CKV_AZURE_7 |
resource |
azurerm_kubernetes_cluster |
Ensure AKS cluster has Network Policy configured |
Terraform |
195 |
CKV_AZURE_7 |
resource |
Microsoft.ContainerService/managedClusters |
Ensure AKS cluster has Network Policy configured |
arm |
196 |
CKV_AZURE_8 |
resource |
azurerm_kubernetes_cluster |
Ensure Kube Dashboard is disabled |
Terraform |
197 |
CKV_AZURE_8 |
resource |
Microsoft.ContainerService/managedClusters |
Ensure Kubernetes Dashboard is disabled |
arm |
198 |
CKV_AZURE_9 |
resource |
azurerm_network_security_rule |
Ensure that RDP access is restricted from the internet |
Terraform |
199 |
CKV_AZURE_9 |
resource |
azurerm_network_security_group |
Ensure that RDP access is restricted from the internet |
Terraform |
200 |
CKV_AZURE_9 |
resource |
Microsoft.Network/networkSecurityGroups |
Ensure that RDP access is restricted from the internet |
arm |
201 |
CKV_AZURE_9 |
resource |
Microsoft.Network/networkSecurityGroups/securityRules |
Ensure that RDP access is restricted from the internet |
arm |
202 |
CKV_AZURE_10 |
resource |
azurerm_network_security_rule |
Ensure that SSH access is restricted from the internet |
Terraform |
203 |
CKV_AZURE_10 |
resource |
azurerm_network_security_group |
Ensure that SSH access is restricted from the internet |
Terraform |
204 |
CKV_AZURE_10 |
resource |
Microsoft.Network/networkSecurityGroups |
Ensure that SSH access is restricted from the internet |
arm |
205 |
CKV_AZURE_10 |
resource |
Microsoft.Network/networkSecurityGroups/securityRules |
Ensure that SSH access is restricted from the internet |
arm |
206 |
CKV_AZURE_11 |
resource |
azurerm_mariadb_firewall_rule |
Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) |
Terraform |
207 |
CKV_AZURE_11 |
resource |
azurerm_sql_firewall_rule |
Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) |
Terraform |
208 |
CKV_AZURE_11 |
resource |
azurerm_postgresql_firewall_rule |
Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) |
Terraform |
209 |
CKV_AZURE_11 |
resource |
azurerm_mysql_firewall_rule |
Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) |
Terraform |
210 |
CKV_AZURE_11 |
resource |
Microsoft.Sql/servers |
Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) |
arm |
211 |
CKV_AZURE_12 |
resource |
azurerm_network_watcher_flow_log |
Ensure that Network Security Group Flow Log retention period is ‘greater than 90 days’ |
Terraform |
212 |
CKV_AZURE_12 |
resource |
Microsoft.Network/networkWatchers/flowLogs |
Ensure that Network Security Group Flow Log retention period is ‘greater than 90 days’ |
arm |
213 |
CKV_AZURE_12 |
resource |
Microsoft.Network/networkWatchers/FlowLogs |
Ensure that Network Security Group Flow Log retention period is ‘greater than 90 days’ |
arm |
214 |
CKV_AZURE_12 |
resource |
Microsoft.Network/networkWatchers/flowLogs/ |
Ensure that Network Security Group Flow Log retention period is ‘greater than 90 days’ |
arm |
215 |
CKV_AZURE_12 |
resource |
Microsoft.Network/networkWatchers/FlowLogs/ |
Ensure that Network Security Group Flow Log retention period is ‘greater than 90 days’ |
arm |
216 |
CKV_AZURE_13 |
resource |
azurerm_app_service |
Ensure App Service Authentication is set on Azure App Service |
Terraform |
217 |
CKV_AZURE_13 |
resource |
Microsoft.Web/sites/config |
Ensure App Service Authentication is set on Azure App Service |
arm |
218 |
CKV_AZURE_13 |
resource |
config |
Ensure App Service Authentication is set on Azure App Service |
arm |
219 |
CKV_AZURE_14 |
resource |
azurerm_app_service |
Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service |
Terraform |
220 |
CKV_AZURE_14 |
resource |
Microsoft.Web/sites |
Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service |
arm |
221 |
CKV_AZURE_15 |
resource |
azurerm_app_service |
Ensure web app is using the latest version of TLS encryption |
Terraform |
222 |
CKV_AZURE_15 |
resource |
Microsoft.Web/sites |
Ensure web app is using the latest version of TLS encryption |
arm |
223 |
CKV_AZURE_16 |
resource |
azurerm_app_service |
Ensure that Register with Azure Active Directory is enabled on App Service |
Terraform |
224 |
CKV_AZURE_16 |
resource |
Microsoft.Web/sites |
Ensure that Register with Azure Active Directory is enabled on App Service |
arm |
225 |
CKV_AZURE_17 |
resource |
azurerm_app_service |
Ensure the web app has ‘Client Certificates (Incoming client certificates)’ set |
Terraform |
226 |
CKV_AZURE_17 |
resource |
Microsoft.Web/sites |
Ensure the web app has ‘Client Certificates (Incoming client certificates)’ set |
arm |
| | Id | Type | Entity | Policy | IaC |
|---|---|---|---|---|---|
| 227 | CKV_AZURE_18 | resource | azurerm_app_service | Ensure that ‘HTTP Version’ is the latest if used to run the web app | Terraform |
| 228 | CKV_AZURE_18 | resource | Microsoft.Web/sites | Ensure that ‘HTTP Version’ is the latest if used to run the web app | arm |
| 229 | CKV_AZURE_19 | resource | azurerm_security_center_subscription_pricing | Ensure that standard pricing tier is selected | Terraform |
| 230 | CKV_AZURE_19 | resource | Microsoft.Security/pricings | Ensure that standard pricing tier is selected | arm |
| 231 | CKV_AZURE_20 | resource | azurerm_security_center_contact | Ensure that security contact ‘Phone number’ is set | Terraform |
| 232 | CKV_AZURE_20 | resource | Microsoft.Security/securityContacts | Ensure that security contact ‘Phone number’ is set | arm |
| 233 | CKV_AZURE_21 | resource | azurerm_security_center_contact | Ensure that ‘Send email notification for high severity alerts’ is set to ‘On’ | Terraform |
| 234 | CKV_AZURE_21 | resource | Microsoft.Security/securityContacts | Ensure that ‘Send email notification for high severity alerts’ is set to ‘On’ | arm |
| 235 | CKV_AZURE_22 | resource | azurerm_security_center_contact | Ensure that ‘Send email notification for high severity alerts’ is set to ‘On’ | Terraform |
| 236 | CKV_AZURE_22 | resource | Microsoft.Security/securityContacts | Ensure that ‘Send email notification for high severity alerts’ is set to ‘On’ | arm |
| 237 | CKV_AZURE_23 | resource | azurerm_sql_server | Ensure that ‘Auditing’ is set to ‘On’ for SQL servers | Terraform |
| 238 | CKV_AZURE_23 | resource | azurerm_mssql_server | Ensure that ‘Auditing’ is set to ‘On’ for SQL servers | Terraform |
| 239 | CKV_AZURE_23 | resource | Microsoft.Sql/servers | Ensure that ‘Auditing’ is set to ‘Enabled’ for SQL servers | arm |
| 240 | CKV_AZURE_24 | resource | azurerm_sql_server | Ensure that ‘Auditing’ Retention is ‘greater than 90 days’ for SQL servers | Terraform |
| 241 | CKV_AZURE_24 | resource | azurerm_mssql_server | Ensure that ‘Auditing’ Retention is ‘greater than 90 days’ for SQL servers | Terraform |
| 242 | CKV_AZURE_24 | resource | Microsoft.Sql/servers | Ensure that ‘Auditing’ Retention is ‘greater than 90 days’ for SQL servers | arm |
| 243 | CKV_AZURE_25 | resource | azurerm_mssql_server_security_alert_policy | Ensure that ‘Threat Detection types’ is set to ‘All’ | Terraform |
| 244 | CKV_AZURE_25 | resource | Microsoft.Sql/servers/databases | Ensure that ‘Threat Detection types’ is set to ‘All’ | arm |
| 245 | CKV_AZURE_26 | resource | azurerm_mssql_server_security_alert_policy | Ensure that ‘Send Alerts To’ is enabled for MSSQL servers | Terraform |
| 246 | CKV_AZURE_26 | resource | Microsoft.Sql/servers/databases | Ensure that ‘Send Alerts To’ is enabled for MSSQL servers | arm |
| 247 | CKV_AZURE_27 | resource | azurerm_mssql_server_security_alert_policy | Ensure that ‘Email service and co-administrators’ is ‘Enabled’ for MSSQL servers | Terraform |
| 248 | CKV_AZURE_27 | resource | Microsoft.Sql/servers/databases | Ensure that ‘Email service and co-administrators’ is ‘Enabled’ for MSSQL servers | arm |
| 249 | CKV_AZURE_28 | resource | azurerm_mysql_server | Ensure ‘Enforce SSL connection’ is set to ‘ENABLED’ for MySQL Database Server | Terraform |
| 250 | CKV_AZURE_28 | resource | Microsoft.DBforMySQL/servers | Ensure ‘Enforce SSL connection’ is set to ‘ENABLED’ for MySQL Database Server | arm |
| 251 | CKV_AZURE_29 | resource | azurerm_postgresql_server | Ensure ‘Enforce SSL connection’ is set to ‘ENABLED’ for PostgreSQL Database Server | Terraform |
| 252 | CKV_AZURE_29 | resource | Microsoft.DBforPostgreSQL/servers | Ensure ‘Enforce SSL connection’ is set to ‘ENABLED’ for PostgreSQL Database Server | arm |
| 253 | CKV_AZURE_30 | resource | azurerm_postgresql_configuration | Ensure server parameter ‘log_checkpoints’ is set to ‘ON’ for PostgreSQL Database Server | Terraform |
| 254 | CKV_AZURE_30 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure server parameter ‘log_checkpoints’ is set to ‘ON’ for PostgreSQL Database Server | arm |
| 255 | CKV_AZURE_30 | resource | configurations | Ensure server parameter ‘log_checkpoints’ is set to ‘ON’ for PostgreSQL Database Server | arm |
| 256 | CKV_AZURE_31 | resource | azurerm_postgresql_configuration | Ensure server parameter ‘log_connections’ is set to ‘ON’ for PostgreSQL Database Server | Terraform |
| 257 | CKV_AZURE_31 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure configuration ‘log_connections’ is set to ‘ON’ for PostgreSQL Database Server | arm |
| 258 | CKV_AZURE_31 | resource | configurations | Ensure configuration ‘log_connections’ is set to ‘ON’ for PostgreSQL Database Server | arm |
| 259 | CKV_AZURE_32 | resource | azurerm_postgresql_configuration | Ensure server parameter ‘connection_throttling’ is set to ‘ON’ for PostgreSQL Database Server | Terraform |
| 260 | CKV_AZURE_32 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure server parameter ‘connection_throttling’ is set to ‘ON’ for PostgreSQL Database Server | arm |
| 261 | CKV_AZURE_32 | resource | configurations | Ensure server parameter ‘connection_throttling’ is set to ‘ON’ for PostgreSQL Database Server | arm |
| 262 | CKV_AZURE_33 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Queue service for read, write and delete requests | Terraform |
| 263 | CKV_AZURE_33 | resource | Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings | Ensure Storage logging is enabled for Queue service for read, write and delete requests | arm |
| 264 | CKV_AZURE_34 | resource | azurerm_storage_container | Ensure that ‘Public access level’ is set to Private for blob containers | Terraform |
| 265 | CKV_AZURE_34 | resource | Microsoft.Storage/storageAccounts/blobServices/containers | Ensure that ‘Public access level’ is set to Private for blob containers | arm |
| 266 | CKV_AZURE_34 | resource | containers | Ensure that ‘Public access level’ is set to Private for blob containers | arm |
| 267 | CKV_AZURE_34 | resource | blobServices/containers | Ensure that ‘Public access level’ is set to Private for blob containers | arm |
| 268 | CKV_AZURE_35 | resource | azurerm_storage_account | Ensure default network access rule for Storage Accounts is set to deny | Terraform |
| 269 | CKV_AZURE_35 | resource | azurerm_storage_account_network_rules | Ensure default network access rule for Storage Accounts is set to deny | Terraform |
| 270 | CKV_AZURE_35 | resource | Microsoft.Storage/storageAccounts | Ensure default network access rule for Storage Accounts is set to deny | arm |
| 271 | CKV_AZURE_36 | resource | azurerm_storage_account | Ensure ‘Trusted Microsoft Services’ is enabled for Storage Account access | Terraform |
| 272 | CKV_AZURE_36 | resource | azurerm_storage_account_network_rules | Ensure ‘Trusted Microsoft Services’ is enabled for Storage Account access | Terraform |
| 273 | CKV_AZURE_36 | resource | Microsoft.Storage/storageAccounts | Ensure ‘Trusted Microsoft Services’ is enabled for Storage Account access | arm |
| 274 | CKV_AZURE_37 | resource | azurerm_monitor_log_profile | Ensure that Activity Log Retention is set 365 days or greater | Terraform |
| 275 | CKV_AZURE_37 | resource | microsoft.insights/logprofiles | Ensure that Activity Log Retention is set 365 days or greater | arm |
| 276 | CKV_AZURE_38 | resource | azurerm_monitor_log_profile | Ensure audit profile captures all the activities | Terraform |
| 277 | CKV_AZURE_38 | resource | microsoft.insights/logprofiles | Ensure audit profile captures all the activities | arm |
| 278 | CKV_AZURE_39 | resource | azurerm_role_definition | Ensure that no custom subscription owner roles are created | Terraform |
| 279 | CKV_AZURE_39 | resource | Microsoft.Authorization/roleDefinitions | Ensure that no custom subscription owner roles are created | arm |
| 280 | CKV_AZURE_40 | resource | azurerm_key_vault_key | Ensure that the expiration date is set on all keys | Terraform |
| 281 | CKV_AZURE_41 | resource | azurerm_key_vault_secret | Ensure that the expiration date is set on all secrets | Terraform |
| 282 | CKV_AZURE_41 | resource | Microsoft.KeyVault/vaults/secrets | Ensure that the expiration date is set on all secrets | arm |
| 283 | CKV_AZURE_42 | resource | azurerm_key_vault | Ensure the key vault is recoverable | Terraform |
| 284 | CKV_AZURE_42 | resource | Microsoft.KeyVault/vaults | Ensure the key vault is recoverable | arm |
| 285 | CKV_AZURE_43 | resource | azurerm_storage_account | Ensure the Storage Account naming rules | Terraform |
| 286 | CKV_AZURE_44 | resource | azurerm_storage_account | Ensure Storage Account is using the latest version of TLS encryption | Terraform |
| 287 | CKV_AZURE_45 | resource | azurerm_virtual_machine | Ensure that no sensitive credentials are exposed in VM custom_data | Terraform |
| 288 | CKV_GCP_1 | resource | google_container_cluster | Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters | Terraform |
| 289 | CKV_GCP_2 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted ssh access | Terraform |
| 290 | CKV_GCP_3 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted rdp access | Terraform |
| 291 | CKV_GCP_4 | resource | google_compute_ssl_policy | Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites | Terraform |
| 292 | CKV_GCP_5 | resource | google_storage_bucket | Ensure Google storage bucket have encryption enabled | Terraform |
| 293 | CKV_GCP_6 | resource | google_sql_database_instance | Ensure all Cloud SQL database instance requires all incoming connections to use SSL | Terraform |
| 294 | CKV_GCP_7 | resource | google_container_cluster | Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters | Terraform |
| 295 | CKV_GCP_8 | resource | google_container_cluster | Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters | Terraform |
| 296 | CKV_GCP_9 | resource | google_container_node_pool | Ensure ‘Automatic node repair’ is enabled for Kubernetes Clusters | Terraform |
| 297 | CKV_GCP_10 | resource | google_container_node_pool | Ensure ‘Automatic node upgrade’ is enabled for Kubernetes Clusters | Terraform |
| 298 | CKV_GCP_11 | resource | google_sql_database_instance | Ensure that Cloud SQL database Instances are not open to the world | Terraform |
| 299 | CKV_GCP_12 | resource | google_container_cluster | Ensure Network Policy is enabled on Kubernetes Engine Clusters | Terraform |
| 300 | CKV_GCP_13 | resource | google_container_cluster | Ensure a client certificate is used by clients to authenticate to Kubernetes Engine Clusters | Terraform |
| 301 | CKV_GCP_14 | resource | google_sql_database_instance | Ensure all Cloud SQL database instance have backup configuration enabled | Terraform |
| 302 | CKV_GCP_15 | resource | google_bigquery_dataset | Ensure that BigQuery datasets are not anonymously or publicly accessible | Terraform |
| 303 | CKV_GCP_16 | resource | google_dns_managed_zone | Ensure that DNSSEC is enabled for Cloud DNS | Terraform |
| 304 | CKV_GCP_17 | resource | google_dns_managed_zone | Ensure that RSASHA1 is not used for the zone-signing and key-signing keys in Cloud DNS DNSSEC | Terraform |
| 305 | CKV_GCP_18 | resource | google_container_cluster | Ensure GKE Control Plane is not public | Terraform |
| 306 | CKV_GCP_19 | resource | google_container_cluster | Ensure GKE basic auth is disabled | Terraform |
| 307 | CKV_GCP_20 | resource | google_container_cluster | Ensure master authorized networks is set to enabled in GKE clusters | Terraform |
| 308 | CKV_GCP_21 | resource | google_container_cluster | Ensure Kubernetes Clusters are configured with Labels | Terraform |
| 309 | CKV_GCP_22 | resource | google_container_node_pool | Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image | Terraform |
| 310 | CKV_GCP_23 | resource | google_container_cluster | Ensure Kubernetes Cluster is created with Alias IP ranges enabled | Terraform |
| 311 | CKV_GCP_24 | resource | google_container_cluster | Ensure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters | Terraform |
| 312 | CKV_GCP_25 | resource | google_container_cluster | Ensure Kubernetes Cluster is created with Private cluster enabled | Terraform |
| 313 | CKV_GCP_26 | resource | google_compute_subnetwork | Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network | Terraform |
| 314 | CKV_GCP_27 | resource | google_project | Ensure that the default network does not exist in a project | Terraform |
| 315 | CKV_GCP_28 | resource | google_storage_bucket_iam_member | Ensure that Cloud Storage bucket is not anonymously or publicly accessible | Terraform |
| 316 | CKV_GCP_28 | resource | google_storage_bucket_iam_binding | Ensure that Cloud Storage bucket is not anonymously or publicly accessible | Terraform |
| 317 | CKV_GCP_29 | resource | google_storage_bucket | Ensure that Cloud Storage buckets have uniform bucket-level access enabled | Terraform |
| 318 | CKV_GCP_30 | resource | google_compute_instance | Ensure that instances are not configured to use the default service account | Terraform |
| 319 | CKV_GCP_31 | resource | google_compute_instance | Ensure that instances are not configured to use the default service account with full access to all Cloud APIs | Terraform |
| 320 | CKV_GCP_32 | resource | google_compute_instance | Ensure ‘Block Project-wide SSH keys’ is enabled for VM instances | Terraform |
| 321 | CKV_GCP_33 | resource | google_compute_project_metadata | Ensure oslogin is enabled for a Project | Terraform |
| 322 | CKV_GCP_34 | resource | google_compute_instance | Ensure that no instance in the project overrides the project setting for enabling OSLogin (OSLogin needs to be enabled in project metadata for all instances) | Terraform |
| 323 | CKV_GCP_35 | resource | google_compute_instance | Ensure ‘Enable connecting to serial ports’ is not enabled for VM Instance | Terraform |
| 324 | CKV_GCP_36 | resource | google_compute_instance | Ensure that IP forwarding is not enabled on Instances | Terraform |
| 325 | CKV_GCP_37 | resource | google_compute_disk | Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform |
| 326 | CKV_GCP_38 | resource | google_compute_instance | Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform |
| 327 | CKV_GCP_39 | resource | google_compute_instance | Ensure Compute instances are launched with Shielded VM enabled | Terraform |
| 328 | CKV_GCP_40 | resource | google_compute_instance | Ensure that Compute instances do not have public IP addresses | Terraform |
| 329 | CKV_GCP_41 | resource | google_project_iam_member | Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level | Terraform |
| 330 | CKV_GCP_41 | resource | google_project_iam_binding | Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level | Terraform |
| 331 | CKV_GCP_42 | resource | google_project_iam_member | Ensure that Service Account has no Admin privileges | Terraform |
| 332 | CKV_GCP_43 | resource | google_kms_crypto_key | Ensure KMS encryption keys are rotated within a period of 90 days | Terraform |
| 333 | CKV_GCP_44 | resource | google_folder_iam_member | Ensure no roles that enable to impersonate and manage all service accounts are used at a folder level | Terraform |
| 334 | CKV_GCP_44 | resource | google_folder_iam_binding | Ensure no roles that enable to impersonate and manage all service accounts are used at a folder level | Terraform |
| 335 | CKV_GCP_45 | resource | google_organization_iam_member | Ensure no roles that enable to impersonate and manage all service accounts are used at an organization level | Terraform |
| 336 | CKV_GCP_45 | resource | google_organization_iam_binding | Ensure no roles that enable to impersonate and manage all service accounts are used at an organization level | Terraform |
| 337 | CKV_GCP_46 | resource | google_project_iam_member | Ensure Default Service account is not used at a project level | Terraform |
| 338 | CKV_GCP_46 | resource | google_project_iam_binding | Ensure Default Service account is not used at a project level | Terraform |
| 339 | CKV_GCP_47 | resource | google_organization_iam_member | Ensure default service account is not used at an organization level | Terraform |
| 340 | CKV_GCP_47 | resource | google_organization_iam_binding | Ensure default service account is not used at an organization level | Terraform |
| 341 | CKV_GCP_48 | resource | google_folder_iam_member | Ensure Default Service account is not used at a folder level | Terraform |
| 342 | CKV_GCP_48 | resource | google_folder_iam_binding | Ensure Default Service account is not used at a folder level | Terraform |
| 343 | CKV_GCP_49 | resource | google_project_iam_member | Ensure no roles that enable to impersonate and manage all service accounts are used at a project level | Terraform |
| 344 | CKV_GCP_49 | resource | google_project_iam_binding | Ensure no roles that enable to impersonate and manage all service accounts are used at a project level | Terraform |
| 345 | CKV_GCP_50 | resource | google_sql_database_instance | Ensure MySQL database ‘local_infile’ flag is set to ‘off’ | Terraform |
| 346 | CKV_GCP_51 | resource | google_sql_database_instance | Ensure PostgreSQL database ‘log_checkpoints’ flag is set to ‘on’ | Terraform |
| 347 | CKV_GCP_52 | resource | google_sql_database_instance | Ensure PostgreSQL database ‘log_connections’ flag is set to ‘on’ | Terraform |
| 348 | CKV_GCP_53 | resource | google_sql_database_instance | Ensure PostgreSQL database ‘log_disconnections’ flag is set to ‘on’ | Terraform |
| 349 | CKV_GCP_54 | resource | google_sql_database_instance | Ensure PostgreSQL database ‘log_lock_waits’ flag is set to ‘on’ | Terraform |
| 350 | CKV_GCP_55 | resource | google_sql_database_instance | Ensure PostgreSQL database ‘log_min_messages’ flag is set to a valid value | Terraform |
| 351 | CKV_GCP_56 | resource | google_sql_database_instance | Ensure PostgreSQL database ‘log_temp_files’ flag is set to ‘0’ | Terraform |
| 352 | CKV_GCP_57 | resource | google_sql_database_instance | Ensure PostgreSQL database ‘log_min_duration_statement’ flag is set to ‘-1’ | Terraform |
| 353 | CKV_GCP_58 | resource | google_sql_database_instance | Ensure SQL database ‘cross db ownership chaining’ flag is set to ‘off’ | Terraform |
| 354 | CKV_GCP_59 | resource | google_sql_database_instance | Ensure SQL database ‘contained database authentication’ flag is set to ‘off’ | Terraform |
| 355 | CKV_GCP_60 | resource | google_sql_database_instance | Ensure SQL database do not have public IP | Terraform |
| 356 | CKV_GIT_1 | resource | github_repository | Ensure Repository is Private | Terraform |
| 357 | CKV_K8S_1 | PodSecurityPolicy | PodSecurityPolicy | Do not admit containers wishing to share the host process ID namespace | Kubernetes |
| 358 | CKV_K8S_2 | PodSecurityPolicy | PodSecurityPolicy | Do not admit privileged containers | Kubernetes |
| 359 | CKV_K8S_3 | PodSecurityPolicy | PodSecurityPolicy | Do not admit containers wishing to share the host IPC namespace | Kubernetes |
| 360 | CKV_K8S_4 | PodSecurityPolicy | PodSecurityPolicy | Do not admit containers wishing to share the host network namespace | Kubernetes |
| 361 | CKV_K8S_5 | PodSecurityPolicy | PodSecurityPolicy | Containers should not run with allowPrivilegeEscalation | Kubernetes |
| 362 | CKV_K8S_6 | PodSecurityPolicy | PodSecurityPolicy | Do not admit root containers | Kubernetes |
| 363 | CKV_K8S_7 | PodSecurityPolicy | PodSecurityPolicy | Do not admit containers with the NET_RAW capability | Kubernetes |
| 364 | CKV_K8S_8 | PodSecurityPolicy | containers | Liveness Probe Should be Configured | Kubernetes |
| 365 | CKV_K8S_9 | PodSecurityPolicy | containers | Readiness Probe Should be Configured | Kubernetes |
| 366 | CKV_K8S_10 | PodSecurityPolicy | containers | CPU requests should be set | Kubernetes |
| 367 | CKV_K8S_10 | PodSecurityPolicy | initContainers | CPU requests should be set | Kubernetes |
| 368 | CKV_K8S_11 | PodSecurityPolicy | containers | CPU limits should be set | Kubernetes |
| 369 | CKV_K8S_11 | PodSecurityPolicy | initContainers | CPU limits should be set | Kubernetes |
| 370 | CKV_K8S_12 | PodSecurityPolicy | containers | Memory requests should be set | Kubernetes |
| 371 | CKV_K8S_12 | PodSecurityPolicy | initContainers | Memory requests should be set | Kubernetes |
| 372 | CKV_K8S_13 | PodSecurityPolicy | containers | Memory limits should be set | Kubernetes |
| 373 | CKV_K8S_13 | PodSecurityPolicy | initContainers | Memory limits should be set | Kubernetes |
| 374 | CKV_K8S_14 | PodSecurityPolicy | containers | Image Tag should be fixed - not latest or blank | Kubernetes |
| 375 | CKV_K8S_14 | PodSecurityPolicy | initContainers | Image Tag should be fixed - not latest or blank | Kubernetes |
| 376 | CKV_K8S_15 | PodSecurityPolicy | containers | Image Pull Policy should be Always | Kubernetes |
| 377 | CKV_K8S_15 | PodSecurityPolicy | initContainers | Image Pull Policy should be Always | Kubernetes |
| 378 | CKV_K8S_16 | PodSecurityPolicy | containers | Container should not be privileged | Kubernetes |
| 379 | CKV_K8S_16 | PodSecurityPolicy | initContainers | Container should not be privileged | Kubernetes |
| 380 | CKV_K8S_17 | PodSecurityPolicy | Pod | Containers should not share the host process ID namespace | Kubernetes |
| 381 | CKV_K8S_17 | PodSecurityPolicy | Deployment | Containers should not share the host process ID namespace | Kubernetes |
| 382 | CKV_K8S_17 | PodSecurityPolicy | DaemonSet | Containers should not share the host process ID namespace | Kubernetes |
| 383 | CKV_K8S_17 | PodSecurityPolicy | StatefulSet | Containers should not share the host process ID namespace | Kubernetes |
| 384 | CKV_K8S_17 | PodSecurityPolicy | ReplicaSet | Containers should not share the host process ID namespace | Kubernetes |
| 385 | CKV_K8S_17 | PodSecurityPolicy | ReplicationController | Containers should not share the host process ID namespace | Kubernetes |
| 386 | CKV_K8S_17 | PodSecurityPolicy | Job | Containers should not share the host process ID namespace | Kubernetes |
| 387 | CKV_K8S_17 | PodSecurityPolicy | CronJob | Containers should not share the host process ID namespace | Kubernetes |
| 388 | CKV_K8S_18 | PodSecurityPolicy | Pod | Containers should not share the host IPC namespace | Kubernetes |
| 389 | CKV_K8S_18 | PodSecurityPolicy | Deployment | Containers should not share the host IPC namespace | Kubernetes |
| 390 | CKV_K8S_18 | PodSecurityPolicy | DaemonSet | Containers should not share the host IPC namespace | Kubernetes |
| 391 | CKV_K8S_18 | PodSecurityPolicy | StatefulSet | Containers should not share the host IPC namespace | Kubernetes |
| 392 | CKV_K8S_18 | PodSecurityPolicy | ReplicaSet | Containers should not share the host IPC namespace | Kubernetes |
| 393 | CKV_K8S_18 | PodSecurityPolicy | ReplicationController | Containers should not share the host IPC namespace | Kubernetes |
| 394 | CKV_K8S_18 | PodSecurityPolicy | Job | Containers should not share the host IPC namespace | Kubernetes |
| 395 | CKV_K8S_18 | PodSecurityPolicy | CronJob | Containers should not share the host IPC namespace | Kubernetes |
| 396 | CKV_K8S_19 | PodSecurityPolicy | Pod | Containers should not share the host network namespace | Kubernetes |
| 397 | CKV_K8S_19 | PodSecurityPolicy | Deployment | Containers should not share the host network namespace | Kubernetes |
| 398 | CKV_K8S_19 | PodSecurityPolicy | DaemonSet | Containers should not share the host network namespace | Kubernetes |
| 399 | CKV_K8S_19 | PodSecurityPolicy | StatefulSet | Containers should not share the host network namespace | Kubernetes |
| 400 | CKV_K8S_19 | PodSecurityPolicy | ReplicaSet | Containers should not share the host network namespace | Kubernetes |
| 401 | CKV_K8S_19 | PodSecurityPolicy | ReplicationController | Containers should not share the host network namespace | Kubernetes |
| 402 | CKV_K8S_19 | PodSecurityPolicy | Job | Containers should not share the host network namespace | Kubernetes |
| 403 | CKV_K8S_19 | PodSecurityPolicy | CronJob | Containers should not share the host network namespace | Kubernetes |
| 404 | CKV_K8S_20 | PodSecurityPolicy | containers | Containers should not run with allowPrivilegeEscalation | Kubernetes |
| 405 | CKV_K8S_20 | PodSecurityPolicy | initContainers | Containers should not run with allowPrivilegeEscalation | Kubernetes |
| 406 | CKV_K8S_21 | PodSecurityPolicy | Service | The default namespace should not be used | Kubernetes |
| 407 | CKV_K8S_21 | PodSecurityPolicy | RoleBinding | The default namespace should not be used | Kubernetes |
| 408 | CKV_K8S_21 | PodSecurityPolicy | Pod | The default namespace should not be used | Kubernetes |
| 409 | CKV_K8S_21 | PodSecurityPolicy | Deployment | The default namespace should not be used | Kubernetes |
| 410 | CKV_K8S_21 | PodSecurityPolicy | DaemonSet | The default namespace should not be used | Kubernetes |
| 411 | CKV_K8S_21 | PodSecurityPolicy | StatefulSet | The default namespace should not be used | Kubernetes |
| 412 | CKV_K8S_21 | PodSecurityPolicy | ReplicaSet | The default namespace should not be used | Kubernetes |
| 413 | CKV_K8S_21 | PodSecurityPolicy | ReplicationController | The default namespace should not be used | Kubernetes |
| 414 | CKV_K8S_21 | PodSecurityPolicy | Job | The default namespace should not be used | Kubernetes |
| 415 | CKV_K8S_21 | PodSecurityPolicy | CronJob | The default namespace should not be used | Kubernetes |
| 416 | CKV_K8S_21 | PodSecurityPolicy | Secret | The default namespace should not be used | Kubernetes |
| 417 | CKV_K8S_21 | PodSecurityPolicy | ServiceAccount | The default namespace should not be used | Kubernetes |
| 418 | CKV_K8S_21 | PodSecurityPolicy | Role | The default namespace should not be used | Kubernetes |
| 419 | CKV_K8S_21 | PodSecurityPolicy | ConfigMap | The default namespace should not be used | Kubernetes |
| 420 | CKV_K8S_21 | PodSecurityPolicy | Ingress | The default namespace should not be used | Kubernetes |
| 421 | CKV_K8S_22 | PodSecurityPolicy | containers | Use read-only filesystem for containers where possible | Kubernetes |
| 422 | CKV_K8S_22 | PodSecurityPolicy | initContainers | Use read-only filesystem for containers where possible | Kubernetes |
| 423 | CKV_K8S_23 | PodSecurityPolicy | Pod | Minimize the admission of root containers | Kubernetes |
| 424 | CKV_K8S_23 | PodSecurityPolicy | Deployment | Minimize the admission of root containers | Kubernetes |
| 425 | CKV_K8S_23 | PodSecurityPolicy | DaemonSet | Minimize the admission of root containers | Kubernetes |
| 426 | CKV_K8S_23 | PodSecurityPolicy | StatefulSet | Minimize the admission of root containers | Kubernetes |
| 427 | CKV_K8S_23 | PodSecurityPolicy | ReplicaSet | Minimize the admission of root containers | Kubernetes |
| 428 | CKV_K8S_23 | PodSecurityPolicy | ReplicationController | Minimize the admission of root containers | Kubernetes |
| 429 | CKV_K8S_23 | PodSecurityPolicy | Job | Minimize the admission of root containers | Kubernetes |
| 430 | CKV_K8S_23 | PodSecurityPolicy | CronJob | Minimize the admission of root containers | Kubernetes |
| 431 | CKV_K8S_24 | PodSecurityPolicy | PodSecurityPolicy | Do not allow containers with added capability | Kubernetes |
| 432 | CKV_K8S_25 | PodSecurityPolicy | containers | Minimize the admission of containers with added capability | Kubernetes |
| 433 | CKV_K8S_25 | PodSecurityPolicy | initContainers | Minimize the admission of containers with added capability | Kubernetes |
| 434 | CKV_K8S_26 | PodSecurityPolicy | containers | Do not specify hostPort unless absolutely necessary | Kubernetes |
| 435 | CKV_K8S_26 | PodSecurityPolicy | initContainers | Do not specify hostPort unless absolutely necessary | Kubernetes |
| 436 | CKV_K8S_27 | PodSecurityPolicy | Pod | Do not expose the docker daemon socket to containers | Kubernetes |
| 437 | CKV_K8S_27 | PodSecurityPolicy | Deployment | Do not expose the docker daemon socket to containers | Kubernetes |
| 438 | CKV_K8S_27 | PodSecurityPolicy | DaemonSet | Do not expose the docker daemon socket to containers | Kubernetes |
| 439 | CKV_K8S_27 | PodSecurityPolicy | StatefulSet | Do not expose the docker daemon socket to containers | Kubernetes |
| 440 | CKV_K8S_27 | PodSecurityPolicy | ReplicaSet | Do not expose the docker daemon socket to containers | Kubernetes |
| 441 | CKV_K8S_27 | PodSecurityPolicy | ReplicationController | Do not expose the docker daemon socket to containers | Kubernetes |
| 442 | CKV_K8S_27 | PodSecurityPolicy | Job | Do not expose the docker daemon socket to containers | Kubernetes |
| 443 | CKV_K8S_27 | PodSecurityPolicy | CronJob | Do not expose the docker daemon socket to containers | Kubernetes |
| 444 | CKV_K8S_28 | PodSecurityPolicy | containers | Minimize the admission of containers with the NET_RAW capability | Kubernetes |
| 445 | CKV_K8S_28 | PodSecurityPolicy | initContainers | Minimize the admission of containers with the NET_RAW capability | Kubernetes |
| 446 | CKV_K8S_29 | PodSecurityPolicy | Pod | Apply security context to your pods and containers | Kubernetes |
| 447 | CKV_K8S_29 | PodSecurityPolicy | Deployment | Apply security context to your pods and containers | Kubernetes |
| 448 | CKV_K8S_29 | PodSecurityPolicy | DaemonSet | Apply security context to your pods and containers | Kubernetes |
| 449 | CKV_K8S_29 | PodSecurityPolicy | StatefulSet | Apply security context to your pods and containers | Kubernetes |
| 450 | CKV_K8S_29 | PodSecurityPolicy | ReplicaSet | Apply security context to your pods and containers | Kubernetes |
| 451 | CKV_K8S_29 | PodSecurityPolicy | ReplicationController | Apply security context to your pods and containers | Kubernetes |
| 452 | CKV_K8S_29 | PodSecurityPolicy | Job | Apply security context to your pods and containers | Kubernetes |
| 453 | CKV_K8S_29 | PodSecurityPolicy | CronJob | Apply security context to your pods and containers | Kubernetes |
| 454 | CKV_K8S_30 | PodSecurityPolicy | containers | Apply security context to your pods and containers | Kubernetes |
| 455 | CKV_K8S_30 | PodSecurityPolicy | initContainers | Apply security context to your pods and containers | Kubernetes |
| 456 | CKV_K8S_31 | PodSecurityPolicy | Pod | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes |
| 457 | CKV_K8S_31 | PodSecurityPolicy | Deployment | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes |
| 458 | CKV_K8S_31 | PodSecurityPolicy | DaemonSet | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes |
| 459 | CKV_K8S_31 | PodSecurityPolicy | StatefulSet | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes |
| 460 | CKV_K8S_31 | PodSecurityPolicy | ReplicaSet | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes |
| 461 | CKV_K8S_31 | PodSecurityPolicy | ReplicationController | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes |
| 462 | CKV_K8S_31 | PodSecurityPolicy | Job | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes |
| 463 | CKV_K8S_31 | PodSecurityPolicy | CronJob | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes |
| 464 | CKV_K8S_32 | PodSecurityPolicy | PodSecurityPolicy | Ensure default seccomp profile set to docker/default or runtime/default | Kubernetes |
| 465 | CKV_K8S_33 | PodSecurityPolicy | containers | Ensure the Kubernetes dashboard is not deployed | Kubernetes |
| 466 | CKV_K8S_33 | PodSecurityPolicy | initContainers | Ensure the Kubernetes dashboard is not deployed | Kubernetes |
| 467 | CKV_K8S_34 | PodSecurityPolicy | containers | Ensure that Tiller (Helm v2) is not deployed | Kubernetes |
| 468 | CKV_K8S_34 | PodSecurityPolicy | initContainers | Ensure that Tiller (Helm v2) is not deployed | Kubernetes |
| 469 | CKV_K8S_35 | PodSecurityPolicy | containers | Prefer using secrets as files over secrets as environment variables | Kubernetes |
| 470 | CKV_K8S_35 | PodSecurityPolicy | initContainers | Prefer using secrets as files over secrets as environment variables | Kubernetes |
| 471 | CKV_K8S_36 | PodSecurityPolicy | PodSecurityPolicy | Minimize the admission of containers with capabilities assigned | Kubernetes |
| 472 | CKV_K8S_37 | PodSecurityPolicy | containers | Minimize the admission of containers with capabilities assigned | Kubernetes |
| 473 | CKV_K8S_37 | PodSecurityPolicy | initContainers | Minimize the admission of containers with capabilities assigned | Kubernetes |
| 474 | CKV_K8S_38 | PodSecurityPolicy | Pod | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes |
| 475 | CKV_K8S_38 | PodSecurityPolicy | Deployment | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes |
| 476 | CKV_K8S_38 | PodSecurityPolicy | DaemonSet | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes |
| 477 | CKV_K8S_38 | PodSecurityPolicy | StatefulSet | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes |
| 478 | CKV_K8S_38 | PodSecurityPolicy | ReplicaSet | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes |
| 479 | CKV_K8S_38 | PodSecurityPolicy | ReplicationController | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes |
| 480 | CKV_K8S_38 | PodSecurityPolicy | Job | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes |
| 481 | CKV_K8S_38 | PodSecurityPolicy | CronJob | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes |
| 482 | CKV_K8S_39 | PodSecurityPolicy | containers | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes |
| 483 | CKV_K8S_39 | PodSecurityPolicy | initContainers | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes |
| 484 | CKV_K8S_40 | PodSecurityPolicy | Pod | Containers should run as a high UID to avoid host conflict | Kubernetes |
| 485 | CKV_K8S_40 | PodSecurityPolicy | Deployment | Containers should run as a high UID to avoid host conflict | Kubernetes |
| 486 | CKV_K8S_40 | PodSecurityPolicy | DaemonSet | Containers should run as a high UID to avoid host conflict | Kubernetes |
| 487 | CKV_K8S_40 | PodSecurityPolicy | StatefulSet | Containers should run as a high UID to avoid host conflict | Kubernetes |
| 488 | CKV_K8S_40 | PodSecurityPolicy | ReplicaSet | Containers should run as a high UID to avoid host conflict | Kubernetes |
| 489 | CKV_K8S_40 | PodSecurityPolicy | ReplicationController | Containers should run as a high UID to avoid host conflict | Kubernetes |
| 490 | CKV_K8S_40 | PodSecurityPolicy | Job | Containers should run as a high UID to avoid host conflict | Kubernetes |
| 491 | CKV_K8S_40 | PodSecurityPolicy | CronJob | Containers should run as a high UID to avoid host conflict | Kubernetes |
| 492 | CKV_K8S_41 | PodSecurityPolicy | ServiceAccount | Ensure that default service accounts are not actively used | Kubernetes |
| 493 | CKV_K8S_42 | PodSecurityPolicy | RoleBinding | Ensure that default service accounts are not actively used | Kubernetes |
| 494 | CKV_K8S_42 | PodSecurityPolicy | ClusterRoleBinding | Ensure that default service accounts are not actively used | Kubernetes |
| 495 | CKV_K8S_43 | PodSecurityPolicy | containers | Image should use digest | Kubernetes |
| 496 | CKV_K8S_43 | PodSecurityPolicy | initContainers | Image should use digest | Kubernetes |
| 497 | CKV_K8S_44 | PodSecurityPolicy | Service | Ensure that the Tiller Service (Helm v2) is deleted | Kubernetes |
| 498 | CKV_K8S_45 | PodSecurityPolicy | containers | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes |
499 |
CKV_K8S_45 |
PodSecurityPolicy |
initContainers |
Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster |
Kubernetes |