| | Id | Type | Entity | Policy | IaC | Resource Link |
|---|---|---|---|---|---|---|
| 0 | CKV2_ADO_1 | resource | azuredevops_branch_policy_min_reviewers | Ensure at least two approving reviews for PRs | Terraform | ADORepositoryHasMinTwoReviewers.yaml |
| 1 | CKV2_ADO_1 | resource | azuredevops_git_repository | Ensure at least two approving reviews for PRs | Terraform | ADORepositoryHasMinTwoReviewers.yaml |
| 2 | CKV_ALI_1 | resource | alicloud_oss_bucket | Alibaba Cloud OSS bucket accessible to public | Terraform | OSSBucketPublic.py |
| 3 | CKV_ALI_2 | resource | alicloud_security_group_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Terraform | SecurityGroupUnrestrictedIngress22.py |
| 4 | CKV_ALI_3 | resource | alicloud_security_group_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Terraform | SecurityGroupUnrestrictedIngress3389.py |
| 5 | CKV_ALI_4 | resource | alicloud_actiontrail_trail | Ensure Action Trail Logging for all regions | Terraform | ActionTrailLogAllRegions.py |
| 6 | CKV_ALI_5 | resource | alicloud_actiontrail_trail | Ensure Action Trail Logging for all events | Terraform | ActionTrailLogAllEvents.py |
| 7 | CKV_ALI_6 | resource | alicloud_oss_bucket | Ensure OSS bucket is encrypted with Customer Master Key | Terraform | OSSBucketEncryptedWithCMK.py |
| 8 | CKV_ALI_7 | resource | alicloud_disk | Ensure disk is encrypted | Terraform | DiskIsEncrypted.py |
| 9 | CKV_ALI_8 | resource | alicloud_disk | Ensure Disk is encrypted with Customer Master Key | Terraform | DiskEncryptedWithCMK.py |
| 10 | CKV_ALI_9 | resource | alicloud_db_instance | Ensure database instance is not public | Terraform | RDSIsPublic.py |
| 11 | CKV_ALI_10 | resource | alicloud_oss_bucket | Ensure OSS bucket has versioning enabled | Terraform | OSSBucketVersioning.py |
| 12 | CKV_ALI_11 | resource | alicloud_oss_bucket | Ensure OSS bucket has transfer Acceleration enabled | Terraform | OSSBucketTransferAcceleration.py |
| 13 | CKV_ALI_12 | resource | alicloud_oss_bucket | Ensure the OSS bucket has access logging enabled | Terraform | OSSBucketAccessLogs.py |
| 14 | CKV_ALI_13 | resource | alicloud_ram_account_password_policy | Ensure RAM password policy requires minimum length of 14 or greater | Terraform | RAMPasswordPolicyLength.py |
| 15 | CKV_ALI_14 | resource | alicloud_ram_account_password_policy | Ensure RAM password policy requires at least one number | Terraform | RAMPasswordPolicyNumber.py |
| 16 | CKV_ALI_15 | resource | alicloud_ram_account_password_policy | Ensure RAM password policy requires at least one symbol | Terraform | RAMPasswordPolicySymbol.py |
| 17 | CKV_ALI_16 | resource | alicloud_ram_account_password_policy | Ensure RAM password policy expires passwords within 90 days or less | Terraform | RAMPasswordPolicyExpiration.py |
| 18 | CKV_ALI_17 | resource | alicloud_ram_account_password_policy | Ensure RAM password policy requires at least one lowercase letter | Terraform | RAMPasswordPolicyLowercaseLetter.py |
| 19 | CKV_ALI_18 | resource | alicloud_ram_account_password_policy | Ensure RAM password policy prevents password reuse | Terraform | RAMPasswordPolicyReuse.py |
| 20 | CKV_ALI_19 | resource | alicloud_ram_account_password_policy | Ensure RAM password policy requires at least one uppercase letter | Terraform | RAMPasswordPolicyUppcaseLetter.py |
| 21 | CKV_ALI_20 | resource | alicloud_db_instance | Ensure RDS instance uses SSL | Terraform | RDSInstanceSSL.py |
| 22 | CKV_ALI_21 | resource | alicloud_api_gateway_api | Ensure API Gateway API Protocol HTTPS | Terraform | APIGatewayProtocolHTTPS.py |
| 23 | CKV_ALI_22 | resource | alicloud_db_instance | Ensure Transparent Data Encryption is Enabled on instance | Terraform | RDSTransparentDataEncryptionEnabled.py |
| 24 | CKV_ALI_23 | resource | alicloud_ram_account_password_policy | Ensure Ram Account Password Policy Max Login Attempts not > 5 | Terraform | RAMPasswordPolicyMaxLogin.py |
| 25 | CKV_ALI_24 | resource | alicloud_ram_security_preference | Ensure RAM enforces MFA | Terraform | RAMSecurityEnforceMFA.py |
| 26 | CKV_ALI_25 | resource | alicloud_db_instance | Ensure RDS Instance SQL Collector Retention Period should be greater than 180 | Terraform | RDSRetention.py |
| 27 | CKV_ALI_26 | resource | alicloud_cs_kubernetes | Ensure Kubernetes installs plugin Terway or Flannel to support standard policies | Terraform | K8sEnableNetworkPolicies.py |
| 28 | CKV_ALI_27 | resource | alicloud_kms_key | Ensure KMS Key Rotation is enabled | Terraform | KMSKeyRotationIsEnabled.py |
| 29 | CKV_ALI_28 | resource | alicloud_kms_key | Ensure KMS Keys are enabled | Terraform | KMSKeyIsEnabled.py |
| 30 | CKV_ALI_29 | resource | alicloud_alb_acl_entry_attachment | Alibaba ALB ACL does not restrict Access | Terraform | ALBACLIsUnrestricted.py |
| 31 | CKV_ALI_30 | resource | alicloud_db_instance | Ensure RDS instance auto upgrades for minor versions | Terraform | RDSInstanceAutoUpgrade.py |
| 32 | CKV_ALI_31 | resource | alicloud_cs_kubernetes_node_pool | Ensure K8s nodepools are set to auto repair | Terraform | K8sNodePoolAutoRepair.py |
| 33 | CKV_ALI_32 | resource | alicloud_ecs_launch_template | Ensure launch template data disks are encrypted | Terraform | LaunchTemplateDisksAreEncrypted.py |
| 34 | CKV_ALI_33 | resource | alicloud_slb_tls_cipher_policy | Alibaba Cloud Cypher Policy are secure | Terraform | TLSPoliciesAreSecure.py |
| 35 | CKV_ALI_35 | resource | alicloud_db_instance | Ensure RDS instance has log_duration enabled | Terraform | RDSInstanceLogsEnabled.py |
| 36 | CKV_ALI_36 | resource | alicloud_db_instance | Ensure RDS instance has log_disconnections enabled | Terraform | RDSInstanceLogDisconnections.py |
| 37 | CKV_ALI_37 | resource | alicloud_db_instance | Ensure RDS instance has log_connections enabled | Terraform | RDSInstanceLogConnections.py |
| 38 | CKV_ALI_38 | resource | alicloud_log_audit | Ensure log audit is enabled for RDS | Terraform | LogAuditRDSEnabled.py |
| 39 | CKV_ALI_41 | resource | alicloud_mongodb_instance | Ensure MongoDB is deployed inside a VPC | Terraform | MongoDBInsideVPC.py |
| 40 | CKV_ALI_42 | resource | alicloud_mongodb_instance | Ensure Mongodb instance uses SSL | Terraform | MongoDBInstanceSSL.py |
| 41 | CKV_ALI_43 | resource | alicloud_mongodb_instance | Ensure MongoDB instance is not public | Terraform | MongoDBIsPublic.py |
| 42 | CKV_ALI_44 | resource | alicloud_mongodb_instance | Ensure MongoDB has Transparent Data Encryption Enabled | Terraform | MongoDBTransparentDataEncryptionEnabled.py |
| 43 | CKV_ANSIBLE_1 | resource | [?"ansible.builtin.uri" != null][] | Ensure that certificate validation isn't disabled with uri | Ansible | UriValidateCerts.py |
| 44 | CKV_ANSIBLE_1 | resource | [?"uri" != null][] | Ensure that certificate validation isn't disabled with uri | Ansible | UriValidateCerts.py |
| 45 | CKV_ANSIBLE_1 | resource | [].block[?"ansible.builtin.uri" != null][] | Ensure that certificate validation isn't disabled with uri | Ansible | UriValidateCerts.py |
| 46 | CKV_ANSIBLE_1 | resource | [].block[?"uri" != null][] | Ensure that certificate validation isn't disabled with uri | Ansible | UriValidateCerts.py |
| 47 | CKV_ANSIBLE_1 | resource | [].block[].block[?"ansible.builtin.uri" != null][] | Ensure that certificate validation isn't disabled with uri | Ansible | UriValidateCerts.py |
| 48 | CKV_ANSIBLE_1 | resource | [].block[].block[?"uri" != null][] | Ensure that certificate validation isn't disabled with uri | Ansible | UriValidateCerts.py |
| 49 | CKV_ANSIBLE_1 | resource | [].block[].block[].block[?"ansible.builtin.uri" != null][] | Ensure that certificate validation isn't disabled with uri | Ansible | UriValidateCerts.py |
| 50 | CKV_ANSIBLE_1 | resource | [].block[].block[].block[?"uri" != null][] | Ensure that certificate validation isn't disabled with uri | Ansible | UriValidateCerts.py |
| 51 | CKV_ANSIBLE_1 | resource | [].tasks[?"ansible.builtin.uri" != null][] | Ensure that certificate validation isn't disabled with uri | Ansible | UriValidateCerts.py |
| 52 | CKV_ANSIBLE_1 | resource | [].tasks[?"uri" != null][] | Ensure that certificate validation isn't disabled with uri | Ansible | UriValidateCerts.py |
| 53 | CKV_ANSIBLE_1 | resource | [].tasks[].block[?"ansible.builtin.uri" != null][] | Ensure that certificate validation isn't disabled with uri | Ansible | UriValidateCerts.py |
| 54 | CKV_ANSIBLE_1 | resource | [].tasks[].block[?"uri" != null][] | Ensure that certificate validation isn't disabled with uri | Ansible | UriValidateCerts.py |
| 55 | CKV_ANSIBLE_1 | resource | [].tasks[].block[].block[?"ansible.builtin.uri" != null][] | Ensure that certificate validation isn't disabled with uri | Ansible | UriValidateCerts.py |
| 56 | CKV_ANSIBLE_1 | resource | [].tasks[].block[].block[?"uri" != null][] | Ensure that certificate validation isn't disabled with uri | Ansible | UriValidateCerts.py |
| 57 | CKV_ANSIBLE_1 | resource | [].tasks[].block[].block[].block[?"ansible.builtin.uri" != null][] | Ensure that certificate validation isn't disabled with uri | Ansible | UriValidateCerts.py |
| 58 | CKV_ANSIBLE_1 | resource | [].tasks[].block[].block[].block[?"uri" != null][] | Ensure that certificate validation isn't disabled with uri | Ansible | UriValidateCerts.py |
| 59 | CKV_ANSIBLE_2 | resource | [?"ansible.builtin.get_url" != null][] | Ensure that certificate validation isn't disabled with get_url | Ansible | GetUrlValidateCerts.py |
| 60 | CKV_ANSIBLE_2 | resource | [?"get_url" != null][] | Ensure that certificate validation isn't disabled with get_url | Ansible | GetUrlValidateCerts.py |
| 61 | CKV_ANSIBLE_2 | resource | [].block[?"ansible.builtin.get_url" != null][] | Ensure that certificate validation isn't disabled with get_url | Ansible | GetUrlValidateCerts.py |
| 62 | CKV_ANSIBLE_2 | resource | [].block[?"get_url" != null][] | Ensure that certificate validation isn't disabled with get_url | Ansible | GetUrlValidateCerts.py |
| 63 | CKV_ANSIBLE_2 | resource | [].block[].block[?"ansible.builtin.get_url" != null][] | Ensure that certificate validation isn't disabled with get_url | Ansible | GetUrlValidateCerts.py |
| 64 | CKV_ANSIBLE_2 | resource | [].block[].block[?"get_url" != null][] | Ensure that certificate validation isn't disabled with get_url | Ansible | GetUrlValidateCerts.py |
| 65 | CKV_ANSIBLE_2 | resource | [].block[].block[].block[?"ansible.builtin.get_url" != null][] | Ensure that certificate validation isn't disabled with get_url | Ansible | GetUrlValidateCerts.py |
| 66 | CKV_ANSIBLE_2 | resource | [].block[].block[].block[?"get_url" != null][] | Ensure that certificate validation isn't disabled with get_url | Ansible | GetUrlValidateCerts.py |
| 67 | CKV_ANSIBLE_2 | resource | [].tasks[?"ansible.builtin.get_url" != null][] | Ensure that certificate validation isn't disabled with get_url | Ansible | GetUrlValidateCerts.py |
| 68 | CKV_ANSIBLE_2 | resource | [].tasks[?"get_url" != null][] | Ensure that certificate validation isn't disabled with get_url | Ansible | GetUrlValidateCerts.py |
| 69 | CKV_ANSIBLE_2 | resource | [].tasks[].block[?"ansible.builtin.get_url" != null][] | Ensure that certificate validation isn't disabled with get_url | Ansible | GetUrlValidateCerts.py |
| 70 | CKV_ANSIBLE_2 | resource | [].tasks[].block[?"get_url" != null][] | Ensure that certificate validation isn't disabled with get_url | Ansible | GetUrlValidateCerts.py |
| 71 | CKV_ANSIBLE_2 | resource | [].tasks[].block[].block[?"ansible.builtin.get_url" != null][] | Ensure that certificate validation isn't disabled with get_url | Ansible | GetUrlValidateCerts.py |
| 72 | CKV_ANSIBLE_2 | resource | [].tasks[].block[].block[?"get_url" != null][] | Ensure that certificate validation isn't disabled with get_url | Ansible | GetUrlValidateCerts.py |
| 73 | CKV_ANSIBLE_2 | resource | [].tasks[].block[].block[].block[?"ansible.builtin.get_url" != null][] | Ensure that certificate validation isn't disabled with get_url | Ansible | GetUrlValidateCerts.py |
| 74 | CKV_ANSIBLE_2 | resource | [].tasks[].block[].block[].block[?"get_url" != null][] | Ensure that certificate validation isn't disabled with get_url | Ansible | GetUrlValidateCerts.py |
| 75 | CKV_ANSIBLE_3 | resource | [?"ansible.builtin.yum" != null][] | Ensure that certificate validation isn't disabled with yum | Ansible | YumValidateCerts.py |
| 76 | CKV_ANSIBLE_3 | resource | [?"yum" != null][] | Ensure that certificate validation isn't disabled with yum | Ansible | YumValidateCerts.py |
| 77 | CKV_ANSIBLE_3 | resource | [].block[?"ansible.builtin.yum" != null][] | Ensure that certificate validation isn't disabled with yum | Ansible | YumValidateCerts.py |
| 78 | CKV_ANSIBLE_3 | resource | [].block[?"yum" != null][] | Ensure that certificate validation isn't disabled with yum | Ansible | YumValidateCerts.py |
| 79 | CKV_ANSIBLE_3 | resource | [].block[].block[?"ansible.builtin.yum" != null][] | Ensure that certificate validation isn't disabled with yum | Ansible | YumValidateCerts.py |
| 80 | CKV_ANSIBLE_3 | resource | [].block[].block[?"yum" != null][] | Ensure that certificate validation isn't disabled with yum | Ansible | YumValidateCerts.py |
| 81 | CKV_ANSIBLE_3 | resource | [].block[].block[].block[?"ansible.builtin.yum" != null][] | Ensure that certificate validation isn't disabled with yum | Ansible | YumValidateCerts.py |
| 82 | CKV_ANSIBLE_3 | resource | [].block[].block[].block[?"yum" != null][] | Ensure that certificate validation isn't disabled with yum | Ansible | YumValidateCerts.py |
| 83 | CKV_ANSIBLE_3 | resource | [].tasks[?"ansible.builtin.yum" != null][] | Ensure that certificate validation isn't disabled with yum | Ansible | YumValidateCerts.py |
| 84 | CKV_ANSIBLE_3 | resource | [].tasks[?"yum" != null][] | Ensure that certificate validation isn't disabled with yum | Ansible | YumValidateCerts.py |
| 85 | CKV_ANSIBLE_3 | resource | [].tasks[].block[?"ansible.builtin.yum" != null][] | Ensure that certificate validation isn't disabled with yum | Ansible | YumValidateCerts.py |
| 86 | CKV_ANSIBLE_3 | resource | [].tasks[].block[?"yum" != null][] | Ensure that certificate validation isn't disabled with yum | Ansible | YumValidateCerts.py |
| 87 | CKV_ANSIBLE_3 | resource | [].tasks[].block[].block[?"ansible.builtin.yum" != null][] | Ensure that certificate validation isn't disabled with yum | Ansible | YumValidateCerts.py |
| 88 | CKV_ANSIBLE_3 | resource | [].tasks[].block[].block[?"yum" != null][] | Ensure that certificate validation isn't disabled with yum | Ansible | YumValidateCerts.py |
| 89 | CKV_ANSIBLE_3 | resource | [].tasks[].block[].block[].block[?"ansible.builtin.yum" != null][] | Ensure that certificate validation isn't disabled with yum | Ansible | YumValidateCerts.py |
| 90 | CKV_ANSIBLE_3 | resource | [].tasks[].block[].block[].block[?"yum" != null][] | Ensure that certificate validation isn't disabled with yum | Ansible | YumValidateCerts.py |
| 91 | CKV_ANSIBLE_4 | resource | [?"ansible.builtin.yum" != null][] | Ensure that SSL validation isn't disabled with yum | Ansible | YumSslVerify.py |
| 92 | CKV_ANSIBLE_4 | resource | [?"yum" != null][] | Ensure that SSL validation isn't disabled with yum | Ansible | YumSslVerify.py |
| 93 | CKV_ANSIBLE_4 | resource | [].block[?"ansible.builtin.yum" != null][] | Ensure that SSL validation isn't disabled with yum | Ansible | YumSslVerify.py |
| 94 | CKV_ANSIBLE_4 | resource | [].block[?"yum" != null][] | Ensure that SSL validation isn't disabled with yum | Ansible | YumSslVerify.py |
| 95 | CKV_ANSIBLE_4 | resource | [].block[].block[?"ansible.builtin.yum" != null][] | Ensure that SSL validation isn't disabled with yum | Ansible | YumSslVerify.py |
| 96 | CKV_ANSIBLE_4 | resource | [].block[].block[?"yum" != null][] | Ensure that SSL validation isn't disabled with yum | Ansible | YumSslVerify.py |
| 97 | CKV_ANSIBLE_4 | resource | [].block[].block[].block[?"ansible.builtin.yum" != null][] | Ensure that SSL validation isn't disabled with yum | Ansible | YumSslVerify.py |
| 98 | CKV_ANSIBLE_4 | resource | [].block[].block[].block[?"yum" != null][] | Ensure that SSL validation isn't disabled with yum | Ansible | YumSslVerify.py |
| 99 | CKV_ANSIBLE_4 | resource | [].tasks[?"ansible.builtin.yum" != null][] | Ensure that SSL validation isn't disabled with yum | Ansible | YumSslVerify.py |
| 100 | CKV_ANSIBLE_4 | resource | [].tasks[?"yum" != null][] | Ensure that SSL validation isn't disabled with yum | Ansible | YumSslVerify.py |
| 101 | CKV_ANSIBLE_4 | resource | [].tasks[].block[?"ansible.builtin.yum" != null][] | Ensure that SSL validation isn't disabled with yum | Ansible | YumSslVerify.py |
| 102 | CKV_ANSIBLE_4 | resource | [].tasks[].block[?"yum" != null][] | Ensure that SSL validation isn't disabled with yum | Ansible | YumSslVerify.py |
| 103 | CKV_ANSIBLE_4 | resource | [].tasks[].block[].block[?"ansible.builtin.yum" != null][] | Ensure that SSL validation isn't disabled with yum | Ansible | YumSslVerify.py |
| 104 | CKV_ANSIBLE_4 | resource | [].tasks[].block[].block[?"yum" != null][] | Ensure that SSL validation isn't disabled with yum | Ansible | YumSslVerify.py |
| 105 | CKV_ANSIBLE_4 | resource | [].tasks[].block[].block[].block[?"ansible.builtin.yum" != null][] | Ensure that SSL validation isn't disabled with yum | Ansible | YumSslVerify.py |
| 106 | CKV_ANSIBLE_4 | resource | [].tasks[].block[].block[].block[?"yum" != null][] | Ensure that SSL validation isn't disabled with yum | Ansible | YumSslVerify.py |
| 107 | CKV_ANSIBLE_5 | resource | [?"ansible.builtin.apt" != null][] | Ensure that packages with untrusted or missing signatures are not used | Ansible | AptAllowUnauthenticated.py |
| 108 | CKV_ANSIBLE_5 | resource | [?"apt" != null][] | Ensure that packages with untrusted or missing signatures are not used | Ansible | AptAllowUnauthenticated.py |
| 109 | CKV_ANSIBLE_5 | resource | [].block[?"ansible.builtin.apt" != null][] | Ensure that packages with untrusted or missing signatures are not used | Ansible | AptAllowUnauthenticated.py |
| 110 | CKV_ANSIBLE_5 | resource | [].block[?"apt" != null][] | Ensure that packages with untrusted or missing signatures are not used | Ansible | AptAllowUnauthenticated.py |
| 111 | CKV_ANSIBLE_5 | resource | [].block[].block[?"ansible.builtin.apt" != null][] | Ensure that packages with untrusted or missing signatures are not used | Ansible | AptAllowUnauthenticated.py |
| 112 | CKV_ANSIBLE_5 | resource | [].block[].block[?"apt" != null][] | Ensure that packages with untrusted or missing signatures are not used | Ansible | AptAllowUnauthenticated.py |
| 113 | CKV_ANSIBLE_5 | resource | [].block[].block[].block[?"ansible.builtin.apt" != null][] | Ensure that packages with untrusted or missing signatures are not used | Ansible | AptAllowUnauthenticated.py |
| 114 | CKV_ANSIBLE_5 | resource | [].block[].block[].block[?"apt" != null][] | Ensure that packages with untrusted or missing signatures are not used | Ansible | AptAllowUnauthenticated.py |
| 115 | CKV_ANSIBLE_5 | resource | [].tasks[?"ansible.builtin.apt" != null][] | Ensure that packages with untrusted or missing signatures are not used | Ansible | AptAllowUnauthenticated.py |
| 116 | CKV_ANSIBLE_5 | resource | [].tasks[?"apt" != null][] | Ensure that packages with untrusted or missing signatures are not used | Ansible | AptAllowUnauthenticated.py |
| 117 | CKV_ANSIBLE_5 | resource | [].tasks[].block[?"ansible.builtin.apt" != null][] | Ensure that packages with untrusted or missing signatures are not used | Ansible | AptAllowUnauthenticated.py |
| 118 | CKV_ANSIBLE_5 | resource | [].tasks[].block[?"apt" != null][] | Ensure that packages with untrusted or missing signatures are not used | Ansible | AptAllowUnauthenticated.py |
| 119 | CKV_ANSIBLE_5 | resource | [].tasks[].block[].block[?"ansible.builtin.apt" != null][] | Ensure that packages with untrusted or missing signatures are not used | Ansible | AptAllowUnauthenticated.py |
| 120 | CKV_ANSIBLE_5 | resource | [].tasks[].block[].block[?"apt" != null][] | Ensure that packages with untrusted or missing signatures are not used | Ansible | AptAllowUnauthenticated.py |
| 121 | CKV_ANSIBLE_5 | resource | [].tasks[].block[].block[].block[?"ansible.builtin.apt" != null][] | Ensure that packages with untrusted or missing signatures are not used | Ansible | AptAllowUnauthenticated.py |
| 122 | CKV_ANSIBLE_5 | resource | [].tasks[].block[].block[].block[?"apt" != null][] | Ensure that packages with untrusted or missing signatures are not used | Ansible | AptAllowUnauthenticated.py |
| 123 | CKV_ANSIBLE_6 | resource | [?"ansible.builtin.apt" != null][] | Ensure that the force parameter is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state | Ansible | AptForce.py |
| 124 | CKV_ANSIBLE_6 | resource | [?"apt" != null][] | Ensure that the force parameter is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state | Ansible | AptForce.py |
| 125 | CKV_ANSIBLE_6 | resource | [].block[?"ansible.builtin.apt" != null][] | Ensure that the force parameter is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state | Ansible | AptForce.py |
| 126 | CKV_ANSIBLE_6 | resource | [].block[?"apt" != null][] | Ensure that the force parameter is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state | Ansible | AptForce.py |
| 127 | CKV_ANSIBLE_6 | resource | [].block[].block[?"ansible.builtin.apt" != null][] | Ensure that the force parameter is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state | Ansible | AptForce.py |
| 128 | CKV_ANSIBLE_6 | resource | [].block[].block[?"apt" != null][] | Ensure that the force parameter is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state | Ansible | AptForce.py |
| 129 | CKV_ANSIBLE_6 | resource | [].block[].block[].block[?"ansible.builtin.apt" != null][] | Ensure that the force parameter is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state | Ansible | AptForce.py |
| 130 | CKV_ANSIBLE_6 | resource | [].block[].block[].block[?"apt" != null][] | Ensure that the force parameter is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state | Ansible | AptForce.py |
| 131 | CKV_ANSIBLE_6 | resource | [].tasks[?"ansible.builtin.apt" != null][] | Ensure that the force parameter is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state | Ansible | AptForce.py |
| 132 | CKV_ANSIBLE_6 | resource | [].tasks[?"apt" != null][] | Ensure that the force parameter is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state | Ansible | AptForce.py |
| 133 | CKV_ANSIBLE_6 | resource | [].tasks[].block[?"ansible.builtin.apt" != null][] | Ensure that the force parameter is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state | Ansible | AptForce.py |
| 134 | CKV_ANSIBLE_6 | resource | [].tasks[].block[?"apt" != null][] | Ensure that the force parameter is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state | Ansible | AptForce.py |
| 135 | CKV_ANSIBLE_6 | resource | [].tasks[].block[].block[?"ansible.builtin.apt" != null][] | Ensure that the force parameter is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state | Ansible | AptForce.py |
| 136 | CKV_ANSIBLE_6 | resource | [].tasks[].block[].block[?"apt" != null][] | Ensure that the force parameter is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state | Ansible | AptForce.py |
| 137 | CKV_ANSIBLE_6 | resource | [].tasks[].block[].block[].block[?"ansible.builtin.apt" != null][] | Ensure that the force parameter is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state | Ansible | AptForce.py |
| 138 | CKV_ANSIBLE_6 | resource | [].tasks[].block[].block[].block[?"apt" != null][] | Ensure that the force parameter is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state | Ansible | AptForce.py |
| 139 | CKV2_ANSIBLE_1 | resource | tasks.ansible.builtin.uri | Ensure that HTTPS url is used with uri | Ansible | UriHttpsOnly.yaml |
| 140 | CKV2_ANSIBLE_1 | resource | tasks.uri | Ensure that HTTPS url is used with uri | Ansible | UriHttpsOnly.yaml |
| 141 | CKV2_ANSIBLE_2 | resource | tasks.ansible.builtin.get_url | Ensure that HTTPS url is used with get_url | Ansible | GetUrlHttpsOnly.yaml |
| 142 | CKV2_ANSIBLE_2 | resource | tasks.get_url | Ensure that HTTPS url is used with get_url | Ansible | GetUrlHttpsOnly.yaml |
| 143 | CKV2_ANSIBLE_3 | resource | block | Ensure block is handling task errors properly | Ansible | BlockErrorHandling.yaml |
| 144 | CKV2_ANSIBLE_4 | resource | tasks.ansible.builtin.dnf | Ensure that packages with untrusted or missing GPG signatures are not used by dnf | Ansible | DnfDisableGpgCheck.yaml |
| 145 | CKV2_ANSIBLE_4 | resource | tasks.dnf | Ensure that packages with untrusted or missing GPG signatures are not used by dnf | Ansible | DnfDisableGpgCheck.yaml |
| 146 | CKV2_ANSIBLE_5 | resource | tasks.ansible.builtin.dnf | Ensure that SSL validation isn't disabled with dnf | Ansible | DnfSslVerify.yaml |
| 147 | CKV2_ANSIBLE_5 | resource | tasks.dnf | Ensure that SSL validation isn't disabled with dnf | Ansible | DnfSslVerify.yaml |
| 148 | CKV2_ANSIBLE_6 | resource | tasks.ansible.builtin.dnf | Ensure that certificate validation isn't disabled with dnf | Ansible | DnfValidateCerts.yaml |
| 149 | CKV2_ANSIBLE_6 | resource | tasks.dnf | Ensure that certificate validation isn't disabled with dnf | Ansible | DnfValidateCerts.yaml |
| 150 | CKV_ARGO_1 | argo_workflows | spec | Ensure Workflow pods are not using the default ServiceAccount | Argo Workflows | DefaultServiceAccount.py |
| 151 | CKV_ARGO_2 | argo_workflows | spec | Ensure Workflow pods are running as non-root user | Argo Workflows | RunAsNonRoot.py |
| 152 | CKV_AWS_1 | data | aws_iam_policy_document | Ensure IAM policies that allow full "\*-\*" administrative privileges are not created | Terraform | AdminPolicyDocument.py |
| 153 | CKV_AWS_1 | resource | serverless_aws | Ensure IAM policies that allow full "\*-\*" administrative privileges are not created | serverless | AdminPolicyDocument.py |
| 154 | CKV_AWS_2 | resource | AWS::ElasticLoadBalancingV2::Listener | Ensure ALB protocol is HTTPS | Cloudformation | ALBListenerHTTPS.py |
| 155 | CKV_AWS_2 | resource | aws_alb_listener | Ensure ALB protocol is HTTPS | Terraform | ALBListenerHTTPS.py |
| 156 | CKV_AWS_2 | resource | aws_lb_listener | Ensure ALB protocol is HTTPS | Terraform | ALBListenerHTTPS.py |
| 157 | CKV_AWS_3 | resource | AWS::EC2::Volume | Ensure all data stored in the EBS is securely encrypted | Cloudformation | EBSEncryption.py |
| 158 | CKV_AWS_3 | resource | aws_ebs_volume | Ensure all data stored in the EBS is securely encrypted | Terraform | EBSEncryption.py |
| 159 | CKV_AWS_5 | resource | AWS::Elasticsearch::Domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Cloudformation | ElasticsearchEncryption.py |
| 160 | CKV_AWS_5 | resource | aws_elasticsearch_domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Terraform | ElasticsearchEncryption.py |
| 161 | CKV_AWS_5 | resource | aws_opensearch_domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Terraform | ElasticsearchEncryption.py |
| 162 | CKV_AWS_6 | resource | AWS::Elasticsearch::Domain | Ensure all Elasticsearch has node-to-node encryption enabled | Cloudformation | ElasticsearchNodeToNodeEncryption.py |
| 163 | CKV_AWS_6 | resource | aws_elasticsearch_domain | Ensure all Elasticsearch has node-to-node encryption enabled | Terraform | ElasticsearchNodeToNodeEncryption.py |
| 164 | CKV_AWS_6 | resource | aws_opensearch_domain | Ensure all Elasticsearch has node-to-node encryption enabled | Terraform | ElasticsearchNodeToNodeEncryption.py |
| 165 | CKV_AWS_7 | resource | AWS::KMS::Key | Ensure rotation for customer created CMKs is enabled | Cloudformation | KMSRotation.py |
| 166 | CKV_AWS_7 | resource | aws_kms_key | Ensure rotation for customer created CMKs is enabled | Terraform | KMSRotation.py |
| 167 | CKV_AWS_8 | resource | AWS::AutoScaling::LaunchConfiguration | Ensure all data stored in the Launch configuration EBS is securely encrypted | Cloudformation | LaunchConfigurationEBSEncryption.py |
| 168 | CKV_AWS_8 | resource | aws_instance | Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted | Terraform | LaunchConfigurationEBSEncryption.py |
| 169 | CKV_AWS_8 | resource | aws_launch_configuration | Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted | Terraform | LaunchConfigurationEBSEncryption.py |
| 170 | CKV_AWS_9 | resource | aws_iam_account_password_policy | Ensure IAM password policy expires passwords within 90 days or less | Terraform | PasswordPolicyExpiration.py |
| 171 | CKV_AWS_10 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires minimum length of 14 or greater | Terraform | PasswordPolicyLength.py |
| 172 | CKV_AWS_11 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires at least one lowercase letter | Terraform | PasswordPolicyLowercaseLetter.py |
| 173 | CKV_AWS_12 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires at least one number | Terraform | PasswordPolicyNumber.py |
| 174 | CKV_AWS_13 | resource | aws_iam_account_password_policy | Ensure IAM password policy prevents password reuse | Terraform | PasswordPolicyReuse.py |
| 175 | CKV_AWS_14 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires at least one symbol | Terraform | PasswordPolicySymbol.py |
| 176 | CKV_AWS_15 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires at least one uppercase letter | Terraform | PasswordPolicyUppercaseLetter.py |
| 177 | CKV_AWS_16 | resource | AWS::RDS::DBInstance | Ensure all data stored in the RDS is securely encrypted at rest | Cloudformation | RDSEncryption.py |
| 178 | CKV_AWS_16 | resource | aws_db_instance | Ensure all data stored in the RDS is securely encrypted at rest | Terraform | RDSEncryption.py |
| 179 | CKV_AWS_17 | resource | AWS::RDS::DBInstance | Ensure all data stored in RDS is not publicly accessible | Cloudformation | RDSPubliclyAccessible.py |
| 180 | CKV_AWS_17 | resource | aws_db_instance | Ensure all data stored in RDS is not publicly accessible | Terraform | RDSPubliclyAccessible.py |
| 181 | CKV_AWS_17 | resource | aws_rds_cluster_instance | Ensure all data stored in RDS is not publicly accessible | Terraform | RDSPubliclyAccessible.py |
| 182 | CKV_AWS_18 | resource | AWS::S3::Bucket | Ensure the S3 bucket has access logging enabled | Cloudformation | S3AccessLogs.py |
| 183 | CKV_AWS_18 | resource | aws_s3_bucket | Ensure the S3 bucket has access logging enabled | Terraform | S3BucketLogging.yaml |
| 184 | CKV_AWS_19 | resource | AWS::S3::Bucket | Ensure the S3 bucket has server-side-encryption enabled | Cloudformation | S3Encryption.py |
| 185 | CKV_AWS_19 | resource | aws_s3_bucket | Ensure all data stored in the S3 bucket is securely encrypted at rest | Terraform | S3BucketEncryption.yaml |
| 186 | CKV_AWS_19 | resource | aws_s3_bucket_server_side_encryption_configuration | Ensure all data stored in the S3 bucket is securely encrypted at rest | Terraform | S3BucketEncryption.yaml |
| 187 | CKV_AWS_20 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow READ permissions to everyone | Cloudformation | S3PublicACLRead.py |
| 188 | CKV_AWS_20 | resource | aws_s3_bucket | S3 Bucket has an ACL defined which allows public READ access. | Terraform | S3PublicACLRead.yaml |
| 189 | CKV_AWS_20 | resource | aws_s3_bucket_acl | S3 Bucket has an ACL defined which allows public READ access. | Terraform | S3PublicACLRead.yaml |
| 190 | CKV_AWS_21 | resource | AWS::S3::Bucket | Ensure the S3 bucket has versioning enabled | Cloudformation | S3Versioning.py |
| 191 | CKV_AWS_21 | resource | aws_s3_bucket | Ensure all data stored in the S3 bucket have versioning enabled | Terraform | S3BucketVersioning.yaml |
| 192 | CKV_AWS_21 | resource | aws_s3_bucket_versioning | Ensure all data stored in the S3 bucket have versioning enabled | Terraform | S3BucketVersioning.yaml |
| 193 | CKV_AWS_22 | resource | aws_sagemaker_notebook_instance | Ensure SageMaker Notebook is encrypted at rest using KMS CMK | Terraform | SagemakerNotebookEncryption.py |
| 194 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroup | Ensure every security groups rule has a description | Cloudformation | SecurityGroupRuleDescription.py |
| 195 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupEgress | Ensure every security groups rule has a description | Cloudformation | SecurityGroupRuleDescription.py |
| 196 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupIngress | Ensure every security groups rule has a description | Cloudformation | SecurityGroupRuleDescription.py |
| 197 | CKV_AWS_23 | resource | aws_db_security_group | Ensure every security group and rule has a description | Terraform | SecurityGroupRuleDescription.py |
| 198 | CKV_AWS_23 | resource | aws_elasticache_security_group | | | |
Ensure every security group and rule has a description |
Terraform |
SecurityGroupRuleDescription.py |
199 |
CKV_AWS_23 |
resource |
aws_redshift_security_group |
Ensure every security group and rule has a description |
Terraform |
SecurityGroupRuleDescription.py |
200 |
CKV_AWS_23 |
resource |
aws_security_group |
Ensure every security group and rule has a description |
Terraform |
SecurityGroupRuleDescription.py |
201 |
CKV_AWS_23 |
resource |
aws_security_group_rule |
Ensure every security group and rule has a description |
Terraform |
SecurityGroupRuleDescription.py |
202 |
CKV_AWS_23 |
resource |
aws_vpc_security_group_egress_rule |
Ensure every security group and rule has a description |
Terraform |
SecurityGroupRuleDescription.py |
203 |
CKV_AWS_23 |
resource |
aws_vpc_security_group_ingress_rule |
Ensure every security group and rule has a description |
Terraform |
SecurityGroupRuleDescription.py |
204 |
CKV_AWS_24 |
resource |
AWS::EC2::SecurityGroup |
Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 |
Cloudformation |
SecurityGroupUnrestrictedIngress22.py |
205 |
CKV_AWS_24 |
resource |
AWS::EC2::SecurityGroupIngress |
Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 |
Cloudformation |
SecurityGroupUnrestrictedIngress22.py |
206 |
CKV_AWS_24 |
resource |
aws_security_group |
Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 |
Terraform |
SecurityGroupUnrestrictedIngress22.py |
207 |
CKV_AWS_24 |
resource |
aws_security_group_rule |
Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 |
Terraform |
SecurityGroupUnrestrictedIngress22.py |
208 |
CKV_AWS_24 |
resource |
aws_vpc_security_group_ingress_rule |
Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 |
Terraform |
SecurityGroupUnrestrictedIngress22.py |
209 |
CKV_AWS_25 |
resource |
AWS::EC2::SecurityGroup |
Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 |
Cloudformation |
SecurityGroupUnrestrictedIngress3389.py |
210 |
CKV_AWS_25 |
resource |
AWS::EC2::SecurityGroupIngress |
Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 |
Cloudformation |
SecurityGroupUnrestrictedIngress3389.py |
211 |
CKV_AWS_25 |
resource |
aws_security_group |
Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 |
Terraform |
SecurityGroupUnrestrictedIngress3389.py |
212 |
CKV_AWS_25 |
resource |
aws_security_group_rule |
Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 |
Terraform |
SecurityGroupUnrestrictedIngress3389.py |
213 |
CKV_AWS_25 |
resource |
aws_vpc_security_group_ingress_rule |
Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 |
Terraform |
SecurityGroupUnrestrictedIngress3389.py |
214 |
CKV_AWS_26 |
resource |
AWS::SNS::Topic |
Ensure all data stored in the SNS topic is encrypted |
Cloudformation |
SNSTopicEncryption.py |
215 |
CKV_AWS_26 |
resource |
aws_sns_topic |
Ensure all data stored in the SNS topic is encrypted |
Terraform |
SNSTopicEncryption.py |
216 |
CKV_AWS_27 |
resource |
AWS::SQS::Queue |
Ensure all data stored in the SQS queue is encrypted |
Cloudformation |
SQSQueueEncryption.py |
217 |
CKV_AWS_27 |
resource |
aws_sqs_queue |
Ensure all data stored in the SQS queue is encrypted |
Terraform |
SQSQueueEncryption.py |
218 |
CKV_AWS_28 |
resource |
AWS::DynamoDB::Table |
Ensure DynamoDB point in time recovery (backup) is enabled |
Cloudformation |
DynamodbRecovery.py |
219 |
CKV_AWS_28 |
resource |
aws_dynamodb_table |
Ensure DynamoDB point in time recovery (backup) is enabled |
Terraform |
DynamodbRecovery.py |
220 |
CKV_AWS_29 |
resource |
AWS::ElastiCache::ReplicationGroup |
Ensure all data stored in the ElastiCache Replication Group is securely encrypted at rest |
Cloudformation |
ElasticacheReplicationGroupEncryptionAtRest.py |
221 |
CKV_AWS_29 |
resource |
aws_elasticache_replication_group |
Ensure all data stored in the ElastiCache Replication Group is securely encrypted at rest |
Terraform |
ElasticacheReplicationGroupEncryptionAtRest.py |
222 |
CKV_AWS_30 |
resource |
AWS::ElastiCache::ReplicationGroup |
Ensure all data stored in the ElastiCache Replication Group is securely encrypted at transit |
Cloudformation |
ElasticacheReplicationGroupEncryptionAtTransit.py |
223 |
CKV_AWS_30 |
resource |
aws_elasticache_replication_group |
Ensure all data stored in the ElastiCache Replication Group is securely encrypted at transit |
Terraform |
ElasticacheReplicationGroupEncryptionAtTransit.py |
224 |
CKV_AWS_31 |
resource |
AWS::ElastiCache::ReplicationGroup |
Ensure all data stored in the ElastiCache Replication Group is securely encrypted at transit and has auth token |
Cloudformation |
ElasticacheReplicationGroupEncryptionAtTransitAuthToken.py |
225 |
CKV_AWS_31 |
resource |
aws_elasticache_replication_group |
Ensure all data stored in the ElastiCache Replication Group is securely encrypted at transit and has auth token |
Terraform |
ElasticacheReplicationGroupEncryptionAtTransitAuthToken.py |
226 |
CKV_AWS_32 |
resource |
AWS::ECR::Repository |
Ensure ECR policy is not set to public |
Cloudformation |
ECRPolicy.py |
227 |
CKV_AWS_32 |
resource |
aws_ecr_repository_policy |
Ensure ECR policy is not set to public |
Terraform |
ECRPolicy.py |
228 |
CKV_AWS_33 |
resource |
AWS::KMS::Key |
Ensure KMS key policy does not contain wildcard (*) principal |
Cloudformation |
KMSKeyWildCardPrincipal.py |
229 |
CKV_AWS_33 |
resource |
aws_kms_key |
Ensure KMS key policy does not contain wildcard (*) principal |
Terraform |
KMSKeyWildcardPrincipal.py |
230 |
CKV_AWS_34 |
resource |
AWS::CloudFront::Distribution |
Ensure CloudFront Distribution ViewerProtocolPolicy is set to HTTPS |
Cloudformation |
CloudfrontDistributionEncryption.py |
231 |
CKV_AWS_34 |
resource |
aws_cloudfront_distribution |
Ensure CloudFront distribution ViewerProtocolPolicy is set to HTTPS |
Terraform |
CloudfrontDistributionEncryption.py |
232 |
CKV_AWS_35 |
resource |
AWS::CloudTrail::Trail |
Ensure CloudTrail logs are encrypted at rest using KMS CMKs |
Cloudformation |
CloudtrailEncryption.py |
233 |
CKV_AWS_35 |
resource |
aws_cloudtrail |
Ensure CloudTrail logs are encrypted at rest using KMS CMKs |
Terraform |
CloudtrailEncryptionWithCMK.py |
234 |
CKV_AWS_36 |
resource |
AWS::CloudTrail::Trail |
Ensure CloudTrail log file validation is enabled |
Cloudformation |
CloudtrailLogValidation.py |
235 |
CKV_AWS_36 |
resource |
aws_cloudtrail |
Ensure CloudTrail log file validation is enabled |
Terraform |
CloudtrailLogValidation.py |
236 |
CKV_AWS_37 |
resource |
aws_eks_cluster |
Ensure Amazon EKS control plane logging is enabled for all log types |
Terraform |
EKSControlPlaneLogging.py |
237 |
CKV_AWS_38 |
resource |
aws_eks_cluster |
Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0 |
Terraform |
EKSPublicAccessCIDR.py |
238 |
CKV_AWS_39 |
resource |
aws_eks_cluster |
Ensure Amazon EKS public endpoint disabled |
Terraform |
EKSPublicAccess.py |
239 |
CKV_AWS_40 |
resource |
AWS::IAM::Policy |
Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) |
Cloudformation |
IAMPolicyAttachedToGroupOrRoles.py |
240 |
CKV_AWS_40 |
resource |
aws_iam_policy_attachment |
Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) |
Terraform |
IAMPolicyAttachedToGroupOrRoles.py |
241 |
CKV_AWS_40 |
resource |
aws_iam_user_policy |
Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) |
Terraform |
IAMPolicyAttachedToGroupOrRoles.py |
242 |
CKV_AWS_40 |
resource |
aws_iam_user_policy_attachment |
Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) |
Terraform |
IAMPolicyAttachedToGroupOrRoles.py |
243 |
CKV_AWS_41 |
provider |
aws |
Ensure no hard coded AWS access key and secret key exists in provider |
Terraform |
credentials.py |
244 |
CKV_AWS_41 |
resource |
serverless_aws |
Ensure no hard coded AWS access key and secret key exists in provider |
serverless |
AWSCredentials.py |
245 |
CKV_AWS_42 |
resource |
AWS::EFS::FileSystem |
Ensure EFS is securely encrypted |
Cloudformation |
EFSEncryptionEnabled.py |
246 |
CKV_AWS_42 |
resource |
aws_efs_file_system |
Ensure EFS is securely encrypted |
Terraform |
EFSEncryptionEnabled.py |
247 |
CKV_AWS_43 |
resource |
AWS::Kinesis::Stream |
Ensure Kinesis Stream is securely encrypted |
Cloudformation |
KinesisStreamEncryptionType.py |
248 |
CKV_AWS_43 |
resource |
aws_kinesis_stream |
Ensure Kinesis Stream is securely encrypted |
Terraform |
KinesisStreamEncryptionType.py |
249 |
CKV_AWS_44 |
resource |
AWS::Neptune::DBCluster |
Ensure Neptune storage is securely encrypted |
Cloudformation |
NeptuneClusterStorageEncrypted.py |
250 |
CKV_AWS_44 |
resource |
aws_neptune_cluster |
Ensure Neptune storage is securely encrypted |
Terraform |
NeptuneClusterStorageEncrypted.py |
251 |
CKV_AWS_45 |
resource |
AWS::Lambda::Function |
Ensure no hard-coded secrets exist in Lambda environment |
Cloudformation |
LambdaEnvironmentCredentials.py |
252 |
CKV_AWS_45 |
resource |
AWS::Serverless::Function |
Ensure no hard-coded secrets exist in Lambda environment |
Cloudformation |
LambdaEnvironmentCredentials.py |
253 |
CKV_AWS_45 |
resource |
aws_lambda_function |
Ensure no hard-coded secrets exist in lambda environment |
Terraform |
LambdaEnvironmentCredentials.py |
254 |
CKV_AWS_46 |
resource |
AWS::EC2::Instance |
Ensure no hard-coded secrets exist in EC2 user data |
Cloudformation |
EC2Credentials.py |
255 |
CKV_AWS_46 |
resource |
aws_instance |
Ensure no hard-coded secrets exist in EC2 user data |
Terraform |
EC2Credentials.py |
256 |
CKV_AWS_46 |
resource |
aws_launch_configuration |
Ensure no hard-coded secrets exist in EC2 user data |
Terraform |
EC2Credentials.py |
257 |
CKV_AWS_46 |
resource |
aws_launch_template |
Ensure no hard-coded secrets exist in EC2 user data |
Terraform |
EC2Credentials.py |
258 |
CKV_AWS_47 |
resource |
AWS::DAX::Cluster |
Ensure DAX is encrypted at rest (default is unencrypted) |
Cloudformation |
DAXEncryption.py |
259 |
CKV_AWS_47 |
resource |
aws_dax_cluster |
Ensure DAX is encrypted at rest (default is unencrypted) |
Terraform |
DAXEncryption.py |
260 |
CKV_AWS_48 |
resource |
aws_mq_broker |
Ensure MQ Broker logging is enabled |
Terraform |
MQBrokerLogging.py |
261 |
CKV_AWS_49 |
data |
aws_iam_policy_document |
Ensure no IAM policies documents allow “*” as a statement’s actions |
Terraform |
StarActionPolicyDocument.py |
262 |
CKV_AWS_49 |
resource |
serverless_aws |
Ensure no IAM policies documents allow “*” as a statement’s actions |
serverless |
StarActionPolicyDocument.py |
263 |
CKV_AWS_50 |
resource |
aws_lambda_function |
X-Ray tracing is enabled for Lambda |
Terraform |
LambdaXrayEnabled.py |
264 |
CKV_AWS_51 |
resource |
AWS::ECR::Repository |
Ensure ECR Image Tags are immutable |
Cloudformation |
ECRImmutableTags.py |
265 |
CKV_AWS_51 |
resource |
aws_ecr_repository |
Ensure ECR Image Tags are immutable |
Terraform |
ECRImmutableTags.py |
266 |
CKV_AWS_53 |
resource |
AWS::S3::Bucket |
Ensure S3 bucket has block public ACLs enabled |
Cloudformation |
S3BlockPublicACLs.py |
267 |
CKV_AWS_53 |
resource |
aws_s3_bucket_public_access_block |
Ensure S3 bucket has block public ACLS enabled |
Terraform |
S3BlockPublicACLs.py |
268 |
CKV_AWS_54 |
resource |
AWS::S3::Bucket |
Ensure S3 bucket has block public policy enabled |
Cloudformation |
S3BlockPublicPolicy.py |
269 |
CKV_AWS_54 |
resource |
aws_s3_bucket_public_access_block |
Ensure S3 bucket has block public policy enabled |
Terraform |
S3BlockPublicPolicy.py |
270 |
CKV_AWS_55 |
resource |
AWS::S3::Bucket |
Ensure S3 bucket has ignore public ACLs enabled |
Cloudformation |
S3IgnorePublicACLs.py |
271 |
CKV_AWS_55 |
resource |
aws_s3_bucket_public_access_block |
Ensure S3 bucket has ignore public ACLs enabled |
Terraform |
S3IgnorePublicACLs.py |
272 |
CKV_AWS_56 |
resource |
AWS::S3::Bucket |
Ensure S3 bucket has RestrictPublicBuckets enabled |
Cloudformation |
S3RestrictPublicBuckets.py |
273 |
CKV_AWS_56 |
resource |
aws_s3_bucket_public_access_block |
Ensure S3 bucket has ‘restrict_public_buckets’ enabled |
Terraform |
S3RestrictPublicBuckets.py |
274 |
CKV_AWS_57 |
resource |
AWS::S3::Bucket |
Ensure the S3 bucket does not allow WRITE permissions to everyone |
Cloudformation |
S3PublicACLWrite.py |
275 |
CKV_AWS_57 |
resource |
aws_s3_bucket |
S3 Bucket has an ACL defined which allows public WRITE access. |
Terraform |
S3PublicACLWrite.yaml |
276 |
CKV_AWS_57 |
resource |
aws_s3_bucket_acl |
S3 Bucket has an ACL defined which allows public WRITE access. |
Terraform |
S3PublicACLWrite.yaml |
277 |
CKV_AWS_58 |
resource |
AWS::EKS::Cluster |
Ensure EKS Cluster has Secrets Encryption Enabled |
Cloudformation |
EKSSecretsEncryption.py |
278 |
CKV_AWS_58 |
resource |
aws_eks_cluster |
Ensure EKS Cluster has Secrets Encryption Enabled |
Terraform |
EKSSecretsEncryption.py |
279 |
CKV_AWS_59 |
resource |
AWS::ApiGateway::Method |
Ensure there is no open access to back-end resources through API |
Cloudformation |
APIGatewayAuthorization.py |
280 |
CKV_AWS_59 |
resource |
aws_api_gateway_method |
Ensure there is no open access to back-end resources through API |
Terraform |
APIGatewayAuthorization.py |
281 |
CKV_AWS_60 |
resource |
AWS::IAM::Role |
Ensure IAM role allows only specific services or principals to assume it |
Cloudformation |
IAMRoleAllowsPublicAssume.py |
282 |
CKV_AWS_60 |
resource |
aws_iam_role |
Ensure IAM role allows only specific services or principals to assume it |
Terraform |
IAMRoleAllowsPublicAssume.py |
283 |
CKV_AWS_61 |
resource |
AWS::IAM::Role |
Ensure AWS IAM policy does not allow assume role permission across all services |
Cloudformation |
IAMRoleAllowAssumeFromAccount.py |
284 |
CKV_AWS_61 |
resource |
aws_iam_role |
Ensure AWS IAM policy does not allow assume role permission across all services |
Terraform |
IAMRoleAllowAssumeFromAccount.py |
285 |
CKV_AWS_62 |
resource |
AWS::IAM::Group |
Ensure no IAM policies that allow full “-” administrative privileges are not created |
Cloudformation |
IAMAdminPolicyDocument.py |
286 |
CKV_AWS_62 |
resource |
AWS::IAM::Policy |
Ensure no IAM policies that allow full “-” administrative privileges are not created |
Cloudformation |
IAMAdminPolicyDocument.py |
287 |
CKV_AWS_62 |
resource |
AWS::IAM::Role |
Ensure no IAM policies that allow full “-” administrative privileges are not created |
Cloudformation |
IAMAdminPolicyDocument.py |
288 |
CKV_AWS_62 |
resource |
AWS::IAM::User |
Ensure no IAM policies that allow full “-” administrative privileges are not created |
Cloudformation |
IAMAdminPolicyDocument.py |
289 |
CKV_AWS_62 |
resource |
aws_iam_group_policy |
Ensure IAM policies that allow full “-” administrative privileges are not created |
Terraform |
IAMAdminPolicyDocument.py |
290 |
CKV_AWS_62 |
resource |
aws_iam_policy |
Ensure IAM policies that allow full “-” administrative privileges are not created |
Terraform |
IAMAdminPolicyDocument.py |
291 |
CKV_AWS_62 |
resource |
aws_iam_role_policy |
Ensure IAM policies that allow full “-” administrative privileges are not created |
Terraform |
IAMAdminPolicyDocument.py |
292 |
CKV_AWS_62 |
resource |
aws_iam_user_policy |
Ensure IAM policies that allow full “-” administrative privileges are not created |
Terraform |
IAMAdminPolicyDocument.py |
293 |
CKV_AWS_62 |
resource |
aws_ssoadmin_permission_set_inline_policy |
Ensure IAM policies that allow full “-” administrative privileges are not created |
Terraform |
IAMAdminPolicyDocument.py |
294 |
CKV_AWS_63 |
resource |
AWS::IAM::Group |
Ensure no IAM policies documents allow “*” as a statement’s actions |
Cloudformation |
IAMStarActionPolicyDocument.py |
295 |
CKV_AWS_63 |
resource |
AWS::IAM::Policy |
Ensure no IAM policies documents allow “*” as a statement’s actions |
Cloudformation |
IAMStarActionPolicyDocument.py |
296 |
CKV_AWS_63 |
resource |
AWS::IAM::Role |
Ensure no IAM policies documents allow “*” as a statement’s actions |
Cloudformation |
IAMStarActionPolicyDocument.py |
297 |
CKV_AWS_63 |
resource |
AWS::IAM::User |
Ensure no IAM policies documents allow “*” as a statement’s actions |
Cloudformation |
IAMStarActionPolicyDocument.py |
298 |
CKV_AWS_63 |
resource |
aws_iam_group_policy |
Ensure no IAM policies documents allow “*” as a statement’s actions |
Terraform |
IAMStarActionPolicyDocument.py |
299 |
CKV_AWS_63 |
resource |
aws_iam_policy |
Ensure no IAM policies documents allow “*” as a statement’s actions |
Terraform |
IAMStarActionPolicyDocument.py |
300 |
CKV_AWS_63 |
resource |
aws_iam_role_policy |
Ensure no IAM policies documents allow “*” as a statement’s actions |
Terraform |
IAMStarActionPolicyDocument.py |
301 |
CKV_AWS_63 |
resource |
aws_iam_user_policy |
Ensure no IAM policies documents allow “*” as a statement’s actions |
Terraform |
IAMStarActionPolicyDocument.py |
302 |
CKV_AWS_63 |
resource |
aws_ssoadmin_permission_set_inline_policy |
Ensure no IAM policies documents allow “*” as a statement’s actions |
Terraform |
IAMStarActionPolicyDocument.py |
303 |
CKV_AWS_64 |
resource |
AWS::Redshift::Cluster |
Ensure all data stored in the Redshift cluster is securely encrypted at rest |
Cloudformation |
RedshiftClusterEncryption.py |
304 |
CKV_AWS_64 |
resource |
aws_redshift_cluster |
Ensure all data stored in the Redshift cluster is securely encrypted at rest |
Terraform |
RedshiftClusterEncryption.py |
305 |
CKV_AWS_65 |
resource |
AWS::ECS::Cluster |
Ensure container insights are enabled on ECS cluster |
Cloudformation |
ECSClusterContainerInsights.py |
306 |
CKV_AWS_65 |
resource |
aws_ecs_cluster |
Ensure container insights are enabled on ECS cluster |
Terraform |
ECSClusterContainerInsights.py |
307 |
CKV_AWS_66 |
resource |
AWS::Logs::LogGroup |
Ensure that CloudWatch Log Group specifies retention days |
Cloudformation |
CloudWatchLogGroupRetention.py |
308 |
CKV_AWS_66 |
resource |
aws_cloudwatch_log_group |
Ensure that CloudWatch Log Group specifies retention days |
Terraform |
CloudWatchLogGroupRetention.py |
309 |
CKV_AWS_67 |
resource |
AWS::CloudTrail::Trail |
Ensure CloudTrail is enabled in all Regions |
Cloudformation |
CloudtrailMultiRegion.py |
310 |
CKV_AWS_67 |
resource |
aws_cloudtrail |
Ensure CloudTrail is enabled in all Regions |
Terraform |
CloudtrailMultiRegion.py |
311 |
CKV_AWS_68 |
resource |
AWS::CloudFront::Distribution |
CloudFront Distribution should have WAF enabled |
Cloudformation |
WAFEnabled.py |
312 |
CKV_AWS_68 |
resource |
aws_cloudfront_distribution |
CloudFront Distribution should have WAF enabled |
Terraform |
WAFEnabled.py |
313 |
CKV_AWS_69 |
resource |
AWS::AmazonMQ::Broker |
Ensure Amazon MQ Broker should not have public access |
Cloudformation |
AmazonMQBrokerPublicAccess.py |
314 |
CKV_AWS_69 |
resource |
aws_mq_broker |
Ensure MQ Broker is not publicly exposed |
Terraform |
MQBrokerNotPubliclyExposed.py |
315 |
CKV_AWS_70 |
resource |
aws_s3_bucket |
Ensure S3 bucket does not allow an action with any Principal |
Terraform |
S3AllowsAnyPrincipal.py |
316 |
CKV_AWS_70 |
resource |
aws_s3_bucket_policy |
Ensure S3 bucket does not allow an action with any Principal |
Terraform |
S3AllowsAnyPrincipal.py |
317 |
CKV_AWS_71 |
resource |
AWS::Redshift::Cluster |
Ensure Redshift Cluster logging is enabled |
Cloudformation |
RedshiftClusterLogging.py |
318 |
CKV_AWS_71 |
resource |
aws_redshift_cluster |
Ensure Redshift Cluster logging is enabled |
Terraform |
RedshiftClusterLogging.py |
319 |
CKV_AWS_72 |
resource |
aws_sqs_queue_policy |
Ensure SQS policy does not allow ALL (*) actions. |
Terraform |
SQSPolicy.py |
320 |
CKV_AWS_73 |
resource |
AWS::ApiGateway::Stage |
Ensure API Gateway has X-Ray Tracing enabled |
Cloudformation |
APIGatewayXray.py |
321 |
CKV_AWS_73 |
resource |
AWS::Serverless::Api |
Ensure API Gateway has X-Ray Tracing enabled |
Cloudformation |
APIGatewayXray.py |
322 |
CKV_AWS_73 |
resource |
aws_api_gateway_stage |
Ensure API Gateway has X-Ray Tracing enabled |
Terraform |
APIGatewayXray.py |
323 |
CKV_AWS_74 |
resource |
AWS::DocDB::DBCluster |
Ensure DocumentDB is encrypted at rest (default is unencrypted) |
Cloudformation |
DocDBEncryption.py |
324 |
CKV_AWS_74 |
resource |
aws_docdb_cluster |
Ensure DocumentDB is encrypted at rest (default is unencrypted) |
Terraform |
DocDBEncryption.py |
325 |
CKV_AWS_75 |
resource |
aws_globalaccelerator_accelerator |
Ensure Global Accelerator accelerator has flow logs enabled |
Terraform |
GlobalAcceleratorAcceleratorFlowLogs.py |
326 |
CKV_AWS_76 |
resource |
AWS::ApiGateway::Stage |
Ensure API Gateway has Access Logging enabled |
Cloudformation |
APIGatewayAccessLogging.py |
327 |
CKV_AWS_76 |
resource |
AWS::Serverless::Api |
Ensure API Gateway has Access Logging enabled |
Cloudformation |
APIGatewayAccessLogging.py |
328 |
CKV_AWS_76 |
resource |
aws_api_gateway_stage |
Ensure API Gateway has Access Logging enabled |
Terraform |
APIGatewayAccessLogging.py |
329 |
CKV_AWS_76 |
resource |
aws_apigatewayv2_stage |
Ensure API Gateway has Access Logging enabled |
Terraform |
APIGatewayAccessLogging.py |
330 |
CKV_AWS_77 |
resource |
aws_athena_database |
Ensure Athena Database is encrypted at rest (default is unencrypted) |
Terraform |
AthenaDatabaseEncryption.py |
331 |
CKV_AWS_78 |
resource |
AWS::CodeBuild::Project |
Ensure that CodeBuild Project encryption is not disabled |
Cloudformation |
CodeBuildProjectEncryption.py |
332 |
CKV_AWS_78 |
resource |
aws_codebuild_project |
Ensure that CodeBuild Project encryption is not disabled |
Terraform |
CodeBuildProjectEncryption.py |
333 |
CKV_AWS_79 |
resource |
AWS::EC2::LaunchTemplate |
Ensure Instance Metadata Service Version 1 is not enabled |
Cloudformation |
IMDSv1Disabled.py |
334 |
CKV_AWS_79 |
resource |
aws_instance |
Ensure Instance Metadata Service Version 1 is not enabled |
Terraform |
IMDSv1Disabled.py |
335 |
CKV_AWS_79 |
resource |
aws_launch_configuration |
Ensure Instance Metadata Service Version 1 is not enabled |
Terraform |
IMDSv1Disabled.py |
336 |
CKV_AWS_79 |
resource |
aws_launch_template |
Ensure Instance Metadata Service Version 1 is not enabled |
Terraform |
IMDSv1Disabled.py |
337 |
CKV_AWS_80 |
resource |
AWS::MSK::Cluster |
Ensure MSK Cluster logging is enabled |
Cloudformation |
MSKClusterLogging.py |
338 |
CKV_AWS_80 |
resource |
aws_msk_cluster |
Ensure MSK Cluster logging is enabled |
Terraform |
MSKClusterLogging.py |
339 |
CKV_AWS_81 |
resource |
AWS::MSK::Cluster |
Ensure MSK Cluster encryption in rest and transit is enabled |
Cloudformation |
MSKClusterEncryption.py |
340 |
CKV_AWS_81 |
resource |
aws_msk_cluster |
Ensure MSK Cluster encryption in rest and transit is enabled |
Terraform |
MSKClusterEncryption.py |
341 |
CKV_AWS_82 |
resource |
AWS::Athena::WorkGroup |
Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption |
Cloudformation |
AthenaWorkgroupConfiguration.py |
342 |
CKV_AWS_82 |
resource |
aws_athena_workgroup |
Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption |
Terraform |
AthenaWorkgroupConfiguration.py |
343 |
CKV_AWS_83 |
resource |
AWS::Elasticsearch::Domain |
Ensure Elasticsearch Domain enforces HTTPS |
Cloudformation |
ElasticsearchDomainEnforceHTTPS.py |
344 |
CKV_AWS_83 |
resource |
aws_elasticsearch_domain |
Ensure Elasticsearch Domain enforces HTTPS |
Terraform |
ElasticsearchDomainEnforceHTTPS.py |
345 |
CKV_AWS_83 |
resource |
aws_opensearch_domain |
Ensure Elasticsearch Domain enforces HTTPS |
Terraform |
ElasticsearchDomainEnforceHTTPS.py |
346 |
CKV_AWS_84 |
resource |
AWS::Elasticsearch::Domain |
Ensure Elasticsearch Domain Logging is enabled |
Cloudformation |
ElasticsearchDomainLogging.py |
347 |
CKV_AWS_84 |
resource |
AWS::OpenSearchService::Domain |
Ensure Elasticsearch Domain Logging is enabled |
Cloudformation |
ElasticsearchDomainLogging.py |
348 |
CKV_AWS_84 |
resource |
aws_elasticsearch_domain |
Ensure Elasticsearch Domain Logging is enabled |
Terraform |
ElasticsearchDomainLogging.py |
349 |
CKV_AWS_84 |
resource |
aws_opensearch_domain |
Ensure Elasticsearch Domain Logging is enabled |
Terraform |
ElasticsearchDomainLogging.py |
350 |
CKV_AWS_85 |
resource |
AWS::DocDB::DBCluster |
Ensure DocumentDB Logging is enabled |
Cloudformation |
DocDBLogging.py |
351 |
CKV_AWS_85 |
resource |
aws_docdb_cluster |
Ensure DocumentDB Logging is enabled |
Terraform |
DocDBLogging.py |
352 |
CKV_AWS_86 |
resource |
AWS::CloudFront::Distribution |
Ensure CloudFront Distribution has Access Logging enabled |
Cloudformation |
CloudfrontDistributionLogging.py |
353 |
CKV_AWS_86 |
resource |
aws_cloudfront_distribution |
Ensure CloudFront distribution has Access Logging enabled |
Terraform |
CloudfrontDistributionLogging.py |
354 |
CKV_AWS_87 |
resource |
AWS::Redshift::Cluster |
Redshift cluster should not be publicly accessible |
Cloudformation |
RedshiftClusterPubliclyAccessible.py |
355 |
CKV_AWS_87 |
resource |
aws_redshift_cluster |
Redshift cluster should not be publicly accessible |
Terraform |
RedshitClusterPubliclyAvailable.py |
356 |
CKV_AWS_88 |
resource |
AWS::EC2::Instance |
EC2 instance should not have public IP. |
Cloudformation |
EC2PublicIP.py |
357 |
CKV_AWS_88 |
resource |
AWS::EC2::LaunchTemplate |
EC2 instance should not have public IP. |
Cloudformation |
EC2PublicIP.py |
358 |
CKV_AWS_88 |
resource |
[?”amazon.aws.ec2_instance” != null][] |
EC2 instance should not have public IP. |
Ansible |
EC2PublicIP.py |
359 |
CKV_AWS_88 |
resource |
[?”ec2_instance” != null][] |
EC2 instance should not have public IP. |
Ansible |
EC2PublicIP.py |
360 |
CKV_AWS_88 |
resource |
[].block[?”amazon.aws.ec2_instance” != null][] |
EC2 instance should not have public IP. |
Ansible |
EC2PublicIP.py |
361 |
CKV_AWS_88 |
resource |
[].block[?”ec2_instance” != null][] |
EC2 instance should not have public IP. |
Ansible |
EC2PublicIP.py |
362 |
CKV_AWS_88 |
resource |
[].block[].block[?”amazon.aws.ec2_instance” != null][] |
EC2 instance should not have public IP. |
Ansible |
EC2PublicIP.py |
363 |
CKV_AWS_88 |
resource |
[].block[].block[?”ec2_instance” != null][] |
EC2 instance should not have public IP. |
Ansible |
EC2PublicIP.py |
364 |
CKV_AWS_88 |
resource |
[].block[].block[].block[?”amazon.aws.ec2_instance” != null][] |
EC2 instance should not have public IP. |
Ansible |
EC2PublicIP.py |
365 |
CKV_AWS_88 |
resource |
[].block[].block[].block[?”ec2_instance” != null][] |
EC2 instance should not have public IP. |
Ansible |
EC2PublicIP.py |
366 |
CKV_AWS_88 |
resource |
[].tasks[?”amazon.aws.ec2_instance” != null][] |
EC2 instance should not have public IP. |
Ansible |
EC2PublicIP.py |
367 |
CKV_AWS_88 |
resource |
[].tasks[?”ec2_instance” != null][] |
EC2 instance should not have public IP. |
Ansible |
EC2PublicIP.py |
368 |
CKV_AWS_88 |
resource |
[].tasks[].block[?”amazon.aws.ec2_instance” != null][] |
EC2 instance should not have public IP. |
Ansible |
EC2PublicIP.py |
369 |
CKV_AWS_88 |
resource |
[].tasks[].block[?”ec2_instance” != null][] |
EC2 instance should not have public IP. |
Ansible |
EC2PublicIP.py |
370 |
CKV_AWS_88 |
resource |
[].tasks[].block[].block[?”amazon.aws.ec2_instance” != null][] |
EC2 instance should not have public IP. |
Ansible |
EC2PublicIP.py |
371 |
CKV_AWS_88 |
resource |
[].tasks[].block[].block[?”ec2_instance” != null][] |
EC2 instance should not have public IP. |
Ansible |
EC2PublicIP.py |
372 |
CKV_AWS_88 |
resource |
[].tasks[].block[].block[].block[?”amazon.aws.ec2_instance” != null][] |
EC2 instance should not have public IP. |
Ansible |
EC2PublicIP.py |
373 |
CKV_AWS_88 |
resource |
[].tasks[].block[].block[].block[?”ec2_instance” != null][] |
EC2 instance should not have public IP. |
Ansible |
EC2PublicIP.py |
374 |
CKV_AWS_88 |
resource |
aws_instance |
EC2 instance should not have public IP. |
Terraform |
EC2PublicIP.py |
375 |
CKV_AWS_88 |
resource |
aws_launch_template |
EC2 instance should not have public IP. |
Terraform |
EC2PublicIP.py |
376 |
CKV_AWS_89 |
resource |
AWS::DMS::ReplicationInstance |
DMS replication instance should not be publicly accessible |
Cloudformation |
DMSReplicationInstancePubliclyAccessible.py |
377 |
CKV_AWS_89 |
resource |
aws_dms_replication_instance |
DMS replication instance should not be publicly accessible |
Terraform |
DMSReplicationInstancePubliclyAccessible.py |
378 |
CKV_AWS_90 |
resource |
AWS::DocDB::DBClusterParameterGroup |
Ensure DocumentDB TLS is not disabled |
Cloudformation |
DocDBTLS.py |
379 |
CKV_AWS_90 |
resource |
aws_docdb_cluster_parameter_group |
Ensure DocumentDB TLS is not disabled |
Terraform |
DocDBTLS.py |
380 |
CKV_AWS_91 |
resource |
AWS::ElasticLoadBalancingV2::LoadBalancer |
Ensure the ELBv2 (Application/Network) has access logging enabled |
Cloudformation |
ELBv2AccessLogs.py |
381 |
CKV_AWS_91 |
resource |
aws_alb |
Ensure the ELBv2 (Application/Network) has access logging enabled |
Terraform |
ELBv2AccessLogs.py |
382 |
CKV_AWS_91 |
resource |
aws_lb |
Ensure the ELBv2 (Application/Network) has access logging enabled |
Terraform |
ELBv2AccessLogs.py |
383 |
CKV_AWS_92 |
resource |
AWS::ElasticLoadBalancing::LoadBalancer |
Ensure the ELB has access logging enabled |
Cloudformation |
ELBAccessLogs.py |
384 |
CKV_AWS_92 |
resource |
aws_elb |
Ensure the ELB has access logging enabled |
Terraform |
ELBAccessLogs.py |
385 |
CKV_AWS_93 |
resource |
aws_s3_bucket |
Ensure S3 bucket policy does not lockout all but root user. (Prevent lockouts needing root account fixes) |
Terraform |
S3ProtectAgainstPolicyLockout.py |
386 |
CKV_AWS_93 |
resource |
aws_s3_bucket_policy |
Ensure S3 bucket policy does not lock out all but the root user (prevents lockouts that need root-account fixes) |
Terraform |
S3ProtectAgainstPolicyLockout.py |
387 |
CKV_AWS_94 |
resource |
AWS::Glue::DataCatalogEncryptionSettings |
Ensure Glue Data Catalog Encryption is enabled |
Cloudformation |
GlueDataCatalogEncryption.py |
388 |
CKV_AWS_94 |
resource |
aws_glue_data_catalog_encryption_settings |
Ensure Glue Data Catalog Encryption is enabled |
Terraform |
GlueDataCatalogEncryption.py |
389 |
CKV_AWS_95 |
resource |
AWS::ApiGatewayV2::Stage |
Ensure API Gateway V2 has Access Logging enabled |
Cloudformation |
APIGatewayV2AccessLogging.py |
390 |
CKV_AWS_95 |
resource |
AWS::Serverless::HttpApi |
Ensure API Gateway V2 has Access Logging enabled |
Cloudformation |
APIGatewayV2AccessLogging.py |
391 |
CKV_AWS_96 |
resource |
AWS::RDS::DBCluster |
Ensure all data stored in Aurora is securely encrypted at rest |
Cloudformation |
AuroraEncryption.py |
392 |
CKV_AWS_96 |
resource |
aws_rds_cluster |
Ensure all data stored in Aurora is securely encrypted at rest |
Terraform |
AuroraEncryption.py |
393 |
CKV_AWS_97 |
resource |
AWS::ECS::TaskDefinition |
Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions |
Cloudformation |
ECSTaskDefinitionEFSVolumeEncryption.py |
394 |
CKV_AWS_97 |
resource |
aws_ecs_task_definition |
Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions |
Terraform |
ECSTaskDefinitionEFSVolumeEncryption.py |
395 |
CKV_AWS_98 |
resource |
aws_sagemaker_endpoint_configuration |
Ensure all data stored in the Sagemaker Endpoint is securely encrypted at rest |
Terraform |
SagemakerEndpointConfigurationEncryption.py |
396 |
CKV_AWS_99 |
resource |
AWS::Glue::SecurityConfiguration |
Ensure Glue Security Configuration Encryption is enabled |
Cloudformation |
GlueSecurityConfiguration.py |
397 |
CKV_AWS_99 |
resource |
aws_glue_security_configuration |
Ensure Glue Security Configuration Encryption is enabled |
Terraform |
GlueSecurityConfiguration.py |
398 |
CKV_AWS_100 |
resource |
AWS::EKS::Nodegroup |
Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0 |
Cloudformation |
EKSNodeGroupRemoteAccess.py |
399 |
CKV_AWS_100 |
resource |
aws_eks_node_group |
Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0 |
Terraform |
EKSNodeGroupRemoteAccess.py |
400 |
CKV_AWS_101 |
resource |
AWS::Neptune::DBCluster |
Ensure Neptune logging is enabled |
Cloudformation |
NeptuneClusterLogging.py |
401 |
CKV_AWS_101 |
resource |
aws_neptune_cluster |
Ensure Neptune logging is enabled |
Terraform |
NeptuneClusterLogging.py |
402 |
CKV_AWS_102 |
resource |
aws_neptune_cluster_instance |
Ensure Neptune Cluster instance is not publicly available |
Terraform |
NeptuneClusterInstancePublic.py |
403 |
CKV_AWS_103 |
resource |
AWS::ElasticLoadBalancingV2::Listener |
Ensure that Load Balancer Listener is using at least TLS v1.2 |
Cloudformation |
ALBListenerTLS12.py |
404 |
CKV_AWS_103 |
resource |
aws_alb_listener |
Ensure that load balancer is using at least TLS 1.2 |
Terraform |
AppLoadBalancerTLS12.yaml |
405 |
CKV_AWS_103 |
resource |
aws_lb |
Ensure that load balancer is using at least TLS 1.2 |
Terraform |
AppLoadBalancerTLS12.yaml |
406 |
CKV_AWS_103 |
resource |
aws_lb_listener |
Ensure that load balancer is using at least TLS 1.2 |
Terraform |
AppLoadBalancerTLS12.yaml |
407 |
CKV_AWS_104 |
resource |
AWS::DocDB::DBClusterParameterGroup |
Ensure DocumentDB has audit logs enabled |
Cloudformation |
DocDBAuditLogs.py |
408 |
CKV_AWS_104 |
resource |
aws_docdb_cluster_parameter_group |
Ensure DocumentDB has audit logs enabled |
Terraform |
DocDBAuditLogs.py |
409 |
CKV_AWS_105 |
resource |
AWS::Redshift::ClusterParameterGroup |
Ensure Redshift uses SSL |
Cloudformation |
RedShiftSSL.py |
410 |
CKV_AWS_105 |
resource |
aws_redshift_parameter_group |
Ensure Redshift uses SSL |
Terraform |
RedShiftSSL.py |
411 |
CKV_AWS_106 |
resource |
aws_ebs_encryption_by_default |
Ensure EBS default encryption is enabled |
Terraform |
EBSDefaultEncryption.py |
412 |
CKV_AWS_107 |
resource |
AWS::IAM::Group |
Ensure IAM policies do not allow credentials exposure |
Cloudformation |
IAMCredentialsExposure.py |
413 |
CKV_AWS_107 |
resource |
AWS::IAM::ManagedPolicy |
Ensure IAM policies do not allow credentials exposure |
Cloudformation |
IAMCredentialsExposure.py |
414 |
CKV_AWS_107 |
resource |
AWS::IAM::Policy |
Ensure IAM policies do not allow credentials exposure |
Cloudformation |
IAMCredentialsExposure.py |
415 |
CKV_AWS_107 |
resource |
AWS::IAM::Role |
Ensure IAM policies do not allow credentials exposure |
Cloudformation |
IAMCredentialsExposure.py |
416 |
CKV_AWS_107 |
resource |
AWS::IAM::User |
Ensure IAM policies do not allow credentials exposure |
Cloudformation |
IAMCredentialsExposure.py |
417 |
CKV_AWS_107 |
data |
aws_iam_policy_document |
Ensure IAM policies do not allow credentials exposure |
Terraform |
IAMCredentialsExposure.py |
418 |
CKV_AWS_108 |
resource |
AWS::IAM::Group |
Ensure IAM policies do not allow data exfiltration |
Cloudformation |
IAMDataExfiltration.py |
419 |
CKV_AWS_108 |
resource |
AWS::IAM::ManagedPolicy |
Ensure IAM policies do not allow data exfiltration |
Cloudformation |
IAMDataExfiltration.py |
420 |
CKV_AWS_108 |
resource |
AWS::IAM::Policy |
Ensure IAM policies do not allow data exfiltration |
Cloudformation |
IAMDataExfiltration.py |
421 |
CKV_AWS_108 |
resource |
AWS::IAM::Role |
Ensure IAM policies do not allow data exfiltration |
Cloudformation |
IAMDataExfiltration.py |
422 |
CKV_AWS_108 |
resource |
AWS::IAM::User |
Ensure IAM policies do not allow data exfiltration |
Cloudformation |
IAMDataExfiltration.py |
423 |
CKV_AWS_108 |
data |
aws_iam_policy_document |
Ensure IAM policies do not allow data exfiltration |
Terraform |
IAMDataExfiltration.py |
424 |
CKV_AWS_109 |
resource |
AWS::IAM::Group |
Ensure IAM policies do not allow permissions management without constraints |
Cloudformation |
IAMPermissionsManagement.py |
425 |
CKV_AWS_109 |
resource |
AWS::IAM::ManagedPolicy |
Ensure IAM policies do not allow permissions management without constraints |
Cloudformation |
IAMPermissionsManagement.py |
426 |
CKV_AWS_109 |
resource |
AWS::IAM::Policy |
Ensure IAM policies do not allow permissions management without constraints |
Cloudformation |
IAMPermissionsManagement.py |
427 |
CKV_AWS_109 |
resource |
AWS::IAM::Role |
Ensure IAM policies do not allow permissions management without constraints |
Cloudformation |
IAMPermissionsManagement.py |
428 |
CKV_AWS_109 |
resource |
AWS::IAM::User |
Ensure IAM policies do not allow permissions management without constraints |
Cloudformation |
IAMPermissionsManagement.py |
429 |
CKV_AWS_109 |
data |
aws_iam_policy_document |
Ensure IAM policies do not allow permissions management / resource exposure without constraints |
Terraform |
IAMPermissionsManagement.py |
430 |
CKV_AWS_110 |
resource |
AWS::IAM::Group |
Ensure IAM policies do not allow privilege escalation |
Cloudformation |
IAMPrivilegeEscalation.py |
431 |
CKV_AWS_110 |
resource |
AWS::IAM::ManagedPolicy |
Ensure IAM policies do not allow privilege escalation |
Cloudformation |
IAMPrivilegeEscalation.py |
432 |
CKV_AWS_110 |
resource |
AWS::IAM::Policy |
Ensure IAM policies do not allow privilege escalation |
Cloudformation |
IAMPrivilegeEscalation.py |
433 |
CKV_AWS_110 |
resource |
AWS::IAM::Role |
Ensure IAM policies do not allow privilege escalation |
Cloudformation |
IAMPrivilegeEscalation.py |
434 |
CKV_AWS_110 |
resource |
AWS::IAM::User |
Ensure IAM policies do not allow privilege escalation |
Cloudformation |
IAMPrivilegeEscalation.py |
435 |
CKV_AWS_110 |
data |
aws_iam_policy_document |
Ensure IAM policies do not allow privilege escalation |
Terraform |
IAMPrivilegeEscalation.py |
436 |
CKV_AWS_111 |
resource |
AWS::IAM::Group |
Ensure IAM policies do not allow write access without constraints |
Cloudformation |
IAMWriteAccess.py |
437 |
CKV_AWS_111 |
resource |
AWS::IAM::ManagedPolicy |
Ensure IAM policies do not allow write access without constraints |
Cloudformation |
IAMWriteAccess.py |
438 |
CKV_AWS_111 |
resource |
AWS::IAM::Policy |
Ensure IAM policies do not allow write access without constraints |
Cloudformation |
IAMWriteAccess.py |
439 |
CKV_AWS_111 |
resource |
AWS::IAM::Role |
Ensure IAM policies do not allow write access without constraints |
Cloudformation |
IAMWriteAccess.py |
440 |
CKV_AWS_111 |
resource |
AWS::IAM::User |
Ensure IAM policies do not allow write access without constraints |
Cloudformation |
IAMWriteAccess.py |
441 |
CKV_AWS_111 |
data |
aws_iam_policy_document |
Ensure IAM policies do not allow write access without constraints |
Terraform |
IAMWriteAccess.py |
442 |
CKV_AWS_112 |
resource |
aws_ssm_document |
Ensure Session Manager data is encrypted in transit |
Terraform |
SSMSessionManagerDocumentEncryption.py |
443 |
CKV_AWS_113 |
resource |
aws_ssm_document |
Ensure Session Manager logs are enabled and encrypted |
Terraform |
SSMSessionManagerDocumentLogging.py |
444 |
CKV_AWS_114 |
resource |
aws_emr_cluster |
Ensure that EMR clusters with Kerberos have Kerberos Realm set |
Terraform |
EMRClusterKerberosAttributes.py |
445 |
CKV_AWS_115 |
resource |
AWS::Lambda::Function |
Ensure that AWS Lambda function is configured for function-level concurrent execution limit |
Cloudformation |
LambdaFunctionLevelConcurrentExecutionLimit.py |
446 |
CKV_AWS_115 |
resource |
AWS::Serverless::Function |
Ensure that AWS Lambda function is configured for function-level concurrent execution limit |
Cloudformation |
LambdaFunctionLevelConcurrentExecutionLimit.py |
447 |
CKV_AWS_115 |
resource |
aws_lambda_function |
Ensure that AWS Lambda function is configured for function-level concurrent execution limit |
Terraform |
LambdaFunctionLevelConcurrentExecutionLimit.py |
448 |
CKV_AWS_116 |
resource |
AWS::Lambda::Function |
Ensure that AWS Lambda function is configured for a Dead Letter Queue (DLQ) |
Cloudformation |
LambdaDLQConfigured.py |
449 |
CKV_AWS_116 |
resource |
AWS::Serverless::Function |
Ensure that AWS Lambda function is configured for a Dead Letter Queue (DLQ) |
Cloudformation |
LambdaDLQConfigured.py |
450 |
CKV_AWS_116 |
resource |
aws_lambda_function |
Ensure that AWS Lambda function is configured for a Dead Letter Queue (DLQ) |
Terraform |
LambdaDLQConfigured.py |
451 |
CKV_AWS_117 |
resource |
AWS::Lambda::Function |
Ensure that AWS Lambda function is configured inside a VPC |
Cloudformation |
LambdaInVPC.py |
452 |
CKV_AWS_117 |
resource |
AWS::Serverless::Function |
Ensure that AWS Lambda function is configured inside a VPC |
Cloudformation |
LambdaInVPC.py |
453 |
CKV_AWS_117 |
resource |
aws_lambda_function |
Ensure that AWS Lambda function is configured inside a VPC |
Terraform |
LambdaInVPC.py |
454 |
CKV_AWS_118 |
resource |
AWS::RDS::DBInstance |
Ensure that enhanced monitoring is enabled for Amazon RDS instances |
Cloudformation |
RDSEnhancedMonitorEnabled.py |
455 |
CKV_AWS_118 |
resource |
aws_db_instance |
Ensure that enhanced monitoring is enabled for Amazon RDS instances |
Terraform |
RDSEnhancedMonitorEnabled.py |
456 |
CKV_AWS_118 |
resource |
aws_rds_cluster_instance |
Ensure that enhanced monitoring is enabled for Amazon RDS instances |
Terraform |
RDSEnhancedMonitorEnabled.py |
457 |
CKV_AWS_119 |
resource |
AWS::DynamoDB::Table |
Ensure DynamoDB Tables are encrypted using a KMS Customer Managed CMK |
Cloudformation |
DynamoDBTablesEncrypted.py |
458 |
CKV_AWS_119 |
resource |
aws_dynamodb_table |
Ensure DynamoDB Tables are encrypted using a KMS Customer Managed CMK |
Terraform |
DynamoDBTablesEncrypted.py |
459 |
CKV_AWS_120 |
resource |
AWS::ApiGateway::Stage |
Ensure API Gateway caching is enabled |
Cloudformation |
APIGatewayCacheEnable.py |
460 |
CKV_AWS_120 |
resource |
AWS::Serverless::Api |
Ensure API Gateway caching is enabled |
Cloudformation |
APIGatewayCacheEnable.py |
461 |
CKV_AWS_120 |
resource |
aws_api_gateway_stage |
Ensure API Gateway caching is enabled |
Terraform |
APIGatewayCacheEnable.py |
462 |
CKV_AWS_121 |
resource |
aws_config_configuration_aggregator |
Ensure AWS Config is enabled in all regions |
Terraform |
ConfigConfgurationAggregatorAllRegions.py |
463 |
CKV_AWS_122 |
resource |
aws_sagemaker_notebook_instance |
Ensure that direct internet access is disabled for an Amazon SageMaker Notebook Instance |
Terraform |
SageMakerInternetAccessDisabled.py |
464 |
CKV_AWS_123 |
resource |
AWS::EC2::VPCEndpointService |
Ensure that VPC Endpoint Service is configured for Manual Acceptance |
Cloudformation |
VPCEndpointAcceptanceConfigured.py |
465 |
CKV_AWS_123 |
resource |
aws_vpc_endpoint_service |
Ensure that VPC Endpoint Service is configured for Manual Acceptance |
Terraform |
VPCEndpointAcceptanceConfigured.py |
466 |
CKV_AWS_124 |
resource |
aws_cloudformation_stack |
Ensure that CloudFormation stacks are sending event notifications to an SNS topic |
Terraform |
CloudformationStackNotificationArns.py |
467 |
CKV_AWS_126 |
resource |
aws_instance |
Ensure that detailed monitoring is enabled for EC2 instances |
Terraform |
EC2DetailedMonitoringEnabled.py |
468 |
CKV_AWS_127 |
resource |
aws_elb |
Ensure that Elastic Load Balancer(s) use SSL certificates provided by AWS Certificate Manager |
Terraform |
ELBUsesSSL.py |
469 |
CKV_AWS_129 |
resource |
aws_db_instance |
Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled |
Terraform |
DBInstanceLogging.py |
470 |
CKV_AWS_130 |
resource |
aws_subnet |
Ensure VPC subnets do not assign public IP by default |
Terraform |
SubnetPublicIP.py |
471 |
CKV_AWS_131 |
resource |
AWS::ElasticLoadBalancingV2::LoadBalancer |
Ensure that ALB drops HTTP headers |
Cloudformation |
ALBDropHttpHeaders.py |
472 |
CKV_AWS_131 |
resource |
aws_alb |
Ensure that ALB drops HTTP headers |
Terraform |
ALBDropHttpHeaders.py |
473 |
CKV_AWS_131 |
resource |
aws_lb |
Ensure that ALB drops HTTP headers |
Terraform |
ALBDropHttpHeaders.py |
474 |
CKV_AWS_133 |
resource |
aws_db_instance |
Ensure that RDS instances have a backup policy |
Terraform |
DBInstanceBackupRetentionPeriod.py |
475 |
CKV_AWS_133 |
resource |
aws_rds_cluster |
Ensure that RDS instances have a backup policy |
Terraform |
DBInstanceBackupRetentionPeriod.py |
476 |
CKV_AWS_134 |
resource |
aws_elasticache_cluster |
Ensure that Amazon ElastiCache Redis clusters have automatic backup turned on |
Terraform |
ElasticCacheAutomaticBackup.py |
477 |
CKV_AWS_135 |
resource |
[?"amazon.aws.ec2_instance" != null][] |
Ensure that EC2 is EBS optimized |
Ansible |
EC2EBSOptimized.py |
478 |
CKV_AWS_135 |
resource |
[?"ec2_instance" != null][] |
Ensure that EC2 is EBS optimized |
Ansible |
EC2EBSOptimized.py |
479 |
CKV_AWS_135 |
resource |
[].block[?"amazon.aws.ec2_instance" != null][] |
Ensure that EC2 is EBS optimized |
Ansible |
EC2EBSOptimized.py |
480 |
CKV_AWS_135 |
resource |
[].block[?"ec2_instance" != null][] |
Ensure that EC2 is EBS optimized |
Ansible |
EC2EBSOptimized.py |
481 |
CKV_AWS_135 |
resource |
[].block[].block[?"amazon.aws.ec2_instance" != null][] |
Ensure that EC2 is EBS optimized |
Ansible |
EC2EBSOptimized.py |
482 |
CKV_AWS_135 |
resource |
[].block[].block[?"ec2_instance" != null][] |
Ensure that EC2 is EBS optimized |
Ansible |
EC2EBSOptimized.py |
483 |
CKV_AWS_135 |
resource |
[].block[].block[].block[?"amazon.aws.ec2_instance" != null][] |
Ensure that EC2 is EBS optimized |
Ansible |
EC2EBSOptimized.py |
484 |
CKV_AWS_135 |
resource |
[].block[].block[].block[?"ec2_instance" != null][] |
Ensure that EC2 is EBS optimized |
Ansible |
EC2EBSOptimized.py |
485 |
CKV_AWS_135 |
resource |
[].tasks[?"amazon.aws.ec2_instance" != null][] |
Ensure that EC2 is EBS optimized |
Ansible |
EC2EBSOptimized.py |
486 |
CKV_AWS_135 |
resource |
[].tasks[?"ec2_instance" != null][] |
Ensure that EC2 is EBS optimized |
Ansible |
EC2EBSOptimized.py |
487 |
CKV_AWS_135 |
resource |
[].tasks[].block[?"amazon.aws.ec2_instance" != null][] |
Ensure that EC2 is EBS optimized |
Ansible |
EC2EBSOptimized.py |
488 |
CKV_AWS_135 |
resource |
[].tasks[].block[?"ec2_instance" != null][] |
Ensure that EC2 is EBS optimized |
Ansible |
EC2EBSOptimized.py |
489 |
CKV_AWS_135 |
resource |
[].tasks[].block[].block[?"amazon.aws.ec2_instance" != null][] |
Ensure that EC2 is EBS optimized |
Ansible |
EC2EBSOptimized.py |
490 |
CKV_AWS_135 |
resource |
[].tasks[].block[].block[?"ec2_instance" != null][] |
Ensure that EC2 is EBS optimized |
Ansible |
EC2EBSOptimized.py |
491 |
CKV_AWS_135 |
resource |
[].tasks[].block[].block[].block[?"amazon.aws.ec2_instance" != null][] |
Ensure that EC2 is EBS optimized |
Ansible |
EC2EBSOptimized.py |
492 |
CKV_AWS_135 |
resource |
[].tasks[].block[].block[].block[?"ec2_instance" != null][] |
Ensure that EC2 is EBS optimized |
Ansible |
EC2EBSOptimized.py |
493 |
CKV_AWS_135 |
resource |
aws_instance |
Ensure that EC2 is EBS optimized |
Terraform |
EC2EBSOptimized.py |
494 |
CKV_AWS_136 |
resource |
AWS::ECR::Repository |
Ensure that ECR repositories are encrypted using KMS |
Cloudformation |
ECRRepositoryEncrypted.py |
495 |
CKV_AWS_136 |
resource |
aws_ecr_repository |
Ensure that ECR repositories are encrypted using KMS |
Terraform |
ECRRepositoryEncrypted.py |
496 |
CKV_AWS_137 |
resource |
aws_elasticsearch_domain |
Ensure that Elasticsearch is configured inside a VPC |
Terraform |
ElasticsearchInVPC.py |
497 |
CKV_AWS_137 |
resource |
aws_opensearch_domain |
Ensure that Elasticsearch is configured inside a VPC |
Terraform |
ElasticsearchInVPC.py |
498 |
CKV_AWS_138 |
resource |
aws_elb |
Ensure that ELB has cross-zone load balancing enabled |
Terraform |
ELBCrossZoneEnable.py |
499 |
CKV_AWS_139 |
resource |
aws_rds_cluster |
Ensure that RDS clusters have deletion protection enabled |
Terraform |
RDSDeletionProtection.py |
500 |
CKV_AWS_140 |
resource |
aws_rds_global_cluster |
Ensure that RDS global clusters are encrypted |
Terraform |
RDSClusterEncrypted.py |
501 |
CKV_AWS_141 |
resource |
aws_redshift_cluster |
Ensure that Redshift cluster allows version upgrade by default |
Terraform |
RedshiftClusterAllowVersionUpgrade.py |
502 |
CKV_AWS_142 |
resource |
aws_redshift_cluster |
Ensure that Redshift cluster is encrypted by KMS |
Terraform |
RedshiftClusterKMSKey.py |
503 |
CKV_AWS_143 |
resource |
aws_s3_bucket |
Ensure that S3 bucket has lock configuration enabled by default |
Terraform |
S3BucketObjectLock.py |
504 |
CKV_AWS_144 |
resource |
aws_s3_bucket |
Ensure that S3 bucket has cross-region replication enabled |
Terraform |
S3BucketReplicationConfiguration.yaml |
505 |
CKV_AWS_144 |
resource |
aws_s3_bucket_replication_configuration |
Ensure that S3 bucket has cross-region replication enabled |
Terraform |
S3BucketReplicationConfiguration.yaml |
506 |
CKV_AWS_145 |
resource |
aws_s3_bucket |
Ensure that S3 buckets are encrypted with KMS by default |
Terraform |
S3KMSEncryptedByDefault.yaml |
507 |
CKV_AWS_145 |
resource |
aws_s3_bucket_server_side_encryption_configuration |
Ensure that S3 buckets are encrypted with KMS by default |
Terraform |
S3KMSEncryptedByDefault.yaml |
508 |
CKV_AWS_146 |
resource |
aws_db_cluster_snapshot |
Ensure that RDS database cluster snapshot is encrypted |
Terraform |
RDSClusterSnapshotEncrypted.py |
509 |
CKV_AWS_147 |
resource |
aws_codebuild_project |
Ensure that CodeBuild projects are encrypted using CMK |
Terraform |
CodebuildUsesCMK.py |
510 |
CKV_AWS_148 |
resource |
aws_default_vpc |
Ensure no default VPC is planned to be provisioned |
Terraform |
VPCDefaultNetwork.py |
511 |
CKV_AWS_149 |
resource |
AWS::SecretsManager::Secret |
Ensure that Secrets Manager secret is encrypted using KMS CMK |
Cloudformation |
SecretManagerSecretEncrypted.py |
512 |
CKV_AWS_149 |
resource |
aws_secretsmanager_secret |
Ensure that Secrets Manager secret is encrypted using KMS CMK |
Terraform |
SecretManagerSecretEncrypted.py |
513 |
CKV_AWS_150 |
resource |
aws_alb |
Ensure that Load Balancer has deletion protection enabled |
Terraform |
LBDeletionProtection.py |
514 |
CKV_AWS_150 |
resource |
aws_lb |
Ensure that Load Balancer has deletion protection enabled |
Terraform |
LBDeletionProtection.py |
515 |
CKV_AWS_152 |
resource |
aws_alb |
Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled |
Terraform |
LBCrossZone.py |
516 |
CKV_AWS_152 |
resource |
aws_lb |
Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled |
Terraform |
LBCrossZone.py |
517 |
CKV_AWS_153 |
resource |
aws_autoscaling_group |
Autoscaling groups should supply tags to launch configurations |
Terraform |
AutoScalingTagging.py |
518 |
CKV_AWS_154 |
resource |
AWS::Redshift::Cluster |
Ensure Redshift is not deployed outside of a VPC |
Cloudformation |
RedshiftInEc2ClassicMode.py |
519 |
CKV_AWS_154 |
resource |
aws_redshift_cluster |
Ensure Redshift is not deployed outside of a VPC |
Terraform |
RedshiftInEc2ClassicMode.py |
520 |
CKV_AWS_155 |
resource |
AWS::WorkSpaces::Workspace |
Ensure that Workspace user volumes are encrypted |
Cloudformation |
WorkspaceUserVolumeEncrypted.py |
521 |
CKV_AWS_155 |
resource |
aws_workspaces_workspace |
Ensure that Workspace user volumes are encrypted |
Terraform |
WorkspaceUserVolumeEncrypted.py |
522 |
CKV_AWS_156 |
resource |
AWS::WorkSpaces::Workspace |
Ensure that Workspace root volumes are encrypted |
Cloudformation |
WorkspaceRootVolumeEncrypted.py |
523 |
CKV_AWS_156 |
resource |
aws_workspaces_workspace |
Ensure that Workspace root volumes are encrypted |
Terraform |
WorkspaceRootVolumeEncrypted.py |
524 |
CKV_AWS_157 |
resource |
AWS::RDS::DBInstance |
Ensure that RDS instances have Multi-AZ enabled |
Cloudformation |
RDSMultiAZEnabled.py |
525 |
CKV_AWS_157 |
resource |
aws_db_instance |
Ensure that RDS instances have Multi-AZ enabled |
Terraform |
RDSMultiAZEnabled.py |
526 |
CKV_AWS_158 |
resource |
AWS::Logs::LogGroup |
Ensure that CloudWatch Log Group is encrypted by KMS |
Cloudformation |
CloudWatchLogGroupKMSKey.py |
527 |
CKV_AWS_158 |
resource |
aws_cloudwatch_log_group |
Ensure that CloudWatch Log Group is encrypted by KMS |
Terraform |
CloudWatchLogGroupKMSKey.py |
528 |
CKV_AWS_159 |
resource |
aws_athena_workgroup |
Ensure that Athena Workgroup is encrypted |
Terraform |
AthenaWorkgroupEncryption.py |
529 |
CKV_AWS_160 |
resource |
AWS::Timestream::Database |
Ensure that Timestream database is encrypted with KMS CMK |
Cloudformation |
TimestreamDatabaseKMSKey.py |
530 |
CKV_AWS_160 |
resource |
aws_timestreamwrite_database |
Ensure that Timestream database is encrypted with KMS CMK |
Terraform |
TimestreamDatabaseKMSKey.py |
531 |
CKV_AWS_161 |
resource |
AWS::RDS::DBInstance |
Ensure RDS database has IAM authentication enabled |
Cloudformation |
RDSIAMAuthentication.py |
532 |
CKV_AWS_161 |
resource |
aws_db_instance |
Ensure RDS database has IAM authentication enabled |
Terraform |
RDSIAMAuthentication.py |
533 |
CKV_AWS_162 |
resource |
AWS::RDS::DBCluster |
Ensure RDS cluster has IAM authentication enabled |
Cloudformation |
RDSClusterIAMAuthentication.py |
534 |
CKV_AWS_162 |
resource |
aws_rds_cluster |
Ensure RDS cluster has IAM authentication enabled |
Terraform |
RDSClusterIAMAuthentication.py |
535 |
CKV_AWS_163 |
resource |
AWS::ECR::Repository |
Ensure ECR image scanning on push is enabled |
Cloudformation |
ECRImageScanning.py |
536 |
CKV_AWS_163 |
resource |
aws_ecr_repository |
Ensure ECR image scanning on push is enabled |
Terraform |
ECRImageScanning.py |
537 |
CKV_AWS_164 |
resource |
AWS::Transfer::Server |
Ensure Transfer Server is not exposed publicly. |
Cloudformation |
TransferServerIsPublic.py |
538 |
CKV_AWS_164 |
resource |
aws_transfer_server |
Ensure Transfer Server is not exposed publicly. |
Terraform |
TransferServerIsPublic.py |
539 |
CKV_AWS_165 |
resource |
AWS::DynamoDB::GlobalTable |
Ensure DynamoDB global table point in time recovery (backup) is enabled |
Cloudformation |
DynamodbGlobalTableRecovery.py |
540 |
CKV_AWS_165 |
resource |
aws_dynamodb_global_table |
Ensure DynamoDB point in time recovery (backup) is enabled for global tables |
Terraform |
DynamoDBGlobalTableRecovery.py |
541 |
CKV_AWS_166 |
resource |
AWS::Backup::BackupVault |
Ensure Backup Vault is encrypted at rest using KMS CMK |
Cloudformation |
BackupVaultEncrypted.py |
542 |
CKV_AWS_166 |
resource |
aws_backup_vault |
Ensure Backup Vault is encrypted at rest using KMS CMK |
Terraform |
BackupVaultEncrypted.py |
543 |
CKV_AWS_167 |
resource |
aws_glacier_vault |
Ensure Glacier Vault access policy is not public by only allowing specific services or principals to access it |
Terraform |
GlacierVaultAnyPrincipal.py |
544 |
CKV_AWS_168 |
resource |
aws_sqs_queue |
Ensure SQS queue policy is not public by only allowing specific services or principals to access it |
Terraform |
SQSQueuePolicyAnyPrincipal.py |
545 |
CKV_AWS_168 |
resource |
aws_sqs_queue_policy |
Ensure SQS queue policy is not public by only allowing specific services or principals to access it |
Terraform |
SQSQueuePolicyAnyPrincipal.py |
546 |
CKV_AWS_169 |
resource |
aws_sns_topic_policy |
Ensure SNS topic policy is not public by only allowing specific services or principals to access it |
Terraform |
SNSTopicPolicyAnyPrincipal.py |
547 |
CKV_AWS_170 |
resource |
AWS::QLDB::Ledger |
Ensure QLDB ledger permissions mode is set to STANDARD |
Cloudformation |
QLDBLedgerPermissionsMode.py |
548 |
CKV_AWS_170 |
resource |
aws_qldb_ledger |
Ensure QLDB ledger permissions mode is set to STANDARD |
Terraform |
QLDBLedgerPermissionsMode.py |
549 |
CKV_AWS_171 |
resource |
aws_emr_security_configuration |
Ensure EMR Cluster security configuration encryption is using SSE-KMS |
Terraform |
EMRClusterIsEncryptedKMS.py |
550 |
CKV_AWS_172 |
resource |
AWS::QLDB::Ledger |
Ensure QLDB ledger has deletion protection enabled |
Cloudformation |
QLDBLedgerDeletionProtection.py |
551 |
CKV_AWS_172 |
resource |
aws_qldb_ledger |
Ensure QLDB ledger has deletion protection enabled |
Terraform |
QLDBLedgerDeletionProtection.py |
552 |
CKV_AWS_173 |
resource |
AWS::Lambda::Function |
Check encryption settings for Lambda environment variable |
Cloudformation |
LambdaEnvironmentEncryptionSettings.py |
553 |
CKV_AWS_173 |
resource |
AWS::Serverless::Function |
Check encryption settings for Lambda environment variable |
Cloudformation |
LambdaEnvironmentEncryptionSettings.py |
554 |
CKV_AWS_173 |
resource |
aws_lambda_function |
Check encryption settings for Lambda environment variable |
Terraform |
LambdaEnvironmentEncryptionSettings.py |
555 |
CKV_AWS_174 |
resource |
AWS::CloudFront::Distribution |
Verify CloudFront Distribution Viewer Certificate is using TLS v1.2 |
Cloudformation |
CloudFrontTLS12.py |
556 |
CKV_AWS_174 |
resource |
aws_cloudfront_distribution |
Verify CloudFront Distribution Viewer Certificate is using TLS v1.2 |
Terraform |
CloudfrontTLS12.py |
557 |
CKV_AWS_175 |
resource |
aws_waf_web_acl |
Ensure WAF has associated rules |
Terraform |
WAFHasAnyRules.py |
558 |
CKV_AWS_175 |
resource |
aws_wafregional_web_acl |
Ensure WAF has associated rules |
Terraform |
WAFHasAnyRules.py |
559 |
CKV_AWS_175 |
resource |
aws_wafv2_web_acl |
Ensure WAF has associated rules |
Terraform |
WAFHasAnyRules.py |
560 |
CKV_AWS_176 |
resource |
aws_waf_web_acl |
Ensure Logging is enabled for WAF Web Access Control Lists |
Terraform |
WAFHasLogs.py |
561 |
CKV_AWS_176 |
resource |
aws_wafregional_web_acl |
Ensure Logging is enabled for WAF Web Access Control Lists |
Terraform |
WAFHasLogs.py |
562 |
CKV_AWS_177 |
resource |
aws_kinesis_video_stream |
Ensure Kinesis Video Stream is encrypted by KMS using a customer managed Key (CMK) |
Terraform |
KinesisVideoEncryptedWithCMK.py |
563 |
CKV_AWS_178 |
resource |
aws_fsx_ontap_file_system |
Ensure FSx ONTAP file system is encrypted by KMS using a customer managed Key (CMK) |
Terraform |
FSXOntapFSEncryptedWithCMK.py |
564 |
CKV_AWS_179 |
resource |
aws_fsx_windows_file_system |
Ensure FSX Windows filesystem is encrypted by KMS using a customer managed Key (CMK) |
Terraform |
FSXWindowsFSEncryptedWithCMK.py |
565 |
CKV_AWS_180 |
resource |
aws_imagebuilder_component |
Ensure Image Builder component is encrypted by KMS using a customer managed Key (CMK) |
Terraform |
ImagebuilderComponentEncryptedWithCMK.py |
566 |
CKV_AWS_181 |
resource |
aws_s3_object_copy |
Ensure S3 Object Copy is encrypted by KMS using a customer managed Key (CMK) |
Terraform |
S3ObjectCopyEncryptedWithCMK.py |
567 |
CKV_AWS_182 |
resource |
aws_docdb_cluster |
Ensure DocumentDB is encrypted by KMS using a customer managed Key (CMK) |
Terraform |
DocDBEncryptedWithCMK.py |
568 |
CKV_AWS_183 |
resource |
aws_ebs_snapshot_copy |
Ensure EBS Snapshot Copy is encrypted by KMS using a customer managed Key (CMK) |
Terraform |
EBSSnapshotCopyEncryptedWithCMK.py |
569 |
CKV_AWS_184 |
resource |
aws_efs_file_system |
Ensure resource is encrypted by KMS using a customer managed Key (CMK) |
Terraform |
EFSFileSystemEncryptedWithCMK.py |
570 |
CKV_AWS_185 |
resource |
aws_kinesis_stream |
Ensure Kinesis Stream is encrypted by KMS using a customer managed Key (CMK) |
Terraform |
KinesisStreamEncryptedWithCMK.py |
571 |
CKV_AWS_186 |
resource |
aws_s3_bucket_object |
Ensure S3 bucket Object is encrypted by KMS using a customer managed Key (CMK) |
Terraform |
S3BucketObjectEncryptedWithCMK.py |
572 |
CKV_AWS_187 |
resource |
AWS::SageMaker::Domain |
Ensure Sagemaker domain and notebook instance are encrypted by KMS using a customer managed Key (CMK) |
Cloudformation |
SagemakerNotebookEncryptedWithCMK.py |
573 |
CKV_AWS_187 |
resource |
AWS::SageMaker::NotebookInstance |
Ensure Sagemaker domain and notebook instance are encrypted by KMS using a customer managed Key (CMK) |
Cloudformation |
SagemakerNotebookEncryptedWithCMK.py |
574 |
CKV_AWS_187 |
resource |
aws_sagemaker_domain |
Ensure Sagemaker domain and notebook instance are encrypted by KMS using a customer managed Key (CMK) |
Terraform |
SagemakerDomainEncryptedWithCMK.py |
575 |
CKV_AWS_187 |
resource |
aws_sagemaker_notebook_instance |
Ensure Sagemaker domain and notebook instance are encrypted by KMS using a customer managed Key (CMK) |
Terraform |
SagemakerDomainEncryptedWithCMK.py |
576 |
CKV_AWS_189 |
resource |
aws_ebs_volume |
Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK) |
Terraform |
EBSVolumeEncryptedWithCMK.py |
577 |
CKV_AWS_190 |
resource |
aws_fsx_lustre_file_system |
Ensure Lustre file system is encrypted by KMS using a customer managed Key (CMK) |
Terraform |
LustreFSEncryptedWithCMK.py |
578 |
CKV_AWS_191 |
resource |
aws_elasticache_replication_group |
Ensure ElastiCache replication group is encrypted by KMS using a customer managed Key (CMK) |
Terraform |
ElasticacheReplicationGroupEncryptedWithCMK.py |
579 |
CKV_AWS_192 |
resource |
AWS::WAFv2::WebACL |
Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell |
Cloudformation |
WAFACLCVE202144228.py |
580 |
CKV_AWS_192 |
resource |
aws_wafv2_web_acl |
Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell |
Terraform |
WAFACLCVE202144228.py |
581 |
CKV_AWS_193 |
resource |
AWS::AppSync::GraphQLApi |
Ensure AppSync has Logging enabled |
Cloudformation |
AppSyncLogging.py |
582 |
CKV_AWS_193 |
resource |
aws_appsync_graphql_api |
Ensure AppSync has Logging enabled |
Terraform |
AppSyncLogging.py |
583 |
CKV_AWS_194 |
resource |
AWS::AppSync::GraphQLApi |
Ensure AppSync has Field-Level logs enabled |
Cloudformation |
AppSyncFieldLevelLogs.py |
584 |
CKV_AWS_194 |
resource |
aws_appsync_graphql_api |
Ensure AppSync has Field-Level logs enabled |
Terraform |
AppSyncFieldLevelLogs.py |
585 |
CKV_AWS_195 |
resource |
AWS::Glue::Crawler |
Ensure Glue component has a security configuration associated |
Cloudformation |
GlueSecurityConfigurationEnabled.py |
586 |
CKV_AWS_195 |
resource |
AWS::Glue::DevEndpoint |
Ensure Glue component has a security configuration associated |
Cloudformation |
GlueSecurityConfigurationEnabled.py |
587 |
CKV_AWS_195 |
resource |
AWS::Glue::Job |
Ensure Glue component has a security configuration associated |
Cloudformation |
GlueSecurityConfigurationEnabled.py |
588 |
CKV_AWS_195 |
resource |
aws_glue_crawler |
Ensure Glue component has a security configuration associated |
Terraform |
GlueSecurityConfigurationEnabled.py |
589 |
CKV_AWS_195 |
resource |
aws_glue_dev_endpoint |
Ensure Glue component has a security configuration associated |
Terraform |
GlueSecurityConfigurationEnabled.py |
590 |
CKV_AWS_195 |
resource |
aws_glue_job |
Ensure Glue component has a security configuration associated |
Terraform |
GlueSecurityConfigurationEnabled.py |
591 |
CKV_AWS_196 |
resource |
aws_elasticache_security_group |
Ensure no aws_elasticache_security_group resources exist |
Terraform |
ElasticacheHasSecurityGroup.py |
592 |
CKV_AWS_197 |
resource |
AWS::AmazonMQ::Broker |
Ensure MQ Broker Audit logging is enabled |
Cloudformation |
MQBrokerAuditLogging.py |
593 |
CKV_AWS_197 |
resource |
aws_mq_broker |
Ensure MQ Broker Audit logging is enabled |
Terraform |
MQBrokerAuditLogging.py |
594 |
CKV_AWS_198 |
resource |
aws_db_security_group |
Ensure no aws_db_security_group resources exist |
Terraform |
RDSHasSecurityGroup.py |
595 |
CKV_AWS_199 |
resource |
aws_imagebuilder_distribution_configuration |
Ensure Image Builder Distribution Configuration encrypts AMI’s using KMS - a customer managed Key (CMK) |
Terraform |
ImagebuilderDistributionConfigurationEncryptedWithCMK.py |
596 |
CKV_AWS_200 |
resource |
aws_imagebuilder_image_recipe |
Ensure that Image Recipe EBS Disk are encrypted with CMK |
Terraform |
ImagebuilderImageRecipeEBSEncrypted.py |
597 |
CKV_AWS_201 |
resource |
aws_memorydb_cluster |
Ensure MemoryDB is encrypted at rest using KMS CMKs |
Terraform |
MemoryDBEncryptionWithCMK.py |
598 |
CKV_AWS_202 |
resource |
aws_memorydb_cluster |
Ensure MemoryDB data is encrypted in transit |
Terraform |
MemoryDBClusterIntransitEncryption.py |
599 |
CKV_AWS_203 |
resource |
aws_fsx_openzfs_file_system |
Ensure resource is encrypted by KMS using a customer managed Key (CMK) |
Terraform |
FSXOpenZFSFileSystemEncryptedWithCMK.py |
600 |
CKV_AWS_204 |
resource |
aws_ami |
Ensure AMIs are encrypted using KMS CMKs |
Terraform |
AMIEncryption.py |
601 |
CKV_AWS_205 |
resource |
aws_ami_launch_permission |
Ensure to Limit AMI launch Permissions |
Terraform |
AMILaunchIsShared.py |
602 |
CKV_AWS_206 |
resource |
aws_api_gateway_domain_name |
Ensure API Gateway Domain uses a modern security Policy |
Terraform |
APIGatewayDomainNameTLS.py |
603 |
CKV_AWS_207 |
resource |
aws_mq_broker |
Ensure MQ Broker minor version updates are enabled |
Terraform |
MQBrokerMinorAutoUpgrade.py |
604 |
CKV_AWS_208 |
resource |
aws_mq_broker |
Ensure MQ Broker version is current |
Terraform |
MQBrokerVersion.py |
605 |
CKV_AWS_208 |
resource |
aws_mq_configuration |
Ensure MQ Broker version is current |
Terraform |
MQBrokerVersion.py |
606 |
CKV_AWS_209 |
resource |
aws_mq_broker |
Ensure MQ broker encrypted by KMS using a customer managed Key (CMK) |
Terraform |
MQBrokerEncryptedWithCMK.py |
607 |
CKV_AWS_210 |
resource |
aws_batch_job_definition |
Batch job does not define a privileged container |
Terraform |
BatchJobIsNotPrivileged.py |
608 |
CKV_AWS_211 |
resource |
aws_db_instance |
Ensure RDS uses a modern CaCert |
Terraform |
RDSCACertIsRecent.py |
609 |
CKV_AWS_212 |
resource |
aws_dms_replication_instance |
Ensure DMS replication instance is encrypted by KMS using a customer managed Key (CMK) |
Terraform |
DMSReplicationInstanceEncryptedWithCMK.py |
610 |
CKV_AWS_213 |
resource |
aws_load_balancer_policy |
Ensure ELB Policy uses only secure protocols |
Terraform |
ELBPolicyUsesSecureProtocols.py |
611 |
CKV_AWS_214 |
resource |
aws_appsync_api_cache |
Ensure AppSync API Cache is encrypted at rest |
Terraform |
AppsyncAPICacheEncryptionAtRest.py |
612 |
CKV_AWS_215 |
resource |
aws_appsync_api_cache |
Ensure AppSync API Cache is encrypted in transit |
Terraform |
AppsyncAPICacheEncryptionInTransit.py |
613 |
CKV_AWS_216 |
resource |
aws_cloudfront_distribution |
Ensure CloudFront distribution is enabled |
Terraform |
CloudfrontDistributionEnabled.py |
614 |
CKV_AWS_217 |
resource |
aws_api_gateway_deployment |
Ensure Create before destroy for API deployments |
Terraform |
APIGatewayDeploymentCreateBeforeDestroy.py |
615 |
CKV_AWS_218 |
resource |
aws_cloudsearch_domain |
Ensure that CloudSearch is using latest TLS |
Terraform |
CloudsearchDomainTLS.py |
616 |
CKV_AWS_219 |
resource |
aws_codepipeline |
Ensure CodePipeline Artifact store is using a KMS CMK |
Terraform |
CodePipelineArtifactsEncrypted.py |
617 |
CKV_AWS_220 |
resource |
aws_cloudsearch_domain |
Ensure that CloudSearch is using https |
Terraform |
CloudsearchDomainEnforceHttps.py |
618 |
CKV_AWS_221 |
resource |
aws_codeartifact_domain |
Ensure CodeArtifact Domain is encrypted by KMS using a customer managed Key (CMK) |
Terraform |
CodeArtifactDomainEncryptedWithCMK.py |
619 |
CKV_AWS_222 |
resource |
aws_dms_replication_instance |
Ensure DMS replication instance gets all minor upgrade automatically |
Terraform |
DMSReplicationInstanceMinorUpgrade.py |
620 |
CKV_AWS_223 |
resource |
aws_ecs_cluster |
Ensure ECS Cluster enables logging of ECS Exec |
Terraform |
ECSClusterLoggingEnabled.py |
621 |
CKV_AWS_224 |
resource |
aws_ecs_cluster |
Ensure ECS Cluster logging is enabled and client to container communication uses CMK |
Terraform |
ECSClusterLoggingEncryptedWithCMK.py |
622 |
CKV_AWS_225 |
resource |
aws_api_gateway_method_settings |
Ensure API Gateway method setting caching is enabled |
Terraform |
APIGatewayMethodSettingsCacheEnabled.py |
623 |
CKV_AWS_226 |
resource |
aws_db_instance |
Ensure DB instance gets all minor upgrades automatically |
Terraform |
DBInstanceMinorUpgrade.py |
624 |
CKV_AWS_226 |
resource |
aws_rds_cluster_instance |
Ensure DB instance gets all minor upgrades automatically |
Terraform |
DBInstanceMinorUpgrade.py |
625 |
CKV_AWS_227 |
resource |
aws_kms_key |
Ensure KMS key is enabled |
Terraform |
KMSKeyIsEnabled.py |
626 |
CKV_AWS_228 |
resource |
aws_elasticsearch_domain |
Verify Elasticsearch domain is using an up to date TLS policy |
Terraform |
ElasticsearchTLSPolicy.py |
627 |
CKV_AWS_228 |
resource |
aws_opensearch_domain |
Verify Elasticsearch domain is using an up to date TLS policy |
Terraform |
ElasticsearchTLSPolicy.py |
628 |
CKV_AWS_229 |
resource |
aws_network_acl |
Ensure no NACL allow ingress from 0.0.0.0:0 to port 21 |
Terraform |
NetworkACLUnrestrictedIngress21.py |
629 |
CKV_AWS_229 |
resource |
aws_network_acl_rule |
Ensure no NACL allow ingress from 0.0.0.0:0 to port 21 |
Terraform |
NetworkACLUnrestrictedIngress21.py |
630 |
CKV_AWS_230 |
resource |
aws_network_acl |
Ensure no NACL allow ingress from 0.0.0.0:0 to port 20 |
Terraform |
NetworkACLUnrestrictedIngress20.py |
631 |
CKV_AWS_230 |
resource |
aws_network_acl_rule |
Ensure no NACL allow ingress from 0.0.0.0:0 to port 20 |
Terraform |
NetworkACLUnrestrictedIngress20.py |
632 |
CKV_AWS_231 |
resource |
aws_network_acl |
Ensure no NACL allow ingress from 0.0.0.0:0 to port 3389 |
Terraform |
NetworkACLUnrestrictedIngress3389.py |
633 |
CKV_AWS_231 |
resource |
aws_network_acl_rule |
Ensure no NACL allow ingress from 0.0.0.0:0 to port 3389 |
Terraform |
NetworkACLUnrestrictedIngress3389.py |
634 |
CKV_AWS_232 |
resource |
aws_network_acl |
Ensure no NACL allow ingress from 0.0.0.0:0 to port 22 |
Terraform |
NetworkACLUnrestrictedIngress22.py |
635 |
CKV_AWS_232 |
resource |
aws_network_acl_rule |
Ensure no NACL allow ingress from 0.0.0.0:0 to port 22 |
Terraform |
NetworkACLUnrestrictedIngress22.py |
636 |
CKV_AWS_233 |
resource |
aws_acm_certificate |
Ensure Create before destroy for ACM certificates |
Terraform |
ACMCertCreateBeforeDestroy.py |
637 |
CKV_AWS_234 |
resource |
aws_acm_certificate |
Verify logging preference for ACM certificates |
Terraform |
ACMCertSetLoggingPreference.py |
638 |
CKV_AWS_235 |
resource |
aws_ami_copy |
Ensure that copied AMIs are encrypted |
Terraform |
AMICopyIsEncrypted.py |
639 |
CKV_AWS_236 |
resource |
aws_ami_copy |
Ensure AMI copying uses a CMK |
Terraform |
AMICopyUsesCMK.py |
640 |
CKV_AWS_237 |
resource |
aws_api_gateway_rest_api |
Ensure Create before destroy for API Gateway |
Terraform |
APIGatewayCreateBeforeDestroy.py |
641 |
CKV_AWS_238 |
resource |
aws_guardduty_detector |
Ensure that GuardDuty detector is enabled |
Terraform |
GuarddutyDetectorEnabled.py |
642 |
CKV_AWS_239 |
resource |
aws_dax_cluster |
Ensure DAX cluster endpoint is using TLS |
Terraform |
DAXEndpointTLS.py |
643 |
CKV_AWS_240 |
resource |
aws_kinesis_firehose_delivery_stream |
Ensure Kinesis Firehose delivery stream is encrypted |
Terraform |
KinesisFirehoseDeliveryStreamSSE.py |
644 |
CKV_AWS_241 |
resource |
aws_kinesis_firehose_delivery_stream |
Ensure that Kinesis Firehose Delivery Streams are encrypted with CMK |
Terraform |
KinesisFirehoseDeliveryStreamUsesCMK.py |
645 |
CKV_AWS_242 |
resource |
aws_mwaa_environment |
Ensure MWAA environment has scheduler logs enabled |
Terraform |
MWAASchedulerLogsEnabled.py |
646 |
CKV_AWS_243 |
resource |
aws_mwaa_environment |
Ensure MWAA environment has worker logs enabled |
Terraform |
MWAAWorkerLogsEnabled.py |
647 |
CKV_AWS_244 |
resource |
aws_mwaa_environment |
Ensure MWAA environment has webserver logs enabled |
Terraform |
MWAAWebserverLogsEnabled.py |
648 |
CKV_AWS_245 |
resource |
aws_db_instance_automated_backups_replication |
Ensure replicated backups are encrypted at rest using KMS CMKs |
Terraform |
RDSInstanceAutoBackupEncryptionWithCMK.py |
649 |
CKV_AWS_246 |
resource |
aws_rds_cluster_activity_stream |
Ensure RDS Cluster activity streams are encrypted using KMS CMKs |
Terraform |
RDSClusterActivityStreamEncryptedWithCMK.py |
650 |
CKV_AWS_247 |
resource |
aws_elasticsearch_domain |
Ensure all data stored in the Elasticsearch is encrypted with a CMK |
Terraform |
ElasticsearchEncryptionWithCMK.py |
651 |
CKV_AWS_247 |
resource |
aws_opensearch_domain |
Ensure all data stored in the Elasticsearch is encrypted with a CMK |
Terraform |
ElasticsearchEncryptionWithCMK.py |
652 |
CKV_AWS_248 |
resource |
aws_elasticsearch_domain |
Ensure that Elasticsearch is not using the default Security Group |
Terraform |
ElasticsearchDefaultSG.py |
653 |
CKV_AWS_248 |
resource |
aws_opensearch_domain |
Ensure that Elasticsearch is not using the default Security Group |
Terraform |
ElasticsearchDefaultSG.py |
654 |
CKV_AWS_249 |
resource |
aws_ecs_task_definition |
Ensure that the Execution Role ARN and the Task Role ARN are different in ECS Task definitions |
Terraform |
ECSTaskDefinitionRoleCheck.py |
655 |
CKV_AWS_250 |
resource |
aws_db_instance |
Ensure that RDS PostgreSQL instances use a non vulnerable version with the log_fdw extension (https://aws.amazon.com/security/security-bulletins/AWS-2022-004/) |
Terraform |
RDSPostgreSQLLogFDWExtension.py |
656 |
CKV_AWS_250 |
resource |
aws_rds_cluster |
Ensure that RDS PostgreSQL instances use a non vulnerable version with the log_fdw extension (https://aws.amazon.com/security/security-bulletins/AWS-2022-004/) |
Terraform |
RDSPostgreSQLLogFDWExtension.py |
657 |
CKV_AWS_251 |
resource |
aws_cloudtrail |
Ensure CloudTrail logging is enabled |
Terraform |
CloudtrailEnableLogging.py |
658 |
CKV_AWS_252 |
resource |
aws_cloudtrail |
Ensure CloudTrail defines an SNS Topic |
Terraform |
CloudtrailDefinesSNSTopic.py |
659 |
CKV_AWS_253 |
resource |
aws_dlm_lifecycle_policy |
Ensure DLM cross region events are encrypted |
Terraform |
DLMEventsCrossRegionEncryption.py |
660 |
CKV_AWS_254 |
resource |
aws_dlm_lifecycle_policy |
Ensure DLM cross region events are encrypted with Customer Managed Key |
Terraform |
DLMEventsCrossRegionEncryptionWithCMK.py |
661 |
CKV_AWS_255 |
resource |
aws_dlm_lifecycle_policy |
Ensure DLM cross region schedules are encrypted |
Terraform |
DLMScheduleCrossRegionEncryption.py |
662 |
CKV_AWS_256 |
resource |
aws_dlm_lifecycle_policy |
Ensure DLM cross region schedules are encrypted using a Customer Managed Key |
Terraform |
DLMScheduleCrossRegionEncryptionWithCMK.py |
663 |
CKV_AWS_257 |
resource |
aws_codecommit_approval_rule_template |
Ensure CodeCommit branch changes have at least 2 approvals |
Terraform |
CodecommitApprovalsRulesRequireMin2.py |
664 |
CKV_AWS_258 |
resource |
AWS::Lambda::Url |
Ensure that Lambda function URLs AuthType is not None |
Cloudformation |
LambdaFunctionURLAuth.py |
665 |
CKV_AWS_258 |
resource |
aws_lambda_function_url |
Ensure that Lambda function URLs AuthType is not None |
Terraform |
LambdaFunctionURLAuth.py |
666 |
CKV_AWS_259 |
resource |
aws_cloudfront_response_headers_policy |
Ensure CloudFront response header policy enforces Strict Transport Security |
Terraform |
CloudFrontResponseHeaderStrictTransportSecurity.py |
667 |
CKV_AWS_260 |
resource |
AWS::EC2::SecurityGroup |
Ensure no security groups allow ingress from 0.0.0.0:0 to port 80 |
Cloudformation |
SecurityGroupUnrestrictedIngress80.py |
668 |
CKV_AWS_260 |
resource |
AWS::EC2::SecurityGroupIngress |
Ensure no security groups allow ingress from 0.0.0.0:0 to port 80 |
Cloudformation |
SecurityGroupUnrestrictedIngress80.py |
669 |
CKV_AWS_260 |
resource |
aws_security_group |
Ensure no security groups allow ingress from 0.0.0.0:0 to port 80 |
Terraform |
SecurityGroupUnrestrictedIngress80.py |
670 |
CKV_AWS_260 |
resource |
aws_security_group_rule |
Ensure no security groups allow ingress from 0.0.0.0:0 to port 80 |
Terraform |
SecurityGroupUnrestrictedIngress80.py |
671 |
CKV_AWS_260 |
resource |
aws_vpc_security_group_ingress_rule |
Ensure no security groups allow ingress from 0.0.0.0:0 to port 80 |
Terraform |
SecurityGroupUnrestrictedIngress80.py |
672 |
CKV_AWS_261 |
resource |
aws_alb_target_group |
Ensure HTTP HTTPS Target group defines Healthcheck |
Terraform |
LBTargetGroupsDefinesHealthcheck.py |
673 |
CKV_AWS_261 |
resource |
aws_lb_target_group |
Ensure HTTP HTTPS Target group defines Healthcheck |
Terraform |
LBTargetGroupsDefinesHealthcheck.py |
674 |
CKV_AWS_262 |
resource |
aws_kendra_index |
Ensure Kendra index Server side encryption uses CMK |
Terraform |
KendraIndexSSEUsesCMK.py |
675 |
CKV_AWS_263 |
resource |
aws_appflow_flow |
Ensure AppFlow flow uses CMK |
Terraform |
AppFlowUsesCMK.py |
676 |
CKV_AWS_264 |
resource |
aws_appflow_connector_profile |
Ensure AppFlow connector profile uses CMK |
Terraform |
AppFlowConnectorProfileUsesCMK.py |
677 |
CKV_AWS_265 |
resource |
aws_keyspaces_table |
Ensure Keyspaces Table uses CMK |
Terraform |
KeyspacesTableUsesCMK.py |
678 |
CKV_AWS_266 |
resource |
aws_db_snapshot_copy |
Ensure DB Snapshot copy uses CMK |
Terraform |
DBSnapshotCopyUsesCMK.py |
679 |
CKV_AWS_267 |
resource |
aws_comprehend_entity_recognizer |
Ensure that Comprehend Entity Recognizer’s model is encrypted by KMS using a customer managed Key (CMK) |
Terraform |
ComprehendEntityRecognizerModelUsesCMK.py |
680 |
CKV_AWS_268 |
resource |
aws_comprehend_entity_recognizer |
Ensure that Comprehend Entity Recognizer’s volume is encrypted by KMS using a customer managed Key (CMK) |
Terraform |
ComprehendEntityRecognizerVolumeUsesCMK.py |
681 |
CKV_AWS_269 |
resource |
aws_connect_instance_storage_config |
Ensure Connect Instance Kinesis Video Stream Storage Config uses CMK |
Terraform |
ConnectInstanceKinesisVideoStreamStorageConfigUsesCMK.py |
682 |
CKV_AWS_270 |
resource |
aws_connect_instance_storage_config |
Ensure Connect Instance S3 Storage Config uses CMK |
Terraform |
ConnectInstanceS3StorageConfigUsesCMK.py |
683 |
CKV_AWS_271 |
resource |
aws_dynamodb_table_replica |
Ensure DynamoDB table replica KMS encryption uses CMK |
Terraform |
DynamoDBTableReplicaKMSUsesCMK.py |
684 |
CKV_AWS_272 |
resource |
aws_lambda_function |
Ensure AWS Lambda function is configured to validate code-signing |
Terraform |
LambdaCodeSigningConfigured.py |
685 |
CKV_AWS_273 |
resource |
aws_iam_user |
Ensure access is controlled through SSO and not AWS IAM defined users |
Terraform |
IAMUserNotUsedForAccess.py |
686 |
CKV_AWS_274 |
resource |
aws_iam_group_policy_attachment |
Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy |
Terraform |
IAMManagedAdminPolicy.py |
687 |
CKV_AWS_274 |
resource |
aws_iam_policy_attachment |
Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy |
Terraform |
IAMManagedAdminPolicy.py |
688 |
CKV_AWS_274 |
resource |
aws_iam_role |
Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy |
Terraform |
IAMManagedAdminPolicy.py |
689 |
CKV_AWS_274 |
resource |
aws_iam_role_policy_attachment |
Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy |
Terraform |
IAMManagedAdminPolicy.py |
690 |
CKV_AWS_274 |
resource |
aws_iam_user_policy_attachment |
Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy |
Terraform |
IAMManagedAdminPolicy.py |
691 |
CKV_AWS_274 |
resource |
aws_ssoadmin_managed_policy_attachment |
Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy |
Terraform |
IAMManagedAdminPolicy.py |
692 |
CKV_AWS_275 |
data |
aws_iam_policy |
Disallow policies from using the AWS AdministratorAccess policy |
Terraform |
IAMManagedAdminPolicy.py |
693 |
CKV_AWS_276 |
resource |
aws_api_gateway_method_settings |
Ensure Data Trace is not enabled in API Gateway Method Settings |
Terraform |
APIGatewayMethodSettingsDataTrace.py |
694 |
CKV_AWS_277 |
resource |
aws_security_group |
Ensure no security groups allow ingress from 0.0.0.0:0 to port -1 |
Terraform |
SecurityGroupUnrestrictedIngressAny.py |
695 |
CKV_AWS_277 |
resource |
aws_security_group_rule |
Ensure no security groups allow ingress from 0.0.0.0:0 to port -1 |
Terraform |
SecurityGroupUnrestrictedIngressAny.py |
696 |
CKV_AWS_277 |
resource |
aws_vpc_security_group_ingress_rule |
Ensure no security groups allow ingress from 0.0.0.0:0 to port -1 |
Terraform |
SecurityGroupUnrestrictedIngressAny.py |
697 |
CKV_AWS_278 |
resource |
aws_memorydb_snapshot |
Ensure MemoryDB snapshot is encrypted by KMS using a customer managed Key (CMK) |
Terraform |
MemoryDBSnapshotEncryptionWithCMK.py |
698 |
CKV_AWS_279 |
resource |
aws_neptune_cluster_snapshot |
Ensure Neptune snapshot is securely encrypted |
Terraform |
NeptuneClusterSnapshotEncrypted.py |
699 |
CKV_AWS_280 |
resource |
aws_neptune_cluster_snapshot |
Ensure Neptune snapshot is encrypted by KMS using a customer managed Key (CMK) |
Terraform |
NeptuneClusterSnapshotEncryptedWithCMK.py |
700 |
CKV_AWS_281 |
resource |
aws_redshift_snapshot_copy_grant |
Ensure RedShift snapshot copy is encrypted by KMS using a customer managed Key (CMK) |
Terraform |
RedshiftClusterSnapshotCopyGrantEncryptedWithCMK.py |
701 |
CKV_AWS_282 |
resource |
aws_redshiftserverless_namespace |
Ensure that Redshift Serverless namespace is encrypted by KMS using a customer managed key (CMK) |
Terraform |
RedshiftServerlessNamespaceKMSKey.py |
702 |
CKV_AWS_283 |
data |
aws_iam_policy_document |
Ensure no IAM policies documents allow ALL or any AWS principal permissions to the resource |
Terraform |
IAMPublicActionsPolicy.py |
703 |
CKV_AWS_284 |
resource |
aws_sfn_state_machine |
Ensure State Machine has X-Ray tracing enabled |
Terraform |
StateMachineXray.py |
704 |
CKV_AWS_285 |
resource |
aws_sfn_state_machine |
Ensure State Machine has execution history logging enabled |
Terraform |
StateMachineLoggingExecutionHistory.py |
705 |
CKV_AWS_286 |
resource |
aws_iam_group_policy |
Ensure IAM policies does not allow privilege escalation |
Terraform |
IAMPrivilegeEscalation.py |
706 |
CKV_AWS_286 |
resource |
aws_iam_policy |
Ensure IAM policies does not allow privilege escalation |
Terraform |
IAMPrivilegeEscalation.py |
707 |
CKV_AWS_286 |
resource |
aws_iam_role_policy |
Ensure IAM policies does not allow privilege escalation |
Terraform |
IAMPrivilegeEscalation.py |
708 |
CKV_AWS_286 |
resource |
aws_iam_user_policy |
Ensure IAM policies does not allow privilege escalation |
Terraform |
IAMPrivilegeEscalation.py |
709 |
CKV_AWS_286 |
resource |
aws_ssoadmin_permission_set_inline_policy |
Ensure IAM policies does not allow privilege escalation |
Terraform |
IAMPrivilegeEscalation.py |
710 |
CKV_AWS_287 |
resource |
aws_iam_group_policy |
Ensure IAM policies does not allow credentials exposure |
Terraform |
IAMCredentialsExposure.py |
711 |
CKV_AWS_287 |
resource |
aws_iam_policy |
Ensure IAM policies does not allow credentials exposure |
Terraform |
IAMCredentialsExposure.py |
712 |
CKV_AWS_287 |
resource |
aws_iam_role_policy |
Ensure IAM policies does not allow credentials exposure |
Terraform |
IAMCredentialsExposure.py |
713 |
CKV_AWS_287 |
resource |
aws_iam_user_policy |
Ensure IAM policies does not allow credentials exposure |
Terraform |
IAMCredentialsExposure.py |
714 |
CKV_AWS_287 |
resource |
aws_ssoadmin_permission_set_inline_policy |
Ensure IAM policies does not allow credentials exposure |
Terraform |
IAMCredentialsExposure.py |
715 |
CKV_AWS_288 |
resource |
aws_iam_group_policy |
Ensure IAM policies does not allow data exfiltration |
Terraform |
IAMDataExfiltration.py |
716 |
CKV_AWS_288 |
resource |
aws_iam_policy |
Ensure IAM policies does not allow data exfiltration |
Terraform |
IAMDataExfiltration.py |
717 |
CKV_AWS_288 |
resource |
aws_iam_role_policy |
Ensure IAM policies does not allow data exfiltration |
Terraform |
IAMDataExfiltration.py |
718 |
CKV_AWS_288 |
resource |
aws_iam_user_policy |
Ensure IAM policies does not allow data exfiltration |
Terraform |
IAMDataExfiltration.py |
719 |
CKV_AWS_288 |
resource |
aws_ssoadmin_permission_set_inline_policy |
Ensure IAM policies does not allow data exfiltration |
Terraform |
IAMDataExfiltration.py |
720 |
CKV_AWS_289 |
resource |
aws_iam_group_policy |
Ensure IAM policies does not allow permissions management / resource exposure without constraints |
Terraform |
IAMPermissionsManagement.py |
721 |
CKV_AWS_289 |
resource |
aws_iam_policy |
Ensure IAM policies does not allow permissions management / resource exposure without constraints |
Terraform |
IAMPermissionsManagement.py |
722 |
CKV_AWS_289 |
resource |
aws_iam_role_policy |
Ensure IAM policies does not allow permissions management / resource exposure without constraints |
Terraform |
IAMPermissionsManagement.py |
723 |
CKV_AWS_289 |
resource |
aws_iam_user_policy |
Ensure IAM policies does not allow permissions management / resource exposure without constraints |
Terraform |
IAMPermissionsManagement.py |
724 |
CKV_AWS_289 |
resource |
aws_ssoadmin_permission_set_inline_policy |
Ensure IAM policies does not allow permissions management / resource exposure without constraints |
Terraform |
IAMPermissionsManagement.py |
725 |
CKV_AWS_290 |
resource |
aws_iam_group_policy |
Ensure IAM policies does not allow write access without constraints |
Terraform |
IAMWriteAccess.py |
726 |
CKV_AWS_290 |
resource |
aws_iam_policy |
Ensure IAM policies does not allow write access without constraints |
Terraform |
IAMWriteAccess.py |
727 |
CKV_AWS_290 |
resource |
aws_iam_role_policy |
Ensure IAM policies does not allow write access without constraints |
Terraform |
IAMWriteAccess.py |
728 |
CKV_AWS_290 |
resource |
aws_iam_user_policy |
Ensure IAM policies does not allow write access without constraints |
Terraform |
IAMWriteAccess.py |
729 |
CKV_AWS_290 |
resource |
aws_ssoadmin_permission_set_inline_policy |
Ensure IAM policies does not allow write access without constraints |
Terraform |
IAMWriteAccess.py |
730 |
CKV_AWS_291 |
resource |
AWS::MSK::Cluster |
Ensure MSK nodes are private |
Cloudformation |
MSKClusterNodesArePrivate.py |
731 |
CKV_AWS_291 |
resource |
aws_msk_cluster |
Ensure MSK nodes are private |
Terraform |
MSKClusterNodesArePrivate.py |
732 |
CKV_AWS_292 |
resource |
aws_docdb_global_cluster |
Ensure DocumentDB Global Cluster is encrypted at rest (default is unencrypted) |
Terraform |
DocDBGlobalClusterEncryption.py |
733 |
CKV_AWS_293 |
resource |
aws_db_instance |
Ensure that AWS database instances have deletion protection enabled |
Terraform |
RDSInstanceDeletionProtection.py |
734 |
CKV_AWS_294 |
resource |
aws_cloudtrail_event_data_store |
Ensure CloudTrail Event Data Store uses CMK |
Terraform |
CloudtrailEventDataStoreUsesCMK.py |
735 |
CKV_AWS_295 |
resource |
aws_datasync_location_object_storage |
Ensure DataSync Location Object Storage doesn’t expose secrets |
Terraform |
DatasyncLocationExposesSecrets.py |
736 |
CKV_AWS_296 |
resource |
aws_dms_endpoint |
Ensure DMS endpoint uses Customer Managed Key (CMK) |
Terraform |
DMSEndpointUsesCMK.py |
737 |
CKV_AWS_297 |
resource |
aws_scheduler_schedule |
Ensure EventBridge Scheduler Schedule uses Customer Managed Key (CMK) |
Terraform |
SchedulerScheduleUsesCMK.py |
738 |
CKV_AWS_298 |
resource |
aws_dms_s3_endpoint |
Ensure DMS S3 uses Customer Managed Key (CMK) |
Terraform |
DMSS3UsesCMK.py |
739 |
CKV_AWS_300 |
resource |
aws_s3_bucket_lifecycle_configuration |
Ensure S3 lifecycle configuration sets period for aborting failed uploads |
Terraform |
S3AbortIncompleteUploads.py |
740 |
CKV_AWS_301 |
resource |
aws_lambda_permission |
Ensure that AWS Lambda function is not publicly accessible |
Terraform |
LambdaFunctionIsNotPublic.py |
741 |
CKV_AWS_302 |
resource |
aws_db_snapshot |
Ensure DB Snapshots are not Public |
Terraform |
DBSnapshotsArePrivate.py |
742 |
CKV_AWS_303 |
resource |
aws_ssm_document |
Ensure SSM documents are not Public |
Terraform |
SSMDocumentsArePrivate.py |
743 |
CKV_AWS_304 |
resource |
aws_secretsmanager_secret_rotation |
Ensure Secrets Manager secrets should be rotated within 90 days |
Terraform |
SecretManagerSecret90days.py |
744 |
CKV_AWS_305 |
resource |
aws_cloudfront_distribution |
Ensure CloudFront distribution has a default root object configured |
Terraform |
CloudfrontDistributionDefaultRoot.py |
745 |
CKV_AWS_306 |
resource |
aws_sagemaker_notebook_instance |
Ensure SageMaker notebook instances should be launched into a custom VPC |
Terraform |
SagemakerNotebookInCustomVPC.py |
746 |
CKV_AWS_307 |
resource |
aws_sagemaker_notebook_instance |
Ensure SageMaker Users should not have root access to SageMaker notebook instances |
Terraform |
SagemakerNotebookRoot.py |
747 |
CKV_AWS_308 |
resource |
aws_api_gateway_method_settings |
Ensure API Gateway method setting caching is set to encrypted |
Terraform |
APIGatewayMethodSettingsCacheEncrypted.py |
748 |
CKV_AWS_309 |
resource |
aws_apigatewayv2_route |
Ensure API GatewayV2 routes specify an authorization type |
Terraform |
APIGatewayV2RouteDefinesAuthorizationType.py |
749 |
CKV_AWS_310 |
resource |
aws_cloudfront_distribution |
Ensure CloudFront distributions should have origin failover configured |
Terraform |
CloudfrontDistributionOriginFailover.py |
750 |
CKV_AWS_311 |
resource |
aws_codebuild_project |
Ensure that CodeBuild S3 logs are encrypted |
Terraform |
CodebuildS3LogsEncrypted.py |
751 |
CKV_AWS_312 |
resource |
aws_elastic_beanstalk_environment |
Ensure Elastic Beanstalk environments have enhanced health reporting enabled |
Terraform |
ElasticBeanstalkUseEnhancedHealthChecks.py |
752 |
CKV_AWS_313 |
resource |
aws_rds_cluster |
Ensure RDS cluster configured to copy tags to snapshots |
Terraform |
RDSClusterCopyTags.py |
753 |
CKV_AWS_314 |
resource |
aws_codebuild_project |
Ensure CodeBuild project environments have a logging configuration |
Terraform |
CodebuildHasLogs.py |
754 |
CKV_AWS_315 |
resource |
aws_autoscaling_group |
Ensure EC2 Auto Scaling groups use EC2 launch templates |
Terraform |
AutoScalingLaunchTemplate.py |
755 |
CKV_AWS_316 |
resource |
aws_codebuild_project |
Ensure CodeBuild project environments do not have privileged mode enabled |
Terraform |
CodeBuildPrivilegedMode.py |
756 |
CKV_AWS_317 |
resource |
AWS::Elasticsearch::Domain |
Ensure Elasticsearch Domain Audit Logging is enabled |
Cloudformation |
ElasticsearchDomainAuditLogging.py |
757 |
CKV_AWS_317 |
resource |
AWS::OpenSearchService::Domain |
Ensure Elasticsearch Domain Audit Logging is enabled |
Cloudformation |
ElasticsearchDomainAuditLogging.py |
758 |
CKV_AWS_317 |
resource |
aws_elasticsearch_domain |
Ensure Elasticsearch Domain Audit Logging is enabled |
Terraform |
ElasticsearchDomainAuditLogging.py |
759 |
CKV_AWS_317 |
resource |
aws_opensearch_domain |
Ensure Elasticsearch Domain Audit Logging is enabled |
Terraform |
ElasticsearchDomainAuditLogging.py |
760 |
CKV_AWS_318 |
resource |
aws_elasticsearch_domain |
Ensure Elasticsearch domains are configured with at least three dedicated master nodes for HA |
Terraform |
ElasticsearchDomainHA.py |
761 |
CKV_AWS_318 |
resource |
aws_opensearch_domain |
Ensure Elasticsearch domains are configured with at least three dedicated master nodes for HA |
Terraform |
ElasticsearchDomainHA.py |
762 |
CKV_AWS_319 |
resource |
aws_cloudwatch_metric_alarm |
Ensure that CloudWatch alarm actions are enabled |
Terraform |
CloudWatchAlarmsEnabled.py |
763 |
CKV_AWS_320 |
resource |
aws_redshift_cluster |
Ensure Redshift clusters do not use the default database name |
Terraform |
RedshiftClusterDatabaseName.py |
764 |
CKV_AWS_321 |
resource |
aws_redshift_cluster |
Ensure Redshift clusters use enhanced VPC routing |
Terraform |
RedshiftClusterUseEnhancedVPCRouting.py |
765 |
CKV_AWS_322 |
resource |
aws_elasticache_cluster |
Ensure ElastiCache for Redis cache clusters have auto minor version upgrades enabled |
Terraform |
ElasticCacheAutomaticMinorUpgrades.py |
766 |
CKV_AWS_323 |
resource |
aws_elasticache_cluster |
Ensure ElastiCache clusters do not use the default subnet group |
Terraform |
ElastiCacheHasCustomSubnet.py |
| 767 | CKV_AWS_324 | resource | aws_rds_cluster | Ensure that RDS Cluster log capture is enabled | Terraform | RDSClusterLogging.py |
| 768 | CKV_AWS_325 | resource | aws_rds_cluster | Ensure that RDS Cluster audit logging is enabled for MySQL engine | Terraform | RDSClusterAuditLogging.py |
| 769 | CKV_AWS_326 | resource | aws_rds_cluster | Ensure that RDS Aurora Clusters have backtracking enabled | Terraform | RDSClusterAuroraBacktrack.py |
| 770 | CKV_AWS_327 | resource | aws_rds_cluster | Ensure RDS Clusters are encrypted using KMS CMKs | Terraform | RDSClusterEncryptedWithCMK.py |
| 771 | CKV_AWS_328 | resource | aws_alb | Ensure that ALB is configured with defensive or strictest desync mitigation mode | Terraform | ALBDesyncMode.py |
| 772 | CKV_AWS_328 | resource | aws_elb | Ensure that ALB is configured with defensive or strictest desync mitigation mode | Terraform | ALBDesyncMode.py |
| 773 | CKV_AWS_328 | resource | aws_lb | Ensure that ALB is configured with defensive or strictest desync mitigation mode | Terraform | ALBDesyncMode.py |
| 774 | CKV_AWS_329 | resource | aws_efs_access_point | EFS access points should enforce a root directory | Terraform | EFSAccessPointRoot.py |
| 775 | CKV_AWS_330 | resource | aws_efs_access_point | EFS access points should enforce a user identity | Terraform | EFSAccessUserIdentity.py |
| 776 | CKV_AWS_331 | resource | aws_ec2_transit_gateway | Ensure Transit Gateways do not automatically accept VPC attachment requests | Terraform | Ec2TransitGatewayAutoAccept.py |
| 777 | CKV_AWS_332 | resource | aws_ecs_service | Ensure ECS Fargate services run on the latest Fargate platform version | Terraform | ECSServiceFargateLatest.py |
| 778 | CKV_AWS_333 | resource | aws_ecs_service | Ensure ECS services do not have public IP addresses assigned to them automatically | Terraform | ECSServicePublicIP.py |
| 779 | CKV_AWS_334 | resource | aws_ecs_task_definition | Ensure ECS containers should run as non-privileged | Terraform | ECSContainerPrivilege.py |
| 780 | CKV_AWS_335 | resource | aws_ecs_task_definition | Ensure ECS task definitions should not share the host’s process namespace | Terraform | ECSContainerHostProcess.py |
| 781 | CKV_AWS_336 | resource | aws_ecs_task_definition | Ensure ECS containers are limited to read-only access to root filesystems | Terraform | ECSContainerReadOnlyRoot.py |
| 782 | CKV_AWS_337 | resource | aws_ssm_parameter | Ensure SSM parameters are using KMS CMK | Terraform | SSMParameterUsesCMK.py |
| 783 | CKV_AWS_338 | resource | aws_cloudwatch_log_group | Ensure CloudWatch log groups retains logs for at least 1 year | Terraform | CloudWatchLogGroupRetentionYear.py |
| 784 | CKV_AWS_339 | resource | aws_eks_cluster | Ensure EKS clusters run on a supported Kubernetes version | Terraform | EKSPlatformVersion.py |
| 785 | CKV_AWS_340 | resource | aws_elastic_beanstalk_environment | Ensure Elastic Beanstalk managed platform updates are enabled | Terraform | ElasticBeanstalkUseManagedUpdates.py |
| 786 | CKV_AWS_341 | resource | aws_launch_configuration | Ensure Launch template should not have a metadata response hop limit greater than 1 | Terraform | LaunchTemplateMetadataHop.py |
| 787 | CKV_AWS_341 | resource | aws_launch_template | Ensure Launch template should not have a metadata response hop limit greater than 1 | Terraform | LaunchTemplateMetadataHop.py |
| 788 | CKV_AWS_342 | resource | aws_waf_rule_group | Ensure WAF rule has any actions | Terraform | WAFRuleHasAnyActions.py |
| 789 | CKV_AWS_342 | resource | aws_waf_web_acl | Ensure WAF rule has any actions | Terraform | WAFRuleHasAnyActions.py |
| 790 | CKV_AWS_342 | resource | aws_wafregional_rule_group | Ensure WAF rule has any actions | Terraform | WAFRuleHasAnyActions.py |
| 791 | CKV_AWS_342 | resource | aws_wafregional_web_acl | Ensure WAF rule has any actions | Terraform | WAFRuleHasAnyActions.py |
| 792 | CKV_AWS_342 | resource | aws_wafv2_rule_group | Ensure WAF rule has any actions | Terraform | WAFRuleHasAnyActions.py |
| 793 | CKV_AWS_342 | resource | aws_wafv2_web_acl | Ensure WAF rule has any actions | Terraform | WAFRuleHasAnyActions.py |
| 794 | CKV_AWS_343 | resource | aws_redshift_cluster | Ensure Amazon Redshift clusters should have automatic snapshots enabled | Terraform | RedshiftClusterAutoSnap.py |
| 795 | CKV_AWS_344 | resource | aws_networkfirewall_firewall | Ensure that Network firewalls have deletion protection enabled | Terraform | NetworkFirewallDeletionProtection.py |
| 796 | CKV_AWS_345 | resource | aws_networkfirewall_firewall | Ensure that Network firewall encryption is via a CMK | Terraform | NetworkFirewallUsesCMK.py |
| 797 | CKV_AWS_345 | resource | aws_networkfirewall_rule_group | Ensure that Network firewall encryption is via a CMK | Terraform | NetworkFirewallUsesCMK.py |
| 798 | CKV_AWS_346 | resource | aws_networkfirewall_firewall_policy | Ensure Network Firewall Policy defines an encryption configuration that uses a customer managed Key (CMK) | Terraform | NetworkFirewallPolicyDefinesCMK.py |
| 799 | CKV_AWS_347 | resource | aws_neptune_cluster | Ensure Neptune is encrypted by KMS using a customer managed Key (CMK) | Terraform | NeptuneClusterEncryptedWithCMK.py |
| 800 | CKV_AWS_348 | resource | aws_iam_access_key | Ensure IAM root user doesnt have Access keys | Terraform | IAMUserRootAccessKeys.py |
| 801 | CKV_AWS_349 | resource | aws_emr_security_configuration | Ensure EMR Cluster security configuration encrypts local disks | Terraform | EMRClusterConfEncryptsLocalDisk.py |
| 802 | CKV_AWS_350 | resource | aws_emr_security_configuration | Ensure EMR Cluster security configuration encrypts EBS disks | Terraform | EMRClusterConfEncryptsEBS.py |
| 803 | CKV_AWS_351 | resource | aws_emr_security_configuration | Ensure EMR Cluster security configuration encrypts InTransit | Terraform | EMRClusterConfEncryptsInTransit.py |
| 804 | CKV_AWS_352 | resource | aws_network_acl_rule | Ensure NACL ingress does not allow all Ports | Terraform | NetworkACLUnrestricted.py |
| 805 | CKV_AWS_353 | resource | aws_db_instance | Ensure that RDS instances have performance insights enabled | Terraform | RDSInstancePerformanceInsights.py |
| 806 | CKV_AWS_353 | resource | aws_rds_cluster_instance | Ensure that RDS instances have performance insights enabled | Terraform | RDSInstancePerformanceInsights.py |
| 807 | CKV_AWS_354 | resource | aws_db_instance | Ensure RDS Performance Insights are encrypted using KMS CMKs | Terraform | RDSInstancePerfInsightsEncryptionWithCMK.py |
| 808 | CKV_AWS_354 | resource | aws_rds_cluster_instance | Ensure RDS Performance Insights are encrypted using KMS CMKs | Terraform | RDSInstancePerfInsightsEncryptionWithCMK.py |
| 809 | CKV_AWS_355 | resource | aws_iam_group_policy | Ensure no IAM policies documents allow “*” as a statement’s resource for restrictable actions | Terraform | IAMStarResourcePolicyDocument.py |
| 810 | CKV_AWS_355 | resource | aws_iam_policy | Ensure no IAM policies documents allow “*” as a statement’s resource for restrictable actions | Terraform | IAMStarResourcePolicyDocument.py |
| 811 | CKV_AWS_355 | resource | aws_iam_role_policy | Ensure no IAM policies documents allow “*” as a statement’s resource for restrictable actions | Terraform | IAMStarResourcePolicyDocument.py |
| 812 | CKV_AWS_355 | resource | aws_iam_user_policy | Ensure no IAM policies documents allow “*” as a statement’s resource for restrictable actions | Terraform | IAMStarResourcePolicyDocument.py |
| 813 | CKV_AWS_355 | resource | aws_ssoadmin_permission_set_inline_policy | Ensure no IAM policies documents allow “*” as a statement’s resource for restrictable actions | Terraform | IAMStarResourcePolicyDocument.py |
| 814 | CKV_AWS_356 | data | aws_iam_policy_document | Ensure no IAM policies documents allow “*” as a statement’s resource for restrictable actions | Terraform | ResourcePolicyDocument.py |
| 815 | CKV_AWS_357 | resource | aws_transfer_server | Ensure Transfer Server allows only secure protocols | Terraform | TransferServerAllowsOnlySecureProtocols.py |
| 816 | CKV_AWS_358 | data | aws_iam_policy_document | Ensure GitHub Actions OIDC trust policies only allows actions from a specific known organization | Terraform | GithubActionsOIDCTrustPolicy.py |
| 817 | CKV_AWS_359 | resource | aws_neptune_cluster | Neptune DB clusters should have IAM database authentication enabled | Terraform | NeptuneDBClustersIAMDatabaseAuthenticationEnabled.py |
| 818 | CKV_AWS_360 | resource | AWS::DocDB::DBCluster | Ensure DocumentDB has an adequate backup retention period | Cloudformation | DocDBBackupRetention.py |
| 819 | CKV_AWS_360 | resource | aws_docdb_cluster | Ensure DocumentDB has an adequate backup retention period | Terraform | DocDBBackupRetention.py |
| 820 | CKV_AWS_361 | resource | AWS::Neptune::DBCluster | Ensure that Neptune DB cluster has automated backups enabled with adequate retention | Cloudformation | NeptuneClusterBackupRetention.py |
| 821 | CKV_AWS_361 | resource | aws_neptune_cluster | Ensure that Neptune DB cluster has automated backups enabled with adequate retention | Terraform | NeptuneClusterBackupRetention.py |
| 822 | CKV_AWS_362 | resource | aws_neptune_cluster | Neptune DB clusters should be configured to copy tags to snapshots | Terraform | NeptuneDBClustersCopyTagsToSnapshots.py |
| 823 | CKV_AWS_363 | resource | AWS::Lambda::Function | Ensure Lambda Runtime is not deprecated | Cloudformation | DeprecatedLambdaRuntime.py |
| 824 | CKV_AWS_363 | resource | AWS::Serverless::Function | Ensure Lambda Runtime is not deprecated | Cloudformation | DeprecatedLambdaRuntime.py |
| 825 | CKV_AWS_363 | resource | aws_lambda_function | Ensure Lambda Runtime is not deprecated | Terraform | DeprecatedLambdaRuntime.py |
| 826 | CKV_AWS_364 | resource | AWS::Lambda::Permission | Ensure that AWS Lambda function permissions delegated to AWS services are limited by SourceArn or SourceAccount | Cloudformation | LambdaServicePermission.py |
| 827 | CKV_AWS_364 | resource | aws_lambda_permission | Ensure that AWS Lambda function permissions delegated to AWS services are limited by SourceArn or SourceAccount | Terraform | LambdaServicePermission.py |
| 828 | CKV_AWS_365 | resource | aws_ses_configuration_set | Ensure SES Configuration Set enforces TLS usage | Terraform | SesConfigurationSetDefinesTLS.py |
| 829 | CKV_AWS_366 | resource | AWS::Cognito::IdentityPool | Ensure AWS Cognito identity pool does not allow unauthenticated guest access | Cloudformation | CognitoUnauthenticatedIdentities.py |
| 830 | CKV_AWS_366 | resource | aws_cognito_identity_pool | Ensure AWS Cognito identity pool does not allow unauthenticated guest access | Terraform | CognitoUnauthenticatedIdentities.py |
| 831 | CKV_AWS_367 | resource | AWS::SageMaker::DataQualityJobDefinition | Ensure Amazon Sagemaker Data Quality Job uses KMS to encrypt model artifacts | Cloudformation | SagemakerDataQualityJobDefinitionEncryption.py |
| 832 | CKV_AWS_367 | resource | aws_sagemaker_data_quality_job_definition | Ensure Amazon Sagemaker Data Quality Job uses KMS to encrypt model artifacts | Terraform | SagemakerDataQualityJobDefinitionEncryption.py |
| 833 | CKV_AWS_368 | resource | AWS::SageMaker::DataQualityJobDefinition | Ensure Amazon Sagemaker Data Quality Job uses KMS to encrypt data on attached storage volume | Cloudformation | SagemakerDataQualityJobDefinitionVolumeEncryption.py |
| 834 | CKV_AWS_368 | resource | aws_sagemaker_data_quality_job_definition | Ensure Amazon Sagemaker Data Quality Job uses KMS to encrypt data on attached storage volume | Terraform | SagemakerDataQualityJobDefinitionVolumeEncryption.py |
| 835 | CKV_AWS_369 | resource | AWS::SageMaker::DataQualityJobDefinition | Ensure Amazon Sagemaker Data Quality Job encrypts all communications between instances used for monitoring jobs | Cloudformation | SagemakerDataQualityJobDefinitionTrafficEncryption.py |
| 836 | CKV_AWS_369 | resource | aws_sagemaker_data_quality_job_definition | Ensure Amazon Sagemaker Data Quality Job encrypts all communications between instances used for monitoring jobs | Terraform | SagemakerDataQualityJobDefinitionTrafficEncryption.py |
| 837 | CKV_AWS_370 | resource | AWS::SageMaker::Model | Ensure Amazon SageMaker model uses network isolation | Cloudformation | SagemakerModelWithNetworkIsolation.py |
| 838 | CKV_AWS_370 | resource | aws_sagemaker_model | Ensure Amazon SageMaker model uses network isolation | Terraform | SagemakerModelWithNetworkIsolation.py |
| 839 | CKV_AWS_371 | resource | AWS::SageMaker::NotebookInstance | Ensure Amazon SageMaker Notebook Instance only allows for IMDSv2 | Cloudformation | SagemakerNotebookInstanceAllowsIMDSv2.py |
| 840 | CKV_AWS_371 | resource | aws_sagemaker_notebook_instance | Ensure Amazon SageMaker Notebook Instance only allows for IMDSv2 | Terraform | SagemakerNotebookInstanceAllowsIMDSv2.py |
| 841 | CKV_AWS_372 | resource | aws_sagemaker_flow_definition | Ensure Amazon SageMaker Flow Definition uses KMS for output configurations | Terraform | SagemakerFlowDefinitionUsesKMS.py |
| 842 | CKV_AWS_373 | resource | AWS::Bedrock::Agent | Ensure Bedrock Agent is encrypted with a CMK | Cloudformation | BedrockAgentEncrypted.py |
| 843 | CKV_AWS_373 | resource | aws_bedrockagent_agent | Ensure Bedrock Agent is encrypted with a CMK | Terraform | BedrockAgentEncrypted.py |
| 844 | CKV_AWS_374 | resource | aws_cloudfront_distribution | Ensure AWS CloudFront web distribution has geo restriction enabled | Terraform | CloudFrontGeoRestrictionDisabled.py |
| 845 | CKV_AWS_375 | resource | aws_s3_bucket_acl | Ensure AWS S3 bucket does not have global view ACL permissions enabled | Terraform | S3GlobalViewACL.py |
| 846 | CKV_AWS_376 | resource | aws_elb | Ensure AWS Elastic Load Balancer listener uses TLS/SSL | Terraform | ELBwListenerNotTLSSSL.py |
| 847 | CKV_AWS_377 | resource | aws_route53domains_registered_domain | Ensure Route 53 domains have transfer lock protection | Terraform | Route53TransferLock.py |
| 848 | CKV_AWS_378 | resource | aws_alb_listener | Ensure AWS Load Balancer doesn’t use HTTP protocol | Terraform | LBTargetGroup.yaml |
| 849 | CKV_AWS_378 | resource | aws_alb_target_group | Ensure AWS Load Balancer doesn’t use HTTP protocol | Terraform | LBTargetGroup.yaml |
| 850 | CKV_AWS_378 | resource | aws_lb_listener | Ensure AWS Load Balancer doesn’t use HTTP protocol | Terraform | LBTargetGroup.yaml |
| 851 | CKV_AWS_378 | resource | aws_lb_target_group | Ensure AWS Load Balancer doesn’t use HTTP protocol | Terraform | LBTargetGroup.yaml |
| 852 | CKV_AWS_379 | resource | aws_s3_bucket_acl | Ensure AWS S3 bucket is configured with secure data transport policy | Terraform | S3SecureDataTransport.py |
| 853 | CKV_AWS_380 | resource | aws_transfer_server | Ensure AWS Transfer Server uses latest Security Policy | Terraform | TransferServerLatestPolicy.py |
| 854 | CKV_AWS_381 | resource | aws_codegurureviewer_repository_association | Make sure that aws_codegurureviewer_repository_association has a CMK | Terraform | AWSCodeGuruHasCMK.py |
| 855 | CKV_AWS_382 | resource | aws_security_group | Ensure no security groups allow egress from 0.0.0.0:0 to port -1 | Terraform | SecurityGroupUnrestrictedEgressAny.py |
| 856 | CKV_AWS_382 | resource | aws_security_group_rule | Ensure no security groups allow egress from 0.0.0.0:0 to port -1 | Terraform | SecurityGroupUnrestrictedEgressAny.py |
| 857 | CKV_AWS_382 | resource | aws_vpc_security_group_egress_rule | Ensure no security groups allow egress from 0.0.0.0:0 to port -1 | Terraform | SecurityGroupUnrestrictedEgressAny.py |
| 858 | CKV_AWS_383 | resource | aws_bedrockagent_agent | Ensure AWS Bedrock agent is associated with Bedrock guardrails | Terraform | BedrockGuardrails.py |
| 859 | CKV2_AWS_1 | resource | aws_network_acl | Ensure that all NACL are attached to subnets | Terraform | SubnetHasACL.yaml |
| 860 | CKV2_AWS_1 | resource | aws_subnet | Ensure that all NACL are attached to subnets | Terraform | SubnetHasACL.yaml |
| 861 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | EncryptedEBSVolumeOnlyConnectedToEC2s.yaml |
| 862 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | EncryptedEBSVolumeOnlyConnectedToEC2s.yaml |
| 863 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform | GuardDutyIsEnabled.yaml |
| 864 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | GuardDutyIsEnabled.yaml |
| 865 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | APIGWLoggingLevelsDefinedProperly.yaml |
| 866 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | APIGWLoggingLevelsDefinedProperly.yaml |
| 867 | CKV2_AWS_5 | resource | aws_security_group | Ensure that Security Groups are attached to another resource | Terraform | SGAttachedToResource.yaml |
| 868 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | S3BucketHasPublicAccessBlock.yaml |
| 869 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | S3BucketHasPublicAccessBlock.yaml |
| 870 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters’ security groups are not open to the world | Terraform | AMRClustersNotOpenToInternet.yaml |
| 871 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters’ security groups are not open to the world | Terraform | AMRClustersNotOpenToInternet.yaml |
| 872 | CKV2_AWS_8 | resource | aws_rds_cluster | Ensure that RDS clusters has backup plan of AWS Backup | Terraform | RDSClusterHasBackupPlan.yaml |
| 873 | CKV2_AWS_9 | resource | aws_backup_selection | Ensure that EBS are added in the backup plans of AWS Backup | Terraform | EBSAddedBackup.yaml |
| 874 | CKV2_AWS_10 | resource | aws_cloudtrail | Ensure CloudTrail trails are integrated with CloudWatch Logs | Terraform | CloudtrailHasCloudwatch.yaml |
| 875 | CKV2_AWS_11 | resource | aws_vpc | Ensure VPC flow logging is enabled in all VPCs | Terraform | VPCHasFlowLog.yaml |
| 876 | CKV2_AWS_12 | resource | aws_default_security_group | Ensure the default security group of every VPC restricts all traffic | Terraform | VPCHasRestrictedSG.yaml |
| 877 | CKV2_AWS_12 | resource | aws_vpc | Ensure the default security group of every VPC restricts all traffic | Terraform | VPCHasRestrictedSG.yaml |
| 878 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | IAMGroupHasAtLeastOneUser.yaml |
| 879 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | IAMGroupHasAtLeastOneUser.yaml |
| 880 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks. | Terraform | AutoScallingEnabledELB.yaml |
| 881 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks. | Terraform | AutoScallingEnabledELB.yaml |
| 882 | CKV2_AWS_15 | resource | aws_lb_target_group | Ensure that auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks. | Terraform | AutoScallingEnabledELB.yaml |
| 883 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | AutoScalingEnableOnDynamoDBTables.yaml |
| 884 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | AutoScalingEnableOnDynamoDBTables.yaml |
| 885 | CKV2_AWS_18 | resource | aws_backup_selection | Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup | Terraform | EFSAddedBackup.yaml |
| 886 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | EIPAllocatedToVPCAttachedEC2.yaml |
| 887 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | EIPAllocatedToVPCAttachedEC2.yaml |
| 888 | CKV2_AWS_20 | resource | aws_alb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | ALBRedirectsHTTPToHTTPS.yaml |
| 889 | CKV2_AWS_20 | resource | aws_alb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | ALBRedirectsHTTPToHTTPS.yaml |
| 890 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | ALBRedirectsHTTPToHTTPS.yaml |
| 891 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | ALBRedirectsHTTPToHTTPS.yaml |
| 892 | CKV2_AWS_21 | resource | aws_iam_group_membership | Ensure that all IAM users are members of at least one IAM group. | Terraform | IAMUsersAreMembersAtLeastOneGroup.yaml |
| 893 | CKV2_AWS_22 | resource | aws_iam_user | Ensure an IAM User does not have access to the console | Terraform | IAMUserHasNoConsoleAccess.yaml |
| 894 | CKV2_AWS_23 | resource | aws_route53_record | Route53 A Record has Attached Resource | Terraform | Route53ARecordAttachedResource.yaml |
| 895 | CKV2_AWS_27 | resource | aws_rds_cluster | Ensure Postgres RDS as aws_rds_cluster has Query Logging enabled | Terraform | PostgresRDSHasQueryLoggingEnabled.yaml |
| 896 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Ensure Postgres RDS as aws_rds_cluster has Query Logging enabled | Terraform | PostgresRDSHasQueryLoggingEnabled.yaml |
| 897 | CKV2_AWS_28 | resource | aws_alb | Ensure public facing ALB are protected by WAF | Terraform | ALBProtectedByWAF.yaml |
| 898 | CKV2_AWS_28 | resource | aws_lb | Ensure public facing ALB are protected by WAF | Terraform | ALBProtectedByWAF.yaml |
| 899 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform | APIProtectedByWAF.yaml |
| 900 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform | APIProtectedByWAF.yaml |
| 901 | CKV2_AWS_30 | resource | aws_db_instance | Ensure Postgres RDS as aws_db_instance has Query Logging enabled | Terraform | PostgresDBHasQueryLoggingEnabled.yaml |
| 902 | CKV2_AWS_30 | resource | aws_db_parameter_group | Ensure Postgres RDS as aws_db_instance has Query Logging enabled | Terraform | PostgresDBHasQueryLoggingEnabled.yaml |
| 903 | CKV2_AWS_31 | resource | aws_wafv2_web_acl | Ensure WAF2 has a Logging Configuration | Terraform | WAF2HasLogs.yaml |
| 904 | CKV2_AWS_32 | resource | aws_cloudfront_distribution | Ensure CloudFront distribution has a response headers policy attached | Terraform | CloudFrontHasResponseHeadersPolicy.yaml |
| 905 | CKV2_AWS_33 | resource | AWS::AppSync::GraphQLApi | Ensure AppSync is protected by WAF | Cloudformation | AppSyncProtectedByWAF.yaml |
| 906 | CKV2_AWS_33 | resource | aws_appsync_graphql_api | Ensure AppSync is protected by WAF | Terraform | AppSyncProtectedByWAF.yaml |
| 907 | CKV2_AWS_34 | resource | aws_ssm_parameter | AWS SSM Parameter should be Encrypted | Terraform | AWSSSMParameterShouldBeEncrypted.yaml |
| 908 | CKV2_AWS_35 | resource | aws_route | AWS NAT Gateways should be utilized for the default route | Terraform | AWSNATGatewaysshouldbeutilized.yaml |
| 909 | CKV2_AWS_35 | resource | aws_route_table | AWS NAT Gateways should be utilized for the default route | Terraform | AWSNATGatewaysshouldbeutilized.yaml |
| 910 | CKV2_AWS_36 | resource | aws_ssm_parameter | Ensure terraform is not sending SSM secrets to untrusted domains over HTTP | Terraform | HTTPNotSendingPasswords.yaml |
| 911 | CKV2_AWS_36 | resource | data.http | Ensure terraform is not sending SSM secrets to untrusted domains over HTTP | Terraform | HTTPNotSendingPasswords.yaml |
| 912 | CKV2_AWS_37 | resource | aws | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml |
| 913 | CKV2_AWS_37 | resource | aws_accessanalyzer_analyzer | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml |
| 914 | CKV2_AWS_37 | resource | aws_acm_certificate | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml |
| 915 | CKV2_AWS_37 | resource | aws_acm_certificate_validation | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml |
| 916 | CKV2_AWS_37 | resource | aws_acmpca_certificate_authority | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml |
| 917 | CKV2_AWS_37 | resource | aws_ami | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml |
| 918 | CKV2_AWS_37 | resource | aws_ami_copy | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml |
| 919 | CKV2_AWS_37 | resource | aws_ami_from_instance | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml |
| 920 | CKV2_AWS_37 | resource | aws_ami_launch_permission | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml |
| 921 | CKV2_AWS_37 | resource | aws_api_gateway_account | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml |
| 922 | CKV2_AWS_37 | resource | aws_api_gateway_api_key | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml |
| 923 | CKV2_AWS_37 | resource | aws_api_gateway_authorizer | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml |
| 924 | CKV2_AWS_37 | resource | aws_api_gateway_base_path_mapping | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml |
| 925 | CKV2_AWS_37 | resource | aws_api_gateway_client_certificate | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml |
| 926 | CKV2_AWS_37 | resource | aws_api_gateway_deployment | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml |
| 927 | CKV2_AWS_37 | resource | aws_api_gateway_documentation_part | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml |
| 928 | CKV2_AWS_37 | resource | aws_api_gateway_documentation_version | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml |
| 929 | CKV2_AWS_37 | resource | aws_api_gateway_domain_name | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml |
| 930 | CKV2_AWS_37 | resource | aws_api_gateway_gateway_response | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml |
| 931 | CKV2_AWS_37 | resource | aws_api_gateway_integration | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml |
| 932 | CKV2_AWS_37 | resource | aws_api_gateway_integration_response | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml |
| 933 | CKV2_AWS_37 | resource | aws_api_gateway_method | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml |
| 934 | CKV2_AWS_37 | resource | aws_api_gateway_method_response | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml |
| 935 | CKV2_AWS_37 | resource | aws_api_gateway_method_settings | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml |
| 936 | CKV2_AWS_37 | resource | aws_api_gateway_model | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml |
| 937 | CKV2_AWS_37 | resource | aws_api_gateway_request_validator | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml |
| 938 | CKV2_AWS_37 | resource | aws_api_gateway_resource | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml |
| 939 | CKV2_AWS_37 | resource | aws_api_gateway_rest_api | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml |
| 940 | CKV2_AWS_37 | resource | aws_api_gateway_stage | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml |
| 941 | CKV2_AWS_37 | resource | aws_api_gateway_usage_plan | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml |
| 942 | CKV2_AWS_37 | resource | aws_api_gateway_usage_plan_key | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml |
| 943 | CKV2_AWS_37 | resource | aws_api_gateway_vpc_link | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml |
| 944 | CKV2_AWS_37 | resource | aws_apigatewayv2_api | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml |
| 945 | CKV2_AWS_37 | resource | aws_apigatewayv2_api_mapping | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml |
| 946 | CKV2_AWS_37 | resource | aws_apigatewayv2_authorizer | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml |
| 947 | CKV2_AWS_37 | resource | aws_apigatewayv2_deployment | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml |
| 948 | CKV2_AWS_37 | resource | aws_apigatewayv2_domain_name | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml |
| 949 | CKV2_AWS_37 | resource | aws_apigatewayv2_integration | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml |
| 950 | CKV2_AWS_37 | resource | aws_apigatewayv2_integration_response | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml |
| 951 | CKV2_AWS_37 | resource | aws_apigatewayv2_model | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml |
| 952 | CKV2_AWS_37 | resource | aws_apigatewayv2_route | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml |
| 953 | CKV2_AWS_37 | resource | aws_apigatewayv2_route_response | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml |
| 954 | CKV2_AWS_37 | resource | aws_apigatewayv2_stage | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml |
| 955 | CKV2_AWS_37 | resource | aws_apigatewayv2_vpc_link | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml |
| 956 | CKV2_AWS_37 | resource | aws_app_cookie_stickiness_policy | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml |
| 957 | CKV2_AWS_37 | resource | aws_appautoscaling_policy | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml |
| 958 | CKV2_AWS_37 | resource | aws_appautoscaling_scheduled_action | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml |
| 959 | CKV2_AWS_37 | resource | aws_appautoscaling_target | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml |
| 960 | CKV2_AWS_37 | resource | aws_appmesh_mesh | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml |
| 961 | CKV2_AWS_37 | resource | aws_appmesh_route | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml |
| 962 | CKV2_AWS_37 | resource | aws_appmesh_virtual_node | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml |
| 963 | CKV2_AWS_37 | resource | aws_appmesh_virtual_router | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml |
| 964 | CKV2_AWS_37 | resource | aws_appmesh_virtual_service | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml |
| 965 | CKV2_AWS_37 | resource | aws_appsync_api_key | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml |
| 966 | CKV2_AWS_37 | resource | aws_appsync_datasource | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml |
| 967 | CKV2_AWS_37 | resource | aws_appsync_function | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml |
| 968 | CKV2_AWS_37 | resource | aws_appsync_graphql_api | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml |
| 969 | CKV2_AWS_37 | resource | aws_appsync_resolver | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml |
| 970 | CKV2_AWS_37 | resource | aws_athena_database | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml |
| 971 | CKV2_AWS_37 | resource | aws_athena_named_query | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml |
| 972 | CKV2_AWS_37 | resource | aws_athena_workgroup | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml |
| 973 | CKV2_AWS_37 | resource | aws_autoscaling_attachment | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml |
| 974 | CKV2_AWS_37 | resource | aws_autoscaling_group | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml |
| 975 | CKV2_AWS_37 | resource | aws_autoscaling_lifecycle_hook | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml |
| 976 | CKV2_AWS_37 | resource | aws_autoscaling_notification | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml |
| 977 | CKV2_AWS_37 | resource | aws_autoscaling_policy | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml |
| 978 | CKV2_AWS_37 | resource | aws_autoscaling_schedule | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml |
| 979 | CKV2_AWS_37 | resource | aws_backup_plan | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml |
| 980 | CKV2_AWS_37 | resource | aws_backup_selection | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml |
| 981 | CKV2_AWS_37 | resource | aws_backup_vault | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml |
| 982 | CKV2_AWS_37 | resource | aws_batch_compute_environment | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml |
| 983 | CKV2_AWS_37 | resource | aws_batch_job_definition | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml |
| 984 | CKV2_AWS_37 | resource | aws_batch_job_queue | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml |
| 985 | CKV2_AWS_37 | resource | aws_budgets_budget | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml |
| 986 | CKV2_AWS_37 | resource | aws_cloud9_environment_ec2 | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml |
987 |
CKV2_AWS_37 |
resource |
aws_cloudformation_stack |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
988 |
CKV2_AWS_37 |
resource |
aws_cloudformation_stack_set |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
989 |
CKV2_AWS_37 |
resource |
aws_cloudformation_stack_set_instance |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
990 |
CKV2_AWS_37 |
resource |
aws_cloudfront_distribution |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
991 |
CKV2_AWS_37 |
resource |
aws_cloudfront_origin_access_identity |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
992 |
CKV2_AWS_37 |
resource |
aws_cloudfront_public_key |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
993 |
CKV2_AWS_37 |
resource |
aws_cloudhsm_v2_cluster |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
994 |
CKV2_AWS_37 |
resource |
aws_cloudhsm_v2_hsm |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
995 |
CKV2_AWS_37 |
resource |
aws_cloudtrail |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
996 |
CKV2_AWS_37 |
resource |
aws_cloudwatch_dashboard |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
997 |
CKV2_AWS_37 |
resource |
aws_cloudwatch_event_permission |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
998 |
CKV2_AWS_37 |
resource |
aws_cloudwatch_event_rule |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
999 |
CKV2_AWS_37 |
resource |
aws_cloudwatch_event_target |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1000 |
CKV2_AWS_37 |
resource |
aws_cloudwatch_log_destination |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1001 |
CKV2_AWS_37 |
resource |
aws_cloudwatch_log_destination_policy |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1002 |
CKV2_AWS_37 |
resource |
aws_cloudwatch_log_group |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1003 |
CKV2_AWS_37 |
resource |
aws_cloudwatch_log_metric_filter |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1004 |
CKV2_AWS_37 |
resource |
aws_cloudwatch_log_resource_policy |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1005 |
CKV2_AWS_37 |
resource |
aws_cloudwatch_log_stream |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1006 |
CKV2_AWS_37 |
resource |
aws_cloudwatch_log_subscription_filter |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1007 |
CKV2_AWS_37 |
resource |
aws_cloudwatch_metric_alarm |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1008 |
CKV2_AWS_37 |
resource |
aws_codebuild_project |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1009 |
CKV2_AWS_37 |
resource |
aws_codebuild_source_credential |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1010 |
CKV2_AWS_37 |
resource |
aws_codebuild_webhook |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1011 |
CKV2_AWS_37 |
resource |
aws_codecommit_repository |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1012 |
CKV2_AWS_37 |
resource |
aws_codecommit_trigger |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1013 |
CKV2_AWS_37 |
resource |
aws_codedeploy_app |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1014 |
CKV2_AWS_37 |
resource |
aws_codedeploy_deployment_config |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1015 |
CKV2_AWS_37 |
resource |
aws_codedeploy_deployment_group |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1016 |
CKV2_AWS_37 |
resource |
aws_codepipeline |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1017 |
CKV2_AWS_37 |
resource |
aws_codepipeline_webhook |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1018 |
CKV2_AWS_37 |
resource |
aws_codestarnotifications_notification_rule |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1019 |
CKV2_AWS_37 |
resource |
aws_cognito_identity_pool |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1020 |
CKV2_AWS_37 |
resource |
aws_cognito_identity_pool_roles_attachment |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1021 |
CKV2_AWS_37 |
resource |
aws_cognito_identity_provider |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1022 |
CKV2_AWS_37 |
resource |
aws_cognito_resource_server |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1023 |
CKV2_AWS_37 |
resource |
aws_cognito_user_group |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1024 |
CKV2_AWS_37 |
resource |
aws_cognito_user_pool |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1025 |
CKV2_AWS_37 |
resource |
aws_cognito_user_pool_client |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1026 |
CKV2_AWS_37 |
resource |
aws_cognito_user_pool_domain |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1027 |
CKV2_AWS_37 |
resource |
aws_config_aggregate_authorization |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1028 |
CKV2_AWS_37 |
resource |
aws_config_config_rule |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1029 |
CKV2_AWS_37 |
resource |
aws_config_configuration_aggregator |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1030 |
CKV2_AWS_37 |
resource |
aws_config_configuration_recorder |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1031 |
CKV2_AWS_37 |
resource |
aws_config_configuration_recorder_status |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1032 |
CKV2_AWS_37 |
resource |
aws_config_delivery_channel |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1033 |
CKV2_AWS_37 |
resource |
aws_config_organization_custom_rule |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1034 |
CKV2_AWS_37 |
resource |
aws_config_organization_managed_rule |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1035 |
CKV2_AWS_37 |
resource |
aws_cur_report_definition |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1036 |
CKV2_AWS_37 |
resource |
aws_customer_gateway |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1037 |
CKV2_AWS_37 |
resource |
aws_datapipeline_pipeline |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1038 |
CKV2_AWS_37 |
resource |
aws_datasync_agent |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1039 |
CKV2_AWS_37 |
resource |
aws_datasync_location_efs |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1040 |
CKV2_AWS_37 |
resource |
aws_datasync_location_nfs |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1041 |
CKV2_AWS_37 |
resource |
aws_datasync_location_s3 |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1042 |
CKV2_AWS_37 |
resource |
aws_datasync_location_smb |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1043 |
CKV2_AWS_37 |
resource |
aws_datasync_task |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1044 |
CKV2_AWS_37 |
resource |
aws_dax_cluster |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1045 |
CKV2_AWS_37 |
resource |
aws_dax_parameter_group |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1046 |
CKV2_AWS_37 |
resource |
aws_dax_subnet_group |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1047 |
CKV2_AWS_37 |
resource |
aws_db_cluster_snapshot |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1048 |
CKV2_AWS_37 |
resource |
aws_db_event_subscription |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1049 |
CKV2_AWS_37 |
resource |
aws_db_instance |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1050 |
CKV2_AWS_37 |
resource |
aws_db_instance_role_association |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1051 |
CKV2_AWS_37 |
resource |
aws_db_option_group |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1052 |
CKV2_AWS_37 |
resource |
aws_db_parameter_group |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1053 |
CKV2_AWS_37 |
resource |
aws_db_security_group |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1054 |
CKV2_AWS_37 |
resource |
aws_db_snapshot |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1055 |
CKV2_AWS_37 |
resource |
aws_db_subnet_group |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1056 |
CKV2_AWS_37 |
resource |
aws_default_network_acl |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1057 |
CKV2_AWS_37 |
resource |
aws_default_route_table |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1058 |
CKV2_AWS_37 |
resource |
aws_default_security_group |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1059 |
CKV2_AWS_37 |
resource |
aws_default_subnet |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1060 |
CKV2_AWS_37 |
resource |
aws_default_vpc |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1061 |
CKV2_AWS_37 |
resource |
aws_default_vpc_dhcp_options |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1062 |
CKV2_AWS_37 |
resource |
aws_devicefarm_project |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1063 |
CKV2_AWS_37 |
resource |
aws_directory_service_conditional_forwarder |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1064 |
CKV2_AWS_37 |
resource |
aws_directory_service_directory |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1065 |
CKV2_AWS_37 |
resource |
aws_directory_service_log_subscription |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1066 |
CKV2_AWS_37 |
resource |
aws_dlm_lifecycle_policy |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1067 |
CKV2_AWS_37 |
resource |
aws_dms_certificate |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1068 |
CKV2_AWS_37 |
resource |
aws_dms_endpoint |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1069 |
CKV2_AWS_37 |
resource |
aws_dms_event_subscription |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1070 |
CKV2_AWS_37 |
resource |
aws_dms_replication_instance |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1071 |
CKV2_AWS_37 |
resource |
aws_dms_replication_subnet_group |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1072 |
CKV2_AWS_37 |
resource |
aws_dms_replication_task |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1073 |
CKV2_AWS_37 |
resource |
aws_docdb_cluster |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1074 |
CKV2_AWS_37 |
resource |
aws_docdb_cluster_instance |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1075 |
CKV2_AWS_37 |
resource |
aws_docdb_cluster_parameter_group |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1076 |
CKV2_AWS_37 |
resource |
aws_docdb_cluster_snapshot |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1077 |
CKV2_AWS_37 |
resource |
aws_docdb_subnet_group |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1078 |
CKV2_AWS_37 |
resource |
aws_dx_bgp_peer |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1079 |
CKV2_AWS_37 |
resource |
aws_dx_connection |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1080 |
CKV2_AWS_37 |
resource |
aws_dx_connection_association |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1081 |
CKV2_AWS_37 |
resource |
aws_dx_gateway |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1082 |
CKV2_AWS_37 |
resource |
aws_dx_gateway_association |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1083 |
CKV2_AWS_37 |
resource |
aws_dx_gateway_association_proposal |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1084 |
CKV2_AWS_37 |
resource |
aws_dx_hosted_private_virtual_interface |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1085 |
CKV2_AWS_37 |
resource |
aws_dx_hosted_private_virtual_interface_accepter |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1086 |
CKV2_AWS_37 |
resource |
aws_dx_hosted_public_virtual_interface |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1087 |
CKV2_AWS_37 |
resource |
aws_dx_hosted_public_virtual_interface_accepter |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1088 |
CKV2_AWS_37 |
resource |
aws_dx_hosted_transit_virtual_interface |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1089 |
CKV2_AWS_37 |
resource |
aws_dx_hosted_transit_virtual_interface_accepter |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1090 |
CKV2_AWS_37 |
resource |
aws_dx_lag |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1091 |
CKV2_AWS_37 |
resource |
aws_dx_private_virtual_interface |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1092 |
CKV2_AWS_37 |
resource |
aws_dx_public_virtual_interface |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1093 |
CKV2_AWS_37 |
resource |
aws_dx_transit_virtual_interface |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1094 |
CKV2_AWS_37 |
resource |
aws_dynamodb_global_table |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1095 |
CKV2_AWS_37 |
resource |
aws_dynamodb_table |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1096 |
CKV2_AWS_37 |
resource |
aws_dynamodb_table_item |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1097 |
CKV2_AWS_37 |
resource |
aws_ebs_default_kms_key |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1098 |
CKV2_AWS_37 |
resource |
aws_ebs_encryption_by_default |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1099 |
CKV2_AWS_37 |
resource |
aws_ebs_snapshot |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1100 |
CKV2_AWS_37 |
resource |
aws_ebs_snapshot_copy |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1101 |
CKV2_AWS_37 |
resource |
aws_ebs_volume |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1102 |
CKV2_AWS_37 |
resource |
aws_ec2_availability_zone_group |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1103 |
CKV2_AWS_37 |
resource |
aws_ec2_capacity_reservation |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1104 |
CKV2_AWS_37 |
resource |
aws_ec2_client_vpn_authorization_rule |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1105 |
CKV2_AWS_37 |
resource |
aws_ec2_client_vpn_endpoint |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1106 |
CKV2_AWS_37 |
resource |
aws_ec2_client_vpn_network_association |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1107 |
CKV2_AWS_37 |
resource |
aws_ec2_client_vpn_route |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1108 |
CKV2_AWS_37 |
resource |
aws_ec2_fleet |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1109 |
CKV2_AWS_37 |
resource |
aws_ec2_local_gateway_route |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1110 |
CKV2_AWS_37 |
resource |
aws_ec2_local_gateway_route_table_vpc_association |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1111 |
CKV2_AWS_37 |
resource |
aws_ec2_tag |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1112 |
CKV2_AWS_37 |
resource |
aws_ec2_traffic_mirror_filter |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1113 |
CKV2_AWS_37 |
resource |
aws_ec2_traffic_mirror_filter_rule |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1114 |
CKV2_AWS_37 |
resource |
aws_ec2_traffic_mirror_session |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1115 |
CKV2_AWS_37 |
resource |
aws_ec2_traffic_mirror_target |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1116 |
CKV2_AWS_37 |
resource |
aws_ec2_transit_gateway |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1117 |
CKV2_AWS_37 |
resource |
aws_ec2_transit_gateway_peering_attachment |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1118 |
CKV2_AWS_37 |
resource |
aws_ec2_transit_gateway_peering_attachment_accepter |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1119 |
CKV2_AWS_37 |
resource |
aws_ec2_transit_gateway_route |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1120 |
CKV2_AWS_37 |
resource |
aws_ec2_transit_gateway_route_table |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1121 |
CKV2_AWS_37 |
resource |
aws_ec2_transit_gateway_route_table_association |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1122 |
CKV2_AWS_37 |
resource |
aws_ec2_transit_gateway_route_table_propagation |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1123 |
CKV2_AWS_37 |
resource |
aws_ec2_transit_gateway_vpc_attachment |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1124 |
CKV2_AWS_37 |
resource |
aws_ec2_transit_gateway_vpc_attachment_accepter |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1125 |
CKV2_AWS_37 |
resource |
aws_ecr_lifecycle_policy |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1126 |
CKV2_AWS_37 |
resource |
aws_ecr_repository |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1127 |
CKV2_AWS_37 |
resource |
aws_ecr_repository_policy |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1128 |
CKV2_AWS_37 |
resource |
aws_ecs_capacity_provider |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1129 |
CKV2_AWS_37 |
resource |
aws_ecs_cluster |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1130 |
CKV2_AWS_37 |
resource |
aws_ecs_service |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1131 |
CKV2_AWS_37 |
resource |
aws_ecs_task_definition |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1132 |
CKV2_AWS_37 |
resource |
aws_efs_access_point |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1133 |
CKV2_AWS_37 |
resource |
aws_efs_file_system |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1134 |
CKV2_AWS_37 |
resource |
aws_efs_file_system_policy |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1135 |
CKV2_AWS_37 |
resource |
aws_efs_mount_target |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1136 |
CKV2_AWS_37 |
resource |
aws_egress_only_internet_gateway |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1137 |
CKV2_AWS_37 |
resource |
aws_eip |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1138 |
CKV2_AWS_37 |
resource |
aws_eip_association |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1139 |
CKV2_AWS_37 |
resource |
aws_eks_cluster |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1140 |
CKV2_AWS_37 |
resource |
aws_eks_fargate_profile |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1141 |
CKV2_AWS_37 |
resource |
aws_eks_node_group |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1142 |
CKV2_AWS_37 |
resource |
aws_elastic_beanstalk_application |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1143 |
CKV2_AWS_37 |
resource |
aws_elastic_beanstalk_application_version |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1144 |
CKV2_AWS_37 |
resource |
aws_elastic_beanstalk_configuration_template |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1145 |
CKV2_AWS_37 |
resource |
aws_elastic_beanstalk_environment |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1146 |
CKV2_AWS_37 |
resource |
aws_elasticache_cluster |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1147 |
CKV2_AWS_37 |
resource |
aws_elasticache_parameter_group |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1148 |
CKV2_AWS_37 |
resource |
aws_elasticache_replication_group |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1149 |
CKV2_AWS_37 |
resource |
aws_elasticache_security_group |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1150 |
CKV2_AWS_37 |
resource |
aws_elasticache_subnet_group |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1151 |
CKV2_AWS_37 |
resource |
aws_elasticsearch_domain |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1152 |
CKV2_AWS_37 |
resource |
aws_elasticsearch_domain_policy |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1153 |
CKV2_AWS_37 |
resource |
aws_elastictranscoder_pipeline |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1154 |
CKV2_AWS_37 |
resource |
aws_elastictranscoder_preset |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1155 |
CKV2_AWS_37 |
resource |
aws_elb |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1156 |
CKV2_AWS_37 |
resource |
aws_elb_attachment |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1157 |
CKV2_AWS_37 |
resource |
aws_emr_cluster |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1158 |
CKV2_AWS_37 |
resource |
aws_emr_instance_group |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1159 |
CKV2_AWS_37 |
resource |
aws_emr_security_configuration |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1160 |
CKV2_AWS_37 |
resource |
aws_flow_log |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1161 |
CKV2_AWS_37 |
resource |
aws_fms_admin_account |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1162 | CKV2_AWS_37 | resource | aws_fsx_lustre_file_system | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1163 | CKV2_AWS_37 | resource | aws_fsx_windows_file_system | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1164 | CKV2_AWS_37 | resource | aws_gamelift_alias | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1165 | CKV2_AWS_37 | resource | aws_gamelift_build | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1166 | CKV2_AWS_37 | resource | aws_gamelift_fleet | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1167 | CKV2_AWS_37 | resource | aws_gamelift_game_session_queue | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1168 | CKV2_AWS_37 | resource | aws_glacier_vault | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1169 | CKV2_AWS_37 | resource | aws_glacier_vault_lock | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1170 | CKV2_AWS_37 | resource | aws_globalaccelerator_accelerator | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1171 | CKV2_AWS_37 | resource | aws_globalaccelerator_endpoint_group | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1172 | CKV2_AWS_37 | resource | aws_globalaccelerator_listener | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1173 | CKV2_AWS_37 | resource | aws_glue_catalog_database | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1174 | CKV2_AWS_37 | resource | aws_glue_catalog_table | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1175 | CKV2_AWS_37 | resource | aws_glue_classifier | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1176 | CKV2_AWS_37 | resource | aws_glue_connection | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1177 | CKV2_AWS_37 | resource | aws_glue_crawler | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1178 | CKV2_AWS_37 | resource | aws_glue_job | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1179 | CKV2_AWS_37 | resource | aws_glue_security_configuration | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1180 | CKV2_AWS_37 | resource | aws_glue_trigger | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1181 | CKV2_AWS_37 | resource | aws_glue_workflow | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1182 | CKV2_AWS_37 | resource | aws_guardduty_detector | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1183 | CKV2_AWS_37 | resource | aws_guardduty_invite_accepter | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1184 | CKV2_AWS_37 | resource | aws_guardduty_ipset | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1185 | CKV2_AWS_37 | resource | aws_guardduty_member | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1186 | CKV2_AWS_37 | resource | aws_guardduty_organization_admin_account | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1187 | CKV2_AWS_37 | resource | aws_guardduty_organization_configuration | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1188 | CKV2_AWS_37 | resource | aws_guardduty_threatintelset | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1189 | CKV2_AWS_37 | resource | aws_iam_access_key | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1190 | CKV2_AWS_37 | resource | aws_iam_account_alias | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1191 | CKV2_AWS_37 | resource | aws_iam_account_password_policy | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1192 | CKV2_AWS_37 | resource | aws_iam_group | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1193 | CKV2_AWS_37 | resource | aws_iam_group_membership | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1194 | CKV2_AWS_37 | resource | aws_iam_group_policy | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1195 | CKV2_AWS_37 | resource | aws_iam_group_policy_attachment | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1196 | CKV2_AWS_37 | resource | aws_iam_instance_profile | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1197 | CKV2_AWS_37 | resource | aws_iam_openid_connect_provider | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1198 | CKV2_AWS_37 | resource | aws_iam_policy | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1199 | CKV2_AWS_37 | resource | aws_iam_policy_attachment | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1200 | CKV2_AWS_37 | resource | aws_iam_policy_document | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1201 | CKV2_AWS_37 | resource | aws_iam_role | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1202 | CKV2_AWS_37 | resource | aws_iam_role_policy | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1203 | CKV2_AWS_37 | resource | aws_iam_role_policy_attachment | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1204 | CKV2_AWS_37 | resource | aws_iam_saml_provider | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1205 | CKV2_AWS_37 | resource | aws_iam_server_certificate | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1206 | CKV2_AWS_37 | resource | aws_iam_service_linked_role | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1207 | CKV2_AWS_37 | resource | aws_iam_user | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1208 | CKV2_AWS_37 | resource | aws_iam_user_group_membership | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1209 | CKV2_AWS_37 | resource | aws_iam_user_login_profile | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1210 | CKV2_AWS_37 | resource | aws_iam_user_policy | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1211 | CKV2_AWS_37 | resource | aws_iam_user_policy_attachment | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1212 | CKV2_AWS_37 | resource | aws_iam_user_ssh_key | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1213 | CKV2_AWS_37 | resource | aws_inspector_assessment_target | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1214 | CKV2_AWS_37 | resource | aws_inspector_assessment_template | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1215 | CKV2_AWS_37 | resource | aws_inspector_resource_group | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1216 | CKV2_AWS_37 | resource | aws_instance | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1217 | CKV2_AWS_37 | resource | aws_internet_gateway | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1218 | CKV2_AWS_37 | resource | aws_iot_certificate | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1219 | CKV2_AWS_37 | resource | aws_iot_policy | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1220 | CKV2_AWS_37 | resource | aws_iot_policy_attachment | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1221 | CKV2_AWS_37 | resource | aws_iot_role_alias | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1222 | CKV2_AWS_37 | resource | aws_iot_thing | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1223 | CKV2_AWS_37 | resource | aws_iot_thing_principal_attachment | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1224 | CKV2_AWS_37 | resource | aws_iot_thing_type | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1225 | CKV2_AWS_37 | resource | aws_iot_topic_rule | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1226 | CKV2_AWS_37 | resource | aws_key_pair | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1227 | CKV2_AWS_37 | resource | aws_kinesis_analytics_application | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1228 | CKV2_AWS_37 | resource | aws_kinesis_firehose_delivery_stream | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1229 | CKV2_AWS_37 | resource | aws_kinesis_stream | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1230 | CKV2_AWS_37 | resource | aws_kinesis_video_stream | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1231 | CKV2_AWS_37 | resource | aws_kms_alias | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1232 | CKV2_AWS_37 | resource | aws_kms_ciphertext | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1233 | CKV2_AWS_37 | resource | aws_kms_external_key | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1234 | CKV2_AWS_37 | resource | aws_kms_grant | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1235 | CKV2_AWS_37 | resource | aws_kms_key | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1236 | CKV2_AWS_37 | resource | aws_lambda_alias | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1237 | CKV2_AWS_37 | resource | aws_lambda_event_source_mapping | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1238 | CKV2_AWS_37 | resource | aws_lambda_function | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1239 | CKV2_AWS_37 | resource | aws_lambda_function_event_invoke_config | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1240 | CKV2_AWS_37 | resource | aws_lambda_layer_version | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1241 | CKV2_AWS_37 | resource | aws_lambda_permission | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1242 | CKV2_AWS_37 | resource | aws_lambda_provisioned_concurrency_config | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1243 | CKV2_AWS_37 | resource | aws_launch_configuration | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1244 | CKV2_AWS_37 | resource | aws_launch_template | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1245 | CKV2_AWS_37 | resource | aws_lb | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1246 | CKV2_AWS_37 | resource | aws_lb_cookie_stickiness_policy | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1247 | CKV2_AWS_37 | resource | aws_lb_listener | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1248 | CKV2_AWS_37 | resource | aws_lb_listener_certificate | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1249 | CKV2_AWS_37 | resource | aws_lb_listener_rule | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1250 | CKV2_AWS_37 | resource | aws_lb_ssl_negotiation_policy | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1251 | CKV2_AWS_37 | resource | aws_lb_target_group | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1252 | CKV2_AWS_37 | resource | aws_lb_target_group_attachment | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1253 | CKV2_AWS_37 | resource | aws_licensemanager_association | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1254 | CKV2_AWS_37 | resource | aws_licensemanager_license_configuration | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1255 | CKV2_AWS_37 | resource | aws_lightsail_domain | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1256 | CKV2_AWS_37 | resource | aws_lightsail_instance | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1257 | CKV2_AWS_37 | resource | aws_lightsail_key_pair | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1258 | CKV2_AWS_37 | resource | aws_lightsail_static_ip | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1259 | CKV2_AWS_37 | resource | aws_lightsail_static_ip_attachment | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1260 | CKV2_AWS_37 | resource | aws_load_balancer_backend_server_policy | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1261 | CKV2_AWS_37 | resource | aws_load_balancer_listener_policy | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1262 | CKV2_AWS_37 | resource | aws_load_balancer_policy | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1263 | CKV2_AWS_37 | resource | aws_macie_member_account_association | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1264 | CKV2_AWS_37 | resource | aws_macie_s3_bucket_association | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1265 | CKV2_AWS_37 | resource | aws_main_route_table_association | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1266 | CKV2_AWS_37 | resource | aws_media_convert_queue | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1267 | CKV2_AWS_37 | resource | aws_media_package_channel | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1268 | CKV2_AWS_37 | resource | aws_media_store_container | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1269 | CKV2_AWS_37 | resource | aws_media_store_container_policy | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1270 | CKV2_AWS_37 | resource | aws_mq_broker | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1271 | CKV2_AWS_37 | resource | aws_mq_configuration | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1272 | CKV2_AWS_37 | resource | aws_msk_cluster | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1273 | CKV2_AWS_37 | resource | aws_msk_configuration | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1274 | CKV2_AWS_37 | resource | aws_nat_gateway | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1275 | CKV2_AWS_37 | resource | aws_neptune_cluster | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1276 | CKV2_AWS_37 | resource | aws_neptune_cluster_instance | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1277 | CKV2_AWS_37 | resource | aws_neptune_cluster_parameter_group | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1278 | CKV2_AWS_37 | resource | aws_neptune_cluster_snapshot | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1279 | CKV2_AWS_37 | resource | aws_neptune_event_subscription | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1280 | CKV2_AWS_37 | resource | aws_neptune_parameter_group | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1281 | CKV2_AWS_37 | resource | aws_neptune_subnet_group | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1282 | CKV2_AWS_37 | resource | aws_network_acl | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1283 | CKV2_AWS_37 | resource | aws_network_acl_rule | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1284 | CKV2_AWS_37 | resource | aws_network_interface | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1285 | CKV2_AWS_37 | resource | aws_network_interface_attachment | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1286 | CKV2_AWS_37 | resource | aws_network_interface_sg_attachment | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1287 | CKV2_AWS_37 | resource | aws_opsworks_application | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1288 | CKV2_AWS_37 | resource | aws_opsworks_custom_layer | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1289 | CKV2_AWS_37 | resource | aws_opsworks_ganglia_layer | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1290 | CKV2_AWS_37 | resource | aws_opsworks_haproxy_layer | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1291 | CKV2_AWS_37 | resource | aws_opsworks_instance | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1292 | CKV2_AWS_37 | resource | aws_opsworks_java_app_layer | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1293 | CKV2_AWS_37 | resource | aws_opsworks_memcached_layer | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1294 | CKV2_AWS_37 | resource | aws_opsworks_mysql_layer | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1295 | CKV2_AWS_37 | resource | aws_opsworks_nodejs_app_layer | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1296 | CKV2_AWS_37 | resource | aws_opsworks_permission | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1297 | CKV2_AWS_37 | resource | aws_opsworks_php_app_layer | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1298 | CKV2_AWS_37 | resource | aws_opsworks_rails_app_layer | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1299 | CKV2_AWS_37 | resource | aws_opsworks_rds_db_instance | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1300 | CKV2_AWS_37 | resource | aws_opsworks_stack | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1301 | CKV2_AWS_37 | resource | aws_opsworks_static_web_layer | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1302 | CKV2_AWS_37 | resource | aws_opsworks_user_profile | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1303 | CKV2_AWS_37 | resource | aws_organizations_account | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1304 | CKV2_AWS_37 | resource | aws_organizations_organization | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1305 | CKV2_AWS_37 | resource | aws_organizations_organizational_unit | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1306 | CKV2_AWS_37 | resource | aws_organizations_policy | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1307 | CKV2_AWS_37 | resource | aws_organizations_policy_attachment | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1308 | CKV2_AWS_37 | resource | aws_pinpoint_adm_channel | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1309 | CKV2_AWS_37 | resource | aws_pinpoint_apns_channel | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1310 | CKV2_AWS_37 | resource | aws_pinpoint_apns_sandbox_channel | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1311 | CKV2_AWS_37 | resource | aws_pinpoint_apns_voip_channel | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1312 | CKV2_AWS_37 | resource | aws_pinpoint_apns_voip_sandbox_channel | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1313 | CKV2_AWS_37 | resource | aws_pinpoint_app | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1314 | CKV2_AWS_37 | resource | aws_pinpoint_baidu_channel | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1315 | CKV2_AWS_37 | resource | aws_pinpoint_email_channel | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1316 | CKV2_AWS_37 | resource | aws_pinpoint_event_stream | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1317 | CKV2_AWS_37 | resource | aws_pinpoint_gcm_channel | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1318 | CKV2_AWS_37 | resource | aws_pinpoint_sms_channel | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1319 | CKV2_AWS_37 | resource | aws_placement_group | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1320 | CKV2_AWS_37 | resource | aws_proxy_protocol_policy | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1321 | CKV2_AWS_37 | resource | aws_qldb_ledger | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1322 | CKV2_AWS_37 | resource | aws_quicksight_group | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1323 | CKV2_AWS_37 | resource | aws_quicksight_user | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1324 | CKV2_AWS_37 | resource | aws_ram_principal_association | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1325 | CKV2_AWS_37 | resource | aws_ram_resource_association | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1326 | CKV2_AWS_37 | resource | aws_ram_resource_share | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1327 | CKV2_AWS_37 | resource | aws_ram_resource_share_accepter | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1328 | CKV2_AWS_37 | resource | aws_rds_cluster | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1329 | CKV2_AWS_37 | resource | aws_rds_cluster_endpoint | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1330 | CKV2_AWS_37 | resource | aws_rds_cluster_instance | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1331 | CKV2_AWS_37 | resource | aws_rds_cluster_parameter_group | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1332 | CKV2_AWS_37 | resource | aws_rds_global_cluster | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1333 | CKV2_AWS_37 | resource | aws_redshift_cluster | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1334 | CKV2_AWS_37 | resource | aws_redshift_event_subscription | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1335 | CKV2_AWS_37 | resource | aws_redshift_parameter_group | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1336 | CKV2_AWS_37 | resource | aws_redshift_security_group | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1337 | CKV2_AWS_37 | resource | aws_redshift_snapshot_copy_grant | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1338 | CKV2_AWS_37 | resource | aws_redshift_snapshot_schedule | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1339 | CKV2_AWS_37 | resource | aws_redshift_snapshot_schedule_association | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1340 | CKV2_AWS_37 | resource | aws_redshift_subnet_group | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1341 | CKV2_AWS_37 | resource | aws_resourcegroups_group | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1342 | CKV2_AWS_37 | resource | aws_root | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1343 | CKV2_AWS_37 | resource | aws_root_access_key | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1344 | CKV2_AWS_37 | resource | aws_route | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1345 | CKV2_AWS_37 | resource | aws_route53_delegation_set | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1346 | CKV2_AWS_37 | resource | aws_route53_health_check | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1347 | CKV2_AWS_37 | resource | aws_route53_query_log | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1348 | CKV2_AWS_37 | resource | aws_route53_record | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1349 | CKV2_AWS_37 | resource | aws_route53_resolver_endpoint | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1350 | CKV2_AWS_37 | resource | aws_route53_resolver_rule | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1351 | CKV2_AWS_37 | resource | aws_route53_resolver_rule_association | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1352 | CKV2_AWS_37 | resource | aws_route53_vpc_association_authorization | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1353 | CKV2_AWS_37 | resource | aws_route53_zone | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1354 | CKV2_AWS_37 | resource | aws_route53_zone_association | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1355 | CKV2_AWS_37 | resource | aws_route_table | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1356 | CKV2_AWS_37 | resource | aws_route_table_association | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1357 | CKV2_AWS_37 | resource | aws_s3_access_point | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1358 | CKV2_AWS_37 | resource | aws_s3_account_public_access_block | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1359 | CKV2_AWS_37 | resource | aws_s3_bucket | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1360 | CKV2_AWS_37 | resource | aws_s3_bucket_analytics_configuration | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1361 | CKV2_AWS_37 | resource | aws_s3_bucket_inventory | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1362 | CKV2_AWS_37 | resource | aws_s3_bucket_metric | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1363 | CKV2_AWS_37 | resource | aws_s3_bucket_notification | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1364 | CKV2_AWS_37 | resource | aws_s3_bucket_object | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1365 | CKV2_AWS_37 | resource | aws_s3_bucket_policy | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1366 | CKV2_AWS_37 | resource | aws_s3_bucket_public_access_block | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1367 | CKV2_AWS_37 | resource | aws_sagemaker_endpoint | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1368 | CKV2_AWS_37 | resource | aws_sagemaker_endpoint_configuration | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1369 | CKV2_AWS_37 | resource | aws_sagemaker_model | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1370 | CKV2_AWS_37 | resource | aws_sagemaker_notebook_instance | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1371 | CKV2_AWS_37 | resource | aws_sagemaker_notebook_instance_lifecycle_configuration | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1372 | CKV2_AWS_37 | resource | aws_secretsmanager_secret | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1373 | CKV2_AWS_37 | resource | aws_secretsmanager_secret_rotation | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1374 | CKV2_AWS_37 | resource | aws_secretsmanager_secret_version | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1375 | CKV2_AWS_37 | resource | aws_security_group | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1376 | CKV2_AWS_37 | resource | aws_security_group_rule | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1377 | CKV2_AWS_37 | resource | aws_securityhub_account | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1378 | CKV2_AWS_37 | resource | aws_securityhub_member | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1379 | CKV2_AWS_37 | resource | aws_securityhub_product_subscription | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1380 | CKV2_AWS_37 | resource | aws_securityhub_standards_subscription | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1381 | CKV2_AWS_37 | resource | aws_service_discovery_http_namespace | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1382 | CKV2_AWS_37 | resource | aws_service_discovery_private_dns_namespace | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1383 | CKV2_AWS_37 | resource | aws_service_discovery_public_dns_namespace | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1384 | CKV2_AWS_37 | resource | aws_service_discovery_service | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1385 | CKV2_AWS_37 | resource | aws_servicecatalog_portfolio | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1386 | CKV2_AWS_37 | resource | aws_servicequotas_service_quota | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1387 | CKV2_AWS_37 | resource | aws_ses_active_receipt_rule_set | Ensure CodeCommit associates an approval rule | Terraform | CodecommitApprovalRulesAttached.yaml
1388 |
CKV2_AWS_37 |
resource |
aws_ses_configuration_set |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1389 |
CKV2_AWS_37 |
resource |
aws_ses_domain_dkim |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1390 |
CKV2_AWS_37 |
resource |
aws_ses_domain_identity |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1391 |
CKV2_AWS_37 |
resource |
aws_ses_domain_identity_verification |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1392 |
CKV2_AWS_37 |
resource |
aws_ses_domain_mail_from |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1393 |
CKV2_AWS_37 |
resource |
aws_ses_email_identity |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1394 |
CKV2_AWS_37 |
resource |
aws_ses_event_destination |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1395 |
CKV2_AWS_37 |
resource |
aws_ses_identity_notification_topic |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1396 |
CKV2_AWS_37 |
resource |
aws_ses_identity_policy |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1397 |
CKV2_AWS_37 |
resource |
aws_ses_receipt_filter |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1398 |
CKV2_AWS_37 |
resource |
aws_ses_receipt_rule |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1399 |
CKV2_AWS_37 |
resource |
aws_ses_receipt_rule_set |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1400 |
CKV2_AWS_37 |
resource |
aws_ses_template |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1401 |
CKV2_AWS_37 |
resource |
aws_sfn_activity |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1402 |
CKV2_AWS_37 |
resource |
aws_sfn_state_machine |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1403 |
CKV2_AWS_37 |
resource |
aws_shield_protection |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1404 |
CKV2_AWS_37 |
resource |
aws_simpledb_domain |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1405 |
CKV2_AWS_37 |
resource |
aws_snapshot_create_volume_permission |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1406 |
CKV2_AWS_37 |
resource |
aws_sns_platform_application |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1407 |
CKV2_AWS_37 |
resource |
aws_sns_sms_preferences |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1408 |
CKV2_AWS_37 |
resource |
aws_sns_topic |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1409 |
CKV2_AWS_37 |
resource |
aws_sns_topic_policy |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1410 |
CKV2_AWS_37 |
resource |
aws_sns_topic_subscription |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1411 |
CKV2_AWS_37 |
resource |
aws_spot_datafeed_subscription |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1412 |
CKV2_AWS_37 |
resource |
aws_spot_fleet_request |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1413 |
CKV2_AWS_37 |
resource |
aws_spot_instance_request |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1414 |
CKV2_AWS_37 |
resource |
aws_sqs_queue |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1415 |
CKV2_AWS_37 |
resource |
aws_sqs_queue_policy |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1416 |
CKV2_AWS_37 |
resource |
aws_ssm_activation |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1417 |
CKV2_AWS_37 |
resource |
aws_ssm_association |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1418 |
CKV2_AWS_37 |
resource |
aws_ssm_document |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1419 |
CKV2_AWS_37 |
resource |
aws_ssm_maintenance_window |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1420 |
CKV2_AWS_37 |
resource |
aws_ssm_maintenance_window_target |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1421 |
CKV2_AWS_37 |
resource |
aws_ssm_maintenance_window_task |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1422 |
CKV2_AWS_37 |
resource |
aws_ssm_parameter |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1423 |
CKV2_AWS_37 |
resource |
aws_ssm_patch_baseline |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1424 |
CKV2_AWS_37 |
resource |
aws_ssm_patch_group |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1425 |
CKV2_AWS_37 |
resource |
aws_ssm_resource_data_sync |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1426 |
CKV2_AWS_37 |
resource |
aws_storagegateway_cache |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1427 |
CKV2_AWS_37 |
resource |
aws_storagegateway_cached_iscsi_volume |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1428 |
CKV2_AWS_37 |
resource |
aws_storagegateway_gateway |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1429 |
CKV2_AWS_37 |
resource |
aws_storagegateway_nfs_file_share |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1430 |
CKV2_AWS_37 |
resource |
aws_storagegateway_smb_file_share |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1431 |
CKV2_AWS_37 |
resource |
aws_storagegateway_upload_buffer |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1432 |
CKV2_AWS_37 |
resource |
aws_storagegateway_working_storage |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1433 |
CKV2_AWS_37 |
resource |
aws_subnet |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1434 |
CKV2_AWS_37 |
resource |
aws_swf_domain |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1435 |
CKV2_AWS_37 |
resource |
aws_transfer_server |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1436 |
CKV2_AWS_37 |
resource |
aws_transfer_ssh_key |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1437 |
CKV2_AWS_37 |
resource |
aws_transfer_user |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1438 |
CKV2_AWS_37 |
resource |
aws_volume_attachment |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1439 |
CKV2_AWS_37 |
resource |
aws_vpc |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1440 |
CKV2_AWS_37 |
resource |
aws_vpc_dhcp_options |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1441 |
CKV2_AWS_37 |
resource |
aws_vpc_dhcp_options_association |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1442 |
CKV2_AWS_37 |
resource |
aws_vpc_endpoint |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1443 |
CKV2_AWS_37 |
resource |
aws_vpc_endpoint_connection_notification |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1444 |
CKV2_AWS_37 |
resource |
aws_vpc_endpoint_route_table_association |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1445 |
CKV2_AWS_37 |
resource |
aws_vpc_endpoint_service |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1446 |
CKV2_AWS_37 |
resource |
aws_vpc_endpoint_service_allowed_principal |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1447 |
CKV2_AWS_37 |
resource |
aws_vpc_endpoint_subnet_association |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1448 |
CKV2_AWS_37 |
resource |
aws_vpc_ipv4_cidr_block_association |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1449 |
CKV2_AWS_37 |
resource |
aws_vpc_peering_connection |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1450 |
CKV2_AWS_37 |
resource |
aws_vpc_peering_connection_accepter |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1451 |
CKV2_AWS_37 |
resource |
aws_vpc_peering_connection_options |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1452 |
CKV2_AWS_37 |
resource |
aws_vpn_connection |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1453 |
CKV2_AWS_37 |
resource |
aws_vpn_connection_route |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1454 |
CKV2_AWS_37 |
resource |
aws_vpn_gateway |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1455 |
CKV2_AWS_37 |
resource |
aws_vpn_gateway_attachment |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1456 |
CKV2_AWS_37 |
resource |
aws_vpn_gateway_route_propagation |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1457 |
CKV2_AWS_37 |
resource |
aws_waf_byte_match_set |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1458 |
CKV2_AWS_37 |
resource |
aws_waf_geo_match_set |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1459 |
CKV2_AWS_37 |
resource |
aws_waf_ipset |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1460 |
CKV2_AWS_37 |
resource |
aws_waf_rate_based_rule |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1461 |
CKV2_AWS_37 |
resource |
aws_waf_regex_match_set |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1462 |
CKV2_AWS_37 |
resource |
aws_waf_regex_pattern_set |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1463 |
CKV2_AWS_37 |
resource |
aws_waf_rule |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1464 |
CKV2_AWS_37 |
resource |
aws_waf_rule_group |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1465 |
CKV2_AWS_37 |
resource |
aws_waf_size_constraint_set |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1466 |
CKV2_AWS_37 |
resource |
aws_waf_sql_injection_match_set |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1467 |
CKV2_AWS_37 |
resource |
aws_waf_web_acl |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1468 |
CKV2_AWS_37 |
resource |
aws_waf_xss_match_set |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1469 |
CKV2_AWS_37 |
resource |
aws_wafregional_byte_match_set |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1470 |
CKV2_AWS_37 |
resource |
aws_wafregional_geo_match_set |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1471 |
CKV2_AWS_37 |
resource |
aws_wafregional_ipset |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1472 |
CKV2_AWS_37 |
resource |
aws_wafregional_rate_based_rule |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1473 |
CKV2_AWS_37 |
resource |
aws_wafregional_regex_match_set |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1474 |
CKV2_AWS_37 |
resource |
aws_wafregional_regex_pattern_set |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1475 |
CKV2_AWS_37 |
resource |
aws_wafregional_rule |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1476 |
CKV2_AWS_37 |
resource |
aws_wafregional_rule_group |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1477 |
CKV2_AWS_37 |
resource |
aws_wafregional_size_constraint_set |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1478 |
CKV2_AWS_37 |
resource |
aws_wafregional_sql_injection_match_set |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1479 |
CKV2_AWS_37 |
resource |
aws_wafregional_web_acl |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1480 |
CKV2_AWS_37 |
resource |
aws_wafregional_web_acl_association |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1481 |
CKV2_AWS_37 |
resource |
aws_wafregional_xss_match_set |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1482 |
CKV2_AWS_37 |
resource |
aws_wafv2_ip_set |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1483 |
CKV2_AWS_37 |
resource |
aws_wafv2_regex_pattern_set |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1484 |
CKV2_AWS_37 |
resource |
aws_wafv2_rule_group |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1485 |
CKV2_AWS_37 |
resource |
aws_wafv2_web_acl |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1486 |
CKV2_AWS_37 |
resource |
aws_wafv2_web_acl_association |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1487 |
CKV2_AWS_37 |
resource |
aws_wafv2_web_acl_logging_configuration |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1488 |
CKV2_AWS_37 |
resource |
aws_worklink_fleet |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1489 |
CKV2_AWS_37 |
resource |
aws_worklink_website_certificate_authority_association |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1490 |
CKV2_AWS_37 |
resource |
aws_workspaces_directory |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1491 |
CKV2_AWS_37 |
resource |
aws_workspaces_ip_group |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1492 |
CKV2_AWS_37 |
resource |
aws_workspaces_workspace |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1493 |
CKV2_AWS_37 |
resource |
aws_xray_sampling_rule |
Ensure CodeCommit associates an approval rule |
Terraform |
CodecommitApprovalRulesAttached.yaml |
1494 |
CKV2_AWS_38 |
resource |
aws_route53_zone |
Ensure Domain Name System Security Extensions (DNSSEC) signing is enabled for Amazon Route 53 public hosted zones |
Terraform |
Route53ZoneEnableDNSSECSigning.yaml |
1495 |
CKV2_AWS_39 |
resource |
aws_route53_zone |
Ensure Domain Name System (DNS) query logging is enabled for Amazon Route 53 hosted zones |
Terraform |
Route53ZoneHasMatchingQueryLog.yaml |
1496 |
CKV2_AWS_40 |
resource |
aws_iam_group_policy |
Ensure AWS IAM policy does not allow full IAM privileges |
Terraform |
IAMPolicyNotAllowFullIAMAccess.yaml |
1497 |
CKV2_AWS_40 |
resource |
aws_iam_policy |
Ensure AWS IAM policy does not allow full IAM privileges |
Terraform |
IAMPolicyNotAllowFullIAMAccess.yaml |
1498 |
CKV2_AWS_40 |
resource |
aws_iam_role_policy |
Ensure AWS IAM policy does not allow full IAM privileges |
Terraform |
IAMPolicyNotAllowFullIAMAccess.yaml |
1499 |
CKV2_AWS_40 |
resource |
aws_iam_user_policy |
Ensure AWS IAM policy does not allow full IAM privileges |
Terraform |
IAMPolicyNotAllowFullIAMAccess.yaml |
1500 |
CKV2_AWS_40 |
resource |
aws_ssoadmin_permission_set_inline_policy |
Ensure AWS IAM policy does not allow full IAM privileges |
Terraform |
IAMPolicyNotAllowFullIAMAccess.yaml |
1501 |
CKV2_AWS_40 |
resource |
data.aws_iam_policy_document |
Ensure AWS IAM policy does not allow full IAM privileges |
Terraform |
IAMPolicyNotAllowFullIAMAccess.yaml |
1502 |
CKV2_AWS_41 |
resource |
aws_instance |
Ensure an IAM role is attached to EC2 instance |
Terraform |
EC2InstanceHasIAMRoleAttached.yaml |
1503 |
CKV2_AWS_42 |
resource |
aws_cloudfront_distribution |
Ensure AWS CloudFront distribution uses custom SSL certificate |
Terraform |
CloudFrontHasCustomSSLCertificate.yaml |
1504 |
CKV2_AWS_43 |
resource |
aws_s3_bucket_acl |
Ensure S3 Bucket does not allow access to all Authenticated users |
Terraform |
S3NotAllowAccessToAllAuthenticatedUsers.yaml |
1505 |
CKV2_AWS_44 |
resource |
aws_route |
Ensure AWS route table with VPC peering does not contain routes overly permissive to all traffic |
Terraform |
VPCPeeringRouteTableOverlyPermissive.yaml |
1506 |
CKV2_AWS_44 |
resource |
aws_route_table |
Ensure AWS route table with VPC peering does not contain routes overly permissive to all traffic |
Terraform |
VPCPeeringRouteTableOverlyPermissive.yaml |
1507 |
CKV2_AWS_45 |
resource |
aws_config_configuration_recorder |
Ensure AWS Config recorder is enabled to record all supported resources |
Terraform |
AWSConfigRecorderEnabled.yaml |
1508 |
CKV2_AWS_45 |
resource |
aws_config_configuration_recorder_status |
Ensure AWS Config recorder is enabled to record all supported resources |
Terraform |
AWSConfigRecorderEnabled.yaml |
1509 |
CKV2_AWS_46 |
resource |
aws_cloudfront_distribution |
Ensure AWS CloudFront Distribution with S3 have Origin Access set to enabled |
Terraform |
CLoudFrontS3OriginConfigWithOAI.yaml |
1510 |
CKV2_AWS_47 |
resource |
aws_cloudfront_distribution |
Ensure AWS CloudFront attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability |
Terraform |
CloudFrontWebACLConfiguredWIthLog4jVulnerability.yaml |
1511 |
CKV2_AWS_47 |
resource |
aws_wafv2_web_acl |
Ensure AWS CloudFront attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability |
Terraform |
CloudFrontWebACLConfiguredWIthLog4jVulnerability.yaml |
1512 |
CKV2_AWS_48 |
resource |
aws_config_configuration_recorder |
Ensure AWS Config must record all possible resources |
Terraform |
ConfigRecorderRecordsAllGlobalResources.yaml |
1513 |
CKV2_AWS_49 |
resource |
aws_dms_endpoint |
Ensure AWS Database Migration Service endpoints have SSL configured |
Terraform |
DMSEndpointHaveSSLConfigured.yaml |
1514 |
CKV2_AWS_50 |
resource |
aws_elasticache_replication_group |
Ensure AWS ElastiCache Redis cluster with Multi-AZ Automatic Failover feature set to enabled |
Terraform |
ElastiCacheRedisConfiguredAutomaticFailOver.yaml |
1515 |
CKV2_AWS_51 |
resource |
aws_api_gateway_stage |
Ensure AWS API Gateway endpoints uses client certificate authentication |
Terraform |
APIGatewayEndpointsUsesCertificateForAuthentication.yaml |
1516 |
CKV2_AWS_51 |
resource |
aws_apigatewayv2_api |
Ensure AWS API Gateway endpoints uses client certificate authentication |
Terraform |
APIGatewayEndpointsUsesCertificateForAuthentication.yaml |
1517 |
CKV2_AWS_51 |
resource |
aws_apigatewayv2_stage |
Ensure AWS API Gateway endpoints uses client certificate authentication |
Terraform |
APIGatewayEndpointsUsesCertificateForAuthentication.yaml |
1518 |
CKV2_AWS_52 |
resource |
aws_elasticsearch_domain |
Ensure AWS ElasticSearch/OpenSearch Fine-grained access control is enabled |
Terraform |
OpenSearchDomainHasFineGrainedControl.yaml |
1519 |
CKV2_AWS_52 |
resource |
aws_opensearch_domain |
Ensure AWS ElasticSearch/OpenSearch Fine-grained access control is enabled |
Terraform |
OpenSearchDomainHasFineGrainedControl.yaml |
1520 |
CKV2_AWS_53 |
resource |
aws_api_gateway_method |
Ensure AWS API gateway request is validated |
Terraform |
APIGatewayRequestParameterValidationEnabled.yaml |
1521 |
CKV2_AWS_54 |
resource |
aws_cloudfront_distribution |
Ensure AWS CloudFront distribution is using secure SSL protocols for HTTPS communication |
Terraform |
CloudFrontUsesSecureProtocolsForHTTPS.yaml |
1522 |
CKV2_AWS_55 |
resource |
aws_emr_cluster |
Ensure AWS EMR cluster is configured with security configuration |
Terraform |
EMRClusterHasSecurityConfiguration.yaml |
1523 |
CKV2_AWS_56 |
resource |
aws_iam_group_policy_attachment |
Ensure AWS Managed IAMFullAccess IAM policy is not used. |
Terraform |
IAMManagedIAMFullAccessPolicy.yaml |
1524 |
CKV2_AWS_56 |
resource |
aws_iam_policy_attachment |
Ensure AWS Managed IAMFullAccess IAM policy is not used. |
Terraform |
IAMManagedIAMFullAccessPolicy.yaml |
1525 |
CKV2_AWS_56 |
resource |
aws_iam_role |
Ensure AWS Managed IAMFullAccess IAM policy is not used. |
Terraform |
IAMManagedIAMFullAccessPolicy.yaml |
1526 |
CKV2_AWS_56 |
resource |
aws_iam_role_policy_attachment |
Ensure AWS Managed IAMFullAccess IAM policy is not used. |
Terraform |
IAMManagedIAMFullAccessPolicy.yaml |
1527 |
CKV2_AWS_56 |
resource |
aws_iam_user_policy_attachment |
Ensure AWS Managed IAMFullAccess IAM policy is not used. |
Terraform |
IAMManagedIAMFullAccessPolicy.yaml |
1528 |
CKV2_AWS_56 |
resource |
aws_ssoadmin_managed_policy_attachment |
Ensure AWS Managed IAMFullAccess IAM policy is not used. |
Terraform |
IAMManagedIAMFullAccessPolicy.yaml |
1529 |
CKV2_AWS_56 |
resource |
data.aws_iam_policy |
Ensure AWS Managed IAMFullAccess IAM policy is not used. |
Terraform |
IAMManagedIAMFullAccessPolicy.yaml |
1530 |
CKV2_AWS_57 |
resource |
aws_secretsmanager_secret |
Ensure Secrets Manager secrets should have automatic rotation enabled |
Terraform |
SecretsAreRotated.yaml |
1531 |
CKV2_AWS_58 |
resource |
aws_neptune_cluster |
Ensure AWS Neptune cluster deletion protection is enabled |
Terraform |
NeptuneDeletionProtectionEnabled.yaml |
1532 |
CKV2_AWS_59 |
resource |
aws_elasticsearch_domain |
Ensure ElasticSearch/OpenSearch has dedicated master node enabled |
Terraform |
ElasticSearchDedicatedMasterEnabled.yaml |
1533 |
CKV2_AWS_59 |
resource |
aws_opensearch_domain |
Ensure ElasticSearch/OpenSearch has dedicated master node enabled |
Terraform |
ElasticSearchDedicatedMasterEnabled.yaml |
1534 |
CKV2_AWS_60 |
resource |
aws_db_instance |
Ensure RDS instance with copy tags to snapshots is enabled |
Terraform |
RDSEnableCopyTagsToSnapshot.yaml |
1535 |
CKV2_AWS_61 |
resource |
aws_s3_bucket |
Ensure that an S3 bucket has a lifecycle configuration |
Terraform |
S3BucketLifecycle.yaml |
1536 |
CKV2_AWS_62 |
resource |
aws_s3_bucket |
Ensure S3 buckets should have event notifications enabled |
Terraform |
S3BucketEventNotifications.yaml |
1537 |
CKV2_AWS_63 |
resource |
aws_networkfirewall_firewall |
Ensure Network firewall has logging configuration defined |
Terraform |
NetworkFirewallHasLogging.yaml |
1538 |
CKV2_AWS_64 |
resource |
aws_kms_key |
Ensure KMS key Policy is defined |
Terraform |
KmsKeyPolicyIsDefined.yaml |
1539 |
CKV2_AWS_65 |
resource |
aws_s3_bucket_ownership_controls |
Ensure access control lists for S3 buckets are disabled |
Terraform |
AWSdisableS3ACL.yaml |
1540 |
CKV2_AWS_66 |
resource |
aws_mwaa_environment |
Ensure MWAA environment is not publicly accessible |
Terraform |
AWS_private_MWAA_environment.yaml |
1541 |
CKV2_AWS_68 |
resource |
AWS::IAM::Role |
Ensure SageMaker notebook instance IAM policy is not overly permissive |
Cloudformation |
SageMakerIAMPolicyOverlyPermissiveToAllTraffic.yaml |
1542 |
CKV2_AWS_68 |
resource |
AWS::SageMaker::NotebookInstance |
Ensure SageMaker notebook instance IAM policy is not overly permissive |
Cloudformation |
SageMakerIAMPolicyOverlyPermissiveToAllTraffic.yaml |
1543 |
CKV2_AWS_68 |
resource |
aws_iam_role |
Ensure SageMaker notebook instance IAM policy is not overly permissive |
Terraform |
SageMakerIAMPolicyOverlyPermissiveToAllTraffic.yaml |
1544 |
CKV2_AWS_68 |
resource |
aws_sagemaker_notebook_instance |
Ensure SageMaker notebook instance IAM policy is not overly permissive |
Terraform |
SageMakerIAMPolicyOverlyPermissiveToAllTraffic.yaml |
1545 |
CKV2_AWS_69 |
resource |
AWS::RDS::DBInstance |
Ensure AWS RDS database instance configured with encryption in transit |
Cloudformation |
RDSEncryptionInTransit.yaml |
1546 |
CKV2_AWS_69 |
resource |
AWS::RDS::DBParameterGroup |
Ensure AWS RDS database instance configured with encryption in transit |
Cloudformation |
RDSEncryptionInTransit.yaml |
1547 |
CKV2_AWS_69 |
resource |
aws_db_instance |
Ensure AWS RDS database instance configured with encryption in transit |
Terraform |
RDSEncryptionInTransit.yaml |
1548 |
CKV2_AWS_69 |
resource |
aws_db_parameter_group |
Ensure AWS RDS database instance configured with encryption in transit |
Terraform |
RDSEncryptionInTransit.yaml |
1549 |
CKV2_AWS_70 |
resource |
aws_api_gateway_method |
Ensure API gateway method has authorization or API key set |
Terraform |
APIGatewayMethodWOAuth.py |
1550 |
CKV2_AWS_71 |
resource |
AWS::CertificateManager::Certificate |
Ensure AWS ACM Certificate domain name does not include wildcards |
Cloudformation |
ACMWildcardDomainName.yaml |
1551 |
CKV2_AWS_71 |
resource |
aws_acm_certificate |
Ensure AWS ACM Certificate domain name does not include wildcards |
Terraform |
ACMWildcardDomainName.yaml |
1552 |
CKV2_AWS_72 |
resource |
AWS::CloudFront::Distribution |
Ensure AWS CloudFront origin protocol policy enforces HTTPS-only |
Cloudformation |
CloudfrontOriginNotHTTPSOnly.yaml |
1553 |
CKV2_AWS_72 |
resource |
aws_cloudfront_distribution |
Ensure AWS CloudFront origin protocol policy enforces HTTPS-only |
Terraform |
CloudfrontOriginNotHTTPSOnly.yaml |
1554 |
CKV2_AWS_73 |
resource |
aws_sqs_queue |
Ensure AWS SQS uses CMK not AWS default keys for encryption |
Terraform |
SQSEncryptionCMK.yaml |
1555 |
CKV_AZURE_1 |
resource |
Microsoft.Compute/virtualMachines |
Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) |
arm |
AzureInstancePassword.py |
1556 |
CKV_AZURE_1 |
resource |
Microsoft.Compute/virtualMachines |
Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) |
Bicep |
AzureInstancePassword.py |
1557 |
CKV_AZURE_1 |
resource |
azurerm_linux_virtual_machine |
Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) |
Terraform |
AzureInstancePassword.py |
1558 |
CKV_AZURE_1 |
resource |
azurerm_virtual_machine |
Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) |
Terraform |
AzureInstancePassword.py |
1559 |
CKV_AZURE_2 |
resource |
Microsoft.Compute/disks |
Ensure Azure managed disk have encryption enabled |
arm |
AzureManagedDiscEncryption.py |
1560 |
CKV_AZURE_2 |
resource |
Microsoft.Compute/disks |
Ensure Azure managed disk have encryption enabled |
Bicep |
AzureManagedDiscEncryption.py |
1561 |
CKV_AZURE_2 |
resource |
azurerm_managed_disk |
Ensure Azure managed disk has encryption enabled |
Terraform |
AzureManagedDiskEncryption.py |
1562 |
CKV_AZURE_3 |
resource |
Microsoft.Storage/storageAccounts |
Ensure that ‘supportsHttpsTrafficOnly’ is set to ‘true’ |
arm |
StorageAccountsTransportEncryption.py |
1563 |
CKV_AZURE_3 |
resource |
Microsoft.Storage/storageAccounts |
Ensure that ‘supportsHttpsTrafficOnly’ is set to ‘true’ |
Bicep |
StorageAccountsTransportEncryption.py |
1564 |
CKV_AZURE_3 |
resource |
azurerm_storage_account |
Ensure that ‘enable_https_traffic_only’ is enabled |
Terraform |
StorageAccountsTransportEncryption.py |
1565 |
CKV_AZURE_4 |
resource |
Microsoft.ContainerService/managedClusters |
Ensure AKS logging to Azure Monitoring is Configured |
arm |
AKSLoggingEnabled.py |
1566 |
CKV_AZURE_4 |
resource |
Microsoft.ContainerService/managedClusters |
Ensure AKS logging to Azure Monitoring is Configured |
Bicep |
AKSLoggingEnabled.py |
1567 |
CKV_AZURE_4 |
resource |
azurerm_kubernetes_cluster |
Ensure AKS logging to Azure Monitoring is Configured |
Terraform |
AKSLoggingEnabled.py |
1568 |
CKV_AZURE_5 |
resource |
Microsoft.ContainerService/managedClusters |
Ensure RBAC is enabled on AKS clusters |
arm |
AKSRbacEnabled.py |
1569 |
CKV_AZURE_5 |
resource |
Microsoft.ContainerService/managedClusters |
Ensure RBAC is enabled on AKS clusters |
Bicep |
AKSRbacEnabled.py |
1570 |
CKV_AZURE_5 |
resource |
azurerm_kubernetes_cluster |
Ensure RBAC is enabled on AKS clusters |
Terraform |
AKSRbacEnabled.py |
1571 |
CKV_AZURE_6 |
resource |
Microsoft.ContainerService/managedClusters |
Ensure AKS has an API Server Authorized IP Ranges enabled |
arm |
AKSApiServerAuthorizedIpRanges.py |
1572 |
CKV_AZURE_6 |
resource |
Microsoft.ContainerService/managedClusters |
Ensure AKS has an API Server Authorized IP Ranges enabled |
Bicep |
AKSApiServerAuthorizedIpRanges.py |
1573 |
CKV_AZURE_6 |
resource |
azurerm_kubernetes_cluster |
Ensure AKS has an API Server Authorized IP Ranges enabled |
Terraform |
AKSApiServerAuthorizedIpRanges.py |
1574 |
CKV_AZURE_7 |
resource |
Microsoft.ContainerService/managedClusters |
Ensure AKS cluster has Network Policy configured |
arm |
AKSNetworkPolicy.py |
1575 |
CKV_AZURE_7 |
resource |
Microsoft.ContainerService/managedClusters |
Ensure AKS cluster has Network Policy configured |
Bicep |
AKSNetworkPolicy.py |
1576 |
CKV_AZURE_7 |
resource |
azurerm_kubernetes_cluster |
Ensure AKS cluster has Network Policy configured |
Terraform |
AKSNetworkPolicy.py |
1577 |
CKV_AZURE_8 |
resource |
Microsoft.ContainerService/managedClusters |
Ensure Kubernetes Dashboard is disabled |
arm |
AKSDashboardDisabled.py |
1578 |
CKV_AZURE_8 |
resource |
Microsoft.ContainerService/managedClusters |
Ensure Kubernetes Dashboard is disabled |
Bicep |
AKSDashboardDisabled.py |
1579 |
CKV_AZURE_8 |
resource |
azurerm_kubernetes_cluster |
Ensure Kubernetes Dashboard is disabled |
Terraform |
AKSDashboardDisabled.py |
1580 |
CKV_AZURE_9 |
resource |
Microsoft.Network/networkSecurityGroups |
Ensure that RDP access is restricted from the internet |
arm |
NSGRuleRDPAccessRestricted.py |
1581 |
CKV_AZURE_9 |
resource |
Microsoft.Network/networkSecurityGroups |
Ensure that RDP access is restricted from the internet |
Bicep |
NSGRuleRDPAccessRestricted.py |
1582 |
CKV_AZURE_9 |
resource |
Microsoft.Network/networkSecurityGroups/securityRules |
Ensure that RDP access is restricted from the internet |
arm |
NSGRuleRDPAccessRestricted.py |
1583 |
CKV_AZURE_9 |
resource |
Microsoft.Network/networkSecurityGroups/securityRules |
Ensure that RDP access is restricted from the internet |
Bicep |
NSGRuleRDPAccessRestricted.py |
1584 |
CKV_AZURE_9 |
resource |
azurerm_network_security_group |
Ensure that RDP access is restricted from the internet |
Terraform |
NSGRuleRDPAccessRestricted.py |
1585 |
CKV_AZURE_9 |
resource |
azurerm_network_security_rule |
Ensure that RDP access is restricted from the internet |
Terraform |
NSGRuleRDPAccessRestricted.py |
1586 |
CKV_AZURE_10 |
resource |
Microsoft.Network/networkSecurityGroups |
Ensure that SSH access is restricted from the internet |
arm |
NSGRuleSSHAccessRestricted.py |
1587 |
CKV_AZURE_10 |
resource |
Microsoft.Network/networkSecurityGroups |
Ensure that SSH access is restricted from the internet |
Bicep |
NSGRuleSSHAccessRestricted.py |
1588 |
CKV_AZURE_10 |
resource |
Microsoft.Network/networkSecurityGroups/securityRules |
Ensure that SSH access is restricted from the internet |
arm |
NSGRuleSSHAccessRestricted.py |
1589 |
CKV_AZURE_10 |
resource |
Microsoft.Network/networkSecurityGroups/securityRules |
Ensure that SSH access is restricted from the internet |
Bicep |
NSGRuleSSHAccessRestricted.py |
1590 |
CKV_AZURE_10 |
resource |
azurerm_network_security_group |
Ensure that SSH access is restricted from the internet |
Terraform |
NSGRuleSSHAccessRestricted.py |
1591 |
CKV_AZURE_10 |
resource |
azurerm_network_security_rule |
Ensure that SSH access is restricted from the internet |
Terraform |
NSGRuleSSHAccessRestricted.py |
1592 |
CKV_AZURE_11 |
resource |
Microsoft.Sql/servers |
Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) |
arm |
SQLServerNoPublicAccess.py |
1593 |
CKV_AZURE_11 |
resource |
Microsoft.Sql/servers |
Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) |
Bicep |
SQLServerNoPublicAccess.py |
1594 |
CKV_AZURE_11 |
resource |
azurerm_mariadb_firewall_rule |
Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) |
Terraform |
SQLServerNoPublicAccess.py |
1595 |
CKV_AZURE_11 |
resource |
azurerm_mysql_firewall_rule |
Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) |
Terraform |
SQLServerNoPublicAccess.py |
1596 |
CKV_AZURE_11 |
resource |
azurerm_postgresql_firewall_rule |
Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) |
Terraform |
SQLServerNoPublicAccess.py |
1597 |
CKV_AZURE_11 |
resource |
azurerm_sql_firewall_rule |
Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) |
Terraform |
SQLServerNoPublicAccess.py |
1598 |
CKV_AZURE_12 |
resource |
Microsoft.Network/networkWatchers/FlowLogs |
Ensure that Network Security Group Flow Log retention period is ‘greater than 90 days’ |
arm |
NetworkWatcherFlowLogPeriod.py |
1599 |
CKV_AZURE_12 |
resource |
Microsoft.Network/networkWatchers/FlowLogs |
Ensure that Network Security Group Flow Log retention period is ‘greater than 90 days’ |
Bicep |
NetworkWatcherFlowLogPeriod.py |
1600 |
CKV_AZURE_12 |
resource |
Microsoft.Network/networkWatchers/FlowLogs/ |
Ensure that Network Security Group Flow Log retention period is ‘greater than 90 days’ |
arm |
NetworkWatcherFlowLogPeriod.py |
1601 |
CKV_AZURE_12 |
resource |
Microsoft.Network/networkWatchers/FlowLogs/ |
Ensure that Network Security Group Flow Log retention period is ‘greater than 90 days’ |
Bicep |
NetworkWatcherFlowLogPeriod.py |
1602 |
CKV_AZURE_12 |
resource |
Microsoft.Network/networkWatchers/flowLogs |
Ensure that Network Security Group Flow Log retention period is ‘greater than 90 days’ |
arm |
NetworkWatcherFlowLogPeriod.py |
1603 |
CKV_AZURE_12 |
resource |
Microsoft.Network/networkWatchers/flowLogs |
Ensure that Network Security Group Flow Log retention period is ‘greater than 90 days’ |
Bicep |
NetworkWatcherFlowLogPeriod.py |
1604 |
CKV_AZURE_12 |
resource |
Microsoft.Network/networkWatchers/flowLogs/ |
Ensure that Network Security Group Flow Log retention period is ‘greater than 90 days’ |
arm |
NetworkWatcherFlowLogPeriod.py |
1605 |
CKV_AZURE_12 |
resource |
Microsoft.Network/networkWatchers/flowLogs/ |
Ensure that Network Security Group Flow Log retention period is ‘greater than 90 days’ |
Bicep |
NetworkWatcherFlowLogPeriod.py |
1606 |
CKV_AZURE_12 |
resource |
azurerm_network_watcher_flow_log |
Ensure that Network Security Group Flow Log retention period is ‘greater than 90 days’ |
Terraform |
NetworkWatcherFlowLogPeriod.py |
1607 |
CKV_AZURE_13 |
resource |
Microsoft.Web/sites/config |
Ensure App Service Authentication is set on Azure App Service |
arm |
AppServiceAuthentication.py |
1608 |
CKV_AZURE_13 |
resource |
Microsoft.Web/sites/config |
Ensure App Service Authentication is set on Azure App Service |
Bicep |
AppServiceAuthentication.py |
1609 |
CKV_AZURE_13 |
resource |
azurerm_app_service |
Ensure App Service Authentication is set on Azure App Service |
Terraform |
AppServiceAuthentication.py |
1610 |
CKV_AZURE_13 |
resource |
azurerm_linux_web_app |
Ensure App Service Authentication is set on Azure App Service |
Terraform |
AppServiceAuthentication.py |
1611 |
CKV_AZURE_13 |
resource |
azurerm_windows_web_app |
Ensure App Service Authentication is set on Azure App Service |
Terraform |
AppServiceAuthentication.py |
1612 |
CKV_AZURE_13 |
resource |
config |
Ensure App Service Authentication is set on Azure App Service |
arm |
AppServiceAuthentication.py |
1613 |
CKV_AZURE_13 |
resource |
config |
Ensure App Service Authentication is set on Azure App Service |
Bicep |
AppServiceAuthentication.py |
1614 |
CKV_AZURE_14 |
resource |
Microsoft.Web/sites |
Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service |
arm |
AppServiceHTTPSOnly.py |
1615 |
CKV_AZURE_14 |
resource |
Microsoft.Web/sites |
Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service |
Bicep |
AppServiceHTTPSOnly.py |
1616 |
CKV_AZURE_14 |
resource |
azurerm_app_service |
Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service |
Terraform |
AppServiceHTTPSOnly.py |
1617 |
CKV_AZURE_14 |
resource |
azurerm_linux_web_app |
Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service |
Terraform |
AppServiceHTTPSOnly.py |
1618 |
CKV_AZURE_14 |
resource |
azurerm_windows_web_app |
Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service |
Terraform |
AppServiceHTTPSOnly.py |
1619 |
CKV_AZURE_15 |
resource |
Microsoft.Web/sites |
Ensure web app is using the latest version of TLS encryption |
arm |
AppServiceMinTLSVersion.py |
1620 |
CKV_AZURE_15 |
resource |
Microsoft.Web/sites |
Ensure web app is using the latest version of TLS encryption |
Bicep |
AppServiceMinTLSVersion.py |
1621 |
CKV_AZURE_15 |
resource |
azurerm_app_service |
Ensure web app is using the latest version of TLS encryption |
Terraform |
AppServiceMinTLSVersion.py |
1622 |
CKV_AZURE_15 |
resource |
azurerm_linux_web_app |
Ensure web app is using the latest version of TLS encryption |
Terraform |
AppServiceMinTLSVersion.py |
1623 |
CKV_AZURE_15 |
resource |
azurerm_windows_web_app |
Ensure web app is using the latest version of TLS encryption |
Terraform |
AppServiceMinTLSVersion.py |
1624 |
CKV_AZURE_16 |
resource |
Microsoft.Web/sites |
Ensure that Register with Azure Active Directory is enabled on App Service |
arm |
AppServiceIdentity.py |
1625 |
CKV_AZURE_16 |
resource |
Microsoft.Web/sites |
Ensure that Register with Azure Active Directory is enabled on App Service |
Bicep |
AppServiceIdentity.py |
1626 |
CKV_AZURE_16 |
resource |
azurerm_app_service |
Ensure that Register with Azure Active Directory is enabled on App Service |
Terraform |
AppServiceIdentity.py |
1627 |
CKV_AZURE_16 |
resource |
azurerm_linux_web_app |
Ensure that Register with Azure Active Directory is enabled on App Service |
Terraform |
AppServiceIdentity.py |
1628 |
CKV_AZURE_16 |
resource |
azurerm_windows_web_app |
Ensure that Register with Azure Active Directory is enabled on App Service |
Terraform |
AppServiceIdentity.py |
1629 |
CKV_AZURE_17 |
resource |
Microsoft.Web/sites |
Ensure the web app has ‘Client Certificates (Incoming client certificates)’ set |
arm |
AppServiceClientCertificate.py |
1630 |
CKV_AZURE_17 |
resource |
Microsoft.Web/sites |
Ensure the web app has ‘Client Certificates (Incoming client certificates)’ set |
Bicep |
AppServiceClientCertificate.py |
1631 |
CKV_AZURE_17 |
resource |
azurerm_app_service |
Ensure the web app has ‘Client Certificates (Incoming client certificates)’ set |
Terraform |
AppServiceClientCertificate.py |
1632 |
CKV_AZURE_17 |
resource |
azurerm_linux_web_app |
Ensure the web app has ‘Client Certificates (Incoming client certificates)’ set |
Terraform |
AppServiceClientCertificate.py |
1633 |
CKV_AZURE_17 |
resource |
azurerm_windows_web_app |
Ensure the web app has ‘Client Certificates (Incoming client certificates)’ set |
Terraform |
AppServiceClientCertificate.py |
1634 |
CKV_AZURE_18 |
resource |
Microsoft.Web/sites |
Ensure that ‘HTTP Version’ is the latest if used to run the web app |
arm |
AppServiceHttps20Enabled.py |
1635 |
CKV_AZURE_18 |
resource |
Microsoft.Web/sites |
Ensure that ‘HTTP Version’ is the latest if used to run the web app |
Bicep |
AppServiceHttps20Enabled.py |
1636 |
CKV_AZURE_18 |
resource |
azurerm_app_service |
Ensure that ‘HTTP Version’ is the latest if used to run the web app |
Terraform |
AppServiceHttps20Enabled.py |
1637 |
CKV_AZURE_18 |
resource |
azurerm_linux_web_app |
Ensure that ‘HTTP Version’ is the latest if used to run the web app |
Terraform |
AppServiceHttps20Enabled.py |
1638 |
CKV_AZURE_18 |
resource |
azurerm_windows_web_app |
Ensure that ‘HTTP Version’ is the latest if used to run the web app |
Terraform |
AppServiceHttps20Enabled.py |
1639 |
CKV_AZURE_19 |
resource |
Microsoft.Security/pricings |
Ensure that standard pricing tier is selected |
arm |
SecurityCenterStandardPricing.py |
1640 |
CKV_AZURE_19 |
resource |
Microsoft.Security/pricings |
Ensure that standard pricing tier is selected |
Bicep |
SecurityCenterStandardPricing.py |
1641 |
CKV_AZURE_19 |
resource |
azurerm_security_center_subscription_pricing |
Ensure that standard pricing tier is selected |
Terraform |
SecurityCenterStandardPricing.py |
1642 |
CKV_AZURE_20 |
resource |
Microsoft.Security/securityContacts |
Ensure that security contact ‘Phone number’ is set |
arm |
SecurityCenterContactPhone.py |
1643 |
CKV_AZURE_20 |
resource |
Microsoft.Security/securityContacts |
Ensure that security contact ‘Phone number’ is set |
Bicep |
SecurityCenterContactPhone.py |
1644 |
CKV_AZURE_20 |
resource |
azurerm_security_center_contact |
Ensure that security contact ‘Phone number’ is set |
Terraform |
SecurityCenterContactPhone.py |
1645 |
CKV_AZURE_21 |
resource |
Microsoft.Security/securityContacts |
Ensure that ‘Send email notification for high severity alerts’ is set to ‘On’ |
arm |
SecurityCenterContactEmailAlert.py |
1646 |
CKV_AZURE_21 |
resource |
Microsoft.Security/securityContacts |
Ensure that ‘Send email notification for high severity alerts’ is set to ‘On’ |
Bicep |
SecurityCenterContactEmailAlert.py |
1647 |
CKV_AZURE_21 |
resource |
azurerm_security_center_contact |
Ensure that ‘Send email notification for high severity alerts’ is set to ‘On’ |
Terraform |
SecurityCenterContactEmailAlert.py |
1648 |
CKV_AZURE_22 |
resource |
Microsoft.Security/securityContacts |
Ensure that ‘Send email notification for high severity alerts’ is set to ‘On’ |
arm |
SecurityCenterContactEmailAlertAdmins.py |
1649 |
CKV_AZURE_22 |
resource |
Microsoft.Security/securityContacts |
Ensure that ‘Send email notification for high severity alerts’ is set to ‘On’ |
Bicep |
SecurityCenterContactEmailAlertAdmins.py |
1650 |
CKV_AZURE_22 |
resource |
azurerm_security_center_contact |
Ensure that ‘Send email notification for high severity alerts’ is set to ‘On’ |
Terraform |
SecurityCenterContactEmailAlertAdmins.py |
1651 |
CKV_AZURE_23 |
resource |
Microsoft.Sql/servers |
Ensure that ‘Auditing’ is set to ‘Enabled’ for SQL servers |
arm |
SQLServerAuditingEnabled.py |
1652 |
CKV_AZURE_23 |
resource |
Microsoft.Sql/servers |
Ensure that ‘Auditing’ is set to ‘On’ for SQL servers |
Bicep |
SQLServerAuditingEnabled.yaml |
1653 |
CKV_AZURE_23 |
resource |
Microsoft.Sql/servers/auditingSettings |
Ensure that ‘Auditing’ is set to ‘On’ for SQL servers |
Bicep |
SQLServerAuditingEnabled.yaml |
1654 |
CKV_AZURE_23 |
resource |
Microsoft.Sql/servers/databases |
Ensure that ‘Auditing’ is set to ‘Enabled’ for SQL servers |
arm |
SQLServerAuditingEnabled.py |
1655 |
CKV_AZURE_23 |
resource |
Microsoft.Sql/servers/databases |
Ensure that ‘Auditing’ is set to ‘On’ for SQL servers |
Bicep |
SQLServerAuditingEnabled.yaml |
1656 |
CKV_AZURE_23 |
resource |
Microsoft.Sql/servers/databases/auditingSettings |
Ensure that ‘Auditing’ is set to ‘On’ for SQL servers |
Bicep |
SQLServerAuditingEnabled.yaml |
1657 |
CKV_AZURE_23 |
resource |
azurerm_mssql_server |
Ensure that ‘Auditing’ is set to ‘On’ for SQL servers |
Terraform |
SQLServerAuditingEnabled.yaml |
1658 |
CKV_AZURE_23 |
resource |
azurerm_mssql_server_extended_auditing_policy |
Ensure that ‘Auditing’ is set to ‘On’ for SQL servers |
Terraform |
SQLServerAuditingEnabled.yaml |
1659 |
CKV_AZURE_23 |
resource |
azurerm_sql_server |
Ensure that ‘Auditing’ is set to ‘On’ for SQL servers |
Terraform |
SQLServerAuditingEnabled.yaml |
1660 |
CKV_AZURE_24 |
resource |
Microsoft.Sql/servers |
Ensure that ‘Auditing’ Retention is ‘greater than 90 days’ for SQL servers |
arm |
SQLServerAuditingRetention90Days.py |
1661 |
CKV_AZURE_24 |
resource |
Microsoft.Sql/servers |
Ensure that ‘Auditing’ Retention is ‘greater than 90 days’ for SQL servers |
Bicep |
SQLServerAuditingRetention90Days.yaml |
1662 |
CKV_AZURE_24 |
resource |
Microsoft.Sql/servers/auditingSettings |
Ensure that ‘Auditing’ Retention is ‘greater than 90 days’ for SQL servers |
Bicep |
SQLServerAuditingRetention90Days.yaml |
1663 |
CKV_AZURE_24 |
resource |
azurerm_mssql_server |
Ensure that ‘Auditing’ Retention is ‘greater than 90 days’ for SQL servers |
Terraform |
SQLServerAuditingRetention90Days.yaml |
1664 |
CKV_AZURE_24 |
resource |
azurerm_mssql_server_extended_auditing_policy |
Ensure that ‘Auditing’ Retention is ‘greater than 90 days’ for SQL servers |
Terraform |
SQLServerAuditingRetention90Days.yaml |
1665 |
CKV_AZURE_24 |
resource |
azurerm_sql_server |
Ensure that ‘Auditing’ Retention is ‘greater than 90 days’ for SQL servers |
Terraform |
SQLServerAuditingRetention90Days.yaml |
1666 |
CKV_AZURE_25 |
resource |
Microsoft.Sql/servers/databases |
Ensure that ‘Threat Detection types’ is set to ‘All’ |
arm |
SQLServerThreatDetectionTypes.py |
1667 |
CKV_AZURE_25 |
resource |
Microsoft.Sql/servers/databases |
Ensure that ‘Threat Detection types’ is set to ‘All’ |
Bicep |
SQLServerThreatDetectionTypes.py |
1668 |
CKV_AZURE_25 |
resource |
azurerm_mssql_server_security_alert_policy |
Ensure that ‘Threat Detection types’ is set to ‘All’ |
Terraform |
SQLServerThreatDetectionTypes.py |
1669 |
CKV_AZURE_26 |
resource |
Microsoft.Sql/servers/databases |
Ensure that ‘Send Alerts To’ is enabled for MSSQL servers |
arm |
SQLServerEmailAlertsEnabled.py |
1670 |
CKV_AZURE_26 |
resource |
Microsoft.Sql/servers/databases |
Ensure that ‘Send Alerts To’ is enabled for MSSQL servers |
Bicep |
SQLServerEmailAlertsEnabled.py |
1671 |
CKV_AZURE_26 |
resource |
azurerm_mssql_server_security_alert_policy |
Ensure that ‘Send Alerts To’ is enabled for MSSQL servers |
Terraform |
SQLServerEmailAlertsEnabled.py |
1672 |
CKV_AZURE_27 |
resource |
Microsoft.Sql/servers/databases |
Ensure that ‘Email service and co-administrators’ is ‘Enabled’ for MSSQL servers |
arm |
SQLServerEmailAlertsToAdminsEnabled.py |
1673 |
CKV_AZURE_27 |
resource |
Microsoft.Sql/servers/databases |
Ensure that ‘Email service and co-administrators’ is ‘Enabled’ for MSSQL servers |
Bicep |
SQLServerEmailAlertsToAdminsEnabled.py |
1674 |
CKV_AZURE_27 |
resource |
azurerm_mssql_server_security_alert_policy |
Ensure that ‘Email service and co-administrators’ is ‘Enabled’ for MSSQL servers |
Terraform |
SQLServerEmailAlertsToAdminsEnabled.py |
1675 |
CKV_AZURE_28 |
resource |
Microsoft.DBforMySQL/servers |
Ensure ‘Enforce SSL connection’ is set to ‘ENABLED’ for MySQL Database Server |
arm |
MySQLServerSSLEnforcementEnabled.py |
1676 |
CKV_AZURE_28 |
resource |
Microsoft.DBforMySQL/servers |
Ensure ‘Enforce SSL connection’ is set to ‘ENABLED’ for MySQL Database Server |
Bicep |
MySQLServerSSLEnforcementEnabled.py |
1677 |
CKV_AZURE_28 |
resource |
azurerm_mysql_server |
Ensure ‘Enforce SSL connection’ is set to ‘ENABLED’ for MySQL Database Server |
Terraform |
MySQLServerSSLEnforcementEnabled.py |
1678 |
CKV_AZURE_29 |
resource |
Microsoft.DBforPostgreSQL/servers |
Ensure ‘Enforce SSL connection’ is set to ‘ENABLED’ for PostgreSQL Database Server |
arm |
PostgreSQLServerSSLEnforcementEnabled.py |
1679 |
CKV_AZURE_29 |
resource |
Microsoft.DBforPostgreSQL/servers |
Ensure ‘Enforce SSL connection’ is set to ‘ENABLED’ for PostgreSQL Database Server |
Bicep |
PostgreSQLServerSSLEnforcementEnabled.py |
1680 |
CKV_AZURE_29 |
resource |
azurerm_postgresql_server |
Ensure ‘Enforce SSL connection’ is set to ‘ENABLED’ for PostgreSQL Database Server |
Terraform |
PostgreSQLServerSSLEnforcementEnabled.py |
1681 |
CKV_AZURE_30 |
resource |
Microsoft.DBforPostgreSQL/servers/configurations |
Ensure server parameter ‘log_checkpoints’ is set to ‘ON’ for PostgreSQL Database Server |
arm |
PostgreSQLServerLogCheckpointsEnabled.py |
1682 |
CKV_AZURE_30 |
resource |
Microsoft.DBforPostgreSQL/servers/configurations |
Ensure server parameter ‘log_checkpoints’ is set to ‘ON’ for PostgreSQL Database Server |
Bicep |
PostgreSQLServerLogCheckpointsEnabled.py |
1683 |
CKV_AZURE_30 |
resource |
azurerm_postgresql_configuration |
Ensure server parameter ‘log_checkpoints’ is set to ‘ON’ for PostgreSQL Database Server |
Terraform |
PostgreSQLServerLogCheckpointsEnabled.py |
1684 |
CKV_AZURE_30 |
resource |
configurations |
Ensure server parameter ‘log_checkpoints’ is set to ‘ON’ for PostgreSQL Database Server |
arm |
PostgreSQLServerLogCheckpointsEnabled.py |
1685 |
CKV_AZURE_30 |
resource |
configurations |
Ensure server parameter ‘log_checkpoints’ is set to ‘ON’ for PostgreSQL Database Server |
Bicep |
PostgreSQLServerLogCheckpointsEnabled.py |
1686 |
CKV_AZURE_31 |
resource |
Microsoft.DBforPostgreSQL/servers/configurations |
Ensure configuration ‘log_connections’ is set to ‘ON’ for PostgreSQL Database Server |
arm |
PostgreSQLServerLogConnectionsEnabled.py |
1687 |
CKV_AZURE_31 |
resource |
Microsoft.DBforPostgreSQL/servers/configurations |
Ensure configuration ‘log_connections’ is set to ‘ON’ for PostgreSQL Database Server |
Bicep |
PostgreSQLServerLogConnectionsEnabled.py |
1688 |
CKV_AZURE_31 |
resource |
azurerm_postgresql_configuration |
Ensure server parameter ‘log_connections’ is set to ‘ON’ for PostgreSQL Database Server |
Terraform |
PostgreSQLServerLogConnectionsEnabled.py |
1689 |
CKV_AZURE_31 |
resource |
configurations |
Ensure configuration ‘log_connections’ is set to ‘ON’ for PostgreSQL Database Server |
arm |
PostgreSQLServerLogConnectionsEnabled.py |
1690 |
CKV_AZURE_31 |
resource |
configurations |
Ensure configuration ‘log_connections’ is set to ‘ON’ for PostgreSQL Database Server |
Bicep |
PostgreSQLServerLogConnectionsEnabled.py |
1691 |
CKV_AZURE_32 |
resource |
Microsoft.DBforPostgreSQL/servers/configurations |
Ensure server parameter ‘connection_throttling’ is set to ‘ON’ for PostgreSQL Database Server |
arm |
PostgreSQLServerConnectionThrottlingEnabled.py |
1692 |
CKV_AZURE_32 |
resource |
Microsoft.DBforPostgreSQL/servers/configurations |
Ensure server parameter ‘connection_throttling’ is set to ‘ON’ for PostgreSQL Database Server |
Bicep |
PostgreSQLServerConnectionThrottlingEnabled.py |
1693 |
CKV_AZURE_32 |
resource |
azurerm_postgresql_configuration |
Ensure server parameter ‘connection_throttling’ is set to ‘ON’ for PostgreSQL Database Server |
Terraform |
PostgreSQLServerConnectionThrottlingEnabled.py |
1694 |
CKV_AZURE_32 |
resource |
configurations |
Ensure server parameter ‘connection_throttling’ is set to ‘ON’ for PostgreSQL Database Server |
arm |
PostgreSQLServerConnectionThrottlingEnabled.py |
1695 |
CKV_AZURE_32 |
resource |
configurations |
Ensure server parameter ‘connection_throttling’ is set to ‘ON’ for PostgreSQL Database Server |
Bicep |
PostgreSQLServerConnectionThrottlingEnabled.py |
1696 |
CKV_AZURE_33 |
resource |
Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings |
Ensure Storage logging is enabled for Queue service for read, write and delete requests |
arm |
StorageAccountLoggingQueueServiceEnabled.py |
1697 |
CKV_AZURE_33 |
resource |
Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings |
Ensure Storage logging is enabled for Queue service for read, write and delete requests |
Bicep |
StorageAccountLoggingQueueServiceEnabled.py |
1698 |
CKV_AZURE_33 |
resource |
azurerm_storage_account |
Ensure Storage logging is enabled for Queue service for read, write and delete requests |
Terraform |
StorageAccountLoggingQueueServiceEnabled.py |
1699 |
CKV_AZURE_34 |
resource |
Microsoft.Storage/storageAccounts/blobServices/containers |
Ensure that ‘Public access level’ is set to Private for blob containers |
arm |
StorageBlobServiceContainerPrivateAccess.py |
1700 |
CKV_AZURE_34 |
resource |
Microsoft.Storage/storageAccounts/blobServices/containers |
Ensure that ‘Public access level’ is set to Private for blob containers |
Bicep |
StorageBlobServiceContainerPrivateAccess.py |
1701 |
CKV_AZURE_34 |
resource |
azurerm_storage_container |
Ensure that ‘Public access level’ is set to Private for blob containers |
Terraform |
StorageBlobServiceContainerPrivateAccess.py |
1702 |
CKV_AZURE_34 |
resource |
blobServices/containers |
Ensure that ‘Public access level’ is set to Private for blob containers |
arm |
StorageBlobServiceContainerPrivateAccess.py |
1703 |
CKV_AZURE_34 |
resource |
blobServices/containers |
Ensure that ‘Public access level’ is set to Private for blob containers |
Bicep |
StorageBlobServiceContainerPrivateAccess.py |
1704 |
CKV_AZURE_34 |
resource |
containers |
Ensure that ‘Public access level’ is set to Private for blob containers |
arm |
StorageBlobServiceContainerPrivateAccess.py |
1705 |
CKV_AZURE_34 |
resource |
containers |
Ensure that ‘Public access level’ is set to Private for blob containers |
Bicep |
StorageBlobServiceContainerPrivateAccess.py |
1706 |
CKV_AZURE_35 |
resource |
Microsoft.Storage/storageAccounts |
Ensure default network access rule for Storage Accounts is set to deny |
arm |
StorageAccountDefaultNetworkAccessDeny.py |
1707 |
CKV_AZURE_35 |
resource |
Microsoft.Storage/storageAccounts |
Ensure default network access rule for Storage Accounts is set to deny |
Bicep |
StorageAccountDefaultNetworkAccessDeny.py |
1708 |
CKV_AZURE_35 |
resource |
azurerm_storage_account |
Ensure default network access rule for Storage Accounts is set to deny |
Terraform |
StorageAccountDefaultNetworkAccessDeny.py |
1709 |
CKV_AZURE_35 |
resource |
azurerm_storage_account_network_rules |
Ensure default network access rule for Storage Accounts is set to deny |
Terraform |
StorageAccountDefaultNetworkAccessDeny.py |
1710 |
CKV_AZURE_36 |
resource |
Microsoft.Storage/storageAccounts |
Ensure ‘Trusted Microsoft Services’ is enabled for Storage Account access |
arm |
StorageAccountAzureServicesAccessEnabled.py |
1711 |
CKV_AZURE_36 |
resource |
Microsoft.Storage/storageAccounts |
Ensure ‘Trusted Microsoft Services’ is enabled for Storage Account access |
Bicep |
StorageAccountAzureServicesAccessEnabled.py |
1712 |
CKV_AZURE_36 |
resource |
azurerm_storage_account |
Ensure ‘Trusted Microsoft Services’ is enabled for Storage Account access |
Terraform |
StorageAccountAzureServicesAccessEnabled.py |
1713 |
CKV_AZURE_36 |
resource |
azurerm_storage_account_network_rules |
Ensure ‘Trusted Microsoft Services’ is enabled for Storage Account access |
Terraform |
StorageAccountAzureServicesAccessEnabled.py |
1714 |
CKV_AZURE_37 |
resource |
Microsoft.Insights/logprofiles |
Ensure that Activity Log Retention is set 365 days or greater |
arm |
MonitorLogProfileRetentionDays.py |
1715 |
CKV_AZURE_37 |
resource |
Microsoft.Insights/logprofiles |
Ensure that Activity Log Retention is set 365 days or greater |
Bicep |
MonitorLogProfileRetentionDays.py |
1716 |
CKV_AZURE_37 |
resource |
azurerm_monitor_log_profile |
Ensure that Activity Log Retention is set 365 days or greater |
Terraform |
MonitorLogProfileRetentionDays.py |
1717 |
CKV_AZURE_38 |
resource |
Microsoft.Insights/logprofiles |
Ensure audit profile captures all the activities |
arm |
MonitorLogProfileCategories.py |
1718 |
CKV_AZURE_38 |
resource |
Microsoft.Insights/logprofiles |
Ensure audit profile captures all the activities |
Bicep |
MonitorLogProfileCategories.py |
1719 |
CKV_AZURE_38 |
resource |
azurerm_monitor_log_profile |
Ensure audit profile captures all the activities |
Terraform |
MonitorLogProfileCategories.py |
1720 |
CKV_AZURE_39 |
resource |
Microsoft.Authorization/roleDefinitions |
Ensure that no custom subscription owner roles are created |
arm |
CustomRoleDefinitionSubscriptionOwner.py |
1721 |
CKV_AZURE_39 |
resource |
Microsoft.Authorization/roleDefinitions |
Ensure that no custom subscription owner roles are created |
Bicep |
CustomRoleDefinitionSubscriptionOwner.py |
1722 |
CKV_AZURE_39 |
resource |
azurerm_role_definition |
Ensure that no custom subscription owner roles are created |
Terraform |
CutsomRoleDefinitionSubscriptionOwner.py |
1723 |
CKV_AZURE_40 |
resource |
Microsoft.KeyVault/vaults/keys |
Ensure that the expiration date is set on all keys |
arm |
KeyExpirationDate.py |
1724 |
CKV_AZURE_40 |
resource |
Microsoft.KeyVault/vaults/keys |
Ensure that the expiration date is set on all keys |
Bicep |
KeyExpirationDate.py |
1725 |
CKV_AZURE_40 |
resource |
azurerm_key_vault_key |
Ensure that the expiration date is set on all keys |
Terraform |
KeyExpirationDate.py |
1726 |
CKV_AZURE_41 |
resource |
Microsoft.KeyVault/vaults/secrets |
Ensure that the expiration date is set on all secrets |
arm |
SecretExpirationDate.py |
1727 |
CKV_AZURE_41 |
resource |
Microsoft.KeyVault/vaults/secrets |
Ensure that the expiration date is set on all secrets |
Bicep |
SecretExpirationDate.py |
1728 |
CKV_AZURE_41 |
resource |
azurerm_key_vault_secret |
Ensure that the expiration date is set on all secrets |
Terraform |
SecretExpirationDate.py |
1729 |
CKV_AZURE_42 |
resource |
Microsoft.KeyVault/vaults |
Ensure the key vault is recoverable |
arm |
KeyvaultRecoveryEnabled.py |
1730 |
CKV_AZURE_42 |
resource |
Microsoft.KeyVault/vaults |
Ensure the key vault is recoverable |
Bicep |
KeyvaultRecoveryEnabled.py |
1731 |
CKV_AZURE_42 |
resource |
azurerm_key_vault |
Ensure the key vault is recoverable |
Terraform |
KeyvaultRecoveryEnabled.py |
1732 |
CKV_AZURE_43 |
resource |
Microsoft.Storage/storageAccounts |
Ensure Storage Accounts adhere to the naming rules |
arm |
StorageAccountName.py |
1733 |
CKV_AZURE_43 |
resource |
Microsoft.Storage/storageAccounts |
Ensure Storage Accounts adhere to the naming rules |
Bicep |
StorageAccountName.py |
1734 |
CKV_AZURE_43 |
resource |
azurerm_storage_account |
Ensure Storage Accounts adhere to the naming rules |
Terraform |
StorageAccountName.py |
1735 |
CKV_AZURE_44 |
resource |
Microsoft.Storage/storageAccounts |
Ensure Storage Account is using the latest version of TLS encryption |
arm |
StorageAccountMinimumTlsVersion.py |
1736 |
CKV_AZURE_44 |
resource |
Microsoft.Storage/storageAccounts |
Ensure Storage Account is using the latest version of TLS encryption |
Bicep |
StorageAccountMinimumTlsVersion.py |
1737 |
CKV_AZURE_44 |
resource |
azurerm_storage_account |
Ensure Storage Account is using the latest version of TLS encryption |
Terraform |
StorageAccountMinimumTlsVersion.py |
1738 |
CKV_AZURE_45 |
resource |
Microsoft.Compute/virtualMachines |
Ensure that no sensitive credentials are exposed in VM custom_data |
arm |
VMCredsInCustomData.py |
1739 |
CKV_AZURE_45 |
resource |
Microsoft.Compute/virtualMachines |
Ensure that no sensitive credentials are exposed in VM custom_data |
Bicep |
VMCredsInCustomData.py |
1740 |
CKV_AZURE_45 |
resource |
azurerm_virtual_machine |
Ensure that no sensitive credentials are exposed in VM custom_data |
Terraform |
VMCredsInCustomData.py |
| # | Id | Type | Entity | Policy | IaC | Check file |
|---|---|---|---|---|---|---|
| 1741 | CKV_AZURE_47 | resource | Microsoft.DBforMariaDB/servers | Ensure ‘Enforce SSL connection’ is set to ‘ENABLED’ for MariaDB servers | arm | MariaDBSSLEnforcementEnabled.py |
| 1742 | CKV_AZURE_47 | resource | Microsoft.DBforMariaDB/servers | Ensure ‘Enforce SSL connection’ is set to ‘ENABLED’ for MariaDB servers | Bicep | MariaDBSSLEnforcementEnabled.py |
| 1743 | CKV_AZURE_47 | resource | azurerm_mariadb_server | Ensure ‘Enforce SSL connection’ is set to ‘ENABLED’ for MariaDB servers | Terraform | MariaDBSSLEnforcementEnabled.py |
| 1744 | CKV_AZURE_48 | resource | Microsoft.DBforMariaDB/servers | Ensure ‘public network access enabled’ is set to ‘False’ for MariaDB servers | arm | MariaDBPublicAccessDisabled.py |
| 1745 | CKV_AZURE_48 | resource | Microsoft.DBforMariaDB/servers | Ensure ‘public network access enabled’ is set to ‘False’ for MariaDB servers | Bicep | MariaDBPublicAccessDisabled.py |
| 1746 | CKV_AZURE_48 | resource | azurerm_mariadb_server | Ensure ‘public network access enabled’ is set to ‘False’ for MariaDB servers | Terraform | MariaDBPublicAccessDisabled.py |
| 1747 | CKV_AZURE_49 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure Azure Linux scale set does not use basic authentication (use SSH key instead) | arm | AzureScaleSetPassword.py |
| 1748 | CKV_AZURE_49 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure Azure Linux scale set does not use basic authentication (use SSH key instead) | Bicep | AzureScaleSetPassword.py |
| 1749 | CKV_AZURE_49 | resource | azurerm_linux_virtual_machine_scale_set | Ensure Azure Linux scale set does not use basic authentication (use SSH key instead) | Terraform | AzureScaleSetPassword.py |
| 1750 | CKV_AZURE_50 | resource | Microsoft.Compute/virtualMachines | Ensure Virtual Machine Extensions are not installed | arm | AzureInstanceExtensions.py |
| 1751 | CKV_AZURE_50 | resource | Microsoft.Compute/virtualMachines | Ensure Virtual Machine Extensions are not installed | Bicep | AzureInstanceExtensions.py |
| 1752 | CKV_AZURE_50 | resource | azurerm_linux_virtual_machine | Ensure Virtual Machine Extensions are not installed | Terraform | AzureInstanceExtensions.py |
| 1753 | CKV_AZURE_50 | resource | azurerm_windows_virtual_machine | Ensure Virtual Machine Extensions are not installed | Terraform | AzureInstanceExtensions.py |
| 1754 | CKV_AZURE_52 | resource | Microsoft.Sql/servers | Ensure MSSQL is using the latest version of TLS encryption | arm | MSSQLServerMinTLSVersion.py |
| 1755 | CKV_AZURE_52 | resource | Microsoft.Sql/servers | Ensure MSSQL is using the latest version of TLS encryption | Bicep | MSSQLServerMinTLSVersion.py |
| 1756 | CKV_AZURE_52 | resource | azurerm_mssql_server | Ensure MSSQL is using the latest version of TLS encryption | Terraform | MSSQLServerMinTLSVersion.py |
| 1757 | CKV_AZURE_53 | resource | Microsoft.DBforMySQL/servers | Ensure ‘public network access enabled’ is set to ‘False’ for MySQL servers | arm | MySQLPublicAccessDisabled.py |
| 1758 | CKV_AZURE_53 | resource | Microsoft.DBforMySQL/servers | Ensure ‘public network access enabled’ is set to ‘False’ for MySQL servers | Bicep | MySQLPublicAccessDisabled.py |
| 1759 | CKV_AZURE_53 | resource | azurerm_mysql_server | Ensure ‘public network access enabled’ is set to ‘False’ for MySQL servers | Terraform | MySQLPublicAccessDisabled.py |
| 1760 | CKV_AZURE_54 | resource | Microsoft.DBforMySQL/servers | Ensure MySQL is using the latest version of TLS encryption | arm | MySQLServerMinTLSVersion.py |
| 1761 | CKV_AZURE_54 | resource | Microsoft.DBforMySQL/servers | Ensure MySQL is using the latest version of TLS encryption | Bicep | MySQLServerMinTLSVersion.py |
| 1762 | CKV_AZURE_54 | resource | azurerm_mysql_server | Ensure MySQL is using the latest version of TLS encryption | Terraform | MySQLServerMinTLSVersion.py |
| 1763 | CKV_AZURE_55 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Servers | Terraform | AzureDefenderOnServers.py |
| 1764 | CKV_AZURE_56 | resource | Microsoft.Web/sites/config | Ensure that function apps enable authentication | arm | FunctionAppsEnableAuthentication.py |
| 1765 | CKV_AZURE_56 | resource | Microsoft.Web/sites/config | Ensure that function apps enable authentication | Bicep | FunctionAppsEnableAuthentication.py |
| 1766 | CKV_AZURE_56 | resource | azurerm_function_app | Ensure that function apps enable authentication | Terraform | FunctionAppsEnableAuthentication.py |
| 1767 | CKV_AZURE_57 | resource | Microsoft.Web/sites | Ensure that CORS does not allow every origin to access app services | arm | AppServiceDisallowCORS.py |
| 1768 | CKV_AZURE_57 | resource | Microsoft.Web/sites | Ensure that CORS does not allow every origin to access app services | Bicep | AppServiceDisallowCORS.py |
| 1769 | CKV_AZURE_57 | resource | azurerm_app_service | Ensure that CORS does not allow every origin to access app services | Terraform | AppServiceDisallowCORS.py |
| 1770 | CKV_AZURE_57 | resource | azurerm_linux_web_app | Ensure that CORS does not allow every origin to access app services | Terraform | AppServiceDisallowCORS.py |
| 1771 | CKV_AZURE_57 | resource | azurerm_windows_web_app | Ensure that CORS does not allow every origin to access app services | Terraform | AppServiceDisallowCORS.py |
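Nearly every row above is a single-attribute check: one resource type, one attribute path, one acceptable set of values. The example below, added here and not taken from Checkov, shows that shape for nine of the checks in this block (TLS floors, SSL enforcement, public network access, CORS wildcard and remote debugging) and makes the one decision that matters explicit: what to return when the attribute is absent. `min_tls_version` and `public_network_access_enabled` are failed closed, because the provider default was the weak setting (azurerm 2.x defaulted storage accounts to `TLS1_0`; the database servers default public access to on), while `remote_debugging_enabled` and `cors` pass when absent because their defaults are already off. The resource blocks are hand-written dictionaries shaped like parsed HCL with booleans already typed; the PASSED/FAILED strings only mirror Checkov's vocabulary.

```python
from dataclasses import dataclass
from typing import Any, Callable, Dict, Tuple

PASSED, FAILED = "PASSED", "FAILED"


@dataclass(frozen=True)
class ValueCheck:
    check_id: str
    resource_types: Tuple[str, ...]
    path: Tuple[str, ...]             # attribute path inside the parsed resource block
    accept: Callable[[Any], bool]     # True when the present value is acceptable
    when_missing: str                 # verdict if the attribute is not set at all


def lookup(block: dict, path: Tuple[str, ...]):
    """Walk a nested attribute path; returns (value, True) or (None, False)."""
    node: Any = block
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None, False
        node = node[key]
    return node, True


WEB_APPS = ("azurerm_app_service", "azurerm_linux_web_app", "azurerm_windows_web_app")
DEBUGGABLE = WEB_APPS + (
    "azurerm_linux_web_app_slot", "azurerm_windows_web_app_slot",
    "azurerm_linux_function_app", "azurerm_linux_function_app_slot",
    "azurerm_windows_function_app", "azurerm_windows_function_app_slot",
)

# Missing-attribute policy: fail closed where the provider default was the weak setting
# (azurerm 2.x storage accounts defaulted min_tls_version to TLS1_0; database servers
# default public_network_access_enabled to true). Pass where the default is already off.
CHECKS = [
    ValueCheck("CKV_AZURE_44", ("azurerm_storage_account",), ("min_tls_version",),
               lambda v: v in ("TLS1_2", "TLS1_3"), FAILED),
    ValueCheck("CKV_AZURE_52", ("azurerm_mssql_server",), ("minimum_tls_version",),
               lambda v: str(v) == "1.2", FAILED),
    ValueCheck("CKV_AZURE_54", ("azurerm_mysql_server",), ("ssl_minimal_tls_version_enforced",),
               lambda v: v == "TLS1_2", FAILED),
    ValueCheck("CKV_AZURE_47", ("azurerm_mariadb_server",), ("ssl_enforcement_enabled",),
               lambda v: v is True, FAILED),
    ValueCheck("CKV_AZURE_48", ("azurerm_mariadb_server",), ("public_network_access_enabled",),
               lambda v: v is False, FAILED),
    ValueCheck("CKV_AZURE_53", ("azurerm_mysql_server",), ("public_network_access_enabled",),
               lambda v: v is False, FAILED),
    ValueCheck("CKV_AZURE_68", ("azurerm_postgresql_server",), ("public_network_access_enabled",),
               lambda v: v is False, FAILED),
    ValueCheck("CKV_AZURE_57", WEB_APPS, ("site_config", "cors", "allowed_origins"),
               lambda v: "*" not in (v or []), PASSED),
    ValueCheck("CKV_AZURE_72", DEBUGGABLE, ("site_config", "remote_debugging_enabled"),
               lambda v: v is False, PASSED),
]


def evaluate(check: ValueCheck, block: dict) -> str:
    value, present = lookup(block, check.path)
    if not present:
        return check.when_missing
    return PASSED if check.accept(value) else FAILED


def run_checks(resources) -> Dict[Tuple[str, str], str]:
    """resources: iterable of (resource_type, name, block). Returns {(check_id, address): verdict}."""
    results = {}
    for rtype, name, block in resources:
        for check in CHECKS:
            if rtype in check.resource_types:
                results[(check.check_id, f"{rtype}.{name}")] = evaluate(check, block)
    return results


# Constructed sample plan, shaped like parsed HCL (booleans already typed).
SAMPLE_RESOURCES = [
    ("azurerm_storage_account", "logs", {"min_tls_version": "TLS1_0"}),
    ("azurerm_storage_account", "data", {"min_tls_version": "TLS1_2"}),
    ("azurerm_mariadb_server", "db", {"ssl_enforcement_enabled": True,
                                      "public_network_access_enabled": True}),
    ("azurerm_mysql_server", "db", {"ssl_minimal_tls_version_enforced": "TLS1_2"}),
    ("azurerm_linux_web_app", "api", {"site_config": {"cors": {"allowed_origins": ["*"]}}}),
    ("azurerm_windows_web_app", "portal", {"site_config": {
        "remote_debugging_enabled": False,
        "cors": {"allowed_origins": ["https://portal.example.com"]}}}),
]

if __name__ == "__main__":
    for (check_id, address), verdict in sorted(run_checks(SAMPLE_RESOURCES).items()):
        print(f"{verdict:6s} {check_id:13s} {address}")
```

`azurerm_mysql_server.db` fails CKV_AZURE_53 without ever mentioning public access, which is the point of the `when_missing` field: a check that reads "attribute absent" as "not applicable" would let every server that relied on the provider default through.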
| # | Id | Type | Entity | Policy | IaC | Check file |
|---|---|---|---|---|---|---|
| 1772 | CKV_AZURE_58 | resource | Microsoft.Synapse/workspaces | Ensure that Azure Synapse workspaces enable managed virtual networks | arm | SynapseWorkspaceEnablesManagedVirtualNetworks.py |
| 1773 | CKV_AZURE_58 | resource | Microsoft.Synapse/workspaces | Ensure that Azure Synapse workspaces enable managed virtual networks | Bicep | SynapseWorkspaceEnablesManagedVirtualNetworks.py |
| 1774 | CKV_AZURE_58 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces enable managed virtual networks | Terraform | SynapseWorkspaceEnablesManagedVirtualNetworks.py |
| 1775 | CKV_AZURE_59 | resource | Microsoft.Storage/storageAccounts | Ensure that Storage accounts disallow public access | arm | StorageAccountDisablePublicAccess.py |
| 1776 | CKV_AZURE_59 | resource | Microsoft.Storage/storageAccounts | Ensure that Storage accounts disallow public access | Bicep | StorageAccountDisablePublicAccess.py |
| 1777 | CKV_AZURE_59 | resource | azurerm_storage_account | Ensure that Storage accounts disallow public access | Terraform | StorageAccountDisablePublicAccess.py |
| 1778 | CKV_AZURE_61 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for App Service | Terraform | AzureDefenderOnAppServices.py |
| 1779 | CKV_AZURE_62 | resource | Microsoft.Web/sites | Ensure that function apps do not allow CORS access from every origin | arm | FunctionAppDisallowCORS.py |
| 1780 | CKV_AZURE_62 | resource | Microsoft.Web/sites | Ensure that function apps do not allow CORS access from every origin | Bicep | FunctionAppDisallowCORS.py |
| 1781 | CKV_AZURE_62 | resource | azurerm_function_app | Ensure that function apps do not allow CORS access from every origin | Terraform | FunctionAppDisallowCORS.py |
| 1782 | CKV_AZURE_63 | resource | Microsoft.Web/sites/config | Ensure that App service enables HTTP logging | arm | AppServiceHttpLoggingEnabled.py |
| 1783 | CKV_AZURE_63 | resource | Microsoft.Web/sites/config | Ensure that App service enables HTTP logging | Bicep | AppServiceHttpLoggingEnabled.py |
| 1784 | CKV_AZURE_63 | resource | azurerm_app_service | Ensure that App service enables HTTP logging | Terraform | AppServiceHttpLoggingEnabled.py |
| 1785 | CKV_AZURE_63 | resource | azurerm_linux_web_app | Ensure that App service enables HTTP logging | Terraform | AppServiceHttpLoggingEnabled.py |
| 1786 | CKV_AZURE_63 | resource | azurerm_windows_web_app | Ensure that App service enables HTTP logging | Terraform | AppServiceHttpLoggingEnabled.py |
| 1787 | CKV_AZURE_64 | resource | Microsoft.StorageSync/storageSyncServices | Ensure that Azure File Sync disables public network access | arm | StorageSyncPublicAccessDisabled.py |
| 1788 | CKV_AZURE_64 | resource | Microsoft.StorageSync/storageSyncServices | Ensure that Azure File Sync disables public network access | Bicep | StorageSyncPublicAccessDisabled.py |
| 1789 | CKV_AZURE_64 | resource | azurerm_storage_sync | Ensure that Azure File Sync disables public network access | Terraform | StorageSyncPublicAccessDisabled.py |
| 1790 | CKV_AZURE_65 | resource | Microsoft.Web/sites/config | Ensure that App service enables detailed error messages | arm | AppServiceDetailedErrorMessagesEnabled.py |
| 1791 | CKV_AZURE_65 | resource | Microsoft.Web/sites/config | Ensure that App service enables detailed error messages | Bicep | AppServiceDetailedErrorMessagesEnabled.py |
| 1792 | CKV_AZURE_65 | resource | azurerm_app_service | Ensure that App service enables detailed error messages | Terraform | AppServiceDetailedErrorMessagesEnabled.py |
| 1793 | CKV_AZURE_65 | resource | azurerm_linux_web_app | Ensure that App service enables detailed error messages | Terraform | AppServiceDetailedErrorMessagesEnabled.py |
| 1794 | CKV_AZURE_65 | resource | azurerm_windows_web_app | Ensure that App service enables detailed error messages | Terraform | AppServiceDetailedErrorMessagesEnabled.py |
| 1795 | CKV_AZURE_66 | resource | Microsoft.Web/sites/config | Ensure that App service enables failed request tracing | arm | AppServiceEnableFailedRequest.py |
| 1796 | CKV_AZURE_66 | resource | Microsoft.Web/sites/config | Ensure that App service enables failed request tracing | Bicep | AppServiceEnableFailedRequest.py |
| 1797 | CKV_AZURE_66 | resource | azurerm_app_service | Ensure that App service enables failed request tracing | Terraform | AppServiceEnableFailedRequest.py |
| 1798 | CKV_AZURE_66 | resource | azurerm_linux_web_app | Ensure that App service enables failed request tracing | Terraform | AppServiceEnableFailedRequest.py |
| 1799 | CKV_AZURE_66 | resource | azurerm_windows_web_app | Ensure that App service enables failed request tracing | Terraform | AppServiceEnableFailedRequest.py |
| 1800 | CKV_AZURE_67 | resource | Microsoft.Web/sites | Ensure that ‘HTTP Version’ is the latest, if used to run the Function app | arm | FunctionAppHttpVersionLatest.py |
| 1801 | CKV_AZURE_67 | resource | Microsoft.Web/sites | Ensure that ‘HTTP Version’ is the latest, if used to run the Function app | Bicep | FunctionAppHttpVersionLatest.py |
| 1802 | CKV_AZURE_67 | resource | Microsoft.Web/sites/slots | Ensure that ‘HTTP Version’ is the latest, if used to run the Function app | arm | FunctionAppHttpVersionLatest.py |
| 1803 | CKV_AZURE_67 | resource | Microsoft.Web/sites/slots | Ensure that ‘HTTP Version’ is the latest, if used to run the Function app | Bicep | FunctionAppHttpVersionLatest.py |
| 1804 | CKV_AZURE_67 | resource | azurerm_function_app | Ensure that ‘HTTP Version’ is the latest, if used to run the Function app | Terraform | FunctionAppHttpVersionLatest.py |
| 1805 | CKV_AZURE_67 | resource | azurerm_function_app_slot | Ensure that ‘HTTP Version’ is the latest, if used to run the Function app | Terraform | FunctionAppHttpVersionLatest.py |
| 1806 | CKV_AZURE_68 | resource | Microsoft.DBforPostgreSQL/servers | Ensure that PostgreSQL server disables public network access | arm | PostgreSQLServerPublicAccessDisabled.py |
| 1807 | CKV_AZURE_68 | resource | Microsoft.DBforPostgreSQL/servers | Ensure that PostgreSQL server disables public network access | Bicep | PostgreSQLServerPublicAccessDisabled.py |
| 1808 | CKV_AZURE_68 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server disables public network access | Terraform | PostgreSQLServerPublicAccessDisabled.py |
| 1809 | CKV_AZURE_69 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Azure SQL database servers | Terraform | AzureDefenderOnSqlServers.py |
| 1810 | CKV_AZURE_70 | resource | Microsoft.Web/sites | Ensure that Function apps are only accessible over HTTPS | arm | FunctionAppsAccessibleOverHttps.py |
| 1811 | CKV_AZURE_70 | resource | Microsoft.Web/sites | Ensure that Function apps are only accessible over HTTPS | Bicep | FunctionAppsAccessibleOverHttps.py |
| 1812 | CKV_AZURE_70 | resource | Microsoft.Web/sites/config | Ensure that Function apps are only accessible over HTTPS | arm | FunctionAppsAccessibleOverHttps.py |
| 1813 | CKV_AZURE_70 | resource | Microsoft.Web/sites/config | Ensure that Function apps are only accessible over HTTPS | Bicep | FunctionAppsAccessibleOverHttps.py |
| 1814 | CKV_AZURE_70 | resource | Microsoft.Web/sites/slots | Ensure that Function apps are only accessible over HTTPS | arm | FunctionAppsAccessibleOverHttps.py |
| 1815 | CKV_AZURE_70 | resource | Microsoft.Web/sites/slots | Ensure that Function apps are only accessible over HTTPS | Bicep | FunctionAppsAccessibleOverHttps.py |
| 1816 | CKV_AZURE_70 | resource | azurerm_function_app | Ensure that Function apps are only accessible over HTTPS | Terraform | FunctionAppsAccessibleOverHttps.py |
| 1817 | CKV_AZURE_70 | resource | azurerm_function_app_slot | Ensure that Function apps are only accessible over HTTPS | Terraform | FunctionAppsAccessibleOverHttps.py |
| 1818 | CKV_AZURE_70 | resource | azurerm_linux_function_app | Ensure that Function apps are only accessible over HTTPS | Terraform | FunctionAppsAccessibleOverHttps.py |
| 1819 | CKV_AZURE_70 | resource | azurerm_linux_function_app_slot | Ensure that Function apps are only accessible over HTTPS | Terraform | FunctionAppsAccessibleOverHttps.py |
| 1820 | CKV_AZURE_70 | resource | azurerm_windows_function_app | Ensure that Function apps are only accessible over HTTPS | Terraform | FunctionAppsAccessibleOverHttps.py |
| 1821 | CKV_AZURE_70 | resource | azurerm_windows_function_app_slot | Ensure that Function apps are only accessible over HTTPS | Terraform | FunctionAppsAccessibleOverHttps.py |
| 1822 | CKV_AZURE_71 | resource | Microsoft.Web/sites | Ensure that Managed identity provider is enabled for web apps | arm | AppServiceIdentityProviderEnabled.py |
| 1823 | CKV_AZURE_71 | resource | Microsoft.Web/sites | Ensure that Managed identity provider is enabled for web apps | Bicep | AppServiceIdentityProviderEnabled.py |
| 1824 | CKV_AZURE_71 | resource | azurerm_app_service | Ensure that Managed identity provider is enabled for app services | Terraform | AppServiceIdentityProviderEnabled.py |
| 1825 | CKV_AZURE_71 | resource | azurerm_linux_web_app | Ensure that Managed identity provider is enabled for app services | Terraform | AppServiceIdentityProviderEnabled.py |
| 1826 | CKV_AZURE_71 | resource | azurerm_windows_web_app | Ensure that Managed identity provider is enabled for app services | Terraform | AppServiceIdentityProviderEnabled.py |
| 1827 | CKV_AZURE_72 | resource | Microsoft.Web/sites | Ensure that remote debugging is not enabled for app services | arm | AppServiceRemoteDebuggingNotEnabled.py |
| 1828 | CKV_AZURE_72 | resource | Microsoft.Web/sites | Ensure that remote debugging is not enabled for app services | Bicep | AppServiceRemoteDebuggingNotEnabled.py |
| 1829 | CKV_AZURE_72 | resource | azurerm_app_service | Ensure that remote debugging is not enabled for app services | Terraform | AppServiceRemoteDebuggingNotEnabled.py |
| 1830 | CKV_AZURE_72 | resource | azurerm_linux_function_app | Ensure that remote debugging is not enabled for app services | Terraform | AppServiceRemoteDebuggingNotEnabled.py |
| 1831 | CKV_AZURE_72 | resource | azurerm_linux_function_app_slot | Ensure that remote debugging is not enabled for app services | Terraform | AppServiceRemoteDebuggingNotEnabled.py |
| 1832 | CKV_AZURE_72 | resource | azurerm_linux_web_app | Ensure that remote debugging is not enabled for app services | Terraform | AppServiceRemoteDebuggingNotEnabled.py |
| 1833 | CKV_AZURE_72 | resource | azurerm_linux_web_app_slot | Ensure that remote debugging is not enabled for app services | Terraform | AppServiceRemoteDebuggingNotEnabled.py |
| 1834 | CKV_AZURE_72 | resource | azurerm_windows_function_app | Ensure that remote debugging is not enabled for app services | Terraform | AppServiceRemoteDebuggingNotEnabled.py |
| 1835 | CKV_AZURE_72 | resource | azurerm_windows_function_app_slot | Ensure that remote debugging is not enabled for app services | Terraform | AppServiceRemoteDebuggingNotEnabled.py |
| 1836 | CKV_AZURE_72 | resource | azurerm_windows_web_app | Ensure that remote debugging is not enabled for app services | Terraform | AppServiceRemoteDebuggingNotEnabled.py |
| 1837 | CKV_AZURE_72 | resource | azurerm_windows_web_app_slot | Ensure that remote debugging is not enabled for app services | Terraform | AppServiceRemoteDebuggingNotEnabled.py |
| 1838 | CKV_AZURE_73 | resource | Microsoft.Automation/automationAccounts/variables | Ensure that Automation account variables are encrypted | arm | AutomationEncrypted.py |
| 1839 | CKV_AZURE_73 | resource | Microsoft.Automation/automationAccounts/variables | Ensure that Automation account variables are encrypted | Bicep | AutomationEncrypted.py |
| 1840 | CKV_AZURE_73 | resource | azurerm_automation_variable_bool | Ensure that Automation account variables are encrypted | Terraform | AutomationEncrypted.py |
| 1841 | CKV_AZURE_73 | resource | azurerm_automation_variable_datetime | Ensure that Automation account variables are encrypted | Terraform | AutomationEncrypted.py |
| 1842 | CKV_AZURE_73 | resource | azurerm_automation_variable_int | Ensure that Automation account variables are encrypted | Terraform | AutomationEncrypted.py |
| 1843 | CKV_AZURE_73 | resource | azurerm_automation_variable_string | Ensure that Automation account variables are encrypted | Terraform | AutomationEncrypted.py |
| 1844 | CKV_AZURE_74 | resource | Microsoft.Kusto/clusters | Ensure that Azure Data Explorer (Kusto) uses disk encryption | arm | DataExplorerUsesDiskEncryption.py |
| 1845 | CKV_AZURE_74 | resource | Microsoft.Kusto/clusters | Ensure that Azure Data Explorer (Kusto) uses disk encryption | Bicep | DataExplorerUsesDiskEncryption.py |
| 1846 | CKV_AZURE_74 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer (Kusto) uses disk encryption | Terraform | DataExplorerUsesDiskEncryption.py |
| 1847 | CKV_AZURE_75 | resource | Microsoft.Kusto/clusters | Ensure that Azure Data Explorer uses double encryption | arm | AzureDataExplorerDoubleEncryptionEnabled.py |
| 1848 | CKV_AZURE_75 | resource | Microsoft.Kusto/clusters | Ensure that Azure Data Explorer uses double encryption | Bicep | AzureDataExplorerDoubleEncryptionEnabled.py |
| 1849 | CKV_AZURE_75 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer uses double encryption | Terraform | AzureDataExplorerDoubleEncryptionEnabled.py |
| 1850 | CKV_AZURE_76 | resource | Microsoft.Batch/batchAccounts | Ensure that Azure Batch account uses key vault to encrypt data | arm | AzureBatchAccountUsesKeyVaultEncryption.py |
| 1851 | CKV_AZURE_76 | resource | Microsoft.Batch/batchAccounts | Ensure that Azure Batch account uses key vault to encrypt data | Bicep | AzureBatchAccountUsesKeyVaultEncryption.py |
| 1852 | CKV_AZURE_76 | resource | azurerm_batch_account | Ensure that Azure Batch account uses key vault to encrypt data | Terraform | AzureBatchAccountUsesKeyVaultEncryption.py |
| 1853 | CKV_AZURE_77 | resource | azurerm_network_security_group | Ensure that UDP services are restricted from the Internet | Terraform | NSGRuleUDPAccessRestricted.py |
| 1854 | CKV_AZURE_77 | resource | azurerm_network_security_rule | Ensure that UDP services are restricted from the Internet | Terraform | NSGRuleUDPAccessRestricted.py |
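CKV_AZURE_77 is listed twice because Terraform lets a rule live either inline in `azurerm_network_security_group` (`security_rule` blocks) or as a standalone `azurerm_network_security_rule`, and a check has to see both shapes. The example below is an added illustration of that rule evaluation, not Checkov's `NSGRuleUDPAccessRestricted.py`: it normalises the two shapes, treats the Azure spellings of "anywhere" (`*`, `Internet`, `0.0.0.0/0`, `::/0`) as Internet sources while leaving service tags such as `VirtualNetwork` alone, and flags an inbound Allow rule for `Udp` or `*` from such a source regardless of port. It does not model priority ordering, so a Deny rule that shadows the Allow is not credited. The NSG and rule dictionaries are constructed for this example.

```python
import ipaddress
from typing import List, Tuple

PASSED, FAILED = "PASSED", "FAILED"

# Spellings that mean "anywhere" in an NSG rule: Azure's own service tag, the wildcard,
# and the shorthands people write in Terraform. Real CIDRs are parsed below.
INTERNET_ALIASES = {"*", "internet", "any", "0.0.0.0", "<nw>/0", "/0"}


def prefix_is_internet(prefix: str) -> bool:
    text = str(prefix).strip().lower()
    if text in INTERNET_ALIASES:
        return True
    try:
        network = ipaddress.ip_network(text, strict=False)
    except ValueError:
        return False  # a service tag such as VirtualNetwork or AzureLoadBalancer
    return network.prefixlen == 0  # 0.0.0.0/0 or ::/0


def rule_exposes_udp(rule: dict) -> bool:
    """True for an inbound Allow rule that admits UDP (or any protocol) from the Internet."""
    if str(rule.get("direction", "")).lower() != "inbound":
        return False
    if str(rule.get("access", "")).lower() != "allow":
        return False
    if str(rule.get("protocol", "")).lower() not in ("udp", "*"):
        return False
    sources = list(rule.get("source_address_prefixes") or [])
    if rule.get("source_address_prefix") is not None:
        sources.append(rule["source_address_prefix"])
    return any(prefix_is_internet(s) for s in sources)


def check_udp_restricted(resource_type: str, block: dict) -> Tuple[str, List[str]]:
    """CKV_AZURE_77-style verdict plus the names of the offending rules.

    Handles both shapes Terraform allows: a standalone azurerm_network_security_rule and
    an azurerm_network_security_group with inline security_rule blocks."""
    if resource_type == "azurerm_network_security_rule":
        rules = [block]
    elif resource_type == "azurerm_network_security_group":
        rules = list(block.get("security_rule") or [])
    else:
        raise ValueError(f"not an NSG resource: {resource_type}")
    offending = [str(r.get("name", "<unnamed>")) for r in rules if rule_exposes_udp(r)]
    return (FAILED if offending else PASSED), offending


# Constructed sample: one NSG with four inline rules and one standalone rule.
SAMPLE_NSG = {
    "name": "nsg-app",
    "security_rule": [
        {"name": "allow-dns-from-vnet", "priority": 100, "direction": "Inbound", "access": "Allow",
         "protocol": "Udp", "source_address_prefix": "VirtualNetwork", "destination_port_range": "53"},
        {"name": "allow-wireguard-anywhere", "priority": 110, "direction": "Inbound", "access": "Allow",
         "protocol": "Udp", "source_address_prefix": "*", "destination_port_range": "51820"},
        {"name": "allow-https", "priority": 120, "direction": "Inbound", "access": "Allow",
         "protocol": "Tcp", "source_address_prefix": "0.0.0.0/0", "destination_port_range": "443"},
        {"name": "deny-all-in", "priority": 4000, "direction": "Inbound", "access": "Deny",
         "protocol": "*", "source_address_prefix": "0.0.0.0/0", "destination_port_range": "*"},
    ],
}
SAMPLE_RULE = {
    "name": "allow-any-from-office", "priority": 130, "direction": "Inbound", "access": "Allow",
    "protocol": "*", "source_address_prefixes": ["203.0.113.0/24", "198.51.100.7"],
    "destination_port_range": "*", "network_security_group_name": "nsg-app",
}

if __name__ == "__main__":
    print(check_udp_restricted("azurerm_network_security_group", SAMPLE_NSG))
    print(check_udp_restricted("azurerm_network_security_rule", SAMPLE_RULE))
```

Two details are easy to get wrong in a home-grown version of this check: `protocol = "*"` admits UDP even though the word never appears, and `source_address_prefixes` (plural) is a separate attribute from `source_address_prefix`, so a rule that lists `"any"` among several specific CIDRs is still open.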
| # | Id | Type | Entity | Policy | IaC | Check file |
|---|---|---|---|---|---|---|
| 1855 | CKV_AZURE_78 | resource | Microsoft.Web/sites | Ensure FTP deployments are disabled | arm | AppServiceFTPSState.py |
| 1856 | CKV_AZURE_78 | resource | Microsoft.Web/sites | Ensure FTP deployments are disabled | Bicep | AppServiceFTPSState.py |
| 1857 | CKV_AZURE_78 | resource | azurerm_app_service | Ensure FTP deployments are disabled | Terraform | AppServiceFTPSState.py |
| 1858 | CKV_AZURE_78 | resource | azurerm_linux_web_app | Ensure FTP deployments are disabled | Terraform | AppServiceFTPSState.py |
| 1859 | CKV_AZURE_78 | resource | azurerm_windows_web_app | Ensure FTP deployments are disabled | Terraform | AppServiceFTPSState.py |
| 1860 | CKV_AZURE_79 | resource | Microsoft.Security/pricings | Ensure that Azure Defender is set to On for SQL servers on machines | arm | AzureDefenderOnSqlServersVMS.py |
| 1861 | CKV_AZURE_79 | resource | Microsoft.Security/pricings | Ensure that Azure Defender is set to On for SQL servers on machines | Bicep | AzureDefenderOnSqlServersVMS.py |
| 1862 | CKV_AZURE_79 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for SQL servers on machines | Terraform | AzureDefenderOnSqlServerVMS.py |
| 1863 | CKV_AZURE_80 | resource | Microsoft.Web/sites/config | Ensure that ‘.NET Framework’ version is the latest, if used as a part of the web app | arm | AppServiceDotnetFrameworkVersion.py |
| 1864 | CKV_AZURE_80 | resource | Microsoft.Web/sites/config | Ensure that ‘.NET Framework’ version is the latest, if used as a part of the web app | Bicep | AppServiceDotnetFrameworkVersion.py |
| 1865 | CKV_AZURE_80 | resource | azurerm_app_service | Ensure that ‘.NET Framework’ version is the latest, if used as a part of the web app | Terraform | AppServiceDotnetFrameworkVersion.py |
| 1866 | CKV_AZURE_80 | resource | azurerm_windows_web_app | Ensure that ‘.NET Framework’ version is the latest, if used as a part of the web app | Terraform | AppServiceDotnetFrameworkVersion.py |
| 1867 | CKV_AZURE_81 | resource | Microsoft.Web/sites | Ensure that ‘PHP version’ is the latest, if used to run the web app | arm | AppServicePHPVersion.py |
| 1868 | CKV_AZURE_81 | resource | Microsoft.Web/sites | Ensure that ‘PHP version’ is the latest, if used to run the web app | Bicep | AppServicePHPVersion.py |
| 1869 | CKV_AZURE_81 | resource | azurerm_app_service | Ensure that ‘PHP version’ is the latest, if used to run the web app | Terraform | AppServicePHPVersion.py |
| 1870 | CKV_AZURE_82 | resource | Microsoft.Web/sites | Ensure that ‘Python version’ is the latest, if used to run the web app | arm | AppServicePythonVersion.py |
| 1871 | CKV_AZURE_82 | resource | Microsoft.Web/sites | Ensure that ‘Python version’ is the latest, if used to run the web app | Bicep | AppServicePythonVersion.py |
| 1872 | CKV_AZURE_82 | resource | azurerm_app_service | Ensure that ‘Python version’ is the latest, if used to run the web app | Terraform | AppServicePythonVersion.py |
| 1873 | CKV_AZURE_83 | resource | Microsoft.Web/sites | Ensure that ‘Java version’ is the latest, if used to run the web app | arm | AppServiceJavaVersion.py |
| 1874 | CKV_AZURE_83 | resource | Microsoft.Web/sites | Ensure that ‘Java version’ is the latest, if used to run the web app | Bicep | AppServiceJavaVersion.py |
| 1875 | CKV_AZURE_83 | resource | azurerm_app_service | Ensure that ‘Java version’ is the latest, if used to run the web app | Terraform | AppServiceJavaVersion.py |
| 1876 | CKV_AZURE_84 | resource | Microsoft.Security/pricings | Ensure that Azure Defender is set to On for Storage | arm | AzureDefenderOnStorage.py |
| 1877 | CKV_AZURE_84 | resource | Microsoft.Security/pricings | Ensure that Azure Defender is set to On for Storage | Bicep | AzureDefenderOnStorage.py |
| 1878 | CKV_AZURE_84 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Storage | Terraform | AzureDefenderOnStorage.py |
| 1879 | CKV_AZURE_85 | resource | Microsoft.Security/pricings | Ensure that Azure Defender is set to On for Kubernetes | arm | AzureDefenderOnKubernetes.py |
| 1880 | CKV_AZURE_85 | resource | Microsoft.Security/pricings | Ensure that Azure Defender is set to On for Kubernetes | Bicep | AzureDefenderOnKubernetes.py |
| 1881 | CKV_AZURE_85 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Kubernetes | Terraform | AzureDefenderOnKubernetes.py |
| 1882 | CKV_AZURE_86 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Container Registries | Terraform | AzureDefenderOnContainerRegistry.py |
| 1883 | CKV_AZURE_87 | resource | Microsoft.Security/pricings | Ensure that Azure Defender is set to On for Key Vault | arm | AzureDefenderOnKeyVaults.py |
| 1884 | CKV_AZURE_87 | resource | Microsoft.Security/pricings | Ensure that Azure Defender is set to On for Key Vault | Bicep | AzureDefenderOnKeyVaults.py |
| 1885 | CKV_AZURE_87 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Key Vault | Terraform | AzureDefenderOnKeyVaults.py |
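CKV_AZURE_55, 61, 69, 79 and 84 to 87 all inspect `azurerm_security_center_subscription_pricing`, one Defender plan per check, and each can only judge a pricing block that exists: a subscription module that never declares a Key Vaults plan produces no finding for CKV_AZURE_87 at all. The example below is added here (it is not Checkov code) and turns those per-resource checks into a coverage report that reports an absent plan next to one left on the Free tier, then emits the Terraform needed to close each gap. The `resource_type` strings are the azurerm values I take each check to compare against, and the default of `VirtualMachines` when `resource_type` is omitted is the provider's documented default; both are recorded as assumptions in the code. The pricing blocks are constructed input.

```python
from typing import Dict, Iterable, List

# Defender plan each check expects at tier "Standard". The resource_type strings are
# the azurerm values I take these checks to compare against; treat the mapping as an
# assumption of this example rather than as Checkov's source.
REQUIRED_PLANS = {
    "CKV_AZURE_55": "VirtualMachines",
    "CKV_AZURE_61": "AppServices",
    "CKV_AZURE_69": "SqlServers",
    "CKV_AZURE_79": "SqlServerVirtualMachines",
    "CKV_AZURE_84": "StorageAccounts",
    "CKV_AZURE_85": "KubernetesService",
    "CKV_AZURE_86": "ContainerRegistry",
    "CKV_AZURE_87": "KeyVaults",
}


def defender_coverage(pricings: Iterable[dict]) -> Dict[str, str]:
    """Map every check id to PASSED, FAILED (plan declared but not Standard) or MISSING
    (no pricing resource declares that plan, so a per-resource check never runs)."""
    tiers: Dict[str, str] = {}
    for block in pricings:
        # Assumption recorded here: azurerm defaults resource_type to VirtualMachines
        # when the attribute is omitted.
        plan = str(block.get("resource_type", "VirtualMachines"))
        tiers[plan] = str(block.get("tier", "")).lower()
    report: Dict[str, str] = {}
    for check_id, plan in REQUIRED_PLANS.items():
        if plan not in tiers:
            report[check_id] = "MISSING"
        elif tiers[plan] == "standard":
            report[check_id] = "PASSED"
        else:
            report[check_id] = "FAILED"
    return report


def remediation_hcl(report: Dict[str, str]) -> str:
    """Terraform to add for every MISSING plan, one pricing resource per plan."""
    blocks: List[str] = []
    for check_id, verdict in sorted(report.items()):
        if verdict != "MISSING":
            continue
        plan = REQUIRED_PLANS[check_id]
        blocks.append(
            f'resource "azurerm_security_center_subscription_pricing" "{plan.lower()}" {{\n'
            f'  tier          = "Standard"\n'
            f'  resource_type = "{plan}"\n'
            f'}}'
        )
    return "\n\n".join(blocks)


# Constructed sample: what a typical subscription module declares.
SAMPLE_PRICINGS = [
    {"tier": "Standard"},                                   # VirtualMachines by default
    {"tier": "Free", "resource_type": "StorageAccounts"},   # declared, but left on Free
    {"tier": "Standard", "resource_type": "KeyVaults"},
    {"tier": "Standard", "resource_type": "SqlServers"},
]

if __name__ == "__main__":
    report = defender_coverage(SAMPLE_PRICINGS)
    for check_id, verdict in sorted(report.items()):
        print(f"{verdict:8s} {check_id} ({REQUIRED_PLANS[check_id]})")
    print(remediation_hcl(report))
```

The MISSING verdict is the one a plain per-resource scan cannot produce, which is why Defender coverage is better enforced as a whole-subscription assertion (the set of plans that must exist) than as eight independent checks on whatever blocks happen to be present.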
1886 |
CKV_AZURE_88 |
resource |
Microsoft.Web/sites/config |
Ensure that app services use Azure Files |
arm |
AppServiceUsedAzureFiles.py |
1887 |
CKV_AZURE_88 |
resource |
Microsoft.Web/sites/config |
Ensure that app services use Azure Files |
Bicep |
AppServiceUsedAzureFiles.py |
1888 |
CKV_AZURE_88 |
resource |
azurerm_app_service |
Ensure that app services use Azure Files |
Terraform |
AppServiceUsedAzureFiles.py |
1889 |
CKV_AZURE_88 |
resource |
azurerm_linux_web_app |
Ensure that app services use Azure Files |
Terraform |
AppServiceUsedAzureFiles.py |
1890 |
CKV_AZURE_88 |
resource |
azurerm_windows_web_app |
Ensure that app services use Azure Files |
Terraform |
AppServiceUsedAzureFiles.py |
1891 |
CKV_AZURE_89 |
resource |
Microsoft.Cache/redis |
Ensure that Azure Cache for Redis disables public network access |
arm |
RedisCachePublicNetworkAccessEnabled.py |
1892 |
CKV_AZURE_89 |
resource |
Microsoft.Cache/redis |
Ensure that Azure Cache for Redis disables public network access |
Bicep |
RedisCachePublicNetworkAccessEnabled.py |
1893 |
CKV_AZURE_89 |
resource |
azurerm_redis_cache |
Ensure that Azure Cache for Redis disables public network access |
Terraform |
RedisCachePublicNetworkAccessEnabled.py |
1894 |
CKV_AZURE_91 |
resource |
azurerm_redis_cache |
Ensure that only SSL are enabled for Cache for Redis |
Terraform |
RedisCacheEnableNonSSLPort.py |
1895 |
CKV_AZURE_92 |
resource |
Microsoft.Compute/virtualMachines |
Ensure that Virtual Machines use managed disks |
arm |
VMStorageOsDisk.py |
1896 |
CKV_AZURE_92 |
resource |
Microsoft.Compute/virtualMachines |
Ensure that Virtual Machines use managed disks |
Bicep |
VMStorageOsDisk.py |
1897 |
CKV_AZURE_92 |
resource |
azurerm_linux_virtual_machine |
Ensure that Virtual Machines use managed disks |
Terraform |
VMStorageOsDisk.py |
1898 |
CKV_AZURE_92 |
resource |
azurerm_windows_virtual_machine |
Ensure that Virtual Machines use managed disks |
Terraform |
VMStorageOsDisk.py |
1899 |
CKV_AZURE_93 |
resource |
Microsoft.Compute/disks |
Ensure that managed disks use a specific set of disk encryption sets for the customer-managed key encryption |
arm |
AzureManagedDiskEncryptionSet.py |
1900 |
CKV_AZURE_93 |
resource |
Microsoft.Compute/disks |
Ensure that managed disks use a specific set of disk encryption sets for the customer-managed key encryption |
Bicep |
AzureManagedDiskEncryptionSet.py |
1901 |
CKV_AZURE_93 |
resource |
azurerm_managed_disk |
Ensure that managed disks use a specific set of disk encryption sets for the customer-managed key encryption |
Terraform |
AzureManagedDiskEncryptionSet.py |
1902 |
CKV_AZURE_94 |
resource |
Microsoft.DBforMySQL/flexibleServers |
Ensure that My SQL server enables geo-redundant backups |
arm |
MySQLGeoBackupEnabled.py |
1903 |
CKV_AZURE_94 |
resource |
Microsoft.DBforMySQL/flexibleServers |
Ensure that My SQL server enables geo-redundant backups |
Bicep |
MySQLGeoBackupEnabled.py |
1904 |
CKV_AZURE_94 |
resource |
azurerm_mysql_flexible_server |
Ensure that My SQL server enables geo-redundant backups |
Terraform |
MySQLGeoBackupEnabled.py |
1905 |
CKV_AZURE_94 |
resource |
azurerm_mysql_server |
Ensure that My SQL server enables geo-redundant backups |
Terraform |
MySQLGeoBackupEnabled.py |
1906 |
CKV_AZURE_95 |
resource |
Microsoft.Compute/virtualMachineScaleSets |
Ensure that automatic OS image patching is enabled for Virtual Machine Scale Sets |
arm |
VMScaleSetsAutoOSImagePatchingEnabled.py |
1907 |
CKV_AZURE_95 |
resource |
Microsoft.Compute/virtualMachineScaleSets |
Ensure that automatic OS image patching is enabled for Virtual Machine Scale Sets |
Bicep |
VMScaleSetsAutoOSImagePatchingEnabled.py |
1908 |
CKV_AZURE_95 |
resource |
azurerm_virtual_machine_scale_set |
Ensure that automatic OS image patching is enabled for Virtual Machine Scale Sets |
Terraform |
VMScaleSetsAutoOSImagePatchingEnabled.py |
1909 |
CKV_AZURE_96 |
resource |
Microsoft.DBforMySQL/flexibleServers |
Ensure that MySQL server enables infrastructure encryption |
arm |
MySQLEncryptionEnabled.py |
1910 |
CKV_AZURE_96 |
resource |
Microsoft.DBforMySQL/flexibleServers |
Ensure that MySQL server enables infrastructure encryption |
Bicep |
MySQLEncryptionEnabled.py |
1911 |
CKV_AZURE_96 |
resource |
azurerm_mysql_server |
Ensure that MySQL server enables infrastructure encryption |
Terraform |
MySQLEncryptionEnabled.py |
1912 |
CKV_AZURE_97 |
resource |
Microsoft.Compute/virtualMachineScaleSets |
Ensure that Virtual machine scale sets have encryption at host enabled |
arm |
VMEncryptionAtHostEnabled.py |
1913 |
CKV_AZURE_97 |
resource |
Microsoft.Compute/virtualMachineScaleSets |
Ensure that Virtual machine scale sets have encryption at host enabled |
Bicep |
VMEncryptionAtHostEnabled.py |
1914 |
CKV_AZURE_97 |
resource |
Microsoft.Compute/virtualMachines |
Ensure that Virtual machine scale sets have encryption at host enabled |
arm |
VMEncryptionAtHostEnabled.py |
1915 |
CKV_AZURE_97 |
resource |
Microsoft.Compute/virtualMachines |
Ensure that Virtual machine scale sets have encryption at host enabled |
Bicep |
VMEncryptionAtHostEnabled.py |
1916 |
CKV_AZURE_97 |
resource |
azurerm_linux_virtual_machine_scale_set |
Ensure that Virtual machine scale sets have encryption at host enabled |
Terraform |
VMEncryptionAtHostEnabled.py |
1917 |
CKV_AZURE_97 |
resource |
azurerm_windows_virtual_machine_scale_set |
Ensure that Virtual machine scale sets have encryption at host enabled |
Terraform |
VMEncryptionAtHostEnabled.py |
1918 |
CKV_AZURE_98 |
resource |
azurerm_container_group |
Ensure that Azure Container group is deployed into virtual network |
Terraform |
AzureContainerGroupDeployedIntoVirtualNetwork.py |
1919 |
CKV_AZURE_99 |
resource |
Microsoft.DocumentDB/databaseAccounts |
Ensure Cosmos DB accounts have restricted access |
arm |
CosmosDBAccountsRestrictedAccess.py |
1920 |
CKV_AZURE_99 |
resource |
Microsoft.DocumentDB/databaseAccounts |
Ensure Cosmos DB accounts have restricted access |
Bicep |
CosmosDBAccountsRestrictedAccess.py |
1921 |
CKV_AZURE_99 |
resource |
azurerm_cosmosdb_account |
Ensure Cosmos DB accounts have restricted access |
Terraform |
CosmosDBAccountsRestrictedAccess.py |
1922 |
CKV_AZURE_100 |
resource |
Microsoft.DocumentDb/databaseAccounts |
Ensure that Cosmos DB accounts have customer-managed keys to encrypt data at rest |
arm |
CosmosDBHaveCMK.py |
1923 |
CKV_AZURE_100 |
resource |
Microsoft.DocumentDb/databaseAccounts |
Ensure that Cosmos DB accounts have customer-managed keys to encrypt data at rest |
Bicep |
CosmosDBHaveCMK.py |
1924 |
CKV_AZURE_100 |
resource |
azurerm_cosmosdb_account |
Ensure that Cosmos DB accounts have customer-managed keys to encrypt data at rest |
Terraform |
CosmosDBHaveCMK.py |
1925 |
CKV_AZURE_101 |
resource |
Microsoft.DocumentDB/databaseAccounts |
Ensure that Azure Cosmos DB disables public network access |
arm |
CosmosDBDisablesPublicNetwork.py |
| 1926 | CKV_AZURE_101 | resource | Microsoft.DocumentDB/databaseAccounts | Ensure that Azure Cosmos DB disables public network access | Bicep | CosmosDBDisablesPublicNetwork.py |
| 1927 | CKV_AZURE_101 | resource | azurerm_cosmosdb_account | Ensure that Azure Cosmos DB disables public network access | Terraform | CosmosDBDisablesPublicNetwork.py |
| 1928 | CKV_AZURE_102 | resource | Microsoft.DBforPostgreSQL/servers | Ensure that PostgreSQL server enables geo-redundant backups | arm | PostgressSQLGeoBackupEnabled.py |
| 1929 | CKV_AZURE_102 | resource | Microsoft.DBforPostgreSQL/servers | Ensure that PostgreSQL server enables geo-redundant backups | Bicep | PostgressSQLGeoBackupEnabled.py |
| 1930 | CKV_AZURE_102 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables geo-redundant backups | Terraform | PostgressSQLGeoBackupEnabled.py |
| 1931 | CKV_AZURE_103 | resource | Microsoft.DataFactory/factories | Ensure that Azure Data Factory uses Git repository for source control | arm | DataFactoryUsesGitRepository.py |
| 1932 | CKV_AZURE_103 | resource | Microsoft.DataFactory/factories | Ensure that Azure Data Factory uses Git repository for source control | Bicep | DataFactoryUsesGitRepository.py |
| 1933 | CKV_AZURE_103 | resource | azurerm_data_factory | Ensure that Azure Data Factory uses Git repository for source control | Terraform | DataFactoryUsesGitRepository.py |
| 1934 | CKV_AZURE_104 | resource | Microsoft.DataFactory/factories | Ensure that Azure Data factory public network access is disabled | arm | DataFactoryNoPublicNetworkAccess.py |
| 1935 | CKV_AZURE_104 | resource | Microsoft.DataFactory/factories | Ensure that Azure Data factory public network access is disabled | Bicep | DataFactoryNoPublicNetworkAccess.py |
| 1936 | CKV_AZURE_104 | resource | azurerm_data_factory | Ensure that Azure Data factory public network access is disabled | Terraform | DataFactoryNoPublicNetworkAccess.py |
| 1937 | CKV_AZURE_105 | resource | Microsoft.DataLakeStore/accounts | Ensure that Data Lake Store accounts enables encryption | arm | DataLakeStoreEncryption.py |
| 1938 | CKV_AZURE_105 | resource | Microsoft.DataLakeStore/accounts | Ensure that Data Lake Store accounts enables encryption | Bicep | DataLakeStoreEncryption.py |
| 1939 | CKV_AZURE_105 | resource | azurerm_data_lake_store | Ensure that Data Lake Store accounts enables encryption | Terraform | DataLakeStoreEncryption.py |
| 1940 | CKV_AZURE_106 | resource | azurerm_eventgrid_domain | Ensure that Azure Event Grid Domain public network access is disabled | Terraform | EventgridDomainNetworkAccess.py |
| 1941 | CKV_AZURE_107 | resource | Microsoft.ApiManagement/service | Ensure that API management services use virtual networks | arm | APIServicesUseVirtualNetwork.py |
| 1942 | CKV_AZURE_107 | resource | Microsoft.ApiManagement/service | Ensure that API management services use virtual networks | Bicep | APIServicesUseVirtualNetwork.py |
| 1943 | CKV_AZURE_107 | resource | azurerm_api_management | Ensure that API management services use virtual networks | Terraform | APIServicesUseVirtualNetwork.py |
| 1944 | CKV_AZURE_108 | resource | azurerm_iothub | Ensure that Azure IoT Hub disables public network access | Terraform | IoTNoPublicNetworkAccess.py |
| 1945 | CKV_AZURE_109 | resource | Microsoft.KeyVault/vaults | Ensure that key vault allows firewall rules settings | arm | KeyVaultEnablesFirewallRulesSettings.py |
| 1946 | CKV_AZURE_109 | resource | Microsoft.KeyVault/vaults | Ensure that key vault allows firewall rules settings | Bicep | KeyVaultEnablesFirewallRulesSettings.py |
| 1947 | CKV_AZURE_109 | resource | azurerm_key_vault | Ensure that key vault allows firewall rules settings | Terraform | KeyVaultEnablesFirewallRulesSettings.py |
| 1948 | CKV_AZURE_110 | resource | Microsoft.KeyVault/vaults | Ensure that key vault enables purge protection | arm | KeyVaultEnablesPurgeProtection.py |
| 1949 | CKV_AZURE_110 | resource | Microsoft.KeyVault/vaults | Ensure that key vault enables purge protection | Bicep | KeyVaultEnablesPurgeProtection.py |
| 1950 | CKV_AZURE_110 | resource | azurerm_key_vault | Ensure that key vault enables purge protection | Terraform | KeyVaultEnablesPurgeProtection.py |
| 1951 | CKV_AZURE_111 | resource | Microsoft.KeyVault/vaults | Ensure that key vault enables soft delete | arm | KeyVaultEnablesSoftDelete.py |
| 1952 | CKV_AZURE_111 | resource | Microsoft.KeyVault/vaults | Ensure that key vault enables soft delete | Bicep | KeyVaultEnablesSoftDelete.py |
| 1953 | CKV_AZURE_111 | resource | azurerm_key_vault | Ensure that key vault enables soft delete | Terraform | KeyVaultEnablesSoftDelete.py |
| 1954 | CKV_AZURE_112 | resource | Microsoft.KeyVault/vaults/keys | Ensure that key vault key is backed by HSM | arm | KeyBackedByHSM.py |
| 1955 | CKV_AZURE_112 | resource | Microsoft.KeyVault/vaults/keys | Ensure that key vault key is backed by HSM | Bicep | KeyBackedByHSM.py |
| 1956 | CKV_AZURE_112 | resource | azurerm_key_vault_key | Ensure that key vault key is backed by HSM | Terraform | KeyBackedByHSM.py |
| 1957 | CKV_AZURE_113 | resource | Microsoft.Sql/servers | Ensure that SQL server disables public network access | arm | SQLServerHasPublicAccessDisabled.py |
| 1958 | CKV_AZURE_113 | resource | Microsoft.Sql/servers | Ensure that SQL server disables public network access | Bicep | SQLServerHasPublicAccessDisabled.py |
| 1959 | CKV_AZURE_113 | resource | azurerm_mssql_server | Ensure that SQL server disables public network access | Terraform | SQLServerPublicAccessDisabled.py |
| 1960 | CKV_AZURE_114 | resource | Microsoft.KeyVault/vaults/secrets | Ensure that key vault secrets have “content_type” set | arm | SecretContentType.py |
| 1961 | CKV_AZURE_114 | resource | Microsoft.KeyVault/vaults/secrets | Ensure that key vault secrets have “content_type” set | Bicep | SecretContentType.py |
| 1962 | CKV_AZURE_114 | resource | azurerm_key_vault_secret | Ensure that key vault secrets have “content_type” set | Terraform | SecretContentType.py |
| 1963 | CKV_AZURE_115 | resource | azurerm_kubernetes_cluster | Ensure that AKS enables private clusters | Terraform | AKSEnablesPrivateClusters.py |
| 1964 | CKV_AZURE_116 | resource | azurerm_kubernetes_cluster | Ensure that AKS uses Azure Policies Add-on | Terraform | AKSUsesAzurePoliciesAddon.py |
| 1965 | CKV_AZURE_117 | resource | azurerm_kubernetes_cluster | Ensure that AKS uses disk encryption set | Terraform | AKSUsesDiskEncryptionSet.py |
| 1966 | CKV_AZURE_118 | resource | azurerm_network_interface | Ensure that Network Interfaces disable IP forwarding | Terraform | NetworkInterfaceEnableIPForwarding.py |
| 1967 | CKV_AZURE_119 | resource | azurerm_network_interface | Ensure that Network Interfaces don’t use public IPs | Terraform | AzureNetworkInterfacePublicIPAddressId.yaml |
| 1968 | CKV_AZURE_120 | resource | azurerm_application_gateway | Ensure that Application Gateway enables WAF | Terraform | ApplicationGatewayEnablesWAF.yaml |
| 1969 | CKV_AZURE_120 | resource | azurerm_web_application_firewall_policy | Ensure that Application Gateway enables WAF | Terraform | ApplicationGatewayEnablesWAF.yaml |
| 1970 | CKV_AZURE_121 | resource | Microsoft.Network/frontDoors | Ensure that Azure Front Door enables WAF | arm | AzureFrontDoorEnablesWAF.py |
| 1971 | CKV_AZURE_121 | resource | Microsoft.Network/frontDoors | Ensure that Azure Front Door enables WAF | Bicep | AzureFrontDoorEnablesWAF.py |
| 1972 | CKV_AZURE_121 | resource | azurerm_frontdoor | Ensure that Azure Front Door enables WAF | Terraform | AzureFrontDoorEnablesWAF.py |
| 1973 | CKV_AZURE_122 | resource | azurerm_web_application_firewall_policy | Ensure that Application Gateway uses WAF in “Detection” or “Prevention” modes | Terraform | AppGWUseWAFMode.py |
| 1974 | CKV_AZURE_123 | resource | Microsoft.Network/FrontDoorWebApplicationFirewallPolicies | Ensure that Azure Front Door uses WAF in “Detection” or “Prevention” modes | arm | FrontdoorUseWAFMode.py |
| 1975 | CKV_AZURE_123 | resource | Microsoft.Network/FrontDoorWebApplicationFirewallPolicies | Ensure that Azure Front Door uses WAF in “Detection” or “Prevention” modes | Bicep | FrontdoorUseWAFMode.py |
| 1976 | CKV_AZURE_123 | resource | azurerm_frontdoor_firewall_policy | Ensure that Azure Front Door uses WAF in “Detection” or “Prevention” modes | Terraform | FrontdoorUseWAFMode.py |
| 1977 | CKV_AZURE_124 | resource | azurerm_search_service | Ensure that Azure Cognitive Search disables public network access | Terraform | AzureSearchPublicNetworkAccessDisabled.py |
| 1978 | CKV_AZURE_125 | resource | Microsoft.ServiceFabric/clusters | Ensures that Service Fabric use three levels of protection available | arm | AzureServiceFabricClusterProtectionLevel.py |
| 1979 | CKV_AZURE_125 | resource | Microsoft.ServiceFabric/clusters | Ensures that Service Fabric use three levels of protection available | Bicep | AzureServiceFabricClusterProtectionLevel.py |
| 1980 | CKV_AZURE_125 | resource | azurerm_service_fabric_cluster | Ensures that Service Fabric use three levels of protection available | Terraform | AzureServiceFabricClusterProtectionLevel.py |
| 1981 | CKV_AZURE_126 | resource | azurerm_service_fabric_cluster | Ensures that Active Directory is used for authentication for Service Fabric | Terraform | ActiveDirectoryUsedAuthenticationServiceFabric.py |
| 1982 | CKV_AZURE_127 | resource | azurerm_mysql_server | Ensure that My SQL server enables Threat detection policy | Terraform | MySQLTreatDetectionEnabled.py |
| 1983 | CKV_AZURE_128 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables Threat detection policy | Terraform | PostgresSQLTreatDetectionEnabled.py |
| 1984 | CKV_AZURE_129 | resource | Microsoft.DBforMariaDB/servers | Ensure that MariaDB server enables geo-redundant backups | arm | MariaDBGeoBackupEnabled.py |
| 1985 | CKV_AZURE_129 | resource | Microsoft.DBforMariaDB/servers | Ensure that MariaDB server enables geo-redundant backups | Bicep | MariaDBGeoBackupEnabled.py |
| 1986 | CKV_AZURE_129 | resource | azurerm_mariadb_server | Ensure that MariaDB server enables geo-redundant backups | Terraform | MariaDBGeoBackupEnabled.py |
| 1987 | CKV_AZURE_130 | resource | Microsoft.DBforPostgreSQL/servers | Ensure that PostgreSQL server enables infrastructure encryption | arm | PostgreSQLEncryptionEnabled.py |
| 1988 | CKV_AZURE_130 | resource | Microsoft.DBforPostgreSQL/servers | Ensure that PostgreSQL server enables infrastructure encryption | Bicep | PostgreSQLEncryptionEnabled.py |
| 1989 | CKV_AZURE_130 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables infrastructure encryption | Terraform | PostgreSQLEncryptionEnabled.py |
| 1990 | CKV_AZURE_131 | resource | azurerm_security_center_contact | Ensure that ‘Security contact emails’ is set | Terraform | SecurityCenterContactEmails.py |
| 1991 | CKV_AZURE_131 | parameter | secureString | SecureString parameter should not have hardcoded default values | arm | SecureStringParameterNoHardcodedValue.py |
| 1992 | CKV_AZURE_131 | parameter | string | SecureString parameter should not have hardcoded default values | Bicep | SecureStringParameterNoHardcodedValue.py |
| 1993 | CKV_AZURE_132 | resource | Microsoft.DocumentDB/databaseAccounts | Ensure cosmosdb does not allow privileged escalation by restricting management plane changes | arm | CosmosDBDisableAccessKeyWrite.py |
| 1994 | CKV_AZURE_132 | resource | Microsoft.DocumentDB/databaseAccounts | Ensure cosmosdb does not allow privileged escalation by restricting management plane changes | Bicep | CosmosDBDisableAccessKeyWrite.py |
| 1995 | CKV_AZURE_132 | resource | azurerm_cosmosdb_account | Ensure cosmosdb does not allow privileged escalation by restricting management plane changes | Terraform | CosmosDBDisableAccessKeyWrite.py |
| 1996 | CKV_AZURE_133 | resource | Microsoft.Network/frontdoorWebApplicationFirewallPolicies | Ensure Front Door WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell | arm | FrontDoorWAFACLCVE202144228.py |
| 1997 | CKV_AZURE_133 | resource | Microsoft.Network/frontdoorWebApplicationFirewallPolicies | Ensure Front Door WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell | Bicep | FrontDoorWAFACLCVE202144228.py |
| 1998 | CKV_AZURE_133 | resource | azurerm_frontdoor_firewall_policy | Ensure Front Door WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell | Terraform | FrontDoorWAFACLCVE202144228.py |
| 1999 | CKV_AZURE_134 | resource | Microsoft.CognitiveServices/accounts | Ensure that Cognitive Services accounts disable public network access | arm | CognitiveServicesDisablesPublicNetwork.py |
| 2000 | CKV_AZURE_134 | resource | Microsoft.CognitiveServices/accounts | Ensure that Cognitive Services accounts disable public network access | Bicep | CognitiveServicesDisablesPublicNetwork.py |
| 2001 | CKV_AZURE_134 | resource | azurerm_cognitive_account | Ensure that Cognitive Services accounts disable public network access | Terraform | CognitiveServicesDisablesPublicNetwork.py |
| 2002 | CKV_AZURE_135 | resource | Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies | Ensure Application Gateway WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell | arm | AppGatewayWAFACLCVE202144228.py |
| 2003 | CKV_AZURE_135 | resource | Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies | Ensure Application Gateway WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell | Bicep | AppGatewayWAFACLCVE202144228.py |
| 2004 | CKV_AZURE_135 | resource | azurerm_web_application_firewall_policy | Ensure Application Gateway WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell | Terraform | AppGatewayWAFACLCVE202144228.py |
| 2005 | CKV_AZURE_136 | resource | azurerm_postgresql_flexible_server | Ensure that PostgreSQL Flexible server enables geo-redundant backups | Terraform | PostgreSQLFlexiServerGeoBackupEnabled.py |
| 2006 | CKV_AZURE_137 | resource | Microsoft.ContainerRegistry/registries | Ensure ACR admin account is disabled | arm | ACRAdminAccountDisabled.py |
| 2007 | CKV_AZURE_137 | resource | Microsoft.ContainerRegistry/registries | Ensure ACR admin account is disabled | Bicep | ACRAdminAccountDisabled.py |
| 2008 | CKV_AZURE_137 | resource | azurerm_container_registry | Ensure ACR admin account is disabled | Terraform | ACRAdminAccountDisabled.py |
| 2009 | CKV_AZURE_138 | resource | Microsoft.ContainerRegistry/registries | Ensures that ACR disables anonymous pulling of images | arm | ACRAnonymousPullDisabled.py |
| 2010 | CKV_AZURE_138 | resource | Microsoft.ContainerRegistry/registries | Ensures that ACR disables anonymous pulling of images | Bicep | ACRAnonymousPullDisabled.py |
| 2011 | CKV_AZURE_138 | resource | azurerm_container_registry | Ensures that ACR disables anonymous pulling of images | Terraform | ACRAnonymousPullDisabled.py |
| 2012 | CKV_AZURE_139 | resource | Microsoft.ContainerRegistry/registries | Ensure ACR set to disable public networking | arm | ACRPublicNetworkAccessDisabled.py |
| 2013 | CKV_AZURE_139 | resource | Microsoft.ContainerRegistry/registries | Ensure ACR set to disable public networking | Bicep | ACRPublicNetworkAccessDisabled.py |
| 2014 | CKV_AZURE_139 | resource | azurerm_container_registry | Ensure ACR set to disable public networking | Terraform | ACRPublicNetworkAccessDisabled.py |
| 2015 | CKV_AZURE_140 | resource | Microsoft.DocumentDB/databaseAccounts | Ensure that Local Authentication is disabled on CosmosDB | arm | CosmosDBLocalAuthDisabled.py |
| 2016 | CKV_AZURE_140 | resource | Microsoft.DocumentDB/databaseAccounts | Ensure that Local Authentication is disabled on CosmosDB | Bicep | CosmosDBLocalAuthDisabled.py |
| 2017 | CKV_AZURE_140 | resource | azurerm_cosmosdb_account | Ensure that Local Authentication is disabled on CosmosDB | Terraform | CosmosDBLocalAuthDisabled.py |
| 2018 | CKV_AZURE_141 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS local admin account is disabled | arm | AKSLocalAdminDisabled.py |
| 2019 | CKV_AZURE_141 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS local admin account is disabled | Bicep | AKSLocalAdminDisabled.py |
| 2020 | CKV_AZURE_141 | resource | azurerm_kubernetes_cluster | Ensure AKS local admin account is disabled | Terraform | AKSLocalAdminDisabled.py |
| 2021 | CKV_AZURE_142 | resource | azurerm_machine_learning_compute_cluster | Ensure Machine Learning Compute Cluster Local Authentication is disabled | Terraform | MLCCLADisabled.py |
| 2022 | CKV_AZURE_143 | resource | azurerm_kubernetes_cluster | Ensure AKS cluster nodes do not have public IP addresses | Terraform | AKSNodePublicIpDisabled.py |
| 2023 | CKV_AZURE_144 | resource | azurerm_machine_learning_workspace | Ensure that Public Access is disabled for Machine Learning Workspace | Terraform | MLPublicAccess.py |
| 2024 | CKV_AZURE_145 | resource | Microsoft.Web/sites | Ensure Function app is using the latest version of TLS encryption | arm | FunctionAppMinTLSVersion.py |
| 2025 | CKV_AZURE_145 | resource | Microsoft.Web/sites | Ensure Function app is using the latest version of TLS encryption | Bicep | FunctionAppMinTLSVersion.py |
| 2026 | CKV_AZURE_145 | resource | Microsoft.Web/sites/slots | Ensure Function app is using the latest version of TLS encryption | arm | FunctionAppMinTLSVersion.py |
| 2027 | CKV_AZURE_145 | resource | Microsoft.Web/sites/slots | Ensure Function app is using the latest version of TLS encryption | Bicep | FunctionAppMinTLSVersion.py |
| 2028 | CKV_AZURE_145 | resource | azurerm_function_app | Ensure Function app is using the latest version of TLS encryption | Terraform | FunctionAppMinTLSVersion.py |
| 2029 | CKV_AZURE_145 | resource | azurerm_function_app_slot | Ensure Function app is using the latest version of TLS encryption | Terraform | FunctionAppMinTLSVersion.py |
| 2030 | CKV_AZURE_145 | resource | azurerm_linux_function_app | Ensure Function app is using the latest version of TLS encryption | Terraform | FunctionAppMinTLSVersion.py |
| 2031 | CKV_AZURE_145 | resource | azurerm_linux_function_app_slot | Ensure Function app is using the latest version of TLS encryption | Terraform | FunctionAppMinTLSVersion.py |
| 2032 | CKV_AZURE_145 | resource | azurerm_windows_function_app | Ensure Function app is using the latest version of TLS encryption | Terraform | FunctionAppMinTLSVersion.py |
| 2033 | CKV_AZURE_145 | resource | azurerm_windows_function_app_slot | Ensure Function app is using the latest version of TLS encryption | Terraform | FunctionAppMinTLSVersion.py |
| 2034 | CKV_AZURE_146 | resource | azurerm_postgresql_configuration | Ensure server parameter ‘log_retention’ is set to ‘ON’ for PostgreSQL Database Server | Terraform | PostgreSQLServerLogRetentionEnabled.py |
| 2035 | CKV_AZURE_147 | resource | azurerm_postgresql_server | Ensure PostgreSQL is using the latest version of TLS encryption | Terraform | PostgreSQLMinTLSVersion.py |
| 2036 | CKV_AZURE_148 | resource | azurerm_redis_cache | Ensure Redis Cache is using the latest version of TLS encryption | Terraform | RedisCacheMinTLSVersion.py |
| 2037 | CKV_AZURE_149 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure that Virtual machine does not enable password authentication | arm | VMDisablePasswordAuthentication.py |
| 2038 | CKV_AZURE_149 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure that Virtual machine does not enable password authentication | Bicep | VMDisablePasswordAuthentication.py |
| 2039 | CKV_AZURE_149 | resource | Microsoft.Compute/virtualMachines | Ensure that Virtual machine does not enable password authentication | arm | VMDisablePasswordAuthentication.py |
| 2040 | CKV_AZURE_149 | resource | Microsoft.Compute/virtualMachines | Ensure that Virtual machine does not enable password authentication | Bicep | VMDisablePasswordAuthentication.py |
| 2041 | CKV_AZURE_149 | resource | azurerm_linux_virtual_machine | Ensure that Virtual machine does not enable password authentication | Terraform | VMDisablePasswordAuthentication.py |
| 2042 | CKV_AZURE_149 | resource | azurerm_linux_virtual_machine_scale_set | Ensure that Virtual machine does not enable password authentication | Terraform | VMDisablePasswordAuthentication.py |
| 2043 | CKV_AZURE_150 | resource | azurerm_machine_learning_compute_cluster | Ensure Machine Learning Compute Cluster Minimum Nodes Set To 0 | Terraform | MLComputeClusterMinNodes.py |
| 2044 | CKV_AZURE_151 | resource | Microsoft.Compute/virtualMachines | Ensure Windows VM enables encryption | arm | WinVMEncryptionAtHost.py |
| 2045 | CKV_AZURE_151 | resource | Microsoft.Compute/virtualMachines | Ensure Windows VM enables encryption | Bicep | WinVMEncryptionAtHost.py |
| 2046 | CKV_AZURE_151 | resource | azurerm_windows_virtual_machine | Ensure Windows VM enables encryption | Terraform | WinVMEncryptionAtHost.py |
| 2047 | CKV_AZURE_152 | resource | azurerm_api_management | Ensure Client Certificates are enforced for API management | Terraform | APIManagementCertsEnforced.py |
| 2048 | CKV_AZURE_153 | resource | Microsoft.Web/sites | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot | arm | AppServiceSlotHTTPSOnly.py |
| 2049 | CKV_AZURE_153 | resource | Microsoft.Web/sites | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot | Bicep | AppServiceSlotHTTPSOnly.py |
| 2050 | CKV_AZURE_153 | resource | Microsoft.Web/sites/slots | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot | arm | AppServiceSlotHTTPSOnly.py |
| 2051 | CKV_AZURE_153 | resource | Microsoft.Web/sites/slots | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot | Bicep | AppServiceSlotHTTPSOnly.py |
| 2052 | CKV_AZURE_153 | resource | azurerm_app_service_slot | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot | Terraform | AppServiceSlotHTTPSOnly.py |
| 2053 | CKV_AZURE_153 | resource | azurerm_linux_web_app_slot | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot | Terraform | AppServiceSlotHTTPSOnly.py |
| 2054 | CKV_AZURE_153 | resource | azurerm_windows_web_app_slot | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot | Terraform | AppServiceSlotHTTPSOnly.py |
| 2055 | CKV_AZURE_154 | resource | azurerm_app_service_slot | Ensure the App service slot is using the latest version of TLS encryption | Terraform | AppServiceSlotMinTLS.py |
| 2056 | CKV_AZURE_155 | resource | Microsoft.Web/sites | Ensure debugging is disabled for the App service slot | arm | AppServiceSlotDebugDisabled.py |
| 2057 | CKV_AZURE_155 | resource | Microsoft.Web/sites | Ensure debugging is disabled for the App service slot | Bicep | AppServiceSlotDebugDisabled.py |
| 2058 | CKV_AZURE_155 | resource | Microsoft.Web/sites/slots | Ensure debugging is disabled for the App service slot | arm | AppServiceSlotDebugDisabled.py |
| 2059 | CKV_AZURE_155 | resource | Microsoft.Web/sites/slots | Ensure debugging is disabled for the App service slot | Bicep | AppServiceSlotDebugDisabled.py |
| 2060 | CKV_AZURE_155 | resource | azurerm_app_service_slot | Ensure debugging is disabled for the App service slot | Terraform | AppServiceSlotDebugDisabled.py |
| 2061 | CKV_AZURE_156 | resource | azurerm_mssql_database_extended_auditing_policy | Ensure default Auditing policy for a SQL Server is configured to capture and retain the activity logs | Terraform | MSSQLServerAuditPolicyLogMonitor.py |
| 2062 | CKV_AZURE_157 | resource | Microsoft.Synapse/workspaces | Ensure that Synapse workspace has data_exfiltration_protection_enabled | arm | SynapseWorkspaceEnablesDataExfilProtection.py |
| 2063 | CKV_AZURE_157 | resource | Microsoft.Synapse/workspaces | Ensure that Synapse workspace has data_exfiltration_protection_enabled | Bicep | SynapseWorkspaceEnablesDataExfilProtection.py |
| 2064 | CKV_AZURE_157 | resource | azurerm_synapse_workspace | Ensure that Synapse workspace has data_exfiltration_protection_enabled | Terraform | SynapseWorkspaceEnablesDataExfilProtection.py |
| 2065 | CKV_AZURE_158 | resource | Microsoft.Databricks/workspaces | Ensure Databricks Workspace data plane to control plane communication happens over private link | arm | DatabricksWorkspaceIsNotPublic.py |
| 2066 | CKV_AZURE_158 | resource | Microsoft.Databricks/workspaces | Ensure Databricks Workspace data plane to control plane communication happens over private link | Bicep | DatabricksWorkspaceIsNotPublic.py |
| 2067 | CKV_AZURE_158 | resource | azurerm_databricks_workspace | Ensure Databricks Workspace data plane to control plane communication happens over private link | Terraform | DatabricksWorkspaceIsNotPublic.py |
| 2068 | CKV_AZURE_159 | resource | azurerm_function_app | Ensure function app builtin logging is enabled | Terraform | FunctionAppEnableLogging.py |
| 2069 | CKV_AZURE_159 | resource | azurerm_function_app_slot | Ensure function app builtin logging is enabled | Terraform | FunctionAppEnableLogging.py |
| 2070 | CKV_AZURE_160 | resource | Microsoft.Network/networkSecurityGroups | Ensure that HTTP (port 80) access is restricted from the internet | arm | NSGRuleHTTPAccessRestricted.py |
| 2071 | CKV_AZURE_160 | resource | Microsoft.Network/networkSecurityGroups | Ensure that HTTP (port 80) access is restricted from the internet | Bicep | NSGRuleHTTPAccessRestricted.py |
| 2072 | CKV_AZURE_160 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that HTTP (port 80) access is restricted from the internet | arm | NSGRuleHTTPAccessRestricted.py |
| 2073 | CKV_AZURE_160 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that HTTP (port 80) access is restricted from the internet | Bicep | NSGRuleHTTPAccessRestricted.py |
| 2074 | CKV_AZURE_160 | resource | azurerm_network_security_group | Ensure that HTTP (port 80) access is restricted from the internet | Terraform | NSGRuleHTTPAccessRestricted.py |
| 2075 | CKV_AZURE_160 | resource | azurerm_network_security_rule | Ensure that HTTP (port 80) access is restricted from the internet | Terraform | NSGRuleHTTPAccessRestricted.py |
| 2076 | CKV_AZURE_161 | resource | azurerm_spring_cloud_api_portal | Ensures Spring Cloud API Portal is enabled on for HTTPS | Terraform | SpringCloudAPIPortalHTTPSOnly.py |
| 2077 | CKV_AZURE_162 | resource | azurerm_spring_cloud_api_portal | Ensures Spring Cloud API Portal Public Access Is Disabled | Terraform | SpringCloudAPIPortalPublicAccessIsDisabled.py |
| 2078 | CKV_AZURE_163 | resource | Microsoft.ContainerRegistry/registries | Enable vulnerability scanning for container images. | arm | ACRContainerScanEnabled.py |
| 2079 | CKV_AZURE_163 | resource | Microsoft.ContainerRegistry/registries | Enable vulnerability scanning for container images. | Bicep | ACRContainerScanEnabled.py |
| 2080 | CKV_AZURE_163 | resource | azurerm_container_registry | Enable vulnerability scanning for container images. | Terraform | ACRContainerScanEnabled.py |
| 2081 | CKV_AZURE_164 | resource | azurerm_container_registry | Ensures that ACR uses signed/trusted images | Terraform | ACRUseSignedImages.py |
| 2082 | CKV_AZURE_165 | resource | azurerm_container_registry | Ensure geo-replicated container registries to match multi-region container deployments. | Terraform | ACRGeoreplicated.py |
| 2083 | CKV_AZURE_166 | resource | Microsoft.ContainerRegistry/registries | Ensure container image quarantine, scan, and mark images verified | arm | ACREnableImageQuarantine.py |
| 2084 | CKV_AZURE_166 | resource | Microsoft.ContainerRegistry/registries | Ensure container image quarantine, scan, and mark images verified | Bicep | ACREnableImageQuarantine.py |
| 2085 | CKV_AZURE_166 | resource | azurerm_container_registry | Ensure container image quarantine, scan, and mark images verified | Terraform | ACREnableImageQuarantine.py |
| 2086 | CKV_AZURE_167 | resource | azurerm_container_registry | Ensure a retention policy is set to cleanup untagged manifests. | Terraform | ACREnableRetentionPolicy.py |
| 2087 | CKV_AZURE_168 | resource | Microsoft.ContainerService/managedClusters | Ensure Azure Kubernetes Cluster (AKS) nodes should use a minimum number of 50 pods. | arm | AKSMaxPodsMinimum.py |
| 2088 | CKV_AZURE_168 | resource | Microsoft.ContainerService/managedClusters | Ensure Azure Kubernetes Cluster (AKS) nodes should use a minimum number of 50 pods. | Bicep | AKSMaxPodsMinimum.py |
| 2089 | CKV_AZURE_168 | resource | Microsoft.ContainerService/managedClusters/agentPools | Ensure Azure Kubernetes Cluster (AKS) nodes should use a minimum number of 50 pods. | arm | AKSMaxPodsMinimum.py |
| 2090 | CKV_AZURE_168 | resource | Microsoft.ContainerService/managedClusters/agentPools | Ensure Azure Kubernetes Cluster (AKS) nodes should use a minimum number of 50 pods. | Bicep | AKSMaxPodsMinimum.py |
| 2091 | CKV_AZURE_168 | resource | azurerm_kubernetes_cluster | Ensure Azure Kubernetes Cluster (AKS) nodes should use a minimum number of 50 pods. | Terraform | AKSMaxPodsMinimum.py |
| 2092 | CKV_AZURE_168 | resource | azurerm_kubernetes_cluster_node_pool | Ensure Azure Kubernetes Cluster (AKS) nodes should use a minimum number of 50 pods. | Terraform | AKSMaxPodsMinimum.py |
| 2093 | CKV_AZURE_169 | resource | Microsoft.ContainerService/managedClusters | Ensure Azure Kubernetes Cluster (AKS) nodes use scale sets | arm | AKSPoolTypeIsScaleSet.py |
| 2094 | CKV_AZURE_169 | resource | Microsoft.ContainerService/managedClusters | Ensure Azure Kubernetes Cluster (AKS) nodes use scale sets | Bicep | AKSPoolTypeIsScaleSet.py |
| 2095 | CKV_AZURE_169 | resource | azurerm_kubernetes_cluster | Ensure Azure Kubernetes Cluster (AKS) nodes use scale sets | Terraform | AKSPoolTypeIsScaleSet.py |
| 2096 | CKV_AZURE_170 | resource | azurerm_kubernetes_cluster | Ensure that AKS use the Paid Sku for its SLA | Terraform | AKSIsPaidSku.py |
| 2097 | CKV_AZURE_171 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS cluster upgrade channel is chosen | arm | AKSUpgradeChannel.py |
| 2098 | CKV_AZURE_171 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS cluster upgrade channel is chosen | Bicep | AKSUpgradeChannel.py |
| 2099 | CKV_AZURE_171 | resource | azurerm_kubernetes_cluster | Ensure AKS cluster upgrade channel is chosen | Terraform | AKSUpgradeChannel.py |
| 2100 | CKV_AZURE_172 | resource | Microsoft.ContainerService/managedClusters | Ensure autorotation of Secrets Store CSI Driver secrets for AKS clusters | arm | AkSSecretStoreRotation.py |
| 2101 | CKV_AZURE_172 | resource | Microsoft.ContainerService/managedClusters | Ensure autorotation of Secrets Store CSI Driver secrets for AKS clusters | Bicep | AkSSecretStoreRotation.py |
| 2102 | CKV_AZURE_172 | resource | azurerm_kubernetes_cluster | Ensure autorotation of Secrets Store CSI Driver secrets for AKS clusters | Terraform | AKSSecretStoreRotation.py |
| 2103 | CKV_AZURE_173 | resource | Microsoft.ApiManagement/service | Ensure API management uses at least TLS 1.2 | arm | APIManagementMinTLS12.py |
| 2104 | CKV_AZURE_173 | resource | Microsoft.ApiManagement/service | Ensure API management uses at least TLS 1.2 | Bicep | APIManagementMinTLS12.py |
| 2105 | CKV_AZURE_173 | resource | azurerm_api_management | Ensure API management uses at least TLS 1.2 | Terraform | APIManagementMinTLS12.py |
| 2106 | CKV_AZURE_174 | resource | Microsoft.ApiManagement/service | Ensure API management public access is disabled | arm | APIManagementPublicAccess.py |
| 2107 | CKV_AZURE_174 | resource | Microsoft.ApiManagement/service | Ensure API management public access is disabled | Bicep | APIManagementPublicAccess.py |
| 2108 | CKV_AZURE_174 | resource | azurerm_api_management | Ensure API management public access is disabled | Terraform | APIManagementPublicAccess.py |
| 2109 | CKV_AZURE_175 | resource | Microsoft.SignalRService/webPubSub | Ensure Web PubSub uses a SKU with an SLA | arm | PubsubSKUSLA.py |
| 2110 | CKV_AZURE_175 | resource | Microsoft.SignalRService/webPubSub | Ensure Web PubSub uses a SKU with an SLA | Bicep | PubsubSKUSLA.py |
| 2111 | CKV_AZURE_175 | resource | azurerm_web_pubsub | Ensure Web PubSub uses a SKU with an SLA | Terraform | PubsubSKUSLA.py |
| 2112 | CKV_AZURE_176 | resource | Microsoft.SignalRService/webPubSub | Ensure Web PubSub uses managed identities to access Azure resources | arm | PubsubSpecifyIdentity.py |
| 2113 | CKV_AZURE_176 | resource | Microsoft.SignalRService/webPubSub | Ensure Web PubSub uses managed identities to access Azure resources | Bicep | PubsubSpecifyIdentity.py |
| 2114 | CKV_AZURE_176 | resource | azurerm_web_pubsub | Ensure Web PubSub uses managed identities to access Azure resources | Terraform | PubsubSpecifyIdentity.py |
| 2115 | CKV_AZURE_177 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure Windows VM enables automatic updates | arm | WinVMAutomaticUpdates.py |
| 2116 | CKV_AZURE_177 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure Windows VM enables automatic updates | Bicep | WinVMAutomaticUpdates.py |
| 2117 | CKV_AZURE_177 | resource | Microsoft.Compute/virtualMachines | Ensure Windows VM enables automatic updates | arm | WinVMAutomaticUpdates.py |
| 2118 | CKV_AZURE_177 | resource | Microsoft.Compute/virtualMachines | Ensure Windows VM enables automatic updates | Bicep | WinVMAutomaticUpdates.py |
| 2119 | CKV_AZURE_177 | resource | azurerm_windows_virtual_machine | Ensure Windows VM enables automatic updates | Terraform | WinVMAutomaticUpdates.py |
| 2120 | CKV_AZURE_177 | resource | azurerm_windows_virtual_machine_scale_set | Ensure Windows VM enables automatic updates | Terraform | WinVMAutomaticUpdates.py |
| 2121 | CKV_AZURE_178 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure linux VM enables SSH with keys for secure communication | arm | LinuxVMUsesSSH.py |
| 2122 | CKV_AZURE_178 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure linux VM enables SSH with keys for secure communication | Bicep | LinuxVMUsesSSH.py |
| 2123 | CKV_AZURE_178 | resource | Microsoft.Compute/virtualMachines | Ensure linux VM enables SSH with keys for secure communication | arm | LinuxVMUsesSSH.py |
| 2124 | CKV_AZURE_178 | resource | Microsoft.Compute/virtualMachines | Ensure linux VM enables SSH with keys for secure communication | Bicep | LinuxVMUsesSSH.py |
| 2125 | CKV_AZURE_178 | resource | azurerm_linux_virtual_machine | Ensure linux VM enables SSH with keys for secure communication | Terraform | LinuxVMUsesSSH.py |
| 2126 | CKV_AZURE_178 | resource | azurerm_linux_virtual_machine_scale_set | Ensure linux VM enables SSH with keys for secure communication | Terraform | LinuxVMUsesSSH.py |
| 2127 | CKV_AZURE_179 | resource | azurerm_linux_virtual_machine | Ensure VM agent is installed | Terraform | VMAgentIsInstalled.py |
| 2128 | CKV_AZURE_179 | resource | azurerm_linux_virtual_machine_scale_set | Ensure VM agent is installed | Terraform | VMAgentIsInstalled.py |
| 2129 | CKV_AZURE_179 | resource | azurerm_windows_virtual_machine | Ensure VM agent is installed | Terraform | VMAgentIsInstalled.py |
| 2130 | CKV_AZURE_179 | resource | azurerm_windows_virtual_machine_scale_set | Ensure VM agent is installed | Terraform | VMAgentIsInstalled.py |
| 2131 | CKV_AZURE_180 | resource | azurerm_kusto_cluster | Ensure that data explorer uses Sku with an SLA | Terraform | DataExplorerSKUHasSLA.py |
| 2132 | CKV_AZURE_181 | resource | azurerm_kusto_cluster | Ensure that data explorer/Kusto uses managed identities to access Azure resources securely. | Terraform | DataExplorerServiceIdentity.py |
| 2133 | CKV_AZURE_182 | resource | Microsoft.Network/networkInterfaces | Ensure that VNET has at least 2 connected DNS Endpoints | arm | VnetSingleDNSServer.py |
| 2134 | CKV_AZURE_182 | resource | Microsoft.Network/networkInterfaces | Ensure that VNET has at least 2 connected DNS Endpoints | Bicep | VnetSingleDNSServer.py |
| 2135 | CKV_AZURE_182 | resource | Microsoft.Network/virtualNetworks | Ensure that VNET has at least 2 connected DNS Endpoints | arm | VnetSingleDNSServer.py |
2136 |
CKV_AZURE_182 |
resource |
Microsoft.Network/virtualNetworks |
Ensure that VNET has at least 2 connected DNS Endpoints |
Bicep |
VnetSingleDNSServer.py |
2137 |
CKV_AZURE_182 |
resource |
azurerm_virtual_network |
Ensure that VNET has at least 2 connected DNS Endpoints |
Terraform |
VnetSingleDNSServer.py |
2138 |
CKV_AZURE_182 |
resource |
azurerm_virtual_network_dns_servers |
Ensure that VNET has at least 2 connected DNS Endpoints |
Terraform |
VnetSingleDNSServer.py |
2139 |
CKV_AZURE_183 |
resource |
Microsoft.Network/virtualNetworks |
Ensure that VNET uses local DNS addresses |
arm |
VnetLocalDNS.py |
2140 |
CKV_AZURE_183 |
resource |
Microsoft.Network/virtualNetworks |
Ensure that VNET uses local DNS addresses |
Bicep |
VnetLocalDNS.py |
2141 |
CKV_AZURE_183 |
resource |
azurerm_virtual_network |
Ensure that VNET uses local DNS addresses |
Terraform |
VnetLocalDNS.py |
2142 |
CKV_AZURE_184 |
resource |
azurerm_app_configuration |
Ensure ‘local_auth_enabled’ is set to ‘False’ |
Terraform |
AppConfigLocalAuth.py |
2143 |
CKV_AZURE_185 |
resource |
azurerm_app_configuration |
Ensure ‘Public Access’ is not Enabled for App configuration |
Terraform |
AppConfigPublicAccess.py |
2144 |
CKV_AZURE_186 |
resource |
azurerm_app_configuration |
Ensure App configuration encryption block is set. |
Terraform |
AppConfigEncryption.py |
2145 |
CKV_AZURE_187 |
resource |
azurerm_app_configuration |
Ensure App configuration purge protection is enabled |
Terraform |
AppConfigPurgeProtection.py |
2146 |
CKV_AZURE_188 |
resource |
azurerm_app_configuration |
Ensure App configuration Sku is standard |
Terraform |
AppConfigSku.py |
2147 |
CKV_AZURE_189 |
resource |
Microsoft.KeyVault/vaults |
Ensure that Azure Key Vault disables public network access |
arm |
KeyVaultDisablesPublicNetworkAccess.py |
2148 |
CKV_AZURE_189 |
resource |
Microsoft.KeyVault/vaults |
Ensure that Azure Key Vault disables public network access |
Bicep |
KeyVaultDisablesPublicNetworkAccess.py |
2149 |
CKV_AZURE_189 |
resource |
azurerm_key_vault |
Ensure that Azure Key Vault disables public network access |
Terraform |
KeyVaultDisablesPublicNetworkAccess.py |
2150 |
CKV_AZURE_190 |
resource |
azurerm_storage_account |
Ensure that Storage blobs restrict public access |
Terraform |
StorageBlobRestrictPublicAccess.py |
2151 |
CKV_AZURE_191 |
resource |
Microsoft.EventGrid/topics |
Ensure that Managed identity provider is enabled for Azure Event Grid Topic |
arm |
EventgridTopicIdentityProviderEnabled.py |
2152 |
CKV_AZURE_191 |
resource |
Microsoft.EventGrid/topics |
Ensure that Managed identity provider is enabled for Azure Event Grid Topic |
Bicep |
EventgridTopicIdentityProviderEnabled.py |
2153 |
CKV_AZURE_191 |
resource |
azurerm_eventgrid_topic |
Ensure that Managed identity provider is enabled for Azure Event Grid Topic |
Terraform |
EventgridTopicIdentityProviderEnabled.py |
2154 |
CKV_AZURE_192 |
resource |
Microsoft.EventGrid/topics |
Ensure that Azure Event Grid Topic local Authentication is disabled |
arm |
EventgridTopicLocalAuthentication.py |
2155 |
CKV_AZURE_192 |
resource |
Microsoft.EventGrid/topics |
Ensure that Azure Event Grid Topic local Authentication is disabled |
Bicep |
EventgridTopicLocalAuthentication.py |
2156 |
CKV_AZURE_192 |
resource |
azurerm_eventgrid_topic |
Ensure that Azure Event Grid Topic local Authentication is disabled |
Terraform |
EventgridTopicLocalAuthentication.py |
2157 |
CKV_AZURE_193 |
resource |
Microsoft.EventGrid/topics |
Ensure public network access is disabled for Azure Event Grid Topic |
arm |
EventgridTopicNetworkAccess.py |
2158 |
CKV_AZURE_193 |
resource |
Microsoft.EventGrid/topics |
Ensure public network access is disabled for Azure Event Grid Topic |
Bicep |
EventgridTopicNetworkAccess.py |
2159 |
CKV_AZURE_193 |
resource |
azurerm_eventgrid_topic |
Ensure public network access is disabled for Azure Event Grid Topic |
Terraform |
EventgridTopicNetworkAccess.py |
2160 |
CKV_AZURE_194 |
resource |
azurerm_eventgrid_domain |
Ensure that Managed identity provider is enabled for Azure Event Grid Domain |
Terraform |
EventgridDomainIdentityProviderEnabled.py |
2161 |
CKV_AZURE_195 |
resource |
azurerm_eventgrid_domain |
Ensure that Azure Event Grid Domain local Authentication is disabled |
Terraform |
EventgridDomainLocalAuthentication.py |
2162 |
CKV_AZURE_196 |
resource |
azurerm_signalr_service |
Ensure that SignalR uses a Paid Sku for its SLA |
Terraform |
SignalRSKUSLA.py |
2163 |
CKV_AZURE_197 |
resource |
azurerm_cdn_endpoint |
Ensure the Azure CDN disables the HTTP endpoint |
Terraform |
CDNDisableHttpEndpoints.py |
2164 |
CKV_AZURE_198 |
resource |
azurerm_cdn_endpoint |
Ensure the Azure CDN enables the HTTPS endpoint |
Terraform |
CDNEnableHttpsEndpoints.py |
2165 |
CKV_AZURE_199 |
resource |
azurerm_servicebus_namespace |
Ensure that Azure Service Bus uses double encryption |
Terraform |
AzureServicebusDoubleEncryptionEnabled.py |
2166 |
CKV_AZURE_200 |
resource |
azurerm_cdn_endpoint_custom_domain |
Ensure the Azure CDN endpoint is using the latest version of TLS encryption |
Terraform |
CDNTLSProtocol12.py |
2167 |
CKV_AZURE_201 |
resource |
azurerm_servicebus_namespace |
Ensure that Azure Service Bus uses a customer-managed key to encrypt data |
Terraform |
AzureServicebusHasCMK.py |
2168 |
CKV_AZURE_202 |
resource |
azurerm_servicebus_namespace |
Ensure that Managed identity provider is enabled for Azure Service Bus |
Terraform |
AzureServicebusIdentityProviderEnabled.py |
2169 |
CKV_AZURE_203 |
resource |
azurerm_servicebus_namespace |
Ensure Azure Service Bus Local Authentication is disabled |
Terraform |
AzureServicebusLocalAuthDisabled.py |
2170 |
CKV_AZURE_204 |
resource |
azurerm_servicebus_namespace |
Ensure ‘public network access enabled’ is set to ‘False’ for Azure Service Bus |
Terraform |
AzureServicebusPublicAccessDisabled.py |
2171 |
CKV_AZURE_205 |
resource |
azurerm_servicebus_namespace |
Ensure Azure Service Bus is using the latest version of TLS encryption |
Terraform |
AzureServicebusMinTLSVersion.py |
2172 |
CKV_AZURE_206 |
resource |
Microsoft.Storage/storageAccounts |
Ensure that Storage Accounts use replication |
arm |
StorageAccountsUseReplication.py |
2173 |
CKV_AZURE_206 |
resource |
Microsoft.Storage/storageAccounts |
Ensure that Storage Accounts use replication |
Bicep |
StorageAccountsUseReplication.py |
2174 |
CKV_AZURE_206 |
resource |
azurerm_storage_account |
Ensure that Storage Accounts use replication |
Terraform |
StorageAccountsUseReplication.py |
2175 |
CKV_AZURE_207 |
resource |
azurerm_search_service |
Ensure Azure Cognitive Search service uses managed identities to access Azure resources |
Terraform |
AzureSearchManagedIdentity.py |
2176 |
CKV_AZURE_208 |
resource |
Microsoft.Search/searchServices |
Ensure that Azure Cognitive Search maintains SLA for index updates |
arm |
AzureSearchSLAIndex.py |
2177 |
CKV_AZURE_208 |
resource |
Microsoft.Search/searchServices |
Ensure that Azure Cognitive Search maintains SLA for index updates |
Bicep |
AzureSearchSLAIndex.py |
2178 |
CKV_AZURE_208 |
resource |
azurerm_search_service |
Ensure that Azure Cognitive Search maintains SLA for index updates |
Terraform |
AzureSearchSLAIndex.py |
2179 |
CKV_AZURE_209 |
resource |
Microsoft.Search/searchServices |
Ensure that Azure Cognitive Search maintains SLA for search index queries |
arm |
AzureSearchSLAQueryUpdates.py |
2180 |
CKV_AZURE_209 |
resource |
Microsoft.Search/searchServices |
Ensure that Azure Cognitive Search maintains SLA for search index queries |
Bicep |
AzureSearchSLAQueryUpdates.py |
2181 |
CKV_AZURE_209 |
resource |
azurerm_search_service |
Ensure that Azure Cognitive Search maintains SLA for search index queries |
Terraform |
AzureSearchSLAQueryUpdates.py |
2182 |
CKV_AZURE_210 |
resource |
azurerm_search_service |
Ensure Azure Cognitive Search service allowed IPS does not give public Access |
Terraform |
AzureSearchAllowedIPsNotGlobal.py |
2183 |
CKV_AZURE_211 |
resource |
azurerm_service_plan |
Ensure App Service plan suitable for production use |
Terraform |
AppServiceSkuMinimum.py |
2184 |
CKV_AZURE_212 |
resource |
Microsoft.Web/sites |
Ensure App Service has a minimum number of instances for failover |
arm |
AppServiceInstanceMinimum.py |
2185 |
CKV_AZURE_212 |
resource |
Microsoft.Web/sites |
Ensure App Service has a minimum number of instances for failover |
Bicep |
AppServiceInstanceMinimum.py |
2186 |
CKV_AZURE_212 |
resource |
Microsoft.Web/sites/slots |
Ensure App Service has a minimum number of instances for failover |
arm |
AppServiceInstanceMinimum.py |
2187 |
CKV_AZURE_212 |
resource |
Microsoft.Web/sites/slots |
Ensure App Service has a minimum number of instances for failover |
Bicep |
AppServiceInstanceMinimum.py |
2188 |
CKV_AZURE_212 |
resource |
azurerm_service_plan |
Ensure App Service has a minimum number of instances for failover |
Terraform |
AppServiceInstanceMinimum.py |
2189 |
CKV_AZURE_213 |
resource |
Microsoft.Web/sites |
Ensure that App Service configures health check |
arm |
AppServiceSetHealthCheck.py |
2190 |
CKV_AZURE_213 |
resource |
Microsoft.Web/sites |
Ensure that App Service configures health check |
Bicep |
AppServiceSetHealthCheck.py |
2191 |
CKV_AZURE_213 |
resource |
Microsoft.Web/sites/slots |
Ensure that App Service configures health check |
arm |
AppServiceSetHealthCheck.py |
2192 |
CKV_AZURE_213 |
resource |
Microsoft.Web/sites/slots |
Ensure that App Service configures health check |
Bicep |
AppServiceSetHealthCheck.py |
2193 |
CKV_AZURE_213 |
resource |
azurerm_app_service |
Ensure that App Service configures health check |
Terraform |
AppServiceSetHealthCheck.py |
2194 |
CKV_AZURE_213 |
resource |
azurerm_linux_web_app |
Ensure that App Service configures health check |
Terraform |
AppServiceSetHealthCheck.py |
2195 |
CKV_AZURE_213 |
resource |
azurerm_windows_web_app |
Ensure that App Service configures health check |
Terraform |
AppServiceSetHealthCheck.py |
2196 |
CKV_AZURE_214 |
resource |
azurerm_linux_web_app |
Ensure App Service is set to be always on |
Terraform |
AppServiceAlwaysOn.py |
2197 |
CKV_AZURE_214 |
resource |
azurerm_windows_web_app |
Ensure App Service is set to be always on |
Terraform |
AppServiceAlwaysOn.py |
2198 |
CKV_AZURE_215 |
resource |
azurerm_api_management_backend |
Ensure API management backend uses https |
Terraform |
APIManagementBackendHTTPS.py |
2199 |
CKV_AZURE_216 |
resource |
Microsoft.Network/azureFirewalls |
Ensure DenyIntelMode is set to Deny for Azure Firewalls |
arm |
AzureFirewallDenyThreatIntelMode.py |
2200 |
CKV_AZURE_216 |
resource |
Microsoft.Network/azureFirewalls |
Ensure DenyIntelMode is set to Deny for Azure Firewalls |
Bicep |
AzureFirewallDenyThreatIntelMode.py |
2201 |
CKV_AZURE_216 |
resource |
azurerm_firewall |
Ensure DenyIntelMode is set to Deny for Azure Firewalls |
Terraform |
AzureFirewallDenyThreatIntelMode.py |
2202 |
CKV_AZURE_217 |
resource |
azurerm_application_gateway |
Ensure Azure Application gateways listener that allow connection requests over HTTP |
Terraform |
AppGWUsesHttps.py |
2203 |
CKV_AZURE_218 |
resource |
Microsoft.Network/applicationGateways |
Ensure Application Gateway defines secure protocols for in transit communication |
arm |
AppGWDefinesSecureProtocols.py |
2204 |
CKV_AZURE_218 |
resource |
Microsoft.Network/applicationGateways |
Ensure Application Gateway defines secure protocols for in transit communication |
Bicep |
AppGWDefinesSecureProtocols.py |
2205 |
CKV_AZURE_218 |
resource |
azurerm_application_gateway |
Ensure Application Gateway defines secure protocols for in transit communication |
Terraform |
AppGWDefinesSecureProtocols.py |
2206 |
CKV_AZURE_219 |
resource |
azurerm_firewall |
Ensure Firewall defines a firewall policy |
Terraform |
AzureFirewallDefinesPolicy.py |
2207 |
CKV_AZURE_220 |
resource |
azurerm_firewall_policy |
Ensure Firewall policy has IDPS mode as deny |
Terraform |
AzureFirewallPolicyIDPSDeny.py |
2208 |
CKV_AZURE_221 |
resource |
azurerm_linux_function_app |
Ensure that Azure Function App public network access is disabled |
Terraform |
FunctionAppPublicAccessDisabled.py |
2209 |
CKV_AZURE_221 |
resource |
azurerm_linux_function_app_slot |
Ensure that Azure Function App public network access is disabled |
Terraform |
FunctionAppPublicAccessDisabled.py |
2210 |
CKV_AZURE_221 |
resource |
azurerm_windows_function_app |
Ensure that Azure Function App public network access is disabled |
Terraform |
FunctionAppPublicAccessDisabled.py |
2211 |
CKV_AZURE_221 |
resource |
azurerm_windows_function_app_slot |
Ensure that Azure Function App public network access is disabled |
Terraform |
FunctionAppPublicAccessDisabled.py |
2212 |
CKV_AZURE_222 |
resource |
Microsoft.Web/sites |
Ensure that Azure Web App public network access is disabled |
arm |
AppServicePublicAccessDisabled.py |
2213 |
CKV_AZURE_222 |
resource |
Microsoft.Web/sites |
Ensure that Azure Web App public network access is disabled |
Bicep |
AppServicePublicAccessDisabled.py |
2214 |
CKV_AZURE_222 |
resource |
Microsoft.Web/sites/config |
Ensure that Azure Web App public network access is disabled |
arm |
AppServicePublicAccessDisabled.py |
2215 |
CKV_AZURE_222 |
resource |
Microsoft.Web/sites/config |
Ensure that Azure Web App public network access is disabled |
Bicep |
AppServicePublicAccessDisabled.py |
2216 |
CKV_AZURE_222 |
resource |
Microsoft.Web/sites/slots |
Ensure that Azure Web App public network access is disabled |
arm |
AppServicePublicAccessDisabled.py |
2217 |
CKV_AZURE_222 |
resource |
Microsoft.Web/sites/slots |
Ensure that Azure Web App public network access is disabled |
Bicep |
AppServicePublicAccessDisabled.py |
2218 |
CKV_AZURE_222 |
resource |
azurerm_linux_web_app |
Ensure that Azure Web App public network access is disabled |
Terraform |
AppServicePublicAccessDisabled.py |
2219 |
CKV_AZURE_222 |
resource |
azurerm_windows_web_app |
Ensure that Azure Web App public network access is disabled |
Terraform |
AppServicePublicAccessDisabled.py |
2220 |
CKV_AZURE_223 |
resource |
Microsoft.EventHub/namespaces |
Ensure Event Hub Namespace uses at least TLS 1.2 |
arm |
EventHubNamespaceMinTLS12.py |
2221 |
CKV_AZURE_223 |
resource |
Microsoft.EventHub/namespaces |
Ensure Event Hub Namespace uses at least TLS 1.2 |
Bicep |
EventHubNamespaceMinTLS12.py |
2222 |
CKV_AZURE_223 |
resource |
azurerm_eventhub_namespace |
Ensure Event Hub Namespace uses at least TLS 1.2 |
Terraform |
EventHubNamespaceMinTLS12.py |
2223 |
CKV_AZURE_224 |
resource |
azurerm_mssql_database |
Ensure that the Ledger feature is enabled on database that requires cryptographic proof and nonrepudiation of data integrity |
Terraform |
SQLDatabaseLedgerEnabled.py |
2224 |
CKV_AZURE_225 |
resource |
Microsoft.Web/serverfarms |
Ensure the App Service Plan is zone redundant |
arm |
AppServicePlanZoneRedundant.py |
2225 |
CKV_AZURE_225 |
resource |
Microsoft.Web/serverfarms |
Ensure the App Service Plan is zone redundant |
Bicep |
AppServicePlanZoneRedundant.py |
2226 |
CKV_AZURE_225 |
resource |
azurerm_service_plan |
Ensure the App Service Plan is zone redundant |
Terraform |
AppServicePlanZoneRedundant.py |
2227 |
CKV_AZURE_226 |
resource |
Microsoft.ContainerService/managedClusters |
Ensure ephemeral disks are used for OS disks |
arm |
AKSEphemeralOSDisks.py |
2228 |
CKV_AZURE_226 |
resource |
Microsoft.ContainerService/managedClusters |
Ensure ephemeral disks are used for OS disks |
Bicep |
AKSEphemeralOSDisks.py |
2229 |
CKV_AZURE_226 |
resource |
azurerm_kubernetes_cluster |
Ensure ephemeral disks are used for OS disks |
Terraform |
AKSEphemeralOSDisks.py |
2230 |
CKV_AZURE_227 |
resource |
Microsoft.ContainerService/managedClusters |
Ensure that the AKS cluster encrypt temp disks, caches, and data flows between Compute and Storage resources |
arm |
AKSEncryptionAtHostEnabled.py |
2231 |
CKV_AZURE_227 |
resource |
Microsoft.ContainerService/managedClusters |
Ensure that the AKS cluster encrypt temp disks, caches, and data flows between Compute and Storage resources |
Bicep |
AKSEncryptionAtHostEnabled.py |
2232 |
CKV_AZURE_227 |
resource |
Microsoft.ContainerService/managedClusters/agentPools |
Ensure that the AKS cluster encrypt temp disks, caches, and data flows between Compute and Storage resources |
arm |
AKSEncryptionAtHostEnabled.py |
2233 |
CKV_AZURE_227 |
resource |
Microsoft.ContainerService/managedClusters/agentPools |
Ensure that the AKS cluster encrypt temp disks, caches, and data flows between Compute and Storage resources |
Bicep |
AKSEncryptionAtHostEnabled.py |
2234 |
CKV_AZURE_227 |
resource |
azurerm_kubernetes_cluster |
Ensure that the AKS cluster encrypt temp disks, caches, and data flows between Compute and Storage resources |
Terraform |
AKSEncryptionAtHostEnabled.py |
2235 |
CKV_AZURE_227 |
resource |
azurerm_kubernetes_cluster_node_pool |
Ensure that the AKS cluster encrypt temp disks, caches, and data flows between Compute and Storage resources |
Terraform |
AKSEncryptionAtHostEnabled.py |
2236 |
CKV_AZURE_228 |
resource |
azurerm_eventhub_namespace |
Ensure the Azure Event Hub Namespace is zone redundant |
Terraform |
EventHubNamespaceZoneRedundant.py |
2237 |
CKV_AZURE_229 |
resource |
Microsoft.Sql/servers/databases |
Ensure the Azure SQL Database Namespace is zone redundant |
arm |
SQLDatabaseZoneRedundant.py |
2238 |
CKV_AZURE_229 |
resource |
Microsoft.Sql/servers/databases |
Ensure the Azure SQL Database Namespace is zone redundant |
Bicep |
SQLDatabaseZoneRedundant.py |
2239 |
CKV_AZURE_229 |
resource |
azurerm_mssql_database |
Ensure the Azure SQL Database Namespace is zone redundant |
Terraform |
SQLDatabaseZoneRedundant.py |
2240 |
CKV_AZURE_230 |
resource |
azurerm_redis_cache |
Standard Replication should be enabled |
Terraform |
RedisCacheStandardReplicationEnabled.py |
2241 |
CKV_AZURE_231 |
resource |
azurerm_app_service_environment_v3 |
Ensure App Service Environment is zone redundant |
Terraform |
AppServiceEnvironmentZoneRedundant.py |
2242 |
CKV_AZURE_232 |
resource |
azurerm_kubernetes_cluster |
Ensure that only critical system pods run on system nodes |
Terraform |
AKSOnlyCriticalPodsOnSystemNodes.py |
2243 |
CKV_AZURE_233 |
resource |
Microsoft.ContainerRegistry/registries |
Ensure Azure Container Registry (ACR) is zone redundant |
arm |
ACREnableZoneRedundancy.py |
2244 |
CKV_AZURE_233 |
resource |
Microsoft.ContainerRegistry/registries |
Ensure Azure Container Registry (ACR) is zone redundant |
Bicep |
ACREnableZoneRedundancy.py |
2245 |
CKV_AZURE_233 |
resource |
Microsoft.ContainerRegistry/registries/replications |
Ensure Azure Container Registry (ACR) is zone redundant |
arm |
ACREnableZoneRedundancy.py |
2246 |
CKV_AZURE_233 |
resource |
Microsoft.ContainerRegistry/registries/replications |
Ensure Azure Container Registry (ACR) is zone redundant |
Bicep |
ACREnableZoneRedundancy.py |
2247 |
CKV_AZURE_233 |
resource |
azurerm_container_registry |
Ensure Azure Container Registry (ACR) is zone redundant |
Terraform |
ACREnableZoneRedundancy.py |
2248 |
CKV_AZURE_234 |
resource |
azurerm_security_center_subscription_pricing |
Ensure that Azure Defender for cloud is set to On for Resource Manager |
Terraform |
AzureDefenderDisabledForResManager.py |
2249 |
CKV_AZURE_235 |
resource |
azurerm_container_group |
Ensure that Azure container environment variables are configured with secure values only |
Terraform |
AzureContainerInstanceEnvVarSecureValueType.py |
2250 |
CKV_AZURE_236 |
resource |
Microsoft.CognitiveServices/accounts |
Ensure that Cognitive Services accounts disable local authentication |
arm |
CognitiveServicesEnableLocalAuth.py |
2251 |
CKV_AZURE_236 |
resource |
Microsoft.CognitiveServices/accounts |
Ensure that Cognitive Services accounts disable local authentication |
Bicep |
CognitiveServicesEnableLocalAuth.py |
2252 |
CKV_AZURE_236 |
resource |
azurerm_cognitive_account |
Ensure that Cognitive Services accounts disable local authentication |
Terraform |
CognitiveServicesEnableLocalAuth.py |
2253 |
CKV_AZURE_237 |
resource |
azurerm_container_registry |
Ensure dedicated data endpoints are enabled. |
Terraform |
ACRDedicatedDataEndpointEnabled.py |
2254 |
CKV_AZURE_238 |
resource |
Microsoft.CognitiveServices/accounts |
Ensure that all Azure Cognitive Services accounts are configured with a managed identity |
arm |
CognitiveServicesConfigureIdentity.py |
2255 |
CKV_AZURE_238 |
resource |
Microsoft.CognitiveServices/accounts |
Ensure that all Azure Cognitive Services accounts are configured with a managed identity |
Bicep |
CognitiveServicesConfigureIdentity.py |
2256 |
CKV_AZURE_238 |
resource |
azurerm_cognitive_account |
Ensure that all Azure Cognitive Services accounts are configured with a managed identity |
Terraform |
CognitiveServicesConfigureIdentity.py |
2257 |
CKV_AZURE_239 |
resource |
Microsoft.Synapse/workspaces |
Ensure Azure Synapse Workspace administrator login password is not exposed |
arm |
SynapseWorkspaceAdministratorLoginPasswordHidden.py |
2258 |
CKV_AZURE_239 |
resource |
Microsoft.Synapse/workspaces |
Ensure Azure Synapse Workspace administrator login password is not exposed |
Bicep |
SynapseWorkspaceAdministratorLoginPasswordHidden.py |
2259 |
CKV_AZURE_239 |
resource |
azurerm_synapse_workspace |
Ensure Azure Synapse Workspace administrator login password is not exposed |
Terraform |
SynapseWorkspaceAdministratorLoginPasswordHidden.py |
2260 |
CKV_AZURE_240 |
resource |
Microsoft.Synapse/workspaces |
Ensure Azure Synapse Workspace is encrypted with a CMK |
arm |
SynapseWorkspaceCMKEncryption.py |
2261 |
CKV_AZURE_240 |
resource |
Microsoft.Synapse/workspaces |
Ensure Azure Synapse Workspace is encrypted with a CMK |
Bicep |
SynapseWorkspaceCMKEncryption.py |
2262 |
CKV_AZURE_240 |
resource |
azurerm_synapse_workspace |
Ensure Azure Synapse Workspace is encrypted with a CMK |
Terraform |
SynapseWorkspaceCMKEncryption.py |
2263 |
CKV_AZURE_241 |
resource |
azurerm_synapse_sql_pool |
Ensure Synapse SQL pools are encrypted |
Terraform |
SynapseSQLPoolDataEncryption.py |
2264 |
CKV_AZURE_242 |
resource |
Microsoft.Synapse/workspaces/bigDataPools |
Ensure isolated compute is enabled for Synapse Spark pools |
arm |
AzureSparkPoolIsolatedComputeEnabled.py |
2265 |
CKV_AZURE_242 |
resource |
Microsoft.Synapse/workspaces/bigDataPools |
Ensure isolated compute is enabled for Synapse Spark pools |
Bicep |
AzureSparkPoolIsolatedComputeEnabled.py |
2266 |
CKV_AZURE_242 |
resource |
azurerm_synapse_spark_pool |
Ensure isolated compute is enabled for Synapse Spark pools |
Terraform |
AzureSparkPoolIsolatedComputeEnabled.py |
2267 |
CKV_AZURE_243 |
resource |
Microsoft.MachineLearningServices/workspaces |
Ensure Azure Machine learning workspace is configured with private endpoint |
arm |
AzureMLWorkspacePrivateEndpoint.py |
2268 |
CKV_AZURE_243 |
resource |
Microsoft.MachineLearningServices/workspaces |
Ensure Azure Machine learning workspace is configured with private endpoint |
Bicep |
AzureMLWorkspacePrivateEndpoint.py |
2269 |
CKV_AZURE_244 |
resource |
azurerm_storage_account |
Avoid the use of local users for Azure Storage unless necessary |
Terraform |
StorageLocalUsers.py |
2270 |
CKV_AZURE_245 |
resource |
azurerm_container_group |
Ensure that Azure Container group is deployed into virtual network |
Terraform |
AzureContainerInstancePublicIPAddressType.py |
2271 |
CKV_AZURE_246 |
resource |
azurerm_kubernetes_cluster |
Ensure Azure AKS cluster HTTP application routing is disabled |
Terraform |
KubernetesClusterHTTPApplicationRouting.py |
2272 |
CKV2_AZURE_1 |
resource |
azurerm_storage_account |
Ensure storage for critical data are encrypted with Customer Managed Key |
Terraform |
StorageCriticalDataEncryptedCMK.yaml |
2273 |
CKV2_AZURE_2 |
resource |
azurerm_mssql_server_security_alert_policy |
Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account |
Terraform |
VAisEnabledInStorageAccount.yaml |
2274 |
CKV2_AZURE_2 |
resource |
azurerm_sql_server |
Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account |
Terraform |
VAisEnabledInStorageAccount.yaml |
2275 |
CKV2_AZURE_3 |
resource |
azurerm_mssql_server |
Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server |
Terraform |
VAsetPeriodicScansOnSQL.yaml |
2276 |
CKV2_AZURE_3 |
resource |
azurerm_mssql_server_security_alert_policy |
Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server |
Terraform |
VAsetPeriodicScansOnSQL.yaml |
2277 |
CKV2_AZURE_3 |
resource |
azurerm_mssql_server_vulnerability_assessment |
Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server |
Terraform |
VAsetPeriodicScansOnSQL.yaml |
2278 |
CKV2_AZURE_3 |
resource |
azurerm_sql_server |
Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server |
Terraform |
VAsetPeriodicScansOnSQL.yaml |
2279 |
CKV2_AZURE_4 |
resource |
azurerm_mssql_server |
Ensure Azure SQL server ADS VA Send scan reports to is configured |
Terraform |
VAconfiguredToSendReports.yaml |
2280 |
CKV2_AZURE_4 |
resource |
azurerm_mssql_server_security_alert_policy |
Ensure Azure SQL server ADS VA Send scan reports to is configured |
Terraform |
VAconfiguredToSendReports.yaml |
2281 |
CKV2_AZURE_4 |
resource |
azurerm_mssql_server_vulnerability_assessment |
Ensure Azure SQL server ADS VA Send scan reports to is configured |
Terraform |
VAconfiguredToSendReports.yaml |
2282 |
CKV2_AZURE_4 |
resource |
azurerm_sql_server |
Ensure Azure SQL server ADS VA Send scan reports to is configured |
Terraform |
VAconfiguredToSendReports.yaml |
2283 |
CKV2_AZURE_5 |
resource |
azurerm_mssql_server |
Ensure that VA setting ‘Also send email notifications to admins and subscription owners’ is set for a SQL server |
Terraform |
VAconfiguredToSendReportsToAdmins.yaml |
2284 |
CKV2_AZURE_5 |
resource |
azurerm_mssql_server_security_alert_policy |
Ensure that VA setting ‘Also send email notifications to admins and subscription owners’ is set for a SQL server |
Terraform |
VAconfiguredToSendReportsToAdmins.yaml |
2285 |
CKV2_AZURE_5 |
resource |
azurerm_mssql_server_vulnerability_assessment |
Ensure that VA setting ‘Also send email notifications to admins and subscription owners’ is set for a SQL server |
Terraform |
VAconfiguredToSendReportsToAdmins.yaml |
2286 |
CKV2_AZURE_5 |
resource |
azurerm_sql_server |
Ensure that VA setting ‘Also send email notifications to admins and subscription owners’ is set for a SQL server |
Terraform |
VAconfiguredToSendReportsToAdmins.yaml |
2287 |
CKV2_AZURE_6 |
resource |
azurerm_sql_firewall_rule |
Ensure ‘Allow access to Azure services’ for PostgreSQL Database Server is disabled |
Terraform |
AccessToPostgreSQLFromAzureServicesIsDisabled.yaml |
2288 |
CKV2_AZURE_6 |
resource |
azurerm_sql_server |
Ensure ‘Allow access to Azure services’ for PostgreSQL Database Server is disabled |
Terraform |
AccessToPostgreSQLFromAzureServicesIsDisabled.yaml |
2289 |
CKV2_AZURE_7 |
resource |
azurerm_sql_server |
Ensure that Azure Active Directory Admin is configured |
Terraform |
AzureActiveDirectoryAdminIsConfigured.yaml |
2290 |
CKV2_AZURE_8 |
resource |
azurerm_monitor_activity_log_alert |
Ensure the storage container storing the activity logs is not publicly accessible |
Terraform |
StorageContainerActivityLogsNotPublic.yaml |
2291 |
CKV2_AZURE_8 |
resource |
azurerm_storage_account |
Ensure the storage container storing the activity logs is not publicly accessible |
Terraform |
StorageContainerActivityLogsNotPublic.yaml |
2292 |
CKV2_AZURE_8 |
resource |
azurerm_storage_container |
Ensure the storage container storing the activity logs is not publicly accessible |
Terraform |
StorageContainerActivityLogsNotPublic.yaml |
2293 |
CKV2_AZURE_9 |
resource |
azurerm_virtual_machine |
Ensure Virtual Machines are utilizing Managed Disks |
Terraform |
VirtualMachinesUtilizingManagedDisks.yaml |
2294 |
CKV2_AZURE_10 |
resource |
azurerm_virtual_machine |
| | Id | Type | Entity | Policy | IaC | Resource Link |
| --- | --- | --- | --- | --- | --- | --- |
| | | | | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | AzureAntimalwareIsConfiguredWithAutoUpdatesForVMs.yaml |
| 2295 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | AzureAntimalwareIsConfiguredWithAutoUpdatesForVMs.yaml |
| 2296 | CKV2_AZURE_11 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer encryption at rest uses a customer-managed key | Terraform | DataExplorerEncryptionUsesCustomKey.yaml |
| 2297 | CKV2_AZURE_12 | resource | azurerm_virtual_machine | Ensure that virtual machines are backed up using Azure Backup | Terraform | VMHasBackUpMachine.yaml |
| 2298 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | AzureMSSQLServerHasSecurityAlertPolicy.yaml |
| 2299 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | AzureMSSQLServerHasSecurityAlertPolicy.yaml |
| 2300 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | AzureUnattachedDisksAreEncrypted.yaml |
| 2301 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | AzureUnattachedDisksAreEncrypted.yaml |
| 2302 | CKV2_AZURE_15 | resource | azurerm_data_factory | Ensure that Azure data factories are encrypted with a customer-managed key | Terraform | AzureDataFactoriesEncryptedWithCustomerManagedKey.yaml |
| 2303 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | MSQLenablesCustomerManagedKey.yaml |
| 2304 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | MSQLenablesCustomerManagedKey.yaml |
| 2305 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | PGSQLenablesCustomerManagedKey.yaml |
| 2306 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | PGSQLenablesCustomerManagedKey.yaml |
| 2307 | CKV2_AZURE_19 | resource | Microsoft.Synapse/workspaces | Ensure that Azure Synapse workspaces have no IP firewall rules attached | arm | AzureSynapseWorkspacesHaveNoIPFirewallRulesAttached.py |
| 2308 | CKV2_AZURE_19 | resource | Microsoft.Synapse/workspaces | Ensure that Azure Synapse workspaces have no IP firewall rules attached | Bicep | AzureSynapseWorkspacesHaveNoIPFirewallRulesAttached.py |
| 2309 | CKV2_AZURE_19 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces have no IP firewall rules attached | Terraform | AzureSynapseWorkspacesHaveNoIPFirewallRulesAttached.yaml |
| 2310 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | StorageLoggingIsEnabledForTableService.yaml |
| 2311 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | StorageLoggingIsEnabledForTableService.yaml |
| 2312 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | StorageLoggingIsEnabledForTableService.yaml |
| 2313 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | StorageLoggingIsEnabledForBlobService.yaml |
| 2314 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | StorageLoggingIsEnabledForBlobService.yaml |
| 2315 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | StorageLoggingIsEnabledForBlobService.yaml |
| 2316 | CKV2_AZURE_22 | resource | azurerm_cognitive_account | Ensure that Cognitive Services enables customer-managed key for encryption | Terraform | CognitiveServicesCustomerManagedKey.yaml |
| 2317 | CKV2_AZURE_22 | resource | azurerm_cognitive_account_customer_managed_key | Ensure that Cognitive Services enables customer-managed key for encryption | Terraform | CognitiveServicesCustomerManagedKey.yaml |
| 2318 | CKV2_AZURE_23 | resource | Microsoft.AppPlatform/Spring | Ensure Azure spring cloud is configured with Virtual network (Vnet) | arm | AzureSpringCloudConfigWithVnet.yaml |
| 2319 | CKV2_AZURE_23 | resource | azurerm_spring_cloud_service | Ensure Azure spring cloud is configured with Virtual network (Vnet) | Terraform | AzureSpringCloudConfigWithVnet.yaml |
| 2320 | CKV2_AZURE_24 | resource | azurerm_automation_account | Ensure Azure automation account does NOT have overly permissive network access | Terraform | AzureAutomationAccNotOverlyPermissiveNetAccess.yaml |
| 2321 | CKV2_AZURE_25 | resource | azurerm_mssql_database | Ensure Azure SQL database Transparent Data Encryption (TDE) is enabled | Terraform | AzureSqlDbEnableTransparentDataEncryption.yaml |
| 2322 | CKV2_AZURE_26 | resource | azurerm_postgresql_flexible_server_firewall_rule | Ensure Azure PostgreSQL Flexible server is not configured with overly permissive network access | Terraform | AzurePostgreSQLFlexServerNotOverlyPermissive.yaml |
| 2323 | CKV2_AZURE_27 | resource | Microsoft.Sql/servers | Ensure Azure AD authentication is enabled for Azure SQL (MSSQL) | arm | SQLServerUsesADAuth.py |
| 2324 | CKV2_AZURE_27 | resource | Microsoft.Sql/servers | Ensure Azure AD authentication is enabled for Azure SQL (MSSQL) | Bicep | SQLServerUsesADAuth.py |
| 2325 | CKV2_AZURE_27 | resource | azurerm_mssql_server | Ensure Azure AD authentication is enabled for Azure SQL (MSSQL) | Terraform | AzureConfigMSSQLwithAD.yaml |
| 2326 | CKV2_AZURE_28 | resource | azurerm_container_group | Ensure Container Instance is configured with managed identity | Terraform | AzureContainerInstanceconfigManagedIdentity.yaml |
| 2327 | CKV2_AZURE_29 | resource | azurerm_kubernetes_cluster | Ensure AKS cluster has Azure CNI networking enabled | Terraform | AzureAKSclusterAzureCNIEnabled.yaml |
| 2328 | CKV2_AZURE_30 | resource | azurerm_container_registry_webhook | Ensure Azure Container Registry (ACR) has HTTPS enabled for webhook | Terraform | AzureACR_HTTPSwebhook.yaml |
| 2329 | CKV2_AZURE_31 | resource | azurerm_subnet | Ensure VNET subnet is configured with a Network Security Group (NSG) | Terraform | AzureSubnetConfigWithNSG.yaml |
| 2330 | CKV2_AZURE_32 | resource | azurerm_key_vault | Ensure private endpoint is configured to key vault | Terraform | AzureKeyVaultConfigPrivateEndpoint.yaml |
| 2331 | CKV2_AZURE_33 | resource | azurerm_storage_account | Ensure storage account is configured with private endpoint | Terraform | AzureStorageAccConfigWithPrivateEndpoint.yaml |
| 2332 | CKV2_AZURE_34 | resource | azurerm_sql_firewall_rule | Ensure Azure SQL server firewall is not overly permissive | Terraform | AzureSQLserverNotOverlyPermissive.yaml |
| 2333 | CKV2_AZURE_35 | resource | azurerm_recovery_services_vault | Ensure Azure recovery services vault is configured with managed identity | Terraform | AzureRecoveryServicesvaultConfigManagedIdentity.yaml |
| 2334 | CKV2_AZURE_36 | resource | azurerm_automation_account | Ensure Azure automation account is configured with managed identity | Terraform | AzureAutomationAccConfigManagedIdentity.yaml |
| 2335 | CKV2_AZURE_37 | resource | azurerm_mariadb_server | Ensure Azure MariaDB server is using latest TLS (1.2) | Terraform | AzureMariaDBserverUsingTLS_1_2.yaml |
| 2336 | CKV2_AZURE_38 | resource | azurerm_storage_account | Ensure soft-delete is enabled on Azure storage account | Terraform | AzureStorageAccountEnableSoftDelete.yaml |
| 2337 | CKV2_AZURE_39 | resource | azurerm_linux_virtual_machine | Ensure Azure VM is not configured with public IP and serial console access | Terraform | AzureVMconfigPublicIP_SerialConsoleAccess.yaml |
| 2338 | CKV2_AZURE_39 | resource | azurerm_network_interface | Ensure Azure VM is not configured with public IP and serial console access | Terraform | AzureVMconfigPublicIP_SerialConsoleAccess.yaml |
| 2339 | CKV2_AZURE_39 | resource | azurerm_virtual_machine | Ensure Azure VM is not configured with public IP and serial console access | Terraform | AzureVMconfigPublicIP_SerialConsoleAccess.yaml |
| 2340 | CKV2_AZURE_39 | resource | azurerm_windows_virtual_machine | Ensure Azure VM is not configured with public IP and serial console access | Terraform | AzureVMconfigPublicIP_SerialConsoleAccess.yaml |
| 2341 | CKV2_AZURE_40 | resource | azurerm_storage_account | Ensure storage account is not configured with Shared Key authorization | Terraform | AzureStorageAccConfigSharedKeyAuth.yaml |
| 2342 | CKV2_AZURE_41 | resource | azurerm_storage_account | Ensure storage account is configured with SAS expiration policy | Terraform | AzureStorageAccConfig_SAS_expirePolicy.yaml |
| 2343 | CKV2_AZURE_42 | resource | azurerm_postgresql_server | Ensure Azure PostgreSQL server is configured with private endpoint | Terraform | AzurePostgreSQLserverConfigPrivEndpt.yaml |
| 2344 | CKV2_AZURE_43 | resource | azurerm_mariadb_server | Ensure Azure MariaDB server is configured with private endpoint | Terraform | AzureMariaDBserverConfigPrivEndpt.yaml |
| 2345 | CKV2_AZURE_44 | resource | azurerm_mysql_server | Ensure Azure MySQL server is configured with private endpoint | Terraform | AzureMySQLserverConfigPrivEndpt.yaml |
| 2346 | CKV2_AZURE_45 | resource | azurerm_mssql_server | Ensure Microsoft SQL server is configured with private endpoint | Terraform | AzureMSSQLserverConfigPrivEndpt.yaml |
| 2347 | CKV2_AZURE_46 | resource | Microsoft.Synapse/workspaces/vulnerabilityAssessments | Ensure that Azure Synapse Workspace vulnerability assessment is enabled | arm | AzureSynapseWorkspaceVAisEnabled.py |
| 2348 | CKV2_AZURE_46 | resource | Microsoft.Synapse/workspaces/vulnerabilityAssessments | Ensure that Azure Synapse Workspace vulnerability assessment is enabled | Bicep | AzureSynapseWorkspaceVAisEnabled.py |
| 2349 | CKV2_AZURE_46 | resource | azurerm_synapse_workspace_security_alert_policy | Ensure that Azure Synapse Workspace vulnerability assessment is enabled | Terraform | AzureSynapseWorkspaceVAisEnabled.yaml |
| 2350 | CKV2_AZURE_46 | resource | azurerm_synapse_workspace_vulnerability_assessment | Ensure that Azure Synapse Workspace vulnerability assessment is enabled | Terraform | AzureSynapseWorkspaceVAisEnabled.yaml |
| 2351 | CKV2_AZURE_47 | resource | azurerm_storage_account | Ensure storage account is configured without blob anonymous access | Terraform | AzureStorageAccConfigWithoutBlobAnonymousAccess.yaml |
| 2352 | CKV2_AZURE_48 | resource | Microsoft.Databricks/workspaces | Ensure that Databricks Workspaces enables customer-managed key for root DBFS encryption | arm | DatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey.py |
| 2353 | CKV2_AZURE_48 | resource | Microsoft.Databricks/workspaces | Ensure that Databricks Workspaces enables customer-managed key for root DBFS encryption | Bicep | DatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey.py |
| 2354 | CKV2_AZURE_48 | resource | azurerm_databricks_workspace | Ensure that Databricks Workspaces enables customer-managed key for root DBFS encryption | Terraform | DatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey.yaml |
| 2355 | CKV2_AZURE_49 | resource | Microsoft.MachineLearningServices/workspaces | Ensure that Azure Machine learning workspace is not configured with overly permissive network access | arm | AzureMLWorkspacePublicNetwork.yaml |
| 2356 | CKV2_AZURE_49 | resource | azurerm_machine_learning_workspace | Ensure that Azure Machine learning workspace is not configured with overly permissive network access | Terraform | AzureMLWorkspacePublicNetwork.yaml |
| 2357 | CKV2_AZURE_50 | resource | azurerm_machine_learning_workspace | Ensure Azure Storage Account storing Machine Learning workspace high business impact data is not publicly accessible | Terraform | AzureMLWorkspaceHBIPublicNetwork.yaml |
| 2358 | CKV2_AZURE_50 | resource | azurerm_storage_account | Ensure Azure Storage Account storing Machine Learning workspace high business impact data is not publicly accessible | Terraform | AzureMLWorkspaceHBIPublicNetwork.yaml |
| 2359 | CKV2_AZURE_51 | resource | Microsoft.Sql/servers/securityAlertPolicies | Ensure Synapse SQL Pool has a security alert policy | arm | SynapseSQLPoolHasSecurityAlertPolicy.yaml |
| 2360 | CKV2_AZURE_51 | resource | Microsoft.Synapse/workspaces/sqlPools | Ensure Synapse SQL Pool has a security alert policy | arm | SynapseSQLPoolHasSecurityAlertPolicy.yaml |
| 2361 | CKV2_AZURE_51 | resource | azurerm_synapse_sql_pool | Ensure Synapse SQL Pool has a security alert policy | Terraform | SynapseSQLPoolHasSecurityAlertPolicy.yaml |
| 2362 | CKV2_AZURE_51 | resource | azurerm_synapse_sql_pool_security_alert_policy | Ensure Synapse SQL Pool has a security alert policy | Terraform | SynapseSQLPoolHasSecurityAlertPolicy.yaml |
| 2363 | CKV2_AZURE_52 | resource | Microsoft.Sql/servers/securityAlertPolicies | Ensure Synapse SQL Pool has vulnerability assessment attached | arm | SynapseSQLPoolHasVulnerabilityAssessment.yaml |
| 2364 | CKV2_AZURE_52 | resource | Microsoft.Sql/servers/vulnerabilityAssessments | Ensure Synapse SQL Pool has vulnerability assessment attached | arm | SynapseSQLPoolHasVulnerabilityAssessment.yaml |
| 2365 | CKV2_AZURE_52 | resource | Microsoft.Synapse/workspaces/sqlPools | Ensure Synapse SQL Pool has vulnerability assessment attached | arm | SynapseSQLPoolHasVulnerabilityAssessment.yaml |
| 2366 | CKV2_AZURE_52 | resource | azurerm_synapse_sql_pool | Ensure Synapse SQL Pool has vulnerability assessment attached | Terraform | SynapseSQLPoolHasVulnerabilityAssessment.yaml |
| 2367 | CKV2_AZURE_52 | resource | azurerm_synapse_sql_pool_security_alert_policy | Ensure Synapse SQL Pool has vulnerability assessment attached | Terraform | SynapseSQLPoolHasVulnerabilityAssessment.yaml |
| 2368 | CKV2_AZURE_52 | resource | azurerm_synapse_sql_pool_vulnerability_assessment | Ensure Synapse SQL Pool has vulnerability assessment attached | Terraform | SynapseSQLPoolHasVulnerabilityAssessment.yaml |
| 2369 | CKV2_AZURE_53 | resource | Microsoft.Synapse/workspaces | Ensure Azure Synapse Workspace has extended audit logs | arm | SynapseWorkspaceHasExtendedAuditLogs.yaml |
| 2370 | CKV2_AZURE_53 | resource | Microsoft.Synapse/workspaces/extendedAuditingPolicies | Ensure Azure Synapse Workspace has extended audit logs | arm | SynapseWorkspaceHasExtendedAuditLogs.yaml |
| 2371 | CKV2_AZURE_53 | resource | azurerm_synapse_workspace | Ensure Azure Synapse Workspace has extended audit logs | Terraform | SynapseWorkspaceHasExtendedAuditLogs.yaml |
| 2372 | CKV2_AZURE_54 | resource | Microsoft.Synapse/workspaces/sqlPools | Ensure log monitoring is enabled for Synapse SQL Pool | arm | SynapseLogMonitoringEnabledForSQLPool.yaml |
| 2373 | CKV2_AZURE_54 | resource | Microsoft.Synapse/workspaces/sqlPools/auditingSettings | Ensure log monitoring is enabled for Synapse SQL Pool | arm | SynapseLogMonitoringEnabledForSQLPool.yaml |
| 2374 | CKV2_AZURE_54 | resource | azurerm_synapse_sql_pool | Ensure log monitoring is enabled for Synapse SQL Pool | Terraform | SynapseLogMonitoringEnabledForSQLPool.yaml |
| 2375 | CKV2_AZURE_54 | resource | azurerm_synapse_sql_pool_extended_auditing_policy | Ensure log monitoring is enabled for Synapse SQL Pool | Terraform | SynapseLogMonitoringEnabledForSQLPool.yaml |
| 2376 | CKV2_AZURE_55 | resource | azurerm_spring_cloud_app | Ensure Azure Spring Cloud app end-to-end TLS is enabled | Terraform | AzureSpringCloudTLSDisabled.yaml |
| 2377 | CKV2_AZURE_55 | resource | azurerm_spring_cloud_service | Ensure Azure Spring Cloud app end-to-end TLS is enabled | Terraform | AzureSpringCloudTLSDisabled.yaml |
| 2378 | CKV_AZUREPIPELINES_1 | azure_pipelines | jobs | Ensure container job uses a non latest version tag | Azure Pipelines | ContainerLatestTag.py |
| 2379 | CKV_AZUREPIPELINES_1 | azure_pipelines | stages[].jobs[] | Ensure container job uses a non latest version tag | Azure Pipelines | ContainerLatestTag.py |
| 2380 | CKV_AZUREPIPELINES_2 | azure_pipelines | jobs | Ensure container job uses a version digest | Azure Pipelines | ContainerDigest.py |
| 2381 | CKV_AZUREPIPELINES_2 | azure_pipelines | stages[].jobs[] | Ensure container job uses a version digest | Azure Pipelines | ContainerDigest.py |
| 2382 | CKV_AZUREPIPELINES_3 | azure_pipelines | jobs[].steps[] | Ensure set variable is not marked as a secret | Azure Pipelines | SetSecretVariable.py |
| 2383 | CKV_AZUREPIPELINES_3 | azure_pipelines | stages[].jobs[].steps[] | Ensure set variable is not marked as a secret | Azure Pipelines | SetSecretVariable.py |
| 2384 | CKV_AZUREPIPELINES_5 | azure_pipelines | *.container[] | Detecting image usages in azure pipelines workflows | Azure Pipelines | DetectImagesUsage.py |
| 2385 | CKV_AZUREPIPELINES_5 | azure_pipelines | jobs[] | Detecting image usages in azure pipelines workflows | Azure Pipelines | DetectImagesUsage.py |
| 2386 | CKV_AZUREPIPELINES_5 | azure_pipelines | stages[].jobs[] | Detecting image usages in azure pipelines workflows | Azure Pipelines | DetectImagesUsage.py |
| 2387 | CKV_BCW_1 | provider | bridgecrew | Ensure no hard coded API token exist in the provider | Terraform | credentials.py |
| 2388 | CKV_BITBUCKET_1 | bitbucket_configuration | * | Merge requests should require at least 2 approvals | bitbucket_configuration | merge_requests_approvals.py |
| 2389 | CKV_BITBUCKETPIPELINES_1 | bitbucket_pipelines | [{image:image,startline:startline,endline:endline}] | Ensure the pipeline image uses a non latest version tag | bitbucket_pipelines | latest_image.py |
| 2390 | CKV_BITBUCKETPIPELINES_1 | bitbucket_pipelines | pipelines..[][][][].step.{image: image, startline: startline, endline:endline} | Ensure the pipeline image uses a non latest version tag | bitbucket_pipelines | latest_image.py |
| 2391 | CKV_BITBUCKETPIPELINES_1 | bitbucket_pipelines | pipelines.default[].step.{image: image, startline: startline, endline:endline} | Ensure the pipeline image uses a non latest version tag | bitbucket_pipelines | latest_image.py |
| 2392 | CKV_CIRCLECIPIPELINES_1 | circleci_pipelines | jobs.*.docker[].{image: image, startline: startline, endline:endline} | Ensure the pipeline image uses a non latest version tag | circleci_pipelines | latest_image.py |
| 2393 | CKV_CIRCLECIPIPELINES_2 | circleci_pipelines | jobs.*.docker[].{image: image, startline: startline, endline:endline} | Ensure the pipeline image version is referenced via hash not arbitrary tag. | circleci_pipelines | image_version_not_hash.py |
| 2394 | CKV_CIRCLECIPIPELINES_3 | circleci_pipelines | orbs.{orbs: @} | Ensure mutable development orbs are not used. | circleci_pipelines | prevent_development_orbs.py |
| 2395 | CKV_CIRCLECIPIPELINES_4 | circleci_pipelines | orbs.{orbs: @} | Ensure unversioned volatile orbs are not used. | circleci_pipelines | prevent_volatile_orbs.py |
| 2396 | CKV_CIRCLECIPIPELINES_5 | circleci_pipelines | jobs.*.steps[] | Suspicious use of netcat with IP address | circleci_pipelines | ReverseShellNetcat.py |
| 2397 | CKV_CIRCLECIPIPELINES_6 | circleci_pipelines | jobs.*.steps[] | Ensure run commands are not vulnerable to shell injection | circleci_pipelines | ShellInjection.py |
| 2398 | CKV_CIRCLECIPIPELINES_7 | circleci_pipelines | jobs.*.steps[] | Suspicious use of curl in run task | circleci_pipelines | SuspectCurlInScript.py |
| 2399 | CKV_CIRCLECIPIPELINES_8 | circleci_pipelines | executors.*.docker[].{image: image, startline: startline, endline:endline} | Detecting image usages in circleci pipelines | circleci_pipelines | DetectImagesUsage.py |
| 2400 | CKV_CIRCLECIPIPELINES_8 | circleci_pipelines | jobs.*.docker[].{image: image, startline: startline, endline:endline} | Detecting image usages in circleci pipelines | circleci_pipelines | DetectImagesUsage.py |
| 2401 | CKV_DIO_1 | resource | digitalocean_spaces_bucket | Ensure the Spaces bucket has versioning enabled | Terraform | SpacesBucketVersioning.py |
| 2402 | CKV_DIO_2 | resource | digitalocean_droplet | Ensure the droplet specifies an SSH key | Terraform | DropletSSHKeys.py |
| 2403 | CKV_DIO_3 | resource | digitalocean_spaces_bucket | Ensure the Spaces bucket is private | Terraform | SpacesBucketPublicRead.py |
| 2404 | CKV_DIO_4 | resource | digitalocean_firewall | Ensure the firewall ingress is not wide open | Terraform | FirewallIngressOpen.py |
| 2405 | CKV_DOCKER_1 | dockerfile | EXPOSE | Ensure port 22 is not exposed | dockerfile | ExposePort22.py |
| 2406 | CKV_DOCKER_2 | dockerfile | * | Ensure that HEALTHCHECK instructions have been added to container images | | |