| 0 |
CKV_AWS_1 |
data |
aws_iam_policy_document |
Ensure IAM policies that allow full “-” administrative privileges are not created |
Terraform |
| 1 |
CKV_AWS_1 |
resource |
serverless_aws |
Ensure IAM policies that allow full “-” administrative privileges are not created |
serverless |
| 2 |
CKV_AWS_2 |
resource |
aws_lb_listener |
Ensure ALB protocol is HTTPS |
Terraform |
| 3 |
CKV_AWS_2 |
resource |
AWS::ElasticLoadBalancingV2::Listener |
Ensure ALB protocol is HTTPS |
Cloudformation |
| 4 |
CKV_AWS_3 |
resource |
aws_ebs_volume |
Ensure all data stored in the EBS is securely encrypted |
Terraform |
| 5 |
CKV_AWS_3 |
resource |
AWS::EC2::Volume |
Ensure all data stored in the EBS is securely encrypted |
Cloudformation |
| 6 |
CKV_AWS_5 |
resource |
aws_elasticsearch_domain |
Ensure all data stored in the Elasticsearch is securely encrypted at rest |
Terraform |
| 7 |
CKV_AWS_5 |
resource |
AWS::Elasticsearch::Domain |
Ensure all data stored in the Elasticsearch is securely encrypted at rest |
Cloudformation |
| 8 |
CKV_AWS_6 |
resource |
aws_elasticsearch_domain |
Ensure all Elasticsearch has node-to-node encryption enabled |
Terraform |
| 9 |
CKV_AWS_6 |
resource |
AWS::Elasticsearch::Domain |
Ensure all Elasticsearch has node-to-node encryption enabled |
Cloudformation |
| 10 |
CKV_AWS_7 |
resource |
aws_kms_key |
Ensure rotation for customer created CMKs is enabled |
Terraform |
| 11 |
CKV_AWS_7 |
resource |
AWS::KMS::Key |
Ensure rotation for customer created CMKs is enabled |
Cloudformation |
| 12 |
CKV_AWS_8 |
resource |
aws_instance |
Ensure all data stored in the Launch configuration EBS is securely encrypted |
Terraform |
| 13 |
CKV_AWS_8 |
resource |
aws_launch_configuration |
Ensure all data stored in the Launch configuration EBS is securely encrypted |
Terraform |
| 14 |
CKV_AWS_8 |
resource |
AWS::AutoScaling::LaunchConfiguration |
Ensure all data stored in the Launch configuration EBS is securely encrypted |
Cloudformation |
| 15 |
CKV_AWS_9 |
resource |
aws_iam_account_password_policy |
Ensure IAM password policy expires passwords within 90 days or less |
Terraform |
| 16 |
CKV_AWS_10 |
resource |
aws_iam_account_password_policy |
Ensure IAM password policy requires minimum length of 14 or greater |
Terraform |
| 17 |
CKV_AWS_11 |
resource |
aws_iam_account_password_policy |
Ensure IAM password policy requires at least one lowercase letter |
Terraform |
| 18 |
CKV_AWS_12 |
resource |
aws_iam_account_password_policy |
Ensure IAM password policy requires at least one number |
Terraform |
| 19 |
CKV_AWS_13 |
resource |
aws_iam_account_password_policy |
Ensure IAM password policy prevents password reuse |
Terraform |
| 20 |
CKV_AWS_14 |
resource |
aws_iam_account_password_policy |
Ensure IAM password policy requires at least one symbol |
Terraform |
| 21 |
CKV_AWS_15 |
resource |
aws_iam_account_password_policy |
Ensure IAM password policy requires at least one uppercase letter |
Terraform |
| 22 |
CKV_AWS_16 |
resource |
aws_db_instance |
Ensure all data stored in the RDS is securely encrypted at rest |
Terraform |
| 23 |
CKV_AWS_16 |
resource |
AWS::RDS::DBInstance |
Ensure all data stored in the RDS is securely encrypted at rest |
Cloudformation |
| 24 |
CKV_AWS_17 |
resource |
aws_db_instance |
Ensure all data stored in RDS is not publicly accessible |
Terraform |
| 25 |
CKV_AWS_17 |
resource |
aws_rds_cluster_instance |
Ensure all data stored in RDS is not publicly accessible |
Terraform |
| 26 |
CKV_AWS_17 |
resource |
AWS::RDS::DBInstance |
Ensure all data stored in RDS is not publicly accessible |
Cloudformation |
| 27 |
CKV_AWS_18 |
resource |
aws_s3_bucket |
Ensure the S3 bucket has access logging enabled |
Terraform |
| 28 |
CKV_AWS_18 |
resource |
AWS::S3::Bucket |
Ensure the S3 bucket has access logging enabled |
Cloudformation |
| 29 |
CKV_AWS_19 |
resource |
aws_s3_bucket |
Ensure all data stored in the S3 bucket is securely encrypted at rest |
Terraform |
| 30 |
CKV_AWS_19 |
resource |
AWS::S3::Bucket |
Ensure the S3 bucket has server-side-encryption enabled |
Cloudformation |
| 31 |
CKV_AWS_20 |
resource |
aws_s3_bucket |
S3 Bucket has an ACL defined which allows public READ access. |
Terraform |
| 32 |
CKV_AWS_20 |
resource |
AWS::S3::Bucket |
Ensure the S3 bucket does not allow READ permissions to everyone |
Cloudformation |
| 33 |
CKV_AWS_21 |
resource |
aws_s3_bucket |
Ensure all data stored in the S3 bucket have versioning enabled |
Terraform |
| 34 |
CKV_AWS_21 |
resource |
AWS::S3::Bucket |
Ensure the S3 bucket has versioning enabled |
Cloudformation |
| 35 |
CKV_AWS_22 |
resource |
aws_sagemaker_notebook_instance |
Ensure SageMaker Notebook is encrypted at rest using KMS CMK |
Terraform |
| 36 |
CKV_AWS_23 |
resource |
aws_security_group |
Ensure every security groups rule has a description |
Terraform |
| 37 |
CKV_AWS_23 |
resource |
aws_security_group_rule |
Ensure every security groups rule has a description |
Terraform |
| 38 |
CKV_AWS_23 |
resource |
aws_db_security_group |
Ensure every security groups rule has a description |
Terraform |
| 39 |
CKV_AWS_23 |
resource |
aws_elasticache_security_group |
Ensure every security groups rule has a description |
Terraform |
| 40 |
CKV_AWS_23 |
resource |
aws_redshift_security_group |
Ensure every security groups rule has a description |
Terraform |
| 41 |
CKV_AWS_23 |
resource |
AWS::EC2::SecurityGroup |
Ensure every security groups rule has a description |
Cloudformation |
| 42 |
CKV_AWS_23 |
resource |
AWS::EC2::SecurityGroupIngress |
Ensure every security groups rule has a description |
Cloudformation |
| 43 |
CKV_AWS_23 |
resource |
AWS::EC2::SecurityGroupEgress |
Ensure every security groups rule has a description |
Cloudformation |
| 44 |
CKV_AWS_24 |
resource |
aws_security_group |
Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 |
Terraform |
| 45 |
CKV_AWS_24 |
resource |
aws_security_group_rule |
Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 |
Terraform |
| 46 |
CKV_AWS_24 |
resource |
AWS::EC2::SecurityGroup |
Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 |
Cloudformation |
| 47 |
CKV_AWS_24 |
resource |
AWS::EC2::SecurityGroupIngress |
Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 |
Cloudformation |
| 48 |
CKV_AWS_25 |
resource |
aws_security_group |
Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 |
Terraform |
| 49 |
CKV_AWS_25 |
resource |
aws_security_group_rule |
Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 |
Terraform |
| 50 |
CKV_AWS_25 |
resource |
AWS::EC2::SecurityGroup |
Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 |
Cloudformation |
| 51 |
CKV_AWS_25 |
resource |
AWS::EC2::SecurityGroupIngress |
Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 |
Cloudformation |
| 52 |
CKV_AWS_26 |
resource |
aws_sns_topic |
Ensure all data stored in the SNS topic is encrypted |
Terraform |
| 53 |
CKV_AWS_26 |
resource |
AWS::SNS::Topic |
Ensure all data stored in the SNS topic is encrypted |
Cloudformation |
| 54 |
CKV_AWS_27 |
resource |
aws_sqs_queue |
Ensure all data stored in the SQS queue is encrypted |
Terraform |
| 55 |
CKV_AWS_27 |
resource |
AWS::SQS::Queue |
Ensure all data stored in the SQS queue is encrypted |
Cloudformation |
| 56 |
CKV_AWS_28 |
resource |
aws_dynamodb_table |
Ensure Dynamodb point in time recovery (backup) is enabled |
Terraform |
| 57 |
CKV_AWS_28 |
resource |
AWS::DynamoDB::Table |
Ensure Dynamodb point in time recovery (backup) is enabled |
Cloudformation |
| 58 |
CKV_AWS_29 |
resource |
aws_elasticache_replication_group |
Ensure all data stored in the Elasticache Replication Group is securely encrypted at rest |
Terraform |
| 59 |
CKV_AWS_29 |
resource |
AWS::ElastiCache::ReplicationGroup |
Ensure all data stored in the Elasticache Replication Group is securely encrypted at rest |
Cloudformation |
| 60 |
CKV_AWS_30 |
resource |
aws_elasticache_replication_group |
Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit |
Terraform |
| 61 |
CKV_AWS_30 |
resource |
AWS::ElastiCache::ReplicationGroup |
Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit |
Cloudformation |
| 62 |
CKV_AWS_31 |
resource |
aws_elasticache_replication_group |
Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit and has auth token |
Terraform |
| 63 |
CKV_AWS_31 |
resource |
AWS::ElastiCache::ReplicationGroup |
Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit and has auth token |
Cloudformation |
| 64 |
CKV_AWS_32 |
resource |
aws_ecr_repository_policy |
Ensure ECR policy is not set to public |
Terraform |
| 65 |
CKV_AWS_32 |
resource |
AWS::ECR::Repository |
Ensure ECR policy is not set to public |
Cloudformation |
| 66 |
CKV_AWS_33 |
resource |
aws_kms_key |
Ensure KMS key policy does not contain wildcard (*) principal |
Terraform |
| 67 |
CKV_AWS_33 |
resource |
AWS::KMS::Key |
Ensure KMS key policy does not contain wildcard (*) principal |
Cloudformation |
| 68 |
CKV_AWS_34 |
resource |
aws_cloudfront_distribution |
Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS |
Terraform |
| 69 |
CKV_AWS_34 |
resource |
AWS::CloudFront::Distribution |
Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS |
Cloudformation |
| 70 |
CKV_AWS_35 |
resource |
aws_cloudtrail |
Ensure CloudTrail logs are encrypted at rest using KMS CMKs |
Terraform |
| 71 |
CKV_AWS_35 |
resource |
AWS::CloudTrail::Trail |
Ensure CloudTrail logs are encrypted at rest using KMS CMKs |
Cloudformation |
| 72 |
CKV_AWS_36 |
resource |
aws_cloudtrail |
Ensure CloudTrail log file validation is enabled |
Terraform |
| 73 |
CKV_AWS_36 |
resource |
AWS::CloudTrail::Trail |
Ensure CloudTrail log file validation is enabled |
Cloudformation |
| 74 |
CKV_AWS_37 |
resource |
aws_eks_cluster |
Ensure Amazon EKS control plane logging enabled for all log types |
Terraform |
| 75 |
CKV_AWS_38 |
resource |
aws_eks_cluster |
Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0 |
Terraform |
| 76 |
CKV_AWS_39 |
resource |
aws_eks_cluster |
Ensure Amazon EKS public endpoint disabled |
Terraform |
| 77 |
CKV_AWS_40 |
resource |
aws_iam_user_policy |
Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) |
Terraform |
| 78 |
CKV_AWS_40 |
resource |
aws_iam_user_policy_attachment |
Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) |
Terraform |
| 79 |
CKV_AWS_40 |
resource |
aws_iam_policy_attachment |
Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) |
Terraform |
| 80 |
CKV_AWS_40 |
resource |
AWS::IAM::Policy |
Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) |
Cloudformation |
| 81 |
CKV_AWS_41 |
provider |
aws |
Ensure no hard coded AWS access key and secret key exists in provider |
Terraform |
| 82 |
CKV_AWS_41 |
resource |
serverless_aws |
Ensure no hard coded AWS access key and secret key exists in provider |
serverless |
| 83 |
CKV_AWS_42 |
resource |
aws_efs_file_system |
Ensure EFS is securely encrypted |
Terraform |
| 84 |
CKV_AWS_42 |
resource |
AWS::EFS::FileSystem |
Ensure EFS is securely encrypted |
Cloudformation |
| 85 |
CKV_AWS_43 |
resource |
aws_kinesis_stream |
Ensure Kinesis Stream is securely encrypted |
Terraform |
| 86 |
CKV_AWS_43 |
resource |
AWS::Kinesis::Stream |
Ensure Kinesis Stream is securely encrypted |
Cloudformation |
| 87 |
CKV_AWS_44 |
resource |
aws_neptune_cluster |
Ensure Neptune storage is securely encrypted |
Terraform |
| 88 |
CKV_AWS_44 |
resource |
AWS::Neptune::DBCluster |
Ensure Neptune storage is securely encrypted |
Cloudformation |
| 89 |
CKV_AWS_45 |
resource |
aws_lambda_function |
Ensure no hard-coded secrets exist in lambda environment |
Terraform |
| 90 |
CKV_AWS_45 |
resource |
AWS::Lambda::Function |
Ensure no hard-coded secrets exist in lambda environment |
Cloudformation |
| 91 |
CKV_AWS_46 |
resource |
aws_instance |
Ensure no hard-coded secrets exist in EC2 user data |
Terraform |
| 92 |
CKV_AWS_46 |
resource |
AWS::EC2::Instance |
Ensure no hard-coded secrets exist in EC2 user data |
Cloudformation |
| 93 |
CKV_AWS_47 |
resource |
aws_dax_cluster |
Ensure DAX is encrypted at rest (default is unencrypted) |
Terraform |
| 94 |
CKV_AWS_47 |
resource |
AWS::DAX::Cluster |
Ensure DAX is encrypted at rest (default is unencrypted) |
Cloudformation |
| 95 |
CKV_AWS_48 |
resource |
aws_mq_broker |
Ensure MQ Broker logging is enabled |
Terraform |
| 96 |
CKV_AWS_49 |
data |
aws_iam_policy_document |
Ensure no IAM policies documents allow “*” as a statement’s actions |
Terraform |
| 97 |
CKV_AWS_49 |
resource |
serverless_aws |
Ensure no IAM policies documents allow “*” as a statement’s actions |
serverless |
| 98 |
CKV_AWS_50 |
resource |
aws_lambda_function |
X-ray tracing is enabled for Lambda |
Terraform |
| 99 |
CKV_AWS_51 |
resource |
aws_ecr_repository |
Ensure ECR Image Tags are immutable |
Terraform |
| 100 |
CKV_AWS_51 |
resource |
AWS::ECR::Repository |
Ensure ECR Image Tags are immutable |
Cloudformation |
| 101 |
CKV_AWS_53 |
resource |
aws_s3_bucket_public_access_block |
Ensure S3 bucket has block public ACLS enabled |
Terraform |
| 102 |
CKV_AWS_53 |
resource |
AWS::S3::Bucket |
Ensure S3 bucket has block public ACLS enabled |
Cloudformation |
| 103 |
CKV_AWS_54 |
resource |
aws_s3_bucket_public_access_block |
Ensure S3 bucket has block public policy enabled |
Terraform |
| 104 |
CKV_AWS_54 |
resource |
AWS::S3::Bucket |
Ensure S3 bucket has block public policy enabled |
Cloudformation |
| 105 |
CKV_AWS_55 |
resource |
aws_s3_bucket_public_access_block |
Ensure S3 bucket has ignore public ACLs enabled |
Terraform |
| 106 |
CKV_AWS_55 |
resource |
AWS::S3::Bucket |
Ensure S3 bucket has ignore public ACLs enabled |
Cloudformation |
| 107 |
CKV_AWS_56 |
resource |
aws_s3_bucket_public_access_block |
Ensure S3 bucket has ‘restrict_public_bucket’ enabled |
Terraform |
| 108 |
CKV_AWS_56 |
resource |
AWS::S3::Bucket |
Ensure S3 bucket has ‘restrict_public_bucket’ enabled |
Cloudformation |
| 109 |
CKV_AWS_57 |
resource |
aws_s3_bucket |
S3 Bucket has an ACL defined which allows public WRITE access. |
Terraform |
| 110 |
CKV_AWS_57 |
resource |
AWS::S3::Bucket |
Ensure the S3 bucket does not allow WRITE permissions to everyone |
Cloudformation |
| 111 |
CKV_AWS_58 |
resource |
aws_eks_cluster |
Ensure EKS Cluster has Secrets Encryption Enabled |
Terraform |
| 112 |
CKV_AWS_58 |
resource |
AWS::EKS::Cluster |
Ensure EKS Cluster has Secrets Encryption Enabled |
Cloudformation |
| 113 |
CKV_AWS_59 |
resource |
aws_api_gateway_method |
Ensure there is no open access to back-end resources through API |
Terraform |
| 114 |
CKV_AWS_59 |
resource |
AWS::ApiGateway::Method |
Ensure there is no open access to back-end resources through API |
Cloudformation |
| 115 |
CKV_AWS_60 |
resource |
aws_iam_role |
Ensure IAM role allows only specific services or principals to assume it |
Terraform |
| 116 |
CKV_AWS_60 |
resource |
AWS::IAM::Role |
Ensure IAM role allows only specific services or principals to assume it |
Cloudformation |
| 117 |
CKV_AWS_61 |
resource |
aws_iam_role |
Ensure IAM role allows only specific principals in account to assume it |
Terraform |
| 118 |
CKV_AWS_61 |
resource |
AWS::IAM::Role |
Ensure IAM role allows only specific principals in account to assume it |
Cloudformation |
| 119 |
CKV_AWS_62 |
resource |
aws_iam_role_policy |
Ensure IAM policies that allow full “-” administrative privileges are not created |
Terraform |
| 120 |
CKV_AWS_62 |
resource |
aws_iam_user_policy |
Ensure IAM policies that allow full “-” administrative privileges are not created |
Terraform |
| 121 |
CKV_AWS_62 |
resource |
aws_iam_group_policy |
Ensure IAM policies that allow full “-” administrative privileges are not created |
Terraform |
| 122 |
CKV_AWS_62 |
resource |
aws_iam_policy |
Ensure IAM policies that allow full “-” administrative privileges are not created |
Terraform |
| 123 |
CKV_AWS_63 |
resource |
aws_iam_role_policy |
Ensure no IAM policies documents allow “*” as a statement’s actions |
Terraform |
| 124 |
CKV_AWS_63 |
resource |
aws_iam_user_policy |
Ensure no IAM policies documents allow “*” as a statement’s actions |
Terraform |
| 125 |
CKV_AWS_63 |
resource |
aws_iam_group_policy |
Ensure no IAM policies documents allow “*” as a statement’s actions |
Terraform |
| 126 |
CKV_AWS_63 |
resource |
aws_iam_policy |
Ensure no IAM policies documents allow “*” as a statement’s actions |
Terraform |
| 127 |
CKV_AWS_64 |
resource |
aws_redshift_cluster |
Ensure all data stored in the Redshift cluster is securely encrypted at rest |
Terraform |
| 128 |
CKV_AWS_64 |
resource |
AWS::Redshift::Cluster |
Ensure all data stored in the Redshift cluster is securely encrypted at rest |
Cloudformation |
| 129 |
CKV_AWS_65 |
resource |
aws_ecs_cluster |
Ensure container insights are enabled on ECS cluster |
Terraform |
| 130 |
CKV_AWS_65 |
resource |
AWS::ECS::Cluster |
Ensure container insights are enabled on ECS cluster |
Cloudformation |
| 131 |
CKV_AWS_66 |
resource |
aws_cloudwatch_log_group |
Ensure that CloudWatch Log Group specifies retention days |
Terraform |
| 132 |
CKV_AWS_66 |
resource |
AWS::Logs::LogGroup |
Ensure that CloudWatch Log Group specifies retention days |
Cloudformation |
| 133 |
CKV_AWS_67 |
resource |
aws_cloudtrail |
Ensure CloudTrail is enabled in all Regions |
Terraform |
| 134 |
CKV_AWS_67 |
resource |
AWS::CloudTrail::Trail |
Ensure CloudTrail is enabled in all Regions |
Cloudformation |
| 135 |
CKV_AWS_68 |
resource |
aws_cloudfront_distribution |
CloudFront Distribution should have WAF enabled |
Terraform |
| 136 |
CKV_AWS_68 |
resource |
AWS::CloudFront::Distribution |
CloudFront Distribution should have WAF enabled |
Cloudformation |
| 137 |
CKV_AWS_69 |
resource |
aws_mq_broker |
Ensure MQ Broker is not publicly exposed |
Terraform |
| 138 |
CKV_AWS_69 |
resource |
AWS::AmazonMQ::Broker |
Ensure Amazon MQ Broker should not have public access |
Cloudformation |
| 139 |
CKV_AWS_70 |
resource |
aws_s3_bucket |
Ensure S3 bucket does not allow an action with any Principal |
Terraform |
| 140 |
CKV_AWS_70 |
resource |
aws_s3_bucket_policy |
Ensure S3 bucket does not allow an action with any Principal |
Terraform |
| 141 |
CKV_AWS_71 |
resource |
aws_redshift_cluster |
Ensure Redshift Cluster logging is enabled |
Terraform |
| 142 |
CKV_AWS_71 |
resource |
AWS::Redshift::Cluster |
Ensure Redshift Cluster logging is enabled |
Cloudformation |
| 143 |
CKV_AWS_72 |
resource |
aws_sqs_queue_policy |
Ensure SQS policy does not allow ALL (*) actions. |
Terraform |
| 144 |
CKV_AWS_73 |
resource |
aws_api_gateway_stage |
Ensure API Gateway has X-Ray Tracing enabled |
Terraform |
| 145 |
CKV_AWS_73 |
resource |
AWS::ApiGateway::Stage |
Ensure API Gateway has X-Ray Tracing enabled |
Cloudformation |
| 146 |
CKV_AWS_74 |
resource |
aws_docdb_cluster |
Ensure DocDB is encrypted at rest (default is unencrypted) |
Terraform |
| 147 |
CKV_AWS_74 |
resource |
AWS::DocDB::DBCluster |
Ensure DocDB is encrypted at rest (default is unencrypted) |
Cloudformation |
| 148 |
CKV_AWS_75 |
resource |
aws_globalaccelerator_accelerator |
Ensure Global Accelerator accelerator has flow logs enabled |
Terraform |
| 149 |
CKV_AWS_76 |
resource |
aws_api_gateway_stage |
Ensure API Gateway has Access Logging enabled |
Terraform |
| 150 |
CKV_AWS_76 |
resource |
aws_apigatewayv2_stage |
Ensure API Gateway has Access Logging enabled |
Terraform |
| 151 |
CKV_AWS_76 |
resource |
AWS::ApiGateway::Stage |
Ensure API Gateway has Access Logging enabled |
Cloudformation |
| 152 |
CKV_AWS_77 |
resource |
aws_athena_database |
Ensure Athena Database is encrypted at rest (default is unencrypted) |
Terraform |
| 153 |
CKV_AWS_78 |
resource |
aws_codebuild_project |
Ensure that CodeBuild Project encryption is not disabled |
Terraform |
| 154 |
CKV_AWS_78 |
resource |
AWS::CodeBuild::Project |
Ensure that CodeBuild Project encryption is not disabled |
Cloudformation |
| 155 |
CKV_AWS_79 |
resource |
aws_instance |
Ensure Instance Metadata Service Version 1 is not enabled |
Terraform |
| 156 |
CKV_AWS_79 |
resource |
aws_launch_template |
Ensure Instance Metadata Service Version 1 is not enabled |
Terraform |
| 157 |
CKV_AWS_79 |
resource |
AWS::EC2::LaunchTemplate |
Ensure Instance Metadata Service Version 1 is not enabled |
Cloudformation |
| 158 |
CKV_AWS_80 |
resource |
aws_msk_cluster |
Ensure MSK Cluster logging is enabled |
Terraform |
| 159 |
CKV_AWS_81 |
resource |
aws_msk_cluster |
Ensure MSK Cluster encryption in rest and transit is enabled |
Terraform |
| 160 |
CKV_AWS_82 |
resource |
aws_athena_workgroup |
Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption |
Terraform |
| 161 |
CKV_AWS_82 |
resource |
AWS::Athena::WorkGroup |
Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption |
Cloudformation |
| 162 |
CKV_AWS_83 |
resource |
aws_elasticsearch_domain |
Ensure Elasticsearch Domain enforces HTTPS |
Terraform |
| 163 |
CKV_AWS_83 |
resource |
AWS::Elasticsearch::Domain |
Ensure Elasticsearch Domain enforces HTTPS |
Cloudformation |
| 164 |
CKV_AWS_84 |
resource |
aws_elasticsearch_domain |
Ensure Elasticsearch Domain Logging is enabled |
Terraform |
| 165 |
CKV_AWS_84 |
resource |
AWS::Elasticsearch::Domain |
Ensure Elasticsearch Domain Logging is enabled |
Cloudformation |
| 166 |
CKV_AWS_85 |
resource |
aws_docdb_cluster |
Ensure DocDB Logging is enabled |
Terraform |
| 167 |
CKV_AWS_85 |
resource |
AWS::DocDB::DBCluster |
Ensure DocDB Logging is enabled |
Cloudformation |
| 168 |
CKV_AWS_86 |
resource |
aws_cloudfront_distribution |
Ensure Cloudfront distribution has Access Logging enabled |
Terraform |
| 169 |
CKV_AWS_86 |
resource |
AWS::CloudFront::Distribution |
Ensure Cloudfront distribution has Access Logging enabled |
Cloudformation |
| 170 |
CKV_AWS_87 |
resource |
aws_redshift_cluster |
Redshift cluster should not be publicly accessible |
Terraform |
| 171 |
CKV_AWS_87 |
resource |
AWS::Redshift::Cluster |
Redshift cluster should not be publicly accessible |
Cloudformation |
| 172 |
CKV_AWS_88 |
resource |
aws_instance |
EC2 instance should not have public IP. |
Terraform |
| 173 |
CKV_AWS_88 |
resource |
aws_launch_template |
EC2 instance should not have public IP. |
Terraform |
| 174 |
CKV_AWS_88 |
resource |
AWS::EC2::LaunchTemplate |
EC2 instance should not have public IP. |
Cloudformation |
| 175 |
CKV_AWS_88 |
resource |
AWS::EC2::Instance |
EC2 instance should not have public IP. |
Cloudformation |
| 176 |
CKV_AWS_89 |
resource |
aws_dms_replication_instance |
DMS replication instance should not be publicly accessible |
Terraform |
| 177 |
CKV_AWS_89 |
resource |
AWS::DMS::ReplicationInstance |
DMS replication instance should not be publicly accessible |
Cloudformation |
| 178 |
CKV_AWS_90 |
resource |
aws_docdb_cluster_parameter_group |
Ensure DocDB TLS is not disabled |
Terraform |
| 179 |
CKV_AWS_90 |
resource |
AWS::DocDB::DBClusterParameterGroup |
Ensure DocDB TLS is not disabled |
Cloudformation |
| 180 |
CKV_AWS_91 |
resource |
aws_lb |
Ensure the ELBv2 (Application/Network) has access logging enabled |
Terraform |
| 181 |
CKV_AWS_91 |
resource |
aws_alb |
Ensure the ELBv2 (Application/Network) has access logging enabled |
Terraform |
| 182 |
CKV_AWS_91 |
resource |
AWS::ElasticLoadBalancingV2::LoadBalancer |
Ensure the ELBv2 (Application/Network) has access logging enabled |
Cloudformation |
| 183 |
CKV_AWS_92 |
resource |
aws_elb |
Ensure the ELB has access logging enabled |
Terraform |
| 184 |
CKV_AWS_92 |
resource |
AWS::ElasticLoadBalancing::LoadBalancer |
Ensure the ELB has access logging enabled |
Cloudformation |
| 185 |
CKV_AWS_93 |
resource |
aws_s3_bucket |
Ensure S3 bucket policy does not lockout all but root user. (Prevent lockouts needing root account fixes) |
Terraform |
| 186 |
CKV_AWS_93 |
resource |
aws_s3_bucket_policy |
Ensure S3 bucket policy does not lockout all but root user. (Prevent lockouts needing root account fixes) |
Terraform |
| 187 |
CKV_AWS_94 |
resource |
aws_glue_data_catalog_encryption_settings |
Ensure Glue Data Catalog Encryption is enabled |
Terraform |
| 188 |
CKV_AWS_94 |
resource |
AWS::Glue::DataCatalogEncryptionSettings |
Ensure Glue Data Catalog Encryption is enabled |
Cloudformation |
| 189 |
CKV_AWS_95 |
resource |
AWS::ApiGatewayV2::Stage |
Ensure API Gateway V2 has Access Logging enabled |
Cloudformation |
| 190 |
CKV_AWS_96 |
resource |
aws_rds_cluster |
Ensure all data stored in Aurora is securely encrypted at rest |
Terraform |
| 191 |
CKV_AWS_96 |
resource |
AWS::RDS::DBCluster |
Ensure all data stored in Aurrora is securely encrypted at rest |
Cloudformation |
| 192 |
CKV_AWS_97 |
resource |
aws_ecs_task_definition |
Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions |
Terraform |
| 193 |
CKV_AWS_97 |
resource |
AWS::ECS::TaskDefinition |
Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions |
Cloudformation |
| 194 |
CKV_AWS_98 |
resource |
aws_sagemaker_endpoint_configuration |
Ensure all data stored in the Sagemaker Endpoint is securely encrypted at rest |
Terraform |
| 195 |
CKV_AWS_99 |
resource |
aws_glue_security_configuration |
Ensure Glue Security Configuration Encryption is enabled |
Terraform |
| 196 |
CKV_AWS_99 |
resource |
AWS::Glue::SecurityConfiguration |
Ensure Glue Security Configuration Encryption is enabled |
Cloudformation |
| 197 |
CKV_AWS_100 |
resource |
aws_eks_node_group |
Ensure Amazon EKS Node group has implict SSH access from 0.0.0.0/0 |
Terraform |
| 198 |
CKV_AWS_100 |
resource |
AWS::EKS::Nodegroup |
Ensure Amazon EKS Node group has implict SSH access from 0.0.0.0/0 |
Cloudformation |
| 199 |
CKV_AWS_101 |
resource |
aws_neptune_cluster |
Ensure Neptune logging is enabled |
Terraform |
| 200 |
CKV_AWS_101 |
resource |
AWS::Neptune::DBCluster |
Ensure Neptune logging is enabled |
Cloudformation |
| 201 |
CKV_AWS_102 |
resource |
aws_neptune_cluster_instance |
Ensure Neptune Cluster instance is not publicly available |
Terraform |
| 202 |
CKV_AWS_103 |
resource |
aws_lb_listener |
Ensure that load balancer is using TLS 1.2 |
Terraform |
| 203 |
CKV_AWS_104 |
resource |
aws_docdb_cluster_parameter_group |
Ensure DocDB has audit logs enabled |
Terraform |
| 204 |
CKV_AWS_104 |
resource |
AWS::DocDB::DBClusterParameterGroup |
Ensure DocDB has audit logs enabled |
Cloudformation |
| 205 |
CKV_AWS_105 |
resource |
aws_redshift_parameter_group |
Ensure Redshift uses SSL |
Terraform |
| 206 |
CKV_AWS_105 |
resource |
AWS::Redshift::ClusterParameterGroup |
Ensure Redshift uses SSL |
Cloudformation |
| 207 |
CKV_AWS_106 |
resource |
aws_ebs_encryption_by_default |
Ensure EBS default encryption is enabled |
Terraform |
| 208 |
CKV_AWS_107 |
data |
aws_iam_policy_document |
Ensure IAM policies does not allow credentials exposure |
Terraform |
| 209 |
CKV_AWS_107 |
resource |
AWS::IAM::Policy |
Ensure IAM policies does not allow credentials exposure |
Cloudformation |
| 210 |
CKV_AWS_107 |
resource |
AWS::IAM::ManagedPolicy |
Ensure IAM policies does not allow credentials exposure |
Cloudformation |
| 211 |
CKV_AWS_107 |
resource |
AWS::IAM::Group |
Ensure IAM policies does not allow credentials exposure |
Cloudformation |
| 212 |
CKV_AWS_107 |
resource |
AWS::IAM::Role |
Ensure IAM policies does not allow credentials exposure |
Cloudformation |
| 213 |
CKV_AWS_107 |
resource |
AWS::IAM::User |
Ensure IAM policies does not allow credentials exposure |
Cloudformation |
| 214 |
CKV_AWS_108 |
data |
aws_iam_policy_document |
Ensure IAM policies does not allow data exfiltration |
Terraform |
| 215 |
CKV_AWS_108 |
resource |
AWS::IAM::Policy |
Ensure IAM policies does not allow data exfiltration |
Cloudformation |
| 216 |
CKV_AWS_108 |
resource |
AWS::IAM::ManagedPolicy |
Ensure IAM policies does not allow data exfiltration |
Cloudformation |
| 217 |
CKV_AWS_108 |
resource |
AWS::IAM::Group |
Ensure IAM policies does not allow data exfiltration |
Cloudformation |
| 218 |
CKV_AWS_108 |
resource |
AWS::IAM::Role |
Ensure IAM policies does not allow data exfiltration |
Cloudformation |
| 219 |
CKV_AWS_108 |
resource |
AWS::IAM::User |
Ensure IAM policies does not allow data exfiltration |
Cloudformation |
| 220 |
CKV_AWS_109 |
data |
aws_iam_policy_document |
Ensure IAM policies does not allow permissions management / resource exposure without constraints |
Terraform |
| 221 |
CKV_AWS_109 |
resource |
AWS::IAM::Policy |
Ensure IAM policies does not allow permissions management without constraints |
Cloudformation |
| 222 |
CKV_AWS_109 |
resource |
AWS::IAM::ManagedPolicy |
Ensure IAM policies does not allow permissions management without constraints |
Cloudformation |
| 223 |
CKV_AWS_109 |
resource |
AWS::IAM::Group |
Ensure IAM policies does not allow permissions management without constraints |
Cloudformation |
| 224 |
CKV_AWS_109 |
resource |
AWS::IAM::Role |
Ensure IAM policies does not allow permissions management without constraints |
Cloudformation |
| 225 |
CKV_AWS_109 |
resource |
AWS::IAM::User |
Ensure IAM policies does not allow permissions management without constraints |
Cloudformation |
| 226 |
CKV_AWS_110 |
data |
aws_iam_policy_document |
Ensure IAM policies does not allow privilege escalation |
Terraform |
| 227 |
CKV_AWS_110 |
resource |
AWS::IAM::Policy |
Ensure IAM policies does not allow privilege escalation |
Cloudformation |
| 228 |
CKV_AWS_110 |
resource |
AWS::IAM::ManagedPolicy |
Ensure IAM policies does not allow privilege escalation |
Cloudformation |
| 229 |
CKV_AWS_110 |
resource |
AWS::IAM::Group |
Ensure IAM policies does not allow privilege escalation |
Cloudformation |
| 230 |
CKV_AWS_110 |
resource |
AWS::IAM::Role |
Ensure IAM policies does not allow privilege escalation |
Cloudformation |
| 231 |
CKV_AWS_110 |
resource |
AWS::IAM::User |
Ensure IAM policies does not allow privilege escalation |
Cloudformation |
| 232 |
CKV_AWS_111 |
data |
aws_iam_policy_document |
Ensure IAM policies does not allow write access without constraints |
Terraform |
| 233 |
CKV_AWS_111 |
resource |
AWS::IAM::Policy |
Ensure IAM policies does not allow write access without constraints |
Cloudformation |
| 234 |
CKV_AWS_111 |
resource |
AWS::IAM::ManagedPolicy |
Ensure IAM policies does not allow write access without constraints |
Cloudformation |
| 235 |
CKV_AWS_111 |
resource |
AWS::IAM::Group |
Ensure IAM policies does not allow write access without constraints |
Cloudformation |
| 236 |
CKV_AWS_111 |
resource |
AWS::IAM::Role |
Ensure IAM policies does not allow write access without constraints |
Cloudformation |
| 237 |
CKV_AWS_111 |
resource |
AWS::IAM::User |
Ensure IAM policies does not allow write access without constraints |
Cloudformation |
| 238 |
CKV_AWS_112 |
resource |
aws_ssm_document |
Ensure Session Manager data is encrypted in transit |
Terraform |
| 239 |
CKV_AWS_113 |
resource |
aws_ssm_document |
Ensure Session Manager logs are enabled and encrypted |
Terraform |
| 240 |
CKV_AWS_114 |
resource |
aws_emr_cluster |
Ensure that EMR clusters have Kerberos Enabled |
Terraform |
| 241 |
CKV_AWS_115 |
resource |
aws_lambda_function |
Ensure that AWS Lambda function is configured for function-level concurrent execution limit |
Terraform |
| 242 |
CKV_AWS_116 |
resource |
aws_lambda_function |
Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ) |
Terraform |
| 243 |
CKV_AWS_117 |
resource |
aws_lambda_function |
Ensure that AWS Lambda function is configured inside a VPC |
Terraform |
| 244 |
CKV_AWS_118 |
resource |
aws_db_instance |
Ensure that enhanced monitoring is enabled for Amazon RDS instances |
Terraform |
| 245 |
CKV_AWS_118 |
resource |
aws_rds_cluster_instance |
Ensure that enhanced monitoring is enabled for Amazon RDS instances |
Terraform |
| 246 |
CKV_AWS_119 |
resource |
aws_dynamodb_table |
Ensure DynamoDB Tables are encrypted using KMS |
Terraform |
| 247 |
CKV_AWS_120 |
resource |
aws_api_gateway_stage |
Ensure API Gateway caching is enabled |
Terraform |
| 248 |
CKV_AWS_120 |
resource |
AWS::ApiGateway::Stage |
Ensure API Gateway caching is enabled |
Cloudformation |
| 249 |
CKV_AWS_121 |
resource |
aws_config_configuration_aggregator |
Ensure AWS Config is enabled in all regions |
Terraform |
| 250 |
CKV_AWS_122 |
resource |
aws_sagemaker_notebook_instance |
Ensure that direct internet access is disabled for an Amazon SageMaker Notebook Instance |
Terraform |
| 251 |
CKV_AWS_123 |
resource |
aws_vpc_endpoint_service |
Ensure that VPC Endpoint Service is configured for Manual Acceptance |
Terraform |
| 252 |
CKV_AWS_123 |
resource |
AWS::EC2::VPCEndpointService |
Ensure that VPC Endpoint Service is configured for Manual Acceptance |
Cloudformation |
| 253 |
CKV_AWS_124 |
resource |
aws_cloudformation_stack |
Ensure that CloudFormation stacks are sending event notifications to an SNS topic |
Terraform |
| 254 |
CKV_AWS_126 |
resource |
aws_instance |
Ensure that detailed monitoring is enabled for EC2 instances |
Terraform |
| 255 |
CKV_AWS_127 |
resource |
aws_elb |
Ensure that Elastic Load Balancer(s) uses SSL certificates provided by AWS Certificate Manager |
Terraform |
| 256 |
CKV_AWS_128 |
resource |
aws_rds_cluster |
Ensure that an Amazon RDS Clusters have AWS Identity and Access Management (IAM) authentication enabled |
Terraform |
| 257 |
CKV_AWS_129 |
resource |
aws_db_instance |
Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled |
Terraform |
| 258 |
CKV_AWS_130 |
resource |
aws_subnet |
Ensure VPC subnets do not assign public IP by default |
Terraform |
| 259 |
CKV_AWS_131 |
resource |
aws_lb |
Ensure that ALB drops HTTP headers |
Terraform |
| 260 |
CKV_AWS_131 |
resource |
aws_alb |
Ensure that ALB drops HTTP headers |
Terraform |
| 261 |
CKV_AWS_131 |
resource |
AWS::ElasticLoadBalancingV2::LoadBalancer |
Ensure that ALB drops HTTP headers |
Cloudformation |
| 262 |
CKV_AWS_133 |
resource |
aws_rds_cluster |
Ensure that RDS instances has backup policy |
Terraform |
| 263 |
CKV_AWS_134 |
resource |
aws_elasticache_cluster |
Ensure that Amazon ElastiCache Redis clusters have automatic backup turned on |
Terraform |
| 264 |
CKV_AWS_135 |
resource |
aws_instance |
Ensure that EC2 is EBS optimized |
Terraform |
| 265 |
CKV_AWS_136 |
resource |
aws_ecr_repository |
Ensure that ECR repositories are encrypted using KMS |
Terraform |
| 266 |
CKV_AWS_136 |
resource |
AWS::ECR::Repository |
Ensure that ECR repositories are encrypted using KMS |
Cloudformation |
| 267 |
CKV_AWS_137 |
resource |
aws_elasticsearch_domain |
Ensure that Elasticsearch is configured inside a VPC |
Terraform |
| 268 |
CKV_AWS_138 |
resource |
aws_elb |
Ensure that ELB is cross-zone-load-balancing enabled |
Terraform |
| 269 |
CKV_AWS_139 |
resource |
aws_rds_cluster |
Ensure that RDS clusters have deletion protection enabled |
Terraform |
| 270 |
CKV_AWS_140 |
resource |
aws_rds_global_cluster |
Ensure that RDS global clusters are encrypted |
Terraform |
| 271 |
CKV_AWS_141 |
resource |
aws_redshift_cluster |
Ensured that redshift cluster allowing version upgrade by default |
Terraform |
| 272 |
CKV_AWS_142 |
resource |
aws_redshift_cluster |
Ensure that Redshift cluster is encrypted by KMS |
Terraform |
| 273 |
CKV_AWS_143 |
resource |
aws_s3_bucket |
Ensure that S3 bucket has lock configuration enabled by default |
Terraform |
| 274 |
CKV_AWS_144 |
resource |
aws_s3_bucket |
Ensure that S3 bucket has cross-region replication enabled |
Terraform |
| 275 |
CKV_AWS_145 |
resource |
aws_s3_bucket |
Ensure that S3 buckets are encrypted with KMS by default |
Terraform |
| 276 |
CKV_AWS_146 |
resource |
aws_db_cluster_snapshot |
Ensure that RDS database cluster snapshot is encrypted |
Terraform |
| 277 |
CKV_AWS_147 |
resource |
aws_codebuild_project |
Ensure that CodeBuild projects are encrypted |
Terraform |
| 278 |
CKV_AWS_148 |
resource |
aws_default_vpc |
Ensure no default VPC is planned to be provisioned |
Terraform |
| 279 |
CKV_AWS_149 |
resource |
aws_secretsmanager_secret |
Ensure that Secrets Manager secret is encrypted using KMS |
Terraform |
| 280 |
CKV_AWS_150 |
resource |
aws_lb |
Ensure that Load Balancer has deletion protection enabled |
Terraform |
| 281 |
CKV_AWS_150 |
resource |
aws_alb |
Ensure that Load Balancer has deletion protection enabled |
Terraform |
| 282 |
CKV_AWS_151 |
resource |
aws_eks_cluster |
Ensure Kubernetes Secrets are encrypted using Customer Master Keys (CMKs) managed in AWS KMS |
Terraform |
| 283 |
CKV_AWS_152 |
resource |
aws_lb |
Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled |
Terraform |
| 284 |
CKV_AWS_152 |
resource |
aws_alb |
Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled |
Terraform |
| 285 |
CKV_AWS_153 |
resource |
aws_autoscaling_group |
Autoscaling groups should supply tags to launch configurations |
Terraform |
| 286 |
CKV_AWS_154 |
resource |
aws_redshift_cluster |
Ensure Redshift is not deployed outside of a VPC |
Terraform |
| 287 |
CKV_AWS_154 |
resource |
AWS::Redshift::Cluster |
Ensure Redshift is not deployed outside of a VPC |
Cloudformation |
| 288 |
CKV_AWS_155 |
resource |
aws_workspaces_workspace |
Ensure that Workspace user volumes are encrypted |
Terraform |
| 289 |
CKV_AWS_155 |
resource |
AWS::WorkSpaces::Workspace |
Ensure that Workspace user volumes are encrypted |
Cloudformation |
| 290 |
CKV_AWS_156 |
resource |
aws_workspaces_workspace |
Ensure that Workspace root volumes are encrypted |
Terraform |
| 291 |
CKV_AWS_156 |
resource |
AWS::WorkSpaces::Workspace |
Ensure that Workspace root volumes are encrypted |
Cloudformation |
| 292 |
CKV_AWS_157 |
resource |
aws_db_instance |
Ensure that RDS instances have Multi-AZ enabled |
Terraform |
| 293 |
CKV_AWS_157 |
resource |
AWS::RDS::DBInstance |
Ensure that RDS instances have Multi-AZ enabled |
Cloudformation |
| 294 |
CKV_AWS_158 |
resource |
aws_cloudwatch_log_group |
Ensure that CloudWatch Log Group is encrypted by KMS |
Terraform |
| 295 |
CKV_AWS_158 |
resource |
AWS::Logs::LogGroup |
Ensure that CloudWatch Log Group is encrypted by KMS |
Cloudformation |
| 296 |
CKV_AWS_159 |
resource |
aws_athena_workgroup |
Ensure that Athena Workgroup is encrypted |
Terraform |
| 297 |
CKV_AWS_160 |
resource |
aws_timestreamwrite_database |
Ensure that Timestream database is encrypted with KMS CMK |
Terraform |
| 298 |
CKV_AWS_160 |
resource |
AWS::Timestream::Database |
Ensure that Timestream database is encrypted with KMS CMK |
Cloudformation |
| 299 |
CKV_AWS_161 |
resource |
aws_db_instance |
Ensure RDS database has IAM authentication enabled |
Terraform |
| 300 |
CKV_AWS_161 |
resource |
AWS::RDS::DBInstance |
Ensure RDS database has IAM authentication enabled |
Cloudformation |
| 301 |
CKV_AWS_162 |
resource |
aws_rds_cluster |
Ensure RDS cluster has IAM authentication enabled |
Terraform |
| 302 |
CKV_AWS_162 |
resource |
AWS::RDS::DBCluster |
Ensure RDS cluster has IAM authentication enabled |
Cloudformation |
| 303 |
CKV_AWS_163 |
resource |
aws_ecr_repository |
Ensure ECR image scanning on push is enabled |
Terraform |
| 304 |
CKV_AWS_163 |
resource |
AWS::ECR::Repository |
Ensure ECR image scanning on push is enabled |
Cloudformation |
| 305 |
CKV_AWS_164 |
resource |
aws_transfer_server |
Ensure Transfer Server is not exposed publicly. |
Terraform |
| 306 |
CKV_AWS_165 |
resource |
aws_dynamodb_global_table |
Ensure Dynamodb point in time recovery (backup) is enabled for global tables |
Terraform |
| 307 |
CKV_AWS_165 |
resource |
AWS::DynamoDB::GlobalTable |
Ensure Dynamodb global table point in time recovery (backup) is enabled |
Cloudformation |
| 308 |
CKV_AWS_166 |
resource |
aws_backup_vault |
Ensure Backup Vault is encrypted at rest using KMS CMK |
Terraform |
| 309 |
CKV_AWS_166 |
resource |
AWS::Backup::BackupVault |
Ensure Backup Vault is encrypted at rest using KMS CMK |
Cloudformation |
| 310 |
CKV_AWS_167 |
resource |
aws_glacier_vault |
Ensure Glacier Vault access policy is not public by only allowing specific services or principals to access it |
Terraform |
| 311 |
CKV_AWS_168 |
resource |
aws_sqs_queue_policy |
Ensure SQS queue policy is not public by only allowing specific services or principals to access it |
Terraform |
| 312 |
CKV_AWS_169 |
resource |
aws_sns_topic_policy |
Ensure SNS topic policy is not public by only allowing specific services or principals to access it |
Terraform |
| 313 |
CKV2_AWS_1 |
resource |
aws_network_acl |
Ensure that all NACL are attached to subnets |
Terraform |
| 314 |
CKV2_AWS_1 |
resource |
aws_subnet |
Ensure that all NACL are attached to subnets |
Terraform |
| 315 |
CKV2_AWS_2 |
resource |
aws_ebs_volume |
Ensure that only encrypted EBS volumes are attached to EC2 instances |
Terraform |
| 316 |
CKV2_AWS_2 |
resource |
aws_volume_attachment |
Ensure that only encrypted EBS volumes are attached to EC2 instances |
Terraform |
| 317 |
CKV2_AWS_3 |
resource |
aws_guardduty_detector |
Ensure GuardDuty is enabled to specific org/region |
Terraform |
| 318 |
CKV2_AWS_3 |
resource |
aws_guardduty_organization_configuration |
Ensure GuardDuty is enabled to specific org/region |
Terraform |
| 319 |
CKV2_AWS_4 |
resource |
aws_api_gateway_method_settings |
Ensure API Gateway stage have logging level defined as appropriate |
Terraform |
| 320 |
CKV2_AWS_4 |
resource |
aws_api_gateway_stage |
Ensure API Gateway stage have logging level defined as appropriate |
Terraform |
| 321 |
CKV2_AWS_5 |
resource |
aws_security_group |
Ensure that Security Groups are attached to an other resource |
Terraform |
| 322 |
CKV2_AWS_6 |
resource |
aws_s3_bucket |
Ensure that S3 bucket has a Public Access block |
Terraform |
| 323 |
CKV2_AWS_6 |
resource |
aws_s3_bucket_public_access_block |
Ensure that S3 bucket has a Public Access block |
Terraform |
| 324 |
CKV2_AWS_7 |
resource |
aws_security_group |
Ensure that Amazon EMR clusters’ security groups are not open to the world |
Terraform |
| 325 |
CKV2_AWS_7 |
resource |
aws_emr_cluster |
Ensure that Amazon EMR clusters’ security groups are not open to the world |
Terraform |
| 326 |
CKV2_AWS_8 |
resource |
aws_rds_cluster |
Ensure that RDS clusters has backup plan of AWS Backup |
Terraform |
| 327 |
CKV2_AWS_9 |
resource |
aws_backup_selection |
Ensure that EBS are added in the backup plans of AWS Backup |
Terraform |
| 328 |
CKV2_AWS_10 |
resource |
aws_cloudtrail |
Ensure CloudTrail trails are integrated with CloudWatch Logs |
Terraform |
| 329 |
CKV2_AWS_11 |
resource |
aws_vpc |
Ensure VPC flow logging is enabled in all VPCs |
Terraform |
| 330 |
CKV2_AWS_12 |
resource |
aws_default_security_group |
Ensure the default security group of every VPC restricts all traffic |
Terraform |
| 331 |
CKV2_AWS_12 |
resource |
aws_vpc |
Ensure the default security group of every VPC restricts all traffic |
Terraform |
| 332 |
CKV2_AWS_13 |
resource |
aws_redshift_cluster |
Ensure that Redshift clusters has backup plan of AWS Backup |
Terraform |
| 333 |
CKV2_AWS_14 |
resource |
aws_iam_group |
Ensure that IAM groups includes at least one IAM user |
Terraform |
| 334 |
CKV2_AWS_14 |
resource |
aws_iam_group_membership |
Ensure that IAM groups includes at least one IAM user |
Terraform |
| 335 |
CKV2_AWS_15 |
resource |
aws_elb |
Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. |
Terraform |
| 336 |
CKV2_AWS_15 |
resource |
aws_autoscaling_group |
Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. |
Terraform |
| 337 |
CKV2_AWS_16 |
resource |
aws_dynamodb_table |
Ensure that Auto Scaling is enabled on your DynamoDB tables |
Terraform |
| 338 |
CKV2_AWS_16 |
resource |
aws_appautoscaling_target |
Ensure that Auto Scaling is enabled on your DynamoDB tables |
Terraform |
| 339 |
CKV2_AWS_18 |
resource |
aws_backup_selection |
Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup |
Terraform |
| 340 |
CKV2_AWS_19 |
resource |
aws_eip_association |
Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances |
Terraform |
| 341 |
CKV2_AWS_19 |
resource |
aws_eip |
Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances |
Terraform |
| 342 |
CKV2_AWS_20 |
resource |
aws_lb |
Ensure that ALB redirects HTTP requests into HTTPS ones |
Terraform |
| 343 |
CKV2_AWS_20 |
resource |
aws_lb_listener |
Ensure that ALB redirects HTTP requests into HTTPS ones |
Terraform |
| 344 |
CKV2_AWS_21 |
resource |
aws_iam_group_membership |
Ensure that all IAM users are members of at least one IAM group. |
Terraform |
| 345 |
CKV2_AWS_22 |
resource |
aws_iam_user |
Ensure an IAM User does not have access to the console |
Terraform |
| 346 |
CKV2_AWS_23 |
resource |
aws_route53_record |
Route53 A Record has Attached Resource |
Terraform |
| 347 |
CKV2_AWS_27 |
resource |
aws_db_instance |
Postgres RDS has Query Logging enabled |
Terraform |
| 348 |
CKV2_AWS_27 |
resource |
aws_rds_cluster_parameter_group |
Postgres RDS has Query Logging enabled |
Terraform |
| 349 |
CKV_AZURE_1 |
resource |
azurerm_linux_virtual_machine |
Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) |
Terraform |
| 350 |
CKV_AZURE_1 |
resource |
azurerm_virtual_machine |
Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) |
Terraform |
| 351 |
CKV_AZURE_1 |
resource |
Microsoft.Compute/virtualMachines |
Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) |
arm |
| 352 |
CKV_AZURE_2 |
resource |
azurerm_managed_disk |
Ensure Azure managed disk has encryption enabled |
Terraform |
| 353 |
CKV_AZURE_2 |
resource |
Microsoft.Compute/disks |
Ensure Azure managed disk have encryption enabled |
arm |
| 354 |
CKV_AZURE_3 |
resource |
azurerm_storage_account |
Ensure that ‘Secure transfer required’ is set to ‘Enabled’ |
Terraform |
| 355 |
CKV_AZURE_3 |
resource |
Microsoft.Storage/storageAccounts |
Ensure that ‘supportsHttpsTrafficOnly’ is set to ‘true’ |
arm |
| 356 |
CKV_AZURE_4 |
resource |
azurerm_kubernetes_cluster |
Ensure AKS logging to Azure Monitoring is Configured |
Terraform |
| 357 |
CKV_AZURE_4 |
resource |
Microsoft.ContainerService/managedClusters |
Ensure AKS logging to Azure Monitoring is Configured |
arm |
| 358 |
CKV_AZURE_5 |
resource |
azurerm_kubernetes_cluster |
Ensure RBAC is enabled on AKS clusters |
Terraform |
| 359 |
CKV_AZURE_5 |
resource |
Microsoft.ContainerService/managedClusters |
Ensure RBAC is enabled on AKS clusters |
arm |
| 360 |
CKV_AZURE_6 |
resource |
azurerm_kubernetes_cluster |
Ensure AKS has an API Server Authorized IP Ranges enabled |
Terraform |
| 361 |
CKV_AZURE_6 |
resource |
Microsoft.ContainerService/managedClusters |
Ensure AKS has an API Server Authorized IP Ranges enabled |
arm |
| 362 |
CKV_AZURE_7 |
resource |
azurerm_kubernetes_cluster |
Ensure AKS cluster has Network Policy configured |
Terraform |
| 363 |
CKV_AZURE_7 |
resource |
Microsoft.ContainerService/managedClusters |
Ensure AKS cluster has Network Policy configured |
arm |
| 364 |
CKV_AZURE_8 |
resource |
azurerm_kubernetes_cluster |
Ensure Kube Dashboard is disabled |
Terraform |
| 365 |
CKV_AZURE_8 |
resource |
Microsoft.ContainerService/managedClusters |
Ensure Kubernetes Dashboard is disabled |
arm |
| 366 |
CKV_AZURE_9 |
resource |
azurerm_network_security_rule |
Ensure that RDP access is restricted from the internet |
Terraform |
| 367 |
CKV_AZURE_9 |
resource |
azurerm_network_security_group |
Ensure that RDP access is restricted from the internet |
Terraform |
| 368 |
CKV_AZURE_9 |
resource |
Microsoft.Network/networkSecurityGroups |
Ensure that RDP access is restricted from the internet |
arm |
| 369 |
CKV_AZURE_9 |
resource |
Microsoft.Network/networkSecurityGroups/securityRules |
Ensure that RDP access is restricted from the internet |
arm |
| 370 |
CKV_AZURE_10 |
resource |
azurerm_network_security_rule |
Ensure that SSH access is restricted from the internet |
Terraform |
| 371 |
CKV_AZURE_10 |
resource |
azurerm_network_security_group |
Ensure that SSH access is restricted from the internet |
Terraform |
| 372 |
CKV_AZURE_10 |
resource |
Microsoft.Network/networkSecurityGroups |
Ensure that SSH access is restricted from the internet |
arm |
| 373 |
CKV_AZURE_10 |
resource |
Microsoft.Network/networkSecurityGroups/securityRules |
Ensure that SSH access is restricted from the internet |
arm |
| 374 |
CKV_AZURE_11 |
resource |
azurerm_mariadb_firewall_rule |
Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) |
Terraform |
| 375 |
CKV_AZURE_11 |
resource |
azurerm_sql_firewall_rule |
Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) |
Terraform |
| 376 |
CKV_AZURE_11 |
resource |
azurerm_postgresql_firewall_rule |
Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) |
Terraform |
| 377 |
CKV_AZURE_11 |
resource |
azurerm_mysql_firewall_rule |
Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) |
Terraform |
| 378 |
CKV_AZURE_11 |
resource |
Microsoft.Sql/servers |
Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) |
arm |
| 379 |
CKV_AZURE_12 |
resource |
azurerm_network_watcher_flow_log |
Ensure that Network Security Group Flow Log retention period is ‘greater than 90 days’ |
Terraform |
| 380 |
CKV_AZURE_12 |
resource |
Microsoft.Network/networkWatchers/flowLogs |
Ensure that Network Security Group Flow Log retention period is ‘greater than 90 days’ |
arm |
| 381 |
CKV_AZURE_12 |
resource |
Microsoft.Network/networkWatchers/FlowLogs |
Ensure that Network Security Group Flow Log retention period is ‘greater than 90 days’ |
arm |
| 382 |
CKV_AZURE_12 |
resource |
Microsoft.Network/networkWatchers/flowLogs/ |
Ensure that Network Security Group Flow Log retention period is ‘greater than 90 days’ |
arm |
| 383 |
CKV_AZURE_12 |
resource |
Microsoft.Network/networkWatchers/FlowLogs/ |
Ensure that Network Security Group Flow Log retention period is ‘greater than 90 days’ |
arm |
| 384 |
CKV_AZURE_13 |
resource |
azurerm_app_service |
Ensure App Service Authentication is set on Azure App Service |
Terraform |
| 385 |
CKV_AZURE_13 |
resource |
Microsoft.Web/sites/config |
Ensure App Service Authentication is set on Azure App Service |
arm |
| 386 |
CKV_AZURE_13 |
resource |
config |
Ensure App Service Authentication is set on Azure App Service |
arm |
| 387 |
CKV_AZURE_14 |
resource |
azurerm_app_service |
Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service |
Terraform |
| 388 |
CKV_AZURE_14 |
resource |
Microsoft.Web/sites |
Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service |
arm |
| 389 |
CKV_AZURE_15 |
resource |
azurerm_app_service |
Ensure web app is using the latest version of TLS encryption |
Terraform |
| 390 |
CKV_AZURE_15 |
resource |
Microsoft.Web/sites |
Ensure web app is using the latest version of TLS encryption |
arm |
| 391 |
CKV_AZURE_16 |
resource |
azurerm_app_service |
Ensure that Register with Azure Active Directory is enabled on App Service |
Terraform |
| 392 |
CKV_AZURE_16 |
resource |
Microsoft.Web/sites |
Ensure that Register with Azure Active Directory is enabled on App Service |
arm |
| 393 |
CKV_AZURE_17 |
resource |
azurerm_app_service |
Ensure the web app has ‘Client Certificates (Incoming client certificates)’ set |
Terraform |
| 394 |
CKV_AZURE_17 |
resource |
Microsoft.Web/sites |
Ensure the web app has ‘Client Certificates (Incoming client certificates)’ set |
arm |
| 395 |
CKV_AZURE_18 |
resource |
azurerm_app_service |
Ensure that ‘HTTP Version’ is the latest if used to run the web app |
Terraform |
| 396 |
CKV_AZURE_18 |
resource |
Microsoft.Web/sites |
Ensure that ‘HTTP Version’ is the latest if used to run the web app |
arm |
| 397 |
CKV_AZURE_19 |
resource |
azurerm_security_center_subscription_pricing |
Ensure that standard pricing tier is selected |
Terraform |
| 398 |
CKV_AZURE_19 |
resource |
Microsoft.Security/pricings |
Ensure that standard pricing tier is selected |
arm |
| 399 |
CKV_AZURE_20 |
resource |
azurerm_security_center_contact |
Ensure that security contact ‘Phone number’ is set |
Terraform |
| 400 |
CKV_AZURE_20 |
resource |
Microsoft.Security/securityContacts |
Ensure that security contact ‘Phone number’ is set |
arm |
| 401 |
CKV_AZURE_21 |
resource |
azurerm_security_center_contact |
Ensure that ‘Send email notification for high severity alerts’ is set to ‘On’ |
Terraform |
| 402 |
CKV_AZURE_21 |
resource |
Microsoft.Security/securityContacts |
Ensure that ‘Send email notification for high severity alerts’ is set to ‘On’ |
arm |
| 403 |
CKV_AZURE_22 |
resource |
azurerm_security_center_contact |
Ensure that ‘Send email notification for high severity alerts’ is set to ‘On’ |
Terraform |
| 404 |
CKV_AZURE_22 |
resource |
Microsoft.Security/securityContacts |
Ensure that ‘Send email notification for high severity alerts’ is set to ‘On’ |
arm |
| 405 |
CKV_AZURE_23 |
resource |
azurerm_sql_server |
Ensure that ‘Auditing’ is set to ‘On’ for SQL servers |
Terraform |
| 406 |
CKV_AZURE_23 |
resource |
azurerm_mssql_server |
Ensure that ‘Auditing’ is set to ‘On’ for SQL servers |
Terraform |
| 407 |
CKV_AZURE_23 |
resource |
Microsoft.Sql/servers |
Ensure that ‘Auditing’ is set to ‘Enabled’ for SQL servers |
arm |
| 408 |
CKV_AZURE_24 |
resource |
azurerm_sql_server |
Ensure that ‘Auditing’ Retention is ‘greater than 90 days’ for SQL servers |
Terraform |
| 409 |
CKV_AZURE_24 |
resource |
azurerm_mssql_server |
Ensure that ‘Auditing’ Retention is ‘greater than 90 days’ for SQL servers |
Terraform |
| 410 |
CKV_AZURE_24 |
resource |
Microsoft.Sql/servers |
Ensure that ‘Auditing’ Retention is ‘greater than 90 days’ for SQL servers |
arm |
| 411 |
CKV_AZURE_25 |
resource |
azurerm_mssql_server_security_alert_policy |
Ensure that ‘Threat Detection types’ is set to ‘All’ |
Terraform |
| 412 |
CKV_AZURE_25 |
resource |
Microsoft.Sql/servers/databases |
Ensure that ‘Threat Detection types’ is set to ‘All’ |
arm |
| 413 |
CKV_AZURE_26 |
resource |
azurerm_mssql_server_security_alert_policy |
Ensure that ‘Send Alerts To’ is enabled for MSSQL servers |
Terraform |
| 414 |
CKV_AZURE_26 |
resource |
Microsoft.Sql/servers/databases |
Ensure that ‘Send Alerts To’ is enabled for MSSQL servers |
arm |
| 415 |
CKV_AZURE_27 |
resource |
azurerm_mssql_server_security_alert_policy |
Ensure that ‘Email service and co-administrators’ is ‘Enabled’ for MSSQL servers |
Terraform |
| 416 |
CKV_AZURE_27 |
resource |
Microsoft.Sql/servers/databases |
Ensure that ‘Email service and co-administrators’ is ‘Enabled’ for MSSQL servers |
arm |
| 417 |
CKV_AZURE_28 |
resource |
azurerm_mysql_server |
Ensure ‘Enforce SSL connection’ is set to ‘ENABLED’ for MySQL Database Server |
Terraform |
| 418 |
CKV_AZURE_28 |
resource |
Microsoft.DBforMySQL/servers |
Ensure ‘Enforce SSL connection’ is set to ‘ENABLED’ for MySQL Database Server |
arm |
| 419 |
CKV_AZURE_29 |
resource |
azurerm_postgresql_server |
Ensure ‘Enforce SSL connection’ is set to ‘ENABLED’ for PostgreSQL Database Server |
Terraform |
| 420 |
CKV_AZURE_29 |
resource |
Microsoft.DBforPostgreSQL/servers |
Ensure ‘Enforce SSL connection’ is set to ‘ENABLED’ for PostgreSQL Database Server |
arm |
| 421 |
CKV_AZURE_30 |
resource |
azurerm_postgresql_configuration |
Ensure server parameter ‘log_checkpoints’ is set to ‘ON’ for PostgreSQL Database Server |
Terraform |
| 422 |
CKV_AZURE_30 |
resource |
Microsoft.DBforPostgreSQL/servers/configurations |
Ensure server parameter ‘log_checkpoints’ is set to ‘ON’ for PostgreSQL Database Server |
arm |
| 423 |
CKV_AZURE_30 |
resource |
configurations |
Ensure server parameter ‘log_checkpoints’ is set to ‘ON’ for PostgreSQL Database Server |
arm |
| 424 |
CKV_AZURE_31 |
resource |
azurerm_postgresql_configuration |
Ensure server parameter ‘log_connections’ is set to ‘ON’ for PostgreSQL Database Server |
Terraform |
| 425 |
CKV_AZURE_31 |
resource |
Microsoft.DBforPostgreSQL/servers/configurations |
Ensure configuration ‘log_connections’ is set to ‘ON’ for PostgreSQL Database Server |
arm |
| 426 |
CKV_AZURE_31 |
resource |
configurations |
Ensure configuration ‘log_connections’ is set to ‘ON’ for PostgreSQL Database Server |
arm |
| 427 |
CKV_AZURE_32 |
resource |
azurerm_postgresql_configuration |
Ensure server parameter ‘connection_throttling’ is set to ‘ON’ for PostgreSQL Database Server |
Terraform |
| 428 |
CKV_AZURE_32 |
resource |
Microsoft.DBforPostgreSQL/servers/configurations |
Ensure server parameter ‘connection_throttling’ is set to ‘ON’ for PostgreSQL Database Server |
arm |
| 429 |
CKV_AZURE_32 |
resource |
configurations |
Ensure server parameter ‘connection_throttling’ is set to ‘ON’ for PostgreSQL Database Server |
arm |
| 430 |
CKV_AZURE_33 |
resource |
azurerm_storage_account |
Ensure Storage logging is enabled for Queue service for read, write and delete requests |
Terraform |
| 431 |
CKV_AZURE_33 |
resource |
Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings |
Ensure Storage logging is enabled for Queue service for read, write and delete requests |
arm |
| 432 |
CKV_AZURE_34 |
resource |
azurerm_storage_container |
Ensure that ‘Public access level’ is set to Private for blob containers |
Terraform |
| 433 |
CKV_AZURE_34 |
resource |
Microsoft.Storage/storageAccounts/blobServices/containers |
Ensure that ‘Public access level’ is set to Private for blob containers |
arm |
| 434 |
CKV_AZURE_34 |
resource |
containers |
Ensure that ‘Public access level’ is set to Private for blob containers |
arm |
| 435 |
CKV_AZURE_34 |
resource |
blobServices/containers |
Ensure that ‘Public access level’ is set to Private for blob containers |
arm |
| 436 |
CKV_AZURE_35 |
resource |
azurerm_storage_account |
Ensure default network access rule for Storage Accounts is set to deny |
Terraform |
| 437 |
CKV_AZURE_35 |
resource |
azurerm_storage_account_network_rules |
Ensure default network access rule for Storage Accounts is set to deny |
Terraform |
| 438 |
CKV_AZURE_35 |
resource |
Microsoft.Storage/storageAccounts |
Ensure default network access rule for Storage Accounts is set to deny |
arm |
| 439 |
CKV_AZURE_36 |
resource |
azurerm_storage_account |
Ensure ‘Trusted Microsoft Services’ is enabled for Storage Account access |
Terraform |
| 440 |
CKV_AZURE_36 |
resource |
azurerm_storage_account_network_rules |
Ensure ‘Trusted Microsoft Services’ is enabled for Storage Account access |
Terraform |
| 441 |
CKV_AZURE_36 |
resource |
Microsoft.Storage/storageAccounts |
Ensure ‘Trusted Microsoft Services’ is enabled for Storage Account access |
arm |
| 442 |
CKV_AZURE_37 |
resource |
azurerm_monitor_log_profile |
Ensure that Activity Log Retention is set 365 days or greater |
Terraform |
| 443 |
CKV_AZURE_37 |
resource |
microsoft.insights/logprofiles |
Ensure that Activity Log Retention is set 365 days or greater |
arm |
| 444 |
CKV_AZURE_38 |
resource |
azurerm_monitor_log_profile |
Ensure audit profile captures all the activities |
Terraform |
| 445 |
CKV_AZURE_38 |
resource |
microsoft.insights/logprofiles |
Ensure audit profile captures all the activities |
arm |
| 446 |
CKV_AZURE_39 |
resource |
azurerm_role_definition |
Ensure that no custom subscription owner roles are created |
Terraform |
| 447 |
CKV_AZURE_39 |
resource |
Microsoft.Authorization/roleDefinitions |
Ensure that no custom subscription owner roles are created |
arm |
| 448 |
CKV_AZURE_40 |
resource |
azurerm_key_vault_key |
Ensure that the expiration date is set on all keys |
Terraform |
| 449 |
CKV_AZURE_41 |
resource |
azurerm_key_vault_secret |
Ensure that the expiration date is set on all secrets |
Terraform |
| 450 |
CKV_AZURE_41 |
resource |
Microsoft.KeyVault/vaults/secrets |
Ensure that the expiration date is set on all secrets |
arm |
| 451 |
CKV_AZURE_42 |
resource |
azurerm_key_vault |
Ensure the key vault is recoverable |
Terraform |
| 452 |
CKV_AZURE_42 |
resource |
Microsoft.KeyVault/vaults |
Ensure the key vault is recoverable |
arm |
| 453 |
CKV_AZURE_43 |
resource |
azurerm_storage_account |
Ensure the Storage Account naming rules |
Terraform |
| 454 |
CKV_AZURE_44 |
resource |
azurerm_storage_account |
Ensure Storage Account is using the latest version of TLS encryption |
Terraform |
| 455 |
CKV_AZURE_45 |
resource |
azurerm_virtual_machine |
Ensure that no sensitive credentials are exposed in VM custom_data |
Terraform |
| 456 |
CKV_AZURE_46 |
resource |
azurerm_mssql_database_extended_auditing_policy |
Specifies a retention period of less than 90 days. |
Terraform |
| 457 |
CKV_AZURE_47 |
resource |
azurerm_mariadb_server |
Ensure ‘Enforce SSL connection’ is set to ‘ENABLED’ for MariaDB servers |
Terraform |
| 458 |
CKV_AZURE_48 |
resource |
azurerm_mariadb_server |
Ensure ‘public network access enabled’ is set to ‘False’ for MariaDB servers |
Terraform |
| 459 |
CKV_AZURE_49 |
resource |
azurerm_linux_virtual_machine_scale_set |
Ensure Azure linux scale set does not use basic authentication(Use SSH Key Instead) |
Terraform |
| 460 |
CKV_AZURE_50 |
resource |
azurerm_linux_virtual_machine |
Ensure Virtual Machine Extensions are not Installed |
Terraform |
| 461 |
CKV_AZURE_50 |
resource |
azurerm_virtual_machine |
Ensure Virtual Machine Extensions are not Installed |
Terraform |
| 462 |
CKV_AZURE_52 |
resource |
azurerm_mssql_server |
Ensure MSSQL is using the latest version of TLS encryption |
Terraform |
| 463 |
CKV_AZURE_53 |
resource |
azurerm_mysql_server |
Ensure ‘public network access enabled’ is set to ‘False’ for mySQL servers |
Terraform |
| 464 |
CKV_AZURE_54 |
resource |
azurerm_mysql_server |
Ensure MySQL is using the latest version of TLS encryption |
Terraform |
| 465 |
CKV_AZURE_55 |
resource |
azurerm_security_center_subscription_pricing |
Ensure that Azure Defender is set to On for Servers |
Terraform |
| 466 |
CKV_AZURE_56 |
resource |
azurerm_function_app |
Ensure that function apps enables Authentication |
Terraform |
| 467 |
CKV_AZURE_57 |
resource |
azurerm_app_service |
Ensure that CORS disallows every resource to access app services |
Terraform |
| 468 |
CKV_AZURE_58 |
resource |
azurerm_synapse_workspace |
Ensure that Azure Synapse workspaces enables managed virtual networks |
Terraform |
| 469 |
CKV_AZURE_59 |
resource |
azurerm_storage_account |
Ensure that Storage accounts disallow public access |
Terraform |
| 470 |
CKV_AZURE_60 |
resource |
azurerm_storage_account |
Ensure that storage account enables secure transfer |
Terraform |
| 471 |
CKV_AZURE_61 |
resource |
azurerm_security_center_subscription_pricing |
Ensure that Azure Defender is set to On for App Service |
Terraform |
| 472 |
CKV_AZURE_62 |
resource |
azurerm_function_app |
Ensure function apps are not accessible from all regions |
Terraform |
| 473 |
CKV_AZURE_63 |
resource |
azurerm_app_service |
Ensure that App service enables HTTP logging |
Terraform |
| 474 |
CKV_AZURE_64 |
resource |
azurerm_storage_sync |
Ensure that Azure File Sync disables public network access |
Terraform |
| 475 |
CKV_AZURE_65 |
resource |
azurerm_app_service |
Ensure that App service enables detailed error messages |
Terraform |
| 476 |
CKV_AZURE_66 |
resource |
azurerm_app_service |
Ensure that App service enables failed request tracing |
Terraform |
| 477 |
CKV_AZURE_67 |
resource |
azurerm_function_app |
Ensure that ‘HTTP Version’ is the latest, if used to run the Function app |
Terraform |
| 478 |
CKV_AZURE_68 |
resource |
azurerm_postgresql_server |
Ensure that PostgreSQL server disables public network access |
Terraform |
| 479 |
CKV_AZURE_69 |
resource |
azurerm_security_center_subscription_pricing |
Ensure that Azure Defender is set to On for Azure SQL database servers |
Terraform |
| 480 |
CKV_AZURE_70 |
resource |
azurerm_function_app |
Ensure that Function apps is only accessible over HTTPS |
Terraform |
| 481 |
CKV_AZURE_71 |
resource |
azurerm_app_service |
Ensure that Managed identity provider is enabled for app services |
Terraform |
| 482 |
CKV_AZURE_72 |
resource |
azurerm_app_service |
Ensure that remote debugging is not enabled for app services |
Terraform |
| 483 |
CKV_AZURE_73 |
resource |
azurerm_automation_variable_bool |
Ensure that Automation account variables are encrypted |
Terraform |
| 484 |
CKV_AZURE_73 |
resource |
azurerm_automation_variable_string |
Ensure that Automation account variables are encrypted |
Terraform |
| 485 |
CKV_AZURE_73 |
resource |
azurerm_automation_variable_int |
Ensure that Automation account variables are encrypted |
Terraform |
| 486 |
CKV_AZURE_73 |
resource |
azurerm_automation_variable_datetime |
Ensure that Automation account variables are encrypted |
Terraform |
| 487 |
CKV_AZURE_74 |
resource |
azurerm_kusto_cluster |
Ensure that Azure Data Explorer uses disk encryption |
Terraform |
| 488 |
CKV_AZURE_75 |
resource |
azurerm_kusto_cluster |
Ensure that Azure Data Explorer uses double encryption |
Terraform |
| 489 |
CKV_AZURE_76 |
resource |
azurerm_batch_account |
Ensure that Azure Batch account uses key vault to encrypt data |
Terraform |
| 490 |
CKV_AZURE_77 |
resource |
azurerm_network_security_rule |
Ensure that UDP Services are restricted from the Internet |
Terraform |
| 491 |
CKV_AZURE_77 |
resource |
azurerm_network_security_group |
Ensure that UDP Services are restricted from the Internet |
Terraform |
| 492 |
CKV_AZURE_78 |
resource |
azurerm_app_service |
Ensure FTP deployments are disabled |
Terraform |
| 493 |
CKV_AZURE_79 |
resource |
azurerm_security_center_subscription_pricing |
Ensure that Azure Defender is set to On for SQL servers on machines |
Terraform |
| 494 |
CKV_AZURE_80 |
resource |
azurerm_app_service |
Ensure that ‘Net Framework’ version is the latest, if used as a part of the web app |
Terraform |
| 495 |
CKV_AZURE_81 |
resource |
azurerm_app_service |
Ensure that ‘PHP version’ is the latest, if used to run the web app |
Terraform |
| 496 |
CKV_AZURE_82 |
resource |
azurerm_app_service |
Ensure that ‘Python version’ is the latest, if used to run the web app |
Terraform |
| 497 |
CKV_AZURE_83 |
resource |
azurerm_app_service |
Ensure that ‘Java version’ is the latest, if used to run the web app |
Terraform |
| 498 |
CKV_AZURE_84 |
resource |
azurerm_security_center_subscription_pricing |
Ensure that Azure Defender is set to On for Storage |
Terraform |
| 499 |
CKV_AZURE_85 |
resource |
azurerm_security_center_subscription_pricing |
Ensure that Azure Defender is set to On for Kubernetes |
Terraform |
| 500 |
CKV_AZURE_86 |
resource |
azurerm_security_center_subscription_pricing |
Ensure that Azure Defender is set to On for Container Registries |
Terraform |
| 501 |
CKV_AZURE_87 |
resource |
azurerm_security_center_subscription_pricing |
Ensure that Azure Defender is set to On for Key Vault |
Terraform |
| 502 |
CKV_AZURE_88 |
resource |
azurerm_app_service |
Ensure that app services use Azure Files |
Terraform |
| 503 |
CKV_AZURE_89 |
resource |
azurerm_redis_cache |
Ensure that Azure Cache for Redis disables public network access |
Terraform |
| 504 |
CKV_AZURE_90 |
resource |
azurerm_mysql_server |
Ensure that MySQL server disables public network access |
Terraform |
| 505 |
CKV_AZURE_91 |
resource |
azurerm_redis_cache |
Ensure that only SSL are enabled for Cache for Redis |
Terraform |
| 506 |
CKV_AZURE_92 |
resource |
azurerm_linux_virtual_machine |
Ensure that Virtual Machines use managed disks |
Terraform |
| 507 |
CKV_AZURE_92 |
resource |
azurerm_windows_virtual_machine |
Ensure that Virtual Machines use managed disks |
Terraform |
| 508 |
CKV_AZURE_93 |
resource |
azurerm_managed_disk |
Ensure that managed disks use a specific set of disk encryption sets for the customer-managed key encryption |
Terraform |
| 509 |
CKV_AZURE_94 |
resource |
azurerm_mysql_server |
Ensure that My SQL server enables geo-redundant backups |
Terraform |
| 510 |
CKV_AZURE_95 |
resource |
azurerm_virtual_machine_scale_set |
Ensure that automatic OS image patching is enabled for Virtual Machine Scale Sets |
Terraform |
| 511 |
CKV_AZURE_96 |
resource |
azurerm_mysql_server |
Ensure that MySQL server enables infrastructure encryption |
Terraform |
| 512 |
CKV_AZURE_97 |
resource |
azurerm_linux_virtual_machine_scale_set |
Ensure that Virtual machine scale sets have encryption at host enabled |
Terraform |
| 513 |
CKV_AZURE_97 |
resource |
azurerm_windows_virtual_machine_scale_set |
Ensure that Virtual machine scale sets have encryption at host enabled |
Terraform |
| 514 |
CKV_AZURE_98 |
resource |
azurerm_container_group |
Ensure that Azure Container group is deployed into virtual network |
Terraform |
| 515 |
CKV_AZURE_99 |
resource |
azurerm_cosmosdb_account |
Ensure Cosmos DB accounts have restricted access |
Terraform |
| 516 |
CKV_AZURE_100 |
resource |
azurerm_cosmosdb_account |
Ensure that Cosmos DB accounts have customer-managed keys to encrypt data at rest |
Terraform |
| 517 |
CKV_AZURE_101 |
resource |
azurerm_cosmosdb_account |
Ensure that Azure Cosmos DB disables public network access |
Terraform |
| 518 |
CKV_AZURE_102 |
resource |
azurerm_postgresql_server |
Ensure that PostgreSQL server enables geo-redundant backups |
Terraform |
| 519 |
CKV_AZURE_103 |
resource |
azurerm_data_factory |
Ensure that Azure Data Factory uses Git repository for source control |
Terraform |
| 520 |
CKV_AZURE_104 |
resource |
azurerm_data_factory |
Ensure that Azure Data factory public network access is disabled |
Terraform |
| 521 |
CKV_AZURE_105 |
resource |
azurerm_data_lake_store |
Ensure that Data Lake Store accounts enables encryption |
Terraform |
| 522 |
CKV_AZURE_106 |
resource |
azurerm_eventgrid_domain |
Ensure that Azure Event Grid Domain public network access is disabled |
Terraform |
| 523 |
CKV_AZURE_107 |
resource |
azurerm_api_management |
Ensure that API management services use virtual networks |
Terraform |
| 524 |
CKV_AZURE_108 |
resource |
azurerm_iothub |
Ensure that Azure IoT Hub disables public network access |
Terraform |
| 525 |
CKV_AZURE_109 |
resource |
azurerm_key_vault |
Ensure that key vault allows firewall rules settings |
Terraform |
| 526 |
CKV_AZURE_110 |
resource |
azurerm_key_vault |
Ensure that key vault enables purge protection |
Terraform |
| 527 |
CKV_AZURE_111 |
resource |
azurerm_key_vault |
Ensure that key vault enables soft delete |
Terraform |
| 528 |
CKV_AZURE_112 |
resource |
azurerm_key_vault_key |
Ensure that key vault key is backed by HSM |
Terraform |
| 529 |
CKV_AZURE_113 |
resource |
azurerm_mssql_server |
Ensure that SQL server disables public network access |
Terraform |
| 530 |
CKV_AZURE_114 |
resource |
azurerm_key_vault_secret |
Ensure that key vault secrets have “content_type” set |
Terraform |
| 531 |
CKV_AZURE_115 |
resource |
azurerm_kubernetes_cluster |
Ensure that AKS enables private clusters |
Terraform |
| 532 |
CKV_AZURE_116 |
resource |
azurerm_kubernetes_cluster |
Ensure that AKS uses Azure Policies Add-on |
Terraform |
| 533 |
CKV_AZURE_117 |
resource |
azurerm_kubernetes_cluster |
Ensure that AKS uses disk encryption set |
Terraform |
| 534 |
CKV_AZURE_118 |
resource |
azurerm_network_interface |
Ensure that Network Interfaces disable IP forwarding |
Terraform |
| 535 |
CKV_AZURE_119 |
resource |
azurerm_network_interface |
Ensure that Network Interfaces don’t use public IPs |
Terraform |
| 536 |
CKV_AZURE_120 |
resource |
azurerm_application_gateway |
Ensure that Application Gateway enables WAF |
Terraform |
| 537 |
CKV_AZURE_121 |
resource |
azurerm_frontdoor |
Ensure that Azure Front Door enables WAF |
Terraform |
| 538 |
CKV_AZURE_122 |
resource |
azurerm_web_application_firewall_policy |
Ensure that Application Gateway uses WAF in “Detection” or “Prevention” modes |
Terraform |
| 539 |
CKV_AZURE_123 |
resource |
azurerm_frontdoor_firewall_policy |
Ensure that Azure Front Door uses WAF in “Detection” or “Prevention” modes |
Terraform |
| 540 |
CKV_AZURE_124 |
resource |
azurerm_search_service |
Ensure that Azure Cognitive Search disables public network access |
Terraform |
| 541 |
CKV_AZURE_125 |
resource |
azurerm_service_fabric_cluster |
Ensures that Active Directory is used for authentication for Service Fabric |
Terraform |
| 542 |
CKV_AZURE_126 |
resource |
azurerm_service_fabric_cluster |
Ensures that Active Directory is used for authentication for Service Fabric |
Terraform |
| 543 |
CKV_AZURE_127 |
resource |
azurerm_mysql_server |
Ensure that My SQL server enables Threat detection policy |
Terraform |
| 544 |
CKV_AZURE_128 |
resource |
azurerm_postgresql_server |
Ensure that PostgreSQL server enables Threat detection policy |
Terraform |
| 545 |
CKV_AZURE_129 |
resource |
azurerm_mariadb_server |
Ensure that MariaDB server enables geo-redundant backups |
Terraform |
| 546 |
CKV_AZURE_130 |
resource |
azurerm_postgresql_server |
Ensure that PostgreSQL server enables infrastructure encryption |
Terraform |
| 547 |
CKV_AZURE_131 |
resource |
azurerm_security_center_contact |
Ensure that ‘Security contact emails’ is set |
Terraform |
| 548 |
CKV_AZURE_131 |
parameter |
secureString |
SecureString parameter should not have hardcoded default values |
arm |
| 549 |
CKV2_AZURE_1 |
resource |
azurerm_storage_account |
Ensure storage for critical data are encrypted with Customer Managed Key |
Terraform |
| 550 |
CKV2_AZURE_2 |
resource |
azurerm_mssql_server_security_alert_policy |
Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account |
Terraform |
| 551 |
CKV2_AZURE_2 |
resource |
azurerm_sql_server |
Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account |
Terraform |
| 552 |
CKV2_AZURE_3 |
resource |
azurerm_mssql_server_security_alert_policy |
Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server |
Terraform |
| 553 |
CKV2_AZURE_3 |
resource |
azurerm_mssql_server_vulnerability_assessment |
Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server |
Terraform |
| 554 |
CKV2_AZURE_3 |
resource |
azurerm_sql_server |
Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server |
Terraform |
| 555 |
CKV2_AZURE_4 |
resource |
azurerm_mssql_server_security_alert_policy |
Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server |
Terraform |
| 556 |
CKV2_AZURE_4 |
resource |
azurerm_mssql_server_vulnerability_assessment |
Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server |
Terraform |
| 557 |
CKV2_AZURE_4 |
resource |
azurerm_sql_server |
Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server |
Terraform |
| 558 |
CKV2_AZURE_5 |
resource |
azurerm_mssql_server_security_alert_policy |
Ensure that VA setting ‘Also send email notifications to admins and subscription owners’ is set for a SQL server |
Terraform |
| 559 |
CKV2_AZURE_5 |
resource |
azurerm_mssql_server_vulnerability_assessment |
Ensure that VA setting ‘Also send email notifications to admins and subscription owners’ is set for a SQL server |
Terraform |
| 560 |
CKV2_AZURE_5 |
resource |
azurerm_sql_server |
Ensure that VA setting ‘Also send email notifications to admins and subscription owners’ is set for a SQL server |
Terraform |
| 561 |
CKV2_AZURE_6 |
resource |
azurerm_sql_firewall_rule |
Ensure ‘Allow access to Azure services’ for PostgreSQL Database Server is disabled |
Terraform |
| 562 |
CKV2_AZURE_6 |
resource |
azurerm_sql_server |
Ensure ‘Allow access to Azure services’ for PostgreSQL Database Server is disabled |
Terraform |
| 563 |
CKV2_AZURE_7 |
resource |
azurerm_sql_server |
Ensure that Azure Active Directory Admin is configured |
Terraform |
| 564 |
CKV2_AZURE_8 |
resource |
azurerm_monitor_activity_log_alert |
Ensure the storage container storing the activity logs is not publicly accessible |
Terraform |
| 565 |
CKV2_AZURE_8 |
resource |
azurerm_storage_container |
Ensure the storage container storing the activity logs is not publicly accessible |
Terraform |
| 566 |
CKV2_AZURE_9 |
resource |
azurerm_virtual_machine |
Ensure Virtual Machines are utilizing Managed Disks |
Terraform |
| 567 |
CKV2_AZURE_10 |
resource |
azurerm_virtual_machine_extension |
Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines |
Terraform |
| 568 |
CKV2_AZURE_10 |
resource |
azurerm_virtual_machine |
Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines |
Terraform |
| 569 |
CKV2_AZURE_11 |
resource |
azurerm_kusto_cluster |
Ensure that Azure Data Explorer encryption at rest uses a customer-managed key |
Terraform |
| 570 |
CKV2_AZURE_12 |
resource |
azurerm_virtual_machine |
Ensure that virtual machines are backed up using Azure Backup |
Terraform |
| 571 |
CKV2_AZURE_13 |
resource |
azurerm_mssql_server_security_alert_policy |
Ensure that sql servers enables data security policy |
Terraform |
| 572 |
CKV2_AZURE_13 |
resource |
azurerm_sql_server |
Ensure that sql servers enables data security policy |
Terraform |
| 573 |
CKV2_AZURE_14 |
resource |
azurerm_managed_disk |
Ensure that Unattached disks are encrypted |
Terraform |
| 574 |
CKV2_AZURE_14 |
resource |
azurerm_virtual_machine |
Ensure that Unattached disks are encrypted |
Terraform |
| 575 |
CKV2_AZURE_15 |
resource |
azurerm_data_factory |
Ensure that Azure data factories are encrypted with a customer-managed key |
Terraform |
| 576 |
CKV2_AZURE_16 |
resource |
azurerm_mysql_server_key |
Ensure that MySQL server enables customer-managed key for encryption |
Terraform |
| 577 |
CKV2_AZURE_16 |
resource |
azurerm_mysql_server |
Ensure that MySQL server enables customer-managed key for encryption |
Terraform |
| 578 |
CKV2_AZURE_17 |
resource |
azurerm_postgresql_server_key |
Ensure that PostgreSQL server enables customer-managed key for encryption |
Terraform |
| 579 |
CKV2_AZURE_17 |
resource |
azurerm_postgresql_server |
Ensure that PostgreSQL server enables customer-managed key for encryption |
Terraform |
| 580 |
CKV2_AZURE_18 |
resource |
azurerm_storage_account_customer_managed_key |
Ensure that Storage Accounts use customer-managed key for encryption |
Terraform |
| 581 |
CKV2_AZURE_18 |
resource |
azurerm_storage_account |
Ensure that Storage Accounts use customer-managed key for encryption |
Terraform |
| 582 |
CKV2_AZURE_19 |
resource |
azurerm_synapse_workspace |
Ensure that Azure Synapse workspaces have no IP firewall rules attached |
Terraform |
| 583 |
CKV2_AZURE_20 |
resource |
azurerm_storage_table |
Ensure Storage logging is enabled for Table service for read requests |
Terraform |
| 584 |
CKV2_AZURE_20 |
resource |
azurerm_log_analytics_storage_insights |
Ensure Storage logging is enabled for Table service for read requests |
Terraform |
| 585 |
CKV2_AZURE_20 |
resource |
azurerm_storage_account |
Ensure Storage logging is enabled for Table service for read requests |
Terraform |
| 586 |
CKV2_AZURE_21 |
resource |
azurerm_log_analytics_storage_insights |
Ensure Storage logging is enabled for Blob service for read requests |
Terraform |
| 587 |
CKV2_AZURE_21 |
resource |
azurerm_storage_container |
Ensure Storage logging is enabled for Blob service for read requests |
Terraform |
| 588 |
CKV2_AZURE_21 |
resource |
azurerm_storage_account |
Ensure Storage logging is enabled for Blob service for read requests |
Terraform |
| 589 |
CKV_DOCKER_1 |
dockerfile |
EXPOSE |
Ensure port 22 is not exposed |
dockerfile |
| 590 |
CKV_DOCKER_2 |
dockerfile |
* |
Ensure that HEALTHCHECK instructions have been added to container images |
dockerfile |
| 591 |
CKV_DOCKER_3 |
dockerfile |
* |
Ensure that a user for the container has been created |
dockerfile |
| 592 |
CKV_DOCKER_4 |
dockerfile |
ADD |
Ensure that COPY is used instead of ADD in Dockerfiles |
dockerfile |
| 593 |
CKV_DOCKER_5 |
dockerfile |
RUN |
Ensure update instructions are not use alone in the Dockerfile |
dockerfile |
| 594 |
CKV_DOCKER_6 |
dockerfile |
MAINTAINER |
Ensure that LABEL maintainer is used instead of MAINTAINER (deprecated) |
dockerfile |
| 595 |
CKV_DOCKER_7 |
dockerfile |
FROM |
Ensure the base image uses a non latest version tag |
dockerfile |
| 596 |
CKV_DOCKER_8 |
dockerfile |
USER |
Ensure the last USER is not root |
dockerfile |
| 597 |
CKV_GCP_1 |
resource |
google_container_cluster |
Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters |
Terraform |
| 598 |
CKV_GCP_2 |
resource |
google_compute_firewall |
Ensure Google compute firewall ingress does not allow unrestricted ssh access |
Terraform |
| 599 |
CKV_GCP_3 |
resource |
google_compute_firewall |
Ensure Google compute firewall ingress does not allow unrestricted rdp access |
Terraform |
| 600 |
CKV_GCP_4 |
resource |
google_compute_ssl_policy |
Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites |
Terraform |
| 601 |
CKV_GCP_6 |
resource |
google_sql_database_instance |
Ensure all Cloud SQL database instance requires all incoming connections to use SSL |
Terraform |
| 602 |
CKV_GCP_7 |
resource |
google_container_cluster |
Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters |
Terraform |
| 603 |
CKV_GCP_8 |
resource |
google_container_cluster |
Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters |
Terraform |
| 604 |
CKV_GCP_9 |
resource |
google_container_node_pool |
Ensure ‘Automatic node repair’ is enabled for Kubernetes Clusters |
Terraform |
| 605 |
CKV_GCP_10 |
resource |
google_container_node_pool |
Ensure ‘Automatic node upgrade’ is enabled for Kubernetes Clusters |
Terraform |
| 606 |
CKV_GCP_11 |
resource |
google_sql_database_instance |
Ensure that Cloud SQL database Instances are not open to the world |
Terraform |
| 607 |
CKV_GCP_12 |
resource |
google_container_cluster |
Ensure Network Policy is enabled on Kubernetes Engine Clusters |
Terraform |
| 608 |
CKV_GCP_13 |
resource |
google_container_cluster |
Ensure a client certificate is used by clients to authenticate to Kubernetes Engine Clusters |
Terraform |
| 609 |
CKV_GCP_14 |
resource |
google_sql_database_instance |
Ensure all Cloud SQL database instance have backup configuration enabled |
Terraform |
| 610 |
CKV_GCP_15 |
resource |
google_bigquery_dataset |
Ensure that BigQuery datasets are not anonymously or publicly accessible |
Terraform |
| 611 |
CKV_GCP_16 |
resource |
google_dns_managed_zone |
Ensure that DNSSEC is enabled for Cloud DNS |
Terraform |
| 612 |
CKV_GCP_17 |
resource |
google_dns_managed_zone |
Ensure that RSASHA1 is not used for the zone-signing and key-signing keys in Cloud DNS DNSSEC |
Terraform |
| 613 |
CKV_GCP_18 |
resource |
google_container_cluster |
Ensure GKE Control Plane is not public |
Terraform |
| 614 |
CKV_GCP_19 |
resource |
google_container_cluster |
Ensure GKE basic auth is disabled |
Terraform |
| 615 |
CKV_GCP_20 |
resource |
google_container_cluster |
Ensure master authorized networks is set to enabled in GKE clusters |
Terraform |
| 616 |
CKV_GCP_21 |
resource |
google_container_cluster |
Ensure Kubernetes Clusters are configured with Labels |
Terraform |
| 617 |
CKV_GCP_22 |
resource |
google_container_node_pool |
Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image |
Terraform |
| 618 |
CKV_GCP_23 |
resource |
google_container_cluster |
Ensure Kubernetes Cluster is created with Alias IP ranges enabled |
Terraform |
| 619 |
CKV_GCP_24 |
resource |
google_container_cluster |
Ensure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters |
Terraform |
| 620 |
CKV_GCP_25 |
resource |
google_container_cluster |
Ensure Kubernetes Cluster is created with Private cluster enabled |
Terraform |
| 621 |
CKV_GCP_26 |
resource |
google_compute_subnetwork |
Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network |
Terraform |
| 622 |
CKV_GCP_27 |
resource |
google_project |
Ensure that the default network does not exist in a project |
Terraform |
| 623 |
CKV_GCP_28 |
resource |
google_storage_bucket_iam_member |
Ensure that Cloud Storage bucket is not anonymously or publicly accessible |
Terraform |
| 624 |
CKV_GCP_28 |
resource |
google_storage_bucket_iam_binding |
Ensure that Cloud Storage bucket is not anonymously or publicly accessible |
Terraform |
| 625 |
CKV_GCP_29 |
resource |
google_storage_bucket |
Ensure that Cloud Storage buckets have uniform bucket-level access enabled |
Terraform |
| 626 |
CKV_GCP_30 |
resource |
google_compute_instance |
Ensure that instances are not configured to use the default service account |
Terraform |
| 627 |
CKV_GCP_31 |
resource |
google_compute_instance |
Ensure that instances are not configured to use the default service account with full access to all Cloud APIs |
Terraform |
| 628 |
CKV_GCP_32 |
resource |
google_compute_instance |
Ensure ‘Block Project-wide SSH keys’ is enabled for VM instances |
Terraform |
| 629 |
CKV_GCP_33 |
resource |
google_compute_project_metadata |
Ensure oslogin is enabled for a Project |
Terraform |
| 630 |
CKV_GCP_34 |
resource |
google_compute_instance |
Ensure that no instance in the project overrides the project setting for enabling OSLogin(OSLogin needs to be enabled in project metadata for all instances) |
Terraform |
| 631 |
CKV_GCP_35 |
resource |
google_compute_instance |
Ensure ‘Enable connecting to serial ports’ is not enabled for VM Instance |
Terraform |
| 632 |
CKV_GCP_36 |
resource |
google_compute_instance |
Ensure that IP forwarding is not enabled on Instances |
Terraform |
| 633 |
CKV_GCP_37 |
resource |
google_compute_disk |
Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK) |
Terraform |
| 634 |
CKV_GCP_38 |
resource |
google_compute_instance |
Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK) |
Terraform |
| 635 |
CKV_GCP_39 |
resource |
google_compute_instance |
Ensure Compute instances are launched with Shielded VM enabled |
Terraform |
| 636 |
CKV_GCP_40 |
resource |
google_compute_instance |
Ensure that Compute instances do not have public IP addresses |
Terraform |
| 637 |
CKV_GCP_41 |
resource |
google_project_iam_member |
Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level |
Terraform |
| 638 |
CKV_GCP_41 |
resource |
google_project_iam_binding |
Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level |
Terraform |
| 639 |
CKV_GCP_42 |
resource |
google_project_iam_member |
Ensure that Service Account has no Admin privileges |
Terraform |
| 640 |
CKV_GCP_43 |
resource |
google_kms_crypto_key |
Ensure KMS encryption keys are rotated within a period of 90 days |
Terraform |
| 641 |
CKV_GCP_44 |
resource |
google_folder_iam_member |
Ensure no roles that enable to impersonate and manage all service accounts are used at a folder level |
Terraform |
| 642 |
CKV_GCP_44 |
resource |
google_folder_iam_binding |
Ensure no roles that enable to impersonate and manage all service accounts are used at a folder level |
Terraform |
| 643 |
CKV_GCP_45 |
resource |
google_organization_iam_member |
Ensure no roles that enable to impersonate and manage all service accounts are used at an organization level |
Terraform |
| 644 |
CKV_GCP_45 |
resource |
google_organization_iam_binding |
Ensure no roles that enable to impersonate and manage all service accounts are used at an organization level |
Terraform |
| 645 |
CKV_GCP_46 |
resource |
google_project_iam_member |
Ensure Default Service account is not used at a project level |
Terraform |
| 646 |
CKV_GCP_46 |
resource |
google_project_iam_binding |
Ensure Default Service account is not used at a project level |
Terraform |
| 647 |
CKV_GCP_47 |
resource |
google_organization_iam_member |
Ensure default service account is not used at an organization level |
Terraform |
| 648 |
CKV_GCP_47 |
resource |
google_organization_iam_binding |
Ensure default service account is not used at an organization level |
Terraform |
| 649 |
CKV_GCP_48 |
resource |
google_folder_iam_member |
Ensure Default Service account is not used at a folder level |
Terraform |
| 650 |
CKV_GCP_48 |
resource |
google_folder_iam_binding |
Ensure Default Service account is not used at a folder level |
Terraform |
| 651 |
CKV_GCP_49 |
resource |
google_project_iam_member |
Ensure no roles that enable to impersonate and manage all service accounts are used at a project level |
Terraform |
| 652 |
CKV_GCP_49 |
resource |
google_project_iam_binding |
Ensure no roles that enable to impersonate and manage all service accounts are used at a project level |
Terraform |
| 653 |
CKV_GCP_50 |
resource |
google_sql_database_instance |
Ensure MySQL database ‘local_infile’ flag is set to ‘off’ |
Terraform |
| 654 |
CKV_GCP_51 |
resource |
google_sql_database_instance |
Ensure PostgreSQL database ‘log_checkpoints’ flag is set to ‘on’ |
Terraform |
| 655 |
CKV_GCP_52 |
resource |
google_sql_database_instance |
Ensure PostgreSQL database ‘log_connections’ flag is set to ‘on’ |
Terraform |
| 656 |
CKV_GCP_53 |
resource |
google_sql_database_instance |
Ensure PostgreSQL database ‘log_disconnections’ flag is set to ‘on’ |
Terraform |
| 657 |
CKV_GCP_54 |
resource |
google_sql_database_instance |
Ensure PostgreSQL database ‘log_lock_waits’ flag is set to ‘on’ |
Terraform |
| 658 |
CKV_GCP_55 |
resource |
google_sql_database_instance |
Ensure PostgreSQL database ‘log_min_messages’ flag is set to a valid value |
Terraform |
| 659 |
CKV_GCP_56 |
resource |
google_sql_database_instance |
Ensure PostgreSQL database ‘log_temp_files flag is set to ‘0’ |
Terraform |
| 660 |
CKV_GCP_57 |
resource |
google_sql_database_instance |
Ensure PostgreSQL database ‘log_min_duration_statement’ flag is set to ‘-1’ |
Terraform |
| 661 |
CKV_GCP_58 |
resource |
google_sql_database_instance |
Ensure SQL database ‘cross db ownership chaining’ flag is set to ‘off’ |
Terraform |
| 662 |
CKV_GCP_59 |
resource |
google_sql_database_instance |
Ensure SQL database ‘contained database authentication’ flag is set to ‘off’ |
Terraform |
| 663 |
CKV_GCP_60 |
resource |
google_sql_database_instance |
Ensure SQL database do not have public IP |
Terraform |
| 664 |
CKV_GCP_61 |
resource |
google_container_cluster |
Enable VPC Flow Logs and Intranode Visibility |
Terraform |
| 665 |
CKV_GCP_62 |
resource |
google_storage_bucket |
Bucket should log access |
Terraform |
| 666 |
CKV_GCP_63 |
resource |
google_storage_bucket |
Bucket should not log to itself |
Terraform |
| 667 |
CKV_GCP_64 |
resource |
google_container_cluster |
Ensure clusters are created with Private Nodes |
Terraform |
| 668 |
CKV_GCP_65 |
resource |
google_container_cluster |
Manage Kubernetes RBAC users with Google Groups for GKE |
Terraform |
| 669 |
CKV_GCP_66 |
resource |
google_container_cluster |
Ensure use of Binary Authorization |
Terraform |
| 670 |
CKV_GCP_67 |
resource |
google_container_cluster |
Ensure legacy Compute Engine instance metadata APIs are Disabled |
Terraform |
| 671 |
CKV_GCP_68 |
resource |
google_container_cluster |
Ensure Secure Boot for Shielded GKE Nodes is Enabled |
Terraform |
| 672 |
CKV_GCP_68 |
resource |
google_container_node_pool |
Ensure Secure Boot for Shielded GKE Nodes is Enabled |
Terraform |
| 673 |
CKV_GCP_69 |
resource |
google_container_cluster |
Ensure the GKE Metadata Server is Enabled |
Terraform |
| 674 |
CKV_GCP_69 |
resource |
google_container_node_pool |
Ensure the GKE Metadata Server is Enabled |
Terraform |
| 675 |
CKV_GCP_70 |
resource |
google_container_cluster |
Ensure the GKE Release Channel is set |
Terraform |
| 676 |
CKV_GCP_71 |
resource |
google_container_cluster |
Ensure Shielded GKE Nodes are Enabled |
Terraform |
| 677 |
CKV_GCP_72 |
resource |
google_container_cluster |
Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled |
Terraform |
| 678 |
CKV_GCP_72 |
resource |
google_container_node_pool |
Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled |
Terraform |
| 679 |
CKV2_GCP_1 |
resource |
google_project_default_service_accounts |
Ensure GKE clusters are not running using the Compute Engine default service account |
Terraform |
| 680 |
CKV2_GCP_2 |
resource |
google_compute_network |
Ensure legacy networks do not exist for a project |
Terraform |
| 681 |
CKV2_GCP_3 |
resource |
google_identity_platform_tenant_default_supported_idp_config |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 682 |
CKV2_GCP_3 |
resource |
google_monitoring_uptime_check_config |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 683 |
CKV2_GCP_3 |
resource |
google_storage_default_object_access_control |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 684 |
CKV2_GCP_3 |
resource |
google_logging_billing_account_exclusion |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 685 |
CKV2_GCP_3 |
resource |
google_compute_backend_service |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 686 |
CKV2_GCP_3 |
resource |
google_compute_url_map |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 687 |
CKV2_GCP_3 |
resource |
google_dialogflow_entity_type |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 688 |
CKV2_GCP_3 |
resource |
google_compute_network_peering_routes_config |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 689 |
CKV2_GCP_3 |
resource |
google_container_registry |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 690 |
CKV2_GCP_3 |
resource |
google_bigtable_app_profile |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 691 |
CKV2_GCP_3 |
resource |
google_access_context_manager_service_perimeter |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 692 |
CKV2_GCP_3 |
resource |
google_service_account_iam |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 693 |
CKV2_GCP_3 |
resource |
google_storage_bucket_iam_binding |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 694 |
CKV2_GCP_3 |
resource |
google_compute_disk |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 695 |
CKV2_GCP_3 |
resource |
google_compute_instance |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 696 |
CKV2_GCP_3 |
resource |
google_dataproc_cluster |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 697 |
CKV2_GCP_3 |
resource |
google_compute_disk_resource_policy_attachment |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 698 |
CKV2_GCP_3 |
resource |
google_logging_folder_exclusion |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 699 |
CKV2_GCP_3 |
resource |
google_iap_web_backend_service_iam |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 700 |
CKV2_GCP_3 |
resource |
google_monitoring_alert_policy |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 701 |
CKV2_GCP_3 |
resource |
google_usage_export_bucket |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 702 |
CKV2_GCP_3 |
resource |
google_bigtable_gc_policy |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 703 |
CKV2_GCP_3 |
resource |
google_organization_iam_binding |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 704 |
CKV2_GCP_3 |
resource |
google_cloud_scheduler_job |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 705 |
CKV2_GCP_3 |
resource |
google_compute_subnetwork |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 706 |
CKV2_GCP_3 |
resource |
google_compute_target_http_proxy |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 707 |
CKV2_GCP_3 |
resource |
google_logging_folder_bucket_config |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 708 |
CKV2_GCP_3 |
resource |
google_firestore_index |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 709 |
CKV2_GCP_3 |
resource |
google_iap_app_engine_version_iam |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 710 |
CKV2_GCP_3 |
resource |
google_cloud_run_domain_mapping |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 711 |
CKV2_GCP_3 |
resource |
google_compute_region_instance_group_manager |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 712 |
CKV2_GCP_3 |
resource |
google_project_organization_policy |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 713 |
CKV2_GCP_3 |
resource |
google_folder_iam_audit_config |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 714 |
CKV2_GCP_3 |
resource |
google_runtimeconfig_config_iam |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 715 |
CKV2_GCP_3 |
resource |
google_network_management_connectivity_test_resource |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 716 |
CKV2_GCP_3 |
resource |
google_compute_http_health_check |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 717 |
CKV2_GCP_3 |
resource |
google_iap_web_type_app_engine_iam |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 718 |
CKV2_GCP_3 |
resource |
google_compute_network |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 719 |
CKV2_GCP_3 |
resource |
google_monitoring_metric_descriptor |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 720 |
CKV2_GCP_3 |
resource |
google_sql_user |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 721 |
CKV2_GCP_3 |
resource |
google_tpu_node |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 722 |
CKV2_GCP_3 |
resource |
google_compute_reservation |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 723 |
CKV2_GCP_3 |
resource |
google_compute_target_pool |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 724 |
CKV2_GCP_3 |
resource |
google_storage_default_object_acl |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 725 |
CKV2_GCP_3 |
resource |
google_compute_target_https_proxy |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 726 |
CKV2_GCP_3 |
resource |
google_identity_platform_default_supported_idp_config |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 727 |
CKV2_GCP_3 |
resource |
google_compute_global_forwarding_rule |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 728 |
CKV2_GCP_3 |
resource |
google_logging_billing_account_bucket_config |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 729 |
CKV2_GCP_3 |
resource |
google_logging_project_bucket_config |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 730 |
CKV2_GCP_3 |
resource |
google_pubsub_subscription_iam |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 731 |
CKV2_GCP_3 |
resource |
google_data_catalog_entry_group |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 732 |
CKV2_GCP_3 |
resource |
google_logging_organization_exclusion |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 733 |
CKV2_GCP_3 |
resource |
google_folder_iam_binding |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 734 |
CKV2_GCP_3 |
resource |
google_healthcare_dataset |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 735 |
CKV2_GCP_3 |
resource |
google_logging_project_exclusion |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 736 |
CKV2_GCP_3 |
resource |
google_compute_autoscaler |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 737 |
CKV2_GCP_3 |
resource |
google_iap_brand |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 738 |
CKV2_GCP_3 |
resource |
google_monitoring_service |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 739 |
CKV2_GCP_3 |
resource |
google_bigquery_dataset |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 740 |
CKV2_GCP_3 |
resource |
google_iap_app_engine_service_iam |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 741 |
CKV2_GCP_3 |
resource |
google_compute_vpn_tunnel |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 742 |
CKV2_GCP_3 |
resource |
google_container_analysis_occurrence |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 743 |
CKV2_GCP_3 |
resource |
google_identity_platform_tenant |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 744 |
CKV2_GCP_3 |
resource |
google_folder_iam_policy |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 745 |
CKV2_GCP_3 |
resource |
google_compute_instance_group_manager |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 746 |
CKV2_GCP_3 |
resource |
google_compute_region_target_https_proxy |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 747 |
CKV2_GCP_3 |
resource |
google_storage_bucket_access_control |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 748 |
CKV2_GCP_3 |
resource |
google_dataproc_autoscaling_policy |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 749 |
CKV2_GCP_3 |
resource |
google_dialogflow_agent |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 750 |
CKV2_GCP_3 |
resource |
google_identity_platform_inbound_saml_config |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 751 |
CKV2_GCP_3 |
resource |
google_secret_manager_secret_iam |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 752 |
CKV2_GCP_3 |
resource |
google_scc_source |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 753 |
CKV2_GCP_3 |
resource |
google_data_catalog_tag_template |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 754 |
CKV2_GCP_3 |
resource |
google_iap_web_type_compute_iam |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 755 |
CKV2_GCP_3 |
resource |
google_healthcare_fhir_store |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 756 |
CKV2_GCP_3 |
resource |
google_organization_iam_custom_role |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 757 |
CKV2_GCP_3 |
resource |
google_bigquery_dataset_iam |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 758 |
CKV2_GCP_3 |
resource |
google_cloudbuild_trigger |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 759 |
CKV2_GCP_3 |
resource |
google_project_iam_member |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 760 |
CKV2_GCP_3 |
resource |
google_kms_key_ring |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 761 |
CKV2_GCP_3 |
resource |
google_compute_backend_bucket_signed_url_key |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 762 |
CKV2_GCP_3 |
resource |
google_cloud_asset_folder_feed |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 763 |
CKV2_GCP_3 |
resource |
google_dns_record_set |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 764 |
CKV2_GCP_3 |
resource |
google_compute_instance_template |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 765 |
CKV2_GCP_3 |
resource |
google_compute_resource_policy |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 766 |
CKV2_GCP_3 |
resource |
google_runtimeconfig_config |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 767 |
CKV2_GCP_3 |
resource |
google_compute_target_ssl_proxy |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 768 |
CKV2_GCP_3 |
resource |
google_compute_address |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 769 |
CKV2_GCP_3 |
resource |
google_container_cluster |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 770 |
CKV2_GCP_3 |
resource |
google_ml_engine_model |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 771 |
CKV2_GCP_3 |
resource |
google_compute_firewall |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 772 |
CKV2_GCP_3 |
resource |
google_compute_region_autoscaler |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 773 |
CKV2_GCP_3 |
resource |
google_storage_bucket_acl |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 774 |
CKV2_GCP_3 |
resource |
google_data_catalog_tag |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 775 |
CKV2_GCP_3 |
resource |
google_dataproc_cluster_iam |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 776 |
CKV2_GCP_3 |
resource |
google_project |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 777 |
CKV2_GCP_3 |
resource |
google_bigquery_dataset_access |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 778 |
CKV2_GCP_3 |
resource |
google_healthcare_dataset_iam |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 779 |
CKV2_GCP_3 |
resource |
google_composer_environment |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 780 |
CKV2_GCP_3 |
resource |
google_compute_project_metadata |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 781 |
CKV2_GCP_3 |
resource |
google_sourcerepo_repository |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 782 |
CKV2_GCP_3 |
resource |
google_spanner_instance |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 783 |
CKV2_GCP_3 |
resource |
google_compute_target_tcp_proxy |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 784 |
CKV2_GCP_3 |
resource |
google_redis_instance |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 785 |
CKV2_GCP_3 |
resource |
google_compute_node_group |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 786 |
CKV2_GCP_3 |
resource |
google_organization_policy |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 787 |
CKV2_GCP_3 |
resource |
google_compute_forwarding_rule |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 788 |
CKV2_GCP_3 |
resource |
google_healthcare_dicom_store_iam |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 789 |
CKV2_GCP_3 |
resource |
google_storage_bucket_iam |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 790 |
CKV2_GCP_3 |
resource |
google_storage_object_access_control |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 791 |
CKV2_GCP_3 |
resource |
google_compute_project_default_network_tier |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 792 |
CKV2_GCP_3 |
resource |
google_compute_region_health_check |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 793 |
CKV2_GCP_3 |
resource |
google_pubsub_topic_iam |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 794 |
CKV2_GCP_3 |
resource |
google_deployment_manager_deployment |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 795 |
CKV2_GCP_3 |
resource |
google_kms_key_ring_iam |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 796 |
CKV2_GCP_3 |
resource |
google_app_engine_firewall_rule |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 797 |
CKV2_GCP_3 |
resource |
google_compute_router_interface |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 798 |
CKV2_GCP_3 |
resource |
google_folder |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 799 |
CKV2_GCP_3 |
resource |
google_compute_network_endpoint |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 800 |
CKV2_GCP_3 |
resource |
google_compute_security_policy |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 801 |
CKV2_GCP_3 |
resource |
google_dialogflow_intent |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 802 |
CKV2_GCP_3 |
resource |
google_access_context_manager_service_perimeter_resource |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 803 |
CKV2_GCP_3 |
resource |
google_compute_shared_vpc_host_project |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 804 |
CKV2_GCP_3 |
resource |
google_compute_global_address |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 805 |
CKV2_GCP_3 |
resource |
google_cloudfunctions_function |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 806 |
CKV2_GCP_3 |
resource |
google_compute_ssl_policy |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 807 |
CKV2_GCP_3 |
resource |
google_billing_account_iam_binding |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 808 |
CKV2_GCP_3 |
resource |
google_compute_instance_group_named_port |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 809 |
CKV2_GCP_3 |
resource |
google_compute_instance_iam |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 810 |
CKV2_GCP_3 |
resource |
google_compute_route |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 811 |
CKV2_GCP_3 |
resource |
google_cloudiot_device |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 812 |
CKV2_GCP_3 |
resource |
google_spanner_instance_iam |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 813 |
CKV2_GCP_3 |
resource |
google_compute_global_network_endpoint_group |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 814 |
CKV2_GCP_3 |
resource |
google_healthcare_hl7_v2_store_iam |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 815 |
CKV2_GCP_3 |
resource |
google_app_engine_domain_mapping |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 816 |
CKV2_GCP_3 |
resource |
google_spanner_database |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 817 |
CKV2_GCP_3 |
resource |
google_bigquery_data_transfer_config |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 818 |
CKV2_GCP_3 |
resource |
google_compute_interconnect_attachment |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 819 |
CKV2_GCP_3 |
resource |
google_storage_transfer_job |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 820 |
CKV2_GCP_3 |
resource |
google_identity_platform_tenant_inbound_saml_config |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 821 |
CKV2_GCP_3 |
resource |
google_pubsub_subscription |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 822 |
CKV2_GCP_3 |
resource |
google_cloud_asset_organization_feed |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 823 |
CKV2_GCP_3 |
resource |
google_compute_router |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 824 |
CKV2_GCP_3 |
resource |
google_storage_bucket |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 825 |
CKV2_GCP_3 |
resource |
google_bigtable_table |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 826 |
CKV2_GCP_3 |
resource |
google_cloud_run_service_iam |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 827 |
CKV2_GCP_3 |
resource |
google_logging_billing_account_sink |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 828 |
CKV2_GCP_3 |
resource |
google_spanner_database_iam |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 829 |
CKV2_GCP_3 |
resource |
google_compute_node_template |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 830 |
CKV2_GCP_3 |
resource |
google_binary_authorization_attestor_iam |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 831 |
CKV2_GCP_3 |
resource |
google_compute_image |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 832 |
CKV2_GCP_3 |
resource |
google_iap_client |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 833 |
CKV2_GCP_3 |
resource |
google_pubsub_topic |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 834 |
CKV2_GCP_3 |
resource |
google_project_iam |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 835 |
CKV2_GCP_3 |
resource |
google_logging_organization_bucket_config |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 836 |
CKV2_GCP_3 |
resource |
google_healthcare_dicom_store |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 837 |
CKV2_GCP_3 |
resource |
google_compute_region_ssl_certificate |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 838 |
CKV2_GCP_3 |
resource |
google_compute_attached_disk |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 839 |
CKV2_GCP_3 |
resource |
google_bigtable_instance_iam |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 840 |
CKV2_GCP_3 |
resource |
google_identity_platform_tenant_oauth_idp_config |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 841 |
CKV2_GCP_3 |
resource |
google_datastore_index |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 842 |
CKV2_GCP_3 |
resource |
google_access_context_manager_access_level |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 843 |
CKV2_GCP_3 |
resource |
google_secret_manager_secret |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 844 |
CKV2_GCP_3 |
resource |
google_logging_folder_sink |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 845 |
CKV2_GCP_3 |
resource |
google_kms_key_ring_import_job |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 846 |
CKV2_GCP_3 |
resource |
google_active_directory_domain |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 847 |
CKV2_GCP_3 |
resource |
google_app_engine_standard_app_version |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 848 |
CKV2_GCP_3 |
resource |
google_sql_database_instance |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 849 |
CKV2_GCP_3 |
resource |
google_kms_secret_ciphertext |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 850 |
CKV2_GCP_3 |
resource |
google_folder_organization_policy |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 851 |
CKV2_GCP_3 |
resource |
google_os_config_patch_deployment |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 852 |
CKV2_GCP_3 |
resource |
google_data_catalog_entry |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 853 |
CKV2_GCP_3 |
resource |
google_secret_manager_secret_version |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 854 |
CKV2_GCP_3 |
resource |
google_cloud_asset_project_feed |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 855 |
CKV2_GCP_3 |
resource |
google_service_account_key |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 856 |
CKV2_GCP_3 |
resource |
google_service_networking_connection |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 857 |
CKV2_GCP_3 |
resource |
google_dataflow_flex_template_job |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 858 |
CKV2_GCP_3 |
resource |
google_project_service |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 859 |
CKV2_GCP_3 |
resource |
google_bigtable_instance |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 860 |
CKV2_GCP_3 |
resource |
google_identity_platform_oauth_idp_config |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 861 |
CKV2_GCP_3 |
resource |
google_dataflow_job |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 862 |
CKV2_GCP_3 |
resource |
google_dataproc_job_iam |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 863 |
CKV2_GCP_3 |
resource |
google_logging_metric |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 864 |
CKV2_GCP_3 |
resource |
google_healthcare_fhir_store_iam |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 865 |
CKV2_GCP_3 |
resource |
google_organization_iam_audit_config |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 866 |
CKV2_GCP_3 |
resource |
google_organization_iam_policy |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 867 |
CKV2_GCP_3 |
resource |
google_healthcare_hl7_v2_store |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 868 |
CKV2_GCP_3 |
resource |
google_storage_notification |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 869 |
CKV2_GCP_3 |
resource |
google_binary_authorization_attestor |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 870 |
CKV2_GCP_3 |
resource |
google_access_context_manager_access_policy |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 871 |
CKV2_GCP_3 |
resource |
google_app_engine_application |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 872 |
CKV2_GCP_3 |
resource |
google_logging_project_sink |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 873 |
CKV2_GCP_3 |
resource |
google_kms_crypto_key_iam |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 874 |
CKV2_GCP_3 |
resource |
google_container_node_pool |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 875 |
CKV2_GCP_3 |
resource |
google_resource_manager_lien |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 876 |
CKV2_GCP_3 |
resource |
google_runtimeconfig_variable |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 877 |
CKV2_GCP_3 |
resource |
google_compute_backend_bucket |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 878 |
CKV2_GCP_3 |
resource |
google_kms_crypto_key |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 879 |
CKV2_GCP_3 |
resource |
google_billing_account_iam_member |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 880 |
CKV2_GCP_3 |
resource |
google_compute_router_bgp_peer |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 881 |
CKV2_GCP_3 |
resource |
google_filestore_instance |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 882 |
CKV2_GCP_3 |
resource |
google_compute_region_url_map |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 883 |
CKV2_GCP_3 |
resource |
google_compute_router_nat |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 884 |
CKV2_GCP_3 |
resource |
google_project_iam_binding |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 885 |
CKV2_GCP_3 |
resource |
google_compute_network_endpoint_group |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 886 |
CKV2_GCP_3 |
resource |
google_compute_target_instance |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 887 |
CKV2_GCP_3 |
resource |
google_storage_hmac_key |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 888 |
CKV2_GCP_3 |
resource |
google_compute_https_health_check |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 889 |
CKV2_GCP_3 |
resource |
google_compute_network_peering |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 890 |
CKV2_GCP_3 |
resource |
google_dataproc_job |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 891 |
CKV2_GCP_3 |
resource |
google_compute_instance_from_template |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 892 |
CKV2_GCP_3 |
resource |
google_compute_region_disk |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 893 |
CKV2_GCP_3 |
resource |
google_monitoring_notification_channel |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 894 |
CKV2_GCP_3 |
resource |
google_bigquery_job |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 895 |
CKV2_GCP_3 |
resource |
google_cloudiot_device_registry |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 896 |
CKV2_GCP_3 |
resource |
google_iap_web_iam |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 897 |
CKV2_GCP_3 |
resource |
google_cloudfunctions_cloud_function_iam |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 898 |
CKV2_GCP_3 |
resource |
google_service_account |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 899 |
CKV2_GCP_3 |
resource |
google_sql_ssl_cert |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 900 |
CKV2_GCP_3 |
resource |
google_compute_backend_service_signed_url_key |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 901 |
CKV2_GCP_3 |
resource |
google_app_engine_service_split_traffic |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 902 |
CKV2_GCP_3 |
resource |
google_bigquery_table |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 903 |
CKV2_GCP_3 |
resource |
google_monitoring_group |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 904 |
CKV2_GCP_3 |
resource |
google_monitoring_slo |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 905 |
CKV2_GCP_3 |
resource |
google_logging_organization_sink |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 906 |
CKV2_GCP_3 |
resource |
google_organization_iam_member |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 907 |
CKV2_GCP_3 |
resource |
google_compute_region_backend_service |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 908 |
CKV2_GCP_3 |
resource |
google_compute_region_target_http_proxy |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 909 |
CKV2_GCP_3 |
resource |
google_compute_region_disk_resource_policy_attachment |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 910 |
CKV2_GCP_3 |
resource |
google_sql_source_representation_instance |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 911 |
CKV2_GCP_3 |
resource |
google_cloud_run_service |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 912 |
CKV2_GCP_3 |
resource |
google_storage_bucket_object |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 913 |
CKV2_GCP_3 |
resource |
google_endpoints_service_iam |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 914 |
CKV2_GCP_3 |
resource |
google_container_analysis_note |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 915 |
CKV2_GCP_3 |
resource |
google_compute_project_metadata_item |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 916 |
CKV2_GCP_3 |
resource |
google_storage_bucket_iam_member |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 917 |
CKV2_GCP_3 |
resource |
google_monitoring_dashboard |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 918 |
CKV2_GCP_3 |
resource |
google_compute_snapshot |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 919 |
CKV2_GCP_3 |
resource |
google_project_iam_custom_role |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 920 |
CKV2_GCP_3 |
resource |
google_sourcerepo_repository_iam |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 921 |
CKV2_GCP_3 |
resource |
google_compute_shared_vpc_service_project |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 922 |
CKV2_GCP_3 |
resource |
google_endpoints_service |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 923 |
CKV2_GCP_3 |
resource |
google_compute_instance_group |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 924 |
CKV2_GCP_3 |
resource |
google_iap_tunnel_instance_iam |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 925 |
CKV2_GCP_3 |
resource |
google_folder_iam_member |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 926 |
CKV2_GCP_3 |
resource |
google_sql_database |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 927 |
CKV2_GCP_3 |
resource |
google_dns_policy |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 928 |
CKV2_GCP_3 |
resource |
google_storage_object_acl |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 929 |
CKV2_GCP_3 |
resource |
google_compute_health_check |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 930 |
CKV2_GCP_3 |
resource |
google_app_engine_flexible_app_version |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 931 |
CKV2_GCP_3 |
resource |
google_cloud_tasks_queue |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 932 |
CKV2_GCP_3 |
resource |
google_dns_managed_zone |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 933 |
CKV2_GCP_3 |
resource |
google_data_catalog_entry_group_iam |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 934 |
CKV2_GCP_3 |
resource |
google_app_engine_application_url_dispatch_rules |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 935 |
CKV2_GCP_3 |
resource |
google_billing_account_iam_policy |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 936 |
CKV2_GCP_3 |
resource |
google_compute_vpn_gateway |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 937 |
CKV2_GCP_3 |
resource |
google_os_login_ssh_public_key |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 938 |
CKV2_GCP_3 |
resource |
google_vpc_access_connector |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 939 |
CKV2_GCP_3 |
resource |
google_compute_subnetwork_iam |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 940 |
CKV2_GCP_3 |
resource |
google_binary_authorization_policy |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 941 |
CKV2_GCP_3 |
resource |
google_compute_ssl_certificate |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 942 |
CKV2_GCP_3 |
resource |
google_compute_global_network_endpoint |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
| 943 |
CKV2_GCP_4 |
resource |
google_logging_organization_sink |
Ensure that retention policies on log buckets are configured using Bucket Lock |
Terraform |
| 944 |
CKV2_GCP_4 |
resource |
google_storage_bucket |
Ensure that retention policies on log buckets are configured using Bucket Lock |
Terraform |
| 945 |
CKV2_GCP_4 |
resource |
google_logging_project_sink |
Ensure that retention policies on log buckets are configured using Bucket Lock |
Terraform |
| 946 |
CKV2_GCP_4 |
resource |
google_logging_folder_sink |
Ensure that retention policies on log buckets are configured using Bucket Lock |
Terraform |
| 947 |
CKV2_GCP_5 |
resource |
google_project |
Ensure that Cloud Audit Logging is configured properly across all services and all users from a project |
Terraform |
| 948 |
CKV2_GCP_5 |
resource |
google_project_iam_audit_config |
Ensure that Cloud Audit Logging is configured properly across all services and all users from a project |
Terraform |
| 949 |
CKV2_GCP_6 |
resource |
google_kms_crypto_key |
Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible |
Terraform |
| 950 |
CKV2_GCP_6 |
resource |
google_kms_crypto_key_iam_member |
Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible |
Terraform |
| 951 |
CKV2_GCP_6 |
resource |
google_kms_crypto_key_iam_binding |
Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible |
Terraform |
| 952 |
CKV2_GCP_7 |
resource |
google_sql_user |
Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges |
Terraform |
| 953 |
CKV2_GCP_7 |
resource |
google_sql_database_instance |
Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges |
Terraform |
| 954 |
CKV_GIT_1 |
resource |
github_repository |
Ensure Repository is Private |
Terraform |
| 955 |
CKV_K8S_1 |
resource |
PodSecurityPolicy |
Do not admit containers wishing to share the host process ID namespace |
Kubernetes |
| 956 |
CKV_K8S_2 |
resource |
PodSecurityPolicy |
Do not admit privileged containers |
Kubernetes |
| 957 |
CKV_K8S_3 |
resource |
PodSecurityPolicy |
Do not admit containers wishing to share the host IPC namespace |
Kubernetes |
| 958 |
CKV_K8S_4 |
resource |
PodSecurityPolicy |
Do not admit containers wishing to share the host network namespace |
Kubernetes |
| 959 |
CKV_K8S_5 |
resource |
PodSecurityPolicy |
Containers should not run with allowPrivilegeEscalation |
Kubernetes |
| 960 |
CKV_K8S_6 |
resource |
PodSecurityPolicy |
Do not admit root containers |
Kubernetes |
| 961 |
CKV_K8S_7 |
resource |
PodSecurityPolicy |
Do not admit containers with the NET_RAW capability |
Kubernetes |
| 962 |
CKV_K8S_8 |
resource |
containers |
Liveness Probe Should be Configured |
Kubernetes |
| 963 |
CKV_K8S_9 |
resource |
containers |
Readiness Probe Should be Configured |
Kubernetes |
| 964 |
CKV_K8S_10 |
resource |
containers |
CPU requests should be set |
Kubernetes |
| 965 |
CKV_K8S_10 |
resource |
initContainers |
CPU requests should be set |
Kubernetes |
| 966 |
CKV_K8S_11 |
resource |
containers |
CPU limits should be set |
Kubernetes |
| 967 |
CKV_K8S_11 |
resource |
initContainers |
CPU limits should be set |
Kubernetes |
| 968 |
CKV_K8S_12 |
resource |
containers |
Memory requests should be set |
Kubernetes |
| 969 |
CKV_K8S_12 |
resource |
initContainers |
Memory requests should be set |
Kubernetes |
| 970 |
CKV_K8S_13 |
resource |
containers |
Memory limits should be set |
Kubernetes |
| 971 |
CKV_K8S_13 |
resource |
initContainers |
Memory limits should be set |
Kubernetes |
| 972 |
CKV_K8S_14 |
resource |
containers |
Image Tag should be fixed - not latest or blank |
Kubernetes |
| 973 |
CKV_K8S_14 |
resource |
initContainers |
Image Tag should be fixed - not latest or blank |
Kubernetes |
| 974 |
CKV_K8S_15 |
resource |
containers |
Image Pull Policy should be Always |
Kubernetes |
| 975 |
CKV_K8S_15 |
resource |
initContainers |
Image Pull Policy should be Always |
Kubernetes |
| 976 |
CKV_K8S_16 |
resource |
containers |
Container should not be privileged |
Kubernetes |
| 977 |
CKV_K8S_16 |
resource |
initContainers |
Container should not be privileged |
Kubernetes |
| 978 |
CKV_K8S_17 |
resource |
Pod |
Containers should not share the host process ID namespace |
Kubernetes |
| 979 |
CKV_K8S_17 |
resource |
Deployment |
Containers should not share the host process ID namespace |
Kubernetes |
| 980 |
CKV_K8S_17 |
resource |
DaemonSet |
Containers should not share the host process ID namespace |
Kubernetes |
| 981 |
CKV_K8S_17 |
resource |
StatefulSet |
Containers should not share the host process ID namespace |
Kubernetes |
| 982 |
CKV_K8S_17 |
resource |
ReplicaSet |
Containers should not share the host process ID namespace |
Kubernetes |
| 983 |
CKV_K8S_17 |
resource |
ReplicationController |
Containers should not share the host process ID namespace |
Kubernetes |
| 984 |
CKV_K8S_17 |
resource |
Job |
Containers should not share the host process ID namespace |
Kubernetes |
| 985 |
CKV_K8S_17 |
resource |
CronJob |
Containers should not share the host process ID namespace |
Kubernetes |
| 986 |
CKV_K8S_18 |
resource |
Pod |
Containers should not share the host IPC namespace |
Kubernetes |
| 987 |
CKV_K8S_18 |
resource |
Deployment |
Containers should not share the host IPC namespace |
Kubernetes |
| 988 |
CKV_K8S_18 |
resource |
DaemonSet |
Containers should not share the host IPC namespace |
Kubernetes |
| 989 |
CKV_K8S_18 |
resource |
StatefulSet |
Containers should not share the host IPC namespace |
Kubernetes |
| 990 |
CKV_K8S_18 |
resource |
ReplicaSet |
Containers should not share the host IPC namespace |
Kubernetes |
| 991 |
CKV_K8S_18 |
resource |
ReplicationController |
Containers should not share the host IPC namespace |
Kubernetes |
| 992 |
CKV_K8S_18 |
resource |
Job |
Containers should not share the host IPC namespace |
Kubernetes |
| 993 |
CKV_K8S_18 |
resource |
CronJob |
Containers should not share the host IPC namespace |
Kubernetes |
| 994 |
CKV_K8S_19 |
resource |
Pod |
Containers should not share the host network namespace |
Kubernetes |
| 995 |
CKV_K8S_19 |
resource |
Deployment |
Containers should not share the host network namespace |
Kubernetes |
| 996 |
CKV_K8S_19 |
resource |
DaemonSet |
Containers should not share the host network namespace |
Kubernetes |
| 997 |
CKV_K8S_19 |
resource |
StatefulSet |
Containers should not share the host network namespace |
Kubernetes |
| 998 |
CKV_K8S_19 |
resource |
ReplicaSet |
Containers should not share the host network namespace |
Kubernetes |
| 999 |
CKV_K8S_19 |
resource |
ReplicationController |
Containers should not share the host network namespace |
Kubernetes |
| 1000 |
CKV_K8S_19 |
resource |
Job |
Containers should not share the host network namespace |
Kubernetes |
| 1001 |
CKV_K8S_19 |
resource |
CronJob |
Containers should not share the host network namespace |
Kubernetes |
| 1002 |
CKV_K8S_20 |
resource |
containers |
Containers should not run with allowPrivilegeEscalation |
Kubernetes |
| 1003 |
CKV_K8S_20 |
resource |
initContainers |
Containers should not run with allowPrivilegeEscalation |
Kubernetes |
| 1004 |
CKV_K8S_21 |
resource |
Service |
The default namespace should not be used |
Kubernetes |
| 1005 |
CKV_K8S_21 |
resource |
Pod |
The default namespace should not be used |
Kubernetes |
| 1006 |
CKV_K8S_21 |
resource |
Deployment |
The default namespace should not be used |
Kubernetes |
| 1007 |
CKV_K8S_21 |
resource |
DaemonSet |
The default namespace should not be used |
Kubernetes |
| 1008 |
CKV_K8S_21 |
resource |
StatefulSet |
The default namespace should not be used |
Kubernetes |
| 1009 |
CKV_K8S_21 |
resource |
ReplicaSet |
The default namespace should not be used |
Kubernetes |
| 1010 |
CKV_K8S_21 |
resource |
ReplicationController |
The default namespace should not be used |
Kubernetes |
| 1011 |
CKV_K8S_21 |
resource |
Job |
The default namespace should not be used |
Kubernetes |
| 1012 |
CKV_K8S_21 |
resource |
CronJob |
The default namespace should not be used |
Kubernetes |
| 1013 |
CKV_K8S_21 |
resource |
Secret |
The default namespace should not be used |
Kubernetes |
| 1014 |
CKV_K8S_21 |
resource |
ServiceAccount |
The default namespace should not be used |
Kubernetes |
| 1015 |
CKV_K8S_21 |
resource |
Role |
The default namespace should not be used |
Kubernetes |
| 1016 |
CKV_K8S_21 |
resource |
RoleBinding |
The default namespace should not be used |
Kubernetes |
| 1017 |
CKV_K8S_21 |
resource |
ConfigMap |
The default namespace should not be used |
Kubernetes |
| 1018 |
CKV_K8S_21 |
resource |
Ingress |
The default namespace should not be used |
Kubernetes |
| 1019 |
CKV_K8S_22 |
resource |
containers |
Use read-only filesystem for containers where possible |
Kubernetes |
| 1020 |
CKV_K8S_22 |
resource |
initContainers |
Use read-only filesystem for containers where possible |
Kubernetes |
| 1021 |
CKV_K8S_23 |
resource |
Pod |
Minimize the admission of root containers |
Kubernetes |
| 1022 |
CKV_K8S_23 |
resource |
Deployment |
Minimize the admission of root containers |
Kubernetes |
| 1023 |
CKV_K8S_23 |
resource |
DaemonSet |
Minimize the admission of root containers |
Kubernetes |
| 1024 |
CKV_K8S_23 |
resource |
StatefulSet |
Minimize the admission of root containers |
Kubernetes |
| 1025 |
CKV_K8S_23 |
resource |
ReplicaSet |
Minimize the admission of root containers |
Kubernetes |
| 1026 |
CKV_K8S_23 |
resource |
ReplicationController |
Minimize the admission of root containers |
Kubernetes |
| 1027 |
CKV_K8S_23 |
resource |
Job |
Minimize the admission of root containers |
Kubernetes |
| 1028 |
CKV_K8S_23 |
resource |
CronJob |
Minimize the admission of root containers |
Kubernetes |
| 1029 |
CKV_K8S_24 |
resource |
PodSecurityPolicy |
Do not allow containers with added capability |
Kubernetes |
| 1030 |
CKV_K8S_25 |
resource |
containers |
Minimize the admission of containers with added capability |
Kubernetes |
| 1031 |
CKV_K8S_25 |
resource |
initContainers |
Minimize the admission of containers with added capability |
Kubernetes |
| 1032 |
CKV_K8S_26 |
resource |
containers |
Do not specify hostPort unless absolutely necessary |
Kubernetes |
| 1033 |
CKV_K8S_26 |
resource |
initContainers |
Do not specify hostPort unless absolutely necessary |
Kubernetes |
| 1034 |
CKV_K8S_27 |
resource |
Pod |
Do not expose the docker daemon socket to containers |
Kubernetes |
| 1035 |
CKV_K8S_27 |
resource |
Deployment |
Do not expose the docker daemon socket to containers |
Kubernetes |
| 1036 |
CKV_K8S_27 |
resource |
DaemonSet |
Do not expose the docker daemon socket to containers |
Kubernetes |
| 1037 |
CKV_K8S_27 |
resource |
StatefulSet |
Do not expose the docker daemon socket to containers |
Kubernetes |
| 1038 |
CKV_K8S_27 |
resource |
ReplicaSet |
Do not expose the docker daemon socket to containers |
Kubernetes |
| 1039 |
CKV_K8S_27 |
resource |
ReplicationController |
Do not expose the docker daemon socket to containers |
Kubernetes |
| 1040 |
CKV_K8S_27 |
resource |
Job |
Do not expose the docker daemon socket to containers |
Kubernetes |
| 1041 |
CKV_K8S_27 |
resource |
CronJob |
Do not expose the docker daemon socket to containers |
Kubernetes |
| 1042 |
CKV_K8S_28 |
resource |
containers |
Minimize the admission of containers with the NET_RAW capability |
Kubernetes |
| 1043 |
CKV_K8S_28 |
resource |
initContainers |
Minimize the admission of containers with the NET_RAW capability |
Kubernetes |
| 1044 |
CKV_K8S_29 |
resource |
Pod |
Apply security context to your pods and containers |
Kubernetes |
| 1045 |
CKV_K8S_29 |
resource |
Deployment |
Apply security context to your pods and containers |
Kubernetes |
| 1046 |
CKV_K8S_29 |
resource |
DaemonSet |
Apply security context to your pods and containers |
Kubernetes |
| 1047 |
CKV_K8S_29 |
resource |
StatefulSet |
Apply security context to your pods and containers |
Kubernetes |
| 1048 |
CKV_K8S_29 |
resource |
ReplicaSet |
Apply security context to your pods and containers |
Kubernetes |
| 1049 |
CKV_K8S_29 |
resource |
ReplicationController |
Apply security context to your pods and containers |
Kubernetes |
| 1050 |
CKV_K8S_29 |
resource |
Job |
Apply security context to your pods and containers |
Kubernetes |
| 1051 |
CKV_K8S_29 |
resource |
CronJob |
Apply security context to your pods and containers |
Kubernetes |
| 1052 |
CKV_K8S_30 |
resource |
containers |
Apply security context to your pods and containers |
Kubernetes |
| 1053 |
CKV_K8S_30 |
resource |
initContainers |
Apply security context to your pods and containers |
Kubernetes |
| 1054 |
CKV_K8S_31 |
resource |
Pod |
Ensure that the seccomp profile is set to docker/default or runtime/default |
Kubernetes |
| 1055 |
CKV_K8S_31 |
resource |
Deployment |
Ensure that the seccomp profile is set to docker/default or runtime/default |
Kubernetes |
| 1056 |
CKV_K8S_31 |
resource |
DaemonSet |
Ensure that the seccomp profile is set to docker/default or runtime/default |
Kubernetes |
| 1057 |
CKV_K8S_31 |
resource |
StatefulSet |
Ensure that the seccomp profile is set to docker/default or runtime/default |
Kubernetes |
| 1058 |
CKV_K8S_31 |
resource |
ReplicaSet |
Ensure that the seccomp profile is set to docker/default or runtime/default |
Kubernetes |
| 1059 |
CKV_K8S_31 |
resource |
ReplicationController |
Ensure that the seccomp profile is set to docker/default or runtime/default |
Kubernetes |
| 1060 |
CKV_K8S_31 |
resource |
Job |
Ensure that the seccomp profile is set to docker/default or runtime/default |
Kubernetes |
| 1061 |
CKV_K8S_31 |
resource |
CronJob |
Ensure that the seccomp profile is set to docker/default or runtime/default |
Kubernetes |
| 1062 |
CKV_K8S_32 |
resource |
PodSecurityPolicy |
Ensure default seccomp profile set to docker/default or runtime/default |
Kubernetes |
| 1063 |
CKV_K8S_33 |
resource |
containers |
Ensure the Kubernetes dashboard is not deployed |
Kubernetes |
| 1064 |
CKV_K8S_33 |
resource |
initContainers |
Ensure the Kubernetes dashboard is not deployed |
Kubernetes |
| 1065 |
CKV_K8S_34 |
resource |
containers |
Ensure that Tiller (Helm v2) is not deployed |
Kubernetes |
| 1066 |
CKV_K8S_34 |
resource |
initContainers |
Ensure that Tiller (Helm v2) is not deployed |
Kubernetes |
| 1067 |
CKV_K8S_35 |
resource |
containers |
Prefer using secrets as files over secrets as environment variables |
Kubernetes |
| 1068 |
CKV_K8S_35 |
resource |
initContainers |
Prefer using secrets as files over secrets as environment variables |
Kubernetes |
| 1069 |
CKV_K8S_36 |
resource |
PodSecurityPolicy |
Minimize the admission of containers with capabilities assigned |
Kubernetes |
| 1070 |
CKV_K8S_37 |
resource |
containers |
Minimize the admission of containers with capabilities assigned |
Kubernetes |
| 1071 |
CKV_K8S_37 |
resource |
initContainers |
Minimize the admission of containers with capabilities assigned |
Kubernetes |
| 1072 |
CKV_K8S_38 |
resource |
Pod |
Ensure that Service Account Tokens are only mounted where necessary |
Kubernetes |
| 1073 |
CKV_K8S_38 |
resource |
Deployment |
Ensure that Service Account Tokens are only mounted where necessary |
Kubernetes |
| 1074 |
CKV_K8S_38 |
resource |
DaemonSet |
Ensure that Service Account Tokens are only mounted where necessary |
Kubernetes |
| 1075 |
CKV_K8S_38 |
resource |
StatefulSet |
Ensure that Service Account Tokens are only mounted where necessary |
Kubernetes |
| 1076 |
CKV_K8S_38 |
resource |
ReplicaSet |
Ensure that Service Account Tokens are only mounted where necessary |
Kubernetes |
| 1077 |
CKV_K8S_38 |
resource |
ReplicationController |
Ensure that Service Account Tokens are only mounted where necessary |
Kubernetes |
| 1078 |
CKV_K8S_38 |
resource |
Job |
Ensure that Service Account Tokens are only mounted where necessary |
Kubernetes |
| 1079 |
CKV_K8S_38 |
resource |
CronJob |
Ensure that Service Account Tokens are only mounted where necessary |
Kubernetes |
| 1080 |
CKV_K8S_39 |
resource |
containers |
Do not use the CAP_SYS_ADMIN linux capability |
Kubernetes |
| 1081 |
CKV_K8S_39 |
resource |
initContainers |
Do not use the CAP_SYS_ADMIN linux capability |
Kubernetes |
| 1082 |
CKV_K8S_40 |
resource |
Pod |
Containers should run as a high UID to avoid host conflict |
Kubernetes |
| 1083 |
CKV_K8S_40 |
resource |
Deployment |
Containers should run as a high UID to avoid host conflict |
Kubernetes |
| 1084 |
CKV_K8S_40 |
resource |
DaemonSet |
Containers should run as a high UID to avoid host conflict |
Kubernetes |
| 1085 |
CKV_K8S_40 |
resource |
StatefulSet |
Containers should run as a high UID to avoid host conflict |
Kubernetes |
| 1086 |
CKV_K8S_40 |
resource |
ReplicaSet |
Containers should run as a high UID to avoid host conflict |
Kubernetes |
| 1087 |
CKV_K8S_40 |
resource |
ReplicationController |
Containers should run as a high UID to avoid host conflict |
Kubernetes |
| 1088 |
CKV_K8S_40 |
resource |
Job |
Containers should run as a high UID to avoid host conflict |
Kubernetes |
| 1089 |
CKV_K8S_40 |
resource |
CronJob |
Containers should run as a high UID to avoid host conflict |
Kubernetes |
| 1090 |
CKV_K8S_41 |
resource |
ServiceAccount |
Ensure that default service accounts are not actively used |
Kubernetes |
| 1091 |
CKV_K8S_42 |
resource |
RoleBinding |
Ensure that default service accounts are not actively used |
Kubernetes |
| 1092 |
CKV_K8S_42 |
resource |
ClusterRoleBinding |
Ensure that default service accounts are not actively used |
Kubernetes |
| 1093 |
CKV_K8S_43 |
resource |
containers |
Image should use digest |
Kubernetes |
| 1094 |
CKV_K8S_43 |
resource |
initContainers |
Image should use digest |
Kubernetes |
| 1095 |
CKV_K8S_44 |
resource |
Service |
Ensure that the Tiller Service (Helm v2) is deleted |
Kubernetes |
| 1096 |
CKV_K8S_45 |
resource |
containers |
Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster |
Kubernetes |
| 1097 |
CKV_K8S_45 |
resource |
initContainers |
Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster |
Kubernetes |
| 1098 |
CKV_K8S_49 |
resource |
Role |
Minimize wildcard use in Roles and ClusterRoles |
Kubernetes |
| 1099 |
CKV_K8S_49 |
resource |
ClusterRole |
Minimize wildcard use in Roles and ClusterRoles |
Kubernetes |
| 1100 |
CKV_K8S_68 |
resource |
containers |
Ensure that the –anonymous-auth argument is set to false |
Kubernetes |
| 1101 |
CKV_K8S_69 |
resource |
containers |
Ensure that the –basic-auth-file argument is not set |
Kubernetes |
| 1102 |
CKV_K8S_70 |
resource |
containers |
Ensure that the –token-auth-file argument is not set |
Kubernetes |
| 1103 |
CKV_K8S_71 |
resource |
containers |
Ensure that the –kubelet-https argument is set to true |
Kubernetes |
| 1104 |
CKV_K8S_72 |
resource |
containers |
Ensure that the –kubelet-client-certificate and –kubelet-client-key arguments are set as appropriate |
Kubernetes |
| 1105 |
CKV_K8S_73 |
resource |
containers |
Ensure that the –kubelet-certificate-authority argument is set as appropriate |
Kubernetes |
| 1106 |
CKV_K8S_74 |
resource |
containers |
Ensure that the –authorization-mode argument is not set to AlwaysAllow |
Kubernetes |
| 1107 |
CKV_K8S_75 |
resource |
containers |
Ensure that the –authorization-mode argument includes Node |
Kubernetes |
| 1108 |
CKV_K8S_77 |
resource |
containers |
Ensure that the –authorization-mode argument includes RBAC |
Kubernetes |
| 1109 |
CKV_K8S_78 |
resource |
AdmissionConfiguration |
Ensure that the admission control plugin EventRateLimit is set |
Kubernetes |
| 1110 |
CKV_K8S_79 |
resource |
containers |
Ensure that the admission control plugin AlwaysAdmit is not set |
Kubernetes |
| 1111 |
CKV_K8S_80 |
resource |
containers |
Ensure that the admission control plugin AlwaysPullImages is set |
Kubernetes |
| 1112 |
CKV_K8S_81 |
resource |
containers |
Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used |
Kubernetes |
| 1113 |
CKV_K8S_82 |
resource |
containers |
Ensure that the admission control plugin ServiceAccount is set |
Kubernetes |
| 1114 |
CKV_K8S_83 |
resource |
containers |
Ensure that the admission control plugin NamespaceLifecycle is set |
Kubernetes |
| 1115 |
CKV_K8S_84 |
resource |
containers |
Ensure that the admission control plugin PodSecurityPolicy is set |
Kubernetes |
| 1116 |
CKV_K8S_85 |
resource |
containers |
Ensure that the admission control plugin NodeRestriction is set |
Kubernetes |
| 1117 |
CKV_K8S_86 |
resource |
containers |
Ensure that the –insecure-bind-address argument is not set |
Kubernetes |
| 1118 |
CKV_K8S_88 |
resource |
containers |
Ensure that the –insecure-port argument is set to 0 |
Kubernetes |
| 1119 |
CKV_K8S_89 |
resource |
containers |
Ensure that the –secure-port argument is not set to 0 |
Kubernetes |
| 1120 |
CKV_K8S_90 |
resource |
containers |
Ensure that the –profiling argument is set to false |
Kubernetes |
| 1121 |
CKV_K8S_91 |
resource |
containers |
Ensure that the –audit-log-path argument is set |
Kubernetes |
| 1122 |
CKV_K8S_92 |
resource |
containers |
Ensure that the –audit-log-maxage argument is set to 30 or as appropriate |
Kubernetes |
| 1123 |
CKV_K8S_93 |
resource |
containers |
Ensure that the –audit-log-maxbackup argument is set to 10 or as appropriate |
Kubernetes |
| 1124 |
CKV_K8S_94 |
resource |
containers |
Ensure that the –audit-log-maxsize argument is set to 100 or as appropriate |
Kubernetes |
| 1125 |
CKV_K8S_95 |
resource |
containers |
Ensure that the –request-timeout argument is set as appropriate |
Kubernetes |
| 1126 |
CKV_K8S_96 |
resource |
containers |
Ensure that the –service-account-lookup argument is set to true |
Kubernetes |
| 1127 |
CKV_K8S_97 |
resource |
containers |
Ensure that the –service-account-key-file argument is set as appropriate |
Kubernetes |
| 1128 |
CKV_K8S_99 |
resource |
containers |
Ensure that the –etcd-certfile and –etcd-keyfile arguments are set as appropriate |
Kubernetes |
| 1129 |
CKV_K8S_100 |
resource |
containers |
Ensure that the –tls-cert-file and –tls-private-key-file arguments are set as appropriate |
Kubernetes |
| 1130 |
CKV_K8S_102 |
resource |
containers |
Ensure that the –etcd-ca-file argument is set as appropriate |
Kubernetes |
| 1131 |
CKV_K8S_104 |
resource |
containers |
Ensure that encryption providers are appropriately configured |
Kubernetes |
| 1132 |
CKV_K8S_105 |
resource |
containers |
Ensure that the API Server only makes use of Strong Cryptographic Ciphers |
Kubernetes |
| 1133 |
CKV_K8S_106 |
resource |
containers |
Ensure that the –terminated-pod-gc-threshold argument is set as appropriate |
Kubernetes |
| 1134 |
CKV_K8S_107 |
resource |
containers |
Ensure that the –profiling argument is set to false |
Kubernetes |
| 1135 |
CKV_K8S_108 |
resource |
containers |
Ensure that the –use-service-account-credentials argument is set to true |
Kubernetes |
| 1136 |
CKV_K8S_110 |
resource |
containers |
Ensure that the –service-account-private-key-file argument is set as appropriate |
Kubernetes |
| 1137 |
CKV_K8S_111 |
resource |
containers |
Ensure that the –root-ca-file argument is set as appropriate |
Kubernetes |
| 1138 |
CKV_K8S_112 |
resource |
containers |
Ensure that the RotateKubeletServerCertificate argument is set to true |
Kubernetes |
| 1139 |
CKV_K8S_113 |
resource |
containers |
Ensure that the –bind-address argument is set to 127.0.0.1 |
Kubernetes |
| 1140 |
CKV_K8S_114 |
resource |
containers |
Ensure that the –profiling argument is set to false |
Kubernetes |
| 1141 |
CKV_K8S_115 |
resource |
containers |
Ensure that the –bind-address argument is set to 127.0.0.1 |
Kubernetes |
| 1142 |
CKV_K8S_116 |
resource |
containers |
Ensure that the –cert-file and –key-file arguments are set as appropriate |
Kubernetes |
| 1143 |
CKV_K8S_117 |
resource |
containers |
Ensure that the –client-cert-auth argument is set to true |
Kubernetes |
| 1144 |
CKV_K8S_118 |
resource |
containers |
Ensure that the –auto-tls argument is not set to true |
Kubernetes |
| 1145 |
CKV_K8S_119 |
resource |
containers |
Ensure that the –peer-cert-file and –peer-key-file arguments are set as appropriate |
Kubernetes |
| 1146 |
CKV_K8S_121 |
resource |
Pod |
Ensure that the –peer-client-cert-auth argument is set to true |
Kubernetes |
| 1147 |
CKV_K8S_138 |
resource |
containers |
Ensure that the –anonymous-auth argument is set to false |
Kubernetes |
| 1148 |
CKV_K8S_139 |
resource |
containers |
Ensure that the –authorization-mode argument is not set to AlwaysAllow |
Kubernetes |
| 1149 |
CKV_K8S_140 |
resource |
containers |
Ensure that the –client-ca-file argument is set as appropriate |
Kubernetes |
| 1150 |
CKV_K8S_141 |
resource |
containers |
Ensure that the –read-only-port argument is set to 0 |
Kubernetes |
| 1151 |
CKV_K8S_143 |
resource |
containers |
Ensure that the –streaming-connection-idle-timeout argument is not set to 0 |
Kubernetes |
| 1152 |
CKV_K8S_144 |
resource |
containers |
Ensure that the –protect-kernel-defaults argument is set to true |
Kubernetes |
| 1153 |
CKV_K8S_145 |
resource |
containers |
Ensure that the –make-iptables-util-chains argument is set to true |
Kubernetes |
| 1154 |
CKV_K8S_146 |
resource |
containers |
Ensure that the –hostname-override argument is not set |
Kubernetes |
| 1155 |
CKV_K8S_147 |
resource |
containers |
Ensure that the –event-qps argument is set to 0 or a level which ensures appropriate event capture |
Kubernetes |
| 1156 |
CKV_K8S_148 |
resource |
containers |
Ensure that the –tls-cert-file and –tls-private-key-file arguments are set as appropriate |
Kubernetes |
| 1157 |
CKV_K8S_149 |
resource |
containers |
Ensure that the –rotate-certificates argument is not set to false |
Kubernetes |
| 1158 |
CKV_K8S_150 |
resource |
containers |
Ensure that the RotateKubeletServerCertificate argument is set to true |
Kubernetes |
| 1159 |
CKV_K8S_151 |
resource |
containers |
Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers |
Kubernetes |
| 1160 |
CKV_LIN_1 |
provider |
linode |
Ensure no hard coded Linode tokens exist in provider |
Terraform |
| 1161 |
CKV_LIN_2 |
resource |
linode_instance |
Ensure SSH key set in authorized_keys |
Terraform |