| 0 |
CKV_AWS_2 |
resource |
AWS::ElasticLoadBalancingV2::Listener |
Ensure ALB protocol is HTTPS |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/ALBListenerHTTPS.py |
| 1 |
CKV_AWS_3 |
resource |
AWS::EC2::Volume |
Ensure all data stored in the EBS is securely encrypted |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/EBSEncryption.py |
| 2 |
CKV_AWS_5 |
resource |
AWS::Elasticsearch::Domain |
Ensure all data stored in the Elasticsearch is securely encrypted at rest |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/ElasticsearchEncryption.py |
| 3 |
CKV_AWS_6 |
resource |
AWS::Elasticsearch::Domain |
Ensure all Elasticsearch has node-to-node encryption enabled |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/ElasticsearchNodeToNodeEncryption.py |
| 4 |
CKV_AWS_7 |
resource |
AWS::KMS::Key |
Ensure rotation for customer created CMKs is enabled |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/KMSRotation.py |
| 5 |
CKV_AWS_8 |
resource |
AWS::AutoScaling::LaunchConfiguration |
Ensure all data stored in the Launch configuration EBS is securely encrypted |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/LaunchConfigurationEBSEncryption.py |
| 6 |
CKV_AWS_16 |
resource |
AWS::RDS::DBInstance |
Ensure all data stored in the RDS is securely encrypted at rest |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/RDSEncryption.py |
| 7 |
CKV_AWS_17 |
resource |
AWS::RDS::DBInstance |
Ensure all data stored in RDS is not publicly accessible |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/RDSPubliclyAccessible.py |
| 8 |
CKV_AWS_18 |
resource |
AWS::S3::Bucket |
Ensure the S3 bucket has access logging enabled |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/S3AccessLogs.py |
| 9 |
CKV_AWS_19 |
resource |
AWS::S3::Bucket |
Ensure the S3 bucket has server-side-encryption enabled |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/S3Encryption.py |
| 10 |
CKV_AWS_20 |
resource |
AWS::S3::Bucket |
Ensure the S3 bucket does not allow READ permissions to everyone |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/S3PublicACLRead.py |
| 11 |
CKV_AWS_21 |
resource |
AWS::S3::Bucket |
Ensure the S3 bucket has versioning enabled |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/S3Versioning.py |
| 12 |
CKV_AWS_23 |
resource |
AWS::EC2::SecurityGroup |
Ensure every security groups rule has a description |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/SecurityGroupRuleDescription.py |
| 13 |
CKV_AWS_23 |
resource |
AWS::EC2::SecurityGroupEgress |
Ensure every security groups rule has a description |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/SecurityGroupRuleDescription.py |
| 14 |
CKV_AWS_23 |
resource |
AWS::EC2::SecurityGroupIngress |
Ensure every security groups rule has a description |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/SecurityGroupRuleDescription.py |
| 15 |
CKV_AWS_24 |
resource |
AWS::EC2::SecurityGroup |
Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/SecurityGroupUnrestrictedIngress22.py |
| 16 |
CKV_AWS_24 |
resource |
AWS::EC2::SecurityGroupIngress |
Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/SecurityGroupUnrestrictedIngress22.py |
| 17 |
CKV_AWS_25 |
resource |
AWS::EC2::SecurityGroup |
Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/SecurityGroupUnrestrictedIngress3389.py |
| 18 |
CKV_AWS_25 |
resource |
AWS::EC2::SecurityGroupIngress |
Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/SecurityGroupUnrestrictedIngress3389.py |
| 19 |
CKV_AWS_26 |
resource |
AWS::SNS::Topic |
Ensure all data stored in the SNS topic is encrypted |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/SNSTopicEncryption.py |
| 20 |
CKV_AWS_27 |
resource |
AWS::SQS::Queue |
Ensure all data stored in the SQS queue is encrypted |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/SQSQueueEncryption.py |
| 21 |
CKV_AWS_28 |
resource |
AWS::DynamoDB::Table |
Ensure Dynamodb point in time recovery (backup) is enabled |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/DynamodbRecovery.py |
| 22 |
CKV_AWS_29 |
resource |
AWS::ElastiCache::ReplicationGroup |
Ensure all data stored in the Elasticache Replication Group is securely encrypted at rest |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/ElasticacheReplicationGroupEncryptionAtRest.py |
| 23 |
CKV_AWS_30 |
resource |
AWS::ElastiCache::ReplicationGroup |
Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/ElasticacheReplicationGroupEncryptionAtTransit.py |
| 24 |
CKV_AWS_31 |
resource |
AWS::ElastiCache::ReplicationGroup |
Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit and has auth token |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/ElasticacheReplicationGroupEncryptionAtTransitAuthToken.py |
| 25 |
CKV_AWS_32 |
resource |
AWS::ECR::Repository |
Ensure ECR policy is not set to public |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/ECRPolicy.py |
| 26 |
CKV_AWS_33 |
resource |
AWS::KMS::Key |
Ensure KMS key policy does not contain wildcard (*) principal |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/KMSKeyWildCardPrincipal.py |
| 27 |
CKV_AWS_34 |
resource |
AWS::CloudFront::Distribution |
Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/CloudfrontDistributionEncryption.py |
| 28 |
CKV_AWS_35 |
resource |
AWS::CloudTrail::Trail |
Ensure CloudTrail logs are encrypted at rest using KMS CMKs |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/CloudtrailEncryption.py |
| 29 |
CKV_AWS_36 |
resource |
AWS::CloudTrail::Trail |
Ensure CloudTrail log file validation is enabled |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/CloudtrailLogValidation.py |
| 30 |
CKV_AWS_40 |
resource |
AWS::IAM::Policy |
Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/IAMPolicyAttachedToGroupOrRoles.py |
| 31 |
CKV_AWS_42 |
resource |
AWS::EFS::FileSystem |
Ensure EFS is securely encrypted |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/EFSEncryptionEnabled.py |
| 32 |
CKV_AWS_43 |
resource |
AWS::Kinesis::Stream |
Ensure Kinesis Stream is securely encrypted |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/KinesisStreamEncryptionType.py |
| 33 |
CKV_AWS_44 |
resource |
AWS::Neptune::DBCluster |
Ensure Neptune storage is securely encrypted |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/NeptuneClusterStorageEncrypted.py |
| 34 |
CKV_AWS_45 |
resource |
AWS::Lambda::Function |
Ensure no hard-coded secrets exist in lambda environment |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/LambdaEnvironmentCredentials.py |
| 35 |
CKV_AWS_45 |
resource |
AWS::Serverless::Function |
Ensure no hard-coded secrets exist in lambda environment |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/LambdaEnvironmentCredentials.py |
| 36 |
CKV_AWS_46 |
resource |
AWS::EC2::Instance |
Ensure no hard-coded secrets exist in EC2 user data |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/EC2Credentials.py |
| 37 |
CKV_AWS_47 |
resource |
AWS::DAX::Cluster |
Ensure DAX is encrypted at rest (default is unencrypted) |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/DAXEncryption.py |
| 38 |
CKV_AWS_51 |
resource |
AWS::ECR::Repository |
Ensure ECR Image Tags are immutable |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/ECRImmutableTags.py |
| 39 |
CKV_AWS_53 |
resource |
AWS::S3::Bucket |
Ensure S3 bucket has block public ACLS enabled |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/S3BlockPublicACLs.py |
| 40 |
CKV_AWS_54 |
resource |
AWS::S3::Bucket |
Ensure S3 bucket has block public policy enabled |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/S3BlockPublicPolicy.py |
| 41 |
CKV_AWS_55 |
resource |
AWS::S3::Bucket |
Ensure S3 bucket has ignore public ACLs enabled |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/S3IgnorePublicACLs.py |
| 42 |
CKV_AWS_56 |
resource |
AWS::S3::Bucket |
Ensure S3 bucket has ‘restrict_public_bucket’ enabled |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/S3RestrictPublicBuckets.py |
| 43 |
CKV_AWS_57 |
resource |
AWS::S3::Bucket |
Ensure the S3 bucket does not allow WRITE permissions to everyone |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/S3PublicACLWrite.py |
| 44 |
CKV_AWS_58 |
resource |
AWS::EKS::Cluster |
Ensure EKS Cluster has Secrets Encryption Enabled |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/EKSSecretsEncryption.py |
| 45 |
CKV_AWS_59 |
resource |
AWS::ApiGateway::Method |
Ensure there is no open access to back-end resources through API |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/APIGatewayAuthorization.py |
| 46 |
CKV_AWS_60 |
resource |
AWS::IAM::Role |
Ensure IAM role allows only specific services or principals to assume it |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/IAMRoleAllowsPublicAssume.py |
| 47 |
CKV_AWS_61 |
resource |
AWS::IAM::Role |
Ensure AWS IAM policy does not allow assume role permission across all services |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/IAMRoleAllowAssumeFromAccount.py |
| 48 |
CKV_AWS_62 |
resource |
AWS::IAM::Group |
Ensure no IAM policies that allow full “-” administrative privileges are not created |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/IAMAdminPolicyDocument.py |
| 49 |
CKV_AWS_62 |
resource |
AWS::IAM::Policy |
Ensure no IAM policies that allow full “-” administrative privileges are not created |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/IAMAdminPolicyDocument.py |
| 50 |
CKV_AWS_62 |
resource |
AWS::IAM::Role |
Ensure no IAM policies that allow full “-” administrative privileges are not created |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/IAMAdminPolicyDocument.py |
| 51 |
CKV_AWS_62 |
resource |
AWS::IAM::User |
Ensure no IAM policies that allow full “-” administrative privileges are not created |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/IAMAdminPolicyDocument.py |
| 52 |
CKV_AWS_63 |
resource |
AWS::IAM::Group |
Ensure no IAM policies documents allow “*” as a statement’s actions |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/IAMStarActionPolicyDocument.py |
| 53 |
CKV_AWS_63 |
resource |
AWS::IAM::Policy |
Ensure no IAM policies documents allow “*” as a statement’s actions |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/IAMStarActionPolicyDocument.py |
| 54 |
CKV_AWS_63 |
resource |
AWS::IAM::Role |
Ensure no IAM policies documents allow “*” as a statement’s actions |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/IAMStarActionPolicyDocument.py |
| 55 |
CKV_AWS_63 |
resource |
AWS::IAM::User |
Ensure no IAM policies documents allow “*” as a statement’s actions |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/IAMStarActionPolicyDocument.py |
| 56 |
CKV_AWS_64 |
resource |
AWS::Redshift::Cluster |
Ensure all data stored in the Redshift cluster is securely encrypted at rest |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/RedshiftClusterEncryption.py |
| 57 |
CKV_AWS_65 |
resource |
AWS::ECS::Cluster |
Ensure container insights are enabled on ECS cluster |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/ECSClusterContainerInsights.py |
| 58 |
CKV_AWS_66 |
resource |
AWS::Logs::LogGroup |
Ensure that CloudWatch Log Group specifies retention days |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/CloudWatchLogGroupRetention.py |
| 59 |
CKV_AWS_67 |
resource |
AWS::CloudTrail::Trail |
Ensure CloudTrail is enabled in all Regions |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/CloudtrailMultiRegion.py |
| 60 |
CKV_AWS_68 |
resource |
AWS::CloudFront::Distribution |
CloudFront Distribution should have WAF enabled |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/WAFEnabled.py |
| 61 |
CKV_AWS_69 |
resource |
AWS::AmazonMQ::Broker |
Ensure Amazon MQ Broker should not have public access |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/AmazonMQBrokerPublicAccess.py |
| 62 |
CKV_AWS_71 |
resource |
AWS::Redshift::Cluster |
Ensure Redshift Cluster logging is enabled |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/RedshiftClusterLogging.py |
| 63 |
CKV_AWS_73 |
resource |
AWS::ApiGateway::Stage |
Ensure API Gateway has X-Ray Tracing enabled |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/APIGatewayXray.py |
| 64 |
CKV_AWS_73 |
resource |
AWS::Serverless::Api |
Ensure API Gateway has X-Ray Tracing enabled |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/APIGatewayXray.py |
| 65 |
CKV_AWS_74 |
resource |
AWS::DocDB::DBCluster |
Ensure DocDB is encrypted at rest (default is unencrypted) |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/DocDBEncryption.py |
| 66 |
CKV_AWS_76 |
resource |
AWS::ApiGateway::Stage |
Ensure API Gateway has Access Logging enabled |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/APIGatewayAccessLogging.py |
| 67 |
CKV_AWS_76 |
resource |
AWS::Serverless::Api |
Ensure API Gateway has Access Logging enabled |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/APIGatewayAccessLogging.py |
| 68 |
CKV_AWS_78 |
resource |
AWS::CodeBuild::Project |
Ensure that CodeBuild Project encryption is not disabled |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/CodeBuildProjectEncryption.py |
| 69 |
CKV_AWS_79 |
resource |
AWS::EC2::LaunchTemplate |
Ensure Instance Metadata Service Version 1 is not enabled |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/IMDSv1Disabled.py |
| 70 |
CKV_AWS_82 |
resource |
AWS::Athena::WorkGroup |
Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/AthenaWorkgroupConfiguration.py |
| 71 |
CKV_AWS_83 |
resource |
AWS::Elasticsearch::Domain |
Ensure Elasticsearch Domain enforces HTTPS |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/ElasticsearchDomainEnforceHTTPS.py |
| 72 |
CKV_AWS_84 |
resource |
AWS::Elasticsearch::Domain |
Ensure Elasticsearch Domain Logging is enabled |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/ElasticsearchDomainLogging.py |
| 73 |
CKV_AWS_85 |
resource |
AWS::DocDB::DBCluster |
Ensure DocDB Logging is enabled |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/DocDBLogging.py |
| 74 |
CKV_AWS_86 |
resource |
AWS::CloudFront::Distribution |
Ensure Cloudfront distribution has Access Logging enabled |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/CloudfrontDistributionLogging.py |
| 75 |
CKV_AWS_87 |
resource |
AWS::Redshift::Cluster |
Redshift cluster should not be publicly accessible |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/RedshiftClusterPubliclyAccessible.py |
| 76 |
CKV_AWS_88 |
resource |
AWS::EC2::Instance |
EC2 instance should not have public IP. |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/EC2PublicIP.py |
| 77 |
CKV_AWS_88 |
resource |
AWS::EC2::LaunchTemplate |
EC2 instance should not have public IP. |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/EC2PublicIP.py |
| 78 |
CKV_AWS_89 |
resource |
AWS::DMS::ReplicationInstance |
DMS replication instance should not be publicly accessible |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/DMSReplicationInstancePubliclyAccessible.py |
| 79 |
CKV_AWS_90 |
resource |
AWS::DocDB::DBClusterParameterGroup |
Ensure DocDB TLS is not disabled |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/DocDBTLS.py |
| 80 |
CKV_AWS_91 |
resource |
AWS::ElasticLoadBalancingV2::LoadBalancer |
Ensure the ELBv2 (Application/Network) has access logging enabled |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/ELBv2AccessLogs.py |
| 81 |
CKV_AWS_92 |
resource |
AWS::ElasticLoadBalancing::LoadBalancer |
Ensure the ELB has access logging enabled |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/ELBAccessLogs.py |
| 82 |
CKV_AWS_94 |
resource |
AWS::Glue::DataCatalogEncryptionSettings |
Ensure Glue Data Catalog Encryption is enabled |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/GlueDataCatalogEncryption.py |
| 83 |
CKV_AWS_95 |
resource |
AWS::ApiGatewayV2::Stage |
Ensure API Gateway V2 has Access Logging enabled |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/APIGatewayV2AccessLogging.py |
| 84 |
CKV_AWS_95 |
resource |
AWS::Serverless::HttpApi |
Ensure API Gateway V2 has Access Logging enabled |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/APIGatewayV2AccessLogging.py |
| 85 |
CKV_AWS_96 |
resource |
AWS::RDS::DBCluster |
Ensure all data stored in Aurora is securely encrypted at rest |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/AuroraEncryption.py |
| 86 |
CKV_AWS_97 |
resource |
AWS::ECS::TaskDefinition |
Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/ECSTaskDefinitionEFSVolumeEncryption.py |
| 87 |
CKV_AWS_99 |
resource |
AWS::Glue::SecurityConfiguration |
Ensure Glue Security Configuration Encryption is enabled |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/GlueSecurityConfiguration.py |
| 88 |
CKV_AWS_100 |
resource |
AWS::EKS::Nodegroup |
Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0 |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/EKSNodeGroupRemoteAccess.py |
| 89 |
CKV_AWS_101 |
resource |
AWS::Neptune::DBCluster |
Ensure Neptune logging is enabled |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/NeptuneClusterLogging.py |
| 90 |
CKV_AWS_103 |
resource |
AWS::ElasticLoadBalancingV2::Listener |
Ensure that Load Balancer Listener is using at least TLS v1.2 |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/ALBListenerTLS12.py |
| 91 |
CKV_AWS_104 |
resource |
AWS::DocDB::DBClusterParameterGroup |
Ensure DocDB has audit logs enabled |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/DocDBAuditLogs.py |
| 92 |
CKV_AWS_105 |
resource |
AWS::Redshift::ClusterParameterGroup |
Ensure Redshift uses SSL |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/RedShiftSSL.py |
| 93 |
CKV_AWS_107 |
resource |
AWS::IAM::Group |
Ensure IAM policies does not allow credentials exposure |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/IAMCredentialsExposure.py |
| 94 |
CKV_AWS_107 |
resource |
AWS::IAM::ManagedPolicy |
Ensure IAM policies does not allow credentials exposure |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/IAMCredentialsExposure.py |
| 95 |
CKV_AWS_107 |
resource |
AWS::IAM::Policy |
Ensure IAM policies does not allow credentials exposure |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/IAMCredentialsExposure.py |
| 96 |
CKV_AWS_107 |
resource |
AWS::IAM::Role |
Ensure IAM policies does not allow credentials exposure |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/IAMCredentialsExposure.py |
| 97 |
CKV_AWS_107 |
resource |
AWS::IAM::User |
Ensure IAM policies does not allow credentials exposure |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/IAMCredentialsExposure.py |
| 98 |
CKV_AWS_108 |
resource |
AWS::IAM::Group |
Ensure IAM policies does not allow data exfiltration |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/IAMDataExfiltration.py |
| 99 |
CKV_AWS_108 |
resource |
AWS::IAM::ManagedPolicy |
Ensure IAM policies does not allow data exfiltration |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/IAMDataExfiltration.py |
| 100 |
CKV_AWS_108 |
resource |
AWS::IAM::Policy |
Ensure IAM policies does not allow data exfiltration |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/IAMDataExfiltration.py |
| 101 |
CKV_AWS_108 |
resource |
AWS::IAM::Role |
Ensure IAM policies does not allow data exfiltration |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/IAMDataExfiltration.py |
| 102 |
CKV_AWS_108 |
resource |
AWS::IAM::User |
Ensure IAM policies does not allow data exfiltration |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/IAMDataExfiltration.py |
| 103 |
CKV_AWS_109 |
resource |
AWS::IAM::Group |
Ensure IAM policies does not allow permissions management without constraints |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/IAMPermissionsManagement.py |
| 104 |
CKV_AWS_109 |
resource |
AWS::IAM::ManagedPolicy |
Ensure IAM policies does not allow permissions management without constraints |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/IAMPermissionsManagement.py |
| 105 |
CKV_AWS_109 |
resource |
AWS::IAM::Policy |
Ensure IAM policies does not allow permissions management without constraints |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/IAMPermissionsManagement.py |
| 106 |
CKV_AWS_109 |
resource |
AWS::IAM::Role |
Ensure IAM policies does not allow permissions management without constraints |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/IAMPermissionsManagement.py |
| 107 |
CKV_AWS_109 |
resource |
AWS::IAM::User |
Ensure IAM policies does not allow permissions management without constraints |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/IAMPermissionsManagement.py |
| 108 |
CKV_AWS_110 |
resource |
AWS::IAM::Group |
Ensure IAM policies does not allow privilege escalation |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/IAMPrivilegeEscalation.py |
| 109 |
CKV_AWS_110 |
resource |
AWS::IAM::ManagedPolicy |
Ensure IAM policies does not allow privilege escalation |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/IAMPrivilegeEscalation.py |
| 110 |
CKV_AWS_110 |
resource |
AWS::IAM::Policy |
Ensure IAM policies does not allow privilege escalation |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/IAMPrivilegeEscalation.py |
| 111 |
CKV_AWS_110 |
resource |
AWS::IAM::Role |
Ensure IAM policies does not allow privilege escalation |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/IAMPrivilegeEscalation.py |
| 112 |
CKV_AWS_110 |
resource |
AWS::IAM::User |
Ensure IAM policies does not allow privilege escalation |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/IAMPrivilegeEscalation.py |
| 113 |
CKV_AWS_111 |
resource |
AWS::IAM::Group |
Ensure IAM policies does not allow write access without constraints |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/IAMWriteAccess.py |
| 114 |
CKV_AWS_111 |
resource |
AWS::IAM::ManagedPolicy |
Ensure IAM policies does not allow write access without constraints |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/IAMWriteAccess.py |
| 115 |
CKV_AWS_111 |
resource |
AWS::IAM::Policy |
Ensure IAM policies does not allow write access without constraints |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/IAMWriteAccess.py |
| 116 |
CKV_AWS_111 |
resource |
AWS::IAM::Role |
Ensure IAM policies does not allow write access without constraints |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/IAMWriteAccess.py |
| 117 |
CKV_AWS_111 |
resource |
AWS::IAM::User |
Ensure IAM policies does not allow write access without constraints |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/IAMWriteAccess.py |
| 118 |
CKV_AWS_115 |
resource |
AWS::Lambda::Function |
Ensure that AWS Lambda function is configured for function-level concurrent execution limit |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/LambdaFunctionLevelConcurrentExecutionLimit.py |
| 119 |
CKV_AWS_115 |
resource |
AWS::Serverless::Function |
Ensure that AWS Lambda function is configured for function-level concurrent execution limit |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/LambdaFunctionLevelConcurrentExecutionLimit.py |
| 120 |
CKV_AWS_116 |
resource |
AWS::Lambda::Function |
Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ) |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/LambdaDLQConfigured.py |
| 121 |
CKV_AWS_116 |
resource |
AWS::Serverless::Function |
Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ) |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/LambdaDLQConfigured.py |
| 122 |
CKV_AWS_117 |
resource |
AWS::Lambda::Function |
Ensure that AWS Lambda function is configured inside a VPC |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/LambdaInVPC.py |
| 123 |
CKV_AWS_117 |
resource |
AWS::Serverless::Function |
Ensure that AWS Lambda function is configured inside a VPC |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/LambdaInVPC.py |
| 124 |
CKV_AWS_118 |
resource |
AWS::RDS::DBInstance |
Ensure that enhanced monitoring is enabled for Amazon RDS instances |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/RDSEnhancedMonitorEnabled.py |
| 125 |
CKV_AWS_119 |
resource |
AWS::DynamoDB::Table |
Ensure DynamoDB Tables are encrypted using a KMS Customer Managed CMK |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/DynamoDBTablesEncrypted.py |
| 126 |
CKV_AWS_120 |
resource |
AWS::ApiGateway::Stage |
Ensure API Gateway caching is enabled |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/APIGatewayCacheEnable.py |
| 127 |
CKV_AWS_120 |
resource |
AWS::Serverless::Api |
Ensure API Gateway caching is enabled |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/APIGatewayCacheEnable.py |
| 128 |
CKV_AWS_123 |
resource |
AWS::EC2::VPCEndpointService |
Ensure that VPC Endpoint Service is configured for Manual Acceptance |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/VPCEndpointAcceptanceConfigured.py |
| 129 |
CKV_AWS_131 |
resource |
AWS::ElasticLoadBalancingV2::LoadBalancer |
Ensure that ALB drops HTTP headers |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/ALBDropHttpHeaders.py |
| 130 |
CKV_AWS_136 |
resource |
AWS::ECR::Repository |
Ensure that ECR repositories are encrypted using KMS |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/ECRRepositoryEncrypted.py |
| 131 |
CKV_AWS_149 |
resource |
AWS::SecretsManager::Secret |
Ensure that Secrets Manager secret is encrypted using KMS CMK |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/SecretManagerSecretEncrypted.py |
| 132 |
CKV_AWS_154 |
resource |
AWS::Redshift::Cluster |
Ensure Redshift is not deployed outside of a VPC |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/RedshiftInEc2ClassicMode.py |
| 133 |
CKV_AWS_155 |
resource |
AWS::WorkSpaces::Workspace |
Ensure that Workspace user volumes are encrypted |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/WorkspaceUserVolumeEncrypted.py |
| 134 |
CKV_AWS_156 |
resource |
AWS::WorkSpaces::Workspace |
Ensure that Workspace root volumes are encrypted |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/WorkspaceRootVolumeEncrypted.py |
| 135 |
CKV_AWS_157 |
resource |
AWS::RDS::DBInstance |
Ensure that RDS instances have Multi-AZ enabled |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/RDSMultiAZEnabled.py |
| 136 |
CKV_AWS_158 |
resource |
AWS::Logs::LogGroup |
Ensure that CloudWatch Log Group is encrypted by KMS |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/CloudWatchLogGroupKMSKey.py |
| 137 |
CKV_AWS_160 |
resource |
AWS::Timestream::Database |
Ensure that Timestream database is encrypted with KMS CMK |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/TimestreamDatabaseKMSKey.py |
| 138 |
CKV_AWS_161 |
resource |
AWS::RDS::DBInstance |
Ensure RDS database has IAM authentication enabled |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/RDSIAMAuthentication.py |
| 139 |
CKV_AWS_162 |
resource |
AWS::RDS::DBCluster |
Ensure RDS cluster has IAM authentication enabled |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/RDSClusterIAMAuthentication.py |
| 140 |
CKV_AWS_163 |
resource |
AWS::ECR::Repository |
Ensure ECR image scanning on push is enabled |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/ECRImageScanning.py |
| 141 |
CKV_AWS_164 |
resource |
AWS::Transfer::Server |
Ensure Transfer Server is not exposed publicly. |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/TransferServerIsPublic.py |
| 142 |
CKV_AWS_165 |
resource |
AWS::DynamoDB::GlobalTable |
Ensure Dynamodb global table point in time recovery (backup) is enabled |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/DynamodbGlobalTableRecovery.py |
| 143 |
CKV_AWS_166 |
resource |
AWS::Backup::BackupVault |
Ensure Backup Vault is encrypted at rest using KMS CMK |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/BackupVaultEncrypted.py |
| 144 |
CKV_AWS_170 |
resource |
AWS::QLDB::Ledger |
Ensure QLDB ledger permissions mode is set to STANDARD |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/QLDBLedgerPermissionsMode.py |
| 145 |
CKV_AWS_172 |
resource |
AWS::QLDB::Ledger |
Ensure QLDB ledger has deletion protection enabled |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/QLDBLedgerDeletionProtection.py |
| 146 |
CKV_AWS_173 |
resource |
AWS::Lambda::Function |
Check encryption settings for Lambda environmental variable |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/LambdaEnvironmentEncryptionSettings.py |
| 147 |
CKV_AWS_173 |
resource |
AWS::Serverless::Function |
Check encryption settings for Lambda environmental variable |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/LambdaEnvironmentEncryptionSettings.py |
| 148 |
CKV_AWS_174 |
resource |
AWS::CloudFront::Distribution |
Verify CloudFront Distribution Viewer Certificate is using TLS v1.2 |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/CloudFrontTLS12.py |
| 149 |
CKV_AWS_192 |
resource |
AWS::WAFv2::WebACL |
Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/WAFACLCVE202144228.py |
| 150 |
CKV_AWS_193 |
resource |
AWS::AppSync::GraphQLApi |
Ensure AppSync has Logging enabled |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/AppSyncLogging.py |
| 151 |
CKV_AWS_194 |
resource |
AWS::AppSync::GraphQLApi |
Ensure AppSync has Field-Level logs enabled |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/AppSyncFieldLevelLogs.py |
| 152 |
CKV_AWS_195 |
resource |
AWS::Glue::Crawler |
Ensure Glue component has a security configuration associated |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/GlueSecurityConfigurationEnabled.py |
| 153 |
CKV_AWS_195 |
resource |
AWS::Glue::DevEndpoint |
Ensure Glue component has a security configuration associated |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/GlueSecurityConfigurationEnabled.py |
| 154 |
CKV_AWS_195 |
resource |
AWS::Glue::Job |
Ensure Glue component has a security configuration associated |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/GlueSecurityConfigurationEnabled.py |
| 155 |
CKV_AWS_197 |
resource |
AWS::AmazonMQ::Broker |
Ensure MQ Broker Audit logging is enabled |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/MQBrokerAuditLogging.py |
| 156 |
CKV_AWS_258 |
resource |
AWS::Lambda::Url |
Ensure that Lambda function URLs AuthType is not None |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/LambdaFunctionURLAuth.py |
| 157 |
CKV_AWS_260 |
resource |
AWS::EC2::SecurityGroup |
Ensure no security groups allow ingress from 0.0.0.0:0 to port 80 |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/SecurityGroupUnrestrictedIngress80.py |
| 158 |
CKV_AWS_260 |
resource |
AWS::EC2::SecurityGroupIngress |
Ensure no security groups allow ingress from 0.0.0.0:0 to port 80 |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/SecurityGroupUnrestrictedIngress80.py |
| 159 |
CKV2_AWS_33 |
resource |
AWS::AppSync::GraphQLApi |
Ensure AppSync is protected by WAF |
Cloudformation |
https://github.com/bridgecrewio/checkov/tree/master/checkov/common/graph/checks_infra/base_check.py |