| 0 |
CKV_AWS_2 |
resource |
AWS::ElasticLoadBalancingV2::Listener |
Ensure ALB protocol is HTTPS |
Cloudformation |
ALBListenerHTTPS.py |
| 1 |
CKV_AWS_3 |
resource |
AWS::EC2::Volume |
Ensure all data stored in the EBS is securely encrypted |
Cloudformation |
EBSEncryption.py |
| 2 |
CKV_AWS_5 |
resource |
AWS::Elasticsearch::Domain |
Ensure all data stored in the Elasticsearch is securely encrypted at rest |
Cloudformation |
ElasticsearchEncryption.py |
| 3 |
CKV_AWS_6 |
resource |
AWS::Elasticsearch::Domain |
Ensure all Elasticsearch has node-to-node encryption enabled |
Cloudformation |
ElasticsearchNodeToNodeEncryption.py |
| 4 |
CKV_AWS_7 |
resource |
AWS::KMS::Key |
Ensure rotation for customer created CMKs is enabled |
Cloudformation |
KMSRotation.py |
| 5 |
CKV_AWS_8 |
resource |
AWS::AutoScaling::LaunchConfiguration |
Ensure all data stored in the Launch configuration EBS is securely encrypted |
Cloudformation |
LaunchConfigurationEBSEncryption.py |
| 6 |
CKV_AWS_16 |
resource |
AWS::RDS::DBInstance |
Ensure all data stored in the RDS is securely encrypted at rest |
Cloudformation |
RDSEncryption.py |
| 7 |
CKV_AWS_17 |
resource |
AWS::RDS::DBInstance |
Ensure all data stored in RDS is not publicly accessible |
Cloudformation |
RDSPubliclyAccessible.py |
| 8 |
CKV_AWS_18 |
resource |
AWS::S3::Bucket |
Ensure the S3 bucket has access logging enabled |
Cloudformation |
S3AccessLogs.py |
| 9 |
CKV_AWS_19 |
resource |
AWS::S3::Bucket |
Ensure the S3 bucket has server-side-encryption enabled |
Cloudformation |
S3Encryption.py |
| 10 |
CKV_AWS_20 |
resource |
AWS::S3::Bucket |
Ensure the S3 bucket does not allow READ permissions to everyone |
Cloudformation |
S3PublicACLRead.py |
| 11 |
CKV_AWS_21 |
resource |
AWS::S3::Bucket |
Ensure the S3 bucket has versioning enabled |
Cloudformation |
S3Versioning.py |
| 12 |
CKV_AWS_23 |
resource |
AWS::EC2::SecurityGroup |
Ensure every security groups rule has a description |
Cloudformation |
SecurityGroupRuleDescription.py |
| 13 |
CKV_AWS_23 |
resource |
AWS::EC2::SecurityGroupEgress |
Ensure every security groups rule has a description |
Cloudformation |
SecurityGroupRuleDescription.py |
| 14 |
CKV_AWS_23 |
resource |
AWS::EC2::SecurityGroupIngress |
Ensure every security groups rule has a description |
Cloudformation |
SecurityGroupRuleDescription.py |
| 15 |
CKV_AWS_24 |
resource |
AWS::EC2::SecurityGroup |
Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 |
Cloudformation |
SecurityGroupUnrestrictedIngress22.py |
| 16 |
CKV_AWS_24 |
resource |
AWS::EC2::SecurityGroupIngress |
Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 |
Cloudformation |
SecurityGroupUnrestrictedIngress22.py |
| 17 |
CKV_AWS_25 |
resource |
AWS::EC2::SecurityGroup |
Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 |
Cloudformation |
SecurityGroupUnrestrictedIngress3389.py |
| 18 |
CKV_AWS_25 |
resource |
AWS::EC2::SecurityGroupIngress |
Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 |
Cloudformation |
SecurityGroupUnrestrictedIngress3389.py |
| 19 |
CKV_AWS_26 |
resource |
AWS::SNS::Topic |
Ensure all data stored in the SNS topic is encrypted |
Cloudformation |
SNSTopicEncryption.py |
| 20 |
CKV_AWS_27 |
resource |
AWS::SQS::Queue |
Ensure all data stored in the SQS queue is encrypted |
Cloudformation |
SQSQueueEncryption.py |
| 21 |
CKV_AWS_28 |
resource |
AWS::DynamoDB::Table |
Ensure DynamoDB point in time recovery (backup) is enabled |
Cloudformation |
DynamodbRecovery.py |
| 22 |
CKV_AWS_29 |
resource |
AWS::ElastiCache::ReplicationGroup |
Ensure all data stored in the ElastiCache Replication Group is securely encrypted at rest |
Cloudformation |
ElasticacheReplicationGroupEncryptionAtRest.py |
| 23 |
CKV_AWS_30 |
resource |
AWS::ElastiCache::ReplicationGroup |
Ensure all data stored in the ElastiCache Replication Group is securely encrypted at transit |
Cloudformation |
ElasticacheReplicationGroupEncryptionAtTransit.py |
| 24 |
CKV_AWS_31 |
resource |
AWS::ElastiCache::ReplicationGroup |
Ensure all data stored in the ElastiCache Replication Group is securely encrypted at transit and has auth token |
Cloudformation |
ElasticacheReplicationGroupEncryptionAtTransitAuthToken.py |
| 25 |
CKV_AWS_32 |
resource |
AWS::ECR::Repository |
Ensure ECR policy is not set to public |
Cloudformation |
ECRPolicy.py |
| 26 |
CKV_AWS_33 |
resource |
AWS::KMS::Key |
Ensure KMS key policy does not contain wildcard (*) principal |
Cloudformation |
KMSKeyWildCardPrincipal.py |
| 27 |
CKV_AWS_34 |
resource |
AWS::CloudFront::Distribution |
Ensure CloudFront Distribution ViewerProtocolPolicy is set to HTTPS |
Cloudformation |
CloudfrontDistributionEncryption.py |
| 28 |
CKV_AWS_35 |
resource |
AWS::CloudTrail::Trail |
Ensure CloudTrail logs are encrypted at rest using KMS CMKs |
Cloudformation |
CloudtrailEncryption.py |
| 29 |
CKV_AWS_36 |
resource |
AWS::CloudTrail::Trail |
Ensure CloudTrail log file validation is enabled |
Cloudformation |
CloudtrailLogValidation.py |
| 30 |
CKV_AWS_40 |
resource |
AWS::IAM::Policy |
Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) |
Cloudformation |
IAMPolicyAttachedToGroupOrRoles.py |
| 31 |
CKV_AWS_42 |
resource |
AWS::EFS::FileSystem |
Ensure EFS is securely encrypted |
Cloudformation |
EFSEncryptionEnabled.py |
| 32 |
CKV_AWS_43 |
resource |
AWS::Kinesis::Stream |
Ensure Kinesis Stream is securely encrypted |
Cloudformation |
KinesisStreamEncryptionType.py |
| 33 |
CKV_AWS_44 |
resource |
AWS::Neptune::DBCluster |
Ensure Neptune storage is securely encrypted |
Cloudformation |
NeptuneClusterStorageEncrypted.py |
| 34 |
CKV_AWS_45 |
resource |
AWS::Lambda::Function |
Ensure no hard-coded secrets exist in Lambda environment |
Cloudformation |
LambdaEnvironmentCredentials.py |
| 35 |
CKV_AWS_45 |
resource |
AWS::Serverless::Function |
Ensure no hard-coded secrets exist in Lambda environment |
Cloudformation |
LambdaEnvironmentCredentials.py |
| 36 |
CKV_AWS_46 |
resource |
AWS::EC2::Instance |
Ensure no hard-coded secrets exist in EC2 user data |
Cloudformation |
EC2Credentials.py |
| 37 |
CKV_AWS_47 |
resource |
AWS::DAX::Cluster |
Ensure DAX is encrypted at rest (default is unencrypted) |
Cloudformation |
DAXEncryption.py |
| 38 |
CKV_AWS_51 |
resource |
AWS::ECR::Repository |
Ensure ECR Image Tags are immutable |
Cloudformation |
ECRImmutableTags.py |
| 39 |
CKV_AWS_53 |
resource |
AWS::S3::Bucket |
Ensure S3 bucket has block public ACLs enabled |
Cloudformation |
S3BlockPublicACLs.py |
| 40 |
CKV_AWS_54 |
resource |
AWS::S3::Bucket |
Ensure S3 bucket has block public policy enabled |
Cloudformation |
S3BlockPublicPolicy.py |
| 41 |
CKV_AWS_55 |
resource |
AWS::S3::Bucket |
Ensure S3 bucket has ignore public ACLs enabled |
Cloudformation |
S3IgnorePublicACLs.py |
| 42 |
CKV_AWS_56 |
resource |
AWS::S3::Bucket |
Ensure S3 bucket has RestrictPublicBuckets enabled |
Cloudformation |
S3RestrictPublicBuckets.py |
| 43 |
CKV_AWS_57 |
resource |
AWS::S3::Bucket |
Ensure the S3 bucket does not allow WRITE permissions to everyone |
Cloudformation |
S3PublicACLWrite.py |
| 44 |
CKV_AWS_58 |
resource |
AWS::EKS::Cluster |
Ensure EKS Cluster has Secrets Encryption Enabled |
Cloudformation |
EKSSecretsEncryption.py |
| 45 |
CKV_AWS_59 |
resource |
AWS::ApiGateway::Method |
Ensure there is no open access to back-end resources through API |
Cloudformation |
APIGatewayAuthorization.py |
| 46 |
CKV_AWS_60 |
resource |
AWS::IAM::Role |
Ensure IAM role allows only specific services or principals to assume it |
Cloudformation |
IAMRoleAllowsPublicAssume.py |
| 47 |
CKV_AWS_61 |
resource |
AWS::IAM::Role |
Ensure AWS IAM policy does not allow assume role permission across all services |
Cloudformation |
IAMRoleAllowAssumeFromAccount.py |
| 48 |
CKV_AWS_62 |
resource |
AWS::IAM::Group |
Ensure no IAM policies that allow full “-” administrative privileges are not created |
Cloudformation |
IAMAdminPolicyDocument.py |
| 49 |
CKV_AWS_62 |
resource |
AWS::IAM::Policy |
Ensure no IAM policies that allow full “-” administrative privileges are not created |
Cloudformation |
IAMAdminPolicyDocument.py |
| 50 |
CKV_AWS_62 |
resource |
AWS::IAM::Role |
Ensure no IAM policies that allow full “-” administrative privileges are not created |
Cloudformation |
IAMAdminPolicyDocument.py |
| 51 |
CKV_AWS_62 |
resource |
AWS::IAM::User |
Ensure no IAM policies that allow full “-” administrative privileges are not created |
Cloudformation |
IAMAdminPolicyDocument.py |
| 52 |
CKV_AWS_63 |
resource |
AWS::IAM::Group |
Ensure no IAM policies documents allow “*” as a statement’s actions |
Cloudformation |
IAMStarActionPolicyDocument.py |
| 53 |
CKV_AWS_63 |
resource |
AWS::IAM::Policy |
Ensure no IAM policies documents allow “*” as a statement’s actions |
Cloudformation |
IAMStarActionPolicyDocument.py |
| 54 |
CKV_AWS_63 |
resource |
AWS::IAM::Role |
Ensure no IAM policies documents allow “*” as a statement’s actions |
Cloudformation |
IAMStarActionPolicyDocument.py |
| 55 |
CKV_AWS_63 |
resource |
AWS::IAM::User |
Ensure no IAM policies documents allow “*” as a statement’s actions |
Cloudformation |
IAMStarActionPolicyDocument.py |
| 56 |
CKV_AWS_64 |
resource |
AWS::Redshift::Cluster |
Ensure all data stored in the Redshift cluster is securely encrypted at rest |
Cloudformation |
RedshiftClusterEncryption.py |
| 57 |
CKV_AWS_65 |
resource |
AWS::ECS::Cluster |
Ensure container insights are enabled on ECS cluster |
Cloudformation |
ECSClusterContainerInsights.py |
| 58 |
CKV_AWS_66 |
resource |
AWS::Logs::LogGroup |
Ensure that CloudWatch Log Group specifies retention days |
Cloudformation |
CloudWatchLogGroupRetention.py |
| 59 |
CKV_AWS_67 |
resource |
AWS::CloudTrail::Trail |
Ensure CloudTrail is enabled in all Regions |
Cloudformation |
CloudtrailMultiRegion.py |
| 60 |
CKV_AWS_68 |
resource |
AWS::CloudFront::Distribution |
CloudFront Distribution should have WAF enabled |
Cloudformation |
WAFEnabled.py |
| 61 |
CKV_AWS_69 |
resource |
AWS::AmazonMQ::Broker |
Ensure Amazon MQ Broker should not have public access |
Cloudformation |
AmazonMQBrokerPublicAccess.py |
| 62 |
CKV_AWS_71 |
resource |
AWS::Redshift::Cluster |
Ensure Redshift Cluster logging is enabled |
Cloudformation |
RedshiftClusterLogging.py |
| 63 |
CKV_AWS_73 |
resource |
AWS::ApiGateway::Stage |
Ensure API Gateway has X-Ray Tracing enabled |
Cloudformation |
APIGatewayXray.py |
| 64 |
CKV_AWS_73 |
resource |
AWS::Serverless::Api |
Ensure API Gateway has X-Ray Tracing enabled |
Cloudformation |
APIGatewayXray.py |
| 65 |
CKV_AWS_74 |
resource |
AWS::DocDB::DBCluster |
Ensure DocumentDB is encrypted at rest (default is unencrypted) |
Cloudformation |
DocDBEncryption.py |
| 66 |
CKV_AWS_76 |
resource |
AWS::ApiGateway::Stage |
Ensure API Gateway has Access Logging enabled |
Cloudformation |
APIGatewayAccessLogging.py |
| 67 |
CKV_AWS_76 |
resource |
AWS::Serverless::Api |
Ensure API Gateway has Access Logging enabled |
Cloudformation |
APIGatewayAccessLogging.py |
| 68 |
CKV_AWS_78 |
resource |
AWS::CodeBuild::Project |
Ensure that CodeBuild Project encryption is not disabled |
Cloudformation |
CodeBuildProjectEncryption.py |
| 69 |
CKV_AWS_79 |
resource |
AWS::EC2::LaunchTemplate |
Ensure Instance Metadata Service Version 1 is not enabled |
Cloudformation |
IMDSv1Disabled.py |
| 70 |
CKV_AWS_80 |
resource |
AWS::MSK::Cluster |
Ensure MSK Cluster logging is enabled |
Cloudformation |
MSKClusterLogging.py |
| 71 |
CKV_AWS_81 |
resource |
AWS::MSK::Cluster |
Ensure MSK Cluster encryption in rest and transit is enabled |
Cloudformation |
MSKClusterEncryption.py |
| 72 |
CKV_AWS_82 |
resource |
AWS::Athena::WorkGroup |
Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption |
Cloudformation |
AthenaWorkgroupConfiguration.py |
| 73 |
CKV_AWS_83 |
resource |
AWS::Elasticsearch::Domain |
Ensure Elasticsearch Domain enforces HTTPS |
Cloudformation |
ElasticsearchDomainEnforceHTTPS.py |
| 74 |
CKV_AWS_84 |
resource |
AWS::Elasticsearch::Domain |
Ensure Elasticsearch Domain Logging is enabled |
Cloudformation |
ElasticsearchDomainLogging.py |
| 75 |
CKV_AWS_84 |
resource |
AWS::OpenSearchService::Domain |
Ensure Elasticsearch Domain Logging is enabled |
Cloudformation |
ElasticsearchDomainLogging.py |
| 76 |
CKV_AWS_85 |
resource |
AWS::DocDB::DBCluster |
Ensure DocumentDB Logging is enabled |
Cloudformation |
DocDBLogging.py |
| 77 |
CKV_AWS_86 |
resource |
AWS::CloudFront::Distribution |
Ensure CloudFront Distribution has Access Logging enabled |
Cloudformation |
CloudfrontDistributionLogging.py |
| 78 |
CKV_AWS_87 |
resource |
AWS::Redshift::Cluster |
Redshift cluster should not be publicly accessible |
Cloudformation |
RedshiftClusterPubliclyAccessible.py |
| 79 |
CKV_AWS_88 |
resource |
AWS::EC2::Instance |
EC2 instance should not have public IP. |
Cloudformation |
EC2PublicIP.py |
| 80 |
CKV_AWS_88 |
resource |
AWS::EC2::LaunchTemplate |
EC2 instance should not have public IP. |
Cloudformation |
EC2PublicIP.py |
| 81 |
CKV_AWS_89 |
resource |
AWS::DMS::ReplicationInstance |
DMS replication instance should not be publicly accessible |
Cloudformation |
DMSReplicationInstancePubliclyAccessible.py |
| 82 |
CKV_AWS_90 |
resource |
AWS::DocDB::DBClusterParameterGroup |
Ensure DocumentDB TLS is not disabled |
Cloudformation |
DocDBTLS.py |
| 83 |
CKV_AWS_91 |
resource |
AWS::ElasticLoadBalancingV2::LoadBalancer |
Ensure the ELBv2 (Application/Network) has access logging enabled |
Cloudformation |
ELBv2AccessLogs.py |
| 84 |
CKV_AWS_92 |
resource |
AWS::ElasticLoadBalancing::LoadBalancer |
Ensure the ELB has access logging enabled |
Cloudformation |
ELBAccessLogs.py |
| 85 |
CKV_AWS_94 |
resource |
AWS::Glue::DataCatalogEncryptionSettings |
Ensure Glue Data Catalog Encryption is enabled |
Cloudformation |
GlueDataCatalogEncryption.py |
| 86 |
CKV_AWS_95 |
resource |
AWS::ApiGatewayV2::Stage |
Ensure API Gateway V2 has Access Logging enabled |
Cloudformation |
APIGatewayV2AccessLogging.py |
| 87 |
CKV_AWS_95 |
resource |
AWS::Serverless::HttpApi |
Ensure API Gateway V2 has Access Logging enabled |
Cloudformation |
APIGatewayV2AccessLogging.py |
| 88 |
CKV_AWS_96 |
resource |
AWS::RDS::DBCluster |
Ensure all data stored in Aurora is securely encrypted at rest |
Cloudformation |
AuroraEncryption.py |
| 89 |
CKV_AWS_97 |
resource |
AWS::ECS::TaskDefinition |
Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions |
Cloudformation |
ECSTaskDefinitionEFSVolumeEncryption.py |
| 90 |
CKV_AWS_99 |
resource |
AWS::Glue::SecurityConfiguration |
Ensure Glue Security Configuration Encryption is enabled |
Cloudformation |
GlueSecurityConfiguration.py |
| 91 |
CKV_AWS_100 |
resource |
AWS::EKS::Nodegroup |
Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0 |
Cloudformation |
EKSNodeGroupRemoteAccess.py |
| 92 |
CKV_AWS_101 |
resource |
AWS::Neptune::DBCluster |
Ensure Neptune logging is enabled |
Cloudformation |
NeptuneClusterLogging.py |
| 93 |
CKV_AWS_103 |
resource |
AWS::ElasticLoadBalancingV2::Listener |
Ensure that Load Balancer Listener is using at least TLS v1.2 |
Cloudformation |
ALBListenerTLS12.py |
| 94 |
CKV_AWS_104 |
resource |
AWS::DocDB::DBClusterParameterGroup |
Ensure DocumentDB has audit logs enabled |
Cloudformation |
DocDBAuditLogs.py |
| 95 |
CKV_AWS_105 |
resource |
AWS::Redshift::ClusterParameterGroup |
Ensure Redshift uses SSL |
Cloudformation |
RedShiftSSL.py |
| 96 |
CKV_AWS_107 |
resource |
AWS::IAM::Group |
Ensure IAM policies does not allow credentials exposure |
Cloudformation |
IAMCredentialsExposure.py |
| 97 |
CKV_AWS_107 |
resource |
AWS::IAM::ManagedPolicy |
Ensure IAM policies does not allow credentials exposure |
Cloudformation |
IAMCredentialsExposure.py |
| 98 |
CKV_AWS_107 |
resource |
AWS::IAM::Policy |
Ensure IAM policies does not allow credentials exposure |
Cloudformation |
IAMCredentialsExposure.py |
| 99 |
CKV_AWS_107 |
resource |
AWS::IAM::Role |
Ensure IAM policies does not allow credentials exposure |
Cloudformation |
IAMCredentialsExposure.py |
| 100 |
CKV_AWS_107 |
resource |
AWS::IAM::User |
Ensure IAM policies does not allow credentials exposure |
Cloudformation |
IAMCredentialsExposure.py |
| 101 |
CKV_AWS_108 |
resource |
AWS::IAM::Group |
Ensure IAM policies does not allow data exfiltration |
Cloudformation |
IAMDataExfiltration.py |
| 102 |
CKV_AWS_108 |
resource |
AWS::IAM::ManagedPolicy |
Ensure IAM policies does not allow data exfiltration |
Cloudformation |
IAMDataExfiltration.py |
| 103 |
CKV_AWS_108 |
resource |
AWS::IAM::Policy |
Ensure IAM policies does not allow data exfiltration |
Cloudformation |
IAMDataExfiltration.py |
| 104 |
CKV_AWS_108 |
resource |
AWS::IAM::Role |
Ensure IAM policies does not allow data exfiltration |
Cloudformation |
IAMDataExfiltration.py |
| 105 |
CKV_AWS_108 |
resource |
AWS::IAM::User |
Ensure IAM policies does not allow data exfiltration |
Cloudformation |
IAMDataExfiltration.py |
| 106 |
CKV_AWS_109 |
resource |
AWS::IAM::Group |
Ensure IAM policies does not allow permissions management without constraints |
Cloudformation |
IAMPermissionsManagement.py |
| 107 |
CKV_AWS_109 |
resource |
AWS::IAM::ManagedPolicy |
Ensure IAM policies does not allow permissions management without constraints |
Cloudformation |
IAMPermissionsManagement.py |
| 108 |
CKV_AWS_109 |
resource |
AWS::IAM::Policy |
Ensure IAM policies does not allow permissions management without constraints |
Cloudformation |
IAMPermissionsManagement.py |
| 109 |
CKV_AWS_109 |
resource |
AWS::IAM::Role |
Ensure IAM policies does not allow permissions management without constraints |
Cloudformation |
IAMPermissionsManagement.py |
| 110 |
CKV_AWS_109 |
resource |
AWS::IAM::User |
Ensure IAM policies does not allow permissions management without constraints |
Cloudformation |
IAMPermissionsManagement.py |
| 111 |
CKV_AWS_110 |
resource |
AWS::IAM::Group |
Ensure IAM policies does not allow privilege escalation |
Cloudformation |
IAMPrivilegeEscalation.py |
| 112 |
CKV_AWS_110 |
resource |
AWS::IAM::ManagedPolicy |
Ensure IAM policies does not allow privilege escalation |
Cloudformation |
IAMPrivilegeEscalation.py |
| 113 |
CKV_AWS_110 |
resource |
AWS::IAM::Policy |
Ensure IAM policies does not allow privilege escalation |
Cloudformation |
IAMPrivilegeEscalation.py |
| 114 |
CKV_AWS_110 |
resource |
AWS::IAM::Role |
Ensure IAM policies does not allow privilege escalation |
Cloudformation |
IAMPrivilegeEscalation.py |
| 115 |
CKV_AWS_110 |
resource |
AWS::IAM::User |
Ensure IAM policies does not allow privilege escalation |
Cloudformation |
IAMPrivilegeEscalation.py |
| 116 |
CKV_AWS_111 |
resource |
AWS::IAM::Group |
Ensure IAM policies does not allow write access without constraints |
Cloudformation |
IAMWriteAccess.py |
| 117 |
CKV_AWS_111 |
resource |
AWS::IAM::ManagedPolicy |
Ensure IAM policies does not allow write access without constraints |
Cloudformation |
IAMWriteAccess.py |
| 118 |
CKV_AWS_111 |
resource |
AWS::IAM::Policy |
Ensure IAM policies does not allow write access without constraints |
Cloudformation |
IAMWriteAccess.py |
| 119 |
CKV_AWS_111 |
resource |
AWS::IAM::Role |
Ensure IAM policies does not allow write access without constraints |
Cloudformation |
IAMWriteAccess.py |
| 120 |
CKV_AWS_111 |
resource |
AWS::IAM::User |
Ensure IAM policies does not allow write access without constraints |
Cloudformation |
IAMWriteAccess.py |
| 121 |
CKV_AWS_115 |
resource |
AWS::Lambda::Function |
Ensure that AWS Lambda function is configured for function-level concurrent execution limit |
Cloudformation |
LambdaFunctionLevelConcurrentExecutionLimit.py |
| 122 |
CKV_AWS_115 |
resource |
AWS::Serverless::Function |
Ensure that AWS Lambda function is configured for function-level concurrent execution limit |
Cloudformation |
LambdaFunctionLevelConcurrentExecutionLimit.py |
| 123 |
CKV_AWS_116 |
resource |
AWS::Lambda::Function |
Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ) |
Cloudformation |
LambdaDLQConfigured.py |
| 124 |
CKV_AWS_116 |
resource |
AWS::Serverless::Function |
Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ) |
Cloudformation |
LambdaDLQConfigured.py |
| 125 |
CKV_AWS_117 |
resource |
AWS::Lambda::Function |
Ensure that AWS Lambda function is configured inside a VPC |
Cloudformation |
LambdaInVPC.py |
| 126 |
CKV_AWS_117 |
resource |
AWS::Serverless::Function |
Ensure that AWS Lambda function is configured inside a VPC |
Cloudformation |
LambdaInVPC.py |
| 127 |
CKV_AWS_118 |
resource |
AWS::RDS::DBInstance |
Ensure that enhanced monitoring is enabled for Amazon RDS instances |
Cloudformation |
RDSEnhancedMonitorEnabled.py |
| 128 |
CKV_AWS_119 |
resource |
AWS::DynamoDB::Table |
Ensure DynamoDB Tables are encrypted using a KMS Customer Managed CMK |
Cloudformation |
DynamoDBTablesEncrypted.py |
| 129 |
CKV_AWS_120 |
resource |
AWS::ApiGateway::Stage |
Ensure API Gateway caching is enabled |
Cloudformation |
APIGatewayCacheEnable.py |
| 130 |
CKV_AWS_120 |
resource |
AWS::Serverless::Api |
Ensure API Gateway caching is enabled |
Cloudformation |
APIGatewayCacheEnable.py |
| 131 |
CKV_AWS_123 |
resource |
AWS::EC2::VPCEndpointService |
Ensure that VPC Endpoint Service is configured for Manual Acceptance |
Cloudformation |
VPCEndpointAcceptanceConfigured.py |
| 132 |
CKV_AWS_131 |
resource |
AWS::ElasticLoadBalancingV2::LoadBalancer |
Ensure that ALB drops HTTP headers |
Cloudformation |
ALBDropHttpHeaders.py |
| 133 |
CKV_AWS_136 |
resource |
AWS::ECR::Repository |
Ensure that ECR repositories are encrypted using KMS |
Cloudformation |
ECRRepositoryEncrypted.py |
| 134 |
CKV_AWS_149 |
resource |
AWS::SecretsManager::Secret |
Ensure that Secrets Manager secret is encrypted using KMS CMK |
Cloudformation |
SecretManagerSecretEncrypted.py |
| 135 |
CKV_AWS_154 |
resource |
AWS::Redshift::Cluster |
Ensure Redshift is not deployed outside of a VPC |
Cloudformation |
RedshiftInEc2ClassicMode.py |
| 136 |
CKV_AWS_155 |
resource |
AWS::WorkSpaces::Workspace |
Ensure that Workspace user volumes are encrypted |
Cloudformation |
WorkspaceUserVolumeEncrypted.py |
| 137 |
CKV_AWS_156 |
resource |
AWS::WorkSpaces::Workspace |
Ensure that Workspace root volumes are encrypted |
Cloudformation |
WorkspaceRootVolumeEncrypted.py |
| 138 |
CKV_AWS_157 |
resource |
AWS::RDS::DBInstance |
Ensure that RDS instances have Multi-AZ enabled |
Cloudformation |
RDSMultiAZEnabled.py |
| 139 |
CKV_AWS_158 |
resource |
AWS::Logs::LogGroup |
Ensure that CloudWatch Log Group is encrypted by KMS |
Cloudformation |
CloudWatchLogGroupKMSKey.py |
| 140 |
CKV_AWS_160 |
resource |
AWS::Timestream::Database |
Ensure that Timestream database is encrypted with KMS CMK |
Cloudformation |
TimestreamDatabaseKMSKey.py |
| 141 |
CKV_AWS_161 |
resource |
AWS::RDS::DBInstance |
Ensure RDS database has IAM authentication enabled |
Cloudformation |
RDSIAMAuthentication.py |
| 142 |
CKV_AWS_162 |
resource |
AWS::RDS::DBCluster |
Ensure RDS cluster has IAM authentication enabled |
Cloudformation |
RDSClusterIAMAuthentication.py |
| 143 |
CKV_AWS_163 |
resource |
AWS::ECR::Repository |
Ensure ECR image scanning on push is enabled |
Cloudformation |
ECRImageScanning.py |
| 144 |
CKV_AWS_164 |
resource |
AWS::Transfer::Server |
Ensure Transfer Server is not exposed publicly. |
Cloudformation |
TransferServerIsPublic.py |
| 145 |
CKV_AWS_165 |
resource |
AWS::DynamoDB::GlobalTable |
Ensure DynamoDB global table point in time recovery (backup) is enabled |
Cloudformation |
DynamodbGlobalTableRecovery.py |
| 146 |
CKV_AWS_166 |
resource |
AWS::Backup::BackupVault |
Ensure Backup Vault is encrypted at rest using KMS CMK |
Cloudformation |
BackupVaultEncrypted.py |
| 147 |
CKV_AWS_170 |
resource |
AWS::QLDB::Ledger |
Ensure QLDB ledger permissions mode is set to STANDARD |
Cloudformation |
QLDBLedgerPermissionsMode.py |
| 148 |
CKV_AWS_172 |
resource |
AWS::QLDB::Ledger |
Ensure QLDB ledger has deletion protection enabled |
Cloudformation |
QLDBLedgerDeletionProtection.py |
| 149 |
CKV_AWS_173 |
resource |
AWS::Lambda::Function |
Check encryption settings for Lambda environment variable |
Cloudformation |
LambdaEnvironmentEncryptionSettings.py |
| 150 |
CKV_AWS_173 |
resource |
AWS::Serverless::Function |
Check encryption settings for Lambda environment variable |
Cloudformation |
LambdaEnvironmentEncryptionSettings.py |
| 151 |
CKV_AWS_174 |
resource |
AWS::CloudFront::Distribution |
Verify CloudFront Distribution Viewer Certificate is using TLS v1.2 |
Cloudformation |
CloudFrontTLS12.py |
| 152 |
CKV_AWS_187 |
resource |
AWS::SageMaker::Domain |
Ensure Sagemaker domain and notebook instance are encrypted by KMS using a customer managed Key (CMK) |
Cloudformation |
SagemakerNotebookEncryptedWithCMK.py |
| 153 |
CKV_AWS_187 |
resource |
AWS::SageMaker::NotebookInstance |
Ensure Sagemaker domain and notebook instance are encrypted by KMS using a customer managed Key (CMK) |
Cloudformation |
SagemakerNotebookEncryptedWithCMK.py |
| 154 |
CKV_AWS_192 |
resource |
AWS::WAFv2::WebACL |
Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell |
Cloudformation |
WAFACLCVE202144228.py |
| 155 |
CKV_AWS_193 |
resource |
AWS::AppSync::GraphQLApi |
Ensure AppSync has Logging enabled |
Cloudformation |
AppSyncLogging.py |
| 156 |
CKV_AWS_194 |
resource |
AWS::AppSync::GraphQLApi |
Ensure AppSync has Field-Level logs enabled |
Cloudformation |
AppSyncFieldLevelLogs.py |
| 157 |
CKV_AWS_195 |
resource |
AWS::Glue::Crawler |
Ensure Glue component has a security configuration associated |
Cloudformation |
GlueSecurityConfigurationEnabled.py |
| 158 |
CKV_AWS_195 |
resource |
AWS::Glue::DevEndpoint |
Ensure Glue component has a security configuration associated |
Cloudformation |
GlueSecurityConfigurationEnabled.py |
| 159 |
CKV_AWS_195 |
resource |
AWS::Glue::Job |
Ensure Glue component has a security configuration associated |
Cloudformation |
GlueSecurityConfigurationEnabled.py |
| 160 |
CKV_AWS_197 |
resource |
AWS::AmazonMQ::Broker |
Ensure MQ Broker Audit logging is enabled |
Cloudformation |
MQBrokerAuditLogging.py |
| 161 |
CKV_AWS_258 |
resource |
AWS::Lambda::Url |
Ensure that Lambda function URLs AuthType is not None |
Cloudformation |
LambdaFunctionURLAuth.py |
| 162 |
CKV_AWS_260 |
resource |
AWS::EC2::SecurityGroup |
Ensure no security groups allow ingress from 0.0.0.0:0 to port 80 |
Cloudformation |
SecurityGroupUnrestrictedIngress80.py |
| 163 |
CKV_AWS_260 |
resource |
AWS::EC2::SecurityGroupIngress |
Ensure no security groups allow ingress from 0.0.0.0:0 to port 80 |
Cloudformation |
SecurityGroupUnrestrictedIngress80.py |
| 164 |
CKV_AWS_291 |
resource |
AWS::MSK::Cluster |
Ensure MSK nodes are private |
Cloudformation |
MSKClusterNodesArePrivate.py |
| 165 |
CKV_AWS_317 |
resource |
AWS::Elasticsearch::Domain |
Ensure Elasticsearch Domain Audit Logging is enabled |
Cloudformation |
ElasticsearchDomainAuditLogging.py |
| 166 |
CKV_AWS_317 |
resource |
AWS::OpenSearchService::Domain |
Ensure Elasticsearch Domain Audit Logging is enabled |
Cloudformation |
ElasticsearchDomainAuditLogging.py |
| 167 |
CKV_AWS_360 |
resource |
AWS::DocDB::DBCluster |
Ensure DocumentDB has an adequate backup retention period |
Cloudformation |
DocDBBackupRetention.py |
| 168 |
CKV_AWS_361 |
resource |
AWS::Neptune::DBCluster |
Ensure that Neptune DB cluster has automated backups enabled with adequate retention |
Cloudformation |
NeptuneClusterBackupRetention.py |
| 169 |
CKV_AWS_363 |
resource |
AWS::Lambda::Function |
Ensure Lambda Runtime is not deprecated |
Cloudformation |
DeprecatedLambdaRuntime.py |
| 170 |
CKV_AWS_363 |
resource |
AWS::Serverless::Function |
Ensure Lambda Runtime is not deprecated |
Cloudformation |
DeprecatedLambdaRuntime.py |
| 171 |
CKV_AWS_364 |
resource |
AWS::Lambda::Permission |
Ensure that AWS Lambda function permissions delegated to AWS services are limited by SourceArn or SourceAccount |
Cloudformation |
LambdaServicePermission.py |
| 172 |
CKV_AWS_366 |
resource |
AWS::Cognito::IdentityPool |
Ensure AWS Cognito identity pool does not allow unauthenticated guest access |
Cloudformation |
CognitoUnauthenticatedIdentities.py |
| 173 |
CKV_AWS_367 |
resource |
AWS::SageMaker::DataQualityJobDefinition |
Ensure Amazon Sagemaker Data Quality Job uses KMS to encrypt model artifacts |
Cloudformation |
SagemakerDataQualityJobDefinitionEncryption.py |
| 174 |
CKV_AWS_368 |
resource |
AWS::SageMaker::DataQualityJobDefinition |
Ensure Amazon Sagemaker Data Quality Job uses KMS to encrypt data on attached storage volume |
Cloudformation |
SagemakerDataQualityJobDefinitionVolumeEncryption.py |
| 175 |
CKV_AWS_369 |
resource |
AWS::SageMaker::DataQualityJobDefinition |
Ensure Amazon Sagemaker Data Quality Job encrypts all communications between instances used for monitoring jobs |
Cloudformation |
SagemakerDataQualityJobDefinitionTrafficEncryption.py |
| 176 |
CKV_AWS_370 |
resource |
AWS::SageMaker::Model |
Ensure Amazon SageMaker model uses network isolation |
Cloudformation |
SagemakerModelWithNetworkIsolation.py |
| 177 |
CKV_AWS_371 |
resource |
AWS::SageMaker::NotebookInstance |
Ensure Amazon SageMaker Notebook Instance only allows for IMDSv2 |
Cloudformation |
SagemakerNotebookInstanceAllowsIMDSv2.py |
| 178 |
CKV_AWS_373 |
resource |
AWS::Bedrock::Agent |
Ensure Bedrock Agent is encrypted with a CMK |
Cloudformation |
BedrockAgentEncrypted.py |
| 179 |
CKV_AWS_384 |
resource |
AWS::SSM::Parameter |
Ensure no hard-coded secrets exist in Parameter Store values |
Cloudformation |
ParameterStoreCredentials.py |
| 180 |
CKV2_AWS_33 |
resource |
AWS::AppSync::GraphQLApi |
Ensure AppSync is protected by WAF |
Cloudformation |
AppSyncProtectedByWAF.yaml |
| 181 |
CKV2_AWS_68 |
resource |
AWS::IAM::Role |
Ensure SageMaker notebook instance IAM policy is not overly permissive |
Cloudformation |
SageMakerIAMPolicyOverlyPermissiveToAllTraffic.yaml |
| 182 |
CKV2_AWS_68 |
resource |
AWS::SageMaker::NotebookInstance |
Ensure SageMaker notebook instance IAM policy is not overly permissive |
Cloudformation |
SageMakerIAMPolicyOverlyPermissiveToAllTraffic.yaml |
| 183 |
CKV2_AWS_69 |
resource |
AWS::RDS::DBInstance |
Ensure AWS RDS database instance configured with encryption in transit |
Cloudformation |
RDSEncryptionInTransit.yaml |
| 184 |
CKV2_AWS_69 |
resource |
AWS::RDS::DBParameterGroup |
Ensure AWS RDS database instance configured with encryption in transit |
Cloudformation |
RDSEncryptionInTransit.yaml |
| 185 |
CKV2_AWS_71 |
resource |
AWS::CertificateManager::Certificate |
Ensure AWS ACM Certificate domain name does not include wildcards |
Cloudformation |
ACMWildcardDomainName.yaml |
| 186 |
CKV2_AWS_72 |
resource |
AWS::CloudFront::Distribution |
Ensure AWS CloudFront origin protocol policy enforces HTTPS-only |
Cloudformation |
CloudfrontOriginNotHTTPSOnly.yaml |