0 |
CKV2_ADO_1 |
resource |
azuredevops_branch_policy_min_reviewers |
Ensure at least two approving reviews for PRs |
Terraform |
1 |
CKV2_ADO_1 |
resource |
azuredevops_git_repository |
Ensure at least two approving reviews for PRs |
Terraform |
2 |
CKV_ALI_1 |
resource |
alicloud_oss_bucket |
Alibaba Cloud OSS bucket accessible to public |
Terraform |
3 |
CKV_ALI_2 |
resource |
alicloud_security_group_rule |
Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 |
Terraform |
4 |
CKV_ALI_3 |
resource |
alicloud_security_group_rule |
Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 |
Terraform |
5 |
CKV_ALI_4 |
resource |
alicloud_actiontrail_trail |
Ensure Action Trail Logging for all regions |
Terraform |
6 |
CKV_ALI_5 |
resource |
alicloud_actiontrail_trail |
Ensure Action Trail Logging for all events |
Terraform |
7 |
CKV_ALI_6 |
resource |
alicloud_oss_bucket |
Ensure OSS bucket is encrypted with Customer Master Key |
Terraform |
8 |
CKV_ALI_7 |
resource |
alicloud_disk |
Ensure disk is encrypted |
Terraform |
9 |
CKV_ALI_8 |
resource |
alicloud_disk |
Ensure Disk is encrypted with Customer Master Key |
Terraform |
10 |
CKV_ALI_9 |
resource |
alicloud_db_instance |
Ensure database instance is not public |
Terraform |
11 |
CKV_ALI_10 |
resource |
alicloud_oss_bucket |
Ensure OSS bucket has versioning enabled |
Terraform |
12 |
CKV_ALI_11 |
resource |
alicloud_oss_bucket |
Ensure OSS bucket has transfer Acceleration enabled |
Terraform |
13 |
CKV_ALI_12 |
resource |
alicloud_oss_bucket |
Ensure the OSS bucket has access logging enabled |
Terraform |
14 |
CKV_ALI_13 |
resource |
alicloud_ram_account_password_policy |
Ensure RAM password policy requires minimum length of 14 or greater |
Terraform |
15 |
CKV_ALI_14 |
resource |
alicloud_ram_account_password_policy |
Ensure RAM password policy requires at least one number |
Terraform |
16 |
CKV_ALI_15 |
resource |
alicloud_ram_account_password_policy |
Ensure RAM password policy requires at least one symbol |
Terraform |
17 |
CKV_ALI_16 |
resource |
alicloud_ram_account_password_policy |
Ensure RAM password policy expires passwords within 90 days or less |
Terraform |
18 |
CKV_ALI_17 |
resource |
alicloud_ram_account_password_policy |
Ensure RAM password policy requires at least one lowercase letter |
Terraform |
19 |
CKV_ALI_18 |
resource |
alicloud_ram_account_password_policy |
Ensure RAM password policy prevents password reuse |
Terraform |
20 |
CKV_ALI_19 |
resource |
alicloud_ram_account_password_policy |
Ensure RAM password policy requires at least one uppercase letter |
Terraform |
21 |
CKV_ALI_20 |
resource |
alicloud_db_instance |
Ensure RDS instance uses SSL |
Terraform |
22 |
CKV_ALI_21 |
resource |
alicloud_api_gateway_api |
Ensure API Gateway API Protocol HTTPS |
Terraform |
23 |
CKV_ALI_22 |
resource |
alicloud_db_instance |
Ensure Transparent Data Encryption is Enabled on instance |
Terraform |
24 |
CKV_ALI_23 |
resource |
alicloud_ram_account_password_policy |
Ensure Ram Account Password Policy Max Login Attempts not > 5 |
Terraform |
25 |
CKV_ALI_24 |
resource |
alicloud_ram_account_password_policy |
Ensure Ram Account Password Policy Max Age less than/equal to 90 days |
Terraform |
26 |
CKV_ALI_25 |
resource |
alicloud_db_instance |
Ensure RDS Instance SQL Collector Retention Period should be greater than 180 |
Terraform |
27 |
CKV_ALI_26 |
resource |
alicloud_cs_kubernetes |
Ensure Kubernetes installs plugin Terway or Flannel to support standard policies |
Terraform |
28 |
CKV_AWS_1 |
data |
aws_iam_policy_document |
Ensure IAM policies that allow full “-” administrative privileges are not created |
Terraform |
29 |
CKV_AWS_2 |
resource |
aws_alb_listener |
Ensure ALB protocol is HTTPS |
Terraform |
30 |
CKV_AWS_2 |
resource |
aws_lb_listener |
Ensure ALB protocol is HTTPS |
Terraform |
31 |
CKV_AWS_3 |
resource |
aws_ebs_volume |
Ensure all data stored in the EBS is securely encrypted |
Terraform |
32 |
CKV_AWS_5 |
resource |
aws_elasticsearch_domain |
Ensure all data stored in the Elasticsearch is securely encrypted at rest |
Terraform |
33 |
CKV_AWS_5 |
resource |
aws_opensearch_domain |
Ensure all data stored in the Elasticsearch is securely encrypted at rest |
Terraform |
34 |
CKV_AWS_6 |
resource |
aws_elasticsearch_domain |
Ensure all Elasticsearch has node-to-node encryption enabled |
Terraform |
35 |
CKV_AWS_6 |
resource |
aws_opensearch_domain |
Ensure all Elasticsearch has node-to-node encryption enabled |
Terraform |
36 |
CKV_AWS_7 |
resource |
aws_kms_key |
Ensure rotation for customer created CMKs is enabled |
Terraform |
37 |
CKV_AWS_8 |
resource |
aws_instance |
Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted |
Terraform |
38 |
CKV_AWS_8 |
resource |
aws_launch_configuration |
Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted |
Terraform |
39 |
CKV_AWS_9 |
resource |
aws_iam_account_password_policy |
Ensure IAM password policy expires passwords within 90 days or less |
Terraform |
40 |
CKV_AWS_10 |
resource |
aws_iam_account_password_policy |
Ensure IAM password policy requires minimum length of 14 or greater |
Terraform |
41 |
CKV_AWS_11 |
resource |
aws_iam_account_password_policy |
Ensure IAM password policy requires at least one lowercase letter |
Terraform |
42 |
CKV_AWS_12 |
resource |
aws_iam_account_password_policy |
Ensure IAM password policy requires at least one number |
Terraform |
43 |
CKV_AWS_13 |
resource |
aws_iam_account_password_policy |
Ensure IAM password policy prevents password reuse |
Terraform |
44 |
CKV_AWS_14 |
resource |
aws_iam_account_password_policy |
Ensure IAM password policy requires at least one symbol |
Terraform |
45 |
CKV_AWS_15 |
resource |
aws_iam_account_password_policy |
Ensure IAM password policy requires at least one uppercase letter |
Terraform |
46 |
CKV_AWS_16 |
resource |
aws_db_instance |
Ensure all data stored in the RDS is securely encrypted at rest |
Terraform |
47 |
CKV_AWS_17 |
resource |
aws_db_instance |
Ensure all data stored in RDS is not publicly accessible |
Terraform |
48 |
CKV_AWS_17 |
resource |
aws_rds_cluster_instance |
Ensure all data stored in RDS is not publicly accessible |
Terraform |
49 |
CKV_AWS_18 |
resource |
aws_s3_bucket |
Ensure the S3 bucket has access logging enabled |
Terraform |
50 |
CKV_AWS_19 |
resource |
aws_s3_bucket |
Ensure all data stored in the S3 bucket is securely encrypted at rest |
Terraform |
51 |
CKV_AWS_19 |
resource |
aws_s3_bucket_server_side_encryption_configuration |
Ensure all data stored in the S3 bucket is securely encrypted at rest |
Terraform |
52 |
CKV_AWS_20 |
resource |
aws_s3_bucket |
S3 Bucket has an ACL defined which allows public READ access. |
Terraform |
53 |
CKV_AWS_20 |
resource |
aws_s3_bucket_acl |
S3 Bucket has an ACL defined which allows public READ access. |
Terraform |
54 |
CKV_AWS_21 |
resource |
aws_s3_bucket |
Ensure all data stored in the S3 bucket have versioning enabled |
Terraform |
55 |
CKV_AWS_21 |
resource |
aws_s3_bucket_versioning |
Ensure all data stored in the S3 bucket have versioning enabled |
Terraform |
56 |
CKV_AWS_22 |
resource |
aws_sagemaker_notebook_instance |
Ensure SageMaker Notebook is encrypted at rest using KMS CMK |
Terraform |
57 |
CKV_AWS_23 |
resource |
aws_db_security_group |
Ensure every security groups rule has a description |
Terraform |
58 |
CKV_AWS_23 |
resource |
aws_elasticache_security_group |
Ensure every security groups rule has a description |
Terraform |
59 |
CKV_AWS_23 |
resource |
aws_redshift_security_group |
Ensure every security groups rule has a description |
Terraform |
60 |
CKV_AWS_23 |
resource |
aws_security_group |
Ensure every security groups rule has a description |
Terraform |
61 |
CKV_AWS_23 |
resource |
aws_security_group_rule |
Ensure every security groups rule has a description |
Terraform |
62 |
CKV_AWS_24 |
resource |
aws_security_group |
Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 |
Terraform |
63 |
CKV_AWS_24 |
resource |
aws_security_group_rule |
Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 |
Terraform |
64 |
CKV_AWS_25 |
resource |
aws_security_group |
Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 |
Terraform |
65 |
CKV_AWS_25 |
resource |
aws_security_group_rule |
Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 |
Terraform |
66 |
CKV_AWS_26 |
resource |
aws_sns_topic |
Ensure all data stored in the SNS topic is encrypted |
Terraform |
67 |
CKV_AWS_27 |
resource |
aws_sqs_queue |
Ensure all data stored in the SQS queue is encrypted |
Terraform |
68 |
CKV_AWS_28 |
resource |
aws_dynamodb_table |
Ensure Dynamodb point in time recovery (backup) is enabled |
Terraform |
69 |
CKV_AWS_29 |
resource |
aws_elasticache_replication_group |
Ensure all data stored in the Elasticache Replication Group is securely encrypted at rest |
Terraform |
70 |
CKV_AWS_30 |
resource |
aws_elasticache_replication_group |
Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit |
Terraform |
71 |
CKV_AWS_31 |
resource |
aws_elasticache_replication_group |
Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit and has auth token |
Terraform |
72 |
CKV_AWS_32 |
resource |
aws_ecr_repository_policy |
Ensure ECR policy is not set to public |
Terraform |
73 |
CKV_AWS_33 |
resource |
aws_kms_key |
Ensure KMS key policy does not contain wildcard (*) principal |
Terraform |
74 |
CKV_AWS_34 |
resource |
aws_cloudfront_distribution |
Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS |
Terraform |
75 |
CKV_AWS_35 |
resource |
aws_cloudtrail |
Ensure CloudTrail logs are encrypted at rest using KMS CMKs |
Terraform |
76 |
CKV_AWS_36 |
resource |
aws_cloudtrail |
Ensure CloudTrail log file validation is enabled |
Terraform |
77 |
CKV_AWS_37 |
resource |
aws_eks_cluster |
Ensure Amazon EKS control plane logging enabled for all log types |
Terraform |
78 |
CKV_AWS_38 |
resource |
aws_eks_cluster |
Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0 |
Terraform |
79 |
CKV_AWS_39 |
resource |
aws_eks_cluster |
Ensure Amazon EKS public endpoint disabled |
Terraform |
80 |
CKV_AWS_40 |
resource |
aws_iam_policy_attachment |
Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) |
Terraform |
81 |
CKV_AWS_40 |
resource |
aws_iam_user_policy |
Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) |
Terraform |
82 |
CKV_AWS_40 |
resource |
aws_iam_user_policy_attachment |
Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) |
Terraform |
83 |
CKV_AWS_41 |
provider |
aws |
Ensure no hard coded AWS access key and secret key exists in provider |
Terraform |
84 |
CKV_AWS_42 |
resource |
aws_efs_file_system |
Ensure EFS is securely encrypted |
Terraform |
85 |
CKV_AWS_43 |
resource |
aws_kinesis_stream |
Ensure Kinesis Stream is securely encrypted |
Terraform |
86 |
CKV_AWS_44 |
resource |
aws_neptune_cluster |
Ensure Neptune storage is securely encrypted |
Terraform |
87 |
CKV_AWS_45 |
resource |
aws_lambda_function |
Ensure no hard-coded secrets exist in lambda environment |
Terraform |
88 |
CKV_AWS_46 |
resource |
aws_instance |
Ensure no hard-coded secrets exist in EC2 user data |
Terraform |
89 |
CKV_AWS_47 |
resource |
aws_dax_cluster |
Ensure DAX is encrypted at rest (default is unencrypted) |
Terraform |
90 |
CKV_AWS_48 |
resource |
aws_mq_broker |
Ensure MQ Broker logging is enabled |
Terraform |
91 |
CKV_AWS_49 |
data |
aws_iam_policy_document |
Ensure no IAM policies documents allow “*” as a statement’s actions |
Terraform |
92 |
CKV_AWS_50 |
resource |
aws_lambda_function |
X-ray tracing is enabled for Lambda |
Terraform |
93 |
CKV_AWS_51 |
resource |
aws_ecr_repository |
Ensure ECR Image Tags are immutable |
Terraform |
94 |
CKV_AWS_53 |
resource |
aws_s3_bucket_public_access_block |
Ensure S3 bucket has block public ACLS enabled |
Terraform |
95 |
CKV_AWS_54 |
resource |
aws_s3_bucket_public_access_block |
Ensure S3 bucket has block public policy enabled |
Terraform |
96 |
CKV_AWS_55 |
resource |
aws_s3_bucket_public_access_block |
Ensure S3 bucket has ignore public ACLs enabled |
Terraform |
97 |
CKV_AWS_56 |
resource |
aws_s3_bucket_public_access_block |
Ensure S3 bucket has ‘restrict_public_bucket’ enabled |
Terraform |
98 |
CKV_AWS_57 |
resource |
aws_s3_bucket |
S3 Bucket has an ACL defined which allows public WRITE access. |
Terraform |
99 |
CKV_AWS_57 |
resource |
aws_s3_bucket_acl |
S3 Bucket has an ACL defined which allows public WRITE access. |
Terraform |
100 |
CKV_AWS_58 |
resource |
aws_eks_cluster |
Ensure EKS Cluster has Secrets Encryption Enabled |
Terraform |
101 |
CKV_AWS_59 |
resource |
aws_api_gateway_method |
Ensure there is no open access to back-end resources through API |
Terraform |
102 |
CKV_AWS_60 |
resource |
aws_iam_role |
Ensure IAM role allows only specific services or principals to assume it |
Terraform |
103 |
CKV_AWS_61 |
resource |
aws_iam_role |
Ensure AWS IAM policy does not allow assume role permission across all services |
Terraform |
104 |
CKV_AWS_62 |
resource |
aws_iam_group_policy |
Ensure IAM policies that allow full “-” administrative privileges are not created |
Terraform |
105 |
CKV_AWS_62 |
resource |
aws_iam_policy |
Ensure IAM policies that allow full “-” administrative privileges are not created |
Terraform |
106 |
CKV_AWS_62 |
resource |
aws_iam_role_policy |
Ensure IAM policies that allow full “-” administrative privileges are not created |
Terraform |
107 |
CKV_AWS_62 |
resource |
aws_iam_user_policy |
Ensure IAM policies that allow full “-” administrative privileges are not created |
Terraform |
108 |
CKV_AWS_62 |
resource |
aws_ssoadmin_permission_set_inline_policy |
Ensure IAM policies that allow full “-” administrative privileges are not created |
Terraform |
109 |
CKV_AWS_63 |
resource |
aws_iam_group_policy |
Ensure no IAM policies documents allow “*” as a statement’s actions |
Terraform |
110 |
CKV_AWS_63 |
resource |
aws_iam_policy |
Ensure no IAM policies documents allow “*” as a statement’s actions |
Terraform |
111 |
CKV_AWS_63 |
resource |
aws_iam_role_policy |
Ensure no IAM policies documents allow “*” as a statement’s actions |
Terraform |
112 |
CKV_AWS_63 |
resource |
aws_iam_user_policy |
Ensure no IAM policies documents allow “*” as a statement’s actions |
Terraform |
113 |
CKV_AWS_63 |
resource |
aws_ssoadmin_permission_set_inline_policy |
Ensure no IAM policies documents allow “*” as a statement’s actions |
Terraform |
114 |
CKV_AWS_64 |
resource |
aws_redshift_cluster |
Ensure all data stored in the Redshift cluster is securely encrypted at rest |
Terraform |
115 |
CKV_AWS_65 |
resource |
aws_ecs_cluster |
Ensure container insights are enabled on ECS cluster |
Terraform |
116 |
CKV_AWS_66 |
resource |
aws_cloudwatch_log_group |
Ensure that CloudWatch Log Group specifies retention days |
Terraform |
117 |
CKV_AWS_67 |
resource |
aws_cloudtrail |
Ensure CloudTrail is enabled in all Regions |
Terraform |
118 |
CKV_AWS_68 |
resource |
aws_cloudfront_distribution |
CloudFront Distribution should have WAF enabled |
Terraform |
119 |
CKV_AWS_69 |
resource |
aws_mq_broker |
Ensure MQ Broker is not publicly exposed |
Terraform |
120 |
CKV_AWS_70 |
resource |
aws_s3_bucket |
Ensure S3 bucket does not allow an action with any Principal |
Terraform |
121 |
CKV_AWS_70 |
resource |
aws_s3_bucket_policy |
Ensure S3 bucket does not allow an action with any Principal |
Terraform |
122 |
CKV_AWS_71 |
resource |
aws_redshift_cluster |
Ensure Redshift Cluster logging is enabled |
Terraform |
123 |
CKV_AWS_72 |
resource |
aws_sqs_queue_policy |
Ensure SQS policy does not allow ALL (*) actions. |
Terraform |
124 |
CKV_AWS_73 |
resource |
aws_api_gateway_stage |
Ensure API Gateway has X-Ray Tracing enabled |
Terraform |
125 |
CKV_AWS_74 |
resource |
aws_docdb_cluster |
Ensure DocDB is encrypted at rest (default is unencrypted) |
Terraform |
126 |
CKV_AWS_75 |
resource |
aws_globalaccelerator_accelerator |
Ensure Global Accelerator accelerator has flow logs enabled |
Terraform |
127 |
CKV_AWS_76 |
resource |
aws_api_gateway_stage |
Ensure API Gateway has Access Logging enabled |
Terraform |
128 |
CKV_AWS_76 |
resource |
aws_apigatewayv2_stage |
Ensure API Gateway has Access Logging enabled |
Terraform |
129 |
CKV_AWS_77 |
resource |
aws_athena_database |
Ensure Athena Database is encrypted at rest (default is unencrypted) |
Terraform |
130 |
CKV_AWS_78 |
resource |
aws_codebuild_project |
Ensure that CodeBuild Project encryption is not disabled |
Terraform |
131 |
CKV_AWS_79 |
resource |
aws_instance |
Ensure Instance Metadata Service Version 1 is not enabled |
Terraform |
132 |
CKV_AWS_79 |
resource |
aws_launch_configuration |
Ensure Instance Metadata Service Version 1 is not enabled |
Terraform |
133 |
CKV_AWS_79 |
resource |
aws_launch_template |
Ensure Instance Metadata Service Version 1 is not enabled |
Terraform |
134 |
CKV_AWS_80 |
resource |
aws_msk_cluster |
Ensure MSK Cluster logging is enabled |
Terraform |
135 |
CKV_AWS_81 |
resource |
aws_msk_cluster |
Ensure MSK Cluster encryption in rest and transit is enabled |
Terraform |
136 |
CKV_AWS_82 |
resource |
aws_athena_workgroup |
Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption |
Terraform |
137 |
CKV_AWS_83 |
resource |
aws_elasticsearch_domain |
Ensure Elasticsearch Domain enforces HTTPS |
Terraform |
138 |
CKV_AWS_83 |
resource |
aws_opensearch_domain |
Ensure Elasticsearch Domain enforces HTTPS |
Terraform |
139 |
CKV_AWS_84 |
resource |
aws_elasticsearch_domain |
Ensure Elasticsearch Domain Logging is enabled |
Terraform |
140 |
CKV_AWS_84 |
resource |
aws_opensearch_domain |
Ensure Elasticsearch Domain Logging is enabled |
Terraform |
141 |
CKV_AWS_85 |
resource |
aws_docdb_cluster |
Ensure DocDB Logging is enabled |
Terraform |
142 |
CKV_AWS_86 |
resource |
aws_cloudfront_distribution |
Ensure Cloudfront distribution has Access Logging enabled |
Terraform |
143 |
CKV_AWS_87 |
resource |
aws_redshift_cluster |
Redshift cluster should not be publicly accessible |
Terraform |
144 |
CKV_AWS_88 |
resource |
aws_instance |
EC2 instance should not have public IP. |
Terraform |
145 |
CKV_AWS_88 |
resource |
aws_launch_template |
EC2 instance should not have public IP. |
Terraform |
146 |
CKV_AWS_89 |
resource |
aws_dms_replication_instance |
DMS replication instance should not be publicly accessible |
Terraform |
147 |
CKV_AWS_90 |
resource |
aws_docdb_cluster_parameter_group |
Ensure DocDB TLS is not disabled |
Terraform |
148 |
CKV_AWS_91 |
resource |
aws_alb |
Ensure the ELBv2 (Application/Network) has access logging enabled |
Terraform |
149 |
CKV_AWS_91 |
resource |
aws_lb |
Ensure the ELBv2 (Application/Network) has access logging enabled |
Terraform |
150 |
CKV_AWS_92 |
resource |
aws_elb |
Ensure the ELB has access logging enabled |
Terraform |
151 |
CKV_AWS_93 |
resource |
aws_s3_bucket |
Ensure S3 bucket policy does not lockout all but root user. (Prevent lockouts needing root account fixes) |
Terraform |
152 |
CKV_AWS_93 |
resource |
aws_s3_bucket_policy |
Ensure S3 bucket policy does not lockout all but root user. (Prevent lockouts needing root account fixes) |
Terraform |
153 |
CKV_AWS_94 |
resource |
aws_glue_data_catalog_encryption_settings |
Ensure Glue Data Catalog Encryption is enabled |
Terraform |
154 |
CKV_AWS_96 |
resource |
aws_rds_cluster |
Ensure all data stored in Aurora is securely encrypted at rest |
Terraform |
155 |
CKV_AWS_97 |
resource |
aws_ecs_task_definition |
Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions |
Terraform |
156 |
CKV_AWS_98 |
resource |
aws_sagemaker_endpoint_configuration |
Ensure all data stored in the Sagemaker Endpoint is securely encrypted at rest |
Terraform |
157 |
CKV_AWS_99 |
resource |
aws_glue_security_configuration |
Ensure Glue Security Configuration Encryption is enabled |
Terraform |
158 |
CKV_AWS_100 |
resource |
aws_eks_node_group |
Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0 |
Terraform |
159 |
CKV_AWS_101 |
resource |
aws_neptune_cluster |
Ensure Neptune logging is enabled |
Terraform |
160 |
CKV_AWS_102 |
resource |
aws_neptune_cluster_instance |
Ensure Neptune Cluster instance is not publicly available |
Terraform |
161 |
CKV_AWS_103 |
resource |
aws_alb_listener |
Ensure that load balancer is using TLS 1.2 |
Terraform |
162 |
CKV_AWS_103 |
resource |
aws_lb_listener |
Ensure that load balancer is using TLS 1.2 |
Terraform |
163 |
CKV_AWS_104 |
resource |
aws_docdb_cluster_parameter_group |
Ensure DocDB has audit logs enabled |
Terraform |
164 |
CKV_AWS_105 |
resource |
aws_redshift_parameter_group |
Ensure Redshift uses SSL |
Terraform |
165 |
CKV_AWS_106 |
resource |
aws_ebs_encryption_by_default |
Ensure EBS default encryption is enabled |
Terraform |
166 |
CKV_AWS_107 |
data |
aws_iam_policy_document |
Ensure IAM policies does not allow credentials exposure |
Terraform |
167 |
CKV_AWS_108 |
data |
aws_iam_policy_document |
Ensure IAM policies does not allow data exfiltration |
Terraform |
168 |
CKV_AWS_109 |
data |
aws_iam_policy_document |
Ensure IAM policies does not allow permissions management / resource exposure without constraints |
Terraform |
169 |
CKV_AWS_110 |
data |
aws_iam_policy_document |
Ensure IAM policies does not allow privilege escalation |
Terraform |
170 |
CKV_AWS_111 |
data |
aws_iam_policy_document |
Ensure IAM policies does not allow write access without constraints |
Terraform |
171 |
CKV_AWS_112 |
resource |
aws_ssm_document |
Ensure Session Manager data is encrypted in transit |
Terraform |
172 |
CKV_AWS_113 |
resource |
aws_ssm_document |
Ensure Session Manager logs are enabled and encrypted |
Terraform |
173 |
CKV_AWS_114 |
resource |
aws_emr_cluster |
Ensure that EMR clusters with Kerberos have Kerberos Realm set |
Terraform |
174 |
CKV_AWS_115 |
resource |
aws_lambda_function |
Ensure that AWS Lambda function is configured for function-level concurrent execution limit |
Terraform |
175 |
CKV_AWS_116 |
resource |
aws_lambda_function |
Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ) |
Terraform |
176 |
CKV_AWS_117 |
resource |
aws_lambda_function |
Ensure that AWS Lambda function is configured inside a VPC |
Terraform |
177 |
CKV_AWS_118 |
resource |
aws_db_instance |
Ensure that enhanced monitoring is enabled for Amazon RDS instances |
Terraform |
178 |
CKV_AWS_118 |
resource |
aws_rds_cluster_instance |
Ensure that enhanced monitoring is enabled for Amazon RDS instances |
Terraform |
179 |
CKV_AWS_119 |
resource |
aws_dynamodb_table |
Ensure DynamoDB Tables are encrypted using a KMS Customer Managed CMK |
Terraform |
180 |
CKV_AWS_120 |
resource |
aws_api_gateway_stage |
Ensure API Gateway caching is enabled |
Terraform |
181 |
CKV_AWS_121 |
resource |
aws_config_configuration_aggregator |
Ensure AWS Config is enabled in all regions |
Terraform |
182 |
CKV_AWS_122 |
resource |
aws_sagemaker_notebook_instance |
Ensure that direct internet access is disabled for an Amazon SageMaker Notebook Instance |
Terraform |
183 |
CKV_AWS_123 |
resource |
aws_vpc_endpoint_service |
Ensure that VPC Endpoint Service is configured for Manual Acceptance |
Terraform |
184 |
CKV_AWS_124 |
resource |
aws_cloudformation_stack |
Ensure that CloudFormation stacks are sending event notifications to an SNS topic |
Terraform |
185 |
CKV_AWS_126 |
resource |
aws_instance |
Ensure that detailed monitoring is enabled for EC2 instances |
Terraform |
186 |
CKV_AWS_127 |
resource |
aws_elb |
Ensure that Elastic Load Balancer(s) uses SSL certificates provided by AWS Certificate Manager |
Terraform |
187 |
CKV_AWS_128 |
resource |
aws_rds_cluster |
Ensure that an Amazon RDS Clusters have AWS Identity and Access Management (IAM) authentication enabled |
Terraform |
188 |
CKV_AWS_129 |
resource |
aws_db_instance |
Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled |
Terraform |
189 |
CKV_AWS_130 |
resource |
aws_subnet |
Ensure VPC subnets do not assign public IP by default |
Terraform |
190 |
CKV_AWS_131 |
resource |
aws_alb |
Ensure that ALB drops HTTP headers |
Terraform |
191 |
CKV_AWS_131 |
resource |
aws_lb |
Ensure that ALB drops HTTP headers |
Terraform |
192 |
CKV_AWS_133 |
resource |
aws_db_instance |
Ensure that RDS instances has backup policy |
Terraform |
193 |
CKV_AWS_133 |
resource |
aws_rds_cluster |
Ensure that RDS instances has backup policy |
Terraform |
194 |
CKV_AWS_134 |
resource |
aws_elasticache_cluster |
Ensure that Amazon ElastiCache Redis clusters have automatic backup turned on |
Terraform |
195 |
CKV_AWS_135 |
resource |
aws_instance |
Ensure that EC2 is EBS optimized |
Terraform |
196 |
CKV_AWS_136 |
resource |
aws_ecr_repository |
Ensure that ECR repositories are encrypted using KMS |
Terraform |
197 |
CKV_AWS_137 |
resource |
aws_elasticsearch_domain |
Ensure that Elasticsearch is configured inside a VPC |
Terraform |
198 |
CKV_AWS_137 |
resource |
aws_opensearch_domain |
Ensure that Elasticsearch is configured inside a VPC |
Terraform |
199 |
CKV_AWS_138 |
resource |
aws_elb |
Ensure that ELB is cross-zone-load-balancing enabled |
Terraform |
200 |
CKV_AWS_139 |
resource |
aws_rds_cluster |
Ensure that RDS clusters have deletion protection enabled |
Terraform |
201 |
CKV_AWS_140 |
resource |
aws_rds_global_cluster |
Ensure that RDS global clusters are encrypted |
Terraform |
202 |
CKV_AWS_141 |
resource |
aws_redshift_cluster |
Ensured that redshift cluster allowing version upgrade by default |
Terraform |
203 |
CKV_AWS_142 |
resource |
aws_redshift_cluster |
Ensure that Redshift cluster is encrypted by KMS |
Terraform |
204 |
CKV_AWS_143 |
resource |
aws_s3_bucket |
Ensure that S3 bucket has lock configuration enabled by default |
Terraform |
205 |
CKV_AWS_144 |
resource |
aws_s3_bucket |
Ensure that S3 bucket has cross-region replication enabled |
Terraform |
206 |
CKV_AWS_144 |
resource |
aws_s3_bucket_replication_configuration |
Ensure that S3 bucket has cross-region replication enabled |
Terraform |
207 |
CKV_AWS_145 |
resource |
aws_s3_bucket |
Ensure that S3 buckets are encrypted with KMS by default |
Terraform |
208 |
CKV_AWS_145 |
resource |
aws_s3_bucket_server_side_encryption_configuration |
Ensure that S3 buckets are encrypted with KMS by default |
Terraform |
209 |
CKV_AWS_146 |
resource |
aws_db_cluster_snapshot |
Ensure that RDS database cluster snapshot is encrypted |
Terraform |
210 |
CKV_AWS_147 |
resource |
aws_codebuild_project |
Ensure that CodeBuild projects are encrypted |
Terraform |
211 |
CKV_AWS_148 |
resource |
aws_default_vpc |
Ensure no default VPC is planned to be provisioned |
Terraform |
212 |
CKV_AWS_149 |
resource |
aws_secretsmanager_secret |
Ensure that Secrets Manager secret is encrypted using KMS CMK |
Terraform |
213 |
CKV_AWS_150 |
resource |
aws_alb |
Ensure that Load Balancer has deletion protection enabled |
Terraform |
214 |
CKV_AWS_150 |
resource |
aws_lb |
Ensure that Load Balancer has deletion protection enabled |
Terraform |
215 |
CKV_AWS_152 |
resource |
aws_alb |
Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled |
Terraform |
216 |
CKV_AWS_152 |
resource |
aws_lb |
Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled |
Terraform |
217 |
CKV_AWS_153 |
resource |
aws_autoscaling_group |
Autoscaling groups should supply tags to launch configurations |
Terraform |
218 |
CKV_AWS_154 |
resource |
aws_redshift_cluster |
Ensure Redshift is not deployed outside of a VPC |
Terraform |
219 |
CKV_AWS_155 |
resource |
aws_workspaces_workspace |
Ensure that Workspace user volumes are encrypted |
Terraform |
220 |
CKV_AWS_156 |
resource |
aws_workspaces_workspace |
Ensure that Workspace root volumes are encrypted |
Terraform |
221 |
CKV_AWS_157 |
resource |
aws_db_instance |
Ensure that RDS instances have Multi-AZ enabled |
Terraform |
222 |
CKV_AWS_158 |
resource |
aws_cloudwatch_log_group |
Ensure that CloudWatch Log Group is encrypted by KMS |
Terraform |
223 |
CKV_AWS_159 |
resource |
aws_athena_workgroup |
Ensure that Athena Workgroup is encrypted |
Terraform |
224 |
CKV_AWS_160 |
resource |
aws_timestreamwrite_database |
Ensure that Timestream database is encrypted with KMS CMK |
Terraform |
225 |
CKV_AWS_161 |
resource |
aws_db_instance |
Ensure RDS database has IAM authentication enabled |
Terraform |
226 |
CKV_AWS_162 |
resource |
aws_rds_cluster |
Ensure RDS cluster has IAM authentication enabled |
Terraform |
227 |
CKV_AWS_163 |
resource |
aws_ecr_repository |
Ensure ECR image scanning on push is enabled |
Terraform |
228 |
CKV_AWS_164 |
resource |
aws_transfer_server |
Ensure Transfer Server is not exposed publicly. |
Terraform |
229 |
CKV_AWS_165 |
resource |
aws_dynamodb_global_table |
Ensure Dynamodb point in time recovery (backup) is enabled for global tables |
Terraform |
230 |
CKV_AWS_166 |
resource |
aws_backup_vault |
Ensure Backup Vault is encrypted at rest using KMS CMK |
Terraform |
231 |
CKV_AWS_167 |
resource |
aws_glacier_vault |
Ensure Glacier Vault access policy is not public by only allowing specific services or principals to access it |
Terraform |
232 |
CKV_AWS_168 |
resource |
aws_sqs_queue |
Ensure SQS queue policy is not public by only allowing specific services or principals to access it |
Terraform |
233 |
CKV_AWS_168 |
resource |
aws_sqs_queue_policy |
Ensure SQS queue policy is not public by only allowing specific services or principals to access it |
Terraform |
| | Id | Type | Entity | Policy | IaC |
|---|---|---|---|---|---|
| 234 | CKV_AWS_169 | resource | aws_sns_topic_policy | Ensure SNS topic policy is not public by only allowing specific services or principals to access it | Terraform |
| 235 | CKV_AWS_170 | resource | aws_qldb_ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Terraform |
| 236 | CKV_AWS_171 | resource | aws_emr_security_configuration | Ensure Cluster security configuration encryption is using SSE-KMS | Terraform |
| 237 | CKV_AWS_172 | resource | aws_qldb_ledger | Ensure QLDB ledger has deletion protection enabled | Terraform |
| 238 | CKV_AWS_173 | resource | aws_lambda_function | Check encryption settings for Lambda environment variables | Terraform |
| 239 | CKV_AWS_174 | resource | aws_cloudfront_distribution | Verify CloudFront Distribution Viewer Certificate is using TLS v1.2 | Terraform |
| 240 | CKV_AWS_175 | resource | aws_waf_web_acl | Ensure WAF has associated rules | Terraform |
| 241 | CKV_AWS_175 | resource | aws_wafregional_web_acl | Ensure WAF has associated rules | Terraform |
| 242 | CKV_AWS_175 | resource | aws_wafv2_web_acl | Ensure WAF has associated rules | Terraform |
| 243 | CKV_AWS_176 | resource | aws_waf_web_acl | Ensure Logging is enabled for WAF Web Access Control Lists | Terraform |
| 244 | CKV_AWS_176 | resource | aws_wafregional_web_acl | Ensure Logging is enabled for WAF Web Access Control Lists | Terraform |
| 245 | CKV_AWS_177 | resource | aws_kinesis_video_stream | Ensure Kinesis Video Stream is encrypted by KMS using a customer managed Key (CMK) | Terraform |
| 246 | CKV_AWS_178 | resource | aws_fsx_ontap_file_system | Ensure FSx ONTAP file system is encrypted by KMS using a customer managed Key (CMK) | Terraform |
| 247 | CKV_AWS_179 | resource | aws_fsx_windows_file_system | Ensure FSx Windows file system is encrypted by KMS using a customer managed Key (CMK) | Terraform |
| 248 | CKV_AWS_180 | resource | aws_imagebuilder_component | Ensure Image Builder component is encrypted by KMS using a customer managed Key (CMK) | Terraform |
| 249 | CKV_AWS_181 | resource | aws_s3_object_copy | Ensure S3 Object Copy is encrypted by KMS using a customer managed Key (CMK) | Terraform |
| 250 | CKV_AWS_182 | resource | aws_docdb_cluster | Ensure DocDB is encrypted by KMS using a customer managed Key (CMK) | Terraform |
| 251 | CKV_AWS_183 | resource | aws_ebs_snapshot_copy | Ensure EBS Snapshot Copy is encrypted by KMS using a customer managed Key (CMK) | Terraform |
| 252 | CKV_AWS_184 | resource | aws_efs_file_system | Ensure resource is encrypted by KMS using a customer managed Key (CMK) | Terraform |
| 253 | CKV_AWS_185 | resource | aws_kinesis_stream | Ensure Kinesis Stream is encrypted by KMS using a customer managed Key (CMK) | Terraform |
| 254 | CKV_AWS_186 | resource | aws_s3_bucket_object | Ensure S3 bucket Object is encrypted by KMS using a customer managed Key (CMK) | Terraform |
| 255 | CKV_AWS_187 | resource | aws_sagemaker_domain | Ensure SageMaker domain is encrypted by KMS using a customer managed Key (CMK) | Terraform |
| 256 | CKV_AWS_188 | resource | aws_redshift_cluster | Ensure Redshift Cluster is encrypted by KMS using a customer managed Key (CMK) | Terraform |
| 257 | CKV_AWS_189 | resource | aws_ebs_volume | Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK) | Terraform |
| 258 | CKV_AWS_190 | resource | aws_fsx_lustre_file_system | Ensure Lustre file system is encrypted by KMS using a customer managed Key (CMK) | Terraform |
| 259 | CKV_AWS_191 | resource | aws_elasticache_replication_group | Ensure ElastiCache replication group is encrypted by KMS using a customer managed Key (CMK) | Terraform |
| 260 | CKV_AWS_192 | resource | aws_wafv2_web_acl | Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell | Terraform |
| 261 | CKV_AWS_193 | resource | aws_appsync_graphql_api | Ensure AppSync has Logging enabled | Terraform |
| 262 | CKV_AWS_194 | resource | aws_appsync_graphql_api | Ensure AppSync has Field-Level logs enabled | Terraform |
| 263 | CKV_AWS_195 | resource | aws_glue_crawler | Ensure Glue component has a security configuration associated | Terraform |
| 264 | CKV_AWS_195 | resource | aws_glue_dev_endpoint | Ensure Glue component has a security configuration associated | Terraform |
| 265 | CKV_AWS_195 | resource | aws_glue_job | Ensure Glue component has a security configuration associated | Terraform |
| 266 | CKV_AWS_196 | resource | aws_elasticache_security_group | Ensure no aws_elasticache_security_group resources exist | Terraform |
| 267 | CKV_AWS_197 | resource | aws_mq_broker | Ensure MQ Broker Audit logging is enabled | Terraform |
| 268 | CKV_AWS_198 | resource | aws_db_security_group | Ensure no aws_db_security_group resources exist | Terraform |
| 269 | CKV_AWS_199 | resource | aws_imagebuilder_distribution_configuration | Ensure Image Builder Distribution Configuration encrypts AMIs using KMS - a customer managed Key (CMK) | Terraform |
| 270 | CKV_AWS_200 | resource | aws_imagebuilder_image_recipe | Ensure that Image Recipe EBS disks are encrypted with CMK | Terraform |
| 271 | CKV_AWS_201 | resource | aws_memorydb_cluster | Ensure MemoryDB is encrypted at rest using KMS CMKs | Terraform |
| 272 | CKV_AWS_202 | resource | aws_memorydb_cluster | Ensure MemoryDB data is encrypted in transit | Terraform |
| 273 | CKV_AWS_203 | resource | aws_fsx_openzfs_file_system | Ensure resource is encrypted by KMS using a customer managed Key (CMK) | Terraform |
| 274 | CKV_AWS_204 | resource | aws_ami | Ensure AMIs are encrypted using KMS CMKs | Terraform |
| 275 | CKV_AWS_205 | resource | aws_ami_launch_permission | Ensure AMI launch permissions are limited | Terraform |
| 276 | CKV_AWS_206 | resource | aws_api_gateway_domain_name | Ensure API Gateway Domain uses a modern security policy | Terraform |
| 277 | CKV_AWS_207 | resource | aws_mq_broker | Ensure MQ Broker minor version updates are enabled | Terraform |
| 278 | CKV_AWS_208 | resource | aws_mq_broker | Ensure MQ Broker version is current | Terraform |
| 279 | CKV_AWS_208 | resource | aws_mq_configuration | Ensure MQ Broker version is current | Terraform |
| 280 | CKV_AWS_209 | resource | aws_mq_broker | Ensure MQ Broker is encrypted by KMS using a customer managed Key (CMK) | Terraform |
| 281 | CKV_AWS_210 | resource | aws_batch_job_definition | Batch job does not define a privileged container | Terraform |
| 282 | CKV_AWS_211 | resource | aws_db_instance | Ensure RDS uses a modern CA certificate | Terraform |
| 283 | CKV_AWS_212 | resource | aws_dms_replication_instance | Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK) | Terraform |
| 284 | CKV_AWS_213 | resource | aws_load_balancer_policy | Ensure ELB Policy uses only secure protocols | Terraform |
| 285 | CKV_AWS_214 | resource | aws_appsync_api_cache | Ensure AppSync API Cache is encrypted at rest | Terraform |
| 286 | CKV_AWS_215 | resource | aws_appsync_api_cache | Ensure AppSync API Cache is encrypted in transit | Terraform |
| 287 | CKV_AWS_216 | resource | aws_cloudfront_distribution | Ensure CloudFront distribution is enabled | Terraform |
| 288 | CKV_AWS_217 | resource | aws_api_gateway_deployment | Ensure create before destroy for API deployments | Terraform |
| 289 | CKV_AWS_218 | resource | aws_cloudsearch_domain | Ensure that CloudSearch is using the latest TLS | Terraform |
| 290 | CKV_AWS_219 | resource | aws_codepipeline | Ensure CodePipeline Artifact store is using a KMS CMK | Terraform |
| 291 | CKV_AWS_220 | resource | aws_cloudsearch_domain | Ensure that CloudSearch is using HTTPS | Terraform |
| 292 | CKV_AWS_221 | resource | aws_codeartifact_domain | Ensure CodeArtifact Domain is encrypted by KMS using a customer managed Key (CMK) | Terraform |
| 293 | CKV_AWS_222 | resource | aws_dms_replication_instance | Ensure DMS instance gets all minor upgrades automatically | Terraform |
| 294 | CKV_AWS_223 | resource | aws_ecs_cluster | Ensure ECS Cluster enables logging of ECS Exec | Terraform |
| 295 | CKV_AWS_224 | resource | aws_ecs_cluster | Ensure Cluster logging is encrypted with a CMK | Terraform |
| 296 | CKV_AWS_225 | resource | aws_api_gateway_method_settings | Ensure API Gateway method setting caching is enabled | Terraform |
| 297 | CKV_AWS_226 | resource | aws_db_instance | Ensure DB instance gets all minor upgrades automatically | Terraform |
| 298 | CKV_AWS_226 | resource | aws_rds_cluster_instance | Ensure DB instance gets all minor upgrades automatically | Terraform |
| 299 | CKV_AWS_227 | resource | aws_kms_key | Ensure KMS key is enabled | Terraform |
| 300 | CKV_AWS_228 | resource | aws_elasticsearch_domain | Verify Elasticsearch domain is using an up-to-date TLS policy | Terraform |
| 301 | CKV_AWS_228 | resource | aws_opensearch_domain | Verify Elasticsearch domain is using an up-to-date TLS policy | Terraform |
| 302 | CKV_AWS_229 | resource | aws_network_acl | Ensure no NACL allows ingress from 0.0.0.0:0 to port 21 | Terraform |
| 303 | CKV_AWS_229 | resource | aws_network_acl_rule | Ensure no NACL allows ingress from 0.0.0.0:0 to port 21 | Terraform |
| 304 | CKV_AWS_230 | resource | aws_network_acl | Ensure no NACL allows ingress from 0.0.0.0:0 to port 20 | Terraform |
| 305 | CKV_AWS_230 | resource | aws_network_acl_rule | Ensure no NACL allows ingress from 0.0.0.0:0 to port 20 | Terraform |
| 306 | CKV_AWS_231 | resource | aws_network_acl | Ensure no NACL allows ingress from 0.0.0.0:0 to port 3389 | Terraform |
| 307 | CKV_AWS_231 | resource | aws_network_acl_rule | Ensure no NACL allows ingress from 0.0.0.0:0 to port 3389 | Terraform |
| 308 | CKV_AWS_232 | resource | aws_network_acl | Ensure no NACL allows ingress from 0.0.0.0:0 to port 22 | Terraform |
| 309 | CKV_AWS_232 | resource | aws_network_acl_rule | Ensure no NACL allows ingress from 0.0.0.0:0 to port 22 | Terraform |
| 310 | CKV_AWS_233 | resource | aws_acm_certificate | Ensure create before destroy for ACM certificates | Terraform |
| 311 | CKV_AWS_234 | resource | aws_acm_certificate | Verify logging preference for ACM certificates | Terraform |
| 312 | CKV_AWS_235 | resource | aws_ami_copy | Ensure that copied AMIs are encrypted | Terraform |
| 313 | CKV_AWS_236 | resource | aws_ami_copy | Ensure AMI copying uses a CMK | Terraform |
| 314 | CKV_AWS_237 | resource | aws_api_gateway_rest_api | Ensure create before destroy for API Gateway | Terraform |
| 315 | CKV_AWS_238 | resource | aws_guardduty_detector | Ensure that GuardDuty detector is enabled | Terraform |
| 316 | CKV_AWS_239 | resource | aws_dax_cluster | Ensure DAX cluster endpoint is using TLS | Terraform |
| 317 | CKV_AWS_240 | resource | aws_kinesis_firehose_delivery_stream | Ensure Kinesis Firehose delivery stream is encrypted | Terraform |
| 318 | CKV_AWS_241 | resource | aws_kinesis_firehose_delivery_stream | Ensure that Kinesis Firehose Delivery Streams are encrypted with CMK | Terraform |
| 319 | CKV_AWS_242 | resource | aws_mwaa_environment | Ensure MWAA environment has scheduler logs enabled | Terraform |
| 320 | CKV_AWS_243 | resource | aws_mwaa_environment | Ensure MWAA environment has worker logs enabled | Terraform |
| 321 | CKV_AWS_244 | resource | aws_mwaa_environment | Ensure MWAA environment has webserver logs enabled | Terraform |
| 322 | CKV_AWS_245 | resource | aws_db_instance_automated_backups_replication | Ensure replicated backups are encrypted at rest using KMS CMKs | Terraform |
| 323 | CKV_AWS_246 | resource | aws_rds_cluster_activity_stream | Ensure RDS Cluster activity streams are encrypted using KMS CMKs | Terraform |
| 324 | CKV_AWS_247 | resource | aws_elasticsearch_domain | Ensure all data stored in Elasticsearch is encrypted with a CMK | Terraform |
| 325 | CKV_AWS_247 | resource | aws_opensearch_domain | Ensure all data stored in Elasticsearch is encrypted with a CMK | Terraform |
| 326 | CKV_AWS_248 | resource | aws_elasticsearch_domain | Ensure that Elasticsearch is not using the default Security Group | Terraform |
| 327 | CKV_AWS_248 | resource | aws_opensearch_domain | Ensure that Elasticsearch is not using the default Security Group | Terraform |
| 328 | CKV_AWS_249 | resource | aws_ecs_task_definition | Ensure that the Execution Role ARN and the Task Role ARN are different in ECS Task definitions | Terraform |
| 329 | CKV_AWS_250 | resource | aws_db_instance | Ensure that RDS PostgreSQL instances use a non-vulnerable version with the log_fdw extension (https://aws.amazon.com/security/security-bulletins/AWS-2022-004/) | Terraform |
| 330 | CKV_AWS_250 | resource | aws_rds_cluster | Ensure that RDS PostgreSQL instances use a non-vulnerable version with the log_fdw extension (https://aws.amazon.com/security/security-bulletins/AWS-2022-004/) | Terraform |
| 331 | CKV_AWS_251 | resource | aws_cloudtrail | Ensure CloudTrail logging is enabled | Terraform |
| 332 | CKV_AWS_252 | resource | aws_cloudtrail | Ensure CloudTrail defines an SNS Topic | Terraform |
| 333 | CKV_AWS_253 | resource | aws_dlm_lifecycle_policy | Ensure DLM cross-region events are encrypted | Terraform |
| 334 | CKV_AWS_254 | resource | aws_dlm_lifecycle_policy | Ensure DLM cross-region events are encrypted with a Customer Managed Key | Terraform |
| 335 | CKV_AWS_255 | resource | aws_dlm_lifecycle_policy | Ensure DLM cross-region schedules are encrypted | Terraform |
| 336 | CKV_AWS_256 | resource | aws_dlm_lifecycle_policy | Ensure DLM cross-region schedules are encrypted using a Customer Managed Key | Terraform |
| 337 | CKV_AWS_257 | resource | aws_codecommit_approval_rule_template | Ensure CodeCommit branch changes have at least 2 approvals | Terraform |
| 338 | CKV_AWS_258 | resource | aws_lambda_function_url | Ensure that Lambda function URLs AuthType is not None | Terraform |
| 339 | CKV_AWS_259 | resource | aws_cloudfront_response_headers_policy | Ensure CloudFront response header policy enforces Strict Transport Security | Terraform |
| 340 | CKV_AWS_260 | resource | aws_security_group | Ensure no security groups allow ingress from 0.0.0.0:0 to port 80 | Terraform |
| 341 | CKV_AWS_260 | resource | aws_security_group_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port 80 | Terraform |
| 342 | CKV2_AWS_1 | resource | aws_network_acl | Ensure that all NACLs are attached to subnets | Terraform |
| 343 | CKV2_AWS_1 | resource | aws_subnet | Ensure that all NACLs are attached to subnets | Terraform |
| 344 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform |
| 345 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform |
| 346 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled for the specific org/region | Terraform |
| 347 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled for the specific org/region | Terraform |
| 348 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stages have a logging level defined as appropriate | Terraform |
| 349 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stages have a logging level defined as appropriate | Terraform |
| 350 | CKV2_AWS_5 | resource | aws_security_group | Ensure that Security Groups are attached to another resource | Terraform |
| 351 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform |
| 352 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform |
| 353 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform |
| 354 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform |
| 355 | CKV2_AWS_8 | resource | aws_rds_cluster | Ensure that RDS clusters have a backup plan in AWS Backup | Terraform |
| 356 | CKV2_AWS_9 | resource | aws_backup_selection | Ensure that EBS volumes are added in the backup plans of AWS Backup | Terraform |
| 357 | CKV2_AWS_10 | resource | aws_cloudtrail | Ensure CloudTrail trails are integrated with CloudWatch Logs | Terraform |
| 358 | CKV2_AWS_11 | resource | aws_vpc | Ensure VPC flow logging is enabled in all VPCs | Terraform |
| 359 | CKV2_AWS_12 | resource | aws_default_security_group | Ensure the default security group of every VPC restricts all traffic | Terraform |
| 360 | CKV2_AWS_12 | resource | aws_vpc | Ensure the default security group of every VPC restricts all traffic | Terraform |
| 361 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups include at least one IAM user | Terraform |
| 362 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups include at least one IAM user | Terraform |
| 363 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that Auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks | Terraform |
| 364 | CKV2_AWS_15 | resource | aws_elb | Ensure that Auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks | Terraform |
| 365 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform |
| 366 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform |
| 367 | CKV2_AWS_18 | resource | aws_backup_selection | Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup | Terraform |
| 368 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform |
| 369 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform |
| 370 | CKV2_AWS_20 | resource | aws_alb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform |
| 371 | CKV2_AWS_20 | resource | aws_alb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform |
| 372 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform |
| 373 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform |
| 374 | CKV2_AWS_21 | resource | aws_iam_group_membership | Ensure that all IAM users are members of at least one IAM group | Terraform |
| 375 | CKV2_AWS_22 | resource | aws_iam_user | Ensure an IAM User does not have access to the console | Terraform |
| 376 | CKV2_AWS_23 | resource | aws_route53_record | Route53 A Record has Attached Resource | Terraform |
| 377 | CKV2_AWS_27 | resource | aws_rds_cluster | Ensure Postgres RDS as aws_rds_cluster has Query Logging enabled | Terraform |
| 378 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Ensure Postgres RDS as aws_rds_cluster has Query Logging enabled | Terraform |
| 379 | CKV2_AWS_28 | resource | aws_alb | Ensure public-facing ALBs are protected by WAF | Terraform |
| 380 | CKV2_AWS_28 | resource | aws_lb | Ensure public-facing ALBs are protected by WAF | Terraform |
| 381 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateways are protected by WAF | Terraform |
| 382 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateways are protected by WAF | Terraform |
| 383 | CKV2_AWS_30 | resource | aws_db_instance | Ensure Postgres RDS as aws_db_instance has Query Logging enabled | Terraform |
| 384 | CKV2_AWS_30 | resource | aws_db_parameter_group | Ensure Postgres RDS as aws_db_instance has Query Logging enabled | Terraform |
| 385 | CKV2_AWS_31 | resource | aws_wafv2_web_acl | Ensure WAF2 has a Logging Configuration | Terraform |
| 386 | CKV2_AWS_32 | resource | aws_cloudfront_distribution | Ensure CloudFront distribution has a response headers policy attached | Terraform |
| 387 | CKV2_AWS_33 | resource | aws_appsync_graphql_api | Ensure AppSync is protected by WAF | Terraform |
| 388 | CKV2_AWS_34 | resource | aws_ssm_parameter | AWS SSM Parameter should be Encrypted | Terraform |
| 389 | CKV2_AWS_35 | resource | aws_route | AWS NAT Gateways should be utilized for the default route | Terraform |
| 390 | CKV2_AWS_35 | resource | aws_route_table | AWS NAT Gateways should be utilized for the default route | Terraform |
| 391 | CKV2_AWS_36 | resource | aws_ssm_parameter | Ensure Terraform is not sending SSM secrets to untrusted domains over HTTP | Terraform |
| 392 | CKV2_AWS_36 | resource | data.http | Ensure Terraform is not sending SSM secrets to untrusted domains over HTTP | Terraform |
| 393 | CKV2_AWS_37 | resource | aws | Ensure CodeCommit associates an approval rule | Terraform |
| 394 | CKV2_AWS_37 | resource | aws_accessanalyzer_analyzer | Ensure CodeCommit associates an approval rule | Terraform |
| 395 | CKV2_AWS_37 | resource | aws_acm_certificate | Ensure CodeCommit associates an approval rule | Terraform |
| 396 | CKV2_AWS_37 | resource | aws_acm_certificate_validation | Ensure CodeCommit associates an approval rule | Terraform |
| 397 | CKV2_AWS_37 | resource | aws_acmpca_certificate_authority | Ensure CodeCommit associates an approval rule | Terraform |
| 398 | CKV2_AWS_37 | resource | aws_ami | Ensure CodeCommit associates an approval rule | Terraform |
| 399 | CKV2_AWS_37 | resource | aws_ami_copy | Ensure CodeCommit associates an approval rule | Terraform |
| 400 | CKV2_AWS_37 | resource | aws_ami_from_instance | Ensure CodeCommit associates an approval rule | Terraform |
| 401 | CKV2_AWS_37 | resource | aws_ami_launch_permission | Ensure CodeCommit associates an approval rule | Terraform |
| 402 | CKV2_AWS_37 | resource | aws_api_gateway_account | Ensure CodeCommit associates an approval rule | Terraform |
| 403 | CKV2_AWS_37 | resource | aws_api_gateway_api_key | Ensure CodeCommit associates an approval rule | Terraform |
| 404 | CKV2_AWS_37 | resource | aws_api_gateway_authorizer | Ensure CodeCommit associates an approval rule | Terraform |
| 405 | CKV2_AWS_37 | resource | aws_api_gateway_base_path_mapping | Ensure CodeCommit associates an approval rule | Terraform |
| 406 | CKV2_AWS_37 | resource | aws_api_gateway_client_certificate | Ensure CodeCommit associates an approval rule | Terraform |
| 407 | CKV2_AWS_37 | resource | aws_api_gateway_deployment | Ensure CodeCommit associates an approval rule | Terraform |
| 408 | CKV2_AWS_37 | resource | aws_api_gateway_documentation_part | Ensure CodeCommit associates an approval rule | Terraform |
| 409 | CKV2_AWS_37 | resource | aws_api_gateway_documentation_version | Ensure CodeCommit associates an approval rule | Terraform |
| 410 | CKV2_AWS_37 | resource | aws_api_gateway_domain_name | Ensure CodeCommit associates an approval rule | Terraform |
| 411 | CKV2_AWS_37 | resource | aws_api_gateway_gateway_response | Ensure CodeCommit associates an approval rule | Terraform |
| 412 | CKV2_AWS_37 | resource | aws_api_gateway_integration | Ensure CodeCommit associates an approval rule | Terraform |
| 413 | CKV2_AWS_37 | resource | aws_api_gateway_integration_response | Ensure CodeCommit associates an approval rule | Terraform |
| 414 | CKV2_AWS_37 | resource | aws_api_gateway_method | Ensure CodeCommit associates an approval rule | Terraform |
| 415 | CKV2_AWS_37 | resource | aws_api_gateway_method_response | Ensure CodeCommit associates an approval rule | Terraform |
| 416 | CKV2_AWS_37 | resource | aws_api_gateway_method_settings | Ensure CodeCommit associates an approval rule | Terraform |
| 417 | CKV2_AWS_37 | resource | aws_api_gateway_model | Ensure CodeCommit associates an approval rule | Terraform |
| 418 | CKV2_AWS_37 | resource | aws_api_gateway_request_validator | Ensure CodeCommit associates an approval rule | Terraform |
| 419 | CKV2_AWS_37 | resource | aws_api_gateway_resource | Ensure CodeCommit associates an approval rule | Terraform |
| 420 | CKV2_AWS_37 | resource | aws_api_gateway_rest_api | Ensure CodeCommit associates an approval rule | Terraform |
| 421 | CKV2_AWS_37 | resource | aws_api_gateway_stage | Ensure CodeCommit associates an approval rule | Terraform |
| 422 | CKV2_AWS_37 | resource | aws_api_gateway_usage_plan | Ensure CodeCommit associates an approval rule | Terraform |
| 423 | CKV2_AWS_37 | resource | aws_api_gateway_usage_plan_key | Ensure CodeCommit associates an approval rule | Terraform |
| 424 | CKV2_AWS_37 | resource | aws_api_gateway_vpc_link | Ensure CodeCommit associates an approval rule | Terraform |
| 425 | CKV2_AWS_37 | resource | aws_apigatewayv2_api | Ensure CodeCommit associates an approval rule | Terraform |
| 426 | CKV2_AWS_37 | resource | aws_apigatewayv2_api_mapping | Ensure CodeCommit associates an approval rule | Terraform |
| 427 | CKV2_AWS_37 | resource | aws_apigatewayv2_authorizer | Ensure CodeCommit associates an approval rule | Terraform |
| 428 | CKV2_AWS_37 | resource | aws_apigatewayv2_deployment | Ensure CodeCommit associates an approval rule | Terraform |
| 429 | CKV2_AWS_37 | resource | aws_apigatewayv2_domain_name | Ensure CodeCommit associates an approval rule | Terraform |
| 430 | CKV2_AWS_37 | resource | aws_apigatewayv2_integration | Ensure CodeCommit associates an approval rule | Terraform |
| 431 | CKV2_AWS_37 | resource | aws_apigatewayv2_integration_response | Ensure CodeCommit associates an approval rule | Terraform |
| 432 | CKV2_AWS_37 | resource | aws_apigatewayv2_model | Ensure CodeCommit associates an approval rule | Terraform |
| 433 | CKV2_AWS_37 | resource | aws_apigatewayv2_route | Ensure CodeCommit associates an approval rule | Terraform |
| 434 | CKV2_AWS_37 | resource | aws_apigatewayv2_route_response | Ensure CodeCommit associates an approval rule | Terraform |
| 435 | CKV2_AWS_37 | resource | aws_apigatewayv2_stage | Ensure CodeCommit associates an approval rule | Terraform |
| 436 | CKV2_AWS_37 | resource | aws_apigatewayv2_vpc_link | Ensure CodeCommit associates an approval rule | Terraform |
| 437 | CKV2_AWS_37 | resource | aws_app_cookie_stickiness_policy | Ensure CodeCommit associates an approval rule | Terraform |
| 438 | CKV2_AWS_37 | resource | aws_appautoscaling_policy | Ensure CodeCommit associates an approval rule | Terraform |
| 439 | CKV2_AWS_37 | resource | aws_appautoscaling_scheduled_action | Ensure CodeCommit associates an approval rule | Terraform |
| 440 | CKV2_AWS_37 | resource | aws_appautoscaling_target | Ensure CodeCommit associates an approval rule | Terraform |
| 441 | CKV2_AWS_37 | resource | aws_appmesh_mesh | Ensure CodeCommit associates an approval rule | Terraform |
| 442 | CKV2_AWS_37 | resource | aws_appmesh_route | Ensure CodeCommit associates an approval rule | Terraform |
| 443 | CKV2_AWS_37 | resource | aws_appmesh_virtual_node | Ensure CodeCommit associates an approval rule | Terraform |
| 444 | CKV2_AWS_37 | resource | aws_appmesh_virtual_router | Ensure CodeCommit associates an approval rule | Terraform |
| 445 | CKV2_AWS_37 | resource | aws_appmesh_virtual_service | Ensure CodeCommit associates an approval rule | Terraform |
| 446 | CKV2_AWS_37 | resource | aws_appsync_api_key | Ensure CodeCommit associates an approval rule | Terraform |
| 447 | CKV2_AWS_37 | resource | aws_appsync_datasource | Ensure CodeCommit associates an approval rule | Terraform |
| 448 | CKV2_AWS_37 | resource | aws_appsync_function | Ensure CodeCommit associates an approval rule | Terraform |
| 449 | CKV2_AWS_37 | resource | aws_appsync_graphql_api | Ensure CodeCommit associates an approval rule | Terraform |
| 450 | CKV2_AWS_37 | resource | aws_appsync_resolver | Ensure CodeCommit associates an approval rule | Terraform |
| 451 | CKV2_AWS_37 | resource | aws_athena_database | Ensure CodeCommit associates an approval rule | Terraform |
| 452 | CKV2_AWS_37 | resource | aws_athena_named_query | Ensure CodeCommit associates an approval rule | Terraform |
| 453 | CKV2_AWS_37 | resource | aws_athena_workgroup | Ensure CodeCommit associates an approval rule | Terraform |
| 454 | CKV2_AWS_37 | resource | aws_autoscaling_attachment | Ensure CodeCommit associates an approval rule | Terraform |
| 455 | CKV2_AWS_37 | resource | aws_autoscaling_group | Ensure CodeCommit associates an approval rule | Terraform |
| 456 | CKV2_AWS_37 | resource | aws_autoscaling_lifecycle_hook | Ensure CodeCommit associates an approval rule | Terraform |
| 457 | CKV2_AWS_37 | resource | aws_autoscaling_notification | Ensure CodeCommit associates an approval rule | Terraform |
| 458 | CKV2_AWS_37 | resource | aws_autoscaling_policy | Ensure CodeCommit associates an approval rule | Terraform |
| 459 | CKV2_AWS_37 | resource | aws_autoscaling_schedule | Ensure CodeCommit associates an approval rule | Terraform |
| 460 | CKV2_AWS_37 | resource | aws_backup_plan | Ensure CodeCommit associates an approval rule | Terraform |
| 461 | CKV2_AWS_37 | resource | aws_backup_selection | Ensure CodeCommit associates an approval rule | Terraform |
| 462 | CKV2_AWS_37 | resource | aws_backup_vault | Ensure CodeCommit associates an approval rule | Terraform |
| 463 | CKV2_AWS_37 | resource | aws_batch_compute_environment | Ensure CodeCommit associates an approval rule | Terraform |
| 464 | CKV2_AWS_37 | resource | aws_batch_job_definition | Ensure CodeCommit associates an approval rule | Terraform |
| 465 | CKV2_AWS_37 | resource | aws_batch_job_queue | Ensure CodeCommit associates an approval rule | Terraform |
| 466 | CKV2_AWS_37 | resource | aws_budgets_budget | Ensure CodeCommit associates an approval rule | Terraform |
| 467 | CKV2_AWS_37 | resource | aws_cloud9_environment_ec2 | Ensure CodeCommit associates an approval rule | Terraform |
| 468 | CKV2_AWS_37 | resource | aws_cloudformation_stack | Ensure CodeCommit associates an approval rule | Terraform |
| 469 | CKV2_AWS_37 | resource | aws_cloudformation_stack_set | Ensure CodeCommit associates an approval rule | Terraform |
| 470 | CKV2_AWS_37 | resource | aws_cloudformation_stack_set_instance | Ensure CodeCommit associates an approval rule | Terraform |
| 471 | CKV2_AWS_37 | resource | aws_cloudfront_distribution | Ensure CodeCommit associates an approval rule | Terraform |
| 472 | CKV2_AWS_37 | resource | aws_cloudfront_origin_access_identity | Ensure CodeCommit associates an approval rule | Terraform |
| 473 | CKV2_AWS_37 | resource | aws_cloudfront_public_key | Ensure CodeCommit associates an approval rule | Terraform |
| 474 | CKV2_AWS_37 | resource | aws_cloudhsm_v2_cluster | Ensure CodeCommit associates an approval rule | Terraform |
| 475 | CKV2_AWS_37 | resource | aws_cloudhsm_v2_hsm | Ensure CodeCommit associates an approval rule | Terraform |
| 476 | CKV2_AWS_37 | resource | aws_cloudtrail | Ensure CodeCommit associates an approval rule | Terraform |
| 477 | CKV2_AWS_37 | resource | aws_cloudwatch_dashboard | Ensure CodeCommit associates an approval rule | Terraform |
| 478 | CKV2_AWS_37 | resource | aws_cloudwatch_event_permission | Ensure CodeCommit associates an approval rule | Terraform |
| 479 | CKV2_AWS_37 | resource | aws_cloudwatch_event_rule | Ensure CodeCommit associates an approval rule | Terraform |
| 480 | CKV2_AWS_37 | resource | aws_cloudwatch_event_target | Ensure CodeCommit associates an approval rule | Terraform |
| 481 | CKV2_AWS_37 | resource | aws_cloudwatch_log_destination | Ensure CodeCommit associates an approval rule | Terraform |
| 482 | CKV2_AWS_37 | resource | aws_cloudwatch_log_destination_policy | Ensure CodeCommit associates an approval rule | Terraform |
| 483 | CKV2_AWS_37 | resource | aws_cloudwatch_log_group | Ensure CodeCommit associates an approval rule | Terraform |
| 484 | CKV2_AWS_37 | resource | aws_cloudwatch_log_metric_filter | Ensure CodeCommit associates an approval rule | Terraform |
| 485 | CKV2_AWS_37 | resource | aws_cloudwatch_log_resource_policy | Ensure CodeCommit associates an approval rule | Terraform |
| 486 | CKV2_AWS_37 | resource | aws_cloudwatch_log_stream | Ensure CodeCommit associates an approval rule | Terraform |
| 487 | CKV2_AWS_37 | resource | aws_cloudwatch_log_subscription_filter | Ensure CodeCommit associates an approval rule | Terraform |
| 488 | CKV2_AWS_37 | resource | aws_cloudwatch_metric_alarm | Ensure CodeCommit associates an approval rule | Terraform |
| 489 | CKV2_AWS_37 | resource | aws_codebuild_project | Ensure CodeCommit associates an approval rule | Terraform |
| 490 | CKV2_AWS_37 | resource | aws_codebuild_source_credential | Ensure CodeCommit associates an approval rule | Terraform |
| 491 | CKV2_AWS_37 | resource | aws_codebuild_webhook | Ensure CodeCommit associates an approval rule | Terraform |
| 492 | CKV2_AWS_37 | resource | aws_codecommit_repository | Ensure CodeCommit associates an approval rule | Terraform |
| 493 | CKV2_AWS_37 | resource | aws_codecommit_trigger | Ensure CodeCommit associates an approval rule | Terraform |
| 494 | CKV2_AWS_37 | resource | aws_codedeploy_app | Ensure CodeCommit associates an approval rule | Terraform |
| 495 | CKV2_AWS_37 | resource | aws_codedeploy_deployment_config | Ensure CodeCommit associates an approval rule | Terraform |
| 496 | CKV2_AWS_37 | resource | aws_codedeploy_deployment_group | Ensure CodeCommit associates an approval rule | Terraform |
| 497 | CKV2_AWS_37 | resource | aws_codepipeline | Ensure CodeCommit associates an approval rule | Terraform |
| 498 | CKV2_AWS_37 | resource | aws_codepipeline_webhook | Ensure CodeCommit associates an approval rule | Terraform |
| 499 | CKV2_AWS_37 | resource | aws_codestarnotifications_notification_rule | Ensure CodeCommit associates an approval rule | Terraform |
| 500 | CKV2_AWS_37 | resource | aws_cognito_identity_pool | Ensure CodeCommit associates an approval rule | Terraform |
| 501 | CKV2_AWS_37 | resource | aws_cognito_identity_pool_roles_attachment | Ensure CodeCommit associates an approval rule | Terraform |
| 502 | CKV2_AWS_37 | resource | aws_cognito_identity_provider | Ensure CodeCommit associates an approval rule | Terraform |
| 503 | CKV2_AWS_37 | resource | aws_cognito_resource_server | Ensure CodeCommit associates an approval rule | Terraform |
| 504 | CKV2_AWS_37 | resource | aws_cognito_user_group | Ensure CodeCommit associates an approval rule | Terraform |
| 505 | CKV2_AWS_37 | resource | aws_cognito_user_pool | Ensure CodeCommit associates an approval rule | Terraform |
| 506 | CKV2_AWS_37 | resource | aws_cognito_user_pool_client | Ensure CodeCommit associates an approval rule | Terraform |
| 507 | CKV2_AWS_37 | resource | aws_cognito_user_pool_domain | Ensure CodeCommit associates an approval rule | Terraform |
| 508 | CKV2_AWS_37 | resource | aws_config_aggregate_authorization | Ensure CodeCommit associates an approval rule | Terraform |
| 509 | CKV2_AWS_37 | resource | aws_config_config_rule | Ensure CodeCommit associates an approval rule | Terraform |
| 510 | CKV2_AWS_37 | resource | aws_config_configuration_aggregator | Ensure CodeCommit associates an approval rule | Terraform |
| 511 | CKV2_AWS_37 | resource | aws_config_configuration_recorder | Ensure CodeCommit associates an approval rule | Terraform |
| 512 | CKV2_AWS_37 | resource | aws_config_configuration_recorder_status | Ensure CodeCommit associates an approval rule | Terraform |
| 513 | CKV2_AWS_37 | resource | aws_config_delivery_channel | Ensure CodeCommit associates an approval rule | Terraform |
| 514 | CKV2_AWS_37 | resource | aws_config_organization_custom_rule | Ensure CodeCommit associates an approval rule | Terraform |
| 515 | CKV2_AWS_37 | resource | aws_config_organization_managed_rule | Ensure CodeCommit associates an approval rule | Terraform |
| 516 | CKV2_AWS_37 | resource | aws_cur_report_definition | Ensure CodeCommit associates an approval rule | Terraform |
| 517 | CKV2_AWS_37 | resource | aws_customer_gateway | Ensure CodeCommit associates an approval rule | Terraform |
| 518 | CKV2_AWS_37 | resource | aws_datapipeline_pipeline | Ensure CodeCommit associates an approval rule | Terraform |
| 519 | CKV2_AWS_37 | resource | aws_datasync_agent | Ensure CodeCommit associates an approval rule | Terraform |
| 520 | CKV2_AWS_37 | resource | aws_datasync_location_efs | Ensure CodeCommit associates an approval rule | Terraform |
521 |
CKV2_AWS_37 |
resource |
aws_datasync_location_nfs |
Ensure Codecommit associates an approval rule |
Terraform |
522 |
CKV2_AWS_37 |
resource |
aws_datasync_location_s3 |
Ensure Codecommit associates an approval rule |
Terraform |
523 |
CKV2_AWS_37 |
resource |
aws_datasync_location_smb |
Ensure Codecommit associates an approval rule |
Terraform |
524 |
CKV2_AWS_37 |
resource |
aws_datasync_task |
Ensure Codecommit associates an approval rule |
Terraform |
525 |
CKV2_AWS_37 |
resource |
aws_dax_cluster |
Ensure Codecommit associates an approval rule |
Terraform |
526 |
CKV2_AWS_37 |
resource |
aws_dax_parameter_group |
Ensure Codecommit associates an approval rule |
Terraform |
527 |
CKV2_AWS_37 |
resource |
aws_dax_subnet_group |
Ensure Codecommit associates an approval rule |
Terraform |
528 |
CKV2_AWS_37 |
resource |
aws_db_cluster_snapshot |
Ensure Codecommit associates an approval rule |
Terraform |
529 |
CKV2_AWS_37 |
resource |
aws_db_event_subscription |
Ensure Codecommit associates an approval rule |
Terraform |
530 |
CKV2_AWS_37 |
resource |
aws_db_instance |
Ensure Codecommit associates an approval rule |
Terraform |
531 |
CKV2_AWS_37 |
resource |
aws_db_instance_role_association |
Ensure Codecommit associates an approval rule |
Terraform |
532 |
CKV2_AWS_37 |
resource |
aws_db_option_group |
Ensure Codecommit associates an approval rule |
Terraform |
533 |
CKV2_AWS_37 |
resource |
aws_db_parameter_group |
Ensure Codecommit associates an approval rule |
Terraform |
534 |
CKV2_AWS_37 |
resource |
aws_db_security_group |
Ensure Codecommit associates an approval rule |
Terraform |
535 |
CKV2_AWS_37 |
resource |
aws_db_snapshot |
Ensure Codecommit associates an approval rule |
Terraform |
536 |
CKV2_AWS_37 |
resource |
aws_db_subnet_group |
Ensure Codecommit associates an approval rule |
Terraform |
537 |
CKV2_AWS_37 |
resource |
aws_default_network_acl |
Ensure Codecommit associates an approval rule |
Terraform |
538 |
CKV2_AWS_37 |
resource |
aws_default_route_table |
Ensure Codecommit associates an approval rule |
Terraform |
539 |
CKV2_AWS_37 |
resource |
aws_default_security_group |
Ensure Codecommit associates an approval rule |
Terraform |
540 |
CKV2_AWS_37 |
resource |
aws_default_subnet |
Ensure Codecommit associates an approval rule |
Terraform |
541 |
CKV2_AWS_37 |
resource |
aws_default_vpc |
Ensure Codecommit associates an approval rule |
Terraform |
542 |
CKV2_AWS_37 |
resource |
aws_default_vpc_dhcp_options |
Ensure Codecommit associates an approval rule |
Terraform |
543 |
CKV2_AWS_37 |
resource |
aws_devicefarm_project |
Ensure Codecommit associates an approval rule |
Terraform |
544 |
CKV2_AWS_37 |
resource |
aws_directory_service_conditional_forwarder |
Ensure Codecommit associates an approval rule |
Terraform |
545 |
CKV2_AWS_37 |
resource |
aws_directory_service_directory |
Ensure Codecommit associates an approval rule |
Terraform |
546 |
CKV2_AWS_37 |
resource |
aws_directory_service_log_subscription |
Ensure Codecommit associates an approval rule |
Terraform |
547 |
CKV2_AWS_37 |
resource |
aws_dlm_lifecycle_policy |
Ensure Codecommit associates an approval rule |
Terraform |
548 |
CKV2_AWS_37 |
resource |
aws_dms_certificate |
Ensure Codecommit associates an approval rule |
Terraform |
549 |
CKV2_AWS_37 |
resource |
aws_dms_endpoint |
Ensure Codecommit associates an approval rule |
Terraform |
550 |
CKV2_AWS_37 |
resource |
aws_dms_event_subscription |
Ensure Codecommit associates an approval rule |
Terraform |
551 |
CKV2_AWS_37 |
resource |
aws_dms_replication_instance |
Ensure Codecommit associates an approval rule |
Terraform |
552 |
CKV2_AWS_37 |
resource |
aws_dms_replication_subnet_group |
Ensure Codecommit associates an approval rule |
Terraform |
553 |
CKV2_AWS_37 |
resource |
aws_dms_replication_task |
Ensure Codecommit associates an approval rule |
Terraform |
554 |
CKV2_AWS_37 |
resource |
aws_docdb_cluster |
Ensure Codecommit associates an approval rule |
Terraform |
555 |
CKV2_AWS_37 |
resource |
aws_docdb_cluster_instance |
Ensure Codecommit associates an approval rule |
Terraform |
556 |
CKV2_AWS_37 |
resource |
aws_docdb_cluster_parameter_group |
Ensure Codecommit associates an approval rule |
Terraform |
557 |
CKV2_AWS_37 |
resource |
aws_docdb_cluster_snapshot |
Ensure Codecommit associates an approval rule |
Terraform |
558 |
CKV2_AWS_37 |
resource |
aws_docdb_subnet_group |
Ensure Codecommit associates an approval rule |
Terraform |
559 |
CKV2_AWS_37 |
resource |
aws_dx_bgp_peer |
Ensure Codecommit associates an approval rule |
Terraform |
560 |
CKV2_AWS_37 |
resource |
aws_dx_connection |
Ensure Codecommit associates an approval rule |
Terraform |
561 |
CKV2_AWS_37 |
resource |
aws_dx_connection_association |
Ensure Codecommit associates an approval rule |
Terraform |
562 |
CKV2_AWS_37 |
resource |
aws_dx_gateway |
Ensure Codecommit associates an approval rule |
Terraform |
563 |
CKV2_AWS_37 |
resource |
aws_dx_gateway_association |
Ensure Codecommit associates an approval rule |
Terraform |
564 |
CKV2_AWS_37 |
resource |
aws_dx_gateway_association_proposal |
Ensure Codecommit associates an approval rule |
Terraform |
565 |
CKV2_AWS_37 |
resource |
aws_dx_hosted_private_virtual_interface |
Ensure Codecommit associates an approval rule |
Terraform |
566 |
CKV2_AWS_37 |
resource |
aws_dx_hosted_private_virtual_interface_accepter |
Ensure Codecommit associates an approval rule |
Terraform |
567 |
CKV2_AWS_37 |
resource |
aws_dx_hosted_public_virtual_interface |
Ensure Codecommit associates an approval rule |
Terraform |
568 |
CKV2_AWS_37 |
resource |
aws_dx_hosted_public_virtual_interface_accepter |
Ensure Codecommit associates an approval rule |
Terraform |
569 |
CKV2_AWS_37 |
resource |
aws_dx_hosted_transit_virtual_interface |
Ensure Codecommit associates an approval rule |
Terraform |
570 |
CKV2_AWS_37 |
resource |
aws_dx_hosted_transit_virtual_interface_accepter |
Ensure Codecommit associates an approval rule |
Terraform |
571 |
CKV2_AWS_37 |
resource |
aws_dx_lag |
Ensure Codecommit associates an approval rule |
Terraform |
572 |
CKV2_AWS_37 |
resource |
aws_dx_private_virtual_interface |
Ensure Codecommit associates an approval rule |
Terraform |
573 |
CKV2_AWS_37 |
resource |
aws_dx_public_virtual_interface |
Ensure Codecommit associates an approval rule |
Terraform |
574 |
CKV2_AWS_37 |
resource |
aws_dx_transit_virtual_interface |
Ensure Codecommit associates an approval rule |
Terraform |
575 |
CKV2_AWS_37 |
resource |
aws_dynamodb_global_table |
Ensure Codecommit associates an approval rule |
Terraform |
576 |
CKV2_AWS_37 |
resource |
aws_dynamodb_table |
Ensure Codecommit associates an approval rule |
Terraform |
577 |
CKV2_AWS_37 |
resource |
aws_dynamodb_table_item |
Ensure Codecommit associates an approval rule |
Terraform |
578 |
CKV2_AWS_37 |
resource |
aws_ebs_default_kms_key |
Ensure Codecommit associates an approval rule |
Terraform |
579 |
CKV2_AWS_37 |
resource |
aws_ebs_encryption_by_default |
Ensure Codecommit associates an approval rule |
Terraform |
580 |
CKV2_AWS_37 |
resource |
aws_ebs_snapshot |
Ensure Codecommit associates an approval rule |
Terraform |
581 |
CKV2_AWS_37 |
resource |
aws_ebs_snapshot_copy |
Ensure Codecommit associates an approval rule |
Terraform |
582 |
CKV2_AWS_37 |
resource |
aws_ebs_volume |
Ensure Codecommit associates an approval rule |
Terraform |
583 |
CKV2_AWS_37 |
resource |
aws_ec2_availability_zone_group |
Ensure Codecommit associates an approval rule |
Terraform |
584 |
CKV2_AWS_37 |
resource |
aws_ec2_capacity_reservation |
Ensure Codecommit associates an approval rule |
Terraform |
585 |
CKV2_AWS_37 |
resource |
aws_ec2_client_vpn_authorization_rule |
Ensure Codecommit associates an approval rule |
Terraform |
586 |
CKV2_AWS_37 |
resource |
aws_ec2_client_vpn_endpoint |
Ensure Codecommit associates an approval rule |
Terraform |
587 |
CKV2_AWS_37 |
resource |
aws_ec2_client_vpn_network_association |
Ensure Codecommit associates an approval rule |
Terraform |
588 |
CKV2_AWS_37 |
resource |
aws_ec2_client_vpn_route |
Ensure Codecommit associates an approval rule |
Terraform |
589 |
CKV2_AWS_37 |
resource |
aws_ec2_fleet |
Ensure Codecommit associates an approval rule |
Terraform |
590 |
CKV2_AWS_37 |
resource |
aws_ec2_local_gateway_route |
Ensure Codecommit associates an approval rule |
Terraform |
591 |
CKV2_AWS_37 |
resource |
aws_ec2_local_gateway_route_table_vpc_association |
Ensure Codecommit associates an approval rule |
Terraform |
592 |
CKV2_AWS_37 |
resource |
aws_ec2_tag |
Ensure Codecommit associates an approval rule |
Terraform |
593 |
CKV2_AWS_37 |
resource |
aws_ec2_traffic_mirror_filter |
Ensure Codecommit associates an approval rule |
Terraform |
594 |
CKV2_AWS_37 |
resource |
aws_ec2_traffic_mirror_filter_rule |
Ensure Codecommit associates an approval rule |
Terraform |
595 |
CKV2_AWS_37 |
resource |
aws_ec2_traffic_mirror_session |
Ensure Codecommit associates an approval rule |
Terraform |
596 |
CKV2_AWS_37 |
resource |
aws_ec2_traffic_mirror_target |
Ensure Codecommit associates an approval rule |
Terraform |
597 |
CKV2_AWS_37 |
resource |
aws_ec2_transit_gateway |
Ensure Codecommit associates an approval rule |
Terraform |
598 |
CKV2_AWS_37 |
resource |
aws_ec2_transit_gateway_peering_attachment |
Ensure Codecommit associates an approval rule |
Terraform |
599 |
CKV2_AWS_37 |
resource |
aws_ec2_transit_gateway_peering_attachment_accepter |
Ensure Codecommit associates an approval rule |
Terraform |
600 |
CKV2_AWS_37 |
resource |
aws_ec2_transit_gateway_route |
Ensure Codecommit associates an approval rule |
Terraform |
601 |
CKV2_AWS_37 |
resource |
aws_ec2_transit_gateway_route_table |
Ensure Codecommit associates an approval rule |
Terraform |
602 |
CKV2_AWS_37 |
resource |
aws_ec2_transit_gateway_route_table_association |
Ensure Codecommit associates an approval rule |
Terraform |
603 |
CKV2_AWS_37 |
resource |
aws_ec2_transit_gateway_route_table_propagation |
Ensure Codecommit associates an approval rule |
Terraform |
604 |
CKV2_AWS_37 |
resource |
aws_ec2_transit_gateway_vpc_attachment |
Ensure Codecommit associates an approval rule |
Terraform |
605 |
CKV2_AWS_37 |
resource |
aws_ec2_transit_gateway_vpc_attachment_accepter |
Ensure Codecommit associates an approval rule |
Terraform |
606 |
CKV2_AWS_37 |
resource |
aws_ecr_lifecycle_policy |
Ensure Codecommit associates an approval rule |
Terraform |
607 |
CKV2_AWS_37 |
resource |
aws_ecr_repository |
Ensure Codecommit associates an approval rule |
Terraform |
608 |
CKV2_AWS_37 |
resource |
aws_ecr_repository_policy |
Ensure Codecommit associates an approval rule |
Terraform |
609 |
CKV2_AWS_37 |
resource |
aws_ecs_capacity_provider |
Ensure Codecommit associates an approval rule |
Terraform |
610 |
CKV2_AWS_37 |
resource |
aws_ecs_cluster |
Ensure Codecommit associates an approval rule |
Terraform |
611 |
CKV2_AWS_37 |
resource |
aws_ecs_service |
Ensure Codecommit associates an approval rule |
Terraform |
612 |
CKV2_AWS_37 |
resource |
aws_ecs_task_definition |
Ensure Codecommit associates an approval rule |
Terraform |
613 |
CKV2_AWS_37 |
resource |
aws_efs_access_point |
Ensure Codecommit associates an approval rule |
Terraform |
614 |
CKV2_AWS_37 |
resource |
aws_efs_file_system |
Ensure Codecommit associates an approval rule |
Terraform |
615 |
CKV2_AWS_37 |
resource |
aws_efs_file_system_policy |
Ensure Codecommit associates an approval rule |
Terraform |
616 |
CKV2_AWS_37 |
resource |
aws_efs_mount_target |
Ensure Codecommit associates an approval rule |
Terraform |
617 |
CKV2_AWS_37 |
resource |
aws_egress_only_internet_gateway |
Ensure Codecommit associates an approval rule |
Terraform |
618 |
CKV2_AWS_37 |
resource |
aws_eip |
Ensure Codecommit associates an approval rule |
Terraform |
619 |
CKV2_AWS_37 |
resource |
aws_eip_association |
Ensure Codecommit associates an approval rule |
Terraform |
620 |
CKV2_AWS_37 |
resource |
aws_eks_cluster |
Ensure Codecommit associates an approval rule |
Terraform |
621 |
CKV2_AWS_37 |
resource |
aws_eks_fargate_profile |
Ensure Codecommit associates an approval rule |
Terraform |
622 |
CKV2_AWS_37 |
resource |
aws_eks_node_group |
Ensure Codecommit associates an approval rule |
Terraform |
623 |
CKV2_AWS_37 |
resource |
aws_elastic_beanstalk_application |
Ensure Codecommit associates an approval rule |
Terraform |
624 |
CKV2_AWS_37 |
resource |
aws_elastic_beanstalk_application_version |
Ensure Codecommit associates an approval rule |
Terraform |
625 |
CKV2_AWS_37 |
resource |
aws_elastic_beanstalk_configuration_template |
Ensure Codecommit associates an approval rule |
Terraform |
626 |
CKV2_AWS_37 |
resource |
aws_elastic_beanstalk_environment |
Ensure Codecommit associates an approval rule |
Terraform |
627 |
CKV2_AWS_37 |
resource |
aws_elasticache_cluster |
Ensure Codecommit associates an approval rule |
Terraform |
628 |
CKV2_AWS_37 |
resource |
aws_elasticache_parameter_group |
Ensure Codecommit associates an approval rule |
Terraform |
629 |
CKV2_AWS_37 |
resource |
aws_elasticache_replication_group |
Ensure Codecommit associates an approval rule |
Terraform |
630 |
CKV2_AWS_37 |
resource |
aws_elasticache_security_group |
Ensure Codecommit associates an approval rule |
Terraform |
631 |
CKV2_AWS_37 |
resource |
aws_elasticache_subnet_group |
Ensure Codecommit associates an approval rule |
Terraform |
632 |
CKV2_AWS_37 |
resource |
aws_elasticsearch_domain |
Ensure Codecommit associates an approval rule |
Terraform |
633 |
CKV2_AWS_37 |
resource |
aws_elasticsearch_domain_policy |
Ensure Codecommit associates an approval rule |
Terraform |
634 |
CKV2_AWS_37 |
resource |
aws_elastictranscoder_pipeline |
Ensure Codecommit associates an approval rule |
Terraform |
635 |
CKV2_AWS_37 |
resource |
aws_elastictranscoder_preset |
Ensure Codecommit associates an approval rule |
Terraform |
636 |
CKV2_AWS_37 |
resource |
aws_elb |
Ensure Codecommit associates an approval rule |
Terraform |
637 |
CKV2_AWS_37 |
resource |
aws_elb_attachment |
Ensure Codecommit associates an approval rule |
Terraform |
638 |
CKV2_AWS_37 |
resource |
aws_emr_cluster |
Ensure Codecommit associates an approval rule |
Terraform |
639 |
CKV2_AWS_37 |
resource |
aws_emr_instance_group |
Ensure Codecommit associates an approval rule |
Terraform |
640 |
CKV2_AWS_37 |
resource |
aws_emr_security_configuration |
Ensure Codecommit associates an approval rule |
Terraform |
641 |
CKV2_AWS_37 |
resource |
aws_flow_log |
Ensure Codecommit associates an approval rule |
Terraform |
642 |
CKV2_AWS_37 |
resource |
aws_fms_admin_account |
Ensure Codecommit associates an approval rule |
Terraform |
643 |
CKV2_AWS_37 |
resource |
aws_fsx_lustre_file_system |
Ensure Codecommit associates an approval rule |
Terraform |
644 |
CKV2_AWS_37 |
resource |
aws_fsx_windows_file_system |
Ensure Codecommit associates an approval rule |
Terraform |
645 |
CKV2_AWS_37 |
resource |
aws_gamelift_alias |
Ensure Codecommit associates an approval rule |
Terraform |
646 |
CKV2_AWS_37 |
resource |
aws_gamelift_build |
Ensure Codecommit associates an approval rule |
Terraform |
647 |
CKV2_AWS_37 |
resource |
aws_gamelift_fleet |
Ensure Codecommit associates an approval rule |
Terraform |
648 |
CKV2_AWS_37 |
resource |
aws_gamelift_game_session_queue |
Ensure Codecommit associates an approval rule |
Terraform |
649 |
CKV2_AWS_37 |
resource |
aws_glacier_vault |
Ensure Codecommit associates an approval rule |
Terraform |
650 |
CKV2_AWS_37 |
resource |
aws_glacier_vault_lock |
Ensure Codecommit associates an approval rule |
Terraform |
651 |
CKV2_AWS_37 |
resource |
aws_globalaccelerator_accelerator |
Ensure Codecommit associates an approval rule |
Terraform |
652 |
CKV2_AWS_37 |
resource |
aws_globalaccelerator_endpoint_group |
Ensure Codecommit associates an approval rule |
Terraform |
653 |
CKV2_AWS_37 |
resource |
aws_globalaccelerator_listener |
Ensure Codecommit associates an approval rule |
Terraform |
654 |
CKV2_AWS_37 |
resource |
aws_glue_catalog_database |
Ensure Codecommit associates an approval rule |
Terraform |
655 |
CKV2_AWS_37 |
resource |
aws_glue_catalog_table |
Ensure Codecommit associates an approval rule |
Terraform |
656 |
CKV2_AWS_37 |
resource |
aws_glue_classifier |
Ensure Codecommit associates an approval rule |
Terraform |
657 |
CKV2_AWS_37 |
resource |
aws_glue_connection |
Ensure Codecommit associates an approval rule |
Terraform |
658 |
CKV2_AWS_37 |
resource |
aws_glue_crawler |
Ensure Codecommit associates an approval rule |
Terraform |
659 |
CKV2_AWS_37 |
resource |
aws_glue_job |
Ensure Codecommit associates an approval rule |
Terraform |
660 |
CKV2_AWS_37 |
resource |
aws_glue_security_configuration |
Ensure Codecommit associates an approval rule |
Terraform |
661 |
CKV2_AWS_37 |
resource |
aws_glue_trigger |
Ensure Codecommit associates an approval rule |
Terraform |
662 |
CKV2_AWS_37 |
resource |
aws_glue_workflow |
Ensure Codecommit associates an approval rule |
Terraform |
663 |
CKV2_AWS_37 |
resource |
aws_guardduty_detector |
Ensure Codecommit associates an approval rule |
Terraform |
664 |
CKV2_AWS_37 |
resource |
aws_guardduty_invite_accepter |
Ensure Codecommit associates an approval rule |
Terraform |
665 |
CKV2_AWS_37 |
resource |
aws_guardduty_ipset |
Ensure Codecommit associates an approval rule |
Terraform |
666 |
CKV2_AWS_37 |
resource |
aws_guardduty_member |
Ensure Codecommit associates an approval rule |
Terraform |
667 |
CKV2_AWS_37 |
resource |
aws_guardduty_organization_admin_account |
Ensure Codecommit associates an approval rule |
Terraform |
668 |
CKV2_AWS_37 |
resource |
aws_guardduty_organization_configuration |
Ensure Codecommit associates an approval rule |
Terraform |
669 |
CKV2_AWS_37 |
resource |
aws_guardduty_threatintelset |
Ensure Codecommit associates an approval rule |
Terraform |
670 |
CKV2_AWS_37 |
resource |
aws_iam_access_key |
Ensure Codecommit associates an approval rule |
Terraform |
671 |
CKV2_AWS_37 |
resource |
aws_iam_account_alias |
Ensure Codecommit associates an approval rule |
Terraform |
672 |
CKV2_AWS_37 |
resource |
aws_iam_account_password_policy |
Ensure Codecommit associates an approval rule |
Terraform |
673 |
CKV2_AWS_37 |
resource |
aws_iam_group |
Ensure Codecommit associates an approval rule |
Terraform |
674 |
CKV2_AWS_37 |
resource |
aws_iam_group_membership |
Ensure Codecommit associates an approval rule |
Terraform |
675 |
CKV2_AWS_37 |
resource |
aws_iam_group_policy |
Ensure Codecommit associates an approval rule |
Terraform |
676 |
CKV2_AWS_37 |
resource |
aws_iam_group_policy_attachment |
Ensure Codecommit associates an approval rule |
Terraform |
677 |
CKV2_AWS_37 |
resource |
aws_iam_instance_profile |
Ensure Codecommit associates an approval rule |
Terraform |
678 |
CKV2_AWS_37 |
resource |
aws_iam_openid_connect_provider |
Ensure Codecommit associates an approval rule |
Terraform |
679 |
CKV2_AWS_37 |
resource |
aws_iam_policy |
Ensure Codecommit associates an approval rule |
Terraform |
680 |
CKV2_AWS_37 |
resource |
aws_iam_policy_attachment |
Ensure Codecommit associates an approval rule |
Terraform |
681 |
CKV2_AWS_37 |
resource |
aws_iam_policy_document |
Ensure Codecommit associates an approval rule |
Terraform |
682 |
CKV2_AWS_37 |
resource |
aws_iam_role |
Ensure Codecommit associates an approval rule |
Terraform |
683 |
CKV2_AWS_37 |
resource |
aws_iam_role_policy |
Ensure Codecommit associates an approval rule |
Terraform |
684 |
CKV2_AWS_37 |
resource |
aws_iam_role_policy_attachment |
Ensure Codecommit associates an approval rule |
Terraform |
685 |
CKV2_AWS_37 |
resource |
aws_iam_saml_provider |
Ensure Codecommit associates an approval rule |
Terraform |
686 |
CKV2_AWS_37 |
resource |
aws_iam_server_certificate |
Ensure Codecommit associates an approval rule |
Terraform |
687 |
CKV2_AWS_37 |
resource |
aws_iam_service_linked_role |
Ensure Codecommit associates an approval rule |
Terraform |
688 |
CKV2_AWS_37 |
resource |
aws_iam_user |
Ensure Codecommit associates an approval rule |
Terraform |
689 |
CKV2_AWS_37 |
resource |
aws_iam_user_group_membership |
Ensure Codecommit associates an approval rule |
Terraform |
690 |
CKV2_AWS_37 |
resource |
aws_iam_user_login_profile |
Ensure Codecommit associates an approval rule |
Terraform |
691 |
CKV2_AWS_37 |
resource |
aws_iam_user_policy |
Ensure Codecommit associates an approval rule |
Terraform |
692 |
CKV2_AWS_37 |
resource |
aws_iam_user_policy_attachment |
Ensure Codecommit associates an approval rule |
Terraform |
693 |
CKV2_AWS_37 |
resource |
aws_iam_user_ssh_key |
Ensure Codecommit associates an approval rule |
Terraform |
694 |
CKV2_AWS_37 |
resource |
aws_inspector_assessment_target |
Ensure Codecommit associates an approval rule |
Terraform |
695 |
CKV2_AWS_37 |
resource |
aws_inspector_assessment_template |
Ensure Codecommit associates an approval rule |
Terraform |
696 |
CKV2_AWS_37 |
resource |
aws_inspector_resource_group |
Ensure Codecommit associates an approval rule |
Terraform |
697 |
CKV2_AWS_37 |
resource |
aws_instance |
Ensure Codecommit associates an approval rule |
Terraform |
698 |
CKV2_AWS_37 |
resource |
aws_internet_gateway |
Ensure Codecommit associates an approval rule |
Terraform |
699 |
CKV2_AWS_37 |
resource |
aws_iot_certificate |
Ensure Codecommit associates an approval rule |
Terraform |
700 |
CKV2_AWS_37 |
resource |
aws_iot_policy |
Ensure Codecommit associates an approval rule |
Terraform |
701 |
CKV2_AWS_37 |
resource |
aws_iot_policy_attachment |
Ensure Codecommit associates an approval rule |
Terraform |
702 |
CKV2_AWS_37 |
resource |
aws_iot_role_alias |
Ensure Codecommit associates an approval rule |
Terraform |
703 |
CKV2_AWS_37 |
resource |
aws_iot_thing |
Ensure Codecommit associates an approval rule |
Terraform |
704 |
CKV2_AWS_37 |
resource |
aws_iot_thing_principal_attachment |
Ensure Codecommit associates an approval rule |
Terraform |
705 |
CKV2_AWS_37 |
resource |
aws_iot_thing_type |
Ensure Codecommit associates an approval rule |
Terraform |
706 |
CKV2_AWS_37 |
resource |
aws_iot_topic_rule |
Ensure Codecommit associates an approval rule |
Terraform |
707 |
CKV2_AWS_37 |
resource |
aws_key_pair |
Ensure Codecommit associates an approval rule |
Terraform |
708 |
CKV2_AWS_37 |
resource |
aws_kinesis_analytics_application |
Ensure Codecommit associates an approval rule |
Terraform |
709 |
CKV2_AWS_37 |
resource |
aws_kinesis_firehose_delivery_stream |
Ensure Codecommit associates an approval rule |
Terraform |
710 |
CKV2_AWS_37 |
resource |
aws_kinesis_stream |
Ensure Codecommit associates an approval rule |
Terraform |
711 |
CKV2_AWS_37 |
resource |
aws_kinesis_video_stream |
Ensure Codecommit associates an approval rule |
Terraform |
712 |
CKV2_AWS_37 |
resource |
aws_kms_alias |
Ensure Codecommit associates an approval rule |
Terraform |
713 |
CKV2_AWS_37 |
resource |
aws_kms_ciphertext |
Ensure Codecommit associates an approval rule |
Terraform |
714 |
CKV2_AWS_37 |
resource |
aws_kms_external_key |
Ensure Codecommit associates an approval rule |
Terraform |
715 |
CKV2_AWS_37 |
resource |
aws_kms_grant |
Ensure Codecommit associates an approval rule |
Terraform |
716 |
CKV2_AWS_37 |
resource |
aws_kms_key |
Ensure Codecommit associates an approval rule |
Terraform |
717 |
CKV2_AWS_37 |
resource |
aws_lambda_alias |
Ensure Codecommit associates an approval rule |
Terraform |
718 |
CKV2_AWS_37 |
resource |
aws_lambda_event_source_mapping |
Ensure Codecommit associates an approval rule |
Terraform |
719 |
CKV2_AWS_37 |
resource |
aws_lambda_function |
Ensure Codecommit associates an approval rule |
Terraform |
720 |
CKV2_AWS_37 |
resource |
aws_lambda_function_event_invoke_config |
Ensure Codecommit associates an approval rule |
Terraform |
721 |
CKV2_AWS_37 |
resource |
aws_lambda_layer_version |
Ensure Codecommit associates an approval rule |
Terraform |
722 |
CKV2_AWS_37 |
resource |
aws_lambda_permission |
Ensure Codecommit associates an approval rule |
Terraform |
723 |
CKV2_AWS_37 |
resource |
aws_lambda_provisioned_concurrency_config |
Ensure Codecommit associates an approval rule |
Terraform |
724 |
CKV2_AWS_37 |
resource |
aws_launch_configuration |
Ensure Codecommit associates an approval rule |
Terraform |
725 |
CKV2_AWS_37 |
resource |
aws_launch_template |
Ensure Codecommit associates an approval rule |
Terraform |
726 |
CKV2_AWS_37 |
resource |
aws_lb |
Ensure Codecommit associates an approval rule |
Terraform |
727 |
CKV2_AWS_37 |
resource |
aws_lb_cookie_stickiness_policy |
Ensure Codecommit associates an approval rule |
Terraform |
728 |
CKV2_AWS_37 |
resource |
aws_lb_listener |
Ensure Codecommit associates an approval rule |
Terraform |
729 |
CKV2_AWS_37 |
resource |
aws_lb_listener_certificate |
Ensure Codecommit associates an approval rule |
Terraform |
730 |
CKV2_AWS_37 |
resource |
aws_lb_listener_rule |
Ensure Codecommit associates an approval rule |
Terraform |
731 |
CKV2_AWS_37 |
resource |
aws_lb_ssl_negotiation_policy |
Ensure Codecommit associates an approval rule |
Terraform |
732 |
CKV2_AWS_37 |
resource |
aws_lb_target_group |
Ensure Codecommit associates an approval rule |
Terraform |
733 |
CKV2_AWS_37 |
resource |
aws_lb_target_group_attachment |
Ensure Codecommit associates an approval rule |
Terraform |
734 |
CKV2_AWS_37 |
resource |
aws_licensemanager_association |
Ensure Codecommit associates an approval rule |
Terraform |
735 |
CKV2_AWS_37 |
resource |
aws_licensemanager_license_configuration |
Ensure Codecommit associates an approval rule |
Terraform |
736 |
CKV2_AWS_37 |
resource |
aws_lightsail_domain |
Ensure Codecommit associates an approval rule |
Terraform |
737 |
CKV2_AWS_37 |
resource |
aws_lightsail_instance |
Ensure Codecommit associates an approval rule |
Terraform |
738 |
CKV2_AWS_37 |
resource |
aws_lightsail_key_pair |
Ensure Codecommit associates an approval rule |
Terraform |
739 |
CKV2_AWS_37 |
resource |
aws_lightsail_static_ip |
Ensure Codecommit associates an approval rule |
Terraform |
740 |
CKV2_AWS_37 |
resource |
aws_lightsail_static_ip_attachment |
Ensure Codecommit associates an approval rule |
Terraform |
741 |
CKV2_AWS_37 |
resource |
aws_load_balancer_backend_server_policy |
Ensure Codecommit associates an approval rule |
Terraform |
742 |
CKV2_AWS_37 |
resource |
aws_load_balancer_listener_policy |
Ensure Codecommit associates an approval rule |
Terraform |
743 |
CKV2_AWS_37 |
resource |
aws_load_balancer_policy |
Ensure Codecommit associates an approval rule |
Terraform |
744 |
CKV2_AWS_37 |
resource |
aws_macie_member_account_association |
Ensure Codecommit associates an approval rule |
Terraform |
745 |
CKV2_AWS_37 |
resource |
aws_macie_s3_bucket_association |
Ensure Codecommit associates an approval rule |
Terraform |
746 |
CKV2_AWS_37 |
resource |
aws_main_route_table_association |
Ensure Codecommit associates an approval rule |
Terraform |
747 |
CKV2_AWS_37 |
resource |
aws_media_convert_queue |
Ensure Codecommit associates an approval rule |
Terraform |
748 |
CKV2_AWS_37 |
resource |
aws_media_package_channel |
Ensure Codecommit associates an approval rule |
Terraform |
749 |
CKV2_AWS_37 |
resource |
aws_media_store_container |
Ensure Codecommit associates an approval rule |
Terraform |
750 |
CKV2_AWS_37 |
resource |
aws_media_store_container_policy |
Ensure Codecommit associates an approval rule |
Terraform |
751 |
CKV2_AWS_37 |
resource |
aws_mq_broker |
Ensure Codecommit associates an approval rule |
Terraform |
752 |
CKV2_AWS_37 |
resource |
aws_mq_configuration |
Ensure Codecommit associates an approval rule |
Terraform |
753 |
CKV2_AWS_37 |
resource |
aws_msk_cluster |
Ensure Codecommit associates an approval rule |
Terraform |
754 |
CKV2_AWS_37 |
resource |
aws_msk_configuration |
Ensure Codecommit associates an approval rule |
Terraform |
755 |
CKV2_AWS_37 |
resource |
aws_nat_gateway |
Ensure Codecommit associates an approval rule |
Terraform |
756 |
CKV2_AWS_37 |
resource |
aws_neptune_cluster |
Ensure Codecommit associates an approval rule |
Terraform |
757 |
CKV2_AWS_37 |
resource | aws_neptune_cluster_instance | Ensure Codecommit associates an approval rule | Terraform |
758 | CKV2_AWS_37 | resource | aws_neptune_cluster_parameter_group | Ensure Codecommit associates an approval rule | Terraform |
759 | CKV2_AWS_37 | resource | aws_neptune_cluster_snapshot | Ensure Codecommit associates an approval rule | Terraform |
760 | CKV2_AWS_37 | resource | aws_neptune_event_subscription | Ensure Codecommit associates an approval rule | Terraform |
761 | CKV2_AWS_37 | resource | aws_neptune_parameter_group | Ensure Codecommit associates an approval rule | Terraform |
762 | CKV2_AWS_37 | resource | aws_neptune_subnet_group | Ensure Codecommit associates an approval rule | Terraform |
763 | CKV2_AWS_37 | resource | aws_network_acl | Ensure Codecommit associates an approval rule | Terraform |
764 | CKV2_AWS_37 | resource | aws_network_acl_rule | Ensure Codecommit associates an approval rule | Terraform |
765 | CKV2_AWS_37 | resource | aws_network_interface | Ensure Codecommit associates an approval rule | Terraform |
766 | CKV2_AWS_37 | resource | aws_network_interface_attachment | Ensure Codecommit associates an approval rule | Terraform |
767 | CKV2_AWS_37 | resource | aws_network_interface_sg_attachment | Ensure Codecommit associates an approval rule | Terraform |
768 | CKV2_AWS_37 | resource | aws_opsworks_application | Ensure Codecommit associates an approval rule | Terraform |
769 | CKV2_AWS_37 | resource | aws_opsworks_custom_layer | Ensure Codecommit associates an approval rule | Terraform |
770 | CKV2_AWS_37 | resource | aws_opsworks_ganglia_layer | Ensure Codecommit associates an approval rule | Terraform |
771 | CKV2_AWS_37 | resource | aws_opsworks_haproxy_layer | Ensure Codecommit associates an approval rule | Terraform |
772 | CKV2_AWS_37 | resource | aws_opsworks_instance | Ensure Codecommit associates an approval rule | Terraform |
773 | CKV2_AWS_37 | resource | aws_opsworks_java_app_layer | Ensure Codecommit associates an approval rule | Terraform |
774 | CKV2_AWS_37 | resource | aws_opsworks_memcached_layer | Ensure Codecommit associates an approval rule | Terraform |
775 | CKV2_AWS_37 | resource | aws_opsworks_mysql_layer | Ensure Codecommit associates an approval rule | Terraform |
776 | CKV2_AWS_37 | resource | aws_opsworks_nodejs_app_layer | Ensure Codecommit associates an approval rule | Terraform |
777 | CKV2_AWS_37 | resource | aws_opsworks_permission | Ensure Codecommit associates an approval rule | Terraform |
778 | CKV2_AWS_37 | resource | aws_opsworks_php_app_layer | Ensure Codecommit associates an approval rule | Terraform |
779 | CKV2_AWS_37 | resource | aws_opsworks_rails_app_layer | Ensure Codecommit associates an approval rule | Terraform |
780 | CKV2_AWS_37 | resource | aws_opsworks_rds_db_instance | Ensure Codecommit associates an approval rule | Terraform |
781 | CKV2_AWS_37 | resource | aws_opsworks_stack | Ensure Codecommit associates an approval rule | Terraform |
782 | CKV2_AWS_37 | resource | aws_opsworks_static_web_layer | Ensure Codecommit associates an approval rule | Terraform |
783 | CKV2_AWS_37 | resource | aws_opsworks_user_profile | Ensure Codecommit associates an approval rule | Terraform |
784 | CKV2_AWS_37 | resource | aws_organizations_account | Ensure Codecommit associates an approval rule | Terraform |
785 | CKV2_AWS_37 | resource | aws_organizations_organization | Ensure Codecommit associates an approval rule | Terraform |
786 | CKV2_AWS_37 | resource | aws_organizations_organizational_unit | Ensure Codecommit associates an approval rule | Terraform |
787 | CKV2_AWS_37 | resource | aws_organizations_policy | Ensure Codecommit associates an approval rule | Terraform |
788 | CKV2_AWS_37 | resource | aws_organizations_policy_attachment | Ensure Codecommit associates an approval rule | Terraform |
789 | CKV2_AWS_37 | resource | aws_pinpoint_adm_channel | Ensure Codecommit associates an approval rule | Terraform |
790 | CKV2_AWS_37 | resource | aws_pinpoint_apns_channel | Ensure Codecommit associates an approval rule | Terraform |
791 | CKV2_AWS_37 | resource | aws_pinpoint_apns_sandbox_channel | Ensure Codecommit associates an approval rule | Terraform |
792 | CKV2_AWS_37 | resource | aws_pinpoint_apns_voip_channel | Ensure Codecommit associates an approval rule | Terraform |
793 | CKV2_AWS_37 | resource | aws_pinpoint_apns_voip_sandbox_channel | Ensure Codecommit associates an approval rule | Terraform |
794 | CKV2_AWS_37 | resource | aws_pinpoint_app | Ensure Codecommit associates an approval rule | Terraform |
795 | CKV2_AWS_37 | resource | aws_pinpoint_baidu_channel | Ensure Codecommit associates an approval rule | Terraform |
796 | CKV2_AWS_37 | resource | aws_pinpoint_email_channel | Ensure Codecommit associates an approval rule | Terraform |
797 | CKV2_AWS_37 | resource | aws_pinpoint_event_stream | Ensure Codecommit associates an approval rule | Terraform |
798 | CKV2_AWS_37 | resource | aws_pinpoint_gcm_channel | Ensure Codecommit associates an approval rule | Terraform |
799 | CKV2_AWS_37 | resource | aws_pinpoint_sms_channel | Ensure Codecommit associates an approval rule | Terraform |
800 | CKV2_AWS_37 | resource | aws_placement_group | Ensure Codecommit associates an approval rule | Terraform |
801 | CKV2_AWS_37 | resource | aws_proxy_protocol_policy | Ensure Codecommit associates an approval rule | Terraform |
802 | CKV2_AWS_37 | resource | aws_qldb_ledger | Ensure Codecommit associates an approval rule | Terraform |
803 | CKV2_AWS_37 | resource | aws_quicksight_group | Ensure Codecommit associates an approval rule | Terraform |
804 | CKV2_AWS_37 | resource | aws_quicksight_user | Ensure Codecommit associates an approval rule | Terraform |
805 | CKV2_AWS_37 | resource | aws_ram_principal_association | Ensure Codecommit associates an approval rule | Terraform |
806 | CKV2_AWS_37 | resource | aws_ram_resource_association | Ensure Codecommit associates an approval rule | Terraform |
807 | CKV2_AWS_37 | resource | aws_ram_resource_share | Ensure Codecommit associates an approval rule | Terraform |
808 | CKV2_AWS_37 | resource | aws_ram_resource_share_accepter | Ensure Codecommit associates an approval rule | Terraform |
809 | CKV2_AWS_37 | resource | aws_rds_cluster | Ensure Codecommit associates an approval rule | Terraform |
810 | CKV2_AWS_37 | resource | aws_rds_cluster_endpoint | Ensure Codecommit associates an approval rule | Terraform |
811 | CKV2_AWS_37 | resource | aws_rds_cluster_instance | Ensure Codecommit associates an approval rule | Terraform |
812 | CKV2_AWS_37 | resource | aws_rds_cluster_parameter_group | Ensure Codecommit associates an approval rule | Terraform |
813 | CKV2_AWS_37 | resource | aws_rds_global_cluster | Ensure Codecommit associates an approval rule | Terraform |
814 | CKV2_AWS_37 | resource | aws_redshift_cluster | Ensure Codecommit associates an approval rule | Terraform |
815 | CKV2_AWS_37 | resource | aws_redshift_event_subscription | Ensure Codecommit associates an approval rule | Terraform |
816 | CKV2_AWS_37 | resource | aws_redshift_parameter_group | Ensure Codecommit associates an approval rule | Terraform |
817 | CKV2_AWS_37 | resource | aws_redshift_security_group | Ensure Codecommit associates an approval rule | Terraform |
818 | CKV2_AWS_37 | resource | aws_redshift_snapshot_copy_grant | Ensure Codecommit associates an approval rule | Terraform |
819 | CKV2_AWS_37 | resource | aws_redshift_snapshot_schedule | Ensure Codecommit associates an approval rule | Terraform |
820 | CKV2_AWS_37 | resource | aws_redshift_snapshot_schedule_association | Ensure Codecommit associates an approval rule | Terraform |
821 | CKV2_AWS_37 | resource | aws_redshift_subnet_group | Ensure Codecommit associates an approval rule | Terraform |
822 | CKV2_AWS_37 | resource | aws_resourcegroups_group | Ensure Codecommit associates an approval rule | Terraform |
823 | CKV2_AWS_37 | resource | aws_root | Ensure Codecommit associates an approval rule | Terraform |
824 | CKV2_AWS_37 | resource | aws_root_access_key | Ensure Codecommit associates an approval rule | Terraform |
825 | CKV2_AWS_37 | resource | aws_route | Ensure Codecommit associates an approval rule | Terraform |
826 | CKV2_AWS_37 | resource | aws_route53_delegation_set | Ensure Codecommit associates an approval rule | Terraform |
827 | CKV2_AWS_37 | resource | aws_route53_health_check | Ensure Codecommit associates an approval rule | Terraform |
828 | CKV2_AWS_37 | resource | aws_route53_query_log | Ensure Codecommit associates an approval rule | Terraform |
829 | CKV2_AWS_37 | resource | aws_route53_record | Ensure Codecommit associates an approval rule | Terraform |
830 | CKV2_AWS_37 | resource | aws_route53_resolver_endpoint | Ensure Codecommit associates an approval rule | Terraform |
831 | CKV2_AWS_37 | resource | aws_route53_resolver_rule | Ensure Codecommit associates an approval rule | Terraform |
832 | CKV2_AWS_37 | resource | aws_route53_resolver_rule_association | Ensure Codecommit associates an approval rule | Terraform |
833 | CKV2_AWS_37 | resource | aws_route53_vpc_association_authorization | Ensure Codecommit associates an approval rule | Terraform |
834 | CKV2_AWS_37 | resource | aws_route53_zone | Ensure Codecommit associates an approval rule | Terraform |
835 | CKV2_AWS_37 | resource | aws_route53_zone_association | Ensure Codecommit associates an approval rule | Terraform |
836 | CKV2_AWS_37 | resource | aws_route_table | Ensure Codecommit associates an approval rule | Terraform |
837 | CKV2_AWS_37 | resource | aws_route_table_association | Ensure Codecommit associates an approval rule | Terraform |
838 | CKV2_AWS_37 | resource | aws_s3_access_point | Ensure Codecommit associates an approval rule | Terraform |
839 | CKV2_AWS_37 | resource | aws_s3_account_public_access_block | Ensure Codecommit associates an approval rule | Terraform |
840 | CKV2_AWS_37 | resource | aws_s3_bucket | Ensure Codecommit associates an approval rule | Terraform |
841 | CKV2_AWS_37 | resource | aws_s3_bucket_analytics_configuration | Ensure Codecommit associates an approval rule | Terraform |
842 | CKV2_AWS_37 | resource | aws_s3_bucket_inventory | Ensure Codecommit associates an approval rule | Terraform |
843 | CKV2_AWS_37 | resource | aws_s3_bucket_metric | Ensure Codecommit associates an approval rule | Terraform |
844 | CKV2_AWS_37 | resource | aws_s3_bucket_notification | Ensure Codecommit associates an approval rule | Terraform |
845 | CKV2_AWS_37 | resource | aws_s3_bucket_object | Ensure Codecommit associates an approval rule | Terraform |
846 | CKV2_AWS_37 | resource | aws_s3_bucket_policy | Ensure Codecommit associates an approval rule | Terraform |
847 | CKV2_AWS_37 | resource | aws_s3_bucket_public_access_block | Ensure Codecommit associates an approval rule | Terraform |
848 | CKV2_AWS_37 | resource | aws_sagemaker_endpoint | Ensure Codecommit associates an approval rule | Terraform |
849 | CKV2_AWS_37 | resource | aws_sagemaker_endpoint_configuration | Ensure Codecommit associates an approval rule | Terraform |
850 | CKV2_AWS_37 | resource | aws_sagemaker_model | Ensure Codecommit associates an approval rule | Terraform |
851 | CKV2_AWS_37 | resource | aws_sagemaker_notebook_instance | Ensure Codecommit associates an approval rule | Terraform |
852 | CKV2_AWS_37 | resource | aws_sagemaker_notebook_instance_lifecycle_configuration | Ensure Codecommit associates an approval rule | Terraform |
853 | CKV2_AWS_37 | resource | aws_secretsmanager_secret | Ensure Codecommit associates an approval rule | Terraform |
854 | CKV2_AWS_37 | resource | aws_secretsmanager_secret_rotation | Ensure Codecommit associates an approval rule | Terraform |
855 | CKV2_AWS_37 | resource | aws_secretsmanager_secret_version | Ensure Codecommit associates an approval rule | Terraform |
856 | CKV2_AWS_37 | resource | aws_security_group | Ensure Codecommit associates an approval rule | Terraform |
857 | CKV2_AWS_37 | resource | aws_security_group_rule | Ensure Codecommit associates an approval rule | Terraform |
858 | CKV2_AWS_37 | resource | aws_securityhub_account | Ensure Codecommit associates an approval rule | Terraform |
859 | CKV2_AWS_37 | resource | aws_securityhub_member | Ensure Codecommit associates an approval rule | Terraform |
860 | CKV2_AWS_37 | resource | aws_securityhub_product_subscription | Ensure Codecommit associates an approval rule | Terraform |
861 | CKV2_AWS_37 | resource | aws_securityhub_standards_subscription | Ensure Codecommit associates an approval rule | Terraform |
862 | CKV2_AWS_37 | resource | aws_service_discovery_http_namespace | Ensure Codecommit associates an approval rule | Terraform |
863 | CKV2_AWS_37 | resource | aws_service_discovery_private_dns_namespace | Ensure Codecommit associates an approval rule | Terraform |
864 | CKV2_AWS_37 | resource | aws_service_discovery_public_dns_namespace | Ensure Codecommit associates an approval rule | Terraform |
865 | CKV2_AWS_37 | resource | aws_service_discovery_service | Ensure Codecommit associates an approval rule | Terraform |
866 | CKV2_AWS_37 | resource | aws_servicecatalog_portfolio | Ensure Codecommit associates an approval rule | Terraform |
867 | CKV2_AWS_37 | resource | aws_servicequotas_service_quota | Ensure Codecommit associates an approval rule | Terraform |
868 | CKV2_AWS_37 | resource | aws_ses_active_receipt_rule_set | Ensure Codecommit associates an approval rule | Terraform |
869 | CKV2_AWS_37 | resource | aws_ses_configuration_set | Ensure Codecommit associates an approval rule | Terraform |
870 | CKV2_AWS_37 | resource | aws_ses_domain_dkim | Ensure Codecommit associates an approval rule | Terraform |
871 | CKV2_AWS_37 | resource | aws_ses_domain_identity | Ensure Codecommit associates an approval rule | Terraform |
872 | CKV2_AWS_37 | resource | aws_ses_domain_identity_verification | Ensure Codecommit associates an approval rule | Terraform |
873 | CKV2_AWS_37 | resource | aws_ses_domain_mail_from | Ensure Codecommit associates an approval rule | Terraform |
874 | CKV2_AWS_37 | resource | aws_ses_email_identity | Ensure Codecommit associates an approval rule | Terraform |
875 | CKV2_AWS_37 | resource | aws_ses_event_destination | Ensure Codecommit associates an approval rule | Terraform |
876 | CKV2_AWS_37 | resource | aws_ses_identity_notification_topic | Ensure Codecommit associates an approval rule | Terraform |
877 | CKV2_AWS_37 | resource | aws_ses_identity_policy | Ensure Codecommit associates an approval rule | Terraform |
878 | CKV2_AWS_37 | resource | aws_ses_receipt_filter | Ensure Codecommit associates an approval rule | Terraform |
879 | CKV2_AWS_37 | resource | aws_ses_receipt_rule | Ensure Codecommit associates an approval rule | Terraform |
880 | CKV2_AWS_37 | resource | aws_ses_receipt_rule_set | Ensure Codecommit associates an approval rule | Terraform |
881 | CKV2_AWS_37 | resource | aws_ses_template | Ensure Codecommit associates an approval rule | Terraform |
882 | CKV2_AWS_37 | resource | aws_sfn_activity | Ensure Codecommit associates an approval rule | Terraform |
883 | CKV2_AWS_37 | resource | aws_sfn_state_machine | Ensure Codecommit associates an approval rule | Terraform |
884 | CKV2_AWS_37 | resource | aws_shield_protection | Ensure Codecommit associates an approval rule | Terraform |
885 | CKV2_AWS_37 | resource | aws_simpledb_domain | Ensure Codecommit associates an approval rule | Terraform |
886 | CKV2_AWS_37 | resource | aws_snapshot_create_volume_permission | Ensure Codecommit associates an approval rule | Terraform |
887 | CKV2_AWS_37 | resource | aws_sns_platform_application | Ensure Codecommit associates an approval rule | Terraform |
888 | CKV2_AWS_37 | resource | aws_sns_sms_preferences | Ensure Codecommit associates an approval rule | Terraform |
889 | CKV2_AWS_37 | resource | aws_sns_topic | Ensure Codecommit associates an approval rule | Terraform |
890 | CKV2_AWS_37 | resource | aws_sns_topic_policy | Ensure Codecommit associates an approval rule | Terraform |
891 | CKV2_AWS_37 | resource | aws_sns_topic_subscription | Ensure Codecommit associates an approval rule | Terraform |
892 | CKV2_AWS_37 | resource | aws_spot_datafeed_subscription | Ensure Codecommit associates an approval rule | Terraform |
893 | CKV2_AWS_37 | resource | aws_spot_fleet_request | Ensure Codecommit associates an approval rule | Terraform |
894 | CKV2_AWS_37 | resource | aws_spot_instance_request | Ensure Codecommit associates an approval rule | Terraform |
895 | CKV2_AWS_37 | resource | aws_sqs_queue | Ensure Codecommit associates an approval rule | Terraform |
896 | CKV2_AWS_37 | resource | aws_sqs_queue_policy | Ensure Codecommit associates an approval rule | Terraform |
897 | CKV2_AWS_37 | resource | aws_ssm_activation | Ensure Codecommit associates an approval rule | Terraform |
898 | CKV2_AWS_37 | resource | aws_ssm_association | Ensure Codecommit associates an approval rule | Terraform |
899 | CKV2_AWS_37 | resource | aws_ssm_document | Ensure Codecommit associates an approval rule | Terraform |
900 | CKV2_AWS_37 | resource | aws_ssm_maintenance_window | Ensure Codecommit associates an approval rule | Terraform |
901 | CKV2_AWS_37 | resource | aws_ssm_maintenance_window_target | Ensure Codecommit associates an approval rule | Terraform |
902 | CKV2_AWS_37 | resource | aws_ssm_maintenance_window_task | Ensure Codecommit associates an approval rule | Terraform |
903 | CKV2_AWS_37 | resource | aws_ssm_parameter | Ensure Codecommit associates an approval rule | Terraform |
904 | CKV2_AWS_37 | resource | aws_ssm_patch_baseline | Ensure Codecommit associates an approval rule | Terraform |
905 | CKV2_AWS_37 | resource | aws_ssm_patch_group | Ensure Codecommit associates an approval rule | Terraform |
906 | CKV2_AWS_37 | resource | aws_ssm_resource_data_sync | Ensure Codecommit associates an approval rule | Terraform |
907 | CKV2_AWS_37 | resource | aws_storagegateway_cache | Ensure Codecommit associates an approval rule | Terraform |
908 | CKV2_AWS_37 | resource | aws_storagegateway_cached_iscsi_volume | Ensure Codecommit associates an approval rule | Terraform |
909 | CKV2_AWS_37 | resource | aws_storagegateway_gateway | Ensure Codecommit associates an approval rule | Terraform |
910 | CKV2_AWS_37 | resource | aws_storagegateway_nfs_file_share | Ensure Codecommit associates an approval rule | Terraform |
911 | CKV2_AWS_37 | resource | aws_storagegateway_smb_file_share | Ensure Codecommit associates an approval rule | Terraform |
912 | CKV2_AWS_37 | resource | aws_storagegateway_upload_buffer | Ensure Codecommit associates an approval rule | Terraform |
913 | CKV2_AWS_37 | resource | aws_storagegateway_working_storage | Ensure Codecommit associates an approval rule | Terraform |
914 | CKV2_AWS_37 | resource | aws_subnet | Ensure Codecommit associates an approval rule | Terraform |
915 | CKV2_AWS_37 | resource | aws_swf_domain | Ensure Codecommit associates an approval rule | Terraform |
916 | CKV2_AWS_37 | resource | aws_transfer_server | Ensure Codecommit associates an approval rule | Terraform |
917 | CKV2_AWS_37 | resource | aws_transfer_ssh_key | Ensure Codecommit associates an approval rule | Terraform |
918 | CKV2_AWS_37 | resource | aws_transfer_user | Ensure Codecommit associates an approval rule | Terraform |
919 | CKV2_AWS_37 | resource | aws_volume_attachment | Ensure Codecommit associates an approval rule | Terraform |
920 | CKV2_AWS_37 | resource | aws_vpc | Ensure Codecommit associates an approval rule | Terraform |
921 | CKV2_AWS_37 | resource | aws_vpc_dhcp_options | Ensure Codecommit associates an approval rule | Terraform |
922 | CKV2_AWS_37 | resource | aws_vpc_dhcp_options_association | Ensure Codecommit associates an approval rule | Terraform |
923 | CKV2_AWS_37 | resource | aws_vpc_endpoint | Ensure Codecommit associates an approval rule | Terraform |
924 | CKV2_AWS_37 | resource | aws_vpc_endpoint_connection_notification | Ensure Codecommit associates an approval rule | Terraform |
925 | CKV2_AWS_37 | resource | aws_vpc_endpoint_route_table_association | Ensure Codecommit associates an approval rule | Terraform |
926 | CKV2_AWS_37 | resource | aws_vpc_endpoint_service | Ensure Codecommit associates an approval rule | Terraform |
927 | CKV2_AWS_37 | resource | aws_vpc_endpoint_service_allowed_principal | Ensure Codecommit associates an approval rule | Terraform |
928 | CKV2_AWS_37 | resource | aws_vpc_endpoint_subnet_association | Ensure Codecommit associates an approval rule | Terraform |
929 | CKV2_AWS_37 | resource | aws_vpc_ipv4_cidr_block_association | Ensure Codecommit associates an approval rule | Terraform |
930 | CKV2_AWS_37 | resource | aws_vpc_peering_connection | Ensure Codecommit associates an approval rule | Terraform |
931 | CKV2_AWS_37 | resource | aws_vpc_peering_connection_accepter | Ensure Codecommit associates an approval rule | Terraform |
932 | CKV2_AWS_37 | resource | aws_vpc_peering_connection_options | Ensure Codecommit associates an approval rule | Terraform |
933 | CKV2_AWS_37 | resource | aws_vpn_connection | Ensure Codecommit associates an approval rule | Terraform |
934 | CKV2_AWS_37 | resource | aws_vpn_connection_route | Ensure Codecommit associates an approval rule | Terraform |
935 | CKV2_AWS_37 | resource | aws_vpn_gateway | Ensure Codecommit associates an approval rule | Terraform |
936 | CKV2_AWS_37 | resource | aws_vpn_gateway_attachment | Ensure Codecommit associates an approval rule | Terraform |
937 | CKV2_AWS_37 | resource | aws_vpn_gateway_route_propagation | Ensure Codecommit associates an approval rule | Terraform |
938 | CKV2_AWS_37 | resource | aws_waf_byte_match_set | Ensure Codecommit associates an approval rule | Terraform |
939 | CKV2_AWS_37 | resource | aws_waf_geo_match_set | Ensure Codecommit associates an approval rule | Terraform |
940 | CKV2_AWS_37 | resource | aws_waf_ipset | Ensure Codecommit associates an approval rule | Terraform |
941 | CKV2_AWS_37 | resource | aws_waf_rate_based_rule | Ensure Codecommit associates an approval rule | Terraform |
942 | CKV2_AWS_37 | resource | aws_waf_regex_match_set | Ensure Codecommit associates an approval rule | Terraform |
943 | CKV2_AWS_37 | resource | aws_waf_regex_pattern_set | Ensure Codecommit associates an approval rule | Terraform |
944 | CKV2_AWS_37 | resource | aws_waf_rule | Ensure Codecommit associates an approval rule | Terraform |
945 | CKV2_AWS_37 | resource | aws_waf_rule_group | Ensure Codecommit associates an approval rule | Terraform |
946 | CKV2_AWS_37 | resource | aws_waf_size_constraint_set | Ensure Codecommit associates an approval rule | Terraform |
947 | CKV2_AWS_37 | resource | aws_waf_sql_injection_match_set | Ensure Codecommit associates an approval rule | Terraform |
948 | CKV2_AWS_37 | resource | aws_waf_web_acl | Ensure Codecommit associates an approval rule | Terraform |
949 | CKV2_AWS_37 | resource | aws_waf_xss_match_set | Ensure Codecommit associates an approval rule | Terraform |
950 | CKV2_AWS_37 | resource | aws_wafregional_byte_match_set | Ensure Codecommit associates an approval rule | Terraform |
951 | CKV2_AWS_37 | resource | aws_wafregional_geo_match_set | Ensure Codecommit associates an approval rule | Terraform |
952 | CKV2_AWS_37 | resource | aws_wafregional_ipset | Ensure Codecommit associates an approval rule | Terraform |
953 | CKV2_AWS_37 | resource | aws_wafregional_rate_based_rule | Ensure Codecommit associates an approval rule | Terraform |
954 | CKV2_AWS_37 | resource | aws_wafregional_regex_match_set | Ensure Codecommit associates an approval rule | Terraform |
955 | CKV2_AWS_37 | resource | aws_wafregional_regex_pattern_set | Ensure Codecommit associates an approval rule | Terraform |
956 | CKV2_AWS_37 | resource | aws_wafregional_rule | Ensure Codecommit associates an approval rule | Terraform |
957 | CKV2_AWS_37 | resource | aws_wafregional_rule_group | Ensure Codecommit associates an approval rule | Terraform |
958 | CKV2_AWS_37 | resource | aws_wafregional_size_constraint_set | Ensure Codecommit associates an approval rule | Terraform |
959 | CKV2_AWS_37 | resource | aws_wafregional_sql_injection_match_set | Ensure Codecommit associates an approval rule | Terraform |
960 | CKV2_AWS_37 | resource | aws_wafregional_web_acl | Ensure Codecommit associates an approval rule | Terraform |
961 | CKV2_AWS_37 | resource | aws_wafregional_web_acl_association | Ensure Codecommit associates an approval rule | Terraform |
962 | CKV2_AWS_37 | resource | aws_wafregional_xss_match_set | Ensure Codecommit associates an approval rule | Terraform |
963 | CKV2_AWS_37 | resource | aws_wafv2_ip_set | Ensure Codecommit associates an approval rule | Terraform |
964 | CKV2_AWS_37 | resource | aws_wafv2_regex_pattern_set | Ensure Codecommit associates an approval rule | Terraform |
965 | CKV2_AWS_37 | resource | aws_wafv2_rule_group | Ensure Codecommit associates an approval rule | Terraform |
966 | CKV2_AWS_37 | resource | aws_wafv2_web_acl | Ensure Codecommit associates an approval rule | Terraform |
967 | CKV2_AWS_37 | resource | aws_wafv2_web_acl_association | Ensure Codecommit associates an approval rule | Terraform |
968 | CKV2_AWS_37 | resource | aws_wafv2_web_acl_logging_configuration | Ensure Codecommit associates an approval rule | Terraform |
969 | CKV2_AWS_37 | resource | aws_worklink_fleet | Ensure Codecommit associates an approval rule | Terraform |
970 | CKV2_AWS_37 | resource | aws_worklink_website_certificate_authority_association | Ensure Codecommit associates an approval rule | Terraform |
971 | CKV2_AWS_37 | resource | aws_workspaces_directory | Ensure Codecommit associates an approval rule | Terraform |
972 | CKV2_AWS_37 | resource | aws_workspaces_ip_group | Ensure Codecommit associates an approval rule | Terraform |
973 | CKV2_AWS_37 | resource | aws_workspaces_workspace | Ensure Codecommit associates an approval rule | Terraform |
974 | CKV2_AWS_37 | resource | aws_xray_sampling_rule | Ensure Codecommit associates an approval rule | Terraform |
975 |
CKV_AZURE_1 |
resource |
azurerm_linux_virtual_machine |
Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) |
Terraform |
976 |
CKV_AZURE_1 |
resource |
azurerm_virtual_machine |
Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) |
Terraform |
977 |
CKV_AZURE_2 |
resource |
azurerm_managed_disk |
Ensure Azure managed disk has encryption enabled |
Terraform |
978 |
CKV_AZURE_3 |
resource |
azurerm_storage_account |
Ensure that ‘Secure transfer required’ is set to ‘Enabled’ |
Terraform |
979 |
CKV_AZURE_4 |
resource |
azurerm_kubernetes_cluster |
Ensure AKS logging to Azure Monitoring is Configured |
Terraform |
980 |
CKV_AZURE_5 |
resource |
azurerm_kubernetes_cluster |
Ensure RBAC is enabled on AKS clusters |
Terraform |
981 |
CKV_AZURE_6 |
resource |
azurerm_kubernetes_cluster |
Ensure AKS has an API Server Authorized IP Ranges enabled |
Terraform |
982 |
CKV_AZURE_7 |
resource |
azurerm_kubernetes_cluster |
Ensure AKS cluster has Network Policy configured |
Terraform |
983 |
CKV_AZURE_8 |
resource |
azurerm_kubernetes_cluster |
Ensure Kubernetes Dashboard is disabled |
Terraform |
984 |
CKV_AZURE_9 |
resource |
azurerm_network_security_group |
Ensure that RDP access is restricted from the internet |
Terraform |
985 |
CKV_AZURE_9 |
resource |
azurerm_network_security_rule |
Ensure that RDP access is restricted from the internet |
Terraform |
986 |
CKV_AZURE_10 |
resource |
azurerm_network_security_group |
Ensure that SSH access is restricted from the internet |
Terraform |
987 |
CKV_AZURE_10 |
resource |
azurerm_network_security_rule |
Ensure that SSH access is restricted from the internet |
Terraform |
988 |
CKV_AZURE_11 |
resource |
azurerm_mariadb_firewall_rule |
Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) |
Terraform |
989 |
CKV_AZURE_11 |
resource |
azurerm_mysql_firewall_rule |
Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) |
Terraform |
990 |
CKV_AZURE_11 |
resource |
azurerm_postgresql_firewall_rule |
Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) |
Terraform |
991 |
CKV_AZURE_11 |
resource |
azurerm_sql_firewall_rule |
Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) |
Terraform |
992 |
CKV_AZURE_12 |
resource |
azurerm_network_watcher_flow_log |
Ensure that Network Security Group Flow Log retention period is ‘greater than 90 days’ |
Terraform |
993 |
CKV_AZURE_13 |
resource |
azurerm_app_service |
Ensure App Service Authentication is set on Azure App Service |
Terraform |
994 |
CKV_AZURE_14 |
resource |
azurerm_app_service |
Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service |
Terraform |
995 |
CKV_AZURE_15 |
resource |
azurerm_app_service |
Ensure web app is using the latest version of TLS encryption |
Terraform |
996 |
CKV_AZURE_16 |
resource |
azurerm_app_service |
Ensure that Register with Azure Active Directory is enabled on App Service |
Terraform |
997 |
CKV_AZURE_17 |
resource |
azurerm_app_service |
Ensure the web app has ‘Client Certificates (Incoming client certificates)’ set |
Terraform |
998 |
CKV_AZURE_18 |
resource |
azurerm_app_service |
Ensure that ‘HTTP Version’ is the latest if used to run the web app |
Terraform |
999 |
CKV_AZURE_19 |
resource |
azurerm_security_center_subscription_pricing |
Ensure that standard pricing tier is selected |
Terraform |
1000 |
CKV_AZURE_20 |
resource |
azurerm_security_center_contact |
Ensure that security contact ‘Phone number’ is set |
Terraform |
1001 |
CKV_AZURE_21 |
resource |
azurerm_security_center_contact |
Ensure that ‘Send email notification for high severity alerts’ is set to ‘On’ |
Terraform |
1002 |
CKV_AZURE_22 |
resource |
azurerm_security_center_contact |
Ensure that ‘Send email notification for high severity alerts’ is set to ‘On’ |
Terraform |
1003 |
CKV_AZURE_23 |
resource |
azurerm_mssql_server |
Ensure that ‘Auditing’ is set to ‘On’ for SQL servers |
Terraform |
1004 |
CKV_AZURE_23 |
resource |
azurerm_mssql_server_extended_auditing_policy |
Ensure that ‘Auditing’ is set to ‘On’ for SQL servers |
Terraform |
1005 |
CKV_AZURE_23 |
resource |
azurerm_sql_server |
Ensure that ‘Auditing’ is set to ‘On’ for SQL servers |
Terraform |
1006 |
CKV_AZURE_24 |
resource |
azurerm_mssql_server |
Ensure that ‘Auditing’ Retention is ‘greater than 90 days’ for SQL servers |
Terraform |
1007 |
CKV_AZURE_24 |
resource |
azurerm_mssql_server_extended_auditing_policy |
Ensure that ‘Auditing’ Retention is ‘greater than 90 days’ for SQL servers |
Terraform |
1008 |
CKV_AZURE_24 |
resource |
azurerm_sql_server |
Ensure that ‘Auditing’ Retention is ‘greater than 90 days’ for SQL servers |
Terraform |
1009 |
CKV_AZURE_25 |
resource |
azurerm_mssql_server_security_alert_policy |
Ensure that ‘Threat Detection types’ is set to ‘All’ |
Terraform |
1010 |
CKV_AZURE_26 |
resource |
azurerm_mssql_server_security_alert_policy |
Ensure that ‘Send Alerts To’ is enabled for MSSQL servers |
Terraform |
1011 |
CKV_AZURE_27 |
resource |
azurerm_mssql_server_security_alert_policy |
Ensure that ‘Email service and co-administrators’ is ‘Enabled’ for MSSQL servers |
Terraform |
1012 |
CKV_AZURE_28 |
resource |
azurerm_mysql_server |
Ensure ‘Enforce SSL connection’ is set to ‘ENABLED’ for MySQL Database Server |
Terraform |
1013 |
CKV_AZURE_29 |
resource |
azurerm_postgresql_server |
Ensure ‘Enforce SSL connection’ is set to ‘ENABLED’ for PostgreSQL Database Server |
Terraform |
1014 |
CKV_AZURE_30 |
resource |
azurerm_postgresql_configuration |
Ensure server parameter ‘log_checkpoints’ is set to ‘ON’ for PostgreSQL Database Server |
Terraform |
1015 |
CKV_AZURE_31 |
resource |
azurerm_postgresql_configuration |
Ensure server parameter ‘log_connections’ is set to ‘ON’ for PostgreSQL Database Server |
Terraform |
1016 |
CKV_AZURE_32 |
resource |
azurerm_postgresql_configuration |
Ensure server parameter ‘connection_throttling’ is set to ‘ON’ for PostgreSQL Database Server |
Terraform |
|      | Id | Type | Entity | Policy | IaC |
|------|----|------|--------|--------|-----|
| 1017 | CKV_AZURE_33 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Queue service for read, write and delete requests | Terraform |
| 1018 | CKV_AZURE_34 | resource | azurerm_storage_container | Ensure that ‘Public access level’ is set to Private for blob containers | Terraform |
| 1019 | CKV_AZURE_35 | resource | azurerm_storage_account | Ensure default network access rule for Storage Accounts is set to deny | Terraform |
| 1020 | CKV_AZURE_35 | resource | azurerm_storage_account_network_rules | Ensure default network access rule for Storage Accounts is set to deny | Terraform |
| 1021 | CKV_AZURE_36 | resource | azurerm_storage_account | Ensure ‘Trusted Microsoft Services’ is enabled for Storage Account access | Terraform |
| 1022 | CKV_AZURE_36 | resource | azurerm_storage_account_network_rules | Ensure ‘Trusted Microsoft Services’ is enabled for Storage Account access | Terraform |
| 1023 | CKV_AZURE_37 | resource | azurerm_monitor_log_profile | Ensure that Activity Log Retention is set 365 days or greater | Terraform |
| 1024 | CKV_AZURE_38 | resource | azurerm_monitor_log_profile | Ensure audit profile captures all the activities | Terraform |
| 1025 | CKV_AZURE_39 | resource | azurerm_role_definition | Ensure that no custom subscription owner roles are created | Terraform |
| 1026 | CKV_AZURE_40 | resource | azurerm_key_vault_key | Ensure that the expiration date is set on all keys | Terraform |
| 1027 | CKV_AZURE_41 | resource | azurerm_key_vault_secret | Ensure that the expiration date is set on all secrets | Terraform |
| 1028 | CKV_AZURE_42 | resource | azurerm_key_vault | Ensure the key vault is recoverable | Terraform |
| 1029 | CKV_AZURE_43 | resource | azurerm_storage_account | Ensure Storage Accounts adhere to the naming rules | Terraform |
| 1030 | CKV_AZURE_44 | resource | azurerm_storage_account | Ensure Storage Account is using the latest version of TLS encryption | Terraform |
| 1031 | CKV_AZURE_45 | resource | azurerm_virtual_machine | Ensure that no sensitive credentials are exposed in VM custom_data | Terraform |
| 1032 | CKV_AZURE_47 | resource | azurerm_mariadb_server | Ensure ‘Enforce SSL connection’ is set to ‘ENABLED’ for MariaDB servers | Terraform |
| 1033 | CKV_AZURE_48 | resource | azurerm_mariadb_server | Ensure ‘public network access enabled’ is set to ‘False’ for MariaDB servers | Terraform |
| 1034 | CKV_AZURE_49 | resource | azurerm_linux_virtual_machine_scale_set | Ensure Azure linux scale set does not use basic authentication(Use SSH Key Instead) | Terraform |
| 1035 | CKV_AZURE_50 | resource | azurerm_linux_virtual_machine | Ensure Virtual Machine Extensions are not Installed | Terraform |
| 1036 | CKV_AZURE_50 | resource | azurerm_windows_virtual_machine | Ensure Virtual Machine Extensions are not Installed | Terraform |
| 1037 | CKV_AZURE_52 | resource | azurerm_mssql_server | Ensure MSSQL is using the latest version of TLS encryption | Terraform |
| 1038 | CKV_AZURE_53 | resource | azurerm_mysql_server | Ensure ‘public network access enabled’ is set to ‘False’ for mySQL servers | Terraform |
| 1039 | CKV_AZURE_54 | resource | azurerm_mysql_server | Ensure MySQL is using the latest version of TLS encryption | Terraform |
| 1040 | CKV_AZURE_55 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Servers | Terraform |
| 1041 | CKV_AZURE_56 | resource | azurerm_function_app | Ensure that function apps enables Authentication | Terraform |
| 1042 | CKV_AZURE_57 | resource | azurerm_app_service | Ensure that CORS disallows every resource to access app services | Terraform |
| 1043 | CKV_AZURE_58 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces enables managed virtual networks | Terraform |
| 1044 | CKV_AZURE_59 | resource | azurerm_storage_account | Ensure that Storage accounts disallow public access | Terraform |
| 1045 | CKV_AZURE_60 | resource | azurerm_storage_account | Ensure that storage account enables secure transfer | Terraform |
| 1046 | CKV_AZURE_61 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for App Service | Terraform |
| 1047 | CKV_AZURE_62 | resource | azurerm_function_app | Ensure function apps are not accessible from all regions | Terraform |
| 1048 | CKV_AZURE_63 | resource | azurerm_app_service | Ensure that App service enables HTTP logging | Terraform |
| 1049 | CKV_AZURE_64 | resource | azurerm_storage_sync | Ensure that Azure File Sync disables public network access | Terraform |
| 1050 | CKV_AZURE_65 | resource | azurerm_app_service | Ensure that App service enables detailed error messages | Terraform |
| 1051 | CKV_AZURE_66 | resource | azurerm_app_service | Ensure that App service enables failed request tracing | Terraform |
| 1052 | CKV_AZURE_67 | resource | azurerm_function_app | Ensure that ‘HTTP Version’ is the latest, if used to run the Function app | Terraform |
| 1053 | CKV_AZURE_67 | resource | azurerm_function_app_slot | Ensure that ‘HTTP Version’ is the latest, if used to run the Function app | Terraform |
| 1054 | CKV_AZURE_68 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server disables public network access | Terraform |
| 1055 | CKV_AZURE_69 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Azure SQL database servers | Terraform |
| 1056 | CKV_AZURE_70 | resource | azurerm_function_app | Ensure that Function apps is only accessible over HTTPS | Terraform |
| 1057 | CKV_AZURE_71 | resource | azurerm_app_service | Ensure that Managed identity provider is enabled for app services | Terraform |
| 1058 | CKV_AZURE_72 | resource | azurerm_app_service | Ensure that remote debugging is not enabled for app services | Terraform |
| 1059 | CKV_AZURE_73 | resource | azurerm_automation_variable_bool | Ensure that Automation account variables are encrypted | Terraform |
| 1060 | CKV_AZURE_73 | resource | azurerm_automation_variable_datetime | Ensure that Automation account variables are encrypted | Terraform |
| 1061 | CKV_AZURE_73 | resource | azurerm_automation_variable_int | Ensure that Automation account variables are encrypted | Terraform |
| 1062 | CKV_AZURE_73 | resource | azurerm_automation_variable_string | Ensure that Automation account variables are encrypted | Terraform |
| 1063 | CKV_AZURE_74 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer uses disk encryption | Terraform |
| 1064 | CKV_AZURE_75 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer uses double encryption | Terraform |
| 1065 | CKV_AZURE_76 | resource | azurerm_batch_account | Ensure that Azure Batch account uses key vault to encrypt data | Terraform |
| 1066 | CKV_AZURE_77 | resource | azurerm_network_security_group | Ensure that UDP Services are restricted from the Internet | Terraform |
| 1067 | CKV_AZURE_77 | resource | azurerm_network_security_rule | Ensure that UDP Services are restricted from the Internet | Terraform |
| 1068 | CKV_AZURE_78 | resource | azurerm_app_service | Ensure FTP deployments are disabled | Terraform |
| 1069 | CKV_AZURE_79 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for SQL servers on machines | Terraform |
| 1070 | CKV_AZURE_80 | resource | azurerm_app_service | Ensure that ‘Net Framework’ version is the latest, if used as a part of the web app | Terraform |
| 1071 | CKV_AZURE_81 | resource | azurerm_app_service | Ensure that ‘PHP version’ is the latest, if used to run the web app | Terraform |
| 1072 | CKV_AZURE_82 | resource | azurerm_app_service | Ensure that ‘Python version’ is the latest, if used to run the web app | Terraform |
| 1073 | CKV_AZURE_83 | resource | azurerm_app_service | Ensure that ‘Java version’ is the latest, if used to run the web app | Terraform |
| 1074 | CKV_AZURE_84 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Storage | Terraform |
| 1075 | CKV_AZURE_85 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Kubernetes | Terraform |
| 1076 | CKV_AZURE_86 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Container Registries | Terraform |
| 1077 | CKV_AZURE_87 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Key Vault | Terraform |
| 1078 | CKV_AZURE_88 | resource | azurerm_app_service | Ensure that app services use Azure Files | Terraform |
| 1079 | CKV_AZURE_89 | resource | azurerm_redis_cache | Ensure that Azure Cache for Redis disables public network access | Terraform |
| 1080 | CKV_AZURE_91 | resource | azurerm_redis_cache | Ensure that only SSL are enabled for Cache for Redis | Terraform |
| 1081 | CKV_AZURE_92 | resource | azurerm_linux_virtual_machine | Ensure that Virtual Machines use managed disks | Terraform |
| 1082 | CKV_AZURE_92 | resource | azurerm_windows_virtual_machine | Ensure that Virtual Machines use managed disks | Terraform |
| 1083 | CKV_AZURE_93 | resource | azurerm_managed_disk | Ensure that managed disks use a specific set of disk encryption sets for the customer-managed key encryption | Terraform |
| 1084 | CKV_AZURE_94 | resource | azurerm_mysql_server | Ensure that My SQL server enables geo-redundant backups | Terraform |
| 1085 | CKV_AZURE_95 | resource | azurerm_virtual_machine_scale_set | Ensure that automatic OS image patching is enabled for Virtual Machine Scale Sets | Terraform |
| 1086 | CKV_AZURE_96 | resource | azurerm_mysql_server | Ensure that MySQL server enables infrastructure encryption | Terraform |
| 1087 | CKV_AZURE_97 | resource | azurerm_linux_virtual_machine_scale_set | Ensure that Virtual machine scale sets have encryption at host enabled | Terraform |
| 1088 | CKV_AZURE_97 | resource | azurerm_windows_virtual_machine_scale_set | Ensure that Virtual machine scale sets have encryption at host enabled | Terraform |
| 1089 | CKV_AZURE_98 | resource | azurerm_container_group | Ensure that Azure Container group is deployed into virtual network | Terraform |
| 1090 | CKV_AZURE_99 | resource | azurerm_cosmosdb_account | Ensure Cosmos DB accounts have restricted access | Terraform |
| 1091 | CKV_AZURE_100 | resource | azurerm_cosmosdb_account | Ensure that Cosmos DB accounts have customer-managed keys to encrypt data at rest | Terraform |
| 1092 | CKV_AZURE_101 | resource | azurerm_cosmosdb_account | Ensure that Azure Cosmos DB disables public network access | Terraform |
| 1093 | CKV_AZURE_102 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables geo-redundant backups | Terraform |
| 1094 | CKV_AZURE_103 | resource | azurerm_data_factory | Ensure that Azure Data Factory uses Git repository for source control | Terraform |
| 1095 | CKV_AZURE_104 | resource | azurerm_data_factory | Ensure that Azure Data factory public network access is disabled | Terraform |
| 1096 | CKV_AZURE_105 | resource | azurerm_data_lake_store | Ensure that Data Lake Store accounts enables encryption | Terraform |
| 1097 | CKV_AZURE_106 | resource | azurerm_eventgrid_domain | Ensure that Azure Event Grid Domain public network access is disabled | Terraform |
| 1098 | CKV_AZURE_107 | resource | azurerm_api_management | Ensure that API management services use virtual networks | Terraform |
| 1099 | CKV_AZURE_108 | resource | azurerm_iothub | Ensure that Azure IoT Hub disables public network access | Terraform |
| 1100 | CKV_AZURE_109 | resource | azurerm_key_vault | Ensure that key vault allows firewall rules settings | Terraform |
| 1101 | CKV_AZURE_110 | resource | azurerm_key_vault | Ensure that key vault enables purge protection | Terraform |
| 1102 | CKV_AZURE_111 | resource | azurerm_key_vault | Ensure that key vault enables soft delete | Terraform |
| 1103 | CKV_AZURE_112 | resource | azurerm_key_vault_key | Ensure that key vault key is backed by HSM | Terraform |
| 1104 | CKV_AZURE_113 | resource | azurerm_mssql_server | Ensure that SQL server disables public network access | Terraform |
| 1105 | CKV_AZURE_114 | resource | azurerm_key_vault_secret | Ensure that key vault secrets have “content_type” set | Terraform |
| 1106 | CKV_AZURE_115 | resource | azurerm_kubernetes_cluster | Ensure that AKS enables private clusters | Terraform |
| 1107 | CKV_AZURE_116 | resource | azurerm_kubernetes_cluster | Ensure that AKS uses Azure Policies Add-on | Terraform |
| 1108 | CKV_AZURE_117 | resource | azurerm_kubernetes_cluster | Ensure that AKS uses disk encryption set | Terraform |
| 1109 | CKV_AZURE_118 | resource | azurerm_network_interface | Ensure that Network Interfaces disable IP forwarding | Terraform |
| 1110 | CKV_AZURE_119 | resource | azurerm_network_interface | Ensure that Network Interfaces don’t use public IPs | Terraform |
| 1111 | CKV_AZURE_120 | resource | azurerm_application_gateway | Ensure that Application Gateway enables WAF | Terraform |
| 1112 | CKV_AZURE_120 | resource | azurerm_web_application_firewall_policy | Ensure that Application Gateway enables WAF | Terraform |
| 1113 | CKV_AZURE_121 | resource | azurerm_frontdoor | Ensure that Azure Front Door enables WAF | Terraform |
| 1114 | CKV_AZURE_122 | resource | azurerm_web_application_firewall_policy | Ensure that Application Gateway uses WAF in “Detection” or “Prevention” modes | Terraform |
| 1115 | CKV_AZURE_123 | resource | azurerm_frontdoor_firewall_policy | Ensure that Azure Front Door uses WAF in “Detection” or “Prevention” modes | Terraform |
| 1116 | CKV_AZURE_124 | resource | azurerm_search_service | Ensure that Azure Cognitive Search disables public network access | Terraform |
| 1117 | CKV_AZURE_125 | resource | azurerm_service_fabric_cluster | Ensures that Service Fabric use three levels of protection available | Terraform |
| 1118 | CKV_AZURE_126 | resource | azurerm_service_fabric_cluster | Ensures that Active Directory is used for authentication for Service Fabric | Terraform |
| 1119 | CKV_AZURE_127 | resource | azurerm_mysql_server | Ensure that My SQL server enables Threat detection policy | Terraform |
| 1120 | CKV_AZURE_128 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables Threat detection policy | Terraform |
| 1121 | CKV_AZURE_129 | resource | azurerm_mariadb_server | Ensure that MariaDB server enables geo-redundant backups | Terraform |
| 1122 | CKV_AZURE_130 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables infrastructure encryption | Terraform |
| 1123 | CKV_AZURE_131 | resource | azurerm_security_center_contact | Ensure that ‘Security contact emails’ is set | Terraform |
| 1124 | CKV_AZURE_132 | resource | azurerm_cosmosdb_account | Ensure cosmosdb does not allow privileged escalation by restricting management plane changes | Terraform |
| 1125 | CKV_AZURE_133 | resource | azurerm_frontdoor_firewall_policy | Ensure Front Door WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell | Terraform |
| 1126 | CKV_AZURE_134 | resource | azurerm_cognitive_account | Ensure that Cognitive Services accounts disable public network access | Terraform |
| 1127 | CKV_AZURE_135 | resource | azurerm_web_application_firewall_policy | Ensure Application Gateway WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell | Terraform |
| 1128 | CKV_AZURE_136 | resource | azurerm_postgresql_flexible_server | Ensure that PostgreSQL Flexible server enables geo-redundant backups | Terraform |
| 1129 | CKV_AZURE_137 | resource | azurerm_container_registry | Ensure ACR admin account is disabled | Terraform |
| 1130 | CKV_AZURE_138 | resource | azurerm_container_registry | Ensures that ACR disables anonymous pulling of images | Terraform |
| 1131 | CKV_AZURE_139 | resource | azurerm_container_registry | Ensure ACR set to disable public networking | Terraform |
| 1132 | CKV_AZURE_140 | resource | azurerm_cosmosdb_account | Ensure that Local Authentication is disabled on CosmosDB | Terraform |
| 1133 | CKV_AZURE_141 | resource | azurerm_kubernetes_cluster | Ensure AKS local admin account is disabled | Terraform |
| 1134 | CKV_AZURE_142 | resource | azurerm_machine_learning_compute_cluster | Ensure Machine Learning Compute Cluster Local Authentication is disabled | Terraform |
| 1135 | CKV_AZURE_143 | resource | azurerm_kubernetes_cluster | Ensure AKS cluster nodes do not have public IP addresses | Terraform |
| 1136 | CKV_AZURE_144 | resource | azurerm_machine_learning_workspace | Ensure that Public Access is disabled for Machine Learning Workspace | Terraform |
| 1137 | CKV_AZURE_145 | resource | azurerm_function_app | Ensure Function app is using the latest version of TLS encryption | Terraform |
| 1138 | CKV_AZURE_146 | resource | azurerm_postgresql_configuration | Ensure server parameter ‘log_retention’ is set to ‘ON’ for PostgreSQL Database Server | Terraform |
| 1139 | CKV_AZURE_147 | resource | azurerm_postgresql_server | Ensure PostgreSQL is using the latest version of TLS encryption | Terraform |
| 1140 | CKV_AZURE_148 | resource | azurerm_redis_cache | Ensure Redis Cache is using the latest version of TLS encryption | Terraform |
| 1141 | CKV_AZURE_149 | resource | azurerm_linux_virtual_machine | Ensure that Virtual machine does not enable password authentication | Terraform |
| 1142 | CKV_AZURE_149 | resource | azurerm_linux_virtual_machine_scale_set | Ensure that Virtual machine does not enable password authentication | Terraform |
| 1143 | CKV_AZURE_150 | resource | azurerm_machine_learning_compute_cluster | Ensure Machine Learning Compute Cluster Minimum Nodes Set To 0 | Terraform |
| 1144 | CKV_AZURE_151 | resource | azurerm_windows_virtual_machine | Ensure Windows VM enables encryption | Terraform |
| 1145 | CKV_AZURE_152 | resource | azurerm_api_management | Ensure Client Certificates are enforced for API management | Terraform |
| 1146 | CKV_AZURE_153 | resource | azurerm_app_service_slot | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot | Terraform |
| 1147 | CKV_AZURE_154 | resource | azurerm_app_service_slot | Ensure the App service slot is using the latest version of TLS encryption | Terraform |
| 1148 | CKV_AZURE_155 | resource | azurerm_app_service_slot | Ensure debugging is disabled for the App service slot | Terraform |
| 1149 | CKV_AZURE_156 | resource | azurerm_mssql_database_extended_auditing_policy | Ensure default Auditing policy for a SQL Server is configured to capture and retain the activity logs | Terraform |
| 1150 | CKV_AZURE_157 | resource | azurerm_synapse_workspace | Ensure that Synapse workspace has data_exfiltration_protection_enabled | Terraform |
| 1151 | CKV_AZURE_158 | resource | azurerm_databricks_workspace | Ensure that databricks workspace has not public | Terraform |
| 1152 | CKV_AZURE_159 | resource | azurerm_function_app | Ensure function app builtin logging is enabled | Terraform |
| 1153 | CKV_AZURE_159 | resource | azurerm_function_app_slot | Ensure function app builtin logging is enabled | Terraform |
| 1154 | CKV_AZURE_160 | resource | azurerm_network_security_group | Ensure that HTTP (port 80) access is restricted from the internet | Terraform |
| 1155 | CKV_AZURE_160 | resource | azurerm_network_security_rule | Ensure that HTTP (port 80) access is restricted from the internet | Terraform |
| 1156 | CKV2_AZURE_1 | resource | azurerm_storage_account | Ensure storage for critical data are encrypted with Customer Managed Key | Terraform |
| 1157 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform |
| 1158 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform |
| 1159 | CKV2_AZURE_3 | resource | azurerm_mssql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform |
| 1160 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform |
| 1161 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform |
| 1162 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform |
| 1163 | CKV2_AZURE_4 | resource | azurerm_mssql_server | Ensure Azure SQL server ADS VA Send scan reports to is configured | Terraform |
| 1164 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure Azure SQL server ADS VA Send scan reports to is configured | Terraform |
| 1165 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure Azure SQL server ADS VA Send scan reports to is configured | Terraform |
| 1166 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure Azure SQL server ADS VA Send scan reports to is configured | Terraform |
| 1167 | CKV2_AZURE_5 | resource | azurerm_mssql_server | Ensure that VA setting ‘Also send email notifications to admins and subscription owners’ is set for a SQL server | Terraform |
| 1168 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting ‘Also send email notifications to admins and subscription owners’ is set for a SQL server | Terraform |
| 1169 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting ‘Also send email notifications to admins and subscription owners’ is set for a SQL server | Terraform |
| 1170 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting ‘Also send email notifications to admins and subscription owners’ is set for a SQL server | Terraform |
| 1171 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure ‘Allow access to Azure services’ for PostgreSQL Database Server is disabled | Terraform |
| 1172 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure ‘Allow access to Azure services’ for PostgreSQL Database Server is disabled | Terraform |
| 1173 | CKV2_AZURE_7 | resource | azurerm_sql_server | Ensure that Azure Active Directory Admin is configured | Terraform |
| 1174 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform |
| 1175 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform |
| 1176 | CKV2_AZURE_9 | resource | azurerm_virtual_machine | Ensure Virtual Machines are utilizing Managed Disks | Terraform |
| 1177 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform |
| 1178 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform |
| 1179 | CKV2_AZURE_11 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer encryption at rest uses a customer-managed key | Terraform |
| 1180 | CKV2_AZURE_12 | resource | azurerm_virtual_machine | Ensure that virtual machines are backed up using Azure Backup | Terraform |
| 1181 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform |
| 1182 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform |
| 1183 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform |
| 1184 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform |
| 1185 | CKV2_AZURE_15 | resource | azurerm_data_factory | Ensure that Azure data factories are encrypted with a customer-managed key | Terraform |
| 1186 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform |
| 1187 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform |
| 1188 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform |
| 1189 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform |
| 1190 | CKV2_AZURE_18 | resource | azurerm_storage_account | Ensure that Storage Accounts use customer-managed key for encryption | Terraform |
| 1191 | CKV2_AZURE_18 | resource | azurerm_storage_account_customer_managed_key | Ensure that Storage Accounts use customer-managed key for encryption | Terraform |
| 1192 | CKV2_AZURE_19 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces have no IP firewall rules attached | Terraform |
| 1193 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform |
| 1194 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform |
| 1195 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform |
| 1196 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform |
| 1197 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform |
| 1198 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform |
| 1199 | CKV2_AZURE_22 | resource | azurerm_cognitive_account | Ensure that Cognitive Services enables customer-managed key for encryption | Terraform |
| 1200 | CKV2_AZURE_22 | resource | azurerm_cognitive_account_customer_managed_key | Ensure that Cognitive Services enables customer-managed key for encryption | Terraform |
| 1201 | CKV_BCW_1 | provider | bridgecrew | Ensure no hard coded API token exist in the provider | Terraform |
| 1202 | CKV_DIO_1 | resource | digitalocean_spaces_bucket | Ensure the Spaces bucket has versioning enabled | Terraform |
| 1203 | CKV_DIO_2 | resource | digitalocean_droplet | Ensure the droplet specifies an SSH key | Terraform |
| 1204 | CKV_DIO_3 | resource | digitalocean_spaces_bucket | Ensure the Spaces bucket is private | Terraform |
| 1205 | CKV_DIO_4 | resource | digitalocean_firewall | Ensure the firewall ingress is not wide open | Terraform |
| 1206 | CKV_GCP_1 | resource | google_container_cluster | Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters | Terraform |
| 1207 | CKV_GCP_2 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted ssh access | Terraform |
| 1208 | CKV_GCP_3 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted rdp access | Terraform |
| 1209 | CKV_GCP_4 | resource | google_compute_ssl_policy | Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites | Terraform |
| 1210 | CKV_GCP_6 | resource | google_sql_database_instance | Ensure all Cloud SQL database instance requires all incoming connections to use SSL | Terraform |
| 1211 | CKV_GCP_7 | resource | google_container_cluster | Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters | Terraform |
| 1212 | CKV_GCP_8 | resource | google_container_cluster | Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters | Terraform |
| 1213 | CKV_GCP_9 | resource | google_container_node_pool | Ensure ‘Automatic node repair’ is enabled for Kubernetes Clusters | Terraform |
| 1214 | CKV_GCP_10 | resource | google_container_node_pool | Ensure ‘Automatic node upgrade’ is enabled for Kubernetes Clusters | Terraform |
| 1215 | CKV_GCP_11 | resource | google_sql_database_instance | Ensure that Cloud SQL database Instances are not open to the world | Terraform |
| 1216 | CKV_GCP_12 | resource | google_container_cluster | Ensure Network Policy is enabled on Kubernetes Engine Clusters | Terraform |
| 1217 | CKV_GCP_13 | resource | google_container_cluster | Ensure client certificate authentication to Kubernetes Engine Clusters is disabled | Terraform |
| 1218 | CKV_GCP_14 | resource | google_sql_database_instance | Ensure all Cloud SQL database instance have backup configuration enabled | Terraform |
| 1219 | CKV_GCP_15 | resource | google_bigquery_dataset | Ensure that BigQuery datasets are not anonymously or publicly accessible | Terraform |
| 1220 | CKV_GCP_16 | resource | google_dns_managed_zone | Ensure that DNSSEC is enabled for Cloud DNS | Terraform |
| 1221 | CKV_GCP_17 | resource | google_dns_managed_zone | Ensure that RSASHA1 is not used for the zone-signing and key-signing keys in Cloud DNS DNSSEC | Terraform |
| 1222 | CKV_GCP_18 | resource | google_container_cluster | Ensure GKE Control Plane is not public | Terraform |
| 1223 | CKV_GCP_19 | resource | google_container_cluster | Ensure GKE basic auth is disabled | Terraform |
| 1224 | CKV_GCP_20 | resource | google_container_cluster | Ensure master authorized networks is set to enabled in GKE clusters | Terraform |
| 1225 | CKV_GCP_21 | resource | google_container_cluster | Ensure Kubernetes Clusters are configured with Labels | Terraform |
| 1226 | CKV_GCP_22 | resource | google_container_node_pool | Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image | Terraform |
| 1227 | CKV_GCP_23 | resource | google_container_cluster | Ensure Kubernetes Cluster is created with Alias IP ranges enabled | Terraform |
| 1228 | CKV_GCP_24 | resource | google_container_cluster | Ensure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters | Terraform |
| 1229 | CKV_GCP_25 | resource | google_container_cluster | Ensure Kubernetes Cluster is created with Private cluster enabled | Terraform |
| 1230 | CKV_GCP_26 | resource | google_compute_subnetwork | Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network | Terraform |
| 1231 | CKV_GCP_27 | resource | google_project | Ensure that the default network does not exist in a project | Terraform |
| 1232 | CKV_GCP_28 | resource | google_storage_bucket_iam_binding | Ensure that Cloud Storage bucket is not anonymously or publicly accessible | Terraform |
| 1233 | CKV_GCP_28 | resource | google_storage_bucket_iam_member | Ensure that Cloud Storage bucket is not anonymously or publicly accessible | Terraform |
| 1234 | CKV_GCP_29 | resource | google_storage_bucket | Ensure that Cloud Storage buckets have uniform bucket-level access enabled | Terraform |
| 1235 | CKV_GCP_30 | resource | google_compute_instance | Ensure that instances are not configured to use the default service account | Terraform |
| 1236 | CKV_GCP_30 | resource | google_compute_instance_from_template | Ensure that instances are not configured to use the default service account | Terraform |
| 1237 | CKV_GCP_30 | resource | google_compute_instance_template | Ensure that instances are not configured to use the default service account | Terraform |
| 1238 | CKV_GCP_31 | resource | google_compute_instance | Ensure that instances are not configured to use the default service account with full access to all Cloud APIs | Terraform |
| 1239 | CKV_GCP_31 | resource | google_compute_instance_from_template | Ensure that instances are not configured to use the default service account with full access to all Cloud APIs | Terraform |
| 1240 | CKV_GCP_31 | resource | google_compute_instance_template | Ensure that instances are not configured to use the default service account with full access to all Cloud APIs | Terraform |
| 1241 | CKV_GCP_32 | resource | google_compute_instance | Ensure ‘Block Project-wide SSH keys’ is enabled for VM instances | Terraform |
| 1242 | CKV_GCP_32 | resource | google_compute_instance_from_template | Ensure ‘Block Project-wide SSH keys’ is enabled for VM instances | Terraform |
| 1243 | CKV_GCP_32 | resource | google_compute_instance_template | Ensure ‘Block Project-wide SSH keys’ is enabled for VM instances | Terraform |
| 1244 | CKV_GCP_33 | resource | google_compute_project_metadata | Ensure oslogin is enabled for a Project | Terraform |
| 1245 | CKV_GCP_34 | resource | google_compute_instance | Ensure that no instance in the project overrides the project setting for enabling OSLogin(OSLogin needs to be enabled in project metadata for all instances) | Terraform |
| 1246 | CKV_GCP_34 | resource | google_compute_instance_from_template | Ensure that no instance in the project overrides the project setting for enabling OSLogin(OSLogin needs to be enabled in project metadata for all instances) | Terraform |
| 1247 | CKV_GCP_34 | resource | google_compute_instance_template | Ensure that no instance in the project overrides the project setting for enabling OSLogin(OSLogin needs to be enabled in project metadata for all instances) | Terraform |
| 1248 | CKV_GCP_35 | resource | google_compute_instance | Ensure ‘Enable connecting to serial ports’ is not enabled for VM Instance | Terraform |
| 1249 | CKV_GCP_35 | resource | google_compute_instance_from_template | Ensure ‘Enable connecting to serial ports’ is not enabled for VM Instance | Terraform |
| 1250 | CKV_GCP_35 | resource | google_compute_instance_template | Ensure ‘Enable connecting to serial ports’ is not enabled for VM Instance | Terraform |
| 1251 | CKV_GCP_36 | resource | google_compute_instance | Ensure that IP forwarding is not enabled on Instances | Terraform |
| 1252 | CKV_GCP_36 | resource | google_compute_instance_from_template | Ensure that IP forwarding is not enabled on Instances | Terraform |
| 1253 | CKV_GCP_36 | resource | google_compute_instance_template | Ensure that IP forwarding is not enabled on Instances | Terraform |
| 1254 | CKV_GCP_37 | resource | google_compute_disk | Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform |
| 1255 | CKV_GCP_38 | resource | google_compute_instance | Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform |
| 1256 | CKV_GCP_39 | resource | google_compute_instance | Ensure Compute instances are launched with Shielded VM enabled | Terraform |
| 1257 | CKV_GCP_39 | resource | google_compute_instance_from_template | Ensure Compute instances are launched with Shielded VM enabled | Terraform |
| 1258 | CKV_GCP_39 | resource | google_compute_instance_template | Ensure Compute instances are launched with Shielded VM enabled | Terraform |
| 1259 | CKV_GCP_40 | resource | google_compute_instance | Ensure that Compute instances do not have public IP addresses | Terraform |
| 1260 | CKV_GCP_40 | resource | google_compute_instance_from_template | Ensure that Compute instances do not have public IP addresses | Terraform |
| 1261 | CKV_GCP_40 | resource | google_compute_instance_template | Ensure that Compute instances do not have public IP addresses | Terraform |
| 1262 | CKV_GCP_41 | resource | google_project_iam_binding | Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level | Terraform |
| 1263 | CKV_GCP_41 | resource | google_project_iam_member | Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level | Terraform |
| 1264 | CKV_GCP_42 | resource | google_project_iam_member | Ensure that Service Account has no Admin privileges | Terraform |
| 1265 | CKV_GCP_43 | resource | google_kms_crypto_key | Ensure KMS encryption keys are rotated within a period of 90 days | Terraform |
| 1266 | CKV_GCP_44 | resource | google_folder_iam_binding | Ensure no roles that enable to impersonate and manage all service accounts are used at a folder level | Terraform |
1267 |
CKV_GCP_44 |
resource |
google_folder_iam_member |
Ensure no roles that enable to impersonate and manage all service accounts are used at a folder level |
Terraform |
1268 |
CKV_GCP_45 |
resource |
google_organization_iam_binding |
Ensure no roles that enable to impersonate and manage all service accounts are used at an organization level |
Terraform |
1269 |
CKV_GCP_45 |
resource |
google_organization_iam_member |
Ensure no roles that enable to impersonate and manage all service accounts are used at an organization level |
Terraform |
1270 |
CKV_GCP_46 |
resource |
google_project_iam_binding |
Ensure Default Service account is not used at a project level |
Terraform |
1271 |
CKV_GCP_46 |
resource |
google_project_iam_member |
Ensure Default Service account is not used at a project level |
Terraform |
1272 |
CKV_GCP_47 |
resource |
google_organization_iam_binding |
Ensure default service account is not used at an organization level |
Terraform |
1273 |
CKV_GCP_47 |
resource |
google_organization_iam_member |
Ensure default service account is not used at an organization level |
Terraform |
1274 |
CKV_GCP_48 |
resource |
google_folder_iam_binding |
Ensure Default Service account is not used at a folder level |
Terraform |
1275 |
CKV_GCP_48 |
resource |
google_folder_iam_member |
Ensure Default Service account is not used at a folder level |
Terraform |
1276 |
CKV_GCP_49 |
resource |
google_project_iam_binding |
Ensure roles do not impersonate or manage Service Accounts used at project level |
Terraform |
1277 |
CKV_GCP_49 |
resource |
google_project_iam_member |
Ensure roles do not impersonate or manage Service Accounts used at project level |
Terraform |
1278 |
CKV_GCP_50 |
resource |
google_sql_database_instance |
Ensure MySQL database ‘local_infile’ flag is set to ‘off’ |
Terraform |
1279 |
CKV_GCP_51 |
resource |
google_sql_database_instance |
Ensure PostgreSQL database ‘log_checkpoints’ flag is set to ‘on’ |
Terraform |
1280 |
CKV_GCP_52 |
resource |
google_sql_database_instance |
Ensure PostgreSQL database ‘log_connections’ flag is set to ‘on’ |
Terraform |
1281 |
CKV_GCP_53 |
resource |
google_sql_database_instance |
Ensure PostgreSQL database ‘log_disconnections’ flag is set to ‘on’ |
Terraform |
1282 |
CKV_GCP_54 |
resource |
google_sql_database_instance |
Ensure PostgreSQL database ‘log_lock_waits’ flag is set to ‘on’ |
Terraform |
1283 |
CKV_GCP_55 |
resource |
google_sql_database_instance |
Ensure PostgreSQL database ‘log_min_messages’ flag is set to a valid value |
Terraform |
1284 |
CKV_GCP_56 |
resource |
google_sql_database_instance |
Ensure PostgreSQL database ‘log_temp_files flag is set to ‘0’ |
Terraform |
1285 |
CKV_GCP_57 |
resource |
google_sql_database_instance |
Ensure PostgreSQL database ‘log_min_duration_statement’ flag is set to ‘-1’ |
Terraform |
1286 |
CKV_GCP_58 |
resource |
google_sql_database_instance |
Ensure SQL database ‘cross db ownership chaining’ flag is set to ‘off’ |
Terraform |
1287 |
CKV_GCP_59 |
resource |
google_sql_database_instance |
Ensure SQL database ‘contained database authentication’ flag is set to ‘off’ |
Terraform |
1288 |
CKV_GCP_60 |
resource |
google_sql_database_instance |
Ensure Cloud SQL database does not have public IP |
Terraform |
1289 |
CKV_GCP_61 |
resource |
google_container_cluster |
Enable VPC Flow Logs and Intranode Visibility |
Terraform |
1290 |
CKV_GCP_62 |
resource |
google_storage_bucket |
Bucket should log access |
Terraform |
1291 |
CKV_GCP_63 |
resource |
google_storage_bucket |
Bucket should not log to itself |
Terraform |
1292 |
CKV_GCP_64 |
resource |
google_container_cluster |
Ensure clusters are created with Private Nodes |
Terraform |
1293 |
CKV_GCP_65 |
resource |
google_container_cluster |
Manage Kubernetes RBAC users with Google Groups for GKE |
Terraform |
1294 |
CKV_GCP_66 |
resource |
google_container_cluster |
Ensure use of Binary Authorization |
Terraform |
1295 |
CKV_GCP_67 |
resource |
google_container_cluster |
Ensure legacy Compute Engine instance metadata APIs are Disabled |
Terraform |
1296 |
CKV_GCP_68 |
resource |
google_container_cluster |
Ensure Secure Boot for Shielded GKE Nodes is Enabled |
Terraform |
1297 |
CKV_GCP_68 |
resource |
google_container_node_pool |
Ensure Secure Boot for Shielded GKE Nodes is Enabled |
Terraform |
1298 |
CKV_GCP_69 |
resource |
google_container_cluster |
Ensure the GKE Metadata Server is Enabled |
Terraform |
1299 |
CKV_GCP_69 |
resource |
google_container_node_pool |
Ensure the GKE Metadata Server is Enabled |
Terraform |
1300 |
CKV_GCP_70 |
resource |
google_container_cluster |
Ensure the GKE Release Channel is set |
Terraform |
1301 |
CKV_GCP_71 |
resource |
google_container_cluster |
Ensure Shielded GKE Nodes are Enabled |
Terraform |
1302 |
CKV_GCP_72 |
resource |
google_container_cluster |
Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled |
Terraform |
1303 |
CKV_GCP_72 |
resource |
google_container_node_pool |
Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled |
Terraform |
1304 |
CKV_GCP_73 |
resource |
google_compute_security_policy |
Ensure Cloud Armor prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell |
Terraform |
1305 |
CKV_GCP_74 |
resource |
google_compute_subnetwork |
Ensure that private_ip_google_access is enabled for Subnet |
Terraform |
1306 |
CKV_GCP_75 |
resource |
google_compute_firewall |
Ensure Google compute firewall ingress does not allow unrestricted FTP access |
Terraform |
1307 |
CKV_GCP_76 |
resource |
google_compute_subnetwork |
Ensure that Private google access is enabled for IPV6 |
Terraform |
1308 |
CKV_GCP_77 |
resource |
google_compute_firewall |
Ensure Google compute firewall ingress does not allow on ftp port |
Terraform |
1309 |
CKV_GCP_78 |
resource |
google_storage_bucket |
Ensure Cloud storage has versioning enabled |
Terraform |
1310 |
CKV_GCP_79 |
resource |
google_sql_database_instance |
Ensure SQL database is using latest Major version |
Terraform |
1311 |
CKV_GCP_80 |
resource |
google_bigquery_table |
Ensure Big Query Tables are encrypted with Customer Supplied Encryption Keys (CSEK) |
Terraform |
1312 |
CKV_GCP_81 |
resource |
google_bigquery_dataset |
Ensure Big Query Tables are encrypted with Customer Supplied Encryption Keys (CSEK) |
Terraform |
1313 |
CKV_GCP_82 |
resource |
google_kms_crypto_key |
Ensure KMS keys are protected from deletion |
Terraform |
1314 |
CKV_GCP_83 |
resource |
google_pubsub_topic |
Ensure PubSub Topics are encrypted with Customer Supplied Encryption Keys (CSEK) |
Terraform |
1315 |
CKV_GCP_84 |
resource |
google_artifact_registry_repository |
Ensure Artifact Registry Repositories are encrypted with Customer Supplied Encryption Keys (CSEK) |
Terraform |
1316 |
CKV_GCP_85 |
resource |
google_bigtable_instance |
Ensure Big Table Instances are encrypted with Customer Supplied Encryption Keys (CSEK) |
Terraform |
1317 |
CKV_GCP_86 |
resource |
google_cloudbuild_worker_pool |
Ensure Cloud build workers are private |
Terraform |
1318 |
CKV_GCP_87 |
resource |
google_data_fusion_instance |
Ensure Data fusion instances are private |
Terraform |
1319 |
CKV_GCP_88 |
resource |
google_compute_firewall |
Ensure Google compute firewall ingress does not allow unrestricted mysql access |
Terraform |
1320 |
CKV_GCP_89 |
resource |
google_notebooks_instance |
Ensure Vertex AI instances are private |
Terraform |
1321 |
CKV_GCP_90 |
resource |
google_dataflow_job |
Ensure data flow jobs are encrypted with Customer Supplied Encryption Keys (CSEK) |
Terraform |
1322 |
CKV_GCP_91 |
resource |
google_dataproc_cluster |
Ensure Dataproc cluster is encrypted with Customer Supplied Encryption Keys (CSEK) |
Terraform |
1323 |
CKV_GCP_92 |
resource |
google_vertex_ai_dataset |
Ensure Vertex AI datasets uses a CMK (Customer Manager Key) |
Terraform |
1324 |
CKV_GCP_93 |
resource |
google_spanner_database |
Ensure Spanner Database is encrypted with Customer Supplied Encryption Keys (CSEK) |
Terraform |
1325 |
CKV_GCP_94 |
resource |
google_dataflow_job |
Ensure Dataflow jobs are private |
Terraform |
1326 |
CKV_GCP_95 |
resource |
google_redis_instance |
Ensure Memorystore for Redis has AUTH enabled |
Terraform |
1327 |
CKV_GCP_96 |
resource |
google_vertex_ai_metadata_store |
Ensure Vertex AI Metadata Store uses a CMK (Customer Manager Key) |
Terraform |
1328 |
CKV_GCP_97 |
resource |
google_redis_instance |
Ensure Memorystore for Redis uses intransit encryption |
Terraform |
1329 |
CKV_GCP_98 |
resource |
google_dataproc_cluster_iam_binding |
Ensure that Dataproc clusters are not anonymously or publicly accessible |
Terraform |
1330 |
CKV_GCP_98 |
resource |
google_dataproc_cluster_iam_member |
Ensure that Dataproc clusters are not anonymously or publicly accessible |
Terraform |
1331 |
CKV_GCP_99 |
resource |
google_pubsub_topic_iam_binding |
Ensure that Pub/Sub Topics are not anonymously or publicly accessible |
Terraform |
1332 |
CKV_GCP_99 |
resource |
google_pubsub_topic_iam_member |
Ensure that Pub/Sub Topics are not anonymously or publicly accessible |
Terraform |
1333 |
CKV_GCP_100 |
resource |
google_bigquery_table_iam_binding |
Ensure that BigQuery Tables are not anonymously or publicly accessible |
Terraform |
1334 |
CKV_GCP_100 |
resource |
google_bigquery_table_iam_member |
Ensure that BigQuery Tables are not anonymously or publicly accessible |
Terraform |
1335 |
CKV_GCP_101 |
resource |
google_artifact_registry_repository_iam_binding |
Ensure that Artifact Registry repositories are not anonymously or publicly accessible |
Terraform |
1336 |
CKV_GCP_101 |
resource |
google_artifact_registry_repository_iam_member |
Ensure that Artifact Registry repositories are not anonymously or publicly accessible |
Terraform |
1337 |
CKV_GCP_102 |
resource |
google_cloud_run_service_iam_binding |
Ensure that GCP Cloud Run services are not anonymously or publicly accessible |
Terraform |
1338 |
CKV_GCP_102 |
resource |
google_cloud_run_service_iam_member |
Ensure that GCP Cloud Run services are not anonymously or publicly accessible |
Terraform |
1339 |
CKV_GCP_103 |
resource |
google_dataproc_cluster |
Ensure Dataproc Clusters do not have public IPs |
Terraform |
1340 |
CKV_GCP_104 |
resource |
google_data_fusion_instance |
Ensure Datafusion has stack driver logging enabled |
Terraform |
1341 |
CKV_GCP_105 |
resource |
google_data_fusion_instance |
Ensure Datafusion has stack driver monitoring enabled |
Terraform |
1342 |
CKV_GCP_106 |
resource |
google_compute_firewall |
Ensure Google compute firewall ingress does not allow unrestricted http port 80 access |
Terraform |
1343 |
CKV2_GCP_1 |
resource |
google_project_default_service_accounts |
Ensure GKE clusters are not running using the Compute Engine default service account |
Terraform |
1344 |
CKV2_GCP_2 |
resource |
google_compute_network |
Ensure legacy networks do not exist for a project |
Terraform |
1345 |
CKV2_GCP_3 |
resource |
google_service_account_key |
Ensure that there are only GCP-managed service account keys for each service account |
Terraform |
1346 |
CKV2_GCP_4 |
resource |
google_logging_folder_sink |
Ensure that retention policies on log buckets are configured using Bucket Lock |
Terraform |
1347 |
CKV2_GCP_4 |
resource |
google_logging_organization_sink |
Ensure that retention policies on log buckets are configured using Bucket Lock |
Terraform |
1348 |
CKV2_GCP_4 |
resource |
google_logging_project_sink |
Ensure that retention policies on log buckets are configured using Bucket Lock |
Terraform |
1349 |
CKV2_GCP_4 |
resource |
google_storage_bucket |
Ensure that retention policies on log buckets are configured using Bucket Lock |
Terraform |
1350 |
CKV2_GCP_5 |
resource |
google_project |
Ensure that Cloud Audit Logging is configured properly across all services and all users from a project |
Terraform |
1351 |
CKV2_GCP_5 |
resource |
google_project_iam_audit_config |
Ensure that Cloud Audit Logging is configured properly across all services and all users from a project |
Terraform |
1352 |
CKV2_GCP_6 |
resource |
google_kms_crypto_key |
Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible |
Terraform |
1353 |
CKV2_GCP_6 |
resource |
google_kms_crypto_key_iam_binding |
Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible |
Terraform |
1354 |
CKV2_GCP_6 |
resource |
google_kms_crypto_key_iam_member |
Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible |
Terraform |
1355 |
CKV2_GCP_7 |
resource |
google_sql_database_instance |
Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges |
Terraform |
1356 |
CKV2_GCP_7 |
resource |
google_sql_user |
Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges |
Terraform |
1357 |
CKV2_GCP_8 |
resource |
google_kms_key_ring |
Ensure that Cloud KMS Key Rings are not anonymously or publicly accessible |
Terraform |
1358 |
CKV2_GCP_8 |
resource |
google_kms_key_ring_iam_binding |
Ensure that Cloud KMS Key Rings are not anonymously or publicly accessible |
Terraform |
1359 |
CKV2_GCP_8 |
resource |
google_kms_key_ring_iam_member |
Ensure that Cloud KMS Key Rings are not anonymously or publicly accessible |
Terraform |
1360 |
CKV2_GCP_9 |
resource |
google_container_registry |
Ensure that Container Registry repositories are not anonymously or publicly accessible |
Terraform |
1361 |
CKV2_GCP_9 |
resource |
google_storage_bucket_iam_binding |
Ensure that Container Registry repositories are not anonymously or publicly accessible |
Terraform |
1362 |
CKV2_GCP_9 |
resource |
google_storage_bucket_iam_member |
Ensure that Container Registry repositories are not anonymously or publicly accessible |
Terraform |
1363 |
CKV_GIT_1 |
resource |
github_repository |
Ensure Repository is Private |
Terraform |
1364 |
CKV_GIT_2 |
resource |
github_repository_webhook |
Ensure Repository Webhook uses secure Ssl |
Terraform |
1365 |
CKV_GIT_3 |
resource |
github_repository |
Ensure GitHub repository has vulnerability alerts enabled |
Terraform |
1366 |
CKV_GIT_4 |
resource |
github_actions_environment_secret |
Ensure Secrets are encrypted |
Terraform |
1367 |
CKV_GIT_4 |
resource |
github_actions_organization_secret |
Ensure Secrets are encrypted |
Terraform |
1368 |
CKV_GIT_4 |
resource |
github_actions_secret |
Ensure Secrets are encrypted |
Terraform |
1369 |
CKV_GIT_5 |
resource |
github_branch_protection |
Ensure at least two approving reviews for PRs |
Terraform |
1370 |
CKV_GIT_5 |
resource |
github_branch_protection_v3 |
Ensure at least two approving reviews for PRs |
Terraform |
1371 |
CKV_GIT_6 |
resource |
github_branch_protection |
Ensure all commits GPG signed |
Terraform |
1372 |
CKV_GIT_6 |
resource |
github_branch_protection_v3 |
Ensure all commits GPG signed |
Terraform |
1373 |
CKV2_GIT_1 |
resource |
github_repository |
Ensure each Repository has branch protection associated |
Terraform |
1374 |
CKV_GLB_1 |
resource |
gitlab_project |
Ensure at least two approving reviews to merge |
Terraform |
1375 |
CKV_GLB_2 |
resource |
gitlab_branch_protection |
Ensure force push is disabled |
Terraform |
1376 |
CKV_GLB_3 |
resource |
gitlab_project |
Ensure prevent secrets is enabled |
Terraform |
1377 |
CKV_GLB_4 |
resource |
gitlab_project |
Ensure commits are signed |
Terraform |
1378 |
CKV_K8S_1 |
resource |
kubernetes_pod_security_policy |
Do not admit containers wishing to share the host process ID namespace |
Terraform |
1379 |
CKV_K8S_2 |
resource |
kubernetes_pod_security_policy |
Do not admit privileged containers |
Terraform |
1380 |
CKV_K8S_3 |
resource |
kubernetes_pod_security_policy |
Do not admit containers wishing to share the host IPC namespace |
Terraform |
1381 |
CKV_K8S_4 |
resource |
kubernetes_pod_security_policy |
Do not admit containers wishing to share the host network namespace |
Terraform |
1382 |
CKV_K8S_5 |
resource |
kubernetes_pod_security_policy |
Containers should not run with allowPrivilegeEscalation |
Terraform |
1383 |
CKV_K8S_6 |
resource |
kubernetes_pod_security_policy |
Do not admit root containers |
Terraform |
1384 |
CKV_K8S_7 |
resource |
kubernetes_pod_security_policy |
Do not admit containers with the NET_RAW capability |
Terraform |
1385 |
CKV_K8S_8 |
resource |
kubernetes_pod |
Liveness Probe Should be Configured |
Terraform |
1386 |
CKV_K8S_9 |
resource |
kubernetes_pod |
Readiness Probe Should be Configured |
Terraform |
1387 |
CKV_K8S_10 |
resource |
kubernetes_pod |
CPU requests should be set |
Terraform |
1388 |
CKV_K8S_11 |
resource |
kubernetes_pod |
CPU Limits should be set |
Terraform |
1389 |
CKV_K8S_12 |
resource |
kubernetes_pod |
Memory Limits should be set |
Terraform |
1390 |
CKV_K8S_13 |
resource |
kubernetes_pod |
Memory requests should be set |
Terraform |
1391 |
CKV_K8S_14 |
resource |
kubernetes_pod |
Image Tag should be fixed - not latest or blank |
Terraform |
1392 |
CKV_K8S_15 |
resource |
kubernetes_pod |
Image Pull Policy should be Always |
Terraform |
1393 |
CKV_K8S_16 |
resource |
kubernetes_pod |
Do not admit privileged containers |
Terraform |
1394 |
CKV_K8S_17 |
resource |
kubernetes_pod |
Do not admit containers wishing to share the host process ID namespace |
Terraform |
1395 |
CKV_K8S_18 |
resource |
kubernetes_pod |
Do not admit containers wishing to share the host IPC namespace |
Terraform |
1396 |
CKV_K8S_19 |
resource |
kubernetes_pod |
Do not admit containers wishing to share the host network namespace |
Terraform |
1397 |
CKV_K8S_20 |
resource |
kubernetes_pod |
Containers should not run with allowPrivilegeEscalation |
Terraform |
1398 |
CKV_K8S_21 |
resource |
kubernetes_config_map |
The default namespace should not be used |
Terraform |
1399 |
CKV_K8S_21 |
resource |
kubernetes_cron_job |
The default namespace should not be used |
Terraform |
1400 |
CKV_K8S_21 |
resource |
kubernetes_daemonset |
The default namespace should not be used |
Terraform |
1401 |
CKV_K8S_21 |
resource |
kubernetes_deployment |
The default namespace should not be used |
Terraform |
1402 |
CKV_K8S_21 |
resource |
kubernetes_ingress |
The default namespace should not be used |
Terraform |
1403 |
CKV_K8S_21 |
resource |
kubernetes_job |
The default namespace should not be used |
Terraform |
1404 |
CKV_K8S_21 |
resource |
kubernetes_pod |
The default namespace should not be used |
Terraform |
1405 |
CKV_K8S_21 |
resource |
kubernetes_replication_controller |
The default namespace should not be used |
Terraform |
1406 |
CKV_K8S_21 |
resource |
kubernetes_role_binding |
The default namespace should not be used |
Terraform |
1407 |
CKV_K8S_21 |
resource |
kubernetes_secret |
The default namespace should not be used |
Terraform |
1408 |
CKV_K8S_21 |
resource |
kubernetes_service |
The default namespace should not be used |
Terraform |
1409 |
CKV_K8S_21 |
resource |
kubernetes_service_account |
The default namespace should not be used |
Terraform |
1410 |
CKV_K8S_21 |
resource |
kubernetes_stateful_set |
The default namespace should not be used |
Terraform |
1411 |
CKV_K8S_22 |
resource |
kubernetes_pod |
Use read-only filesystem for containers where possible |
Terraform |
1412 |
CKV_K8S_24 |
resource |
kubernetes_pod_security_policy |
Do not allow containers with added capability |
Terraform |
1413 |
CKV_K8S_25 |
resource |
kubernetes_pod |
Minimize the admission of containers with added capability |
Terraform |
1414 |
CKV_K8S_26 |
resource |
kubernetes_pod |
Do not specify hostPort unless absolutely necessary |
Terraform |
1415 |
CKV_K8S_27 |
resource |
kubernetes_daemonset |
Do not expose the docker daemon socket to containers |
Terraform |
1416 |
CKV_K8S_27 |
resource |
kubernetes_deployment |
Do not expose the docker daemon socket to containers |
Terraform |
1417 |
CKV_K8S_27 |
resource |
kubernetes_pod |
Do not expose the docker daemon socket to containers |
Terraform |
1418 |
CKV_K8S_28 |
resource |
kubernetes_pod |
Minimize the admission of containers with the NET_RAW capability |
Terraform |
1419 |
CKV_K8S_29 |
resource |
kubernetes_daemonset |
Apply security context to your pods and containers |
Terraform |
1420 |
CKV_K8S_29 |
resource |
kubernetes_deployment |
Apply security context to your pods and containers |
Terraform |
1421 |
CKV_K8S_29 |
resource |
kubernetes_pod |
Apply security context to your pods and containers |
Terraform |
1422 |
CKV_K8S_30 |
resource |
kubernetes_pod |
Apply security context to your pods and containers |
Terraform |
1423 |
CKV_K8S_32 |
resource |
kubernetes_pod_security_policy |
Ensure default seccomp profile set to docker/default or runtime/default |
Terraform |
1424 |
CKV_K8S_34 |
resource |
kubernetes_pod |
Ensure that Tiller (Helm v2) is not deployed |
Terraform |
1425 |
CKV_K8S_35 |
resource |
kubernetes_pod |
Prefer using secrets as files over secrets as environment variables |
Terraform |
1426 |
CKV_K8S_36 |
resource |
kubernetes_pod_security_policy |
Minimise the admission of containers with capabilities assigned |
Terraform |
1427 |
CKV_K8S_37 |
resource |
kubernetes_pod |
Minimise the admission of containers with capabilities assigned |
Terraform |
1428 |
CKV_K8S_39 |
resource |
kubernetes_pod |
Do not use the CAP_SYS_ADMIN linux capability |
Terraform |
1429 |
CKV_K8S_41 |
resource |
kubernetes_service_account |
Ensure that default service accounts are not actively used |
Terraform |
1430 |
CKV_K8S_42 |
resource |
kubernetes_cluster_role_binding |
Ensure that default service accounts are not actively used |
Terraform |
1431 |
CKV_K8S_42 |
resource |
kubernetes_role_binding |
Ensure that default service accounts are not actively used |
Terraform |
1432 |
CKV_K8S_43 |
resource |
kubernetes_pod |
Image should use digest |
Terraform |
1433 |
CKV_K8S_44 |
resource |
kubernetes_service |
Ensure that the Tiller Service (Helm v2) is deleted |
Terraform |
1434 |
CKV_K8S_49 |
resource |
kubernetes_cluster_role |
Minimize wildcard use in Roles and ClusterRoles |
Terraform |
1435 |
CKV_K8S_49 |
resource |
kubernetes_role |
Minimize wildcard use in Roles and ClusterRoles |
Terraform |
1436 |
CKV_LIN_1 |
provider |
linode |
Ensure no hard coded Linode tokens exist in provider |
Terraform |
1437 |
CKV_LIN_2 |
resource |
linode_instance |
Ensure SSH key set in authorized_keys |
Terraform |
1438 |
CKV_LIN_3 |
resource |
linode_user |
Ensure email is set |
Terraform |
1439 |
CKV_LIN_4 |
resource |
linode_user |
Ensure username is set |
Terraform |
1440 |
CKV_LIN_5 |
resource |
linode_firewall |
Ensure Inbound Firewall Policy is not set to ACCEPT |
Terraform |
1441 |
CKV_LIN_6 |
resource |
linode_firewall |
Ensure Outbound Firewall Policy is not set to ACCEPT |
Terraform |
1442 |
CKV_OCI_1 |
provider |
oci |
Ensure no hard coded OCI private key in provider |
Terraform |
1443 |
CKV_OCI_2 |
resource |
oci_core_volume |
Ensure OCI Block Storage Block Volume has backup enabled |
Terraform |
1444 |
CKV_OCI_3 |
resource |
oci_core_volume |
OCI Block Storage Block Volumes are not encrypted with a Customer Managed Key (CMK) |
Terraform |
1445 |
CKV_OCI_4 |
resource |
oci_core_instance |
Ensure OCI Compute Instance boot volume has in-transit data encryption enabled |
Terraform |
1446 |
CKV_OCI_5 |
resource |
oci_core_instance |
Ensure OCI Compute Instance has Legacy MetaData service endpoint disabled |
Terraform |
1447 |
CKV_OCI_6 |
resource |
oci_core_instance |
Ensure OCI Compute Instance has monitoring enabled |
Terraform |
1448 |
CKV_OCI_7 |
resource |
oci_objectstorage_bucket |
Ensure OCI Object Storage bucket can emit object events |
Terraform |
1449 |
CKV_OCI_8 |
resource |
oci_objectstorage_bucket |
Ensure OCI Object Storage has versioning enabled |
Terraform |
1450 |
CKV_OCI_9 |
resource |
oci_objectstorage_bucket |
Ensure OCI Object Storage is encrypted with Customer Managed Key |
Terraform |
1451 |
CKV_OCI_10 |
resource |
oci_objectstorage_bucket |
Ensure OCI Object Storage is not Public |
Terraform |
1452 |
CKV_OCI_11 |
resource |
oci_identity_authentication_policy |
OCI IAM password policy - must contain lower case |
Terraform |
1453 |
CKV_OCI_12 |
resource |
oci_identity_authentication_policy |
OCI IAM password policy - must contain Numeric characters |
Terraform |
1454 |
CKV_OCI_13 |
resource |
oci_identity_authentication_policy |
OCI IAM password policy - must contain Special characters |
Terraform |
1455 |
CKV_OCI_14 |
resource |
oci_identity_authentication_policy |
OCI IAM password policy - must contain Uppercase characters |
Terraform |
1456 |
CKV_OCI_15 |
resource |
oci_file_storage_file_system |
Ensure OCI File System is Encrypted with a customer Managed Key |
Terraform |
1457 |
CKV_OCI_16 |
resource |
oci_core_security_list |
Ensure VCN has an inbound security list |
Terraform |
1458 |
CKV_OCI_17 |
resource |
oci_core_security_list |
Ensure VCN inbound security lists are stateless |
Terraform |
1459 |
CKV_OCI_18 |
resource |
oci_identity_authentication_policy |
OCI IAM password policy for local (non-federated) users has a minimum length of 14 characters |
Terraform |
1460 |
CKV_OCI_19 |
resource |
oci_core_security_list |
Ensure no security list allow ingress from 0.0.0.0:0 to port 22. |
Terraform |
1461 |
CKV_OCI_20 |
resource |
oci_core_security_list |
Ensure no security list allow ingress from 0.0.0.0:0 to port 3389. |
Terraform |
1462 |
CKV_OCI_21 |
resource |
oci_core_network_security_group_security_rule |
Ensure security group has stateless ingress security rules |
Terraform |
1463 |
CKV_OCI_22 |
resource |
oci_core_network_security_group_security_rule |
Ensure no security groups rules allow ingress from 0.0.0.0/0 to port 22 |
Terraform |
1464 |
CKV2_OCI_1 |
resource |
oci_identity_group |
Ensure administrator users are not associated with API keys |
Terraform |
1465 |
CKV2_OCI_1 |
resource |
oci_identity_user |
Ensure administrator users are not associated with API keys |
Terraform |
1466 |
CKV2_OCI_1 |
resource |
oci_identity_user_group_membership |
Ensure administrator users are not associated with API keys |
Terraform |
1467 |
CKV_OPENSTACK_1 |
provider |
openstack |
Ensure no hard coded OpenStack password, token, or application_credential_secret exists in provider |
Terraform |
1468 |
CKV_OPENSTACK_2 |
resource |
openstack_compute_secgroup_v2 |
Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 (tcp / udp) |
Terraform |
1469 |
CKV_OPENSTACK_2 |
resource |
openstack_networking_secgroup_rule_v2 |
Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 (tcp / udp) |
Terraform |
1470 |
CKV_OPENSTACK_3 |
resource |
openstack_compute_secgroup_v2 |
Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 (tcp / udp) |
Terraform |
1471 |
CKV_OPENSTACK_3 |
resource |
openstack_networking_secgroup_rule_v2 |
Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 (tcp / udp) |
Terraform |
1472 |
CKV_OPENSTACK_4 |
resource |
openstack_compute_instance_v2 |
Ensure that instance does not use basic credentials |
Terraform |
1473 |
CKV_OPENSTACK_5 |
resource |
openstack_fw_rule_v1 |
Ensure firewall rule set a destination IP |
Terraform |
1474 |
CKV_PAN_1 |
provider |
panos |
Ensure no hard coded PAN-OS credentials exist in provider |
Terraform |
1475 |
CKV_PAN_2 |
resource |
panos_management_profile |
Ensure plain-text management HTTP is not enabled for an Interface Management Profile |
Terraform |
1476 |
CKV_PAN_3 |
resource |
panos_management_profile |
Ensure plain-text management Telnet is not enabled for an Interface Management Profile |
Terraform |
1477 |
CKV_PAN_4 |
resource |
panos_security_policy |
Ensure DSRI is not enabled within security policies |
Terraform |
1478 |
CKV_PAN_4 |
resource |
panos_security_rule_group |
Ensure DSRI is not enabled within security policies |
Terraform |
1479 |
CKV_PAN_5 |
resource |
panos_security_policy |
Ensure security rules do not have ‘applications’ set to ‘any’ |
Terraform |
1480 |
CKV_PAN_5 |
resource |
panos_security_rule_group |
Ensure security rules do not have ‘applications’ set to ‘any’ |
Terraform |
1481 |
CKV_PAN_6 |
resource |
panos_security_policy |
Ensure security rules do not have ‘services’ set to ‘any’ |
Terraform |
1482 | CKV_PAN_6 | resource | panos_security_rule_group | Ensure security rules do not have ‘services’ set to ‘any’ | Terraform |
1483 | CKV_PAN_7 | resource | panos_security_policy | Ensure security rules do not have ‘source_addresses’ and ‘destination_addresses’ both containing values of ‘any’ | Terraform |
1484 | CKV_PAN_7 | resource | panos_security_rule_group | Ensure security rules do not have ‘source_addresses’ and ‘destination_addresses’ both containing values of ‘any’ | Terraform |
1485 | CKV_PAN_8 | resource | panos_security_policy | Ensure description is populated within security policies | Terraform |
1486 | CKV_PAN_8 | resource | panos_security_rule_group | Ensure description is populated within security policies | Terraform |
1487 | CKV_PAN_9 | resource | panos_security_policy | Ensure a Log Forwarding Profile is selected for each security policy rule | Terraform |
1488 | CKV_PAN_9 | resource | panos_security_rule_group | Ensure a Log Forwarding Profile is selected for each security policy rule | Terraform |
1489 | CKV_PAN_10 | resource | panos_security_policy | Ensure logging at session end is enabled within security policies | Terraform |
1490 | CKV_PAN_10 | resource | panos_security_rule_group | Ensure logging at session end is enabled within security policies | Terraform |
1491 | CKV_PAN_11 | resource | panos_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure encryption algorithms | Terraform |
1492 | CKV_PAN_11 | resource | panos_panorama_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure encryption algorithms | Terraform |
1493 | CKV_PAN_12 | resource | panos_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure authentication algorithms | Terraform |
1494 | CKV_PAN_12 | resource | panos_panorama_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure authentication algorithms | Terraform |
1495 | CKV_PAN_13 | resource | panos_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure protocols | Terraform |
1496 | CKV_PAN_13 | resource | panos_panorama_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure protocols | Terraform |
1497 | CKV_PAN_14 | resource | panos_panorama_zone | Ensure a Zone Protection Profile is defined within Security Zones | Terraform |
1498 | CKV_PAN_14 | resource | panos_zone | Ensure a Zone Protection Profile is defined within Security Zones | Terraform |
1499 | CKV_PAN_14 | resource | panos_zone_entry | Ensure a Zone Protection Profile is defined within Security Zones | Terraform |
1500 | CKV_PAN_15 | resource | panos_panorama_zone | Ensure an Include ACL is defined for a Zone when User-ID is enabled | Terraform |
1501 | CKV_PAN_15 | resource | panos_zone | Ensure an Include ACL is defined for a Zone when User-ID is enabled | Terraform |
1502 | CKV_YC_1 | resource | yandex_mdb_clickhouse_cluster | Ensure security group is assigned to database cluster. | Terraform |
1503 | CKV_YC_1 | resource | yandex_mdb_elasticsearch_cluster | Ensure security group is assigned to database cluster. | Terraform |
1504 | CKV_YC_1 | resource | yandex_mdb_greenplum_cluster | Ensure security group is assigned to database cluster. | Terraform |
1505 | CKV_YC_1 | resource | yandex_mdb_kafka_cluster | Ensure security group is assigned to database cluster. | Terraform |
1506 | CKV_YC_1 | resource | yandex_mdb_mongodb_cluster | Ensure security group is assigned to database cluster. | Terraform |
1507 | CKV_YC_1 | resource | yandex_mdb_mysql_cluster | Ensure security group is assigned to database cluster. | Terraform |
1508 | CKV_YC_1 | resource | yandex_mdb_postgresql_cluster | Ensure security group is assigned to database cluster. | Terraform |
1509 | CKV_YC_1 | resource | yandex_mdb_redis_cluster | Ensure security group is assigned to database cluster. | Terraform |
1510 | CKV_YC_1 | resource | yandex_mdb_sqlserver_cluster | Ensure security group is assigned to database cluster. | Terraform |
1511 | CKV_YC_2 | resource | yandex_compute_instance | Ensure compute instance does not have public IP. | Terraform |
1512 | CKV_YC_3 | resource | yandex_storage_bucket | Ensure storage bucket is encrypted. | Terraform |
1513 | CKV_YC_4 | resource | yandex_compute_instance | Ensure compute instance does not have serial console enabled. | Terraform |
1514 | CKV_YC_5 | resource | yandex_kubernetes_cluster | Ensure Kubernetes cluster does not have public IP address. | Terraform |
1515 | CKV_YC_6 | resource | yandex_kubernetes_node_group | Ensure Kubernetes cluster node group does not have public IP addresses. | Terraform |
1516 | CKV_YC_7 | resource | yandex_kubernetes_cluster | Ensure Kubernetes cluster auto-upgrade is enabled. | Terraform |
1517 | CKV_YC_8 | resource | yandex_kubernetes_node_group | Ensure Kubernetes node group auto-upgrade is enabled. | Terraform |
1518 | CKV_YC_9 | resource | yandex_kms_symmetric_key | Ensure KMS symmetric key is rotated. | Terraform |
1519 | CKV_YC_10 | resource | yandex_kubernetes_cluster | Ensure etcd database is encrypted with KMS key. | Terraform |
1520 | CKV_YC_11 | resource | yandex_compute_instance | Ensure security group is assigned to network interface. | Terraform |
1521 | CKV_YC_12 | resource | yandex_mdb_clickhouse_cluster | Ensure public IP is not assigned to database cluster. | Terraform |
1522 | CKV_YC_12 | resource | yandex_mdb_elasticsearch_cluster | Ensure public IP is not assigned to database cluster. | Terraform |
1523 | CKV_YC_12 | resource | yandex_mdb_greenplum_cluster | Ensure public IP is not assigned to database cluster. | Terraform |
1524 | CKV_YC_12 | resource | yandex_mdb_kafka_cluster | Ensure public IP is not assigned to database cluster. | Terraform |
1525 | CKV_YC_12 | resource | yandex_mdb_mongodb_cluster | Ensure public IP is not assigned to database cluster. | Terraform |
1526 | CKV_YC_12 | resource | yandex_mdb_mysql_cluster | Ensure public IP is not assigned to database cluster. | Terraform |
1527 | CKV_YC_12 | resource | yandex_mdb_postgresql_cluster | Ensure public IP is not assigned to database cluster. | Terraform |
1528 | CKV_YC_12 | resource | yandex_mdb_sqlserver_cluster | Ensure public IP is not assigned to database cluster. | Terraform |
1529 | CKV_YC_13 | resource | yandex_resourcemanager_cloud_iam_binding | Ensure cloud member does not have elevated access. | Terraform |
1530 | CKV_YC_13 | resource | yandex_resourcemanager_cloud_iam_member | Ensure cloud member does not have elevated access. | Terraform |
1531 | CKV_YC_14 | resource | yandex_kubernetes_cluster | Ensure security group is assigned to Kubernetes cluster. | Terraform |
1532 | CKV_YC_15 | resource | yandex_kubernetes_node_group | Ensure security group is assigned to Kubernetes node group. | Terraform |
1533 | CKV_YC_16 | resource | yandex_kubernetes_cluster | Ensure network policy is assigned to Kubernetes cluster. | Terraform |
1534 | CKV_YC_17 | resource | yandex_storage_bucket | Ensure storage bucket does not have public access permissions. | Terraform |
1535 | CKV_YC_18 | resource | yandex_compute_instance_group | Ensure compute instance group does not have public IP. | Terraform |
1536 | CKV_YC_19 | resource | yandex_vpc_security_group | Ensure security group does not contain allow-all rules. | Terraform |
1537 | CKV_YC_20 | resource | yandex_vpc_security_group_rule | Ensure security group rule is not allow-all. | Terraform |
1538 | CKV_YC_21 | resource | yandex_organizationmanager_organization_iam_binding | Ensure organization member does not have elevated access. | Terraform |
1539 | CKV_YC_21 | resource | yandex_organizationmanager_organization_iam_member | Ensure organization member does not have elevated access. | Terraform |
1540 | CKV_YC_22 | resource | yandex_compute_instance_group | Ensure compute instance group has security group assigned. | Terraform |
1541 | CKV_YC_23 | resource | yandex_resourcemanager_folder_iam_binding | Ensure folder member does not have elevated access. | Terraform |
1542 | CKV_YC_23 | resource | yandex_resourcemanager_folder_iam_member | Ensure folder member does not have elevated access. | Terraform |
1543 | CKV_YC_24 | resource | yandex_organizationmanager_organization_iam_binding | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform |
1544 | CKV_YC_24 | resource | yandex_organizationmanager_organization_iam_member | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform |
1545 | CKV_YC_24 | resource | yandex_resourcemanager_cloud_iam_binding | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform |
1546 | CKV_YC_24 | resource | yandex_resourcemanager_cloud_iam_member | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform |
1547 | CKV_YC_24 | resource | yandex_resourcemanager_folder_iam_binding | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform |
1548 | CKV_YC_24 | resource | yandex_resourcemanager_folder_iam_member | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform |