TerraGoat is Bridgecrew's "Vulnerable by Design" Terraform repository. TerraGoat is a learning and training project that demonstrates how common configuration errors can find their way into production cloud environments.
TerraGoat was built to enable DevSecOps to design and implement a sustainable misconfiguration prevention strategy. It can be used to test a policy-as-code framework like Bridgecrew & Checkov, inline-linters, pre-commit hooks or other code scanning methods.
TerraGoat follows the tradition of existing *Goat projects that provide a baseline training ground to practice implementing secure development best practices for cloud infrastructure.
- Where to get help: the Bridgecrew Community Slack
Before you proceed please take note of these warnings:
⚠️ TerraGoat creates intentionally vulnerable AWS resources in your account. DO NOT deploy TerraGoat in a production environment or alongside any sensitive AWS resources.
- Terraform 0.12
- aws cli
- azure cli
To prevent vulnerable infrastructure from reaching production see: Bridgecrew & checkov, the open source static analysis tool for infrastructure as code.
You can deploy multiple TerraGoat stacks in a single AWS account using the parameter TF_VAR_environment.
export TERRAGOAT_STATE_BUCKET="mydevsecops-bucket"
export TF_VAR_company_name=acme
export TF_VAR_environment=mydevsecops
export TF_VAR_region="us-west-2"
aws s3api create-bucket --bucket $TERRAGOAT_STATE_BUCKET \
--region $TF_VAR_region --create-bucket-configuration LocationConstraint=$TF_VAR_region
# Enable versioning
aws s3api put-bucket-versioning --bucket $TERRAGOAT_STATE_BUCKET --versioning-configuration Status=Enabled
# Enable encryption
aws s3api put-bucket-encryption --bucket $TERRAGOAT_STATE_BUCKET --server-side-encryption-configuration '{
"Rules": [
{
"ApplyServerSideEncryptionByDefault": {
"SSEAlgorithm": "aws:kms"
}
}
]
}'
cd terraform/aws/
terraform init \
-backend-config="bucket=$TERRAGOAT_STATE_BUCKET" \
-backend-config="key=$TF_VAR_company_name-$TF_VAR_environment.tfstate" \
-backend-config="region=$TF_VAR_region"
terraform apply
terraform destroy
cd terraform/aws/
export TERRAGOAT_ENV=$TF_VAR_environment
export TERRAGOAT_STACKS_NUM=5
for i in $(seq 1 $TERRAGOAT_STACKS_NUM)
do
export TF_VAR_environment=$TERRAGOAT_ENV$i
terraform init \
-backend-config="bucket=$TERRAGOAT_STATE_BUCKET" \
-backend-config="key=$TF_VAR_company_name-$TF_VAR_environment.tfstate" \
-backend-config="region=$TF_VAR_region"
terraform apply -auto-approve
done
cd terraform/aws/
export TF_VAR_environment=$TERRAGOAT_ENV
for i in $(seq 1 $TERRAGOAT_STACKS_NUM)
do
export TF_VAR_environment=$TERRAGOAT_ENV$i
terraform init \
-backend-config="bucket=$TERRAGOAT_STATE_BUCKET" \
-backend-config="key=$TF_VAR_company_name-$TF_VAR_environment.tfstate" \
-backend-config="region=$TF_VAR_region"
terraform destroy -auto-approve
done
You can deploy multiple TerraGoat stacks in a single Azure subscription using the parameter TF_VAR_environment.
export TERRAGOAT_RESOURCE_GROUP="TerraGoatRG"
export TERRAGOAT_STATE_STORAGE_ACCOUNT="mydevsecopssa"
export TERRAGOAT_STATE_CONTAINER="mydevsecops"
export TF_VAR_environment="dev"
export TF_VAR_region="westus"
# Create resource group
az group create --location $TF_VAR_region --name $TERRAGOAT_RESOURCE_GROUP
# Create storage account
az storage account create --name $TERRAGOAT_STATE_STORAGE_ACCOUNT --resource-group $TERRAGOAT_RESOURCE_GROUP --location $TF_VAR_region --sku Standard_LRS --kind StorageV2 --https-only true --encryption-services blob
# Get storage account key
ACCOUNT_KEY=$(az storage account keys list --resource-group $TERRAGOAT_RESOURCE_GROUP --account-name $TERRAGOAT_STATE_STORAGE_ACCOUNT --query [0].value -o tsv)
# Create blob container
az storage container create --name $TERRAGOAT_STATE_CONTAINER --account-name $TERRAGOAT_STATE_STORAGE_ACCOUNT --account-key $ACCOUNT_KEY
cd terraform/azure/
terraform init -reconfigure -backend-config="resource_group_name=$TERRAGOAT_RESOURCE_GROUP" \
-backend-config "storage_account_name=$TERRAGOAT_STATE_STORAGE_ACCOUNT" \
-backend-config="container_name=$TERRAGOAT_STATE_CONTAINER" \
-backend-config "key=$TF_VAR_environment.terraform.tfstate"
terraform apply
terraform destroy
You can deploy multiple TerraGoat stacks in a single GCP project using the parameter TF_VAR_environment.
To use terraform, a Service Account and matching set of credentials are required. If they do not exist, they must be manually created for the relevant project. To create the Service Account:
- Sign into your GCP project, go to IAM > Service Accounts.
- Click CREATE SERVICE ACCOUNT.
- Give a name to your service account (for example - terragoat) and click CREATE.
- Grant the Service Account the Project > Editor role and click CONTINUE.
- Click DONE.
To create the credentials:
- Sign into your GCP project, go to IAM > Service Accounts and click on the relevant Service Account.
- Click ADD KEY > Create new key > JSON and click CREATE. This will create a .json file and download it to your computer.
We recommend saving the key with a nicer name than the auto-generated one (e.g. terragoat_credentials.json), and storing the resulting JSON file inside the terraform/gcp directory of terragoat.
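The console steps above can also be done from the command line. The sketch below is an added example, not part of the TerraGoat repository: it assumes an installed and authenticated gcloud CLI, and the function names (sa_email, run, create_terragoat_sa, key_mode_ok) and the DRY_RUN switch are made up for illustration. Because the key is stored inside the repository directory, it also restricts the file to its owner and warns if git would track it.

```shell
#!/usr/bin/env bash
# Added example (not from the TerraGoat repository).
# Defaults are the example names used in the README text.
SA_NAME="${SA_NAME:-terragoat}"
KEY_FILE="${KEY_FILE:-terraform/gcp/terragoat_credentials.json}"

# Service account addresses have the form NAME@PROJECT_ID.iam.gserviceaccount.com
sa_email() { printf '%s@%s.iam.gserviceaccount.com' "$1" "$2"; }

# Execute a command, or only print it when DRY_RUN=1
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Create the service account, grant Project > Editor, download a JSON key
create_terragoat_sa() {
  tg_project="$1"
  tg_email="$(sa_email "$SA_NAME" "$tg_project")"
  run gcloud iam service-accounts create "$SA_NAME" \
      --project "$tg_project" --display-name "TerraGoat"
  run gcloud projects add-iam-policy-binding "$tg_project" \
      --member "serviceAccount:$tg_email" --role roles/editor
  # umask 077 so the key file is never created group- or world-readable
  ( umask 077
    run gcloud iam service-accounts keys create "$KEY_FILE" \
        --iam-account "$tg_email" )
  run chmod 600 "$KEY_FILE"
  # The key sits inside the repository tree: make sure git ignores it
  run git check-ignore -q -- "$KEY_FILE" \
    || echo "warning: $KEY_FILE is not ignored by git" >&2
}

# Succeeds only if the file is readable/writable by its owner and nobody else
key_mode_ok() {
  case "$(ls -ld -- "$1" 2>/dev/null)" in
    -r[w-]-------*) return 0 ;;
    *) return 1 ;;
  esac
}

# Run with --apply from the repository root; TF_VAR_project must be set
if [ "${1:-}" = "--apply" ]; then
  create_terragoat_sa "${TF_VAR_project:?set TF_VAR_project first}"
  key_mode_ok "$KEY_FILE" || echo "warning: $KEY_FILE is readable by others" >&2
fi
```

Setting DRY_RUN=1 prints the commands instead of executing them, which is useful for reviewing what will be run against the project.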
Once the credentials are set up, create the backend configuration as follows:
export TF_VAR_environment="dev"
export TF_TERRAGOAT_STATE_BUCKET=remote-state-bucket-terragoat
export TF_VAR_credentials_path=<PATH_TO_CREDENTIALS_FILE> # example: export TF_VAR_credentials_path=terragoat_credentials.json
export TF_VAR_project=<YOUR_PROJECT_NAME_HERE>
# Create storage bucket
gsutil mb gs://${TF_TERRAGOAT_STATE_BUCKET}
cd terraform/gcp/
terraform init -reconfigure -backend-config="bucket=$TF_TERRAGOAT_STATE_BUCKET" \
-backend-config "credentials=$TF_VAR_credentials_path" \
-backend-config "prefix=terragoat/${TF_VAR_environment}"
terraform apply
terraform destroy
- CfnGoat - Vulnerable by design Cloudformation template
- TerraGoat - Vulnerable by design Terraform stack
- CDKGoat - Vulnerable by design CDK application
- kustomizegoat - Vulnerable by design kustomize deployment
Contribution is welcomed!
We would love to hear about more ideas on how to find vulnerable infrastructure-as-code design patterns.
Bridgecrew builds and maintains TerraGoat to encourage the adoption of policy-as-code.
If you need direct support you can contact us at info@bridgecrew.io.
# | check_id | file | resource | check_name | guideline |
---|---|---|---|---|---|
0 | CKV_ALI_10 | /alicloud/bucket.tf | alicloud_oss_bucket.bad_bucket | Ensure OSS bucket has versioning enabled | |
1 | CKV_ALI_12 | /alicloud/bucket.tf | alicloud_oss_bucket.bad_bucket | Ensure the OSS bucket has access logging enabled | |
2 | CKV_ALI_11 | /alicloud/bucket.tf | alicloud_oss_bucket.bad_bucket | Ensure OSS bucket has transfer Acceleration enabled | |
3 | CKV_ALI_1 | /alicloud/bucket.tf | alicloud_oss_bucket.bad_bucket | Alibaba Cloud OSS bucket accessible to public | |
4 | CKV_ALI_6 | /alicloud/bucket.tf | alicloud_oss_bucket.bad_bucket | Ensure OSS bucket is encrypted with Customer Master Key | |
5 | CKV_ALI_36 | /alicloud/rds.tf | alicloud_db_instance.seeme | Ensure RDS instance has log_disconnections enabled | |
6 | CKV_ALI_37 | /alicloud/rds.tf | alicloud_db_instance.seeme | Ensure RDS instance has log_connections enabled | |
7 | CKV_ALI_34 | /alicloud/rds.tf | alicloud_db_instance.seeme | Ensure RDS instance is set to auto upgrade minor versions | |
8 | CKV_ALI_20 | /alicloud/rds.tf | alicloud_db_instance.seeme | Ensure RDS instance uses SSL | |
9 | CKV_ALI_30 | /alicloud/rds.tf | alicloud_db_instance.seeme | Ensure RDS instance auto upgrades for minor versions | |
10 | CKV_ALI_35 | /alicloud/rds.tf | alicloud_db_instance.seeme | Ensure RDS instance has log_duration enabled | |
11 | CKV_ALI_9 | /alicloud/rds.tf | alicloud_db_instance.seeme | Ensure database instance is not public | |
12 | CKV_ALI_25 | /alicloud/rds.tf | alicloud_db_instance.seeme | Ensure RDS Instance SQL Collector Retention Period should be greater than 180 | |
13 | CKV_ALI_4 | /alicloud/trail.tf | alicloud_actiontrail_trail.fail | Ensure Action Trail Logging for all regions | |
14 | CKV_ALI_5 | /alicloud/trail.tf | alicloud_actiontrail_trail.fail | Ensure Action Trail Logging for all events | |
15 | CKV_ALI_10 | /alicloud/trail.tf | alicloud_oss_bucket.trail | Ensure OSS bucket has versioning enabled | |
16 | CKV_ALI_12 | /alicloud/trail.tf | alicloud_oss_bucket.trail | Ensure the OSS bucket has access logging enabled | |
17 | CKV_ALI_11 | /alicloud/trail.tf | alicloud_oss_bucket.trail | Ensure OSS bucket has transfer Acceleration enabled | |
18 | CKV_ALI_6 | /alicloud/trail.tf | alicloud_oss_bucket.trail | Ensure OSS bucket is encrypted with Customer Master Key | |
19 | CKV_AWS_157 | /aws/db-app.tf | aws_db_instance.default | Ensure that RDS instances have Multi-AZ enabled | https://docs.bridgecrew.io/docs/general_73 |
20 | CKV_AWS_161 | /aws/db-app.tf | aws_db_instance.default | Ensure RDS database has IAM authentication enabled | https://docs.bridgecrew.io/docs/ensure-rds-database-has-iam-authentication-enabled |
21 | CKV_AWS_16 | /aws/db-app.tf | aws_db_instance.default | Ensure all data stored in the RDS is securely encrypted at rest | https://docs.bridgecrew.io/docs/general_4 |
22 | CKV_AWS_226 | /aws/db-app.tf | aws_db_instance.default | Ensure DB instance gets all minor upgrades automatically | |
23 | CKV_AWS_17 | /aws/db-app.tf | aws_db_instance.default | Ensure all data stored in RDS is not publicly accessible | https://docs.bridgecrew.io/docs/public_2 |
24 | CKV_AWS_118 | /aws/db-app.tf | aws_db_instance.default | Ensure that enhanced monitoring is enabled for Amazon RDS instances | https://docs.bridgecrew.io/docs/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances |
25 | CKV_AWS_129 | /aws/db-app.tf | aws_db_instance.default | Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled | https://docs.bridgecrew.io/docs/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled |
26 | CKV_AWS_133 | /aws/db-app.tf | aws_db_instance.default | Ensure that RDS instances has backup policy | https://docs.bridgecrew.io/docs/ensure-that-rds-instances-have-backup-policy |
27 | CKV_AWS_23 | /aws/db-app.tf | aws_security_group.default | Ensure every security groups rule has a description | https://docs.bridgecrew.io/docs/networking_31 |
28 | CKV_AWS_23 | /aws/db-app.tf | aws_security_group_rule.ingress | Ensure every security groups rule has a description | https://docs.bridgecrew.io/docs/networking_31 |
29 | CKV_AWS_23 | /aws/db-app.tf | aws_security_group_rule.egress | Ensure every security groups rule has a description | https://docs.bridgecrew.io/docs/networking_31 |
30 | CKV_AWS_79 | /aws/db-app.tf | aws_instance.db_app | Ensure Instance Metadata Service Version 1 is not enabled | https://docs.bridgecrew.io/docs/bc_aws_general_31 |
31 | CKV_AWS_135 | /aws/db-app.tf | aws_instance.db_app | Ensure that EC2 is EBS optimized | https://docs.bridgecrew.io/docs/ensure-that-ec2-is-ebs-optimized |
32 | CKV_AWS_8 | /aws/db-app.tf | aws_instance.db_app | Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted | https://docs.bridgecrew.io/docs/general_13 |
33 | CKV_AWS_126 | /aws/db-app.tf | aws_instance.db_app | Ensure that detailed monitoring is enabled for EC2 instances | https://docs.bridgecrew.io/docs/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances |
34 | CKV_AWS_79 | /aws/ec2.tf | aws_instance.web_host | Ensure Instance Metadata Service Version 1 is not enabled | https://docs.bridgecrew.io/docs/bc_aws_general_31 |
35 | CKV_AWS_135 | /aws/ec2.tf | aws_instance.web_host | Ensure that EC2 is EBS optimized | https://docs.bridgecrew.io/docs/ensure-that-ec2-is-ebs-optimized |
36 | CKV_AWS_8 | /aws/ec2.tf | aws_instance.web_host | Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted | https://docs.bridgecrew.io/docs/general_13 |
37 | CKV_AWS_46 | /aws/ec2.tf | aws_instance.web_host | Ensure no hard-coded secrets exist in EC2 user data | https://docs.bridgecrew.io/docs/bc_aws_secrets_1 |
38 | CKV_AWS_126 | /aws/ec2.tf | aws_instance.web_host | Ensure that detailed monitoring is enabled for EC2 instances | https://docs.bridgecrew.io/docs/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances |
39 | CKV_AWS_3 | /aws/ec2.tf | aws_ebs_volume.web_host_storage | Ensure all data stored in the EBS is securely encrypted | https://docs.bridgecrew.io/docs/general_3-encrypt-eps-volume |
40 | CKV_AWS_189 | /aws/ec2.tf | aws_ebs_volume.web_host_storage | Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK) | https://docs.bridgecrew.io/docs/bc_aws_general_109 |
41 | CKV_AWS_23 | /aws/ec2.tf | aws_security_group.web-node | Ensure every security groups rule has a description | https://docs.bridgecrew.io/docs/networking_31 |
42 | CKV_AWS_260 | /aws/ec2.tf | aws_security_group.web-node | Ensure no security groups allow ingress from 0.0.0.0:0 to port 80 | |
43 | CKV_AWS_24 | /aws/ec2.tf | aws_security_group.web-node | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | https://docs.bridgecrew.io/docs/networking_1-port-security |
44 | CKV_AWS_130 | /aws/ec2.tf | aws_subnet.web_subnet | Ensure VPC subnets do not assign public IP by default | https://docs.bridgecrew.io/docs/ensure-vpc-subnets-do-not-assign-public-ip-by-default |
45 | CKV_AWS_130 | /aws/ec2.tf | aws_subnet.web_subnet2 | Ensure VPC subnets do not assign public IP by default | https://docs.bridgecrew.io/docs/ensure-vpc-subnets-do-not-assign-public-ip-by-default |
46 | CKV_AWS_136 | /aws/ecr.tf | aws_ecr_repository.repository | Ensure that ECR repositories are encrypted using KMS | https://docs.bridgecrew.io/docs/ensure-that-ecr-repositories-are-encrypted |
47 | CKV_AWS_51 | /aws/ecr.tf | aws_ecr_repository.repository | Ensure ECR Image Tags are immutable | https://docs.bridgecrew.io/docs/bc_aws_general_24 |
48 | CKV_AWS_163 | /aws/ecr.tf | aws_ecr_repository.repository | Ensure ECR image scanning on push is enabled | https://docs.bridgecrew.io/docs/general_8 |
49 | CKV_AWS_130 | /aws/eks.tf | aws_subnet.eks_subnet1 | Ensure VPC subnets do not assign public IP by default | https://docs.bridgecrew.io/docs/ensure-vpc-subnets-do-not-assign-public-ip-by-default |
50 | CKV_AWS_130 | /aws/eks.tf | aws_subnet.eks_subnet2 | Ensure VPC subnets do not assign public IP by default | https://docs.bridgecrew.io/docs/ensure-vpc-subnets-do-not-assign-public-ip-by-default |
51 | CKV_AWS_39 | /aws/eks.tf | aws_eks_cluster.eks_cluster | Ensure Amazon EKS public endpoint disabled | https://docs.bridgecrew.io/docs/bc_aws_kubernetes_2 |
52 | CKV_AWS_38 | /aws/eks.tf | aws_eks_cluster.eks_cluster | Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0 | https://docs.bridgecrew.io/docs/bc_aws_kubernetes_1 |
53 | CKV_AWS_37 | /aws/eks.tf | aws_eks_cluster.eks_cluster | Ensure Amazon EKS control plane logging enabled for all log types | https://docs.bridgecrew.io/docs/bc_aws_kubernetes_4 |
54 | CKV_AWS_58 | /aws/eks.tf | aws_eks_cluster.eks_cluster | Ensure EKS Cluster has Secrets Encryption Enabled | https://docs.bridgecrew.io/docs/bc_aws_kubernetes_3 |
55 | CKV_AWS_127 | /aws/elb.tf | aws_elb.weblb | Ensure that Elastic Load Balancer(s) uses SSL certificates provided by AWS Certificate Manager | https://docs.bridgecrew.io/docs/ensure-that-elastic-load-balancers-uses-ssl-certificates-provided-by-aws-certificate-manager |
56 | CKV_AWS_92 | /aws/elb.tf | aws_elb.weblb | Ensure the ELB has access logging enabled | https://docs.bridgecrew.io/docs/bc_aws_logging_23 |
57 | CKV_AWS_111 | /aws/es.tf | aws_iam_policy_document.policy | Ensure IAM policies does not allow write access without constraints | https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-write-access-without-constraint |
58 | CKV_AWS_109 | /aws/es.tf | aws_iam_policy_document.policy | Ensure IAM policies does not allow permissions management / resource exposure without constraints | https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint |
59 | CKV_AWS_137 | /aws/es.tf | aws_elasticsearch_domain.monitoring-framework | Ensure that Elasticsearch is configured inside a VPC | https://docs.bridgecrew.io/docs/ensure-that-elasticsearch-is-configured-inside-a-vpc |
60 | CKV_AWS_247 | /aws/es.tf | aws_elasticsearch_domain.monitoring-framework | Ensure all data stored in the Elasticsearch is encrypted with a CMK | |
61 | CKV_AWS_248 | /aws/es.tf | aws_elasticsearch_domain.monitoring-framework | Ensure that Elasticsearch is not using the default Security Group | |
62 | CKV_AWS_228 | /aws/es.tf | aws_elasticsearch_domain.monitoring-framework | Verify Elasticsearch domain is using an up to date TLS policy | |
63 | CKV_AWS_84 | /aws/es.tf | aws_elasticsearch_domain.monitoring-framework | Ensure Elasticsearch Domain Logging is enabled | https://docs.bridgecrew.io/docs/elasticsearch_7 |
64 | CKV_AWS_5 | /aws/es.tf | aws_elasticsearch_domain.monitoring-framework | Ensure all data stored in the Elasticsearch is securely encrypted at rest | https://docs.bridgecrew.io/docs/elasticsearch_3-enable-encryptionatrest |
65 | CKV_AWS_7 | /aws/kms.tf | aws_kms_key.logs_key | Ensure rotation for customer created CMKs is enabled | https://docs.bridgecrew.io/docs/logging_8 |
66 | CKV_AWS_115 | /aws/lambda.tf | aws_lambda_function.analysis_lambda | Ensure that AWS Lambda function is configured for function-level concurrent execution limit | https://docs.bridgecrew.io/docs/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit |
67 | CKV_AWS_45 | /aws/lambda.tf | aws_lambda_function.analysis_lambda | Ensure no hard-coded secrets exist in lambda environment | https://docs.bridgecrew.io/docs/bc_aws_secrets_3 |
68 | CKV_AWS_50 | /aws/lambda.tf | aws_lambda_function.analysis_lambda | X-ray tracing is enabled for Lambda | https://docs.bridgecrew.io/docs/bc_aws_serverless_4 |
69 | CKV_AWS_117 | /aws/lambda.tf | aws_lambda_function.analysis_lambda | Ensure that AWS Lambda function is configured inside a VPC | https://docs.bridgecrew.io/docs/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1 |
70 | CKV_AWS_173 | /aws/lambda.tf | aws_lambda_function.analysis_lambda | Check encryption settings for Lambda environmental variable | https://docs.bridgecrew.io/docs/bc_aws_serverless_5 |
71 | CKV_AWS_116 | /aws/lambda.tf | aws_lambda_function.analysis_lambda | Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ) | https://docs.bridgecrew.io/docs/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq |
72 | CKV_AWS_44 | /aws/neptune.tf | aws_neptune_cluster.default | Ensure Neptune storage is securely encrypted | https://docs.bridgecrew.io/docs/general_18 |
73 | CKV_AWS_101 | /aws/neptune.tf | aws_neptune_cluster.default | Ensure Neptune logging is enabled | https://docs.bridgecrew.io/docs/bc_aws_logging_24 |
74 | CKV_AWS_41 | /aws/providers.tf | aws.plain_text_access_keys_provider | Ensure no hard coded AWS access key and secret key exists in provider | https://docs.bridgecrew.io/docs/bc_aws_secrets_5 |
75 | CKV_AWS_128 | /aws/rds.tf | aws_rds_cluster.app1-rds-cluster | Ensure that an Amazon RDS Clusters have AWS Identity and Access Management (IAM) authentication enabled | https://docs.bridgecrew.io/docs/ensure-that-an-amazon-rds-clusters-have-iam-authentication-enabled |
76 | CKV_AWS_139 | /aws/rds.tf | aws_rds_cluster.app1-rds-cluster | Ensure that RDS clusters have deletion protection enabled | https://docs.bridgecrew.io/docs/ensure-that-rds-clusters-and-instances-have-deletion-protection-enabled |
77 | CKV_AWS_96 | /aws/rds.tf | aws_rds_cluster.app1-rds-cluster | Ensure all data stored in Aurora is securely encrypted at rest | https://docs.bridgecrew.io/docs/bc_aws_general_38 |
78 | CKV_AWS_162 | /aws/rds.tf | aws_rds_cluster.app1-rds-cluster | Ensure RDS cluster has IAM authentication enabled | https://docs.bridgecrew.io/docs/ensure-rds-cluster-has-iam-authentication-enabled |
79 | CKV_AWS_133 | /aws/rds.tf | aws_rds_cluster.app1-rds-cluster | Ensure that RDS instances has backup policy | https://docs.bridgecrew.io/docs/ensure-that-rds-instances-have-backup-policy |
80 | CKV_AWS_128 | /aws/rds.tf | aws_rds_cluster.app2-rds-cluster | Ensure that an Amazon RDS Clusters have AWS Identity and Access Management (IAM) authentication enabled | https://docs.bridgecrew.io/docs/ensure-that-an-amazon-rds-clusters-have-iam-authentication-enabled |
81 | CKV_AWS_139 | /aws/rds.tf | aws_rds_cluster.app2-rds-cluster | Ensure that RDS clusters have deletion protection enabled | https://docs.bridgecrew.io/docs/ensure-that-rds-clusters-and-instances-have-deletion-protection-enabled |
82 | CKV_AWS_96 | /aws/rds.tf | aws_rds_cluster.app2-rds-cluster | Ensure all data stored in Aurora is securely encrypted at rest | https://docs.bridgecrew.io/docs/bc_aws_general_38 |
83 | CKV_AWS_162 | /aws/rds.tf | aws_rds_cluster.app2-rds-cluster | Ensure RDS cluster has IAM authentication enabled | https://docs.bridgecrew.io/docs/ensure-rds-cluster-has-iam-authentication-enabled |
84 | CKV_AWS_128 | /aws/rds.tf | aws_rds_cluster.app3-rds-cluster | Ensure that an Amazon RDS Clusters have AWS Identity and Access Management (IAM) authentication enabled | https://docs.bridgecrew.io/docs/ensure-that-an-amazon-rds-clusters-have-iam-authentication-enabled |
85 | CKV_AWS_139 | /aws/rds.tf | aws_rds_cluster.app3-rds-cluster | Ensure that RDS clusters have deletion protection enabled | https://docs.bridgecrew.io/docs/ensure-that-rds-clusters-and-instances-have-deletion-protection-enabled |
86 | CKV_AWS_96 | /aws/rds.tf | aws_rds_cluster.app3-rds-cluster | Ensure all data stored in Aurora is securely encrypted at rest | https://docs.bridgecrew.io/docs/bc_aws_general_38 |
87 | CKV_AWS_162 | /aws/rds.tf | aws_rds_cluster.app3-rds-cluster | Ensure RDS cluster has IAM authentication enabled | https://docs.bridgecrew.io/docs/ensure-rds-cluster-has-iam-authentication-enabled |
88 | CKV_AWS_128 | /aws/rds.tf | aws_rds_cluster.app4-rds-cluster | Ensure that an Amazon RDS Clusters have AWS Identity and Access Management (IAM) authentication enabled | https://docs.bridgecrew.io/docs/ensure-that-an-amazon-rds-clusters-have-iam-authentication-enabled |
89 | CKV_AWS_139 | /aws/rds.tf | aws_rds_cluster.app4-rds-cluster | Ensure that RDS clusters have deletion protection enabled | https://docs.bridgecrew.io/docs/ensure-that-rds-clusters-and-instances-have-deletion-protection-enabled |
90 | CKV_AWS_96 | /aws/rds.tf | aws_rds_cluster.app4-rds-cluster | Ensure all data stored in Aurora is securely encrypted at rest | https://docs.bridgecrew.io/docs/bc_aws_general_38 |
91 | CKV_AWS_162 | /aws/rds.tf | aws_rds_cluster.app4-rds-cluster | Ensure RDS cluster has IAM authentication enabled | https://docs.bridgecrew.io/docs/ensure-rds-cluster-has-iam-authentication-enabled |
92 | CKV_AWS_128 | /aws/rds.tf | aws_rds_cluster.app5-rds-cluster | Ensure that an Amazon RDS Clusters have AWS Identity and Access Management (IAM) authentication enabled | https://docs.bridgecrew.io/docs/ensure-that-an-amazon-rds-clusters-have-iam-authentication-enabled |
93 | CKV_AWS_139 | /aws/rds.tf | aws_rds_cluster.app5-rds-cluster | Ensure that RDS clusters have deletion protection enabled | https://docs.bridgecrew.io/docs/ensure-that-rds-clusters-and-instances-have-deletion-protection-enabled |
94 | CKV_AWS_96 | /aws/rds.tf | aws_rds_cluster.app5-rds-cluster | Ensure all data stored in Aurora is securely encrypted at rest | https://docs.bridgecrew.io/docs/bc_aws_general_38 |
95 | CKV_AWS_162 | /aws/rds.tf | aws_rds_cluster.app5-rds-cluster | Ensure RDS cluster has IAM authentication enabled | https://docs.bridgecrew.io/docs/ensure-rds-cluster-has-iam-authentication-enabled |
96 | CKV_AWS_128 | /aws/rds.tf | aws_rds_cluster.app6-rds-cluster | Ensure that an Amazon RDS Clusters have AWS Identity and Access Management (IAM) authentication enabled | https://docs.bridgecrew.io/docs/ensure-that-an-amazon-rds-clusters-have-iam-authentication-enabled |
97 | CKV_AWS_139 | /aws/rds.tf | aws_rds_cluster.app6-rds-cluster | Ensure that RDS clusters have deletion protection enabled | https://docs.bridgecrew.io/docs/ensure-that-rds-clusters-and-instances-have-deletion-protection-enabled |
98 | CKV_AWS_96 | /aws/rds.tf | aws_rds_cluster.app6-rds-cluster | Ensure all data stored in Aurora is securely encrypted at rest | https://docs.bridgecrew.io/docs/bc_aws_general_38 |
99 | CKV_AWS_162 | /aws/rds.tf | aws_rds_cluster.app6-rds-cluster | Ensure RDS cluster has IAM authentication enabled | https://docs.bridgecrew.io/docs/ensure-rds-cluster-has-iam-authentication-enabled |
100 | CKV_AWS_128 | /aws/rds.tf | aws_rds_cluster.app7-rds-cluster | Ensure that an Amazon RDS Clusters have AWS Identity and Access Management (IAM) authentication enabled | https://docs.bridgecrew.io/docs/ensure-that-an-amazon-rds-clusters-have-iam-authentication-enabled |
101 | CKV_AWS_139 | /aws/rds.tf | aws_rds_cluster.app7-rds-cluster | Ensure that RDS clusters have deletion protection enabled | https://docs.bridgecrew.io/docs/ensure-that-rds-clusters-and-instances-have-deletion-protection-enabled |
102 | CKV_AWS_96 | /aws/rds.tf | aws_rds_cluster.app7-rds-cluster | Ensure all data stored in Aurora is securely encrypted at rest | https://docs.bridgecrew.io/docs/bc_aws_general_38 |
103 | CKV_AWS_162 | /aws/rds.tf | aws_rds_cluster.app7-rds-cluster | Ensure RDS cluster has IAM authentication enabled | https://docs.bridgecrew.io/docs/ensure-rds-cluster-has-iam-authentication-enabled |
104 | CKV_AWS_128 | /aws/rds.tf | aws_rds_cluster.app8-rds-cluster | Ensure that an Amazon RDS Clusters have AWS Identity and Access Management (IAM) authentication enabled | https://docs.bridgecrew.io/docs/ensure-that-an-amazon-rds-clusters-have-iam-authentication-enabled |
105 | CKV_AWS_139 | /aws/rds.tf | aws_rds_cluster.app8-rds-cluster | Ensure that RDS clusters have deletion protection enabled | https://docs.bridgecrew.io/docs/ensure-that-rds-clusters-and-instances-have-deletion-protection-enabled |
106 | CKV_AWS_96 | /aws/rds.tf | aws_rds_cluster.app8-rds-cluster | Ensure all data stored in Aurora is securely encrypted at rest | https://docs.bridgecrew.io/docs/bc_aws_general_38 |
107 | CKV_AWS_162 | /aws/rds.tf | aws_rds_cluster.app8-rds-cluster | Ensure RDS cluster has IAM authentication enabled | https://docs.bridgecrew.io/docs/ensure-rds-cluster-has-iam-authentication-enabled |
108 | CKV_AWS_128 | /aws/rds.tf | aws_rds_cluster.app9-rds-cluster | Ensure that an Amazon RDS Clusters have AWS Identity and Access Management (IAM) authentication enabled | https://docs.bridgecrew.io/docs/ensure-that-an-amazon-rds-clusters-have-iam-authentication-enabled |
109 | CKV_AWS_139 | /aws/rds.tf | aws_rds_cluster.app9-rds-cluster | Ensure that RDS clusters have deletion protection enabled | https://docs.bridgecrew.io/docs/ensure-that-rds-clusters-and-instances-have-deletion-protection-enabled |
110 | CKV_AWS_96 | /aws/rds.tf | aws_rds_cluster.app9-rds-cluster | Ensure all data stored in Aurora is securely encrypted at rest | https://docs.bridgecrew.io/docs/bc_aws_general_38 |
111 | CKV_AWS_162 | /aws/rds.tf | aws_rds_cluster.app9-rds-cluster | Ensure RDS cluster has IAM authentication enabled | https://docs.bridgecrew.io/docs/ensure-rds-cluster-has-iam-authentication-enabled |
112 | CKV_AWS_186 | /aws/s3.tf | aws_s3_bucket_object.data_object | Ensure S3 bucket Object is encrypted by KMS using a customer managed Key (CMK) | https://docs.bridgecrew.io/docs/bc_aws_general_106 |
113 | CKV_AZURE_116 | /azure/aks.tf | azurerm_kubernetes_cluster.k8s_cluster | Ensure that AKS uses Azure Policies Add-on | https://docs.bridgecrew.io/docs/ensure-that-aks-uses-azure-policies-add-on |
114 | CKV_AZURE_8 | /azure/aks.tf | azurerm_kubernetes_cluster.k8s_cluster | Ensure Kubernetes Dashboard is disabled | https://docs.bridgecrew.io/docs/bc_azr_kubernetes_5 |
115 | CKV_AZURE_4 | /azure/aks.tf | azurerm_kubernetes_cluster.k8s_cluster | Ensure AKS logging to Azure Monitoring is Configured | https://docs.bridgecrew.io/docs/bc_azr_kubernetes_1 |
116 | CKV_AZURE_117 | /azure/aks.tf | azurerm_kubernetes_cluster.k8s_cluster | Ensure that AKS uses disk encryption set | https://docs.bridgecrew.io/docs/ensure-that-aks-uses-disk-encryption-set |
117 | CKV_AZURE_115 | /azure/aks.tf | azurerm_kubernetes_cluster.k8s_cluster | Ensure that AKS enables private clusters | https://docs.bridgecrew.io/docs/ensure-that-aks-enables-private-clusters |
118 | CKV_AZURE_141 | /azure/aks.tf | azurerm_kubernetes_cluster.k8s_cluster | Ensure AKS local admin account is disabled | |
119 | CKV_AZURE_7 | /azure/aks.tf | azurerm_kubernetes_cluster.k8s_cluster | Ensure AKS cluster has Network Policy configured | https://docs.bridgecrew.io/docs/bc_azr_kubernetes_4 |
120 | CKV_AZURE_6 | /azure/aks.tf | azurerm_kubernetes_cluster.k8s_cluster | Ensure AKS has an API Server Authorized IP Ranges enabled | https://docs.bridgecrew.io/docs/bc_azr_kubernetes_3 |
121 | CKV_AZURE_5 | /azure/aks.tf | azurerm_kubernetes_cluster.k8s_cluster | Ensure RBAC is enabled on AKS clusters | https://docs.bridgecrew.io/docs/bc_azr_kubernetes_2 |
122 | CKV_AZURE_15 | /azure/app_service.tf | azurerm_app_service.app-service1 | Ensure web app is using the latest version of TLS encryption | https://docs.bridgecrew.io/docs/bc_azr_networking_6 |
123 | CKV_AZURE_78 | /azure/app_service.tf | azurerm_app_service.app-service1 | Ensure FTP deployments are disabled | https://docs.bridgecrew.io/docs/ensure-ftp-deployments-are-disabled |
124 | CKV_AZURE_18 | /azure/app_service.tf | azurerm_app_service.app-service1 | Ensure that 'HTTP Version' is the latest if used to run the web app | https://docs.bridgecrew.io/docs/bc_azr_networking_8 |
125 | CKV_AZURE_88 | /azure/app_service.tf | azurerm_app_service.app-service1 | Ensure that app services use Azure Files | https://docs.bridgecrew.io/docs/ensure-that-app-services-use-azure-files |
126 | CKV_AZURE_13 | /azure/app_service.tf | azurerm_app_service.app-service1 | Ensure App Service Authentication is set on Azure App Service | https://docs.bridgecrew.io/docs/bc_azr_general_2 |
127 | CKV_AZURE_71 | /azure/app_service.tf | azurerm_app_service.app-service1 | Ensure that Managed identity provider is enabled for app services | https://docs.bridgecrew.io/docs/ensure-that-managed-identity-provider-is-enabled-for-app-services |
128 | CKV_AZURE_80 | /azure/app_service.tf | azurerm_app_service.app-service1 | Ensure that 'Net Framework' version is the latest, if used as a part of the web app | https://docs.bridgecrew.io/docs/ensure-that-net-framework-version-is-the-latest-if-used-as-a-part-of-the-web-app |
129 | CKV_AZURE_65 | /azure/app_service.tf | azurerm_app_service.app-service1 | Ensure that App service enables detailed error messages | https://docs.bridgecrew.io/docs/tbdensure-that-app-service-enables-detailed-error-messages |
130 | CKV_AZURE_63 | /azure/app_service.tf | azurerm_app_service.app-service1 | Ensure that App service enables HTTP logging | https://docs.bridgecrew.io/docs/ensure-that-app-service-enables-http-logging |
131 | CKV_AZURE_17 | /azure/app_service.tf | azurerm_app_service.app-service1 | Ensure the web app has 'Client Certificates (Incoming client certificates)' set | https://docs.bridgecrew.io/docs/bc_azr_networking_7 |
132 | CKV_AZURE_16 | /azure/app_service.tf | azurerm_app_service.app-service1 | Ensure that Register with Azure Active Directory is enabled on App Service | https://docs.bridgecrew.io/docs/bc_azr_iam_1 |
133 | CKV_AZURE_66 | /azure/app_service.tf | azurerm_app_service.app-service1 | Ensure that App service enables failed request tracing | https://docs.bridgecrew.io/docs/ensure-that-app-service-enables-failed-request-tracing |
134 | CKV_AZURE_14 | /azure/app_service.tf | azurerm_app_service.app-service1 | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | https://docs.bridgecrew.io/docs/bc_azr_networking_5 |
135 | CKV_AZURE_78 | /azure/app_service.tf | azurerm_app_service.app-service2 | Ensure FTP deployments are disabled | https://docs.bridgecrew.io/docs/ensure-ftp-deployments-are-disabled |
136 | CKV_AZURE_18 | /azure/app_service.tf | azurerm_app_service.app-service2 | Ensure that 'HTTP Version' is the latest if used to run the web app | https://docs.bridgecrew.io/docs/bc_azr_networking_8 |
137 | CKV_AZURE_88 | /azure/app_service.tf | azurerm_app_service.app-service2 | Ensure that app services use Azure Files | https://docs.bridgecrew.io/docs/ensure-that-app-services-use-azure-files |
138 | CKV_AZURE_13 | /azure/app_service.tf | azurerm_app_service.app-service2 | Ensure App Service Authentication is set on Azure App Service | https://docs.bridgecrew.io/docs/bc_azr_general_2 |
139 | CKV_AZURE_71 | /azure/app_service.tf | azurerm_app_service.app-service2 | Ensure that Managed identity provider is enabled for app services | https://docs.bridgecrew.io/docs/ensure-that-managed-identity-provider-is-enabled-for-app-services |
140 | CKV_AZURE_80 | /azure/app_service.tf | azurerm_app_service.app-service2 | Ensure that 'Net Framework' version is the latest, if used as a part of the web app | https://docs.bridgecrew.io/docs/ensure-that-net-framework-version-is-the-latest-if-used-as-a-part-of-the-web-app |
141 | CKV_AZURE_65 | /azure/app_service.tf | azurerm_app_service.app-service2 | Ensure that App service enables detailed error messages | https://docs.bridgecrew.io/docs/tbdensure-that-app-service-enables-detailed-error-messages |
142 | CKV_AZURE_63 | /azure/app_service.tf | azurerm_app_service.app-service2 | Ensure that App service enables HTTP logging | https://docs.bridgecrew.io/docs/ensure-that-app-service-enables-http-logging |
143 | CKV_AZURE_17 | /azure/app_service.tf | azurerm_app_service.app-service2 | Ensure the web app has 'Client Certificates (Incoming client certificates)' set | https://docs.bridgecrew.io/docs/bc_azr_networking_7 |
144 | CKV_AZURE_16 | /azure/app_service.tf | azurerm_app_service.app-service2 | Ensure that Register with Azure Active Directory is enabled on App Service | https://docs.bridgecrew.io/docs/bc_azr_iam_1 |
145 | CKV_AZURE_66 | /azure/app_service.tf | azurerm_app_service.app-service2 | Ensure that App service enables failed request tracing | https://docs.bridgecrew.io/docs/ensure-that-app-service-enables-failed-request-tracing |
146 | CKV_AZURE_1 | /azure/instance.tf | azurerm_linux_virtual_machine.linux_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | https://docs.bridgecrew.io/docs/bc_azr_networking_1 |
147 | CKV_AZURE_50 | /azure/instance.tf | azurerm_linux_virtual_machine.linux_machine | Ensure Virtual Machine Extensions are not Installed | https://docs.bridgecrew.io/docs/bc_azr_general_14 |
148 | CKV_AZURE_149 | /azure/instance.tf | azurerm_linux_virtual_machine.linux_machine | Ensure that Virtual machine does not enable password authentication | |
149 | CKV_AZURE_151 | /azure/instance.tf | azurerm_windows_virtual_machine.windows_machine | Ensure Windows VM enables encryption | |
150 | CKV_AZURE_50 | /azure/instance.tf | azurerm_windows_virtual_machine.windows_machine | Ensure Virtual Machine Extensions are not Installed | https://docs.bridgecrew.io/docs/bc_azr_general_14 |
151 | CKV_AZURE_109 | /azure/key_vault.tf | azurerm_key_vault.example | Ensure that key vault allows firewall rules settings | https://docs.bridgecrew.io/docs/ensure-that-key-vault-allows-firewall-rules-settings |
152 | CKV_AZURE_42 | /azure/key_vault.tf | azurerm_key_vault.example | Ensure the key vault is recoverable | https://docs.bridgecrew.io/docs/ensure-the-key-vault-is-recoverable |
153 | CKV_AZURE_110 | /azure/key_vault.tf | azurerm_key_vault.example | Ensure that key vault enables purge protection | https://docs.bridgecrew.io/docs/ensure-that-key-vault-enables-purge-protection |
154 | CKV_AZURE_112 | /azure/key_vault.tf | azurerm_key_vault_key.generated | Ensure that key vault key is backed by HSM | https://docs.bridgecrew.io/docs/ensure-that-key-vault-key-is-backed-by-hsm |
155 | CKV_AZURE_40 | /azure/key_vault.tf | azurerm_key_vault_key.generated | Ensure that the expiration date is set on all keys | https://docs.bridgecrew.io/docs/set-an-expiration-date-on-all-keys |
156 | CKV_AZURE_114 | /azure/key_vault.tf | azurerm_key_vault_secret.secret | Ensure that key vault secrets have "content_type" set | https://docs.bridgecrew.io/docs/ensure-that-key-vault-secrets-have-content_type-set |
157 | CKV_AZURE_41 | /azure/key_vault.tf | azurerm_key_vault_secret.secret | Ensure that the expiration date is set on all secrets | https://docs.bridgecrew.io/docs/set-an-expiration-date-on-all-secrets |
158 | CKV_AZURE_38 | /azure/logging.tf | azurerm_monitor_log_profile.logging_profile | Ensure audit profile captures all the activities | https://docs.bridgecrew.io/docs/ensure-audit-profile-captures-all-activities |
159 | CKV_AZURE_37 | /azure/logging.tf | azurerm_monitor_log_profile.logging_profile | Ensure that Activity Log Retention is set 365 days or greater | https://docs.bridgecrew.io/docs/set-activity-log-retention-to-365-days-or-greater |
160 | CKV_AZURE_35 | /azure/mssql.tf | azurerm_storage_account.security_storage_account | Ensure default network access rule for Storage Accounts is set to deny | https://docs.bridgecrew.io/docs/set-default-network-access-rule-for-storage-accounts-to-deny |
161 | CKV_AZURE_33 | /azure/mssql.tf | azurerm_storage_account.security_storage_account | Ensure Storage logging is enabled for Queue service for read, write and delete requests | https://docs.bridgecrew.io/docs/enable-requests-on-storage-logging-for-queue-service |
162 | CKV_AZURE_44 | /azure/mssql.tf | azurerm_storage_account.security_storage_account | Ensure Storage Account is using the latest version of TLS encryption | https://docs.bridgecrew.io/docs/bc_azr_storage_2 |
163 | CKV_AZURE_52 | /azure/mssql.tf | azurerm_mssql_server.mssql1 | Ensure MSSQL is using the latest version of TLS encryption | https://docs.bridgecrew.io/docs/ensure-mssql-is-using-the-latest-version-of-tls-encryption |
164 | CKV_AZURE_113 | /azure/mssql.tf | azurerm_mssql_server.mssql1 | Ensure that SQL server disables public network access | https://docs.bridgecrew.io/docs/ensure-that-sql-server-disables-public-network-access |
165 | CKV_AZURE_52 | /azure/mssql.tf | azurerm_mssql_server.mssql2 | Ensure MSSQL is using the latest version of TLS encryption | https://docs.bridgecrew.io/docs/ensure-mssql-is-using-the-latest-version-of-tls-encryption |
166 | CKV_AZURE_113 | /azure/mssql.tf | azurerm_mssql_server.mssql2 | Ensure that SQL server disables public network access | https://docs.bridgecrew.io/docs/ensure-that-sql-server-disables-public-network-access |
167 | CKV_AZURE_52 | /azure/mssql.tf | azurerm_mssql_server.mssql3 | Ensure MSSQL is using the latest version of TLS encryption | https://docs.bridgecrew.io/docs/ensure-mssql-is-using-the-latest-version-of-tls-encryption |
168 | CKV_AZURE_113 | /azure/mssql.tf | azurerm_mssql_server.mssql3 | Ensure that SQL server disables public network access | https://docs.bridgecrew.io/docs/ensure-that-sql-server-disables-public-network-access |
169 | CKV_AZURE_52 | /azure/mssql.tf | azurerm_mssql_server.mssql4 | Ensure MSSQL is using the latest version of TLS encryption | https://docs.bridgecrew.io/docs/ensure-mssql-is-using-the-latest-version-of-tls-encryption |
170 | CKV_AZURE_113 | /azure/mssql.tf | azurerm_mssql_server.mssql4 | Ensure that SQL server disables public network access | https://docs.bridgecrew.io/docs/ensure-that-sql-server-disables-public-network-access |
171 | CKV_AZURE_52 | /azure/mssql.tf | azurerm_mssql_server.mssql5 | Ensure MSSQL is using the latest version of TLS encryption | https://docs.bridgecrew.io/docs/ensure-mssql-is-using-the-latest-version-of-tls-encryption |
172 | CKV_AZURE_113 | /azure/mssql.tf | azurerm_mssql_server.mssql5 | Ensure that SQL server disables public network access | https://docs.bridgecrew.io/docs/ensure-that-sql-server-disables-public-network-access |
173 | CKV_AZURE_52 | /azure/mssql.tf | azurerm_mssql_server.mssql6 | Ensure MSSQL is using the latest version of TLS encryption | https://docs.bridgecrew.io/docs/ensure-mssql-is-using-the-latest-version-of-tls-encryption |
174 | CKV_AZURE_113 | /azure/mssql.tf | azurerm_mssql_server.mssql6 | Ensure that SQL server disables public network access | https://docs.bridgecrew.io/docs/ensure-that-sql-server-disables-public-network-access |
175 | CKV_AZURE_52 | /azure/mssql.tf | azurerm_mssql_server.mssql7 | Ensure MSSQL is using the latest version of TLS encryption | https://docs.bridgecrew.io/docs/ensure-mssql-is-using-the-latest-version-of-tls-encryption |
176 | CKV_AZURE_113 | /azure/mssql.tf | azurerm_mssql_server.mssql7 | Ensure that SQL server disables public network access | https://docs.bridgecrew.io/docs/ensure-that-sql-server-disables-public-network-access |
177 | CKV_AZURE_25 | /azure/mssql.tf | azurerm_mssql_server_security_alert_policy.alertpolicy1 | Ensure that 'Threat Detection types' is set to 'All' | https://docs.bridgecrew.io/docs/bc_azr_general_6 |
178 | CKV_AZURE_27 | /azure/mssql.tf | azurerm_mssql_server_security_alert_policy.alertpolicy1 | Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers | https://docs.bridgecrew.io/docs/bc_azr_general_8 |
179 | CKV_AZURE_25 | /azure/mssql.tf | azurerm_mssql_server_security_alert_policy.alertpolicy2 | Ensure that 'Threat Detection types' is set to 'All' | https://docs.bridgecrew.io/docs/bc_azr_general_6 |
180 | CKV_AZURE_27 | /azure/mssql.tf | azurerm_mssql_server_security_alert_policy.alertpolicy2 | Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers | https://docs.bridgecrew.io/docs/bc_azr_general_8 |
181 | CKV_AZURE_25 | /azure/mssql.tf | azurerm_mssql_server_security_alert_policy.alertpolicy3 | Ensure that 'Threat Detection types' is set to 'All' | https://docs.bridgecrew.io/docs/bc_azr_general_6 |
182 | CKV_AZURE_27 | /azure/mssql.tf | azurerm_mssql_server_security_alert_policy.alertpolicy3 | Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers | https://docs.bridgecrew.io/docs/bc_azr_general_8 |
183 | CKV_AZURE_25 | /azure/mssql.tf | azurerm_mssql_server_security_alert_policy.alertpolicy4 | Ensure that 'Threat Detection types' is set to 'All' | https://docs.bridgecrew.io/docs/bc_azr_general_6 |
184 | CKV_AZURE_27 | /azure/mssql.tf | azurerm_mssql_server_security_alert_policy.alertpolicy4 | Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers | https://docs.bridgecrew.io/docs/bc_azr_general_8 |
185 | CKV_AZURE_25 | /azure/mssql.tf | azurerm_mssql_server_security_alert_policy.alertpolicy5 | Ensure that 'Threat Detection types' is set to 'All' | https://docs.bridgecrew.io/docs/bc_azr_general_6 |
186 | CKV_AZURE_26 | /azure/mssql.tf | azurerm_mssql_server_security_alert_policy.alertpolicy5 | Ensure that 'Send Alerts To' is enabled for MSSQL servers | https://docs.bridgecrew.io/docs/bc_azr_general_7 |
187 | CKV_AZURE_27 | /azure/mssql.tf | azurerm_mssql_server_security_alert_policy.alertpolicy5 | Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers | https://docs.bridgecrew.io/docs/bc_azr_general_8 |
188 | CKV_AZURE_25 | /azure/mssql.tf | azurerm_mssql_server_security_alert_policy.alertpolicy6 | Ensure that 'Threat Detection types' is set to 'All' | https://docs.bridgecrew.io/docs/bc_azr_general_6 |
189 | CKV_AZURE_27 | /azure/mssql.tf | azurerm_mssql_server_security_alert_policy.alertpolicy6 | Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers | https://docs.bridgecrew.io/docs/bc_azr_general_8 |
190 | CKV_AZURE_25 | /azure/mssql.tf | azurerm_mssql_server_security_alert_policy.alertpolicy7 | Ensure that 'Threat Detection types' is set to 'All' | https://docs.bridgecrew.io/docs/bc_azr_general_6 |
191 | CKV_AZURE_27 | /azure/mssql.tf | azurerm_mssql_server_security_alert_policy.alertpolicy7 | Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers | https://docs.bridgecrew.io/docs/bc_azr_general_8 |
192 | CKV_AZURE_10 | /azure/networking.tf | azurerm_network_security_group.bad_sg | Ensure that SSH access is restricted from the internet | https://docs.bridgecrew.io/docs/bc_azr_networking_3 |
193 | CKV_AZURE_9 | /azure/networking.tf | azurerm_network_security_group.bad_sg | Ensure that RDP access is restricted from the internet | https://docs.bridgecrew.io/docs/bc_azr_networking_2 |
194 | CKV_AZURE_12 | /azure/networking.tf | azurerm_network_watcher_flow_log.flow_log | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | https://docs.bridgecrew.io/docs/bc_azr_logging_1 |
195 | CKV_AZURE_39 | /azure/roles.tf | azurerm_role_definition.example | Ensure that no custom subscription owner roles are created | https://docs.bridgecrew.io/docs/do-not-create-custom-subscription-owner-roles |
196 | CKV_AZURE_19 | /azure/security_center.tf | azurerm_security_center_subscription_pricing.pricing | Ensure that standard pricing tier is selected | https://docs.bridgecrew.io/docs/ensure-standard-pricing-tier-is-selected |
197 | CKV_AZURE_20 | /azure/security_center.tf | azurerm_security_center_contact.contact | Ensure that security contact 'Phone number' is set | https://docs.bridgecrew.io/docs/bc_azr_general_3 |
198 | CKV_AZURE_22 | /azure/security_center.tf | azurerm_security_center_contact.contact | Ensure that 'Send email notification for high severity alerts' is set to 'On' | https://docs.bridgecrew.io/docs/bc_azr_general_5 |
199 | CKV_AZURE_21 | /azure/security_center.tf | azurerm_security_center_contact.contact | Ensure that 'Send email notification for high severity alerts' is set to 'On' | https://docs.bridgecrew.io/docs/bc_azr_general_4 |
200 | CKV_AZURE_25 | /azure/sql.tf | azurerm_mssql_server_security_alert_policy.example | Ensure that 'Threat Detection types' is set to 'All' | https://docs.bridgecrew.io/docs/bc_azr_general_6 |
201 | CKV_AZURE_26 | /azure/sql.tf | azurerm_mssql_server_security_alert_policy.example | Ensure that 'Send Alerts To' is enabled for MSSQL servers | https://docs.bridgecrew.io/docs/bc_azr_general_7 |
202 | CKV_AZURE_27 | /azure/sql.tf | azurerm_mssql_server_security_alert_policy.example | Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers | https://docs.bridgecrew.io/docs/bc_azr_general_8 |
203 | CKV_AZURE_127 | /azure/sql.tf | azurerm_mysql_server.example | Ensure that My SQL server enables Threat detection policy | https://docs.bridgecrew.io/docs/ensure-that-my-sql-server-enables-threat-detection-policy |
204 | CKV_AZURE_94 | /azure/sql.tf | azurerm_mysql_server.example | Ensure that My SQL server enables geo-redundant backups | https://docs.bridgecrew.io/docs/ensure-that-my-sql-server-enables-geo-redundant-backups |
205 | CKV_AZURE_53 | /azure/sql.tf | azurerm_mysql_server.example | Ensure 'public network access enabled' is set to 'False' for mySQL servers | https://docs.bridgecrew.io/docs/ensure-public-network-access-enabled-is-set-to-false-for-mysql-servers |
206 | CKV_AZURE_54 | /azure/sql.tf | azurerm_mysql_server.example | Ensure MySQL is using the latest version of TLS encryption | https://docs.bridgecrew.io/docs/ensure-mysql-is-using-the-latest-version-of-tls-encryption |
207 | CKV_AZURE_28 | /azure/sql.tf | azurerm_mysql_server.example | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server | https://docs.bridgecrew.io/docs/bc_azr_networking_9 |
208 | CKV_AZURE_147 | /azure/sql.tf | azurerm_postgresql_server.example | Ensure PostgreSQL is using the latest version of TLS encryption | |
209 | CKV_AZURE_130 | /azure/sql.tf | azurerm_postgresql_server.example | Ensure that PostgreSQL server enables infrastructure encryption | https://docs.bridgecrew.io/docs/ensure-that-postgresql-server-enables-infrastructure-encryption |
210 | CKV_AZURE_29 | /azure/sql.tf | azurerm_postgresql_server.example | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | https://docs.bridgecrew.io/docs/bc_azr_networking_10 |
211 | CKV_AZURE_128 | /azure/sql.tf | azurerm_postgresql_server.example | Ensure that PostgreSQL server enables Threat detection policy | https://docs.bridgecrew.io/docs/ensure-that-postgresql-server-enables-threat-detection-policy |
212 | CKV_AZURE_102 | /azure/sql.tf | azurerm_postgresql_server.example | Ensure that PostgreSQL server enables geo-redundant backups | https://docs.bridgecrew.io/docs/ensure-that-postgresql-server-enables-geo-redundant-backups |
213 | CKV_AZURE_68 | /azure/sql.tf | azurerm_postgresql_server.example | Ensure that PostgreSQL server disables public network access | https://docs.bridgecrew.io/docs/ensure-that-postgresql-server-disables-public-network-access |
214 | CKV_AZURE_32 | /azure/sql.tf | azurerm_postgresql_configuration.thrtottling_config | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | https://docs.bridgecrew.io/docs/bc_azr_networking_13 |
215 | CKV_AZURE_30 | /azure/sql.tf | azurerm_postgresql_configuration.example | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | https://docs.bridgecrew.io/docs/bc_azr_networking_11 |
216 | CKV_AZURE_2 | /azure/storage.tf | azurerm_managed_disk.example | Ensure Azure managed disk has encryption enabled | https://docs.bridgecrew.io/docs/bc_azr_general_1 |
217 | CKV_AZURE_93 | /azure/storage.tf | azurerm_managed_disk.example | Ensure that managed disks use a specific set of disk encryption sets for the customer-managed key encryption | https://docs.bridgecrew.io/docs/ensure-that-managed-disks-use-a-specific-set-of-disk-encryption-sets-for-the-customer-managed-key-encryption |
218 | CKV_AZURE_35 | /azure/storage.tf | azurerm_storage_account.example | Ensure default network access rule for Storage Accounts is set to deny | https://docs.bridgecrew.io/docs/set-default-network-access-rule-for-storage-accounts-to-deny |
219 | CKV_AZURE_3 | /azure/storage.tf | azurerm_storage_account.example | Ensure that 'Secure transfer required' is set to 'Enabled' | |
220 | CKV_AZURE_33 | /azure/storage.tf | azurerm_storage_account.example | Ensure Storage logging is enabled for Queue service for read, write and delete requests | https://docs.bridgecrew.io/docs/enable-requests-on-storage-logging-for-queue-service |
221 | CKV_AZURE_44 | /azure/storage.tf | azurerm_storage_account.example | Ensure Storage Account is using the latest version of TLS encryption | https://docs.bridgecrew.io/docs/bc_azr_storage_2 |
222 | CKV_AZURE_36 | /azure/storage.tf | azurerm_storage_account_network_rules.test | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | https://docs.bridgecrew.io/docs/enable-trusted-microsoft-services-for-storage-account-access |
223 | CKV_GCP_6 | /gcp/big_data.tf | google_sql_database_instance.master_instance | Ensure all Cloud SQL database instance requires all incoming connections to use SSL | https://docs.bridgecrew.io/docs/bc_gcp_general_1 |
224 | CKV_GCP_11 | /gcp/big_data.tf | google_sql_database_instance.master_instance | Ensure that Cloud SQL database Instances are not open to the world | https://docs.bridgecrew.io/docs/bc_gcp_networking_4 |
225 | CKV_GCP_79 | /gcp/big_data.tf | google_sql_database_instance.master_instance | Ensure SQL database is using latest Major version | |
226 | CKV_GCP_60 | /gcp/big_data.tf | google_sql_database_instance.master_instance | Ensure Cloud SQL database does not have public IP | https://docs.bridgecrew.io/docs/bc_gcp_sql_11 |
227 | CKV_GCP_14 | /gcp/big_data.tf | google_sql_database_instance.master_instance | Ensure all Cloud SQL database instance have backup configuration enabled | https://docs.bridgecrew.io/docs/bc_gcp_general_2 |
228 | CKV_GCP_15 | /gcp/big_data.tf | google_bigquery_dataset.dataset | Ensure that BigQuery datasets are not anonymously or publicly accessible | https://docs.bridgecrew.io/docs/bc_gcp_general_3 |
229 | CKV_GCP_81 | /gcp/big_data.tf | google_bigquery_dataset.dataset | Ensure Big Query Tables are encrypted with Customer Supplied Encryption Keys (CSEK) | |
230 | CKV_GCP_62 | /gcp/gcs.tf | google_storage_bucket.terragoat_website | Bucket should log access | https://docs.bridgecrew.io/docs/bc_gcp_logging_2 |
231 | CKV_GCP_78 | /gcp/gcs.tf | google_storage_bucket.terragoat_website | Ensure Cloud storage has versioning enabled | |
232 | CKV_GCP_29 | /gcp/gcs.tf | google_storage_bucket.terragoat_website | Ensure that Cloud Storage buckets have uniform bucket-level access enabled | https://docs.bridgecrew.io/docs/bc_gcp_gcs_2 |
233 | CKV_GCP_28 | /gcp/gcs.tf | google_storage_bucket_iam_binding.allow_public_read | Ensure that Cloud Storage bucket is not anonymously or publicly accessible | https://docs.bridgecrew.io/docs/bc_gcp_public_1 |
234 | CKV_GCP_70 | /gcp/gke.tf | google_container_cluster.workload_cluster | Ensure the GKE Release Channel is set | https://docs.bridgecrew.io/docs/ensure-the-gke-release-channel-is-set |
235 | CKV_GCP_69 | /gcp/gke.tf | google_container_cluster.workload_cluster | Ensure the GKE Metadata Server is Enabled | https://docs.bridgecrew.io/docs/ensure-the-gke-metadata-server-is-enabled |
236 | CKV_GCP_67 | /gcp/gke.tf | google_container_cluster.workload_cluster | Ensure legacy Compute Engine instance metadata APIs are Disabled | https://docs.bridgecrew.io/docs/ensure-legacy-compute-engine-instance-metadata-apis-are-disabled |
237 | CKV_GCP_19 | /gcp/gke.tf | google_container_cluster.workload_cluster | Ensure GKE basic auth is disabled | https://docs.bridgecrew.io/docs/bc_gcp_kubernetes_11 |
238 | CKV_GCP_21 | /gcp/gke.tf | google_container_cluster.workload_cluster | Ensure Kubernetes Clusters are configured with Labels | https://docs.bridgecrew.io/docs/bc_gcp_kubernetes_13 |
239 | CKV_GCP_66 | /gcp/gke.tf | google_container_cluster.workload_cluster | Ensure use of Binary Authorization | https://docs.bridgecrew.io/docs/ensure-use-of-binary-authorization |
240 | CKV_GCP_61 | /gcp/gke.tf | google_container_cluster.workload_cluster | Enable VPC Flow Logs and Intranode Visibility | https://docs.bridgecrew.io/docs/enable-vpc-flow-logs-and-intranode-visibility |
241 | CKV_GCP_25 | /gcp/gke.tf | google_container_cluster.workload_cluster | Ensure Kubernetes Cluster is created with Private cluster enabled | https://docs.bridgecrew.io/docs/bc_gcp_kubernetes_6 |
242 | CKV_GCP_1 | /gcp/gke.tf | google_container_cluster.workload_cluster | Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters | https://docs.bridgecrew.io/docs/bc_gcp_kubernetes_1 |
243 | CKV_GCP_18 | /gcp/gke.tf | google_container_cluster.workload_cluster | Ensure GKE Control Plane is not public | https://docs.bridgecrew.io/docs/bc_gcp_kubernetes_10 |
244 | CKV_GCP_64 | /gcp/gke.tf | google_container_cluster.workload_cluster | Ensure clusters are created with Private Nodes | https://docs.bridgecrew.io/docs/ensure-clusters-are-created-with-private-nodes |
245 | CKV_GCP_13 | /gcp/gke.tf | google_container_cluster.workload_cluster | Ensure client certificate authentication to Kubernetes Engine Clusters is disabled | https://docs.bridgecrew.io/docs/bc_gcp_kubernetes_8 |
246 | CKV_GCP_12 | /gcp/gke.tf | google_container_cluster.workload_cluster | Ensure Network Policy is enabled on Kubernetes Engine Clusters | https://docs.bridgecrew.io/docs/bc_gcp_kubernetes_7 |
247 | CKV_GCP_65 | /gcp/gke.tf | google_container_cluster.workload_cluster | Manage Kubernetes RBAC users with Google Groups for GKE | https://docs.bridgecrew.io/docs/manage-kubernetes-rbac-users-with-google-groups-for-gke |
248 | CKV_GCP_24 | /gcp/gke.tf | google_container_cluster.workload_cluster | Ensure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters | https://docs.bridgecrew.io/docs/bc_gcp_kubernetes_9 |
249 | CKV_GCP_7 | /gcp/gke.tf | google_container_cluster.workload_cluster | Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters | https://docs.bridgecrew.io/docs/bc_gcp_kubernetes_2 |
250 | CKV_GCP_23 | /gcp/gke.tf | google_container_cluster.workload_cluster | Ensure Kubernetes Cluster is created with Alias IP ranges enabled | https://docs.bridgecrew.io/docs/bc_gcp_kubernetes_15 |
251 | CKV_GCP_8 | /gcp/gke.tf | google_container_cluster.workload_cluster | Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters | https://docs.bridgecrew.io/docs/bc_gcp_kubernetes_3 |
252 | CKV_GCP_68 | /gcp/gke.tf | google_container_node_pool.custom_node_pool | Ensure Secure Boot for Shielded GKE Nodes is Enabled | https://docs.bridgecrew.io/docs/ensure-secure-boot-for-shielded-gke-nodes-is-enabled |
253 | CKV_GCP_22 | /gcp/gke.tf | google_container_node_pool.custom_node_pool | Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image | https://docs.bridgecrew.io/docs/bc_gcp_kubernetes_14 |
254 | CKV_GCP_69 | /gcp/gke.tf | google_container_node_pool.custom_node_pool | Ensure the GKE Metadata Server is Enabled | https://docs.bridgecrew.io/docs/ensure-the-gke-metadata-server-is-enabled |
255 | CKV_GCP_9 | /gcp/gke.tf | google_container_node_pool.custom_node_pool | Ensure 'Automatic node repair' is enabled for Kubernetes Clusters | https://docs.bridgecrew.io/docs/bc_gcp_kubernetes_4 |
256 | CKV_GCP_10 | /gcp/gke.tf | google_container_node_pool.custom_node_pool | Ensure 'Automatic node upgrade' is enabled for Kubernetes Clusters | https://docs.bridgecrew.io/docs/bc_gcp_kubernetes_5 |
257 | CKV_GCP_38 | /gcp/instances.tf | google_compute_instance.server | Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK) | https://docs.bridgecrew.io/docs/encrypt-boot-disks-for-instances-with-cseks |
258 | CKV_GCP_35 | /gcp/instances.tf | google_compute_instance.server | Ensure 'Enable connecting to serial ports' is not enabled for VM Instance | https://docs.bridgecrew.io/docs/bc_gcp_networking_11 |
259 | CKV_GCP_40 | /gcp/instances.tf | google_compute_instance.server | Ensure that Compute instances do not have public IP addresses | https://docs.bridgecrew.io/docs/bc_gcp_public_2 |
260 | CKV_GCP_34 | /gcp/instances.tf | google_compute_instance.server | Ensure that no instance in the project overrides the project setting for enabling OSLogin(OSLogin needs to be enabled in project metadata for all instances) | https://docs.bridgecrew.io/docs/bc_gcp_networking_10 |
261 | CKV_GCP_30 | /gcp/instances.tf | google_compute_instance.server | Ensure that instances are not configured to use the default service account | https://docs.bridgecrew.io/docs/bc_gcp_iam_1 |
262 | CKV_GCP_36 | /gcp/instances.tf | google_compute_instance.server | Ensure that IP forwarding is not enabled on Instances | https://docs.bridgecrew.io/docs/bc_gcp_networking_12 |
263 | CKV_GCP_32 | /gcp/instances.tf | google_compute_instance.server | Ensure 'Block Project-wide SSH keys' is enabled for VM instances | https://docs.bridgecrew.io/docs/bc_gcp_networking_8 |
264 | CKV_GCP_39 | /gcp/instances.tf | google_compute_instance.server | Ensure Compute instances are launched with Shielded VM enabled | https://docs.bridgecrew.io/docs/bc_gcp_general_y |
265 | CKV_GCP_37 | /gcp/instances.tf | google_compute_disk.unencrypted_disk | Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK) | https://docs.bridgecrew.io/docs/bc_gcp_general_x |
266 | CKV_GCP_74 | /gcp/networks.tf | google_compute_subnetwork.public-subnetwork | Ensure that private_ip_google_access is enabled for Subnet | |
267 | CKV_GCP_26 | /gcp/networks.tf | google_compute_subnetwork.public-subnetwork | Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network | https://docs.bridgecrew.io/docs/bc_gcp_logging_1 |
268 | CKV_GCP_76 | /gcp/networks.tf | google_compute_subnetwork.public-subnetwork | Ensure that Private google access is enabled for IPV6 | |
269 | CKV_GCP_88 | /gcp/networks.tf | google_compute_firewall.allow_all | Ensure Google compute firewall ingress does not allow unrestricted mysql access | |
270 | CKV_GCP_106 | /gcp/networks.tf | google_compute_firewall.allow_all | Ensure Google compute firewall ingress does not allow unrestricted http port 80 access | |
271 | CKV_GCP_77 | /gcp/networks.tf | google_compute_firewall.allow_all | Ensure Google compute firewall ingress does not allow on ftp port | |
272 | CKV_GCP_3 | /gcp/networks.tf | google_compute_firewall.allow_all | Ensure Google compute firewall ingress does not allow unrestricted rdp access | https://docs.bridgecrew.io/docs/bc_gcp_networking_2 |
273 | CKV_GCP_75 | /gcp/networks.tf | google_compute_firewall.allow_all | Ensure Google compute firewall ingress does not allow unrestricted FTP access | |
274 | CKV_GCP_2 | /gcp/networks.tf | google_compute_firewall.allow_all | Ensure Google compute firewall ingress does not allow unrestricted ssh access | https://docs.bridgecrew.io/docs/bc_gcp_networking_1 |
275 | CKV_OCI_9 | /oracle/bucket.tf | oci_objectstorage_bucket.secretsquirrel | Ensure OCI Object Storage is encrypted with Customer Managed Key | https://docs.bridgecrew.io/docs/ensure-oci-object-storage-is-encrypted-with-customer-managed-key |
276 | CKV_OCI_8 | /oracle/bucket.tf | oci_objectstorage_bucket.secretsquirrel | Ensure OCI Object Storage has versioning enabled | https://docs.bridgecrew.io/docs/ensure-oci-object-storage-has-versioning-enabled |
277 | CKV_OCI_7 | /oracle/bucket.tf | oci_objectstorage_bucket.secretsquirrel | Ensure OCI Object Storage bucket can emit object events | https://docs.bridgecrew.io/docs/ensure-oci-object-storage-bucket-can-emit-object-events |
278 | CKV_OCI_10 | /oracle/bucket.tf | oci_objectstorage_bucket.secretsquirrel | Ensure OCI Object Storage is not Public | https://docs.bridgecrew.io/docs/ensure-oci-object-storage-is-not-public |
279 | CKV2_AWS_12 | /aws/eks.tf | aws_vpc.eks_vpc | Ensure the default security group of every VPC restricts all traffic | https://docs.bridgecrew.io/docs/networking_4 |
280 | CKV2_AWS_12 | /aws/ec2.tf | aws_vpc.web_vpc | Ensure the default security group of every VPC restricts all traffic | https://docs.bridgecrew.io/docs/networking_4 |
281 | CKV2_AWS_8 | /aws/rds.tf | aws_rds_cluster.app8-rds-cluster | Ensure that RDS clusters has backup plan of AWS Backup | https://docs.bridgecrew.io/docs/ensure-that-rds-clusters-has-backup-plan-of-aws-backup |
282 | CKV2_AWS_8 | /aws/rds.tf | aws_rds_cluster.app4-rds-cluster | Ensure that RDS clusters has backup plan of AWS Backup | https://docs.bridgecrew.io/docs/ensure-that-rds-clusters-has-backup-plan-of-aws-backup |
283 | CKV2_AWS_8 | /aws/rds.tf | aws_rds_cluster.app7-rds-cluster | Ensure that RDS clusters has backup plan of AWS Backup | https://docs.bridgecrew.io/docs/ensure-that-rds-clusters-has-backup-plan-of-aws-backup |
284 | CKV2_AWS_8 | /aws/rds.tf | aws_rds_cluster.app1-rds-cluster | Ensure that RDS clusters has backup plan of AWS Backup | https://docs.bridgecrew.io/docs/ensure-that-rds-clusters-has-backup-plan-of-aws-backup |
285 | CKV2_AWS_8 | /aws/rds.tf | aws_rds_cluster.app3-rds-cluster | Ensure that RDS clusters has backup plan of AWS Backup | https://docs.bridgecrew.io/docs/ensure-that-rds-clusters-has-backup-plan-of-aws-backup |
286 | CKV2_AWS_8 | /aws/rds.tf | aws_rds_cluster.app9-rds-cluster | Ensure that RDS clusters has backup plan of AWS Backup | https://docs.bridgecrew.io/docs/ensure-that-rds-clusters-has-backup-plan-of-aws-backup |
287 | CKV2_AWS_8 | /aws/rds.tf | aws_rds_cluster.app5-rds-cluster | Ensure that RDS clusters has backup plan of AWS Backup | https://docs.bridgecrew.io/docs/ensure-that-rds-clusters-has-backup-plan-of-aws-backup |
288 | CKV2_AWS_8 | /aws/rds.tf | aws_rds_cluster.app6-rds-cluster | Ensure that RDS clusters has backup plan of AWS Backup | https://docs.bridgecrew.io/docs/ensure-that-rds-clusters-has-backup-plan-of-aws-backup |
289 | CKV2_AWS_8 | /aws/rds.tf | aws_rds_cluster.app2-rds-cluster | Ensure that RDS clusters has backup plan of AWS Backup | https://docs.bridgecrew.io/docs/ensure-that-rds-clusters-has-backup-plan-of-aws-backup |
290 | CKV_AWS_145 | /aws/s3.tf | aws_s3_bucket.financials | Ensure that S3 buckets are encrypted with KMS by default | https://docs.bridgecrew.io/docs/ensure-that-s3-buckets-are-encrypted-with-kms-by-default |
291 | CKV_AWS_145 | /aws/s3.tf | aws_s3_bucket.data_science | Ensure that S3 buckets are encrypted with KMS by default | https://docs.bridgecrew.io/docs/ensure-that-s3-buckets-are-encrypted-with-kms-by-default |
292 | CKV_AWS_145 | /aws/s3.tf | aws_s3_bucket.data | Ensure that S3 buckets are encrypted with KMS by default | https://docs.bridgecrew.io/docs/ensure-that-s3-buckets-are-encrypted-with-kms-by-default |
293 | CKV_AWS_145 | /aws/ec2.tf | aws_s3_bucket.flowbucket | Ensure that S3 buckets are encrypted with KMS by default | https://docs.bridgecrew.io/docs/ensure-that-s3-buckets-are-encrypted-with-kms-by-default |
294 | CKV_AWS_145 | /aws/s3.tf | aws_s3_bucket.operations | Ensure that S3 buckets are encrypted with KMS by default | https://docs.bridgecrew.io/docs/ensure-that-s3-buckets-are-encrypted-with-kms-by-default |
295 | CKV_AWS_18 | /aws/s3.tf | aws_s3_bucket.financials | Ensure the S3 bucket has access logging enabled | https://docs.bridgecrew.io/docs/s3_13-enable-logging |
296 | CKV_AWS_18 | /aws/s3.tf | aws_s3_bucket.data | Ensure the S3 bucket has access logging enabled | https://docs.bridgecrew.io/docs/s3_13-enable-logging |
297 | CKV_AWS_18 | /aws/ec2.tf | aws_s3_bucket.flowbucket | Ensure the S3 bucket has access logging enabled | https://docs.bridgecrew.io/docs/s3_13-enable-logging |
298 | CKV_AWS_18 | /aws/s3.tf | aws_s3_bucket.operations | Ensure the S3 bucket has access logging enabled | https://docs.bridgecrew.io/docs/s3_13-enable-logging |
299 | CKV_AWS_18 | /aws/s3.tf | aws_s3_bucket.logs | Ensure the S3 bucket has access logging enabled | https://docs.bridgecrew.io/docs/s3_13-enable-logging |
300 | CKV2_AWS_11 | /aws/eks.tf | aws_vpc.eks_vpc | Ensure VPC flow logging is enabled in all VPCs | https://docs.bridgecrew.io/docs/logging_9-enable-vpc-flow-logging |
301 | CKV2_AWS_2 | /aws/ec2.tf | aws_ebs_volume.web_host_storage | Ensure that only encrypted EBS volumes are attached to EC2 instances | https://docs.bridgecrew.io/docs/ensure-that-only-encrypted-ebs-volumes-are-attached-to-ec2-instances |
302 | CKV2_AWS_6 | /aws/s3.tf | aws_s3_bucket.financials | Ensure that S3 bucket has a Public Access block | https://docs.bridgecrew.io/docs/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached |
303 | CKV2_AWS_6 | /aws/s3.tf | aws_s3_bucket.data_science | Ensure that S3 bucket has a Public Access block | https://docs.bridgecrew.io/docs/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached |
304 | CKV2_AWS_6 | /aws/s3.tf | aws_s3_bucket.data | Ensure that S3 bucket has a Public Access block | https://docs.bridgecrew.io/docs/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached |
305 | CKV2_AWS_6 | /aws/ec2.tf | aws_s3_bucket.flowbucket | Ensure that S3 bucket has a Public Access block | https://docs.bridgecrew.io/docs/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached |
306 | CKV2_AWS_6 | /aws/s3.tf | aws_s3_bucket.operations | Ensure that S3 bucket has a Public Access block | https://docs.bridgecrew.io/docs/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached |
307 | CKV2_AWS_6 | /aws/s3.tf | aws_s3_bucket.logs | Ensure that S3 bucket has a Public Access block | https://docs.bridgecrew.io/docs/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached |
308 | CKV_AWS_21 | /aws/s3.tf | aws_s3_bucket.financials | Ensure all data stored in the S3 bucket have versioning enabled | https://docs.bridgecrew.io/docs/s3_16-enable-versioning |
309 | CKV_AWS_21 | /aws/s3.tf | aws_s3_bucket.data | Ensure all data stored in the S3 bucket have versioning enabled | https://docs.bridgecrew.io/docs/s3_16-enable-versioning |
310 | CKV_AWS_21 | /aws/ec2.tf | aws_s3_bucket.flowbucket | Ensure all data stored in the S3 bucket have versioning enabled | https://docs.bridgecrew.io/docs/s3_16-enable-versioning |
311 | CKV2_AZURE_7 | /azure/sql.tf | azurerm_sql_server.example | Ensure that Azure Active Directory Admin is configured | https://docs.bridgecrew.io/docs/ensure-that-azure-active-directory-admin-is-configured |
312 | CKV2_AZURE_1 | /azure/storage.tf | azurerm_storage_account.example | Ensure storage for critical data are encrypted with Customer Managed Key | https://docs.bridgecrew.io/docs/ensure-storage-for-critical-data-are-encrypted-with-customer-managed-key |
313 | CKV2_AZURE_1 | /azure/mssql.tf | azurerm_storage_account.security_storage_account | Ensure storage for critical data are encrypted with Customer Managed Key | https://docs.bridgecrew.io/docs/ensure-storage-for-critical-data-are-encrypted-with-customer-managed-key |
314 | CKV2_AZURE_16 | /azure/sql.tf | azurerm_mysql_server.example | Ensure that MySQL server enables customer-managed key for encryption | https://docs.bridgecrew.io/docs/ensure-that-mysql-server-enables-customer-managed-key-for-encryption |
315 | CKV_AZURE_120 | /azure/application_gateway.tf | azurerm_application_gateway.network | Ensure that Application Gateway enables WAF | https://docs.bridgecrew.io/docs/ensure-that-application-gateway-enables-waf |
316 | CKV_AWS_144 | /aws/s3.tf | aws_s3_bucket.financials | Ensure that S3 bucket has cross-region replication enabled | https://docs.bridgecrew.io/docs/ensure-that-s3-bucket-has-cross-region-replication-enabled |
317 | CKV_AWS_144 | /aws/s3.tf | aws_s3_bucket.data_science | Ensure that S3 bucket has cross-region replication enabled | https://docs.bridgecrew.io/docs/ensure-that-s3-bucket-has-cross-region-replication-enabled |
318 | CKV_AWS_144 | /aws/s3.tf | aws_s3_bucket.data | Ensure that S3 bucket has cross-region replication enabled | https://docs.bridgecrew.io/docs/ensure-that-s3-bucket-has-cross-region-replication-enabled |
319 | CKV_AWS_144 | /aws/ec2.tf | aws_s3_bucket.flowbucket | Ensure that S3 bucket has cross-region replication enabled | https://docs.bridgecrew.io/docs/ensure-that-s3-bucket-has-cross-region-replication-enabled |
320 | CKV_AWS_144 | /aws/s3.tf | aws_s3_bucket.operations | Ensure that S3 bucket has cross-region replication enabled | https://docs.bridgecrew.io/docs/ensure-that-s3-bucket-has-cross-region-replication-enabled |
321 | CKV_AWS_144 | /aws/s3.tf | aws_s3_bucket.logs | Ensure that S3 bucket has cross-region replication enabled | https://docs.bridgecrew.io/docs/ensure-that-s3-bucket-has-cross-region-replication-enabled |
322 | CKV2_AZURE_18 | /azure/storage.tf | azurerm_storage_account.example | Ensure that Storage Accounts use customer-managed key for encryption | https://docs.bridgecrew.io/docs/ensure-that-storage-accounts-use-customer-managed-key-for-encryption |
323 | CKV2_AZURE_18 | /azure/mssql.tf | azurerm_storage_account.security_storage_account | Ensure that Storage Accounts use customer-managed key for encryption | https://docs.bridgecrew.io/docs/ensure-that-storage-accounts-use-customer-managed-key-for-encryption |
324 | CKV_AWS_19 | /aws/s3.tf | aws_s3_bucket.financials | Ensure all data stored in the S3 bucket is securely encrypted at rest | https://docs.bridgecrew.io/docs/s3_14-data-encrypted-at-rest |
325 | CKV_AWS_19 | /aws/s3.tf | aws_s3_bucket.data_science | Ensure all data stored in the S3 bucket is securely encrypted at rest | https://docs.bridgecrew.io/docs/s3_14-data-encrypted-at-rest |
326 | CKV_AWS_19 | /aws/s3.tf | aws_s3_bucket.data | Ensure all data stored in the S3 bucket is securely encrypted at rest | https://docs.bridgecrew.io/docs/s3_14-data-encrypted-at-rest |
327 | CKV_AWS_19 | /aws/ec2.tf | aws_s3_bucket.flowbucket | Ensure all data stored in the S3 bucket is securely encrypted at rest | https://docs.bridgecrew.io/docs/s3_14-data-encrypted-at-rest |
328 | CKV_AWS_19 | /aws/s3.tf | aws_s3_bucket.operations | Ensure all data stored in the S3 bucket is securely encrypted at rest | https://docs.bridgecrew.io/docs/s3_14-data-encrypted-at-rest |
329 | CKV_AZURE_24 | /azure/sql.tf | azurerm_sql_server.example | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | https://docs.bridgecrew.io/docs/bc_azr_logging_3 |
330 | CKV_AZURE_24 | /azure/mssql.tf | azurerm_mssql_server.mssql5 | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | https://docs.bridgecrew.io/docs/bc_azr_logging_3 |
331 | CKV_AZURE_24 | /azure/mssql.tf | azurerm_mssql_server.mssql1 | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | https://docs.bridgecrew.io/docs/bc_azr_logging_3 |
332 | CKV_AZURE_24 | /azure/mssql.tf | azurerm_mssql_server.mssql6 | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | https://docs.bridgecrew.io/docs/bc_azr_logging_3 |
333 | CKV_AZURE_24 | /azure/mssql.tf | azurerm_mssql_server.mssql2 | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | https://docs.bridgecrew.io/docs/bc_azr_logging_3 |
334 | CKV_AZURE_24 | /azure/mssql.tf | azurerm_mssql_server.mssql4 | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | https://docs.bridgecrew.io/docs/bc_azr_logging_3 |
335 | CKV_AZURE_24 | /azure/mssql.tf | azurerm_mssql_server.mssql7 | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | https://docs.bridgecrew.io/docs/bc_azr_logging_3 |
336 | CKV_AZURE_24 | /azure/mssql.tf | azurerm_mssql_server.mssql3 | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | https://docs.bridgecrew.io/docs/bc_azr_logging_3 |
337 | CKV_AZURE_23 | /azure/sql.tf | azurerm_sql_server.example | Ensure that 'Auditing' is set to 'On' for SQL servers | https://docs.bridgecrew.io/docs/bc_azr_logging_2 |
338 | CKV_AZURE_23 | /azure/mssql.tf | azurerm_mssql_server.mssql5 | Ensure that 'Auditing' is set to 'On' for SQL servers | https://docs.bridgecrew.io/docs/bc_azr_logging_2 |
339 | CKV_AZURE_23 | /azure/mssql.tf | azurerm_mssql_server.mssql1 | Ensure that 'Auditing' is set to 'On' for SQL servers | https://docs.bridgecrew.io/docs/bc_azr_logging_2 |
340 | CKV_AZURE_23 | /azure/mssql.tf | azurerm_mssql_server.mssql6 | Ensure that 'Auditing' is set to 'On' for SQL servers | https://docs.bridgecrew.io/docs/bc_azr_logging_2 |
341 | CKV_AZURE_23 | /azure/mssql.tf | azurerm_mssql_server.mssql2 | Ensure that 'Auditing' is set to 'On' for SQL servers | https://docs.bridgecrew.io/docs/bc_azr_logging_2 |
342 | CKV_AZURE_23 | /azure/mssql.tf | azurerm_mssql_server.mssql4 | Ensure that 'Auditing' is set to 'On' for SQL servers | https://docs.bridgecrew.io/docs/bc_azr_logging_2 |
343 | CKV_AZURE_23 | /azure/mssql.tf | azurerm_mssql_server.mssql7 | Ensure that 'Auditing' is set to 'On' for SQL servers | https://docs.bridgecrew.io/docs/bc_azr_logging_2 |
344 | CKV_AZURE_23 | /azure/mssql.tf | azurerm_mssql_server.mssql3 | Ensure that 'Auditing' is set to 'On' for SQL servers | https://docs.bridgecrew.io/docs/bc_azr_logging_2 |

| | check_id | file | resource | check_name | guideline |
|---|---|---|---|---|---|
0 | CKV_DOCKER_3 | /aws/resources/Dockerfile | /aws/resources/Dockerfile. | Ensure that a user for the container has been created | https://docs.bridgecrew.io/docs/ensure-that-a-user-for-the-container-has-been-created |
1 | CKV_DOCKER_2 | /aws/resources/Dockerfile | /aws/resources/Dockerfile. | Ensure that HEALTHCHECK instructions have been added to container images | https://docs.bridgecrew.io/docs/ensure-that-healthcheck-instructions-have-been-added-to-container-images |

| | check_id | file | resource | check_name | guideline |
|---|---|---|---|---|---|
0 | CKV_SECRET_2 | /aws/lambda.tf | 25910f981e85ca04baf359199dd0bd4a3ae738b6 | AWS Access Key | https://docs.bridgecrew.io/docs/git_secrets_2 |
1 | CKV_SECRET_6 | /aws/lambda.tf | d70eab08607a4d05faa2d0d6647206599e9abc65 | Base64 High Entropy String | https://docs.bridgecrew.io/docs/git_secrets_6 |
2 | CKV_SECRET_2 | /aws/providers.tf | 25910f981e85ca04baf359199dd0bd4a3ae738b6 | AWS Access Key | https://docs.bridgecrew.io/docs/git_secrets_2 |
3 | CKV_SECRET_6 | /aws/providers.tf | d70eab08607a4d05faa2d0d6647206599e9abc65 | Base64 High Entropy String | https://docs.bridgecrew.io/docs/git_secrets_6 |
4 | CKV_SECRET_6 | /azure/sql.tf | a57ae0fe47084bc8a05f69f3f8083896f8b437b0 | Base64 High Entropy String | https://docs.bridgecrew.io/docs/git_secrets_6 |