-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathchecks.txt
2008 lines (2006 loc) · 740 KB
/
checks.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
| | Id | Type | Entity | Policy | IaC |
|------|------------------------|----------------------------------|------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------|
| 0 | CKV_ALI_1 | resource | alicloud_oss_bucket | Alibaba Cloud OSS bucket accessible to public | Terraform |
| 1 | CKV_ALI_2 | resource | alicloud_security_group_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Terraform |
| 2 | CKV_ALI_3 | resource | alicloud_security_group_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Terraform |
| 3 | CKV_ALI_4 | resource | alicloud_actiontrail_trail | Ensure Action Trail Logging for all regions | Terraform |
| 4 | CKV_ALI_5 | resource | alicloud_actiontrail_trail | Ensure Action Trail Logging for all events | Terraform |
| 5 | CKV_ALI_6 | resource | alicloud_oss_bucket | Ensure OSS bucket is encrypted with Customer Master Key | Terraform |
| 6 | CKV_ALI_7 | resource | alicloud_disk | Ensure disk is encrypted | Terraform |
| 7 | CKV_ALI_8 | resource | alicloud_disk | Ensure Disk is encrypted with Customer Master Key | Terraform |
| 8 | CKV_ALI_9 | resource | alicloud_db_instance | Ensure database instance is not public | Terraform |
| 9 | CKV_ALI_10 | resource | alicloud_oss_bucket | Ensure OSS bucket has versioning enabled | Terraform |
| 10 | CKV_ALI_11 | resource | alicloud_oss_bucket | Ensure OSS bucket has transfer Acceleration enabled | Terraform |
| 11 | CKV_ALI_12 | resource | alicloud_oss_bucket | Ensure the OSS bucket has access logging enabled | Terraform |
| 12 | CKV_ALI_13 | resource | alicloud_ram_account_password_policy | Ensure RAM password policy requires minimum length of 14 or greater | Terraform |
| 13 | CKV_ALI_14 | resource | alicloud_ram_account_password_policy | Ensure RAM password policy requires at least one number | Terraform |
| 14 | CKV_ALI_15 | resource | alicloud_ram_account_password_policy | Ensure RAM password policy requires at least one symbol | Terraform |
| 15 | CKV_ALI_16 | resource | alicloud_ram_account_password_policy | Ensure RAM password policy expires passwords within 90 days or less | Terraform |
| 16 | CKV_ALI_17 | resource | alicloud_ram_account_password_policy | Ensure RAM password policy requires at least one lowercase letter | Terraform |
| 17 | CKV_ALI_18 | resource | alicloud_ram_account_password_policy | Ensure RAM password policy prevents password reuse | Terraform |
| 18 | CKV_ALI_19 | resource | alicloud_ram_account_password_policy | Ensure RAM password policy requires at least one uppercase letter | Terraform |
| 19 | CKV_ALI_20 | resource | alicloud_db_instance | Ensure RDS instance uses SSL | Terraform |
| 20 | CKV_ALI_22 | resource | alicloud_db_instance | Ensure Transparent Data Encryption is Enabled on instance | Terraform |
| 21 | CKV_ALI_23 | resource | alicloud_ram_account_password_policy | Ensure Ram Account Password Policy Max Login Attempts not > 5 | Terraform |
| 22 | CKV_AWS_1 | data | aws_iam_policy_document | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform |
| 23 | CKV_AWS_1 | resource | serverless_aws | Ensure IAM policies that allow full "*-*" administrative privileges are not created | serverless |
| 24 | CKV_AWS_2 | resource | AWS::ElasticLoadBalancingV2::Listener | Ensure ALB protocol is HTTPS | Cloudformation |
| 25 | CKV_AWS_2 | resource | aws_alb_listener | Ensure ALB protocol is HTTPS | Terraform |
| 26 | CKV_AWS_2 | resource | aws_lb_listener | Ensure ALB protocol is HTTPS | Terraform |
| 27 | CKV_AWS_3 | resource | AWS::EC2::Volume | Ensure all data stored in the EBS is securely encrypted | Cloudformation |
| 28 | CKV_AWS_3 | resource | aws_ebs_volume | Ensure all data stored in the EBS is securely encrypted | Terraform |
| 29 | CKV_AWS_5 | resource | AWS::Elasticsearch::Domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Cloudformation |
| 30 | CKV_AWS_5 | resource | aws_elasticsearch_domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Terraform |
| 31 | CKV_AWS_6 | resource | AWS::Elasticsearch::Domain | Ensure all Elasticsearch has node-to-node encryption enabled | Cloudformation |
| 32 | CKV_AWS_6 | resource | aws_elasticsearch_domain | Ensure all Elasticsearch has node-to-node encryption enabled | Terraform |
| 33 | CKV_AWS_7 | resource | AWS::KMS::Key | Ensure rotation for customer created CMKs is enabled | Cloudformation |
| 34 | CKV_AWS_7 | resource | aws_kms_key | Ensure rotation for customer created CMKs is enabled | Terraform |
| 35 | CKV_AWS_8 | resource | AWS::AutoScaling::LaunchConfiguration | Ensure all data stored in the Launch configuration EBS is securely encrypted | Cloudformation |
| 36 | CKV_AWS_8 | resource | aws_instance | Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted | Terraform |
| 37 | CKV_AWS_8 | resource | aws_launch_configuration | Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted | Terraform |
| 38 | CKV_AWS_9 | resource | aws_iam_account_password_policy | Ensure IAM password policy expires passwords within 90 days or less | Terraform |
| 39 | CKV_AWS_10 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires minimum length of 14 or greater | Terraform |
| 40 | CKV_AWS_11 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires at least one lowercase letter | Terraform |
| 41 | CKV_AWS_12 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires at least one number | Terraform |
| 42 | CKV_AWS_13 | resource | aws_iam_account_password_policy | Ensure IAM password policy prevents password reuse | Terraform |
| 43 | CKV_AWS_14 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires at least one symbol | Terraform |
| 44 | CKV_AWS_15 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires at least one uppercase letter | Terraform |
| 45 | CKV_AWS_16 | resource | AWS::RDS::DBInstance | Ensure all data stored in the RDS is securely encrypted at rest | Cloudformation |
| 46 | CKV_AWS_16 | resource | aws_db_instance | Ensure all data stored in the RDS is securely encrypted at rest | Terraform |
| 47 | CKV_AWS_17 | resource | AWS::RDS::DBInstance | Ensure all data stored in RDS is not publicly accessible | Cloudformation |
| 48 | CKV_AWS_17 | resource | aws_db_instance | Ensure all data stored in RDS is not publicly accessible | Terraform |
| 49 | CKV_AWS_17 | resource | aws_rds_cluster_instance | Ensure all data stored in RDS is not publicly accessible | Terraform |
| 50 | CKV_AWS_18 | resource | AWS::S3::Bucket | Ensure the S3 bucket has access logging enabled | Cloudformation |
| 51 | CKV_AWS_18 | resource | aws_s3_bucket | Ensure the S3 bucket has access logging enabled | Terraform |
| 52 | CKV_AWS_18 | resource | aws_s3_bucket | Ensure the S3 bucket has access logging enabled | Terraform |
| 53 | CKV_AWS_19 | resource | AWS::S3::Bucket | Ensure the S3 bucket has server-side-encryption enabled | Cloudformation |
| 54 | CKV_AWS_19 | resource | aws_s3_bucket | Ensure all data stored in the S3 bucket is securely encrypted at rest | Terraform |
| 55 | CKV_AWS_19 | resource | aws_s3_bucket | Ensure all data stored in the S3 bucket is securely encrypted at rest | Terraform |
| 56 | CKV_AWS_19 | resource | aws_s3_bucket_server_side_encryption_configuration | Ensure all data stored in the S3 bucket is securely encrypted at rest | Terraform |
| 57 | CKV_AWS_20 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow READ permissions to everyone | Cloudformation |
| 58 | CKV_AWS_20 | resource | aws_s3_bucket | S3 Bucket has an ACL defined which allows public READ access. | Terraform |
| 59 | CKV_AWS_20 | resource | aws_s3_bucket | S3 Bucket has an ACL defined which allows public READ access. | Terraform |
| 60 | CKV_AWS_20 | resource | aws_s3_bucket_acl | S3 Bucket has an ACL defined which allows public READ access. | Terraform |
| 61 | CKV_AWS_21 | resource | AWS::S3::Bucket | Ensure the S3 bucket has versioning enabled | Cloudformation |
| 62 | CKV_AWS_21 | resource | aws_s3_bucket | Ensure all data stored in the S3 bucket have versioning enabled | Terraform |
| 63 | CKV_AWS_21 | resource | aws_s3_bucket | Ensure all data stored in the S3 bucket have versioning enabled | Terraform |
| 64 | CKV_AWS_21 | resource | aws_s3_bucket_versioning | Ensure all data stored in the S3 bucket have versioning enabled | Terraform |
| 65 | CKV_AWS_22 | resource | aws_sagemaker_notebook_instance | Ensure SageMaker Notebook is encrypted at rest using KMS CMK | Terraform |
| 66 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroup | Ensure every security groups rule has a description | Cloudformation |
| 67 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupEgress | Ensure every security groups rule has a description | Cloudformation |
| 68 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupIngress | Ensure every security groups rule has a description | Cloudformation |
| 69 | CKV_AWS_23 | resource | aws_db_security_group | Ensure every security groups rule has a description | Terraform |
| 70 | CKV_AWS_23 | resource | aws_elasticache_security_group | Ensure every security groups rule has a description | Terraform |
| 71 | CKV_AWS_23 | resource | aws_redshift_security_group | Ensure every security groups rule has a description | Terraform |
| 72 | CKV_AWS_23 | resource | aws_security_group | Ensure every security groups rule has a description | Terraform |
| 73 | CKV_AWS_23 | resource | aws_security_group_rule | Ensure every security groups rule has a description | Terraform |
| 74 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation |
| 75 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation |
| 76 | CKV_AWS_24 | resource | aws_security_group | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Terraform |
| 77 | CKV_AWS_24 | resource | aws_security_group_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Terraform |
| 78 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation |
| 79 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation |
| 80 | CKV_AWS_25 | resource | aws_security_group | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Terraform |
| 81 | CKV_AWS_25 | resource | aws_security_group_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Terraform |
| 82 | CKV_AWS_26 | resource | AWS::SNS::Topic | Ensure all data stored in the SNS topic is encrypted | Cloudformation |
| 83 | CKV_AWS_26 | resource | aws_sns_topic | Ensure all data stored in the SNS topic is encrypted | Terraform |
| 84 | CKV_AWS_27 | resource | AWS::SQS::Queue | Ensure all data stored in the SQS queue is encrypted | Cloudformation |
| 85 | CKV_AWS_27 | resource | aws_sqs_queue | Ensure all data stored in the SQS queue is encrypted | Terraform |
| 86 | CKV_AWS_28 | resource | AWS::DynamoDB::Table | Ensure Dynamodb point in time recovery (backup) is enabled | Cloudformation |
| 87 | CKV_AWS_28 | resource | aws_dynamodb_table | Ensure Dynamodb point in time recovery (backup) is enabled | Terraform |
| 88 | CKV_AWS_29 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at rest | Cloudformation |
| 89 | CKV_AWS_29 | resource | aws_elasticache_replication_group | Ensure all data stored in the Elasticache Replication Group is securely encrypted at rest | Terraform |
| 90 | CKV_AWS_30 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit | Cloudformation |
| 91 | CKV_AWS_30 | resource | aws_elasticache_replication_group | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit | Terraform |
| 92 | CKV_AWS_31 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit and has auth token | Cloudformation |
| 93 | CKV_AWS_31 | resource | aws_elasticache_replication_group | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit and has auth token | Terraform |
| 94 | CKV_AWS_32 | resource | AWS::ECR::Repository | Ensure ECR policy is not set to public | Cloudformation |
| 95 | CKV_AWS_32 | resource | aws_ecr_repository_policy | Ensure ECR policy is not set to public | Terraform |
| 96 | CKV_AWS_33 | resource | AWS::KMS::Key | Ensure KMS key policy does not contain wildcard (*) principal | Cloudformation |
| 97 | CKV_AWS_33 | resource | aws_kms_key | Ensure KMS key policy does not contain wildcard (*) principal | Terraform |
| 98 | CKV_AWS_34 | resource | AWS::CloudFront::Distribution | Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS | Cloudformation |
| 99 | CKV_AWS_34 | resource | aws_cloudfront_distribution | Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS | Terraform |
| 100 | CKV_AWS_35 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | Cloudformation |
| 101 | CKV_AWS_35 | resource | aws_cloudtrail | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | Terraform |
| 102 | CKV_AWS_36 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail log file validation is enabled | Cloudformation |
| 103 | CKV_AWS_36 | resource | aws_cloudtrail | Ensure CloudTrail log file validation is enabled | Terraform |
| 104 | CKV_AWS_37 | resource | aws_eks_cluster | Ensure Amazon EKS control plane logging enabled for all log types | Terraform |
| 105 | CKV_AWS_38 | resource | aws_eks_cluster | Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0 | Terraform |
| 106 | CKV_AWS_39 | resource | aws_eks_cluster | Ensure Amazon EKS public endpoint disabled | Terraform |
| 107 | CKV_AWS_40 | resource | AWS::IAM::Policy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Cloudformation |
| 108 | CKV_AWS_40 | resource | aws_iam_policy_attachment | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Terraform |
| 109 | CKV_AWS_40 | resource | aws_iam_user_policy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Terraform |
| 110 | CKV_AWS_40 | resource | aws_iam_user_policy_attachment | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Terraform |
| 111 | CKV_AWS_41 | provider | aws | Ensure no hard coded AWS access key and secret key exists in provider | Terraform |
| 112 | CKV_AWS_41 | resource | serverless_aws | Ensure no hard coded AWS access key and secret key exists in provider | serverless |
| 113 | CKV_AWS_42 | resource | AWS::EFS::FileSystem | Ensure EFS is securely encrypted | Cloudformation |
| 114 | CKV_AWS_42 | resource | aws_efs_file_system | Ensure EFS is securely encrypted | Terraform |
| 115 | CKV_AWS_43 | resource | AWS::Kinesis::Stream | Ensure Kinesis Stream is securely encrypted | Cloudformation |
| 116 | CKV_AWS_43 | resource | aws_kinesis_stream | Ensure Kinesis Stream is securely encrypted | Terraform |
| 117 | CKV_AWS_44 | resource | AWS::Neptune::DBCluster | Ensure Neptune storage is securely encrypted | Cloudformation |
| 118 | CKV_AWS_44 | resource | aws_neptune_cluster | Ensure Neptune storage is securely encrypted | Terraform |
| 119 | CKV_AWS_45 | resource | AWS::Lambda::Function | Ensure no hard-coded secrets exist in lambda environment | Cloudformation |
| 120 | CKV_AWS_45 | resource | AWS::Serverless::Function | Ensure no hard-coded secrets exist in lambda environment | Cloudformation |
| 121 | CKV_AWS_45 | resource | aws_lambda_function | Ensure no hard-coded secrets exist in lambda environment | Terraform |
| 122 | CKV_AWS_46 | resource | AWS::EC2::Instance | Ensure no hard-coded secrets exist in EC2 user data | Cloudformation |
| 123 | CKV_AWS_46 | resource | aws_instance | Ensure no hard-coded secrets exist in EC2 user data | Terraform |
| 124 | CKV_AWS_47 | resource | AWS::DAX::Cluster | Ensure DAX is encrypted at rest (default is unencrypted) | Cloudformation |
| 125 | CKV_AWS_47 | resource | aws_dax_cluster | Ensure DAX is encrypted at rest (default is unencrypted) | Terraform |
| 126 | CKV_AWS_48 | resource | aws_mq_broker | Ensure MQ Broker logging is enabled | Terraform |
| 127 | CKV_AWS_49 | data | aws_iam_policy_document | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform |
| 128 | CKV_AWS_49 | resource | serverless_aws | Ensure no IAM policies documents allow "*" as a statement's actions | serverless |
| 129 | CKV_AWS_50 | resource | aws_lambda_function | X-ray tracing is enabled for Lambda | Terraform |
| 130 | CKV_AWS_51 | resource | AWS::ECR::Repository | Ensure ECR Image Tags are immutable | Cloudformation |
| 131 | CKV_AWS_51 | resource | aws_ecr_repository | Ensure ECR Image Tags are immutable | Terraform |
| 132 | CKV_AWS_53 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public ACLS enabled | Cloudformation |
| 133 | CKV_AWS_53 | resource | aws_s3_bucket_public_access_block | Ensure S3 bucket has block public ACLS enabled | Terraform |
| 134 | CKV_AWS_54 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public policy enabled | Cloudformation |
| 135 | CKV_AWS_54 | resource | aws_s3_bucket_public_access_block | Ensure S3 bucket has block public policy enabled | Terraform |
| 136 | CKV_AWS_55 | resource | AWS::S3::Bucket | Ensure S3 bucket has ignore public ACLs enabled | Cloudformation |
| 137 | CKV_AWS_55 | resource | aws_s3_bucket_public_access_block | Ensure S3 bucket has ignore public ACLs enabled | Terraform |
| 138 | CKV_AWS_56 | resource | AWS::S3::Bucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | Cloudformation |
| 139 | CKV_AWS_56 | resource | aws_s3_bucket_public_access_block | Ensure S3 bucket has 'restrict_public_bucket' enabled | Terraform |
| 140 | CKV_AWS_57 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow WRITE permissions to everyone | Cloudformation |
| 141 | CKV_AWS_57 | resource | aws_s3_bucket | S3 Bucket has an ACL defined which allows public WRITE access. | Terraform |
| 142 | CKV_AWS_57 | resource | aws_s3_bucket | S3 Bucket has an ACL defined which allows public WRITE access. | Terraform |
| 143 | CKV_AWS_57 | resource | aws_s3_bucket_acl | S3 Bucket has an ACL defined which allows public WRITE access. | Terraform |
| 144 | CKV_AWS_58 | resource | AWS::EKS::Cluster | Ensure EKS Cluster has Secrets Encryption Enabled | Cloudformation |
| 145 | CKV_AWS_58 | resource | aws_eks_cluster | Ensure EKS Cluster has Secrets Encryption Enabled | Terraform |
| 146 | CKV_AWS_59 | resource | AWS::ApiGateway::Method | Ensure there is no open access to back-end resources through API | Cloudformation |
| 147 | CKV_AWS_59 | resource | aws_api_gateway_method | Ensure there is no open access to back-end resources through API | Terraform |
| 148 | CKV_AWS_60 | resource | AWS::IAM::Role | Ensure IAM role allows only specific services or principals to assume it | Cloudformation |
| 149 | CKV_AWS_60 | resource | aws_iam_role | Ensure IAM role allows only specific services or principals to assume it | Terraform |
| 150 | CKV_AWS_61 | resource | AWS::IAM::Role | Ensure IAM role allows only specific principals in account to assume it | Cloudformation |
| 151 | CKV_AWS_61 | resource | aws_iam_role | Ensure IAM role allows only specific principals in account to assume it | Terraform |
| 152 | CKV_AWS_62 | resource | AWS::IAM::Group | Ensure no IAM policies that allow full "*-*" administrative privileges are not created | Cloudformation |
| 153 | CKV_AWS_62 | resource | AWS::IAM::Policy | Ensure no IAM policies that allow full "*-*" administrative privileges are not created | Cloudformation |
| 154 | CKV_AWS_62 | resource | AWS::IAM::Role | Ensure no IAM policies that allow full "*-*" administrative privileges are not created | Cloudformation |
| 155 | CKV_AWS_62 | resource | AWS::IAM::User | Ensure no IAM policies that allow full "*-*" administrative privileges are not created | Cloudformation |
| 156 | CKV_AWS_62 | resource | aws_iam_group_policy | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform |
| 157 | CKV_AWS_62 | resource | aws_iam_policy | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform |
| 158 | CKV_AWS_62 | resource | aws_iam_role_policy | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform |
| 159 | CKV_AWS_62 | resource | aws_iam_user_policy | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform |
| 160 | CKV_AWS_62 | resource | aws_ssoadmin_permission_set_inline_policy | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform |
| 161 | CKV_AWS_63 | resource | AWS::IAM::Group | Ensure no IAM policies documents allow "*" as a statement's actions | Cloudformation |
| 162 | CKV_AWS_63 | resource | AWS::IAM::Policy | Ensure no IAM policies documents allow "*" as a statement's actions | Cloudformation |
| 163 | CKV_AWS_63 | resource | AWS::IAM::Role | Ensure no IAM policies documents allow "*" as a statement's actions | Cloudformation |
| 164 | CKV_AWS_63 | resource | AWS::IAM::User | Ensure no IAM policies documents allow "*" as a statement's actions | Cloudformation |
| 165 | CKV_AWS_63 | resource | aws_iam_group_policy | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform |
| 166 | CKV_AWS_63 | resource | aws_iam_policy | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform |
| 167 | CKV_AWS_63 | resource | aws_iam_role_policy | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform |
| 168 | CKV_AWS_63 | resource | aws_iam_user_policy | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform |
| 169 | CKV_AWS_63 | resource | aws_ssoadmin_permission_set_inline_policy | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform |
| 170 | CKV_AWS_64 | resource | AWS::Redshift::Cluster | Ensure all data stored in the Redshift cluster is securely encrypted at rest | Cloudformation |
| 171 | CKV_AWS_64 | resource | aws_redshift_cluster | Ensure all data stored in the Redshift cluster is securely encrypted at rest | Terraform |
| 172 | CKV_AWS_65 | resource | AWS::ECS::Cluster | Ensure container insights are enabled on ECS cluster | Cloudformation |
| 173 | CKV_AWS_65 | resource | aws_ecs_cluster | Ensure container insights are enabled on ECS cluster | Terraform |
| 174 | CKV_AWS_66 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group specifies retention days | Cloudformation |
| 175 | CKV_AWS_66 | resource | aws_cloudwatch_log_group | Ensure that CloudWatch Log Group specifies retention days | Terraform |
| 176 | CKV_AWS_67 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail is enabled in all Regions | Cloudformation |
| 177 | CKV_AWS_67 | resource | aws_cloudtrail | Ensure CloudTrail is enabled in all Regions | Terraform |
| 178 | CKV_AWS_68 | resource | AWS::CloudFront::Distribution | CloudFront Distribution should have WAF enabled | Cloudformation |
| 179 | CKV_AWS_68 | resource | aws_cloudfront_distribution | CloudFront Distribution should have WAF enabled | Terraform |
| 180 | CKV_AWS_69 | resource | AWS::AmazonMQ::Broker | Ensure Amazon MQ Broker should not have public access | Cloudformation |
| 181 | CKV_AWS_69 | resource | aws_mq_broker | Ensure MQ Broker is not publicly exposed | Terraform |
| 182 | CKV_AWS_70 | resource | aws_s3_bucket | Ensure S3 bucket does not allow an action with any Principal | Terraform |
| 183 | CKV_AWS_70 | resource | aws_s3_bucket_policy | Ensure S3 bucket does not allow an action with any Principal | Terraform |
| 184 | CKV_AWS_71 | resource | AWS::Redshift::Cluster | Ensure Redshift Cluster logging is enabled | Cloudformation |
| 185 | CKV_AWS_71 | resource | aws_redshift_cluster | Ensure Redshift Cluster logging is enabled | Terraform |
| 186 | CKV_AWS_72 | resource | aws_sqs_queue_policy | Ensure SQS policy does not allow ALL (*) actions. | Terraform |
| 187 | CKV_AWS_73 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has X-Ray Tracing enabled | Cloudformation |
| 188 | CKV_AWS_73 | resource | AWS::Serverless::Api | Ensure API Gateway has X-Ray Tracing enabled | Cloudformation |
| 189 | CKV_AWS_73 | resource | aws_api_gateway_stage | Ensure API Gateway has X-Ray Tracing enabled | Terraform |
| 190 | CKV_AWS_74 | resource | AWS::DocDB::DBCluster | Ensure DocDB is encrypted at rest (default is unencrypted) | Cloudformation |
| 191 | CKV_AWS_74 | resource | aws_docdb_cluster | Ensure DocDB is encrypted at rest (default is unencrypted) | Terraform |
| 192 | CKV_AWS_75 | resource | aws_globalaccelerator_accelerator | Ensure Global Accelerator accelerator has flow logs enabled | Terraform |
| 193 | CKV_AWS_76 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has Access Logging enabled | Cloudformation |
| 194 | CKV_AWS_76 | resource | AWS::Serverless::Api | Ensure API Gateway has Access Logging enabled | Cloudformation |
| 195 | CKV_AWS_76 | resource | aws_api_gateway_stage | Ensure API Gateway has Access Logging enabled | Terraform |
| 196 | CKV_AWS_76 | resource | aws_apigatewayv2_stage | Ensure API Gateway has Access Logging enabled | Terraform |
| 197 | CKV_AWS_77 | resource | aws_athena_database | Ensure Athena Database is encrypted at rest (default is unencrypted) | Terraform |
| 198 | CKV_AWS_78 | resource | AWS::CodeBuild::Project | Ensure that CodeBuild Project encryption is not disabled | Cloudformation |
| 199 | CKV_AWS_78 | resource | aws_codebuild_project | Ensure that CodeBuild Project encryption is not disabled | Terraform |
| 200 | CKV_AWS_79 | resource | AWS::EC2::LaunchTemplate | Ensure Instance Metadata Service Version 1 is not enabled | Cloudformation |
| 201 | CKV_AWS_79 | resource | aws_instance | Ensure Instance Metadata Service Version 1 is not enabled | Terraform |
| 202 | CKV_AWS_79 | resource | aws_launch_configuration | Ensure Instance Metadata Service Version 1 is not enabled | Terraform |
| 203 | CKV_AWS_79 | resource | aws_launch_template | Ensure Instance Metadata Service Version 1 is not enabled | Terraform |
| 204 | CKV_AWS_80 | resource | aws_msk_cluster | Ensure MSK Cluster logging is enabled | Terraform |
| 205 | CKV_AWS_81 | resource | aws_msk_cluster | Ensure MSK Cluster encryption in rest and transit is enabled | Terraform |
| 206 | CKV_AWS_82 | resource | AWS::Athena::WorkGroup | Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption | Cloudformation |
| 207 | CKV_AWS_82 | resource | aws_athena_workgroup | Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption | Terraform |
| 208 | CKV_AWS_83 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain enforces HTTPS | Cloudformation |
| 209 | CKV_AWS_83 | resource | aws_elasticsearch_domain | Ensure Elasticsearch Domain enforces HTTPS | Terraform |
| 210 | CKV_AWS_84 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain Logging is enabled | Cloudformation |
| 211 | CKV_AWS_84 | resource | aws_elasticsearch_domain | Ensure Elasticsearch Domain Logging is enabled | Terraform |
| 212 | CKV_AWS_85 | resource | AWS::DocDB::DBCluster | Ensure DocDB Logging is enabled | Cloudformation |
| 213 | CKV_AWS_85 | resource | aws_docdb_cluster | Ensure DocDB Logging is enabled | Terraform |
| 214 | CKV_AWS_86 | resource | AWS::CloudFront::Distribution | Ensure Cloudfront distribution has Access Logging enabled | Cloudformation |
| 215 | CKV_AWS_86 | resource | aws_cloudfront_distribution | Ensure Cloudfront distribution has Access Logging enabled | Terraform |
| 216 | CKV_AWS_87 | resource | AWS::Redshift::Cluster | Redshift cluster should not be publicly accessible | Cloudformation |
| 217 | CKV_AWS_87 | resource | aws_redshift_cluster | Redshift cluster should not be publicly accessible | Terraform |
| 218 | CKV_AWS_88 | resource | AWS::EC2::Instance | EC2 instance should not have public IP. | Cloudformation |
| 219 | CKV_AWS_88 | resource | AWS::EC2::LaunchTemplate | EC2 instance should not have public IP. | Cloudformation |
| 220 | CKV_AWS_88 | resource | aws_instance | EC2 instance should not have public IP. | Terraform |
| 221 | CKV_AWS_88 | resource | aws_launch_template | EC2 instance should not have public IP. | Terraform |
| 222 | CKV_AWS_89 | resource | AWS::DMS::ReplicationInstance | DMS replication instance should not be publicly accessible | Cloudformation |
| 223 | CKV_AWS_89 | resource | aws_dms_replication_instance | DMS replication instance should not be publicly accessible | Terraform |
| 224 | CKV_AWS_90 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB TLS is not disabled | Cloudformation |
| 225 | CKV_AWS_90 | resource | aws_docdb_cluster_parameter_group | Ensure DocDB TLS is not disabled | Terraform |
| 226 | CKV_AWS_91 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure the ELBv2 (Application/Network) has access logging enabled | Cloudformation |
| 227 | CKV_AWS_91 | resource | aws_alb | Ensure the ELBv2 (Application/Network) has access logging enabled | Terraform |
| 228 | CKV_AWS_91 | resource | aws_lb | Ensure the ELBv2 (Application/Network) has access logging enabled | Terraform |
| 229 | CKV_AWS_92 | resource | AWS::ElasticLoadBalancing::LoadBalancer | Ensure the ELB has access logging enabled | Cloudformation |
| 230 | CKV_AWS_92 | resource | aws_elb | Ensure the ELB has access logging enabled | Terraform |
| 231 | CKV_AWS_93 | resource | aws_s3_bucket | Ensure S3 bucket policy does not lockout all but root user. (Prevent lockouts needing root account fixes) | Terraform |
| 232 | CKV_AWS_93 | resource | aws_s3_bucket_policy | Ensure S3 bucket policy does not lockout all but root user. (Prevent lockouts needing root account fixes) | Terraform |
| 233 | CKV_AWS_94 | resource | AWS::Glue::DataCatalogEncryptionSettings | Ensure Glue Data Catalog Encryption is enabled | Cloudformation |
| 234 | CKV_AWS_94 | resource | aws_glue_data_catalog_encryption_settings | Ensure Glue Data Catalog Encryption is enabled | Terraform |
| 235 | CKV_AWS_95 | resource | AWS::ApiGatewayV2::Stage | Ensure API Gateway V2 has Access Logging enabled | Cloudformation |
| 236 | CKV_AWS_95 | resource | AWS::Serverless::HttpApi | Ensure API Gateway V2 has Access Logging enabled | Cloudformation |
| 237 | CKV_AWS_96 | resource | AWS::RDS::DBCluster | Ensure all data stored in Aurora is securely encrypted at rest | Cloudformation |
| 238 | CKV_AWS_96 | resource | aws_rds_cluster | Ensure all data stored in Aurora is securely encrypted at rest | Terraform |
| 239 | CKV_AWS_97 | resource | AWS::ECS::TaskDefinition | Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions | Cloudformation |
| 240 | CKV_AWS_97 | resource | aws_ecs_task_definition | Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions | Terraform |
| 241 | CKV_AWS_98 | resource | aws_sagemaker_endpoint_configuration | Ensure all data stored in the Sagemaker Endpoint is securely encrypted at rest | Terraform |
| 242 | CKV_AWS_99 | resource | AWS::Glue::SecurityConfiguration | Ensure Glue Security Configuration Encryption is enabled | Cloudformation |
| 243 | CKV_AWS_99 | resource | aws_glue_security_configuration | Ensure Glue Security Configuration Encryption is enabled | Terraform |
| 244 | CKV_AWS_100 | resource | AWS::EKS::Nodegroup | Ensure Amazon EKS Node group has implicit SSH access from 0.0.0.0/0 | Cloudformation |
| 245 | CKV_AWS_100 | resource | aws_eks_node_group | Ensure Amazon EKS Node group has implicit SSH access from 0.0.0.0/0 | Terraform |
| 246 | CKV_AWS_101 | resource | AWS::Neptune::DBCluster | Ensure Neptune logging is enabled | Cloudformation |
| 247 | CKV_AWS_101 | resource | aws_neptune_cluster | Ensure Neptune logging is enabled | Terraform |
| 248 | CKV_AWS_102 | resource | aws_neptune_cluster_instance | Ensure Neptune Cluster instance is not publicly available | Terraform |
| 249 | CKV_AWS_103 | resource | AWS::ElasticLoadBalancingV2::Listener | Ensure that Application Load Balancer Listener is using TLS v1.2 | Cloudformation |
| 250 | CKV_AWS_103 | resource | aws_alb_listener | Ensure that load balancer is using TLS 1.2 | Terraform |
| 251 | CKV_AWS_103 | resource | aws_lb_listener | Ensure that load balancer is using TLS 1.2 | Terraform |
| 252 | CKV_AWS_104 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB has audit logs enabled | Cloudformation |
| 253 | CKV_AWS_104 | resource | aws_docdb_cluster_parameter_group | Ensure DocDB has audit logs enabled | Terraform |
| 254 | CKV_AWS_105 | resource | AWS::Redshift::ClusterParameterGroup | Ensure Redshift uses SSL | Cloudformation |
| 255 | CKV_AWS_105 | resource | aws_redshift_parameter_group | Ensure Redshift uses SSL | Terraform |
| 256 | CKV_AWS_106 | resource | aws_ebs_encryption_by_default | Ensure EBS default encryption is enabled | Terraform |
| 257 | CKV_AWS_107 | resource | AWS::IAM::Group | Ensure IAM policies does not allow credentials exposure | Cloudformation |
| 258 | CKV_AWS_107 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow credentials exposure | Cloudformation |
| 259 | CKV_AWS_107 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow credentials exposure | Cloudformation |
| 260 | CKV_AWS_107 | resource | AWS::IAM::Role | Ensure IAM policies does not allow credentials exposure | Cloudformation |
| 261 | CKV_AWS_107 | resource | AWS::IAM::User | Ensure IAM policies does not allow credentials exposure | Cloudformation |
| 262 | CKV_AWS_107 | data | aws_iam_policy_document | Ensure IAM policies does not allow credentials exposure | Terraform |
| 263 | CKV_AWS_108 | resource | AWS::IAM::Group | Ensure IAM policies does not allow data exfiltration | Cloudformation |
| 264 | CKV_AWS_108 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow data exfiltration | Cloudformation |
| 265 | CKV_AWS_108 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow data exfiltration | Cloudformation |
| 266 | CKV_AWS_108 | resource | AWS::IAM::Role | Ensure IAM policies does not allow data exfiltration | Cloudformation |
| 267 | CKV_AWS_108 | resource | AWS::IAM::User | Ensure IAM policies does not allow data exfiltration | Cloudformation |
| 268 | CKV_AWS_108 | data | aws_iam_policy_document | Ensure IAM policies does not allow data exfiltration | Terraform |
| 269 | CKV_AWS_109 | resource | AWS::IAM::Group | Ensure IAM policies does not allow permissions management without constraints | Cloudformation |
| 270 | CKV_AWS_109 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation |
| 271 | CKV_AWS_109 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation |
| 272 | CKV_AWS_109 | resource | AWS::IAM::Role | Ensure IAM policies does not allow permissions management without constraints | Cloudformation |
| 273 | CKV_AWS_109 | resource | AWS::IAM::User | Ensure IAM policies does not allow permissions management without constraints | Cloudformation |
| 274 | CKV_AWS_109 | data | aws_iam_policy_document | Ensure IAM policies does not allow permissions management / resource exposure without constraints | Terraform |
| 275 | CKV_AWS_110 | resource | AWS::IAM::Group | Ensure IAM policies does not allow privilege escalation | Cloudformation |
| 276 | CKV_AWS_110 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow privilege escalation | Cloudformation |
| 277 | CKV_AWS_110 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow privilege escalation | Cloudformation |
| 278 | CKV_AWS_110 | resource | AWS::IAM::Role | Ensure IAM policies does not allow privilege escalation | Cloudformation |
| 279 | CKV_AWS_110 | resource | AWS::IAM::User | Ensure IAM policies does not allow privilege escalation | Cloudformation |
| 280 | CKV_AWS_110 | data | aws_iam_policy_document | Ensure IAM policies does not allow privilege escalation | Terraform |
| 281 | CKV_AWS_111 | resource | AWS::IAM::Group | Ensure IAM policies does not allow write access without constraints | Cloudformation |
| 282 | CKV_AWS_111 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow write access without constraints | Cloudformation |
| 283 | CKV_AWS_111 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow write access without constraints | Cloudformation |
| 284 | CKV_AWS_111 | resource | AWS::IAM::Role | Ensure IAM policies does not allow write access without constraints | Cloudformation |
| 285 | CKV_AWS_111 | resource | AWS::IAM::User | Ensure IAM policies does not allow write access without constraints | Cloudformation |
| 286 | CKV_AWS_111 | data | aws_iam_policy_document | Ensure IAM policies does not allow write access without constraints | Terraform |
| 287 | CKV_AWS_112 | resource | aws_ssm_document | Ensure Session Manager data is encrypted in transit | Terraform |
| 288 | CKV_AWS_113 | resource | aws_ssm_document | Ensure Session Manager logs are enabled and encrypted | Terraform |
| 289 | CKV_AWS_114 | resource | aws_emr_cluster | Ensure that EMR clusters with Kerberos have Kerberos Realm set | Terraform |
| 290 | CKV_AWS_115 | resource | aws_lambda_function | Ensure that AWS Lambda function is configured for function-level concurrent execution limit | Terraform |
| 291 | CKV_AWS_116 | resource | AWS::Lambda::Function | Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ) | Cloudformation |
| 292 | CKV_AWS_116 | resource | AWS::Serverless::Function | Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ) | Cloudformation |
| 293 | CKV_AWS_116 | resource | aws_lambda_function | Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ) | Terraform |
| 294 | CKV_AWS_117 | resource | aws_lambda_function | Ensure that AWS Lambda function is configured inside a VPC | Terraform |
| 295 | CKV_AWS_118 | resource | aws_db_instance | Ensure that enhanced monitoring is enabled for Amazon RDS instances | Terraform |
| 296 | CKV_AWS_118 | resource | aws_rds_cluster_instance | Ensure that enhanced monitoring is enabled for Amazon RDS instances | Terraform |
| 297 | CKV_AWS_119 | resource | AWS::DynamoDB::Table | Ensure DynamoDB Tables are encrypted using a KMS Customer Managed CMK | Cloudformation |
| 298 | CKV_AWS_119 | resource | aws_dynamodb_table | Ensure DynamoDB Tables are encrypted using a KMS Customer Managed CMK | Terraform |
| 299 | CKV_AWS_120 | resource | AWS::ApiGateway::Stage | Ensure API Gateway caching is enabled | Cloudformation |
| 300 | CKV_AWS_120 | resource | AWS::Serverless::Api | Ensure API Gateway caching is enabled | Cloudformation |
| 301 | CKV_AWS_120 | resource | aws_api_gateway_stage | Ensure API Gateway caching is enabled | Terraform |
| 302 | CKV_AWS_121 | resource | aws_config_configuration_aggregator | Ensure AWS Config is enabled in all regions | Terraform |
| 303 | CKV_AWS_122 | resource | aws_sagemaker_notebook_instance | Ensure that direct internet access is disabled for an Amazon SageMaker Notebook Instance | Terraform |
| 304 | CKV_AWS_123 | resource | AWS::EC2::VPCEndpointService | Ensure that VPC Endpoint Service is configured for Manual Acceptance | Cloudformation |
| 305 | CKV_AWS_123 | resource | aws_vpc_endpoint_service | Ensure that VPC Endpoint Service is configured for Manual Acceptance | Terraform |
| 306 | CKV_AWS_124 | resource | aws_cloudformation_stack | Ensure that CloudFormation stacks are sending event notifications to an SNS topic | Terraform |
| 307 | CKV_AWS_126 | resource | aws_instance | Ensure that detailed monitoring is enabled for EC2 instances | Terraform |
| 308 | CKV_AWS_127 | resource | aws_elb | Ensure that Elastic Load Balancer(s) uses SSL certificates provided by AWS Certificate Manager | Terraform |
| 309 | CKV_AWS_128 | resource | aws_rds_cluster | Ensure that an Amazon RDS Clusters have AWS Identity and Access Management (IAM) authentication enabled | Terraform |
| 310 | CKV_AWS_129 | resource | aws_db_instance | Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled | Terraform |
| 311 | CKV_AWS_130 | resource | aws_subnet | Ensure VPC subnets do not assign public IP by default | Terraform |
| 312 | CKV_AWS_131 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure that ALB drops HTTP headers | Cloudformation |
| 313 | CKV_AWS_131 | resource | aws_alb | Ensure that ALB drops HTTP headers | Terraform |
| 314 | CKV_AWS_131 | resource | aws_lb | Ensure that ALB drops HTTP headers | Terraform |
| 315 | CKV_AWS_133 | resource | aws_db_instance | Ensure that RDS instances has backup policy | Terraform |
| 316 | CKV_AWS_133 | resource | aws_rds_cluster | Ensure that RDS instances has backup policy | Terraform |
| 317 | CKV_AWS_134 | resource | aws_elasticache_cluster | Ensure that Amazon ElastiCache Redis clusters have automatic backup turned on | Terraform |
| 318 | CKV_AWS_135 | resource | aws_instance | Ensure that EC2 is EBS optimized | Terraform |
| 319 | CKV_AWS_136 | resource | AWS::ECR::Repository | Ensure that ECR repositories are encrypted using KMS | Cloudformation |
| 320 | CKV_AWS_136 | resource | aws_ecr_repository | Ensure that ECR repositories are encrypted using KMS | Terraform |
| 321 | CKV_AWS_137 | resource | aws_elasticsearch_domain | Ensure that Elasticsearch is configured inside a VPC | Terraform |
| 322 | CKV_AWS_138 | resource | aws_elb | Ensure that ELB is cross-zone-load-balancing enabled | Terraform |
| 323 | CKV_AWS_139 | resource | aws_rds_cluster | Ensure that RDS clusters have deletion protection enabled | Terraform |
| 324 | CKV_AWS_140 | resource | aws_rds_global_cluster | Ensure that RDS global clusters are encrypted | Terraform |
| 325 | CKV_AWS_141 | resource | aws_redshift_cluster | Ensured that redshift cluster allowing version upgrade by default | Terraform |
| 326 | CKV_AWS_142 | resource | aws_redshift_cluster | Ensure that Redshift cluster is encrypted by KMS | Terraform |
| 327 | CKV_AWS_143 | resource | aws_s3_bucket | Ensure that S3 bucket has lock configuration enabled by default | Terraform |
| 328 | CKV_AWS_144 | resource | aws_s3_bucket | Ensure that S3 bucket has cross-region replication enabled | Terraform |
| 329 | CKV_AWS_145 | resource | aws_s3_bucket | Ensure that S3 buckets are encrypted with KMS by default | Terraform |
| 330 | CKV_AWS_145 | resource | aws_s3_bucket_server_side_encryption_configuration | Ensure that S3 buckets are encrypted with KMS by default | Terraform |
| 331 | CKV_AWS_146 | resource | aws_db_cluster_snapshot | Ensure that RDS database cluster snapshot is encrypted | Terraform |
| 332 | CKV_AWS_147 | resource | aws_codebuild_project | Ensure that CodeBuild projects are encrypted | Terraform |
| 333 | CKV_AWS_148 | resource | aws_default_vpc | Ensure no default VPC is planned to be provisioned | Terraform |
| 334 | CKV_AWS_149 | resource | AWS::SecretsManager::Secret | Ensure that Secrets Manager secret is encrypted using KMS CMK | Cloudformation |
| 335 | CKV_AWS_149 | resource | aws_secretsmanager_secret | Ensure that Secrets Manager secret is encrypted using KMS CMK | Terraform |
| 336 | CKV_AWS_150 | resource | aws_alb | Ensure that Load Balancer has deletion protection enabled | Terraform |
| 337 | CKV_AWS_150 | resource | aws_lb | Ensure that Load Balancer has deletion protection enabled | Terraform |
| 338 | CKV_AWS_152 | resource | aws_alb | Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled | Terraform |
| 339 | CKV_AWS_152 | resource | aws_lb | Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled | Terraform |
| 340 | CKV_AWS_153 | resource | aws_autoscaling_group | Autoscaling groups should supply tags to launch configurations | Terraform |
| 341 | CKV_AWS_154 | resource | AWS::Redshift::Cluster | Ensure Redshift is not deployed outside of a VPC | Cloudformation |
| 342 | CKV_AWS_154 | resource | aws_redshift_cluster | Ensure Redshift is not deployed outside of a VPC | Terraform |
| 343 | CKV_AWS_155 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace user volumes are encrypted | Cloudformation |
| 344 | CKV_AWS_155 | resource | aws_workspaces_workspace | Ensure that Workspace user volumes are encrypted | Terraform |
| 345 | CKV_AWS_156 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace root volumes are encrypted | Cloudformation |
| 346 | CKV_AWS_156 | resource | aws_workspaces_workspace | Ensure that Workspace root volumes are encrypted | Terraform |
| 347 | CKV_AWS_157 | resource | AWS::RDS::DBInstance | Ensure that RDS instances have Multi-AZ enabled | Cloudformation |
| 348 | CKV_AWS_157 | resource | aws_db_instance | Ensure that RDS instances have Multi-AZ enabled | Terraform |
| 349 | CKV_AWS_158 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group is encrypted by KMS | Cloudformation |
| 350 | CKV_AWS_158 | resource | aws_cloudwatch_log_group | Ensure that CloudWatch Log Group is encrypted by KMS | Terraform |
| 351 | CKV_AWS_159 | resource | aws_athena_workgroup | Ensure that Athena Workgroup is encrypted | Terraform |
| 352 | CKV_AWS_160 | resource | AWS::Timestream::Database | Ensure that Timestream database is encrypted with KMS CMK | Cloudformation |
| 353 | CKV_AWS_160 | resource | aws_timestreamwrite_database | Ensure that Timestream database is encrypted with KMS CMK | Terraform |
| 354 | CKV_AWS_161 | resource | AWS::RDS::DBInstance | Ensure RDS database has IAM authentication enabled | Cloudformation |
| 355 | CKV_AWS_161 | resource | aws_db_instance | Ensure RDS database has IAM authentication enabled | Terraform |
| 356 | CKV_AWS_162 | resource | AWS::RDS::DBCluster | Ensure RDS cluster has IAM authentication enabled | Cloudformation |
| 357 | CKV_AWS_162 | resource | aws_rds_cluster | Ensure RDS cluster has IAM authentication enabled | Terraform |
| 358 | CKV_AWS_163 | resource | AWS::ECR::Repository | Ensure ECR image scanning on push is enabled | Cloudformation |
| 359 | CKV_AWS_163 | resource | aws_ecr_repository | Ensure ECR image scanning on push is enabled | Terraform |
| 360 | CKV_AWS_164 | resource | AWS::Transfer::Server | Ensure Transfer Server is not exposed publicly. | Cloudformation |
| 361 | CKV_AWS_164 | resource | aws_transfer_server | Ensure Transfer Server is not exposed publicly. | Terraform |
| 362 | CKV_AWS_165 | resource | AWS::DynamoDB::GlobalTable | Ensure Dynamodb global table point in time recovery (backup) is enabled | Cloudformation |
| 363 | CKV_AWS_165 | resource | aws_dynamodb_global_table | Ensure Dynamodb point in time recovery (backup) is enabled for global tables | Terraform |
| 364 | CKV_AWS_166 | resource | AWS::Backup::BackupVault | Ensure Backup Vault is encrypted at rest using KMS CMK | Cloudformation |
| 365 | CKV_AWS_166 | resource | aws_backup_vault | Ensure Backup Vault is encrypted at rest using KMS CMK | Terraform |
| 366 | CKV_AWS_167 | resource | aws_glacier_vault | Ensure Glacier Vault access policy is not public by only allowing specific services or principals to access it | Terraform |
| 367 | CKV_AWS_168 | resource | aws_sqs_queue | Ensure SQS queue policy is not public by only allowing specific services or principals to access it | Terraform |
| 368 | CKV_AWS_168 | resource | aws_sqs_queue_policy | Ensure SQS queue policy is not public by only allowing specific services or principals to access it | Terraform |
| 369 | CKV_AWS_169 | resource | aws_sns_topic_policy | Ensure SNS topic policy is not public by only allowing specific services or principals to access it | Terraform |
| 370 | CKV_AWS_170 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Cloudformation |
| 371 | CKV_AWS_170 | resource | aws_qldb_ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Terraform |
| 372 | CKV_AWS_171 | resource | aws_emr_security_configuration | Ensure Cluster security configuration encryption is using SSE-KMS | Terraform |
| 373 | CKV_AWS_172 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger has deletion protection enabled | Cloudformation |
| 374 | CKV_AWS_172 | resource | aws_qldb_ledger | Ensure QLDB ledger has deletion protection enabled | Terraform |
| 375 | CKV_AWS_173 | resource | AWS::Lambda::Function | Check encryption settings for Lambda environmental variable | Cloudformation |
| 376 | CKV_AWS_173 | resource | AWS::Serverless::Function | Check encryption settings for Lambda environmental variable | Cloudformation |
| 377 | CKV_AWS_173 | resource | aws_lambda_function | Check encryption settings for Lambda environmental variable | Terraform |
| 378 | CKV_AWS_174 | resource | AWS::CloudFront::Distribution | Verify CloudFront Distribution Viewer Certificate is using TLS v1.2 | Cloudformation |
| 379 | CKV_AWS_174 | resource | aws_cloudfront_distribution | Verify CloudFront Distribution Viewer Certificate is using TLS v1.2 | Terraform |
| 380 | CKV_AWS_175 | resource | aws_waf_web_acl | Ensure WAF has associated rules | Terraform |
| 381 | CKV_AWS_175 | resource | aws_wafregional_web_acl | Ensure WAF has associated rules | Terraform |
| 382 | CKV_AWS_175 | resource | aws_wafv2_web_acl | Ensure WAF has associated rules | Terraform |
| 383 | CKV_AWS_176 | resource | aws_waf_web_acl | Ensure Logging is enabled for WAF Web Access Control Lists | Terraform |
| 384 | CKV_AWS_176 | resource | aws_wafregional_web_acl | Ensure Logging is enabled for WAF Web Access Control Lists | Terraform |
| 385 | CKV_AWS_177 | resource | aws_kinesis_video_stream | Ensure Kinesis Video Stream is encrypted by KMS using a customer managed Key (CMK) | Terraform |
| 386 | CKV_AWS_178 | resource | aws_fsx_ontap_file_system | Ensure fx ontap file system is encrypted by KMS using a customer managed Key (CMK) | Terraform |
| 387 | CKV_AWS_179 | resource | aws_fsx_windows_file_system | Ensure FSX Windows filesystem is encrypted by KMS using a customer managed Key (CMK) | Terraform |
| 388 | CKV_AWS_180 | resource | aws_imagebuilder_component | Ensure Image Builder component is encrypted by KMS using a customer managed Key (CMK) | Terraform |
| 389 | CKV_AWS_181 | resource | aws_s3_object_copy | Ensure S3 Object Copy is encrypted by KMS using a customer managed Key (CMK) | Terraform |
| 390 | CKV_AWS_182 | resource | aws_docdb_cluster | Ensure Doc DB is encrypted by KMS using a customer managed Key (CMK) | Terraform |
| 391 | CKV_AWS_183 | resource | aws_ebs_snapshot_copy | Ensure EBS Snapshot Copy is encrypted by KMS using a customer managed Key (CMK) | Terraform |
| 392 | CKV_AWS_184 | resource | aws_efs_file_system | Ensure resource is encrypted by KMS using a customer managed Key (CMK) | Terraform |
| 393 | CKV_AWS_185 | resource | aws_kinesis_stream | Ensure Kinesis Stream is encrypted by KMS using a customer managed Key (CMK) | Terraform |
| 394 | CKV_AWS_186 | resource | aws_s3_bucket_object | Ensure S3 bucket Object is encrypted by KMS using a customer managed Key (CMK) | Terraform |
| 395 | CKV_AWS_187 | resource | aws_sagemaker_domain | Ensure Sagemaker domain is encrypted by KMS using a customer managed Key (CMK) | Terraform |
| 396 | CKV_AWS_188 | resource | aws_redshift_cluster | Ensure RedShift Cluster is encrypted by KMS using a customer managed Key (CMK) | Terraform |
| 397 | CKV_AWS_189 | resource | aws_ebs_volume | Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK) | Terraform |
| 398 | CKV_AWS_190 | resource | aws_fsx_lustre_file_system | Ensure lustre file systems is encrypted by KMS using a customer managed Key (CMK) | Terraform |
| 399 | CKV_AWS_191 | resource | aws_elasticache_replication_group | Ensure Elasticache replication group is encrypted by KMS using a customer managed Key (CMK) | Terraform |
| 400 | CKV_AWS_192 | resource | AWS::WAFv2::WebACL | Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell | Cloudformation |
| 401 | CKV_AWS_192 | resource | aws_wafv2_web_acl | Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell | Terraform |
| 402 | CKV_AWS_193 | resource | AWS::AppSync::GraphQLApi | Ensure AppSync has Logging enabled | Cloudformation |
| 403 | CKV_AWS_193 | resource | aws_appsync_graphql_api | Ensure AppSync has Logging enabled | Terraform |
| 404 | CKV_AWS_194 | resource | AWS::AppSync::GraphQLApi | Ensure AppSync has Field-Level logs enabled | Cloudformation |
| 405 | CKV_AWS_194 | resource | aws_appsync_graphql_api | Ensure AppSync has Field-Level logs enabled | Terraform |
| 406 | CKV_AWS_195 | resource | AWS::Glue::Crawler | Ensure Glue component has a security configuration associated | Cloudformation |
| 407 | CKV_AWS_195 | resource | AWS::Glue::DevEndpoint | Ensure Glue component has a security configuration associated | Cloudformation |
| 408 | CKV_AWS_195 | resource | AWS::Glue::Job | Ensure Glue component has a security configuration associated | Cloudformation |
| 409 | CKV_AWS_195 | resource | aws_glue_crawler | Ensure Glue component has a security configuration associated | Terraform |
| 410 | CKV_AWS_195 | resource | aws_glue_dev_endpoint | Ensure Glue component has a security configuration associated | Terraform |
| 411 | CKV_AWS_195 | resource | aws_glue_job | Ensure Glue component has a security configuration associated | Terraform |
| 412 | CKV_AWS_196 | resource | aws_elasticache_security_group | Ensure no aws_elasticache_security_group resources exist | Terraform |
| 413 | CKV_AWS_197 | resource | aws_mq_broker | Ensure MQ Broker Audit logging is enabled | Terraform |
| 414 | CKV_AWS_198 | resource | aws_db_security_group | Ensure no aws_db_security_group resources exist | Terraform |
| 415 | CKV_AWS_199 | resource | aws_imagebuilder_distribution_configuration | Ensure Image Builder Distribution Configuration encrypts AMI's using KMS - a customer managed Key (CMK) | Terraform |
| 416 | CKV_AWS_200 | resource | aws_imagebuilder_image_recipe | Ensure that Image Recipe EBS Disk are encrypted with CMK | Terraform |
| 417 | CKV_AWS_201 | resource | aws_memorydb_cluster | Ensure MemoryDB is encrypted at rest using KMS CMKs | Terraform |
| 418 | CKV_AWS_202 | resource | aws_memorydb_cluster | Ensure MemoryDB data is encrypted in transit | Terraform |
| 419 | CKV_AWS_203 | resource | aws_fsx_openzfs_file_system | Ensure resource is encrypted by KMS using a customer managed Key (CMK) | Terraform |
| 420 | CKV_AWS_204 | resource | aws_ami | Ensure AMIs are encrypted using KMS CMKs | Terraform |
| 421 | CKV_AWS_205 | resource | aws_ami_launch_permission | Ensure to Limit AMI launch Permissions | Terraform |
| 422 | CKV_AWS_206 | resource | aws_api_gateway_domain_name | Ensure API Gateway Domain uses a modern security Policy | Terraform |
| 423 | CKV_AWS_207 | resource | aws_mq_broker | Ensure MQ Broker minor version updates are enabled | Terraform |
| 424 | CKV_AWS_208 | resource | aws_mq_broker | Ensure MQBroker version is current | Terraform |
| 425 | CKV_AWS_208 | resource | aws_mq_configuration | Ensure MQBroker version is current | Terraform |
| 426 | CKV_AWS_209 | resource | aws_mq_broker | Ensure MQ broker encrypted by KMS using a customer managed Key (CMK) | Terraform |
| 427 | CKV_AWS_210 | resource | aws_batch_job_definition | Batch job does not define a privileged container | Terraform |
| 428 | CKV_AWS_211 | resource | aws_db_instance | Ensure RDS uses a modern CaCert | Terraform |
| 429 | CKV_AWS_212 | resource | aws_dms_replication_instance | Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK) | Terraform |
| 430 | CKV_AWS_213 | resource | aws_load_balancer_policy | Ensure ELB Policy uses only secure protocols | Terraform |
| 431 | CKV_AWS_214 | resource | aws_appsync_api_cache | Ensure Appsync API Cache is encrypted at rest | Terraform |
| 432 | CKV_AWS_215 | resource | aws_appsync_api_cache | Ensure Appsync API Cache is encrypted in transit | Terraform |
| 433 | CKV_AWS_216 | resource | aws_cloudfront_distribution | Ensure Cloudfront distribution is enabled | Terraform |
| 434 | CKV_AWS_217 | resource | aws_api_gateway_deployment | Ensure Create before destroy for API deployments | Terraform |
| 435 | CKV_AWS_218 | resource | aws_cloudsearch_domain | Ensure that Cloudsearch is using latest TLS | Terraform |
| 436 | CKV_AWS_219 | resource | aws_codepipeline | Ensure Code Pipeline Artifact store is using a KMS CMK | Terraform |
| 437 | CKV_AWS_220 | resource | aws_cloudsearch_domain | Ensure that Cloudsearch is using https | Terraform |
| 438 | CKV_AWS_221 | resource | aws_codeartifact_domain | Ensure Code artifact Domain is encrypted by KMS using a customer managed Key (CMK) | Terraform |
| 439 | CKV_AWS_222 | resource | aws_dms_replication_instance | Ensure DMS instance gets all minor upgrade automatically | Terraform |
| 440 | CKV_AWS_223 | resource | aws_ecs_cluster | Ensure ECS Cluster enables logging of ECS Exec | Terraform |
| 441 | CKV_AWS_224 | resource | aws_ecs_cluster | Ensure Cluster logging with CMK | Terraform |
| 442 | CKV_AWS_225 | resource | aws_api_gateway_method_settings | Ensure API Gateway method setting caching is enabled | Terraform |
| 443 | CKV_AWS_226 | resource | aws_db_instance | Ensure DB instance gets all minor upgrades automatically | Terraform |
| 444 | CKV_AWS_226 | resource | aws_rds_cluster_instance | Ensure DB instance gets all minor upgrades automatically | Terraform |
| 445 | CKV_AWS_227 | resource | aws_kms_key | Ensure KMS key is enabled | Terraform |
| 446 | CKV_AWS_228 | resource | aws_elasticsearch_domain | Verify Elasticsearch domain is using an up to date TLS policy | Terraform |
| 447 | CKV_AWS_229 | resource | aws_network_acl | Ensure no NACL allow ingress from 0.0.0.0:0 to port 21 | Terraform |
| 448 | CKV_AWS_229 | resource | aws_network_acl_rule | Ensure no NACL allow ingress from 0.0.0.0:0 to port 21 | Terraform |
| 449 | CKV_AWS_230 | resource | aws_network_acl | Ensure no NACL allow ingress from 0.0.0.0:0 to port 20 | Terraform |
| 450 | CKV_AWS_230 | resource | aws_network_acl_rule | Ensure no NACL allow ingress from 0.0.0.0:0 to port 20 | Terraform |
| 451 | CKV_AWS_231 | resource | aws_network_acl | Ensure no NACL allow ingress from 0.0.0.0:0 to port 3389 | Terraform |
| 452 | CKV_AWS_231 | resource | aws_network_acl_rule | Ensure no NACL allow ingress from 0.0.0.0:0 to port 3389 | Terraform |
| 453 | CKV_AWS_232 | resource | aws_network_acl | Ensure no NACL allow ingress from 0.0.0.0:0 to port 22 | Terraform |
| 454 | CKV_AWS_232 | resource | aws_network_acl_rule | Ensure no NACL allow ingress from 0.0.0.0:0 to port 22 | Terraform |
| 455 | CKV_AWS_233 | resource | aws_acm_certificate | Ensure Create before destroy for ACM certificates | Terraform |
| 456 | CKV_AWS_234 | resource | aws_acm_certificate | Verify logging preference for ACM certificates | Terraform |
| 457 | CKV_AWS_235 | resource | aws_ami_copy | Ensure that copied AMIs are encrypted | Terraform |
| 458 | CKV_AWS_236 | resource | aws_ami_copy | Ensure AMI copying uses a CMK | Terraform |
| 459 | CKV_AWS_237 | resource | aws_api_gateway_rest_api | Ensure Create before destroy for API GATEWAY | Terraform |
| 460 | CKV_AWS_238 | resource | aws_guardduty_detector | Ensure that Guard Duty detector is enabled | Terraform |
| 461 | CKV_AWS_239 | resource | aws_dax_cluster | Ensure DAX cluster endpoint is using TLS | Terraform |
| 462 | CKV_AWS_240 | resource | aws_kinesis_firehose_delivery_stream | Ensure Kinesis Firehose delivery stream is encrypted | Terraform |
| 463 | CKV_AWS_241 | resource | aws_kinesis_firehose_delivery_stream | Ensure that Kinesis Firehose Delivery Streams are encrypted with CMK | Terraform |
| 464 | CKV_AWS_242 | resource | aws_mwaa_environment | Ensure MWAA environment has scheduler logs enabled | Terraform |
| 465 | CKV_AWS_243 | resource | aws_mwaa_environment | Ensure MWAA environment has worker logs enabled | Terraform |
| 466 | CKV_AWS_244 | resource | aws_mwaa_environment | Ensure MWAA environment has webserver logs enabled | Terraform |
| 467 | CKV2_AWS_1 | resource | aws_network_acl | Ensure that all NACL are attached to subnets | Terraform |
| 468 | CKV2_AWS_1 | resource | aws_subnet | Ensure that all NACL are attached to subnets | Terraform |
| 469 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform |
| 470 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform |
| 471 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform |
| 472 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform |
| 473 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform |
| 474 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform |
| 475 | CKV2_AWS_5 | resource | aws_security_group | Ensure that Security Groups are attached to another resource | Terraform |
| 476 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform |
| 477 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform |
| 478 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform |
| 479 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform |
| 480 | CKV2_AWS_8 | resource | aws_rds_cluster | Ensure that RDS clusters has backup plan of AWS Backup | Terraform |
| 481 | CKV2_AWS_9 | resource | aws_backup_selection | Ensure that EBS are added in the backup plans of AWS Backup | Terraform |
| 482 | CKV2_AWS_10 | resource | aws_cloudtrail | Ensure CloudTrail trails are integrated with CloudWatch Logs | Terraform |
| 483 | CKV2_AWS_11 | resource | aws_vpc | Ensure VPC flow logging is enabled in all VPCs | Terraform |
| 484 | CKV2_AWS_12 | resource | aws_default_security_group | Ensure the default security group of every VPC restricts all traffic | Terraform |
| 485 | CKV2_AWS_12 | resource | aws_vpc | Ensure the default security group of every VPC restricts all traffic | Terraform |
| 486 | CKV2_AWS_13 | resource | aws_redshift_cluster | Ensure that Redshift clusters has backup plan of AWS Backup | Terraform |
| 487 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform |
| 488 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform |
| 489 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform |
| 490 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform |
| 491 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform |
| 492 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform |
| 493 | CKV2_AWS_18 | resource | aws_backup_selection | Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup | Terraform |
| 494 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform |
| 495 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform |
| 496 | CKV2_AWS_20 | resource | aws_alb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform |
| 497 | CKV2_AWS_20 | resource | aws_alb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform |
| 498 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform |
| 499 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform |
| 500 | CKV2_AWS_21 | resource | aws_iam_group_membership | Ensure that all IAM users are members of at least one IAM group. | Terraform |
| 501 | CKV2_AWS_22 | resource | aws_iam_user | Ensure an IAM User does not have access to the console | Terraform |
| 502 | CKV2_AWS_23 | resource | aws_route53_record | Route53 A Record has Attached Resource | Terraform |
| 503 | CKV2_AWS_27 | resource | aws_rds_cluster | Ensure Postgres RDS as aws_rds_cluster has Query Logging enabled | Terraform |
| 504 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Ensure Postgres RDS as aws_rds_cluster has Query Logging enabled | Terraform |
| 505 | CKV2_AWS_28 | resource | aws_alb | Ensure public facing ALB are protected by WAF | Terraform |
| 506 | CKV2_AWS_28 | resource | aws_lb | Ensure public facing ALB are protected by WAF | Terraform |
| 507 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform |
| 508 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform |
| 509 | CKV2_AWS_30 | resource | aws_db_instance | Ensure Postgres RDS as aws_db_instance has Query Logging enabled | Terraform |
| 510 | CKV2_AWS_30 | resource | aws_db_parameter_group | Ensure Postgres RDS as aws_db_instance has Query Logging enabled | Terraform |
| 511 | CKV2_AWS_31 | resource | aws_wafv2_web_acl | Ensure WAF2 has a Logging Configuration | Terraform |
| 512 | CKV2_AWS_32 | resource | aws_cloudfront_distribution | Ensure CloudFront distribution has a strict security headers policy attached | Terraform |
| 513 | CKV2_AWS_32 | resource | aws_cloudfront_response_headers_policy | Ensure CloudFront distribution has a strict security headers policy attached | Terraform |
| 514 | CKV2_AWS_33 | resource | aws_appsync_graphql_api | Ensure AppSync is protected by WAF | Terraform |
| 515 | CKV2_AWS_34 | resource | aws_ssm_parameter | AWS SSM Parameter should be Encrypted | Terraform |
| 516 | CKV2_AWS_35 | resource | aws_route | AWS NAT Gateways should be utilized for the default route | Terraform |
| 517 | CKV2_AWS_35 | resource | aws_route_table | AWS NAT Gateways should be utilized for the default route | Terraform |
| 518 | CKV2_AWS_36 | resource | aws_ssm_parameter | Ensure terraform is not sending SSM secrets to untrusted domains over HTTP | Terraform |
| 519 | CKV2_AWS_36 | resource | data.http | Ensure terraform is not sending SSM secrets to untrusted domains over HTTP | Terraform |
| 520 | CKV_AZURE_1 | resource | Microsoft.Compute/virtualMachines | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | arm |
| 521 | CKV_AZURE_1 | resource | Microsoft.Compute/virtualMachines | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Bicep |
| 522 | CKV_AZURE_1 | resource | azurerm_linux_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform |
| 523 | CKV_AZURE_1 | resource | azurerm_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform |
| 524 | CKV_AZURE_2 | resource | Microsoft.Compute/disks | Ensure Azure managed disk have encryption enabled | arm |
| 525 | CKV_AZURE_2 | resource | Microsoft.Compute/disks | Ensure Azure managed disk have encryption enabled | Bicep |
| 526 | CKV_AZURE_2 | resource | azurerm_managed_disk | Ensure Azure managed disk has encryption enabled | Terraform |
| 527 | CKV_AZURE_3 | resource | Microsoft.Storage/storageAccounts | Ensure that 'supportsHttpsTrafficOnly' is set to 'true' | arm |
| 528 | CKV_AZURE_3 | resource | Microsoft.Storage/storageAccounts | Ensure that 'supportsHttpsTrafficOnly' is set to 'true' | Bicep |
| 529 | CKV_AZURE_3 | resource | azurerm_storage_account | Ensure that 'Secure transfer required' is set to 'Enabled' | Terraform |
| 530 | CKV_AZURE_4 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS logging to Azure Monitoring is Configured | arm |
| 531 | CKV_AZURE_4 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS logging to Azure Monitoring is Configured | Bicep |
| 532 | CKV_AZURE_4 | resource | azurerm_kubernetes_cluster | Ensure AKS logging to Azure Monitoring is Configured | Terraform |
| 533 | CKV_AZURE_5 | resource | Microsoft.ContainerService/managedClusters | Ensure RBAC is enabled on AKS clusters | arm |
| 534 | CKV_AZURE_5 | resource | Microsoft.ContainerService/managedClusters | Ensure RBAC is enabled on AKS clusters | Bicep |
| 535 | CKV_AZURE_5 | resource | azurerm_kubernetes_cluster | Ensure RBAC is enabled on AKS clusters | Terraform |
| 536 | CKV_AZURE_6 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS has an API Server Authorized IP Ranges enabled | arm |
| 537 | CKV_AZURE_6 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS has an API Server Authorized IP Ranges enabled | Bicep |
| 538 | CKV_AZURE_6 | resource | azurerm_kubernetes_cluster | Ensure AKS has an API Server Authorized IP Ranges enabled | Terraform |
| 539 | CKV_AZURE_7 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS cluster has Network Policy configured | arm |
| 540 | CKV_AZURE_7 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS cluster has Network Policy configured | Bicep |
| 541 | CKV_AZURE_7 | resource | azurerm_kubernetes_cluster | Ensure AKS cluster has Network Policy configured | Terraform |
| 542 | CKV_AZURE_8 | resource | Microsoft.ContainerService/managedClusters | Ensure Kubernetes Dashboard is disabled | arm |
| 543 | CKV_AZURE_8 | resource | Microsoft.ContainerService/managedClusters | Ensure Kubernetes Dashboard is disabled | Bicep |
| 544 | CKV_AZURE_8 | resource | azurerm_kubernetes_cluster | Ensure Kubernetes Dashboard is disabled | Terraform |
| 545 | CKV_AZURE_9 | resource | Microsoft.Network/networkSecurityGroups | Ensure that RDP access is restricted from the internet | arm |
| 546 | CKV_AZURE_9 | resource | Microsoft.Network/networkSecurityGroups | Ensure that RDP access is restricted from the internet | Bicep |
| 547 | CKV_AZURE_9 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that RDP access is restricted from the internet | arm |
| 548 | CKV_AZURE_9 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that RDP access is restricted from the internet | Bicep |
| 549 | CKV_AZURE_9 | resource | azurerm_network_security_group | Ensure that RDP access is restricted from the internet | Terraform |
| 550 | CKV_AZURE_9 | resource | azurerm_network_security_rule | Ensure that RDP access is restricted from the internet | Terraform |
| 551 | CKV_AZURE_10 | resource | Microsoft.Network/networkSecurityGroups | Ensure that SSH access is restricted from the internet | arm |
| 552 | CKV_AZURE_10 | resource | Microsoft.Network/networkSecurityGroups | Ensure that SSH access is restricted from the internet | Bicep |
| 553 | CKV_AZURE_10 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that SSH access is restricted from the internet | arm |
| 554 | CKV_AZURE_10 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that SSH access is restricted from the internet | Bicep |
| 555 | CKV_AZURE_10 | resource | azurerm_network_security_group | Ensure that SSH access is restricted from the internet | Terraform |
| 556 | CKV_AZURE_10 | resource | azurerm_network_security_rule | Ensure that SSH access is restricted from the internet | Terraform |
| 557 | CKV_AZURE_11 | resource | Microsoft.Sql/servers | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | arm |
| 558 | CKV_AZURE_11 | resource | Microsoft.Sql/servers | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Bicep |
| 559 | CKV_AZURE_11 | resource | azurerm_mariadb_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform |
| 560 | CKV_AZURE_11 | resource | azurerm_mysql_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform |
| 561 | CKV_AZURE_11 | resource | azurerm_postgresql_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform |
| 562 | CKV_AZURE_11 | resource | azurerm_sql_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform |
| 563 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/FlowLogs | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | arm |
| 564 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/FlowLogs | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Bicep |
| 565 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/FlowLogs/ | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | arm |
| 566 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/FlowLogs/ | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Bicep |
| 567 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/flowLogs | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | arm |
| 568 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/flowLogs | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Bicep |
| 569 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/flowLogs/ | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | arm |
| 570 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/flowLogs/ | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Bicep |
| 571 | CKV_AZURE_12 | resource | azurerm_network_watcher_flow_log | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Terraform |
| 572 | CKV_AZURE_13 | resource | Microsoft.Web/sites/config | Ensure App Service Authentication is set on Azure App Service | arm |
| 573 | CKV_AZURE_13 | resource | Microsoft.Web/sites/config | Ensure App Service Authentication is set on Azure App Service | Bicep |
| 574 | CKV_AZURE_13 | resource | azurerm_app_service | Ensure App Service Authentication is set on Azure App Service | Terraform |
| 575 | CKV_AZURE_13 | resource | config | Ensure App Service Authentication is set on Azure App Service | arm |
| 576 | CKV_AZURE_13 | resource | config | Ensure App Service Authentication is set on Azure App Service | Bicep |
| 577 | CKV_AZURE_14 | resource | Microsoft.Web/sites | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | arm |
| 578 | CKV_AZURE_14 | resource | Microsoft.Web/sites | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | Bicep |
| 579 | CKV_AZURE_14 | resource | azurerm_app_service | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | Terraform |
| 580 | CKV_AZURE_15 | resource | Microsoft.Web/sites | Ensure web app is using the latest version of TLS encryption | arm |
| 581 | CKV_AZURE_15 | resource | Microsoft.Web/sites | Ensure web app is using the latest version of TLS encryption | Bicep |
| 582 | CKV_AZURE_15 | resource | azurerm_app_service | Ensure web app is using the latest version of TLS encryption | Terraform |
| 583 | CKV_AZURE_16 | resource | Microsoft.Web/sites | Ensure that Register with Azure Active Directory is enabled on App Service | arm |
| 584 | CKV_AZURE_16 | resource | Microsoft.Web/sites | Ensure that Register with Azure Active Directory is enabled on App Service | Bicep |
| 585 | CKV_AZURE_16 | resource | azurerm_app_service | Ensure that Register with Azure Active Directory is enabled on App Service | Terraform |
| 586 | CKV_AZURE_17 | resource | Microsoft.Web/sites | Ensure the web app has 'Client Certificates (Incoming client certificates)' set | arm |
| 587 | CKV_AZURE_17 | resource | Microsoft.Web/sites | Ensure the web app has 'Client Certificates (Incoming client certificates)' set | Bicep |
| 588 | CKV_AZURE_17 | resource | azurerm_app_service | Ensure the web app has 'Client Certificates (Incoming client certificates)' set | Terraform |
| 589 | CKV_AZURE_18 | resource | Microsoft.Web/sites | Ensure that 'HTTP Version' is the latest if used to run the web app | arm |
| 590 | CKV_AZURE_18 | resource | Microsoft.Web/sites | Ensure that 'HTTP Version' is the latest if used to run the web app | Bicep |
| 591 | CKV_AZURE_18 | resource | azurerm_app_service | Ensure that 'HTTP Version' is the latest if used to run the web app | Terraform |
| 592 | CKV_AZURE_19 | resource | Microsoft.Security/pricings | Ensure that standard pricing tier is selected | arm |
| 593 | CKV_AZURE_19 | resource | Microsoft.Security/pricings | Ensure that standard pricing tier is selected | Bicep |
| 594 | CKV_AZURE_19 | resource | azurerm_security_center_subscription_pricing | Ensure that standard pricing tier is selected | Terraform |
| 595 | CKV_AZURE_20 | resource | Microsoft.Security/securityContacts | Ensure that security contact 'Phone number' is set | arm |
| 596 | CKV_AZURE_20 | resource | Microsoft.Security/securityContacts | Ensure that security contact 'Phone number' is set | Bicep |
| 597 | CKV_AZURE_20 | resource | azurerm_security_center_contact | Ensure that security contact 'Phone number' is set | Terraform |
| 598 | CKV_AZURE_21 | resource | Microsoft.Security/securityContacts | Ensure that 'Send email notification for high severity alerts' is set to 'On' | arm |
| 599 | CKV_AZURE_21 | resource | Microsoft.Security/securityContacts | Ensure that 'Send email notification for high severity alerts' is set to 'On' | Bicep |
| 600 | CKV_AZURE_21 | resource | azurerm_security_center_contact | Ensure that 'Send email notification for high severity alerts' is set to 'On' | Terraform |
| 601 | CKV_AZURE_22 | resource | Microsoft.Security/securityContacts | Ensure that 'Send email notification for high severity alerts' is set to 'On' | arm |
| 602 | CKV_AZURE_22 | resource | Microsoft.Security/securityContacts | Ensure that 'Send email notification for high severity alerts' is set to 'On' | Bicep |
| 603 | CKV_AZURE_22 | resource | azurerm_security_center_contact | Ensure that 'Send email notification for high severity alerts' is set to 'On' | Terraform |
| 604 | CKV_AZURE_23 | resource | Microsoft.Sql/servers | Ensure that 'Auditing' is set to 'Enabled' for SQL servers | arm |
| 605 | CKV_AZURE_23 | resource | Microsoft.Sql/servers | Ensure that 'Auditing' is set to 'Enabled' for SQL servers | Bicep |
| 606 | CKV_AZURE_23 | resource | Microsoft.Sql/servers/databases | Ensure that 'Auditing' is set to 'Enabled' for SQL servers | arm |
| 607 | CKV_AZURE_23 | resource | Microsoft.Sql/servers/databases | Ensure that 'Auditing' is set to 'Enabled' for SQL servers | Bicep |
| 608 | CKV_AZURE_23 | resource | azurerm_mssql_server | Ensure that 'Auditing' is set to 'On' for SQL servers | Terraform |
| 609 | CKV_AZURE_23 | resource | azurerm_mssql_server_extended_auditing_policy | Ensure that 'Auditing' is set to 'On' for SQL servers | Terraform |
| 610 | CKV_AZURE_23 | resource | azurerm_sql_server | Ensure that 'Auditing' is set to 'On' for SQL servers | Terraform |
| 611 | CKV_AZURE_24 | resource | Microsoft.Sql/servers | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | arm |
| 612 | CKV_AZURE_24 | resource | Microsoft.Sql/servers | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Bicep |
| 613 | CKV_AZURE_24 | resource | azurerm_mssql_server | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Terraform |
| 614 | CKV_AZURE_24 | resource | azurerm_mssql_server | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Terraform |
| 615 | CKV_AZURE_24 | resource | azurerm_mssql_server_extended_auditing_policy | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Terraform |
| 616 | CKV_AZURE_24 | resource | azurerm_sql_server | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Terraform |
| 617 | CKV_AZURE_24 | resource | azurerm_sql_server | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Terraform |
| 618 | CKV_AZURE_25 | resource | Microsoft.Sql/servers/databases | Ensure that 'Threat Detection types' is set to 'All' | arm |
| 619 | CKV_AZURE_25 | resource | Microsoft.Sql/servers/databases | Ensure that 'Threat Detection types' is set to 'All' | Bicep |
| 620 | CKV_AZURE_25 | resource | azurerm_mssql_server_security_alert_policy | Ensure that 'Threat Detection types' is set to 'All' | Terraform |
| 621 | CKV_AZURE_26 | resource | Microsoft.Sql/servers/databases | Ensure that 'Send Alerts To' is enabled for MSSQL servers | arm |
| 622 | CKV_AZURE_26 | resource | Microsoft.Sql/servers/databases | Ensure that 'Send Alerts To' is enabled for MSSQL servers | Bicep |
| 623 | CKV_AZURE_26 | resource | azurerm_mssql_server_security_alert_policy | Ensure that 'Send Alerts To' is enabled for MSSQL servers | Terraform |
| 624 | CKV_AZURE_27 | resource | Microsoft.Sql/servers/databases | Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers | arm |
| 625 | CKV_AZURE_27 | resource | Microsoft.Sql/servers/databases | Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers | Bicep |
| 626 | CKV_AZURE_27 | resource | azurerm_mssql_server_security_alert_policy | Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers | Terraform |
| 627 | CKV_AZURE_28 | resource | Microsoft.DBforMySQL/servers | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server | arm |
| 628 | CKV_AZURE_28 | resource | Microsoft.DBforMySQL/servers | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server | Bicep |
| 629 | CKV_AZURE_28 | resource | azurerm_mysql_server | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server | Terraform |
| 630 | CKV_AZURE_29 | resource | Microsoft.DBforPostgreSQL/servers | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | arm |
| 631 | CKV_AZURE_29 | resource | Microsoft.DBforPostgreSQL/servers | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | Bicep |
| 632 | CKV_AZURE_29 | resource | azurerm_postgresql_server | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | Terraform |
| 633 | CKV_AZURE_30 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | arm |
| 634 | CKV_AZURE_30 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | Bicep |
| 635 | CKV_AZURE_30 | resource | azurerm_postgresql_configuration | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | Terraform |
| 636 | CKV_AZURE_30 | resource | configurations | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | arm |
| 637 | CKV_AZURE_30 | resource | configurations | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | Bicep |
| 638 | CKV_AZURE_31 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure configuration 'log_connections' is set to 'ON' for PostgreSQL Database Server | arm |
| 639 | CKV_AZURE_31 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure configuration 'log_connections' is set to 'ON' for PostgreSQL Database Server | Bicep |
| 640 | CKV_AZURE_31 | resource | azurerm_postgresql_configuration | Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server | Terraform |
| 641 | CKV_AZURE_31 | resource | configurations | Ensure configuration 'log_connections' is set to 'ON' for PostgreSQL Database Server | arm |
| 642 | CKV_AZURE_31 | resource | configurations | Ensure configuration 'log_connections' is set to 'ON' for PostgreSQL Database Server | Bicep |
| 643 | CKV_AZURE_32 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | arm |
| 644 | CKV_AZURE_32 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | Bicep |
| 645 | CKV_AZURE_32 | resource | azurerm_postgresql_configuration | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | Terraform |
| 646 | CKV_AZURE_32 | resource | configurations | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | arm |
| 647 | CKV_AZURE_32 | resource | configurations | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | Bicep |
| 648 | CKV_AZURE_33 | resource | Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings | Ensure Storage logging is enabled for Queue service for read, write and delete requests | arm |
| 649 | CKV_AZURE_33 | resource | Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings | Ensure Storage logging is enabled for Queue service for read, write and delete requests | Bicep |
| 650 | CKV_AZURE_33 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Queue service for read, write and delete requests | Terraform |
| 651 | CKV_AZURE_34 | resource | Microsoft.Storage/storageAccounts/blobServices/containers | Ensure that 'Public access level' is set to Private for blob containers | arm |
| 652 | CKV_AZURE_34 | resource | Microsoft.Storage/storageAccounts/blobServices/containers | Ensure that 'Public access level' is set to Private for blob containers | Bicep |
| 653 | CKV_AZURE_34 | resource | azurerm_storage_container | Ensure that 'Public access level' is set to Private for blob containers | Terraform |
| 654 | CKV_AZURE_34 | resource | blobServices/containers | Ensure that 'Public access level' is set to Private for blob containers | arm |
| 655 | CKV_AZURE_34 | resource | blobServices/containers | Ensure that 'Public access level' is set to Private for blob containers | Bicep |
| 656 | CKV_AZURE_34 | resource | containers | Ensure that 'Public access level' is set to Private for blob containers | arm |
| 657 | CKV_AZURE_34 | resource | containers | Ensure that 'Public access level' is set to Private for blob containers | Bicep |
| 658 | CKV_AZURE_35 | resource | Microsoft.Storage/storageAccounts | Ensure default network access rule for Storage Accounts is set to deny | arm |
| 659 | CKV_AZURE_35 | resource | Microsoft.Storage/storageAccounts | Ensure default network access rule for Storage Accounts is set to deny | Bicep |
| 660 | CKV_AZURE_35 | resource | azurerm_storage_account | Ensure default network access rule for Storage Accounts is set to deny | Terraform |
| 661 | CKV_AZURE_35 | resource | azurerm_storage_account_network_rules | Ensure default network access rule for Storage Accounts is set to deny | Terraform |
| 662 | CKV_AZURE_36 | resource | Microsoft.Storage/storageAccounts | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | arm |
| 663 | CKV_AZURE_36 | resource | Microsoft.Storage/storageAccounts | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | Bicep |
| 664 | CKV_AZURE_36 | resource | azurerm_storage_account | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | Terraform |
| 665 | CKV_AZURE_36 | resource | azurerm_storage_account_network_rules | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | Terraform |
| 666 | CKV_AZURE_37 | resource | azurerm_monitor_log_profile | Ensure that Activity Log Retention is set 365 days or greater | Terraform |
| 667 | CKV_AZURE_37 | resource | microsoft.insights/logprofiles | Ensure that Activity Log Retention is set 365 days or greater | arm |
| 668 | CKV_AZURE_37 | resource | microsoft.insights/logprofiles | Ensure that Activity Log Retention is set 365 days or greater | Bicep |
| 669 | CKV_AZURE_38 | resource | azurerm_monitor_log_profile | Ensure audit profile captures all the activities | Terraform |
| 670 | CKV_AZURE_38 | resource | microsoft.insights/logprofiles | Ensure audit profile captures all the activities | arm |
| 671 | CKV_AZURE_38 | resource | microsoft.insights/logprofiles | Ensure audit profile captures all the activities | Bicep |
| 672 | CKV_AZURE_39 | resource | Microsoft.Authorization/roleDefinitions | Ensure that no custom subscription owner roles are created | arm |
| 673 | CKV_AZURE_39 | resource | Microsoft.Authorization/roleDefinitions | Ensure that no custom subscription owner roles are created | Bicep |
| 674 | CKV_AZURE_39 | resource | azurerm_role_definition | Ensure that no custom subscription owner roles are created | Terraform |
| 675 | CKV_AZURE_40 | resource | azurerm_key_vault_key | Ensure that the expiration date is set on all keys | Terraform |
| 676 | CKV_AZURE_41 | resource | Microsoft.KeyVault/vaults/secrets | Ensure that the expiration date is set on all secrets | arm |
| 677 | CKV_AZURE_41 | resource | Microsoft.KeyVault/vaults/secrets | Ensure that the expiration date is set on all secrets | Bicep |
| 678 | CKV_AZURE_41 | resource | azurerm_key_vault_secret | Ensure that the expiration date is set on all secrets | Terraform |
| 679 | CKV_AZURE_42 | resource | Microsoft.KeyVault/vaults | Ensure the key vault is recoverable | arm |
| 680 | CKV_AZURE_42 | resource | Microsoft.KeyVault/vaults | Ensure the key vault is recoverable | Bicep |
| 681 | CKV_AZURE_42 | resource | azurerm_key_vault | Ensure the key vault is recoverable | Terraform |
| 682 | CKV_AZURE_43 | resource | azurerm_storage_account | Ensure Storage Accounts adhere to the naming rules | Terraform |
| 683 | CKV_AZURE_44 | resource | azurerm_storage_account | Ensure Storage Account is using the latest version of TLS encryption | Terraform |
| 684 | CKV_AZURE_45 | resource | azurerm_virtual_machine | Ensure that no sensitive credentials are exposed in VM custom_data | Terraform |
| 685 | CKV_AZURE_46 | resource | azurerm_mssql_database_extended_auditing_policy | Specifies a retention period of less than 90 days. | Terraform |
| 686 | CKV_AZURE_47 | resource | Microsoft.DBforMariaDB/servers | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MariaDB servers | arm |
| 687 | CKV_AZURE_47 | resource | Microsoft.DBforMariaDB/servers | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MariaDB servers | Bicep |
| 688 | CKV_AZURE_47 | resource | azurerm_mariadb_server | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MariaDB servers | Terraform |
| 689 | CKV_AZURE_48 | resource | azurerm_mariadb_server | Ensure 'public network access enabled' is set to 'False' for MariaDB servers | Terraform |
| 690 | CKV_AZURE_49 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure Azure linux scale set does not use basic authentication(Use SSH Key Instead) | arm |
| 691 | CKV_AZURE_49 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure Azure linux scale set does not use basic authentication(Use SSH Key Instead) | Bicep |
| 692 | CKV_AZURE_49 | resource | azurerm_linux_virtual_machine_scale_set | Ensure Azure linux scale set does not use basic authentication(Use SSH Key Instead) | Terraform |
| 693 | CKV_AZURE_50 | resource | azurerm_linux_virtual_machine | Ensure Virtual Machine Extensions are not Installed | Terraform |
| 694 | CKV_AZURE_50 | resource | azurerm_windows_virtual_machine | Ensure Virtual Machine Extensions are not Installed | Terraform |
| 695 | CKV_AZURE_52 | resource | azurerm_mssql_server | Ensure MSSQL is using the latest version of TLS encryption | Terraform |
| 696 | CKV_AZURE_53 | resource | azurerm_mysql_server | Ensure 'public network access enabled' is set to 'False' for mySQL servers | Terraform |
| 697 | CKV_AZURE_54 | resource | azurerm_mysql_server | Ensure MySQL is using the latest version of TLS encryption | Terraform |
| 698 | CKV_AZURE_55 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Servers | Terraform |
| 699 | CKV_AZURE_56 | resource | azurerm_function_app | Ensure that function apps enables Authentication | Terraform |
| 700 | CKV_AZURE_57 | resource | azurerm_app_service | Ensure that CORS disallows every resource to access app services | Terraform |
| 701 | CKV_AZURE_58 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces enables managed virtual networks | Terraform |
| 702 | CKV_AZURE_59 | resource | azurerm_storage_account | Ensure that Storage accounts disallow public access | Terraform |
| 703 | CKV_AZURE_60 | resource | azurerm_storage_account | Ensure that storage account enables secure transfer | Terraform |
| 704 | CKV_AZURE_61 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for App Service | Terraform |
| 705 | CKV_AZURE_62 | resource | azurerm_function_app | Ensure function apps are not accessible from all regions | Terraform |
| 706 | CKV_AZURE_63 | resource | azurerm_app_service | Ensure that App service enables HTTP logging | Terraform |
| 707 | CKV_AZURE_64 | resource | azurerm_storage_sync | Ensure that Azure File Sync disables public network access | Terraform |
| 708 | CKV_AZURE_65 | resource | azurerm_app_service | Ensure that App service enables detailed error messages | Terraform |
| 709 | CKV_AZURE_66 | resource | azurerm_app_service | Ensure that App service enables failed request tracing | Terraform |
| 710 | CKV_AZURE_67 | resource | azurerm_function_app | Ensure that 'HTTP Version' is the latest, if used to run the Function app | Terraform |
| 711 | CKV_AZURE_67 | resource | azurerm_function_app_slot | Ensure that 'HTTP Version' is the latest, if used to run the Function app | Terraform |
| 712 | CKV_AZURE_68 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server disables public network access | Terraform |
| 713 | CKV_AZURE_69 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Azure SQL database servers | Terraform |
| 714 | CKV_AZURE_70 | resource | azurerm_function_app | Ensure that Function apps is only accessible over HTTPS | Terraform |
| 715 | CKV_AZURE_71 | resource | azurerm_app_service | Ensure that Managed identity provider is enabled for app services | Terraform |
| 716 | CKV_AZURE_72 | resource | azurerm_app_service | Ensure that remote debugging is not enabled for app services | Terraform |
| 717 | CKV_AZURE_73 | resource | azurerm_automation_variable_bool | Ensure that Automation account variables are encrypted | Terraform |
| 718 | CKV_AZURE_73 | resource | azurerm_automation_variable_datetime | Ensure that Automation account variables are encrypted | Terraform |
| 719 | CKV_AZURE_73 | resource | azurerm_automation_variable_int | Ensure that Automation account variables are encrypted | Terraform |
| 720 | CKV_AZURE_73 | resource | azurerm_automation_variable_string | Ensure that Automation account variables are encrypted | Terraform |
| 721 | CKV_AZURE_74 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer uses disk encryption | Terraform |
| 722 | CKV_AZURE_75 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer uses double encryption | Terraform |
| 723 | CKV_AZURE_76 | resource | azurerm_batch_account | Ensure that Azure Batch account uses key vault to encrypt data | Terraform |
| 724 | CKV_AZURE_77 | resource | azurerm_network_security_group | Ensure that UDP Services are restricted from the Internet | Terraform |
| 725 | CKV_AZURE_77 | resource | azurerm_network_security_rule | Ensure that UDP Services are restricted from the Internet | Terraform |
| 726 | CKV_AZURE_78 | resource | azurerm_app_service | Ensure FTP deployments are disabled | Terraform |
| 727 | CKV_AZURE_79 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for SQL servers on machines | Terraform |
| 728 | CKV_AZURE_80 | resource | azurerm_app_service | Ensure that 'Net Framework' version is the latest, if used as a part of the web app | Terraform |
| 729 | CKV_AZURE_81 | resource | azurerm_app_service | Ensure that 'PHP version' is the latest, if used to run the web app | Terraform |
| 730 | CKV_AZURE_82 | resource | azurerm_app_service | Ensure that 'Python version' is the latest, if used to run the web app | Terraform |
| 731 | CKV_AZURE_83 | resource | azurerm_app_service | Ensure that 'Java version' is the latest, if used to run the web app | Terraform |
| 732 | CKV_AZURE_84 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Storage | Terraform |
| 733 | CKV_AZURE_85 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Kubernetes | Terraform |
| 734 | CKV_AZURE_86 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Container Registries | Terraform |
| 735 | CKV_AZURE_87 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Key Vault | Terraform |
| 736 | CKV_AZURE_88 | resource | azurerm_app_service | Ensure that app services use Azure Files | Terraform |
| 737 | CKV_AZURE_89 | resource | azurerm_redis_cache | Ensure that Azure Cache for Redis disables public network access | Terraform |
| 738 | CKV_AZURE_90 | resource | azurerm_mysql_server | Ensure that MySQL server disables public network access | Terraform |
| 739 | CKV_AZURE_91 | resource | azurerm_redis_cache | Ensure that only SSL are enabled for Cache for Redis | Terraform |
| 740 | CKV_AZURE_92 | resource | azurerm_linux_virtual_machine | Ensure that Virtual Machines use managed disks | Terraform |
| 741 | CKV_AZURE_92 | resource | azurerm_windows_virtual_machine | Ensure that Virtual Machines use managed disks | Terraform |
| 742 | CKV_AZURE_93 | resource | azurerm_managed_disk | Ensure that managed disks use a specific set of disk encryption sets for the customer-managed key encryption | Terraform |
| 743 | CKV_AZURE_94 | resource | azurerm_mysql_server | Ensure that My SQL server enables geo-redundant backups | Terraform |
| 744 | CKV_AZURE_95 | resource | azurerm_virtual_machine_scale_set | Ensure that automatic OS image patching is enabled for Virtual Machine Scale Sets | Terraform |
| 745 | CKV_AZURE_96 | resource | azurerm_mysql_server | Ensure that MySQL server enables infrastructure encryption | Terraform |
| 746 | CKV_AZURE_97 | resource | azurerm_linux_virtual_machine_scale_set | Ensure that Virtual machine scale sets have encryption at host enabled | Terraform |
| 747 | CKV_AZURE_97 | resource | azurerm_windows_virtual_machine_scale_set | Ensure that Virtual machine scale sets have encryption at host enabled | Terraform |
| 748 | CKV_AZURE_98 | resource | azurerm_container_group | Ensure that Azure Container group is deployed into virtual network | Terraform |
| 749 | CKV_AZURE_99 | resource | azurerm_cosmosdb_account | Ensure Cosmos DB accounts have restricted access | Terraform |
| 750 | CKV_AZURE_100 | resource | azurerm_cosmosdb_account | Ensure that Cosmos DB accounts have customer-managed keys to encrypt data at rest | Terraform |
| 751 | CKV_AZURE_101 | resource | azurerm_cosmosdb_account | Ensure that Azure Cosmos DB disables public network access | Terraform |
| 752 | CKV_AZURE_102 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables geo-redundant backups | Terraform |
| 753 | CKV_AZURE_103 | resource | azurerm_data_factory | Ensure that Azure Data Factory uses Git repository for source control | Terraform |
| 754 | CKV_AZURE_104 | resource | azurerm_data_factory | Ensure that Azure Data factory public network access is disabled | Terraform |
| 755 | CKV_AZURE_105 | resource | azurerm_data_lake_store | Ensure that Data Lake Store accounts enables encryption | Terraform |
| 756 | CKV_AZURE_106 | resource | azurerm_eventgrid_domain | Ensure that Azure Event Grid Domain public network access is disabled | Terraform |
| 757 | CKV_AZURE_107 | resource | azurerm_api_management | Ensure that API management services use virtual networks | Terraform |
| 758 | CKV_AZURE_108 | resource | azurerm_iothub | Ensure that Azure IoT Hub disables public network access | Terraform |
| 759 | CKV_AZURE_109 | resource | azurerm_key_vault | Ensure that key vault allows firewall rules settings | Terraform |
| 760 | CKV_AZURE_110 | resource | azurerm_key_vault | Ensure that key vault enables purge protection | Terraform |
| 761 | CKV_AZURE_111 | resource | azurerm_key_vault | Ensure that key vault enables soft delete | Terraform |
| 762 | CKV_AZURE_112 | resource | azurerm_key_vault_key | Ensure that key vault key is backed by HSM | Terraform |
| 763 | CKV_AZURE_113 | resource | azurerm_mssql_server | Ensure that SQL server disables public network access | Terraform |
| 764 | CKV_AZURE_114 | resource | azurerm_key_vault_secret | Ensure that key vault secrets have "content_type" set | Terraform |
| 765 | CKV_AZURE_115 | resource | azurerm_kubernetes_cluster | Ensure that AKS enables private clusters | Terraform |
| 766 | CKV_AZURE_116 | resource | azurerm_kubernetes_cluster | Ensure that AKS uses Azure Policies Add-on | Terraform |
| 767 | CKV_AZURE_117 | resource | azurerm_kubernetes_cluster | Ensure that AKS uses disk encryption set | Terraform |
| 768 | CKV_AZURE_118 | resource | azurerm_network_interface | Ensure that Network Interfaces disable IP forwarding | Terraform |
| 769 | CKV_AZURE_119 | resource | azurerm_network_interface | Ensure that Network Interfaces don't use public IPs | Terraform |
| 770 | CKV_AZURE_120 | resource | azurerm_application_gateway | Ensure that Application Gateway enables WAF | Terraform |
| 771 | CKV_AZURE_121 | resource | azurerm_frontdoor | Ensure that Azure Front Door enables WAF | Terraform |
| 772 | CKV_AZURE_122 | resource | azurerm_web_application_firewall_policy | Ensure that Application Gateway uses WAF in "Detection" or "Prevention" modes | Terraform |
| 773 | CKV_AZURE_123 | resource | azurerm_frontdoor_firewall_policy | Ensure that Azure Front Door uses WAF in "Detection" or "Prevention" modes | Terraform |
| 774 | CKV_AZURE_124 | resource | azurerm_search_service | Ensure that Azure Cognitive Search disables public network access | Terraform |
| 775 | CKV_AZURE_125 | resource | azurerm_service_fabric_cluster | Ensures that Service Fabric use three levels of protection available | Terraform |
| 776 | CKV_AZURE_126 | resource | azurerm_service_fabric_cluster | Ensures that Active Directory is used for authentication for Service Fabric | Terraform |
| 777 | CKV_AZURE_127 | resource | azurerm_mysql_server | Ensure that My SQL server enables Threat detection policy | Terraform |
| 778 | CKV_AZURE_128 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables Threat detection policy | Terraform |
| 779 | CKV_AZURE_129 | resource | azurerm_mariadb_server | Ensure that MariaDB server enables geo-redundant backups | Terraform |
| 780 | CKV_AZURE_130 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables infrastructure encryption | Terraform |
| 781 | CKV_AZURE_131 | resource | azurerm_security_center_contact | Ensure that 'Security contact emails' is set | Terraform |
| 782 | CKV_AZURE_131 | parameter | secureString | SecureString parameter should not have hardcoded default values | arm |
| 783 | CKV_AZURE_131 | parameter | string | SecureString parameter should not have hardcoded default values | Bicep |
| 784 | CKV_AZURE_132 | resource | Microsoft.DocumentDB/databaseAccounts | Ensure cosmosdb does not allow privileged escalation by restricting management plane changes | arm |
| 785 | CKV_AZURE_132 | resource | Microsoft.DocumentDB/databaseAccounts | Ensure cosmosdb does not allow privileged escalation by restricting management plane changes | Bicep |
| 786 | CKV_AZURE_132 | resource | azurerm_cosmosdb_account | Ensure cosmosdb does not allow privileged escalation by restricting management plane changes | Terraform |
| 787 | CKV_AZURE_133 | resource | azurerm_frontdoor_firewall_policy | Ensure Front Door WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell | Terraform |
| 788 | CKV_AZURE_134 | resource | azurerm_cognitive_account | Ensure that Cognitive Services accounts disable public network access | Terraform |
| 789 | CKV_AZURE_135 | resource | azurerm_web_application_firewall_policy | Ensure Application Gateway WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell | Terraform |
| 790 | CKV_AZURE_136 | resource | azurerm_postgresql_flexible_server | Ensure that PostgreSQL Flexible server enables geo-redundant backups | Terraform |
| 791 | CKV_AZURE_137 | resource | azurerm_container_registry | Ensure ACR admin account is disabled | Terraform |
| 792 | CKV_AZURE_138 | resource | azurerm_container_registry | Ensures that ACR disables anonymous pulling of images | Terraform |
| 793 | CKV_AZURE_139 | resource | azurerm_container_registry | Ensure ACR set to disable public networking | Terraform |
| 794 | CKV_AZURE_140 | resource | azurerm_cosmosdb_account | Ensure that Local Authentication is disabled on CosmosDB | Terraform |
| 795 | CKV_AZURE_141 | resource | azurerm_kubernetes_cluster | Ensure AKS local admin account is disabled | Terraform |
| 796 | CKV_AZURE_142 | resource | azurerm_machine_learning_compute_cluster | Ensure Machine Learning Compute Cluster Local Authentication is disabled | Terraform |
| 797 | CKV_AZURE_143 | resource | azurerm_kubernetes_cluster | Ensure AKS cluster nodes do not have public IP addresses | Terraform |
| 798 | CKV_AZURE_144 | resource | azurerm_machine_learning_workspace | Ensure that Public Access is disabled for Machine Learning Workspace | Terraform |
| 799 | CKV_AZURE_145 | resource | azurerm_function_app | Ensure Function app is using the latest version of TLS encryption | Terraform |
| 800 | CKV_AZURE_146 | resource | azurerm_postgresql_configuration | Ensure server parameter 'log_retention' is set to 'ON' for PostgreSQL Database Server | Terraform |
| 801 | CKV_AZURE_147 | resource | azurerm_postgresql_server | Ensure PostgreSQL is using the latest version of TLS encryption | Terraform |
| 802 | CKV_AZURE_148 | resource | azurerm_redis_cache | Ensure Redis Cache is using the latest version of TLS encryption | Terraform |
| 803 | CKV_AZURE_149 | resource | azurerm_linux_virtual_machine | Ensure that Virtual machine does not enable password authentication | Terraform |
| 804 | CKV_AZURE_149 | resource | azurerm_linux_virtual_machine_scale_set | Ensure that Virtual machine does not enable password authentication | Terraform |
| 805 | CKV_AZURE_150 | resource | azurerm_machine_learning_compute_cluster | Ensure Machine Learning Compute Cluster Minimum Nodes Set To 0 | Terraform |
| 806 | CKV_AZURE_151 | resource | azurerm_windows_virtual_machine | Ensure Windows VM enables encryption | Terraform |
| 807 | CKV_AZURE_152 | resource | azurerm_api_management | Ensure Client Certificates are enforced for API management | Terraform |
| 808 | CKV_AZURE_153 | resource | azurerm_app_service_slot | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot | Terraform |
| 809 | CKV_AZURE_154 | resource | azurerm_app_service_slot | Ensure the App service slot is using the latest version of TLS encryption | Terraform |
| 810 | CKV_AZURE_155 | resource | azurerm_app_service_slot | Ensure debugging is disabled for the App service slot | Terraform |
| 811 | CKV_AZURE_156 | resource | azurerm_mssql_database_extended_auditing_policy | Ensure default Auditing policy for a SQL Server is configured to capture and retain the activity logs | Terraform |
| 812 | CKV_AZURE_157 | resource | azurerm_synapse_workspace | Ensure that Synapse workspace has data_exfiltration_protection_enabled | Terraform |
| 813 | CKV_AZURE_158 | resource | azurerm_databricks_workspace | Ensure that databricks workspace has not public | Terraform |
| 814 | CKV_AZURE_159 | resource | azurerm_function_app | Ensure function app builtin logging is enabled | Terraform |
| 815 | CKV_AZURE_159 | resource | azurerm_function_app_slot | Ensure function app builtin logging is enabled | Terraform |
| 816 | CKV2_AZURE_1 | resource | azurerm_storage_account | Ensure storage for critical data are encrypted with Customer Managed Key | Terraform |
| 817 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform |
| 818 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform |
| 819 | CKV2_AZURE_3 | resource | azurerm_mssql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform |
| 820 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform |
| 821 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform |
| 822 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform |
| 823 | CKV2_AZURE_4 | resource | azurerm_mssql_server | Ensure Azure SQL server ADS VA Send scan reports to is configured | Terraform |
| 824 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure Azure SQL server ADS VA Send scan reports to is configured | Terraform |
| 825 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure Azure SQL server ADS VA Send scan reports to is configured | Terraform |
| 826 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure Azure SQL server ADS VA Send scan reports to is configured | Terraform |
| 827 | CKV2_AZURE_5 | resource | azurerm_mssql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform |
| 828 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform |
| 829 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform |
| 830 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform |
| 831 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform |
| 832 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform |
| 833 | CKV2_AZURE_7 | resource | azurerm_sql_server | Ensure that Azure Active Directory Admin is configured | Terraform |
| 834 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform |
| 835 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform |
| 836 | CKV2_AZURE_9 | resource | azurerm_virtual_machine | Ensure Virtual Machines are utilizing Managed Disks | Terraform |
| 837 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform |
| 838 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform |
| 839 | CKV2_AZURE_11 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer encryption at rest uses a customer-managed key | Terraform |
| 840 | CKV2_AZURE_12 | resource | azurerm_virtual_machine | Ensure that virtual machines are backed up using Azure Backup | Terraform |
| 841 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform |
| 842 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform |
| 843 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform |
| 844 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform |
| 845 | CKV2_AZURE_15 | resource | azurerm_data_factory | Ensure that Azure data factories are encrypted with a customer-managed key | Terraform |
| 846 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform |
| 847 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform |
| 848 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform |
| 849 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform |
| 850 | CKV2_AZURE_18 | resource | azurerm_storage_account | Ensure that Storage Accounts use customer-managed key for encryption | Terraform |
| 851 | CKV2_AZURE_18 | resource | azurerm_storage_account_customer_managed_key | Ensure that Storage Accounts use customer-managed key for encryption | Terraform |
| 852 | CKV2_AZURE_19 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces have no IP firewall rules attached | Terraform |
| 853 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform |
| 854 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform |
| 855 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform |
| 856 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform |
| 857 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform |
| 858 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform |
| 859 | CKV2_AZURE_22 | resource | azurerm_cognitive_account | Ensure that Cognitive Services enables customer-managed key for encryption | Terraform |
| 860 | CKV2_AZURE_22 | resource | azurerm_cognitive_account_customer_managed_key | Ensure that Cognitive Services enables customer-managed key for encryption | Terraform |
| 861 | CKV_BCW_1 | provider | bridgecrew | Ensure no hard coded API token exist in the provider | Terraform |
| 862 | CKV_BITBUCKET_1 | bitbucket_configuration | * | Merge requests should require at least 2 approvals | bitbucket_configuration |
| 863 | CKV_DIO_1 | resource | digitalocean_spaces_bucket | Ensure the Spaces bucket has versioning enabled | Terraform |
| 864 | CKV_DIO_2 | resource | digitalocean_droplet | Ensure the droplet specifies an SSH key | Terraform |
| 865 | CKV_DIO_3 | resource | digitalocean_spaces_bucket | Ensure the Spaces bucket is private | Terraform |
| 866 | CKV_DIO_4 | resource | digitalocean_firewall | Ensure the firewall ingress is not wide open | Terraform |
| 867 | CKV_DOCKER_1 | dockerfile | EXPOSE | Ensure port 22 is not exposed | dockerfile |
| 868 | CKV_DOCKER_2 | dockerfile | * | Ensure that HEALTHCHECK instructions have been added to container images | dockerfile |
| 869 | CKV_DOCKER_3 | dockerfile | * | Ensure that a user for the container has been created | dockerfile |
| 870 | CKV_DOCKER_4 | dockerfile | ADD | Ensure that COPY is used instead of ADD in Dockerfiles | dockerfile |
| 871 | CKV_DOCKER_5 | dockerfile | RUN | Ensure update instructions are not use alone in the Dockerfile | dockerfile |
| 872 | CKV_DOCKER_6 | dockerfile | MAINTAINER | Ensure that LABEL maintainer is used instead of MAINTAINER (deprecated) | dockerfile |
| 873 | CKV_DOCKER_7 | dockerfile | FROM | Ensure the base image uses a non latest version tag | dockerfile |
| 874 | CKV_DOCKER_8 | dockerfile | USER | Ensure the last USER is not root | dockerfile |
| 875 | CKV_DOCKER_9 | dockerfile | RUN | Ensure that APT isn't used | dockerfile |
| 876 | CKV_DOCKER_10 | dockerfile | WORKDIR | Ensure that WORKDIR values are absolute paths | dockerfile |
| 877 | CKV_DOCKER_11 | dockerfile | FROM | Ensure From Alias are unique for multistage builds. | dockerfile |
| 878 | CKV_TF_DATA_EXTERNAL_1 | data | external | Ensure terraform external data blocks runs vetted code | Terraform |
| 879 | CKV_GCP_1 | resource | google_container_cluster | Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters | Terraform |
| 880 | CKV_GCP_2 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted ssh access | Terraform |
| 881 | CKV_GCP_3 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted rdp access | Terraform |
| 882 | CKV_GCP_4 | resource | google_compute_ssl_policy | Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites | Terraform |
| 883 | CKV_GCP_6 | resource | google_sql_database_instance | Ensure all Cloud SQL database instance requires all incoming connections to use SSL | Terraform |
| 884 | CKV_GCP_7 | resource | google_container_cluster | Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters | Terraform |
| 885 | CKV_GCP_8 | resource | google_container_cluster | Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters | Terraform |
| 886 | CKV_GCP_9 | resource | google_container_node_pool | Ensure 'Automatic node repair' is enabled for Kubernetes Clusters | Terraform |
| 887 | CKV_GCP_10 | resource | google_container_node_pool | Ensure 'Automatic node upgrade' is enabled for Kubernetes Clusters | Terraform |
| 888 | CKV_GCP_11 | resource | google_sql_database_instance | Ensure that Cloud SQL database Instances are not open to the world | Terraform |
| 889 | CKV_GCP_12 | resource | google_container_cluster | Ensure Network Policy is enabled on Kubernetes Engine Clusters | Terraform |
| 890 | CKV_GCP_13 | resource | google_container_cluster | Ensure client certificate authentication to Kubernetes Engine Clusters is disabled | Terraform |
| 891 | CKV_GCP_14 | resource | google_sql_database_instance | Ensure all Cloud SQL database instance have backup configuration enabled | Terraform |
| 892 | CKV_GCP_15 | resource | google_bigquery_dataset | Ensure that BigQuery datasets are not anonymously or publicly accessible | Terraform |
| 893 | CKV_GCP_16 | resource | google_dns_managed_zone | Ensure that DNSSEC is enabled for Cloud DNS | Terraform |
| 894 | CKV_GCP_17 | resource | google_dns_managed_zone | Ensure that RSASHA1 is not used for the zone-signing and key-signing keys in Cloud DNS DNSSEC | Terraform |
| 895 | CKV_GCP_18 | resource | google_container_cluster | Ensure GKE Control Plane is not public | Terraform |
| 896 | CKV_GCP_19 | resource | google_container_cluster | Ensure GKE basic auth is disabled | Terraform |
| 897 | CKV_GCP_20 | resource | google_container_cluster | Ensure master authorized networks is set to enabled in GKE clusters | Terraform |
| 898 | CKV_GCP_21 | resource | google_container_cluster | Ensure Kubernetes Clusters are configured with Labels | Terraform |
| 899 | CKV_GCP_22 | resource | google_container_node_pool | Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image | Terraform |
| 900 | CKV_GCP_23 | resource | google_container_cluster | Ensure Kubernetes Cluster is created with Alias IP ranges enabled | Terraform |
| 901 | CKV_GCP_24 | resource | google_container_cluster | Ensure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters | Terraform |
| 902 | CKV_GCP_25 | resource | google_container_cluster | Ensure Kubernetes Cluster is created with Private cluster enabled | Terraform |
| 903 | CKV_GCP_26 | resource | google_compute_subnetwork | Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network | Terraform |
| 904 | CKV_GCP_27 | resource | google_project | Ensure that the default network does not exist in a project | Terraform |
| 905 | CKV_GCP_28 | resource | google_storage_bucket_iam_binding | Ensure that Cloud Storage bucket is not anonymously or publicly accessible | Terraform |
| 906 | CKV_GCP_28 | resource | google_storage_bucket_iam_member | Ensure that Cloud Storage bucket is not anonymously or publicly accessible | Terraform |
| 907 | CKV_GCP_29 | resource | google_storage_bucket | Ensure that Cloud Storage buckets have uniform bucket-level access enabled | Terraform |
| 908 | CKV_GCP_30 | resource | google_compute_instance | Ensure that instances are not configured to use the default service account | Terraform |
| 909 | CKV_GCP_30 | resource | google_compute_instance_from_template | Ensure that instances are not configured to use the default service account | Terraform |
| 910 | CKV_GCP_30 | resource | google_compute_instance_template | Ensure that instances are not configured to use the default service account | Terraform |
| 911 | CKV_GCP_31 | resource | google_compute_instance | Ensure that instances are not configured to use the default service account with full access to all Cloud APIs | Terraform |
| 912 | CKV_GCP_31 | resource | google_compute_instance_from_template | Ensure that instances are not configured to use the default service account with full access to all Cloud APIs | Terraform |
| 913 | CKV_GCP_31 | resource | google_compute_instance_template | Ensure that instances are not configured to use the default service account with full access to all Cloud APIs | Terraform |
| 914 | CKV_GCP_32 | resource | google_compute_instance | Ensure 'Block Project-wide SSH keys' is enabled for VM instances | Terraform |
| 915 | CKV_GCP_32 | resource | google_compute_instance_from_template | Ensure 'Block Project-wide SSH keys' is enabled for VM instances | Terraform |
| 916 | CKV_GCP_32 | resource | google_compute_instance_template | Ensure 'Block Project-wide SSH keys' is enabled for VM instances | Terraform |
| 917 | CKV_GCP_33 | resource | google_compute_project_metadata | Ensure oslogin is enabled for a Project | Terraform |
| 918 | CKV_GCP_34 | resource | google_compute_instance | Ensure that no instance in the project overrides the project setting for enabling OSLogin(OSLogin needs to be enabled in project metadata for all instances) | Terraform |
| 919 | CKV_GCP_34 | resource | google_compute_instance_from_template | Ensure that no instance in the project overrides the project setting for enabling OSLogin(OSLogin needs to be enabled in project metadata for all instances) | Terraform |
| 920 | CKV_GCP_34 | resource | google_compute_instance_template | Ensure that no instance in the project overrides the project setting for enabling OSLogin(OSLogin needs to be enabled in project metadata for all instances) | Terraform |
| 921 | CKV_GCP_35 | resource | google_compute_instance | Ensure 'Enable connecting to serial ports' is not enabled for VM Instance | Terraform |
| 922 | CKV_GCP_35 | resource | google_compute_instance_from_template | Ensure 'Enable connecting to serial ports' is not enabled for VM Instance | Terraform |
| 923 | CKV_GCP_35 | resource | google_compute_instance_template | Ensure 'Enable connecting to serial ports' is not enabled for VM Instance | Terraform |
| 924 | CKV_GCP_36 | resource | google_compute_instance | Ensure that IP forwarding is not enabled on Instances | Terraform |
| 925 | CKV_GCP_36 | resource | google_compute_instance_from_template | Ensure that IP forwarding is not enabled on Instances | Terraform |
| 926 | CKV_GCP_36 | resource | google_compute_instance_template | Ensure that IP forwarding is not enabled on Instances | Terraform |
| 927 | CKV_GCP_37 | resource | google_compute_disk | Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform |
| 928 | CKV_GCP_38 | resource | google_compute_instance | Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform |
| 929 | CKV_GCP_39 | resource | google_compute_instance | Ensure Compute instances are launched with Shielded VM enabled | Terraform |
| 930 | CKV_GCP_39 | resource | google_compute_instance_from_template | Ensure Compute instances are launched with Shielded VM enabled | Terraform |
| 931 | CKV_GCP_39 | resource | google_compute_instance_template | Ensure Compute instances are launched with Shielded VM enabled | Terraform |
| 932 | CKV_GCP_40 | resource | google_compute_instance | Ensure that Compute instances do not have public IP addresses | Terraform |
| 933 | CKV_GCP_40 | resource | google_compute_instance_from_template | Ensure that Compute instances do not have public IP addresses | Terraform |
| 934 | CKV_GCP_40 | resource | google_compute_instance_template | Ensure that Compute instances do not have public IP addresses | Terraform |
| 935 | CKV_GCP_41 | resource | google_project_iam_binding | Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level | Terraform |
| 936 | CKV_GCP_41 | resource | google_project_iam_member | Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level | Terraform |
| 937 | CKV_GCP_42 | resource | google_project_iam_member | Ensure that Service Account has no Admin privileges | Terraform |
| 938 | CKV_GCP_43 | resource | google_kms_crypto_key | Ensure KMS encryption keys are rotated within a period of 90 days | Terraform |
| 939 | CKV_GCP_44 | resource | google_folder_iam_binding | Ensure no roles that enable to impersonate and manage all service accounts are used at a folder level | Terraform |
| 940 | CKV_GCP_44 | resource | google_folder_iam_member | Ensure no roles that enable to impersonate and manage all service accounts are used at a folder level | Terraform |
| 941 | CKV_GCP_45 | resource | google_organization_iam_binding | Ensure no roles that enable to impersonate and manage all service accounts are used at an organization level | Terraform |
| 942 | CKV_GCP_45 | resource | google_organization_iam_member | Ensure no roles that enable to impersonate and manage all service accounts are used at an organization level | Terraform |
| 943 | CKV_GCP_46 | resource | google_project_iam_binding | Ensure Default Service account is not used at a project level | Terraform |
| 944 | CKV_GCP_46 | resource | google_project_iam_member | Ensure Default Service account is not used at a project level | Terraform |
| 945 | CKV_GCP_47 | resource | google_organization_iam_binding | Ensure default service account is not used at an organization level | Terraform |
| 946 | CKV_GCP_47 | resource | google_organization_iam_member | Ensure default service account is not used at an organization level | Terraform |
| 947 | CKV_GCP_48 | resource | google_folder_iam_binding | Ensure Default Service account is not used at a folder level | Terraform |
| 948 | CKV_GCP_48 | resource | google_folder_iam_member | Ensure Default Service account is not used at a folder level | Terraform |
| 949 | CKV_GCP_49 | resource | google_project_iam_binding | Ensure roles do not impersonate or manage Service Accounts used at project level | Terraform |
| 950 | CKV_GCP_49 | resource | google_project_iam_member | Ensure roles do not impersonate or manage Service Accounts used at project level | Terraform |
| 951 | CKV_GCP_50 | resource | google_sql_database_instance | Ensure MySQL database 'local_infile' flag is set to 'off' | Terraform |
| 952 | CKV_GCP_51 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_checkpoints' flag is set to 'on' | Terraform |
| 953 | CKV_GCP_52 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_connections' flag is set to 'on' | Terraform |
| 954 | CKV_GCP_53 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_disconnections' flag is set to 'on' | Terraform |
| 955 | CKV_GCP_54 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_lock_waits' flag is set to 'on' | Terraform |
| 956 | CKV_GCP_55 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_min_messages' flag is set to a valid value | Terraform |
| 957 | CKV_GCP_56 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_temp_files flag is set to '0' | Terraform |
| 958 | CKV_GCP_57 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_min_duration_statement' flag is set to '-1' | Terraform |
| 959 | CKV_GCP_58 | resource | google_sql_database_instance | Ensure SQL database 'cross db ownership chaining' flag is set to 'off' | Terraform |
| 960 | CKV_GCP_59 | resource | google_sql_database_instance | Ensure SQL database 'contained database authentication' flag is set to 'off' | Terraform |
| 961 | CKV_GCP_60 | resource | google_sql_database_instance | Ensure Cloud SQL database does not have public IP | Terraform |
| 962 | CKV_GCP_61 | resource | google_container_cluster | Enable VPC Flow Logs and Intranode Visibility | Terraform |
| 963 | CKV_GCP_62 | resource | google_storage_bucket | Bucket should log access | Terraform |
| 964 | CKV_GCP_63 | resource | google_storage_bucket | Bucket should not log to itself | Terraform |
| 965 | CKV_GCP_64 | resource | google_container_cluster | Ensure clusters are created with Private Nodes | Terraform |
| 966 | CKV_GCP_65 | resource | google_container_cluster | Manage Kubernetes RBAC users with Google Groups for GKE | Terraform |
| 967 | CKV_GCP_66 | resource | google_container_cluster | Ensure use of Binary Authorization | Terraform |
| 968 | CKV_GCP_67 | resource | google_container_cluster | Ensure legacy Compute Engine instance metadata APIs are Disabled | Terraform |
| 969 | CKV_GCP_68 | resource | google_container_cluster | Ensure Secure Boot for Shielded GKE Nodes is Enabled | Terraform |
| 970 | CKV_GCP_68 | resource | google_container_node_pool | Ensure Secure Boot for Shielded GKE Nodes is Enabled | Terraform |
| 971 | CKV_GCP_69 | resource | google_container_cluster | Ensure the GKE Metadata Server is Enabled | Terraform |
| 972 | CKV_GCP_69 | resource | google_container_node_pool | Ensure the GKE Metadata Server is Enabled | Terraform |
| 973 | CKV_GCP_70 | resource | google_container_cluster | Ensure the GKE Release Channel is set | Terraform |
| 974 | CKV_GCP_71 | resource | google_container_cluster | Ensure Shielded GKE Nodes are Enabled | Terraform |
| 975 | CKV_GCP_72 | resource | google_container_cluster | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform |
| 976 | CKV_GCP_72 | resource | google_container_node_pool | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform |
| 977 | CKV_GCP_73 | resource | google_compute_security_policy | Ensure Cloud Armor prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell | Terraform |
| 978 | CKV_GCP_74 | resource | google_compute_subnetwork | Ensure that private_ip_google_access is enabled for Subnet | Terraform |
| 979 | CKV_GCP_75 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted FTP access | Terraform |
| 980 | CKV_GCP_76 | resource | google_compute_subnetwork | Ensure that Private google access is enabled for IPV6 | Terraform |
| 981 | CKV_GCP_77 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow on ftp port | Terraform |
| 982 | CKV_GCP_78 | resource | google_storage_bucket | Ensure Cloud storage has versioning enabled | Terraform |
| 983 | CKV_GCP_79 | resource | google_sql_database_instance | Ensure SQL database is using latest Major version | Terraform |
| 984 | CKV_GCP_80 | resource | google_bigquery_table | Ensure Big Query Tables are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform |
| 985 | CKV_GCP_81 | resource | google_bigquery_dataset | Ensure Big Query Tables are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform |
| 986 | CKV_GCP_82 | resource | google_kms_crypto_key | Ensure KMS keys are protected from deletion | Terraform |
| 987 | CKV_GCP_83 | resource | google_pubsub_topic | Ensure PubSub Topics are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform |
| 988 | CKV_GCP_84 | resource | google_artifact_registry_repository | Ensure Artifact Registry Repositories are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform |
| 989 | CKV_GCP_85 | resource | google_bigtable_instance | Ensure Big Table Instances are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform |
| 990 | CKV_GCP_86 | resource | google_cloudbuild_worker_pool | Ensure Cloud build workers are private | Terraform |
| 991 | CKV_GCP_87 | resource | google_data_fusion_instance | Ensure Data fusion instances are private | Terraform |
| 992 | CKV_GCP_88 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted mysql access | Terraform |
| 993 | CKV_GCP_89 | resource | google_notebooks_instance | Ensure Vertex AI instances are private | Terraform |
| 994 | CKV_GCP_90 | resource | google_dataflow_job | Ensure data flow jobs are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform |
| 995 | CKV_GCP_91 | resource | google_dataproc_cluster | Ensure Dataproc cluster is encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform |
| 996 | CKV_GCP_92 | resource | google_vertex_ai_dataset | Ensure Vertex AI datasets uses a CMK (Customer Manager Key) | Terraform |
| 997 | CKV_GCP_93 | resource | google_spanner_database | Ensure Spanner Database is encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform |