terraform
Default ruleset for Terraform, curated by r2c.
Rules (56)

S3 bucket with public read-write access detected.

An EBS volume is configured without encryption enabled.

AWS EC2 Instance allowing use of the IMDSv1

Detected an AWS CloudFront Distribution with an insecure TLS version. TLS versions less than 1.2 are considered insecure because they can be broken. To fix this, set your `minimum_protocol_version` to `"TLS1.2_2018"`, `"TLS1.2_2019"` or `"TLS1.2_2021"`.

The AWS CloudWatch Log Group has no retention. Missing retention in log groups can cause important event information to be lost.

The AWS CodeBuild Project is unencrypted. An AWS KMS encryption key protects CodeBuild projects. To create your own, create an aws_kms_key resource or use the ARN string of a key in your account.

The AWS configuration aggregator does not aggregate all AWS Config regions. This may result in unmonitored configuration in regions that are thought to be unused. Configure the aggregator with all_regions for the source.

Database instance has no logging. Missing logs can cause important event information to be lost.

Auditing is not enabled for DocumentDB. To ensure that you are able to accurately audit the usage of your DocumentDB cluster, you should enable auditing and export logs to CloudWatch.

By default, AWS DynamoDB Table is encrypted using AWS-managed keys. However, for added security, it's recommended to configure your own AWS KMS encryption key to protect your data in the DynamoDB table. You can either create a new aws_kms_key resource or use the ARN of an existing key in your AWS account to do so.

Ensure EBS Snapshot is encrypted at rest using KMS CMKs. CMKs give you control over the encryption key in terms of access and rotation.

The AWS EBS is unencrypted. The AWS EBS encryption protects data in the EBS.

The AWS EBS volume is unencrypted. The volume, the disk I/O and any derived snapshots could be read if compromised. Volumes should be encrypted to ensure sensitive data is stored securely.

EC2 instances should not have a public IP address attached in order to block public access to the instances. To fix this, set your `associate_public_ip_address` to `"false"`.

The EC2 launch template has Instance Metadata Service Version 1 (IMDSv1) enabled. IMDSv2 introduced session authentication tokens which improve security when talking to IMDS. You should either disable IMDS or require the use of IMDSv2.

The ECR repository allows tag mutability. Image tags could be overwritten with compromised images. ECR images should be set to IMMUTABLE to prevent code injection through image mutation. This can be done by setting image_tag_mutability to IMMUTABLE.

Detected wildcard access granted in your ECR repository policy principal. This grants access to all users, including anonymous users (public access). Instead, limit principals, actions and resources to what you need according to least privilege.

Ensure EFS filesystem is encrypted at rest using KMS CMKs. CMKs give you control over the encryption key in terms of access and rotation.

Detected an AWS Elasticsearch domain using an insecure version of TLS. To fix this, set "tls_security_policy" equal to "Policy-Min-TLS-1-2-2019-07".

Ensure all Elasticsearch domains have node-to-node encryption enabled.

Detected wildcard access granted to Glacier Vault. This means anyone within your AWS account ID can perform actions on Glacier resources. Instead, limit to a specific identity in your account, like this: `arn:aws:iam::<account_id>:<identity>`.

Detected admin access granted in your policy. This means anyone with this policy can perform administrative actions. Instead, limit actions and resources to what you need according to least privilege.

Detected admin access granted in your policy. This means anyone with this policy can perform administrative actions. Instead, limit actions and resources to what you need according to least privilege.

Detected an AWS API Gateway using an insecure version of TLS. To fix this, set "security_policy" equal to "TLS_1_2".

Detected an AWS Redshift configuration with SSL disabled. To fix this, set your `require_ssl` to `"true"`.

Detected wildcard access granted in your KMS key. This means anyone with this policy can perform administrative actions over the keys. Instead, limit principals, actions and resources to what you need according to least privilege.

The AWS KMS key has no rotation. Missing rotation can allow a leaked key to keep being used by attackers. To fix this, enable `enable_key_rotation`.

A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).

A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).

The AWS RDS instance has no retention. Missing retention can cause important event information to be lost. To fix this, set a `backup_retention_period`.

Resources in the AWS subnet are assigned a public IP address. Resources should not be exposed on the public internet, but should have access limited to the consumers required for the function of your application. Set `map_public_ip_on_launch` to false so that resources are not publicly accessible.

Detected an AWS load balancer with an insecure TLS version. TLS versions less than 1.2 are considered insecure because they can be broken. To fix this, set your `ssl_policy` to `"ELBSecurityPolicy-FS-1-2-Res-2019-08"`, or include a default action to redirect to HTTPS.

Detected wildcard access granted to sts:AssumeRole. This means anyone with your AWS account ID and the name of the role can assume the role. Instead, limit to a specific identity in your account, like this: `arn:aws:iam::<account_id>:root`.

Enabling authentication ensures that all communications in the application are authenticated. The `auth_settings` block needs to be filled out with the appropriate auth backend settings.

Use the latest version of HTTP to ensure you are benefiting from security fixes. Add `http2_enabled = true` to your appservice resource block.

By default, clients can connect to App Service using either HTTP or HTTPS. HTTP should be disabled by enabling the HTTPS Only setting.

Detected an AppService that was not configured to use a client certificate. Add `client_cert_enabled = true` in your resource block.

Detected an AppService that was not configured to use TLS 1.2. Add `site_config.min_tls_version = "1.2"` in your resource block.

Ensure that App Service enables detailed error messages.

Ensure the web app redirects all HTTP traffic to HTTPS in the Azure App Service Slot.

Ensure the web app is using the latest version of TLS encryption.

Ensure that the expiration date is set on all keys.

Ensure MSSQL is using the latest version of TLS encryption.

Ensure that the MySQL server enables infrastructure encryption.

Ensure MySQL is using the latest version of TLS encryption.

Ensure that the expiration date is set on all keys.

Ensure that the expiration date is set on all secrets.

Key vault should have purge protection enabled.

Detected a Storage account that was not configured to deny actions by default. Add `enable_https_traffic_only = true` in your resource block.

Azure Storage currently supports three versions of the TLS protocol: 1.0, 1.1, and 1.2. Azure Storage uses TLS 1.2 on public HTTPS endpoints, but TLS 1.0 and TLS 1.1 are still supported for backward compatibility. This check will warn if the minimum TLS is not set to TLS1_2.

Ensure the bucket logs access.

Ensure that RSASHA1 is not used for the zone-signing and key-signing keys in Cloud DNS DNSSEC.

Ensure all Cloud SQL database instances require all incoming connections to use SSL.

Ensure that Cloud SQL database instances are not open to the world.

RDS instance or cluster with hard-coded credentials in source code. It is recommended to pass the credentials at runtime, or to generate random credentials using the random_password resource.

This rule has been deprecated, as all S3 buckets are now encrypted by default with no way to disable it. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration for more info.