#hcl
Rulesets (1)
Rules (357)
Ensure IAM policies don't allow credentials exposure. Credentials exposure actions return credentials as part of the API response, and can possibly lead to leaking important credentials. Instead, use another action that doesn't return sensitive data as part of the API response.
Ensure that IAM policies don't allow data exfiltration actions that are not resource-constrained. This can allow the user to read sensitive data they don't need to read. Instead, make sure that users granted these privileges are given them only on specific resources.
Ensure that actions that can result in privilege escalation are not used. These actions could potentially result in an attacker gaining full administrator access of an AWS account. Try not to use these actions.
Ensure that IAM policies with permissions on other users don't allow for privilege escalation. This can lead to an attacker gaining full administrator access of AWS accounts. Instead, specify which user the permission should be used on or do not use the listed actions. $RESOURCE
Ensure that groups of actions that include iam:PassRole and could result in privilege escalation are not all allowed for the same user. These actions could result in an attacker gaining full admin access of an AWS account. Try not to use these actions in conjunction.
Ensure IAM policies don't allow resource exposure. These actions can expose AWS resources to the public. For example `ecr:SetRepositoryPolicy` could let an attacker retrieve container images. Instead, use another action that doesn't expose AWS resources.
Ensure that no IAM policies allow "*" as a statement's actions. This allows all actions to be performed on the specified resources, and is a violation of the principle of least privilege. Instead, specify the actions that a certain user or policy is allowed to take.
The security group rule allows ingress from the public internet. Opening up ports to the public internet is potentially dangerous. You should restrict access to IP addresses or ranges that explicitly require it where possible. Set a more restrictive CIDR range.
Ensure that RSASHA1 is not used for the zone-signing and key-signing keys in Cloud DNS DNSSEC
Detected an AWS CloudFront Distribution with an insecure TLS version. TLS versions less than 1.2 are considered insecure because they can be broken. To fix this, set your `minimum_protocol_version` to `"TLSv1.2_2018"`, `"TLSv1.2_2019"` or `"TLSv1.2_2021"`.
Detected an AWS load balancer with an insecure TLS version. TLS versions less than 1.2 are considered insecure because they can be broken. To fix this, set your `ssl_policy` to `"ELBSecurityPolicy-TLS13-1-2-2021-06"`, or include a default action to redirect to HTTPS.
S3 bucket with public read-write access detected.
Ensure that Amazon ElastiCache clusters have automatic backup turned on. To fix this, set a `snapshot_retention_limit`.
The AWS QLDB ledger permissions are too permissive. Consider using the `"STANDARD"` permissions mode if possible.
The AWS RDS Cluster is not configured to use IAM authentication. Consider using IAM for authentication.
The AWS RDS is not configured to use IAM authentication. Consider using IAM for authentication.
The AWS RDS instance is not configured to use Multi-AZ. Consider using it if possible.
Amazon S3 bucket versioning is not enabled. Consider using versioning if you don't have an alternative backup mechanism.
The AWS S3 object lock is not enabled. Consider using it if possible.
Detected an AWS load balancer that is not configured to drop invalid HTTP headers. Add `drop_invalid_header_fields = true` in your resource block.
Found an AWS API Gateway Stage without the cache cluster enabled. Enabling the cache cluster feature enhances the responsiveness of your API. Add `cache_cluster_enabled = true` to your resource block.
There are missing tags for an AWS Auto Scaling group. Tags help track costs, allow for filtering for Auto Scaling groups, help with access control, and aid in organizing AWS resources. Add: `tag { key = "key" value = "value" propagate_at_launch = boolean }` See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/autoscaling_group for more details.
The AWS Autoscaling Group is not tagged.
The AWS cross zone load balancing is not enabled.
The AWS LoadBalancer deletion protection is not enabled.
The AWS QLDB deletion protection is not enabled.
The AWS CloudWatch Log group is missing a KMS key. While Log group data is always encrypted, you can optionally use a KMS key instead. Add `kms_key_id = "yourKey"` to your resource block.
The AWS CloudWatch Log group is missing log retention time. By default, logs are retained indefinitely. Add `retention_in_days = <integer>` to your resource block.
The `source_arn` field needs to end with an asterisk, like this: `<log-group-arn>:*`. Without this, the `aws_lambda_permission` resource '$NAME' will not be created. Add the asterisk to the end of the ARN.
When using the AWS Lambda "Image" package_type, `runtime` and `handler` are not necessary for Lambda to understand how to run the code. These are built into the container image. Including `runtime` or `handler` with an "Image" `package_type` will result in an error on `terraform apply`. Remove these redundant fields.
`terraform apply` will fail because the environment variable "$VARIABLE" is reserved by AWS. Use another name for "$VARIABLE".
The `aws_cloudwatch_log_subscription_filter` resource "$NAME" needs a `depends_on` clause on the `aws_lambda_permission`, otherwise Terraform may try to create these out-of-order and fail.
The Athena workgroup configuration can be overridden by client-side settings. The client can make changes to disable encryption settings. Enforce the configuration to prevent client overrides.
The Athena database is unencrypted at rest. These databases are generally derived from data in S3 buckets and should have the same level of at-rest protection. The AWS KMS encryption key protects database contents. To create your own, create an `aws_kms_key` resource or use the ARN string of a key in your account.
The AWS Athena Work Group is unencrypted. The AWS KMS encryption key protects query results in the work group. To create your own, create an `aws_kms_key` resource or use the ARN string of a key in your account.
The AWS Backup vault is unencrypted. The AWS KMS encryption key protects backups in the Backup vault. To create your own, create an `aws_kms_key` resource or use the ARN string of a key in your account.
Ensure CloudTrail logs are encrypted at rest using KMS CMKs. CMKs give you control over the encryption key in terms of access and rotation.
The AWS CloudWatch Log Group has no retention. Missing retention in log groups can cause important event information to be lost.
By default, AWS CloudWatch Log Group is encrypted using AWS-managed keys. However, for added security, it's recommended to configure your own AWS KMS encryption key to protect your log group in CloudWatch. You can either create a new aws_kms_key resource or use the ARN of an existing key in your AWS account to do so.
The CodeBuild project artifacts are unencrypted. All artifacts produced by your CodeBuild project pipeline should be encrypted to prevent them from being read if compromised.
The AWS CodeBuild Project Artifacts are unencrypted. The AWS KMS encryption key protects artifacts in the CodeBuild Projects. To create your own, create an `aws_kms_key` resource or use the ARN string of a key in your account.
The AWS CodeBuild Project is unencrypted. The AWS KMS encryption key protects projects in CodeBuild. To create your own, create an `aws_kms_key` resource or use the ARN string of a key in your account.
The AWS configuration aggregator does not aggregate all AWS Config regions. This may result in unmonitored configuration in regions that are thought to be unused. Configure the aggregator with `all_regions` for the source.
Database instance has no logging. Without logs, important event information may be missed.
Ensure DocDB is encrypted at rest using KMS CMKs. CMKs give you control over the encryption key in terms of access and rotation.
Auditing is not enabled for DocumentDB. To ensure that you are able to accurately audit the usage of your DocumentDB cluster, you should enable auditing and export logs to CloudWatch.
The AWS DocumentDB cluster is unencrypted. The data could be read if the underlying disks are compromised. You should enable storage encryption.
Point-in-time recovery is not enabled for the DynamoDB table. DynamoDB tables should be protected against accidental or malicious write/delete actions. By enabling point-in-time-recovery you can restore to a known point in the event of loss of data.
By default, AWS DynamoDB Table is encrypted using AWS-managed keys. However, for added security, it's recommended to configure your own AWS KMS encryption key to protect your data in the DynamoDB table. You can either create a new aws_kms_key resource or use the ARN of an existing key in your AWS account to do so.
Ensure EBS Snapshot is encrypted at rest using KMS CMKs. CMKs give you control over the encryption key in terms of access and rotation.
The AWS EBS volume is unencrypted. EBS encryption protects the data stored on the volume.
Ensure EBS Volume is encrypted at rest using KMS CMKs. CMKs give you control over the encryption key in terms of access and rotation.
The AWS EBS volume is unencrypted. The volume, the disk I/O and any derived snapshots could be read if compromised. Volumes should be encrypted to ensure sensitive data is stored securely.
EC2 instances should not have a public IP address attached in order to block public access to the instances. To fix this, set your `associate_public_ip_address` to `"false"`.
The AWS launch configuration EBS block device is unencrypted. The block device could be read if compromised. Block devices should be encrypted to ensure sensitive data is held securely at rest.
The AWS launch configuration root block device is unencrypted. The block device could be read if compromised. Block devices should be encrypted to ensure sensitive data is held securely at rest.
The EC2 launch template has Instance Metadata Service Version 1 (IMDSv1) enabled. IMDSv2 introduced session authentication tokens which improve security when talking to IMDS. You should either disable IMDS or require the use of IMDSv2.
The AWS security group rule is missing a description, or its description is empty or the default value. Security groups rules should include a meaningful description in order to simplify auditing, debugging, and managing security groups.
The ECR repository has image scans disabled. Repository image scans should be enabled to ensure vulnerable software can be discovered and remediated as soon as possible.
The ECR repository allows tag mutability. Image tags could be overwritten with compromised images. ECR images should be set to IMMUTABLE to prevent code injection through image mutation. This can be done by setting `image_tag_mutability` to IMMUTABLE.
Detected wildcard access granted in your ECR repository policy principal. This grants access to all users, including anonymous users (public access). Instead, limit principals, actions and resources to what you need according to least privilege.
Ensure EFS filesystem is encrypted at rest using KMS CMKs. CMKs give you control over the encryption key in terms of access and rotation.
Ensure all Elasticsearch domains have node-to-node encryption enabled.
ELB has no logging. Without logs, important event information may be missed.
Ensure EMR is encrypted at rest using KMS CMKs. CMKs give you control over the encryption key in terms of access and rotation.
Ensure FSX Lustre file system is encrypted at rest using KMS CMKs. CMKs give you control over the encryption key in terms of access and rotation.
Ensure FSX ONTAP file system is encrypted at rest using KMS CMKs. CMKs give you control over the encryption key in terms of access and rotation.
Ensure FSX Windows file system is encrypted at rest using KMS CMKs. CMKs give you control over the encryption key in terms of access and rotation.
Detected wildcard access granted to Glacier Vault. This means anyone within your AWS account ID can perform actions on Glacier resources. Instead, limit to a specific identity in your account, like this: `arn:aws:iam::<account_id>:<identity>`.
Detected admin access granted in your policy. This means anyone with this policy can perform administrative actions. Instead, limit actions and resources to what you need according to least privilege.
Ensure ImageBuilder component is encrypted at rest using KMS CMKs. CMKs give you control over the encryption key in terms of access and rotation.
Detected an AWS Redshift configuration with SSL disabled. To fix this, set your `require_ssl` to `"true"`.
Ensure Kinesis stream is encrypted at rest using KMS CMKs. CMKs give you control over the encryption key in terms of access and rotation.
The AWS Kinesis stream does not encrypt data at rest. The data could be read if the Kinesis stream storage layer is compromised. Enable Kinesis stream server-side encryption.
Ensure Kinesis video stream is encrypted at rest using KMS CMKs. CMKs give you control over the encryption key in terms of access and rotation.
Detected wildcard access granted in your KMS key. This means anyone with this policy can perform administrative actions over the keys. Instead, limit principals, actions and resources to what you need according to least privilege.
The AWS KMS key has no rotation enabled. Without rotation, a leaked key remains usable by attackers. To fix this, set `enable_key_rotation = true`.
A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).
By default, the AWS Lambda Environment is encrypted using AWS-managed keys. However, for added security, it's recommended to configure your own AWS KMS encryption key to protect your environment variables in Lambda. You can either create a new aws_kms_key resource or use the ARN of an existing key in your AWS account to do so.
The AWS Lambda permission has an AWS service principal but does not specify a source ARN. If you grant permission to a service principal without specifying the source, other accounts could potentially configure resources in their account to invoke your Lambda function. Set the `source_arn` value to the ARN of the AWS resource that invokes the function, e.g. an S3 bucket, CloudWatch Events Rule, API Gateway, or SNS topic.
The AWS Lambda function does not have active X-Ray tracing enabled. X-Ray tracing enables end-to-end debugging and analysis of all function activity. This makes it easier to trace the flow of logs and identify bottlenecks, slowdowns and timeouts.
Ingress and/or egress is allowed for all ports in the network ACL rule. Ensure access to specific required ports is allowed, and nothing else.
The network ACL rule allows ingress from the public internet. Opening up ACLs to the public internet is potentially dangerous. You should restrict access to IP addresses or ranges that explicitly require it where possible. Set a more restrictive CIDR range.
A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).
The AWS RDS instance has no backup retention. Missing retention can cause important data to be lost. To fix this, set `backup_retention_period`.
Ensure AWS Redshift cluster is encrypted at rest using KMS CMKs. CMKs give you control over the encryption key in terms of access and rotation.
Ensure S3 bucket object is encrypted at rest using KMS CMKs. CMKs give you control over the encryption key in terms of access and rotation.
Ensure S3 object copies are encrypted at rest using KMS CMKs. CMKs give you control over the encryption key in terms of access and rotation.
Ensure AWS Sagemaker domains are encrypted at rest using KMS CMKs. CMKs give you control over the encryption key in terms of access and rotation.
By default, AWS Secrets Manager secrets are encrypted using AWS-managed keys. However, for added security, it's recommended to configure your own AWS KMS encryption key to protect your secrets in Secrets Manager. You can either create a new `aws_kms_key` resource or use the ARN of an existing key in your AWS account to do so.
The AWS SNS topic is unencrypted. The SNS topic messages could be read if compromised. The AWS KMS encryption key protects topic contents. To create your own, create an `aws_kms_key` resource or use the ARN string of a key in your account.
Wildcard used in your SQS queue policy action. SQS queue policies should always grant least privilege - that is, only grant the permissions required to perform a specific task. Implementing least privilege is important to reducing security risks and reducing the effect of errors or malicious intent.
Wildcard used in your SQS queue policy principal. This grants access to all users, including anonymous users (public access). Unless you explicitly require anyone on the internet to be able to read or write to your queue, limit principals, actions and resources to what you need according to least privilege.
The AWS SQS queue contents are unencrypted. The data could be read if compromised. Enable server-side encryption for your queue using SQS-managed encryption keys (SSE-SQS), or using your own AWS KMS key (SSE-KMS).
The AWS SSM logs are unencrypted or disabled. Enable logging and use an AWS KMS encryption key to protect SSM logs. To create your own, create an `aws_kms_key` resource or use the ARN string of a key in your account.
Resources in the AWS subnet are assigned a public IP address. Resources should not be exposed on the public internet, but should have access limited to consumers required for the function of your application. Set `map_public_ip_on_launch` to false so that resources are not publicly-accessible.
Ensure Timestream database is encrypted at rest using KMS CMKs. CMKs give you control over the encryption key in terms of access and rotation.
Transfer Server endpoint type should not have public or null configured in order to block public access. To fix this, set your `endpoint_type` to `"VPC"`.
The AWS Workspace root volume is unencrypted. The AWS KMS encryption key protects the root volume. To create your own, create an `aws_kms_key` resource or use the ARN string of a key in your account.
The AWS Workspace user volume is unencrypted. The AWS KMS encryption key protects the user volume. To create your own, create an `aws_kms_key` resource or use the ARN string of a key in your account.
The AWS Athena Workgroup is unencrypted. Encryption protects query results in your workgroup. To enable, add: `encryption_configuration { encryption_option = "SSE_KMS" kms_key_arn = aws_kms_key.example.arn }` within `result_configuration { }` in your resource block, where `encryption_option` is your chosen encryption method and `kms_key_arn` is your KMS key ARN.
`$POLICY` is missing a `condition` block which scopes users of this policy to specific GitHub repositories. Without this, `$POLICY` is open to all users on GitHub. Add a `condition` block on the variable `token.actions.githubusercontent.com:sub` which scopes it to prevent this.
Detected wildcard access granted to sts:AssumeRole. This means anyone with your AWS account ID and the name of the role can assume the role. Instead, limit to a specific identity in your account, like this: `arn:aws:iam::<account_id>:root`.
Ensure that Active Directory is used for authentication for Service Fabric
Ensure that AKS uses Azure Policies Add-on
Ensure that Application Gateway enables WAF
Ensure that the .NET Framework version is the latest, if used as a part of the web app
Ensure FTP deployments are disabled
Ensure that HTTP Version is the latest if used to run the web app
Ensure that Java version is the latest, if used to run the web app
Ensure that PHP version is the latest, if used to run the web app
Ensure that Python version is the latest, if used to run the web app
Ensure that app services use Azure Files
Ensure that Azure Defender is set to On for App Service
Ensure that Azure Defender is set to On for Container
Ensure that Azure Defender is set to On for Key Vault
Ensure that Azure Defender is set to On for Kubernetes
Ensure that Azure Defender is set to On for Servers
Ensure that Azure Defender is set to On for SQL servers on machines
Ensure that Azure Defender is set to On for SQL servers
Ensure that Azure Defender is set to On for Storage
Ensure that Azure Front Door enables WAF
Ensure that Azure Front Door uses WAF configured in “Detection” or “Prevention” mode
Ensure that HTTP Version is the latest if used to run the Function app
Ensure that key vault allows firewall rule settings
Ensure that key vault enables purge protection
Ensure that key vault enables soft delete
Ensure the key vault is recoverable (https://docs.bridgecrew.io/docs/ensure-the-key-vault-is-recoverable)
Ensure that MariaDB server enables geo-redundant backups
Ensure Enforce SSL connection is set to Enabled for MariaDB servers
Ensure audit profile captures all the activities
Ensure that Activity Log Retention is set to 365 days or greater
Ensure that MySQL server enables geo-redundant backups
Ensure Enforce SSL connection is set to Enabled for MySQL servers
Ensure that MySQL server enables Threat detection policy
Ensure that Network Interfaces disable IP forwarding
Ensure that PostgreSQL Flexible server enables geo-redundant backups
Ensure that PostgreSQL server enables geo-redundant backups
Ensure server parameter connection_throttling is set to ON for PostgreSQL Database Server
Ensure server parameter log_checkpoints is set to ON for PostgreSQL Database Server
Ensure server parameter log_connections is set to ON for PostgreSQL Database Server
Ensure Enforce SSL connection is set to Enabled for PostgreSQL servers
Ensure that PostgreSQL server enables Threat detection policy
Ensure that key vault secrets have “content_type” set
Ensure that the expiration date is set on all secrets
Ensure that Send email notification for high severity alerts is set to On
Ensure that Security contact emails is set
Ensure that Security contact Phone number is set
Ensure that standard pricing tier is selected
Ensure that Send Alerts To is enabled for MSSQL servers
Ensure that Email service and co-administrators is Enabled for MSSQL servers
Ensure that Threat Detection types is set to All
Ensure that storage account enables secure transfer
Ensure that Azure Synapse workspaces enable managed virtual networks
Ensure that automatic OS image patching is enabled for Virtual Machine Scale Sets
Ensure that Application Gateway uses WAF in “Detection” or “Prevention” modes
Ensure AKS has an API Server Authorized IP Ranges enabled
Ensure that AKS enables private clusters
Ensure that AKS uses disk encryption set
Ensure that API management services use virtual networks
Registering the identity used by an App with AD allows it to interact with other services without using username and password. Set the `identity` block in your appservice.
Enabling authentication ensures that all communications in the application are authenticated. The `auth_settings` block needs to be filled out with the appropriate auth backend settings.
Use the latest version of HTTP to ensure you are benefiting from security fixes. Add `http2_enabled = true` to your appservice resource block.
By default, clients can connect to App Service by using both HTTP or HTTPS. HTTP should be disabled by enabling the HTTPS Only setting.
Detected an AppService that was not configured to use a client certificate. Add `client_cert_enabled = true` in your resource block.
Detected an AppService that was not configured to use TLS 1.2. Add `site_config.min_tls_version = "1.2"` in your resource block.
Ensure App Service Authentication is set on Azure App Service
Ensure the web app has Client Certificates
Ensure that App service enables detailed error messages
Ensure that CORS does not allow every resource to access app services
Ensure that App service enables failed request tracing
Ensure that App service enables HTTP logging
Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot
Ensure App Service Authentication is set on Azure App Service
Ensure that Managed identity provider is enabled for app services
Ensure web app is using the latest version of TLS encryption
Ensure that Automation account variables are encrypted
Ensure that Azure Batch account uses key vault to encrypt data
Ensure that Cognitive Services accounts disable public network access
Ensure that Azure Container group is deployed into virtual network
Ensure Cosmos DB accounts have restricted access
Ensure that Cosmos DB accounts have access key write capability disabled
Ensure that Azure Cosmos DB disables public network access
Ensure that Cosmos DB accounts have customer-managed keys to encrypt data at rest
Ensure that no custom subscription owner roles are created
Ensure that Azure Data Explorer uses double encryption
Ensure that Azure Data Explorer uses disk encryption
Ensure that Azure Data factory public network access is disabled
Ensure that Azure Data Factory uses Git repository for source control
Ensure that Data Lake Store accounts enable encryption
Ensure that Azure Event Grid Domain public network access is disabled
Ensure that CORS does not allow all resources to access the Function app
Ensure that function apps enable Authentication
Ensure Virtual Machine Extensions are not Installed
Ensure that Azure IoT Hub disables public network access
Ensure that key vault key is backed by HSM
Ensure that the expiration date is set on all keys
Ensure that managed disks use a specific set of disk encryption sets for the customer-managed key encryption
Ensure Azure managed disk has encryption enabled
Ensure public network access enabled is set to False for MariaDB servers
Ensure that Activity Log Retention is set to 365 days or greater
Ensure MSSQL is using the latest version of TLS encryption
Ensure that MySQL server enables infrastructure encryption
Ensure MySQL is using the latest version of TLS encryption
Ensure public network access enabled is set to False for MySQL servers
Ensure that Network Security Group Flow Log retention period is 90 days or greater
Ensure that PostgreSQL server enables infrastructure encryption
Ensure PostgreSQL is using the latest version of TLS encryption
Ensure public network access enabled is set to False for PostgreSQL servers
Ensure that only SSL connections are enabled for Cache for Redis
Ensure that Azure Cache for Redis disables public network access
Ensure that remote debugging is not enabled for app services
Ensure that Virtual machine does not enable password authentication
Ensure that Azure Cognitive Search disables public network access
Ensure that Service Fabric uses the three levels of protection available
Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)
Ensure that SQL server disables public network access
Ensure default network access rule for Storage Accounts is set to deny
Ensure Storage Account is using the latest version of TLS encryption
Ensure that Public access level is set to Private for blob containers
Ensure that Azure File Sync disables public network access
Ensure that Virtual machine scale sets have encryption at host enabled
Enabling authentication ensures that all communications in the application are authenticated. The `auth_settings` block needs to be filled out with the appropriate auth backend settings.
Use the latest version of HTTP to ensure you are benefiting from security fixes. Add `http2_enabled = true` to your function app resource block.
Key vault Secret should have a content type set
Ensure that the expiration date is set on all keys
Ensure that the expiration date is set on all secrets
Key vault should have purge protection enabled
Network ACLs allow you to reduce your exposure to risk by limiting what can access your key vault. The default action of the Network ACL should be set to deny for when IPs are not matched. Azure services can be allowed to bypass.
Some Microsoft services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules.
Detected a Storage account that was not configured to deny access by default. Add `default_action = "Deny"` in your resource block.
Detected a Storage account that was not configured to allow HTTPS traffic only. Add `enable_https_traffic_only = true` in your resource block.
Storage Analytics logs detailed information about successful and failed requests to a storage service. This information can be used to monitor individual requests and to diagnose issues with a storage service. Requests are logged on a best-effort basis.
Azure Storage currently supports three versions of the TLS protocol: 1.0, 1.1, and 1.2. Azure Storage uses TLS 1.2 on public HTTPS endpoints, but TLS 1.0 and TLS 1.1 are still supported for backward compatibility. This check will warn if the minimum TLS is not set to TLS1_2.
Ensure Compute instances are launched with Shielded VM enabled
Ensure Kubernetes Cluster is created with Alias IP ranges enabled
Ensure use of Binary Authorization
Ensure Shielded GKE Nodes are Enabled
Ensure Kubernetes Clusters are configured with Labels
Ensure the GKE Metadata Server is Enabled
Ensure 'Automatic node repair' is enabled for Kubernetes Clusters
Ensure 'Automatic node upgrade' is enabled for Kubernetes Clusters
Ensure Secure Boot for Shielded GKE Nodes is Enabled
Ensure all Cloud SQL database instances have backup configuration enabled
Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image
Ensure that Private Google Access is enabled for IPv6
Ensure MySQL database 'local_infile' flag is set to 'off'
Ensure PostgreSQL database 'log_checkpoints' flag is set to 'on'
Ensure PostgreSQL database 'log_connections' flag is set to 'on'
Ensure PostgreSQL database 'log_disconnections' flag is set to 'on'
Ensure PostgreSQL database 'log_lock_waits' flag is set to 'on'
Ensure PostgreSQL database 'log_min_duration_statement' flag is set to '-1'
Ensure PostgreSQL database 'log_min_messages' flag is set to a valid value
Ensure PostgreSQL database 'log_temp_files' flag is set to '0'
Ensure Cloud storage has versioning enabled
Ensure Artifact Registry Repositories are encrypted with Customer Supplied Encryption Keys (CSEK)
Ensure that Artifact Registry repositories are not anonymously or publicly accessible
Ensure that BigQuery datasets are not anonymously or publicly accessible
Ensure that BigQuery Tables are not anonymously or publicly accessible
Ensure BigQuery Tables are encrypted with Customer Supplied Encryption Keys (CSEK)
Ensure Bigtable Instances are encrypted with Customer Supplied Encryption Keys (CSEK)
Ensure Cloud build workers are private
Ensure Cloud Storage buckets have access logging enabled
Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK)
Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK)
Ensure Google compute firewall ingress does not allow unrestricted FTP access
Ensure Google compute firewall ingress does not allow unrestricted FTP access
Ensure Google compute firewall ingress does not allow unrestricted SSH access
Ensure Google compute firewall ingress does not allow unrestricted MySQL access
Ensure Google compute firewall ingress does not allow unrestricted RDP access
Ensure Google compute firewall ingress does not allow unrestricted HTTP access
Ensure that IP forwarding is not enabled on Instances. This lets the instance act as a traffic router and receive traffic not intended for it, which may route traffic through unintended paths.
Ensure that no instance in the project overrides the project setting for enabling OSLogin (OSLogin needs to be enabled in project metadata for all instances)
Ensure oslogin is enabled for a Project
Ensure that Compute instances do not have public IP addresses
Ensure 'Enable connecting to serial ports' is not enabled for VM Instance
Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites
Ensure that IP forwarding is not enabled on Instances. This lets the instance act as a traffic router and receive traffic not intended for it, which may route traffic through unintended paths.
Ensure that Compute instances do not have public IP addresses
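The Compute Engine checks above (firewall ingress, IP forwarding, OS Login, public IPs, serial ports, Shielded VM, CSEK disks, Private Google Access and VPC Flow Logs on subnets, and no default network) in one Terraform configuration, added here as an example rather than taken from the ruleset. The project, network, subnet, service account, `var.csek_key` and the corporate tag names are assumptions; the IAP TCP-forwarding range 35.235.240.0/20 is Google's published range.

```hcl
# No auto-created "default" network with its permissive default firewall rules.
resource "google_project" "app" {
  name                = "app-prod"        # assumed
  project_id          = "app-prod-123456" # assumed
  auto_create_network = false
}

resource "google_compute_network" "vpc" {
  name                    = "app-vpc"
  auto_create_subnetworks = false
}

resource "google_compute_subnetwork" "private" {
  name                     = "app-private"
  region                   = "us-central1"
  network                  = google_compute_network.vpc.id
  ip_cidr_range            = "10.10.0.0/24"
  private_ip_google_access = true # reach Google APIs without an external IP
  log_config {                    # VPC Flow Logs for this subnet
    aggregation_interval = "INTERVAL_5_SEC"
    flow_sampling        = 0.5
    metadata             = "INCLUDE_ALL_METADATA"
  }
}

# Flagged: SSH open to the whole internet.
resource "google_compute_firewall" "flagged_ssh" {
  name          = "allow-ssh-anywhere"
  network       = google_compute_network.vpc.name
  direction     = "INGRESS"
  source_ranges = ["0.0.0.0/0"]
  allow {
    protocol = "tcp"
    ports    = ["22"]
  }
}

# Passing: SSH only from Identity-Aware Proxy, only to tagged instances.
resource "google_compute_firewall" "iap_ssh" {
  name          = "allow-ssh-from-iap"
  network       = google_compute_network.vpc.name
  direction     = "INGRESS"
  source_ranges = ["35.235.240.0/20"]
  target_tags   = ["ssh"]
  allow {
    protocol = "tcp"
    ports    = ["22"]
  }
}

# OS Login at project level; instances must not override it.
resource "google_compute_project_metadata_item" "oslogin" {
  key   = "enable-oslogin"
  value = "TRUE"
}

resource "google_compute_instance" "app" {
  name           = "app-1"
  machine_type   = "e2-medium"
  zone           = "us-central1-a"
  tags           = ["ssh"]
  can_ip_forward = false # the instance is not a router

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-12" # a Shielded VM capable image
    }
    disk_encryption_key_raw = var.csek_key # assumed: customer-supplied key, base64
  }

  network_interface {
    subnetwork = google_compute_subnetwork.private.id
    # no access_config block, so no external IP is allocated
  }

  shielded_instance_config {
    enable_secure_boot          = true
    enable_vtpm                 = true
    enable_integrity_monitoring = true
  }

  metadata = {
    serial-port-enable = "false"
    # enable-oslogin deliberately absent: the project-level value applies
  }

  service_account {
    email  = google_service_account.app.email # assumed dedicated account, not the default compute SA
    scopes = ["https://www.googleapis.com/auth/cloud-platform"]
  }
}
```

The firewall rule scanner only sees `source_ranges`; narrowing to the IAP range plus a `target_tags` selector is what turns the flagged rule into a passing one, and the missing `access_config` block is what satisfies the public-IP check (an empty `access_config {}` would still allocate an ephemeral external address).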
Ensure Dataflow jobs are encrypted with Customer Supplied Encryption Keys (CSEK)
Ensure Dataflow jobs are private
Ensure Data Fusion instances are private
Ensure Data Fusion has Stackdriver logging enabled
Ensure Data Fusion has Stackdriver monitoring enabled
Ensure Dataproc cluster is encrypted with Customer Supplied Encryption Keys (CSEK)
Ensure Dataproc Clusters do not have public IPs
Ensure that Dataproc clusters are not anonymously or publicly accessible
Ensure that Dataproc clusters are not anonymously or publicly accessible
Ensure that RSASHA1 is not used for the zone-signing and key-signing keys in Cloud DNS DNSSEC
Ensure no roles that allow impersonating and managing all service accounts are granted at the folder level
Ensure no roles that allow impersonating and managing all service accounts are granted at the folder level
Ensure Default Service account is not used at a folder level
Ensure Default Service account is not used at a folder level
Ensure GKE basic auth is disabled
Ensure client certificate authentication to Kubernetes Engine Clusters is disabled
Ensure logging is set to Enabled on Kubernetes Engine Clusters
Enable VPC Flow Logs and Intranode Visibility
Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled
Manage Kubernetes RBAC users with Google Groups for GKE
Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters
Ensure legacy Compute Engine instance metadata APIs are Disabled
Ensure master authorized networks are enabled on GKE clusters
Ensure monitoring is set to Enabled on Kubernetes Engine Clusters
Ensure Network Policy is enabled on Kubernetes Engine Clusters
Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled
Ensure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters
Ensure Kubernetes Cluster is created with Private cluster enabled
Ensure GKE Control Plane is not public
Ensure Secure Boot for Shielded GKE Nodes is Enabled
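The GKE checks listed above and earlier on this page (alias IP ranges, Shielded GKE Nodes with Secure Boot and integrity monitoring, Binary Authorization, labels, GKE metadata server, auto repair and upgrade, COS node image, no basic or client-certificate auth, logging and monitoring, intranode visibility, Google Groups for RBAC, legacy authorization and legacy metadata APIs off, authorized networks, network policy, private nodes and a private control plane) expressed as one Terraform cluster, added here as an example and not taken from the ruleset. The project, network, subnet, `var.project_id`, the Google Group address and the 10.0.0.0/8 corporate range are assumptions. PodSecurityPolicy is omitted because GKE removed it with Kubernetes 1.25.

```hcl
# A dedicated node identity instead of the project's default compute service account.
resource "google_service_account" "gke_nodes" {
  account_id   = "gke-nodes"
  display_name = "GKE node service account"
}

resource "google_container_cluster" "hardened" {
  name       = "hardened"
  location   = "us-central1"
  network    = google_compute_network.vpc.id          # assumed
  subnetwork = google_compute_subnetwork.private.id   # assumed

  remove_default_node_pool = true
  initial_node_count       = 1

  networking_mode = "VPC_NATIVE"
  ip_allocation_policy {} # alias IP ranges for pods and services

  enable_shielded_nodes       = true
  enable_legacy_abac          = false # legacy authorization off
  enable_intranode_visibility = true  # pod-to-pod flows on one node reach VPC Flow Logs

  master_auth {
    client_certificate_config {
      issue_client_certificate = false # no client certs; leave username/password unset on old providers
    }
  }

  private_cluster_config {
    enable_private_nodes    = true
    enable_private_endpoint = true # control plane has no public address
    master_ipv4_cidr_block  = "172.16.0.0/28"
  }

  master_authorized_networks_config {
    cidr_blocks {
      cidr_block   = "10.0.0.0/8" # assumed corporate range
      display_name = "corp"
    }
  }

  network_policy {
    enabled = true
  }
  addons_config {
    network_policy_config {
      disabled = false
    }
  }

  binary_authorization {
    evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE"
  }

  workload_identity_config {
    workload_pool = "${var.project_id}.svc.id.goog" # required for GKE_METADATA on nodes
  }

  authenticator_groups_config {
    security_group = "gke-security-groups@example.com" # assumed Google Group
  }

  logging_service    = "logging.googleapis.com/kubernetes"
  monitoring_service = "monitoring.googleapis.com/kubernetes"

  resource_labels = {
    env  = "prod"
    team = "platform"
  }
}

resource "google_container_node_pool" "primary" {
  name       = "primary"
  cluster    = google_container_cluster.hardened.id
  node_count = 3

  management {
    auto_repair  = true
    auto_upgrade = true
  }

  node_config {
    image_type      = "COS_CONTAINERD" # Container-Optimized OS
    service_account = google_service_account.gke_nodes.email
    oauth_scopes    = ["https://www.googleapis.com/auth/cloud-platform"]

    shielded_instance_config {
      enable_secure_boot          = true
      enable_integrity_monitoring = true
    }
    workload_metadata_config {
      mode = "GKE_METADATA" # GKE metadata server instead of exposing the node's metadata
    }
    metadata = {
      disable-legacy-endpoints = "true" # v0.1 and v1beta1 metadata APIs off
    }
  }
}
```

`enable_private_endpoint = true` is what satisfies "control plane is not public"; with it set, the authorized-networks list can only contain private ranges reachable from the VPC, which is why the example uses an RFC 1918 block rather than an office egress address.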
Ensure KMS keys are protected from deletion
Ensure Memorystore for Redis has AUTH enabled
Ensure Memorystore for Redis uses in-transit encryption
Ensure no roles that allow impersonating and managing all service accounts are granted at the organization level
Ensure no roles that allow impersonating and managing all service accounts are granted at the organization level
Ensure default service account is not used at an organization level
Ensure default service account is not used at an organization level
Ensure that the default network does not exist in a project. Set auto_create_network to `false`.
Ensure Default Service account is not used at a project level
Ensure Default Service account is not used at a project level
Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level
Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level
Ensure PubSub Topics are encrypted with Customer Supplied Encryption Keys (CSEK)
Ensure that Pub/Sub Topics are not anonymously or publicly accessible
Ensure that Pub/Sub Topics are not anonymously or publicly accessible
Ensure that GCP Cloud Run services are not anonymously or publicly accessible
Ensure that GCP Cloud Run services are not anonymously or publicly accessible
Ensure Spanner Database is encrypted with Customer Supplied Encryption Keys (CSEK)
Ensure all Cloud SQL database instances require all incoming connections to use SSL
Ensure that Cloud SQL database Instances are not open to the world
Ensure Cloud SQL database does not have public IP
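The Cloud SQL checks (backups, the PostgreSQL logging flags and the MySQL `local_infile` flag listed earlier on this page, SSL required, no public IP, not open to the world) in one Terraform configuration, added as an example that is not part of the ruleset. Instance names, the VPC reference and the `log_min_messages` value of `warning` are assumptions; the flags are driven from a map so that adding or auditing one is a single line.

```hcl
locals {
  # Every value the PostgreSQL flag checks expect, keyed by flag name.
  pg_flags = {
    log_checkpoints            = "on"
    log_connections            = "on"
    log_disconnections         = "on"
    log_lock_waits             = "on"
    log_min_duration_statement = "-1"      # do not log statement text by duration
    log_min_messages           = "warning" # assumed; any valid level passes the check
    log_temp_files             = "0"       # log every temporary file
  }
}

resource "google_sql_database_instance" "pg" {
  name                = "pg-prod-1" # assumed
  database_version    = "POSTGRES_15"
  region              = "us-central1"
  deletion_protection = true

  settings {
    tier = "db-custom-2-7680"

    backup_configuration {
      enabled                        = true
      point_in_time_recovery_enabled = true
    }

    ip_configuration {
      ipv4_enabled    = false                         # no public IP
      private_network = google_compute_network.vpc.id # assumed private services access
      require_ssl     = true                          # google provider 4.x; 5.x uses ssl_mode = "ENCRYPTED_ONLY"
      # No authorized_networks block: 0.0.0.0/0 here is what "open to the world" means.
    }

    dynamic "database_flags" {
      for_each = local.pg_flags
      content {
        name  = database_flags.key
        value = database_flags.value
      }
    }
  }
}

resource "google_sql_database_instance" "mysql" {
  name                = "mysql-prod-1" # assumed
  database_version    = "MYSQL_8_0"
  region              = "us-central1"
  deletion_protection = true

  settings {
    tier = "db-custom-2-7680"

    backup_configuration {
      enabled            = true
      binary_log_enabled = true
    }

    ip_configuration {
      ipv4_enabled    = false
      private_network = google_compute_network.vpc.id
      require_ssl     = true
    }

    # Flagged as-is would be value = "on": LOAD DATA LOCAL lets the server pull
    # arbitrary files from a connecting client.
    database_flags {
      name  = "local_infile"
      value = "off"
    }
  }
}
```

The "open to the world" check triggers on an `authorized_networks` entry of `0.0.0.0/0`, so the private-IP configuration passes trivially; if an authorized network is needed, list the specific CIDR rather than widening it.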
Ensure that Container Registry repositories are not anonymously or publicly accessible
Ensure that Container Registry repositories are not anonymously or publicly accessible
Ensure that Cloud Storage buckets have uniform bucket-level access enabled
Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network
Ensure that private_ip_google_access is enabled for Subnet
Ensure Vertex AI datasets use a CMK (Customer Managed Key)
Ensure Vertex AI Metadata Store uses a CMK (Customer Managed Key)
Ensure Vertex AI instances are private
AWS EC2 instance allows use of IMDSv1 (metadata_options.http_tokens is not set to "required")
The ECR Repository isn't configured to scan images on push
Missing EKS control plane logging. It is recommended to enable at least Kubernetes API server component logs ("api") and audit logs ("audit") of the EKS control plane through the enabled_cluster_log_types attribute.
The vpc_config resource inside the eks cluster has not explicitly disabled public endpoint access
Encryption at rest is not enabled for the Elasticsearch domain resource
IAM policies that allow full "*-*" admin privileges violate the principle of least privilege. This allows an attacker to take full control over all AWS account resources. Instead, give each user more fine-grained control with only the privileges they need. $TYPE
RDS instance or cluster with hardcoded credentials in source code. It is recommended to pass the credentials at runtime, or generate random credentials using the random_password resource.
RDS instance accessible from the Internet detected.
CORS rule on bucket permits any origin
S3 bucket with public read access detected.
This rule has been deprecated, as all S3 buckets are encrypted by default with no way to disable it. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration for more info.
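The AWS checks above (IMDSv1, ECR scan on push, EKS control plane logging and public endpoint, Elasticsearch encryption at rest, hardcoded RDS credentials, internet-reachable RDS, permissive S3 CORS and public S3 access) in one Terraform configuration, added as an example that is not part of the ruleset. The AMI data source, IAM role, subnet variable, bucket and domain names and the allowed origin are assumptions; `aws_elasticsearch_domain` is used because that is the resource the rule names, although newer provider versions prefer `aws_opensearch_domain`.

```hcl
resource "aws_instance" "app" {
  ami           = data.aws_ami.al2023.id # assumed data source
  instance_type = "t3.micro"

  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required" # IMDSv2 only; "optional" (the default) is what gets flagged
    http_put_response_hop_limit = 1          # a container one hop away cannot reach IMDS
  }
}

resource "aws_ecr_repository" "app" {
  name                 = "app"
  image_tag_mutability = "IMMUTABLE"
  image_scanning_configuration {
    scan_on_push = true
  }
}

resource "aws_eks_cluster" "main" {
  name                      = "main"
  role_arn                  = aws_iam_role.eks.arn # assumed
  enabled_cluster_log_types = ["api", "audit", "authenticator"]

  vpc_config {
    subnet_ids              = var.private_subnet_ids # assumed
    endpoint_private_access = true
    endpoint_public_access  = false # must be set explicitly; the default is true
  }
}

resource "aws_elasticsearch_domain" "logs" {
  domain_name           = "logs"
  elasticsearch_version = "7.10"
  encrypt_at_rest {
    enabled = true
  }
  node_to_node_encryption {
    enabled = true
  }
}

# Credentials generated at apply time and kept in state, never in source.
resource "random_password" "db" {
  length  = 32
  special = false
}

resource "aws_db_instance" "app" {
  identifier          = "app-db"
  engine              = "postgres"
  instance_class      = "db.t3.micro"
  allocated_storage   = 20
  username            = "app"
  password            = random_password.db.result # a literal string here is the flagged pattern
  publicly_accessible = false
  skip_final_snapshot = false
}

resource "aws_s3_bucket" "data" {
  bucket = "example-app-data" # assumed
}

resource "aws_s3_bucket_public_access_block" "data" {
  bucket                  = aws_s3_bucket.data.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_s3_bucket_cors_configuration" "data" {
  bucket = aws_s3_bucket.data.id
  cors_rule {
    allowed_methods = ["GET"]
    allowed_origins = ["https://app.example.com"] # not "*"
    allowed_headers = ["Authorization"]
    max_age_seconds = 3600
  }
}
```

Two of these checks are about absence rather than a wrong value: the EKS rule fires when `endpoint_public_access` is not written at all, and the IMDS rule fires when `metadata_options` is missing, because in both cases the provider default is the insecure one.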