#hcl
Rulesets (1)
Rules (347)
returntocorpEnsure FSX Lustre file system is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.
returntocorpThe AWS QLDB ledger permissions are too permissive. Consider using "'STANDARD'" permissions mode if possible.
returntocorpThe AWS RDS Cluster is not configured to use IAM authentication. Consider using IAM for authentication.
returntocorpThe AWS RDS is not configured to use IAM authentication. Consider using IAM for authentication.
returntocorpThe AWS RDS is not configured to use multi-az. Consider using it if possible.
returntocorpEnsure that Amazon S3 bucket versioning is not enabled. Consider using versioning if you don't have alternative backup mechanism.
returntocorpThe AWS Autoscaling Group is not tagged.
returntocorpThe AWS cross zone load balancing is not enabled.
returntocorpThe AWS LoadBalancer deletion protection is not enabled.
returntocorpThe AWS QLDB deletion protection is not enabled.
returntocorpThe AWS CloudWatch Log group is missing a KMS key. While Log group data is always encrypted, you can optionally use a KMS key instead. Add `kms_key_id = "yourKey"` to your resource block.
returntocorpThe AWS Backup vault is unencrypted. The AWS KMS encryption key protects backups in the Backup vault. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account.
returntocorpDetected an AWS CloudFront Distribution with an insecure TLS version. TLS versions less than 1.2 are considered insecure because they can be broken. To fix this, set your `minimum_protocol_version` to `"TLS1.2_2018", "TLS1.2_2019" or "TLS1.2_2021"`.
returntocorpEnsure CloudTrail logs are encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.
returntocorpThe AWS CloudWatch Log Group has no retention. Missing retention in log groups can cause losing important event information.
returntocorpBy default, AWS CloudWatch Log Group is encrypted using AWS-managed keys. However, for added security, it's recommended to configure your own AWS KMS encryption key to protect your log group in CloudWatch. You can either create a new aws_kms_key resource or use the ARN of an existing key in your AWS account to do so.
returntocorpEnsure DocDB is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.
returntocorpAuditing is not enabled for DocumentDB. To ensure that you are able to accurately audit the usage of your DocumentDB cluster, you should enable auditing and export logs to CloudWatch.
returntocorpThe AWS DocumentDB cluster is unencrypted. The data could be read if the underlying disks are compromised. You should enable storage encryption.
returntocorpPoint-in-time recovery is not enabled for the DynamoDB table. DynamoDB tables should be protected against accidental or malicious write/delete actions. By enabling point-in-time-recovery you can restore to a known point in the event of loss of data.
returntocorpThe AWS SSM logs are unencrypted or disabled. Please enable logs and use AWS KMS encryption key to protect SSM logs. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account.
returntocorpBy default, AWS DynamoDB Table is encrypted using AWS-managed keys. However, for added security, it's recommended to configure your own AWS KMS encryption key to protect your data in the DynamoDB table. You can either create a new aws_kms_key resource or use the ARN of an existing key in your AWS account to do so.
returntocorpEnsure EBS Snapshot is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.
returntocorpThe AWS EBS is unencrypted. The AWS EBS encryption protects data in the EBS.
returntocorpEnsure EBS Volume is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.
returntocorpThe AWS EBS volume is unencrypted. The volume, the disk I/O and any derived snapshots could be read if compromised. Volumes should be encrypted to ensure sensitive data is stored securely.
returntocorpEC2 instances should not have a public IP address attached in order to block public access to the instances. To fix this, set your `associate_public_ip_address` to `"false"`.
returntocorpThe AWS launch configuration EBS block device is unencrypted. The block device could be read if compromised. Block devices should be encrypted to ensure sensitive data is held securely at rest.
returntocorpThe AWS launch configuration root block device is unencrypted. The block device could be read if compromised. Block devices should be encrypted to ensure sensitive data is held securely at rest.
returntocorpThe EC2 launch template has Instance Metadata Service Version 1 (IMDSv1) enabled. IMDSv2 introduced session authentication tokens which improve security when talking to IMDS. You should either disable IMDS or require the use of IMDSv2.
returntocorpThe AWS security group rule is missing a description, or its description is empty or the default value. Security groups rules should include a meaningful description in order to simplify auditing, debugging, and managing security groups.
returntocorpThe ECR repository has image scans disabled. Repository image scans should be enabled to ensure vulnerable software can be discovered and remediated as soon as possible.
returntocorpThe ECR repository allows tag mutability. Image tags could be overwritten with compromised images. ECR images should be set to IMMUTABLE to prevent code injection through image mutation. This can be done by setting image_tab_mutability to IMMUTABLE.
returntocorpDetected wildcard access granted in your ECR repository policy principal. This grants access to all users, including anonymous users (public access). Instead, limit principals, actions and resources to what you need according to least privilege.
returntocorpEnsure EFS filesystem is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.
returntocorpThis rule has been deprecated.
returntocorpEnsure all Elasticsearch has node-to-node encryption enabled.
returntocorpEnsure ImageBuilder component is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.
returntocorpELB has no logging. Missing logs can cause missing important event information.
returntocorpEnsure EMR is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.
returntocorpEnsure FSX Lustre file system is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.
returntocorpEnsure FSX ONTAP file system is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.
returntocorpEnsure FSX Windows file system is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.
returntocorpDetected wildcard access granted to Glacier Vault. This means anyone within your AWS account ID can perform actions on Glacier resources. Instead, limit to a specific identity in your account, like this: `arn:aws:iam::<account_id>:<identity>`.
returntocorpDetected admin access granted in your policy. This means anyone with this policy can perform administrative actions. Instead, limit actions and resources to what you need according to least privilege.
returntocorpDetected admin access granted in your policy. This means anyone with this policy can perform administrative actions. Instead, limit actions and resources to what you need according to least privilege.
returntocorpDetected an AWS Redshift configuration with a SSL disabled. To fix this, set your `require_ssl` to `"true"`.
returntocorpEnsure Kinesis stream is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.
returntocorpEnsure Kinesis video stream is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.
returntocorpDetected wildcard access granted in your KMS key. This means anyone with this policy can perform administrative actions over the keys. Instead, limit principals, actions and resources to what you need according to least privilege.
returntocorpThe AWS KMS has no rotation. Missing rotation can cause leaked key to be used by attackers. To fix this, set a `enable_key_rotation`.
returntocorpA hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).
returntocorpBy default, the AWS Lambda Environment is encrypted using AWS-managed keys. However, for added security, it's recommended to configure your own AWS KMS encryption key to protect your environment variables in Lambda. You can either create a new aws_kms_key resource or use the ARN of an existing key in your AWS account to do so.
returntocorpEnsure S3 bucket object is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.
returntocorpIngress and/or egress is allowed for all ports in the network ACL rule. Ensure access to specific required ports is allowed, and nothing else.
returntocorpA hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).
returntocorpThe AWS RDS has no retention. Missing retention can cause losing important event information. To fix this, set a `backup_retention_period`.
returntocorpEnsure AWS Redshift cluster is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.
returntocorpEnsure S3 object copies are encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.
returntocorpEnsure AWS Sagemaker domains are encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.
returntocorpBy default, AWS SecretManager secrets are encrypted using AWS-managed keys. However, for added security, it's recommended to configure your own AWS KMS encryption key to protect your secrets in the Secret Manager. You can either create a new aws_kms_key resource or use the ARN of an existing key in your AWS account to do so.
returntocorpThe AWS SNS topic is unencrypted. The SNS topic messages could be read if compromised. The AWS KMS encryption key protects topic contents. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account.
returntocorpResources in the AWS subnet are assigned a public IP address. Resources should not be exposed on the public internet, but should have access limited to consumers required for the function of your application. Set `map_public_ip_on_launch` to false so that resources are not publicly-accessible.
returntocorpEnsure Timestream database is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.
returntocorpTransfer Server endpoint type should not have public or null configured in order to block public access. To fix this, set your `endpoint_type` to `"VPC"`.
returntocorpThe AWS Workspace root volume is unencrypted. The AWS KMS encryption key protects root volume. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account.
returntocorpEnsure that app services use Azure Files
returntocorpThe AWS Workspace user volume is unencrypted. The AWS KMS encryption key protects user volume. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account.
returntocorpDetected an AWS load balancer with an insecure TLS version. TLS versions less than 1.2 are considered insecure because they can be broken. To fix this, set your `ssl_policy` to `"ELBSecurityPolicy-FS-1-2-Res-2019-08"`, or include a default action to redirect to HTTPS.
returntocorpThe AWS Athena Workgroup is unencrypted. Encryption protects query results in your workgroup. To enable, add: `encryption_configuration { encryption_option = "SSE_KMS" kms_key_arn = aws_kms_key.example.arn }` within `result_configuration { }` in your resource block, where `encryption_option` is your chosen encryption method and `kms_key_arn` is your KMS key ARN.
returntocorpDetected wildcard access granted to sts:AssumeRole. This means anyone with your AWS account ID and the name of the role can assume the role. Instead, limit to a specific identity in your account, like this: `arn:aws:iam::<account_id>:root`.
returntocorpEnsure that Azure Defender is set to On for App Service
returntocorpEnsures that Active Directory is used for authentication for Service Fabric
returntocorpEnsure that AKS uses Azure Policies Add-on
returntocorpEnsure that Application Gateway enables WAF
returntocorpEnsure that Net Framework version is the latest, if used as a part of the web app
returntocorpEnsure FTP deployments are disabled
returntocorpEnsure that HTTP Version is the latest if used to run the web app
returntocorpEnsure that Java version is the latest, if used to run the web app
returntocorpEnsure that PHP version is the latest, if used to run the web app
returntocorpEnsure that Python version is the latest, if used to run the web app
returntocorpEnsure that Azure Defender is set to On for Container
returntocorpEnsure that Azure Defender is set to On for Key Vault
returntocorpEnsure that Azure Defender is set to On for Kubernetes
returntocorpEnsure that Azure Defender is set to On for Servers
returntocorpEnsure that Azure Defender is set to On for SQL servers on machines
returntocorpEnsure that Azure Defender is set to On for SQL servers
returntocorpEnsure that Azure Defender is set to On for Storage
returntocorpEnsure that Azure Front Door enables WAF
returntocorpEnsure that Azure Front Door uses WAF and configured in “Detection” or “Prevention” modes
returntocorpEnsure that HTTP Version is the latest if used to run the Function app
returntocorpEnsure that HTTP Version is the latest if used to run the Function app
returntocorpEnsure that key vault allows firewall rules settings
returntocorpEnsure that key vault enables purge protection
returntocorpEnsure that key vault enables soft delete
returntocorpEnsure the key vault is recoverable https://docs.bridgecrew.io/docs/ensure-the-key-vault-is-recoverable
returntocorpEnsure that MariaDB server enables geo-redundant backups
returntocorpEnsure Enforce SSL connection is set to Enabled for MariaDB servers
returntocorpEnsure audit profile captures all the activities
returntocorpEnsure that Activity Log Retention is set 365 days or greater
returntocorpEnsure that MySQL server enables geo-redundant backups
returntocorpEnsure Enforce SSL connection is set to Enabled for MySQL servers
returntocorpEnsure that MySQL server enables Threat detection policy
returntocorpEnsure that Network Interfaces disable IP forwarding
returntocorpEnsure that PostgreSQL Flexible server enables geo-redundant backups
returntocorpEnsure that PostgreSQL server enables geo-redundant backups
returntocorpEnsure server parameter connection_throttling is set to ON for PostgreSQL Database Server
returntocorpEnsure server parameter log_checkpoints is set to ON for PostgreSQL Database Server
returntocorpEnsure server parameter log_connections is set to ON for PostgreSQL Database Server
returntocorpEnsure Enforce SSL connection is set to Enabled for PostgreSQL servers
returntocorpEnsure that PostgreSQL server enables Threat detection policy
returntocorpEnsure that key vault secrets have “content_type” set
returntocorpEnsure that the expiration date is set on all secrets
returntocorpEnsure that Send email notification for high severity alerts is set to On
returntocorpEnsure that Security contact emails is set
returntocorpEnsure that Security contact Phone number is set
returntocorpEnsure that Send email notification for high severity alerts is set to On
returntocorpEnsure that standard pricing tier is selected
returntocorpEnsure that Send Alerts To is enabled for MSSQL servers
returntocorpEnsure that Email service and co-administrators is Enabled for MSSQL servers
returntocorpEnsure that Threat Detection types is set to All
returntocorpEnsure that storage account enables secure transfer
returntocorpEnsure that Azure Synapse workspaces enables managed virtual networks
returntocorpEnsure that automatic OS image patching is enabled for Virtual Machine Scale Sets
returntocorpEnsure that Application Gateway uses WAF in “Detection” or “Prevention” modes
returntocorpEnsure AKS has an API Server Authorized IP Ranges enabled
returntocorpEnsure that AKS enables private clusters
returntocorpEnsure that AKS uses disk encryption set
returntocorpEnsure that API management services use virtual networks
returntocorpRegistering the identity used by an App with AD allows it to interact with other services without using username and password. Set the `identity` block in your appservice.
returntocorpEnabling authentication ensures that all communications in the application are authenticated. The `auth_settings` block needs to be filled out with the appropriate auth backend settings
returntocorpEnsure App Service Authentication is set on Azure App Service
returntocorpUse the latest version of HTTP to ensure you are benefiting from security fixes. Add `http2_enabled = true` to your appservice resource block
returntocorpBy default, clients can connect to App Service by using both HTTP or HTTPS. HTTP should be disabled enabling the HTTPS Only setting.
returntocorpDetected an AppService that was not configured to use a client certificate. Add `client_cert_enabled = true` in your resource block.
returntocorpDetected an AppService that was not configured to use TLS 1.2. Add `site_config.min_tls_version = "1.2"` in your resource block.
returntocorpEnsure the web app has Client Certificates
returntocorpEnsure that App service enables detailed error messages
returntocorpEnsure that CORS disallows every resource to access app services
returntocorpEnsure that App service enables failed request tracing
returntocorpEnsure that App service enables HTTP logging
returntocorpEnsure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot
returntocorpEnsure App Service Authentication is set on Azure App Service
returntocorpEnsure that Managed identity provider is enabled for app services
returntocorpEnsure web app is using the latest version of TLS encryption
returntocorpEnsure that Automation account variables are encrypted
returntocorpEnsure that Azure Batch account uses key vault to encrypt data
returntocorpEnsure that Cognitive Services accounts disable public network access
returntocorpEnsure that Azure Container group is deployed into virtual network
returntocorpEnsure Cosmos DB accounts have restricted access
returntocorpEnsure that Cosmos DB accounts have access key write capability disabled
returntocorpEnsure that Azure Cosmos DB disables public network access
returntocorpEnsure that Azure Data Factory uses Git repository for source control
returntocorpEnsure that Cosmos DB accounts have customer-managed keys to encrypt data at rest
returntocorpEnsure that no custom subscription owner roles are created
returntocorpEnsure that Azure Data Explorer uses double encryption
returntocorpEnsure that Azure Data Explorer uses disk encryption
returntocorpEnsure that Azure Data factory public network access is disabled
returntocorpEnsure that Data Lake Store accounts enables encryption
returntocorpEnsure that Azure Event Grid Domain public network access is disabled
returntocorpensure that CORS disallows all resources to access Function app
returntocorpEnsure that function apps enables Authentication
returntocorpEnsure Virtual Machine Extensions are not Installed
returntocorpEnsure that Azure IoT Hub disables public network access
returntocorpEnsure that key vault key is backed by HSM
returntocorpEnsure that the expiration date is set on all keys
returntocorpEnsure that managed disks use a specific set of disk encryption sets for the customer-managed key encryption
returntocorpEnsure Azure managed disk has encryption enabled
returntocorpEnsure public network access enabled is set to False for MariaDB servers
returntocorpEnsure that Activity Log Retention is set 365 days or greater
returntocorpEnsure MSSQL is using the latest version of TLS encryption
returntocorpEnsure that MySQL server enables infrastructure encryption
returntocorpEnsure MySQL is using the latest version of TLS encryption
returntocorpEnsure public network access enabled is set to False for MySQL servers
returntocorpEnsure that Network Security Group Flow Log retention period is 90 days or greater
returntocorpEnsure that PostgreSQL server enables infrastructure encryption
returntocorpEnsure that remote debugging is not enabled for app services
returntocorpEnsure PostgreSQL is using the latest version of TLS encryption
returntocorpEnsure public network access enabled is set to False for PostgreSQL servers
returntocorpEnsure that only SSL are enabled for Cache for Redis
returntocorpEnsure that Azure Cache for Redis disables public network access
returntocorpEnsure Kubernetes Cluster is created with Alias IP ranges enabled
returntocorpEnsure that Virtual machine does not enable password authentication
returntocorpEnsure that Azure Cognitive Search disables public network access
returntocorpEnsure that Service Fabric use three levels of protection available
returntocorpEnsure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)
returntocorpEnsure that SQL server disables public network access
returntocorpEnsure default network access rule for Storage Accounts is set to deny
returntocorpEnsure Storage Account is using the latest version of TLS encryption
returntocorpEnsure that Public access level is set to Private for blob containers
returntocorpEnsure that Azure File Sync disables public network access
returntocorpEnsure 'Automatic node repair' is enabled for Kubernetes Clusters
returntocorpEnsure that Virtual machine scale sets have encryption at host enabled
returntocorpEnabling authentication ensures that all communications in the application are authenticated. The `auth_settings` block needs to be filled out with the appropriate auth backend settings
returntocorpUse the latest version of HTTP to ensure you are benefiting from security fixes. Add `http2_enabled = true` to your function app resource block
returntocorpKey vault Secret should have a content type set
returntocorpEnsure 'Automatic node upgrade' is enabled for Kubernetes Clusters
returntocorpEnsure that the expiration date is set on all keys
returntocorpEnsure that the expiration date is set on all secrets
returntocorpKey vault should have purge protection enabled
returntocorpNetwork ACLs allow you to reduce your exposure to risk by limiting what can access your key vault. The default action of the Network ACL should be set to deny for when IPs are not matched. Azure services can be allowed to bypass.
returntocorpSome Microsoft services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules
returntocorpDetected a Storage that was not configured to deny action by default. Add `default_action = "Deny"` in your resource block.
returntocorpDetected a Storage that was not configured to deny action by default. Add `enable_https_traffic_only = true` in your resource block.
returntocorpStorage Analytics logs detailed information about successful and failed requests to a storage service. This information can be used to monitor individual requests and to diagnose issues with a storage service. Requests are logged on a best-effort basis.
returntocorpEnsure IAM policies don't allow resource exposure. These actions can expose AWS resources to the public. For example `ecr:SetRepositoryPolicy` could let an attacker retrieve container images. Instead, use another action that doesn't expose AWS resources.
returntocorpAzure Storage currently supports three versions of the TLS protocol: 1.0, 1.1, and 1.2. Azure Storage uses TLS 1.2 on public HTTPS endpoints, but TLS 1.0 and TLS 1.1 are still supported for backward compatibility. This check will warn if the minimum TLS is not set to TLS1_2.
returntocorpEnsure Compute instances are launched with Shielded VM enabled
returntocorpEnsure Compute instances are launched with Shielded VM enabled
returntocorpEnsure that RSASHA1 is not used for the zone-signing and key-signing keys in Cloud DNS DNSSEC
returntocorpEnsure use of Binary Authorization
returntocorpEnsure Shielded GKE Nodes are Enabled
returntocorpEnsure Kubernetes Clusters are configured with Labels
returntocorpEnsure the GKE Metadata Server is Enabled
returntocorpEnsure the GKE Metadata Server is Enabled
returntocorpEnsure Secure Boot for Shielded GKE Nodes is Enabled
returntocorpEnsure all Cloud SQL database instance have backup configuration enabled
returntocorpEnsure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image
returntocorpEnsure that Private google access is enabled for IPV6
returntocorpEnsure MySQL database 'local_infile' flag is set to 'off'
returntocorpEnsure PostgreSQL database 'log_checkpoints' flag is set to 'on'
returntocorpEnsure PostgreSQL database 'log_connections' flag is set to 'on'
returntocorpEnsure PostgreSQL database 'log_disconnections' flag is set to 'on'
returntocorpEnsure PostgreSQL database 'log_lock_waits' flag is set to 'on'
returntocorpEnsure PostgreSQL database 'log_min_duration_statement' flag is set to '-1'
returntocorpEnsure PostgreSQL database 'log_min_messages' flag is set to a valid value
returntocorpEnsure PostgreSQL database 'log_temp_files' flag is set to '0'
returntocorpEnsure Cloud storage has versioning enabled
returntocorpEnsure Artifact Registry Repositories are encrypted with Customer Supplied Encryption Keys (CSEK)
returntocorpEnsure that Artifact Registry repositories are not anonymously or publicly accessible
returntocorpEnsure that Artifact Registry repositories are not anonymously or publicly accessible
returntocorpEnsure that BigQuery datasets are not anonymously or publicly accessible
returntocorpEnsure that BigQuery Tables are not anonymously or publicly accessible
returntocorpEnsure that BigQuery Tables are not anonymously or publicly accessible
returntocorpEnsure Big Query Tables are encrypted with Customer Supplied Encryption Keys (CSEK)
returntocorpEnsure Big Table Instances are encrypted with Customer Supplied Encryption Keys (CSEK)
returntocorpEnsure Cloud build workers are private
returntocorpEnsure bucket logs access.
returntocorpEnsure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK)
returntocorpEnsure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK)
returntocorpEnsure Google compute firewall ingress does not allow unrestricted FTP access
returntocorpEnsure Google compute firewall ingress does not allow unrestricted FTP access
returntocorpEnsure Google compute firewall ingress does not allow unrestricted SSH access
returntocorpEnsure Google compute firewall ingress does not allow unrestricted MySQL access
returntocorpEnsure Google compute firewall ingress does not allow unrestricted RDP access
returntocorpEnsure Google compute firewall ingress does not allow unrestricted HTTP access
returntocorpEnsure that IP forwarding is not enabled on Instances. This lets the instance act as a traffic router and receive traffic not intended for it, which may route traffic through unintended passages.
returntocorpEnsure that no instance in the project overrides the project setting for enabling OSLogin (OSLogin needs to be enabled in project metadata for all instances)
returntocorpEnsure oslogin is enabled for a Project
returntocorpEnsure that Compute instances do not have public IP addresses
returntocorpEnsure 'Enable connecting to serial ports' is not enabled for VM Instance
returntocorpEnsure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites
returntocorpEnsure that IP forwarding is not enabled on Instances. This lets the instance act as a traffic router and receive traffic not intended for it, which may route traffic through unintended passages.
returntocorpEnsure that Compute instances do not have public IP addresses
returntocorpEnsure data flow jobs are encrypted with Customer Supplied Encryption Keys (CSEK)
returntocorpEnsure Dataflow jobs are private
returntocorpEnsure Data fusion instances are private
returntocorpEnsure Datafusion has stack driver logging enabled.
returntocorpEnsure Datafusion has stack driver monitoring enabled.
returntocorpEnsure Dataproc cluster is encrypted with Customer Supplied Encryption Keys (CSEK)
returntocorpEnsure Dataproc Clusters do not have public IPs
returntocorpEnsure that Dataproc clusters are not anonymously or publicly accessible
returntocorpEnsure that Dataproc clusters are not anonymously or publicly accessible
returntocorpEnsure that RSASHA1 is not used for the zone-signing and key-signing keys in Cloud DNS DNSSEC
returntocorpEnsure no roles that enable to impersonate and manage all service accounts are used at a folder level
returntocorpEnsure no roles that enable to impersonate and manage all service accounts are used at a folder level
returntocorpEnsure Default Service account is not used at a folder level
returntocorpEnsure Default Service account is not used at a folder level
returntocorpEnsure GKE basic auth is disabled
returntocorpEnsure client certificate authentication to Kubernetes Engine Clusters is disabled
returntocorpEnsure logging is set to Enabled on Kubernetes Engine Clusters
returntocorpEnable VPC Flow Logs and Intranode Visibility
returntocorpEnsure Integrity Monitoring for Shielded GKE Nodes is Enabled
returntocorpManage Kubernetes RBAC users with Google Groups for GKE
returntocorpEnsure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters
returntocorpEnsure legacy Compute Engine instance metadata APIs are Disabled
returntocorpEnsure master authorized networks is set to enabled in GKE clusters
returntocorpEnsure monitoring is set to Enabled on Kubernetes Engine Clusters
returntocorpEnsure Network Policy is enabled on Kubernetes Engine Clusters
returntocorpEnsure Integrity Monitoring for Shielded GKE Nodes is Enabled
returntocorpEnsure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters
returntocorpEnsure Kubernetes Cluster is created with Private cluster enabled
returntocorpEnsure GKE Control Plane is not public
returntocorpEnsure Secure Boot for Shielded GKE Nodes is Enabled
returntocorpEnsure KMS keys are protected from deletion
returntocorpEnsure Memorystore for Redis has AUTH enabled
returntocorpEnsure Memorystore for Redis uses intransit encryption
returntocorpEnsure no roles that enable to impersonate and manage all service accounts are used at an organization level
returntocorpEnsure no roles that enable to impersonate and manage all service accounts are used at an organization level
returntocorpEnsure default service account is not used at an organization level
returntocorpEnsure default service account is not used at an organization level
returntocorpEnsure that the default network does not exist in a project. Set auto_create_network to `false`.
returntocorpEnsure Default Service account is not used at a project level
returntocorpEnsure Default Service account is not used at a project level
returntocorpEnsure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level
returntocorpEnsure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level
returntocorpEnsure PubSub Topics are encrypted with Customer Supplied Encryption Keys (CSEK)
returntocorpEnsure that Pub/Sub Topics are not anonymously or publicly accessible
returntocorpEnsure that Pub/Sub Topics are not anonymously or publicly accessible
returntocorpEnsure that GCP Cloud Run services are not anonymously or publicly accessible
returntocorpEnsure that GCP Cloud Run services are not anonymously or publicly accessible
returntocorpEnsure Spanner Database is encrypted with Customer Supplied Encryption Keys (CSEK)
returntocorpEnsure all Cloud SQL database instance requires all incoming connections to use SSL
returntocorpEnsure that Cloud SQL database Instances are not open to the world
returntocorpEnsure Cloud SQL database does not have public IP
returntocorpEnsure that Container Registry repositories are not anonymously or publicly accessible
returntocorpEnsure that Container Registry repositories are not anonymously or publicly accessible
returntocorpEnsure that Cloud Storage buckets have uniform bucket-level access enabled
returntocorpEnsure that VPC Flow Logs is enabled for every subnet in a VPC Network
returntocorpEnsure that private_ip_google_access is enabled for Subnet
returntocorpEnsure Vertex AI datasets uses a CMK (Customer Manager Key)
returntocorpEnsure Vertex AI Metadata Store uses a CMK (Customer Manager Key)
returntocorpEnsure Vertex AI instances are private
returntocorpAn EBS volume is configured without encryption enabled.
returntocorpAWS EC2 Instance allowing use of the IMDSv1
returntocorpThe ECR Repository isn't configured to scan images on push
returntocorpMissing EKS control plane logging. It is recommended to enable at least Kubernetes API server component logs ("api") and audit logs ("audit") of the EKS control plane through the enabled_cluster_log_types attribute.
returntocorpThe vpc_config resource inside the eks cluster has not explicitly disabled public endpoint access
returntocorpEncryption at rest is not enabled for the elastic search domain resource
returntocorpIAM policies that allow full "*-*" admin privileges violates the principle of least privilege. This allows an attacker to take full control over all AWS account resources. Instead, give each user more fine-grained control with only the privileges they need. $TYPE
returntocorpEnsure IAM policies don't allow credentials exposure. Credentials exposure actions return credentials as part of the API response, and can possibly lead to leaking important credentials. Instead, use another action that doesn't return sensitive data as part of the API response.
returntocorpEnsure that IAM policies don't allow data exfiltration actions that are not resource-constrained. This can allow the user to read sensitive data they don't need to read. Instead, make sure that the user granted these privileges are given these permissions on specific resources.
returntocorpEnsure that actions that can result in privilege escalation are not used. These actions could potentially result in an attacker gaining full administrator access of an AWS account. Try not to use these actions.
returntocorpEnsure that IAM policies with permissions on other users don't allow for privilege escalation. This can lead to an attacker gaining full administrator access of AWS accounts. Instead, specify which user the permission should be used on or do not use the listed actions. $RESOURCE
returntocorpEnsure that groups of actions that include iam:PassRole and could result in privilege escalation are not all allowed for the same user. These actions could result in an attacker gaining full admin access of an AWS account. Try not to use these actions in conjuction.
returntocorpEnsure that no IAM policies allow "*" as a statement's actions. This allows all actions to be performed on the specified resources, and is a violation of the principle of least privilege. Instead, specify the actions that a certain user or policy is allowed to take.
returntocorpRDS instance or cluster with hardcoded credentials in source code. It is recommended to pass the credentials at runtime, or generate random credentials using the random_password resource.
returntocorpRDS instance accessible from the Internet detected.
returntocorpCORS rule on bucket permits any origin
returntocorpS3 bucket with public read access detected.
returntocorpS3 bucket with public read-write access detected.
returntocorpThe CodeBuild project artifacts are unencrypted. All artifacts produced by your CodeBuild project pipeline should be encrypted to prevent them from being read if compromised.
returntocorpThe AWS Kinesis stream does not encrypt data at rest. The data could be read if the Kinesis stream storage layer is compromised. Enable Kinesis stream server-side encryption.
returntocorpThis rule has been deprecated, as all s3 buckets are encrypted by default with no way to disable it. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration for more info.
returntocorpEnsure that Amazon ElastiCache clusters have automatic backup turned on. To fix this, set a `snapshot_retention_limit`.
returntocorpThe AWS S3 object lock is not enabled. Consider using it if possible.
returntocorpDetected a AWS load balancer that is not configured to drop invalid HTTP headers. Add `drop_invalid_header_fields = true` in your resource block.
returntocorpFound a AWS API Gateway Stage without cache cluster enabled. Enabling the cache cluster feature enhances responsiveness of your API. Add `cache_cluster_enabled = true` to your resource block.
returntocorpThere are missing tags for an AWS Auto Scaling group. Tags help track costs, allow for filtering for Auto Scaling groups, help with access control, and aid in organizing AWS resources. Add: `tag { key = "key" value = "value" propagate_at_launch = boolean }` See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/autoscaling_group for more details.
returntocorpThe AWS CloudWatch Log group is missing log retention time. By default, logs are retained indefinitely. Add `retention_in_days = <integer>` to your resource block.
returntocorpThe Athena workgroup configuration can be overriden by client-side settings. The client can make changes to disable encryption settings. Enforce the configuration to prevent client overrides.
returntocorpThe Athena database is unencrypted at rest. These databases are generally derived from data in S3 buckets and should have the same level of at rest protection. The AWS KMS encryption key protects database contents. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account.
returntocorpThe AWS Athena Work Group is unencrypted. The AWS KMS encryption key protects backups in the work group. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account.
returntocorpThe AWS CodeBuild Project Artifacts are unencrypted. The AWS KMS encryption key protects artifacts in the CodeBuild Projects. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account.
returntocorpThe AWS CodeBuild Project is unencrypted. The AWS KMS encryption key protects projects in the CodeBuild. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account.
returntocorpThe AWS configuration aggregator does not aggregate all AWS Config region. This may result in unmonitored configuration in regions that are thought to be unused. Configure the aggregator with all_regions for the source.
returntocorpDatabase instance has no logging. Missing logs can cause missing important event information.