CKV_AWS_103
Ensure that load balancer is using TLS 1.2
Codiga's Static Analysis engine checks all Terraform code and surfaces security and safety issues, as well as enforcing best practices. No matter which cloud you use (AWS, GCP, Azure), Codiga has you covered and flags potential problems at every push and pull request.
Ensure that load balancer is using TLS 1.2
Ensure IAM policies do not allow credentials exposure
Ensure IAM policies do not allow data exfiltration
Ensure IAM policies do not allow permissions management / resource exposure without constraints
Ensure IAM policies do not allow privilege escalation
Ensure IAM policies do not allow write access without constraints
Ensure that AWS Lambda function is configured for function-level concurrent execution limit
Ensure that AWS Lambda function is configured for a Dead Letter Queue (DLQ)
Ensure that AWS Lambda function is configured inside a VPC
Ensure that enhanced monitoring is enabled for Amazon RDS instances
Ensure DynamoDB Tables are encrypted using a KMS Customer Managed CMK
Ensure that CloudFormation stacks are sending event notifications to an SNS topic
Ensure that detailed monitoring is enabled for EC2 instances
Ensure that Elastic Load Balancer(s) use SSL certificates provided by AWS Certificate Manager
Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled
Ensure VPC subnets do not assign public IP by default
Ensure that ALB drops HTTP headers
Ensure that Amazon ElastiCache Redis clusters have automatic backup turned on
Ensure that EC2 is EBS optimized
Ensure that ECR repositories are encrypted using KMS
Ensure that S3 bucket has cross-region replication enabled
Ensure that S3 buckets are encrypted with KMS by default
Ensure that CodeBuild projects are encrypted
Ensure no default VPC is planned to be provisioned
Ensure that Secrets Manager secret is encrypted using KMS
Ensure that Load Balancer has deletion protection enabled
Ensure that RDS instances have Multi-AZ enabled
Ensure that CloudWatch Log Group is encrypted by KMS
Ensure all data stored in the RDS is securely encrypted at rest
Ensure RDS database has IAM authentication enabled
Ensure ECR image scanning on push is enabled
Ensure SQS queue policy is not public by only allowing specific services or principals to access it
Ensure all data stored in RDS is not publicly accessible
Check encryption settings for Lambda environmental variable
Ensure the S3 bucket has access logging enabled
Ensure all data stored in the S3 bucket is securely encrypted at rest
Ensure ALB protocol is HTTPS
S3 Bucket has an ACL defined which allows public READ access.
Ensure all data stored in the S3 bucket have versioning enabled
Ensure every security group rule has a description
Ensure no security groups allow ingress from 0.0.0.0:0 to port 22
Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389
Ensure all data stored in the SNS topic is encrypted
Ensure all data stored in the SQS queue is encrypted
Ensure Dynamodb point in time recovery (backup) is enabled
Ensure all data stored in the EBS is securely encrypted
Ensure all data stored in the Elasticache Replication Group is securely encrypted in transit
Ensure all data stored in the Elasticache Replication Group is securely encrypted in transit and has an auth token
Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS
Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)
Ensure no hard coded AWS access key and secret key exists in provider
X-ray tracing is enabled for Lambda
Ensure ECR Image Tags are immutable
Ensure S3 bucket has MFA delete enabled
Ensure S3 bucket has block public policy enabled
Ensure S3 bucket has 'restrict_public_bucket' enabled
Ensure there is no open access to back-end resources through API
Ensure container insights are enabled on ECS cluster
Ensure that CloudWatch Log Group specifies retention days
CloudFront Distribution should have WAF enabled
Ensure rotation for customer created CMKs is enabled
Ensure API Gateway has Access Logging enabled
Ensure Instance Metadata Service Version 1 is not enabled
Ensure all data stored in the Launch configuration EBS is securely encrypted
Ensure Cloudfront distribution has Access Logging enabled
EC2 instance should not have public IP.
Ensure the ELBv2 (Application/Network) has access logging enabled
Ensure the ELB has access logging enabled
Ensure all data stored in the Sagemaker Endpoint is securely encrypted at rest
Ensure Network Policy is enabled on Kubernetes Engine Clusters
Ensure a client certificate is used by clients to authenticate to Kubernetes Engine Clusters
Ensure all Cloud SQL database instances have backup configuration enabled
Ensure GKE Control Plane is not public
Ensure GKE basic auth is disabled
Ensure Google compute firewall ingress does not allow unrestricted ssh access
Ensure master authorized networks is set to enabled in GKE clusters
Ensure Kubernetes Clusters are configured with Labels
Ensure Kubernetes Cluster is created with Alias IP ranges enabled
Ensure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters
Ensure Kubernetes Cluster is created with Private cluster enabled
Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network
Ensure that Cloud Storage buckets have uniform bucket-level access enabled
Ensure that instances are not configured to use the default service account
Ensure 'Block Project-wide SSH keys' is enabled for VM instances
Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK)
Ensure Compute instances are launched with Shielded VM enabled
Ensure all Cloud SQL database instances require all incoming connections to use SSL
Enable VPC Flow Logs and Intranode Visibility
Bucket should log access
Ensure clusters are created with Private Nodes
Manage Kubernetes RBAC users with Google Groups for GKE
Ensure use of Binary Authorization
Ensure legacy Compute Engine instance metadata APIs are Disabled
Ensure the GKE Metadata Server is Enabled
Ensure the GKE Release Channel is set
Ensure Shielded GKE Nodes are Enabled
Ensure Repository is Private
Ensure that all NACLs are attached to subnets
Ensure VPC flow logging is enabled in all VPCs
Ensure the default security group of every VPC restricts all traffic
Ensure that Auto Scaling is enabled on your DynamoDB tables
Ensure that EC2 instances belong to a VPC
Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup
Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances
Ensure that only encrypted EBS volumes are attached to EC2 instances
Ensure that ALB redirects HTTP requests into HTTPS ones
Route53 A Record has Attached Resource
Postgres RDS has Query Logging enabled
Ensure public-facing ALBs are protected by WAF
Ensure that Security Groups are attached to another resource
Ensure that S3 bucket has a Public Access block
Ensure that EBS are added in the backup plans of AWS Backup
Verify CloudFront Distribution Viewer Certificate is using TLS v1.2
Ensure S3 bucket Object is encrypted by KMS using a customer managed Key (CMK)
Ensure Elasticache replication group is encrypted by KMS using a customer managed Key (CMK)
Ensure that CodeBuild Project encryption is not disabled
Ensure CloudFront distribution has a strict security headers policy attached
Ensure Postgres RDS as aws_db_instance has Query Logging enabled
AWS SSM Parameter should be Encrypted
Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)
Ensure Glue component has a security configuration associated
Ensure AppSync is protected by WAF
Ensure that PostgreSQL server enables geo-redundant backups
Ensure key vault allows firewall rules settings
Ensure key vault key is backed by HSM
Ensure key vault secrets have content_type set
Ensure that AKS uses disk encryption set
Ensure that Network Interfaces disable IP forwarding
Ensure GitHub repository has vulnerability alerts enabled
Ensure Secrets are encrypted
Ensure Storage Accounts adhere to the naming rules
Ensure Azure Linux scale set does not use basic authentication (use SSH keys instead)
Ensure RBAC is enabled on AKS clusters
Ensure Virtual Machine Extensions are not Installed
Ensure that Application Gateway enables WAF
Ensure that PostgreSQL server enables infrastructure encryption
Ensure Application Gateway WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell
Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server
Ensure default network access rule for Storage Accounts is set to deny
Ensure 'Trusted Microsoft Services' is enabled for Storage Account access
Ensure that the expiration date is set on all keys
Ensure that PostgreSQL server disables public network access
Ensure that Virtual machine scale sets have encryption at host enabled
Ensure Storage logging is enabled for Blob service for read requests
Ensure the storage container storing the activity logs is not publicly accessible
Ensure resource is encrypted by KMS using a customer managed Key
Ensure EFS is securely encrypted
Ensure Create before destroy for API GATEWAY
Ensure Create before destroy for API deployments
Ensure that Cognitive Services enables customer-managed key for encryption
Ensure Code Pipeline Artifact store is using a KMS CMK
Ensure CloudTrail logs are encrypted at rest using KMS CMKs
Ensure AWS CloudTrail log validation is enabled in all regions.
Ensure CloudTrail defines an SNS Topic.
Ensure CloudTrail is enabled in all Regions
Ensure CloudTrail trails are integrated with CloudWatch Logs
Ensure that Azure Container group is deployed into virtual network.
Ensure that AKS uses Azure Policies Add-on
Ensure AKS local admin account is disabled
Ensure Windows VM enables encryption
Ensure Storage Account is using the latest version of TLS encryption
Ensure that the Execution Role ARN and the Task Role ARN are different in ECS Task definitions
S3 Bucket has an ACL defined which allows public WRITE access.
Ensure API Gateway caching is enabled
Ensure API Gateway has X-Ray tracing enabled
Ensure MSK Cluster logging is enabled
The default namespace should not be used.
Ensure securityContext is applied to pods and containers.
Ensure public API Gateways are protected by AWS Web Application Firewall v2
Ensure API Gateway stages have a logging level defined as appropriate
Ensure RDS instances have backup policy
Ensure FSx ONTAP file system is encrypted by KMS using a customer managed Key (CMK)
Ensure DB instance gets all minor upgrades automatically
Ensure that RDS PostgreSQL instances use a non-vulnerable version with the log_fdw extension
AWS NAT Gateways should be utilized for the default route
Ensure all data stored in the Elasticsearch is encrypted with a CMK
Ensure that 'Public access level' is set to Private for blob containers
Ensure secrets have an expiration date set
Ensure GuardDuty is enabled to specific org/region
Ensure Azure storage account logging for tables is enabled
Ensure no security groups allow ingress from 0.0.0.0:0 to port 80
Ensure that Cognitive Services accounts disable public network access.
Ensure EBS default encryption is enabled
Ensure Amazon RDS clusters and instances have AWS IAM authentication enabled
Ensure that Elasticsearch is configured inside a VPC
Ensure that RDS clusters have deletion protection enabled
Ensure Redshift cluster is encrypted by KMS
Ensure RDS cluster has IAM authentication enabled
Ensure FSX Windows filesystem is encrypted by KMS using a customer managed Key (CMK)
Ensure RedShift Cluster is encrypted by KMS using a customer managed Key (CMK)
Ensure Cloudfront distribution is enabled
Verify Elasticsearch domain is using an up to date TLS policy
Ensure that Elasticsearch is not using the default Security Group
Ensure KMS key policy does not contain wildcard (*) principal
Ensure AWS Redshift database has audit logging enabled
Ensure Elasticsearch Domain Logging is enabled
Ensure Amazon Redshift clusters are not publicly accessible
Ensure all data stored in Aurora is securely encrypted at rest
Ensure commits are signed
Ensure at least two approving reviews to merge
Ensure all commits GPG signed
Ensure at least two approving reviews for PRs
Ensure Azure Instance does not use basic authentication (use SSH keys instead)
Ensure that Azure Data Factory uses Git repository for source control
Ensure Azure Data factory public network access is disabled
Ensure that key vault enables purge protection
Ensure App Service Authentication is set on Azure App Service
Ensure App Service is registered with an Azure Active Directory account
Ensure the web app has certificates set
Ensure that 'HTTP Version' is the latest if used to run the web app
Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers
Ensure that 'Secure transfer required' is set to 'Enabled'
Ensure Storage logging is enabled for Queue service for read, write and delete requests
Ensure the key vault is recoverable
Ensure that function apps enable authentication
Ensure secure transfer required is enabled
Ensure that App service enables HTTP logging
Ensure app service enables detailed error messages
Ensure app service enables failed request tracing
Ensure that 'HTTP Version' is the latest, if used to run the Function app
Ensure function apps are only accessible over HTTPS
Ensure that Managed identity provider is enabled for app services
Ensure FTP deployments are disabled
Ensure that 'Net Framework' version is the latest, if used as a part of the web app
Ensure that app services use Azure Files
Ensure RDS clusters have an AWS Backup backup plan
Ensure storage for critical data is encrypted with a Customer Managed Key
Ensure Microsoft Antimalware is configured to automatically update Virtual Machines
Ensure that virtual machines are backed up using Azure Backup
Ensure that Azure data factories are encrypted with a customer-managed key
Ensure that Storage Accounts use customer-managed key for encryption
Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account
Ensure that Azure Active Directory Admin is configured
Ensure Virtual Machines are utilizing Managed Disks
Ensure all Elasticsearch domains have node-to-node encryption enabled
Ensure HTTP/HTTPS target group defines a health check