Terraform Static Analysis Rules

Terraform rules

Codiga's static analysis engine checks all Terraform code and surfaces security and safety issues, and enforces best practices. Whichever cloud you use (AWS, GCP, Azure), Codiga has you covered and flags potential problems at every push and pull request.

      CKV_AWS_103

      Best practice
      Minor

      Ensure that load balancer is using TLS 1.2

      CKV_AWS_107

      Best practice
      Minor

      Ensure IAM policies do not allow credentials exposure

      CKV_AWS_108

      Best practice
      Minor

      Ensure IAM policies do not allow data exfiltration

      CKV_AWS_109

      Best practice
      Minor

      Ensure IAM policies do not allow permissions management / resource exposure without constraints

      CKV_AWS_110

      Best practice
      Minor

      Ensure IAM policies do not allow privilege escalation

      CKV_AWS_111

      Best practice
      Minor

      Ensure IAM policies do not allow write access without constraints
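
The five IAM policy rules above (CKV_AWS_107 to CKV_AWS_111) all work the same way: parse the JSON policy document an `aws_iam_policy` carries in its `policy` argument, and look for sensitive actions granted on an unconstrained resource. The following is an added example, not Codiga's or checkov's own code. It implements simplified versions of those checks; the action sets are an illustrative subset chosen for this example, not the scanners' real lists, and the sample policies are constructed.

```python
"""Simplified versions of the IAM policy checks CKV_AWS_107 .. CKV_AWS_111.

Added example, not Codiga's or checkov's code. Action lists below are an
illustrative subset (assumption), not the scanners' real ones. Input is the
JSON policy document a Terraform aws_iam_policy carries in `policy`."""
import fnmatch
import json

# Illustrative action sets (assumption: a subset, not checkov's full lists).
CREDENTIAL_EXPOSURE = {
    "iam:CreateAccessKey", "iam:CreateLoginProfile", "iam:UpdateLoginProfile",
    "sts:AssumeRole", "sts:GetFederationToken",
}
DATA_EXFILTRATION = {
    "s3:GetObject", "ssm:GetParameter", "ssm:GetParametersByPath",
    "secretsmanager:GetSecretValue", "dynamodb:Scan",
}
PERMISSIONS_MANAGEMENT = {
    "iam:CreatePolicy", "s3:PutBucketPolicy", "kms:PutKeyPolicy",
    "lambda:AddPermission", "sqs:AddPermission", "sns:AddPermission",
}
PRIVILEGE_ESCALATION = {
    "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion",
    "iam:AttachUserPolicy", "iam:AttachRolePolicy", "iam:PutUserPolicy",
    "iam:PutRolePolicy", "iam:PassRole", "iam:UpdateAssumeRolePolicy",
}
# An action whose verb starts with one of these (or is a wildcard) mutates state.
WRITE_VERBS = ("put", "create", "delete", "update", "modify", "write", "*")


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _grants(policy_actions, target):
    """True if any (possibly wildcarded) policy action covers `target`.
    IAM action names are case-insensitive and support '*' and '?'."""
    return any(fnmatch.fnmatchcase(target.lower(), pa.lower()) for pa in policy_actions)


def _unconstrained(stmt):
    """Resource '*' and no Condition block: nothing scopes the grant."""
    return "*" in _as_list(stmt.get("Resource")) and "Condition" not in stmt


def check_policy(policy_json):
    """Return the sorted list of rule IDs the policy document trips."""
    findings = set()
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        # Deny statements and NotAction grants are out of scope for this example.
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        actions = _as_list(stmt["Action"])
        # Privilege escalation: any grant of these verbs with no Condition
        # (e.g. no iam:PassedToService / iam:PermissionsBoundary constraint).
        if "Condition" not in stmt and any(_grants(actions, a) for a in PRIVILEGE_ESCALATION):
            findings.add("CKV_AWS_110")
        if _unconstrained(stmt):
            if any(_grants(actions, a) for a in CREDENTIAL_EXPOSURE):
                findings.add("CKV_AWS_107")
            if any(_grants(actions, a) for a in DATA_EXFILTRATION):
                findings.add("CKV_AWS_108")
            if any(_grants(actions, a) for a in PERMISSIONS_MANAGEMENT):
                findings.add("CKV_AWS_109")
            if any(a.split(":", 1)[-1].lower().startswith(WRITE_VERBS) for a in actions):
                findings.add("CKV_AWS_111")
    return sorted(findings)


# Constructed sample: a properly scoped S3 read next to two over-broad grants.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::app-logs", "arn:aws:s3:::app-logs/*"]},
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    {"Effect": "Allow", "Action": ["ec2:*"], "Resource": "*"},
]})

# Same intent, constrained: PassRole limited to one role and one service,
# EC2 limited to read-only Describe* calls. Account ID and role are placeholders.
SCOPED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::app-logs", "arn:aws:s3:::app-logs/*"]},
    {"Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::123456789012:role/app-task",
     "Condition": {"StringEquals": {"iam:PassedToService": "ecs-tasks.amazonaws.com"}}},
    {"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"},
]})

# Full admin: trips every rule at once.
ADMIN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]})

if __name__ == "__main__":
    for name, doc in ("sample", SAMPLE_POLICY), ("scoped", SCOPED_POLICY), ("admin", ADMIN_POLICY):
        print(name, check_policy(doc))
```

The wildcard handling is the part worth copying: a policy that grants `iam:*` or `*` never names `iam:PassRole` literally, so the check must match the policy's pattern against each sensitive action rather than the other way round.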

      CKV_AWS_115

      Best practice
      Minor

      Ensure that AWS Lambda function is configured for function-level concurrent execution limit

      CKV_AWS_116

      Best practice
      Minor

      Ensure that AWS Lambda function is configured with a Dead Letter Queue (DLQ)

      CKV_AWS_117

      Best practice
      Minor

      Ensure that AWS Lambda function is configured inside a VPC

      CKV_AWS_118

      Best practice
      Minor

      Ensure that enhanced monitoring is enabled for Amazon RDS instances

      CKV_AWS_119

      Best practice
      Minor

      Ensure DynamoDB Tables are encrypted using a KMS Customer Managed CMK

      CKV_AWS_124

      Best practice
      Minor

      Ensure that CloudFormation stacks are sending event notifications to an SNS topic

      CKV_AWS_126

      Best practice
      Minor

      Ensure that detailed monitoring is enabled for EC2 instances

      CKV_AWS_127

      Best practice
      Minor

      Ensure that Elastic Load Balancers use SSL certificates provided by AWS Certificate Manager

      CKV_AWS_129

      Best practice
      Minor

      Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled

      CKV_AWS_130

      Best practice
      Minor

      Ensure VPC subnets do not assign public IP by default

      CKV_AWS_131

      Best practice
      Minor

      Ensure that ALB drops invalid HTTP headers

      CKV_AWS_134

      Best practice
      Minor

      Ensure that Amazon ElastiCache Redis clusters have automatic backup turned on

      CKV_AWS_135

      Best practice
      Minor

      Ensure that EC2 is EBS optimized

      CKV_AWS_136

      Best practice
      Minor

      Ensure that ECR repositories are encrypted using KMS

      CKV_AWS_144

      Best practice
      Minor

      Ensure that S3 bucket has cross-region replication enabled

      CKV_AWS_145

      Best practice
      Minor

      Ensure that S3 buckets are encrypted with KMS by default

      CKV_AWS_147

      Best practice
      Minor

      Ensure that CodeBuild projects are encrypted

      CKV_AWS_148

      Best practice
      Minor

      Ensure no default VPC is planned to be provisioned

      CKV_AWS_149

      Best practice
      Minor

      Ensure that Secrets Manager secret is encrypted using KMS

      CKV_AWS_150

      Best practice
      Minor

      Ensure that Load Balancer has deletion protection enabled

      CKV_AWS_157

      Best practice
      Minor

      Ensure that RDS instances have Multi-AZ enabled

      CKV_AWS_158

      Best practice
      Minor

      Ensure that CloudWatch Log Group is encrypted by KMS

      CKV_AWS_16

      Best practice
      Minor

      Ensure all data stored in the RDS is securely encrypted at rest

      CKV_AWS_161

      Best practice
      Minor

      Ensure RDS database has IAM authentication enabled

      CKV_AWS_163

      Best practice
      Minor

      Ensure ECR image scanning on push is enabled

      CKV_AWS_168

      Best practice
      Minor

      Ensure SQS queue policy is not public by only allowing specific services or principals to access it

      CKV_AWS_17

      Best practice
      Minor

      Ensure all data stored in RDS is not publicly accessible

      CKV_AWS_173

      Best practice
      Minor

      Check encryption settings for Lambda environment variables

      CKV_AWS_18

      Best practice
      Minor

      Ensure the S3 bucket has access logging enabled

      CKV_AWS_19

      Best practice
      Minor

      Ensure all data stored in the S3 bucket is securely encrypted at rest

      CKV_AWS_2

      Best practice
      Minor

      Ensure ALB protocol is HTTPS

      CKV_AWS_20

      Best practice
      Minor

      S3 Bucket has an ACL defined which allows public READ access.

      CKV_AWS_21

      Best practice
      Minor

      Ensure all data stored in the S3 bucket have versioning enabled

      CKV_AWS_23

      Best practice
      Minor

      Ensure every security group rule has a description

      CKV_AWS_24

      Best practice
      Minor

      Ensure no security groups allow ingress from 0.0.0.0/0 to port 22

      CKV_AWS_25

      Best practice
      Minor

      Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389
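
Most of the AWS rules on this page are resource-attribute checks: find a resource type, read a few literal attributes, flag a missing or weak value. The following is an added example, not Codiga's or checkov's code, showing how checks in the style of CKV_AWS_23, CKV_AWS_24 and CKV_AWS_25 (security group rules), CKV_AWS_79 (IMDSv1) and CKV_AWS_16 (RDS encryption at rest) run over a Terraform document written in JSON syntax (`*.tf.json`), which avoids needing an HCL parser. It only evaluates literal values, so attributes set from variables or expressions are skipped, and the sample document is constructed with placeholder AMI IDs.

```python
"""Resource-level checks in the style of CKV_AWS_16/23/24/25/79 over a
Terraform document in JSON syntax (*.tf.json).

Added example, not Codiga's or checkov's code. Simplification (assumption):
only literal attribute values are inspected; variables and expressions are
not resolved, so such rules are treated as not matched."""
import json

ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"


def _blocks(value):
    """A nested block in JSON syntax is an object or a list of objects."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _covers_port(rule, port):
    """Does this rule open `port`? protocol -1 (or "all") means every port."""
    if str(rule.get("protocol", "")).lower() in ("-1", "all"):
        return True
    try:
        return int(rule.get("from_port", -1)) <= port <= int(rule.get("to_port", -1))
    except (TypeError, ValueError):
        return False  # non-literal port; not evaluated (see docstring)


def _open_to_world(rule):
    return (ANY_V4 in _blocks(rule.get("cidr_blocks"))
            or ANY_V6 in _blocks(rule.get("ipv6_cidr_blocks")))


def _check_security_group(name, body):
    addr = f"aws_security_group.{name}"
    findings = []
    # CKV_AWS_23 applies to every rule, inbound or outbound.
    for rule in _blocks(body.get("ingress")) + _blocks(body.get("egress")):
        if not rule.get("description"):
            findings.append(("CKV_AWS_23", addr))
    for rule in _blocks(body.get("ingress")):
        if _open_to_world(rule) and _covers_port(rule, 22):
            findings.append(("CKV_AWS_24", addr))
        if _open_to_world(rule) and _covers_port(rule, 3389):
            findings.append(("CKV_AWS_25", addr))
    return findings


def _check_instance(name, body):
    # No metadata_options block, or http_tokens != "required": IMDSv1 stays reachable.
    opts = _blocks(body.get("metadata_options"))
    if not opts or opts[0].get("http_tokens") != "required":
        return [("CKV_AWS_79", f"aws_instance.{name}")]
    return []


def _check_db_instance(name, body):
    # storage_encrypted defaults to false, so absence is a finding too.
    if body.get("storage_encrypted") is not True:
        return [("CKV_AWS_16", f"aws_db_instance.{name}")]
    return []


CHECKS = {
    "aws_security_group": _check_security_group,
    "aws_instance": _check_instance,
    "aws_db_instance": _check_db_instance,
}


def scan(tf_json):
    """Run every registered check over the resources in a .tf.json document.
    Returns sorted, de-duplicated (rule_id, resource_address) pairs."""
    doc = json.loads(tf_json)
    findings = []
    for rtype, instances in doc.get("resource", {}).items():
        check = CHECKS.get(rtype)
        if check is None:
            continue
        for name, body in instances.items():
            findings.extend(check(name, body))
    return sorted(set(findings))


# Constructed sample: each weak resource sits next to its corrected twin.
SAMPLE_TF_JSON = json.dumps({"resource": {
    "aws_security_group": {
        "web": {"name": "web", "ingress": [
            {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
            {"description": "public https", "from_port": 443, "to_port": 443,
             "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}]},
        "admin": {"name": "admin", "ingress": [
            {"description": "ssh from corp", "from_port": 22, "to_port": 22,
             "protocol": "tcp", "cidr_blocks": ["10.0.0.0/8"]}]},
    },
    "aws_instance": {
        "bastion": {"ami": "ami-00000000", "instance_type": "t3.micro"},
        "worker": {"ami": "ami-00000000", "instance_type": "t3.micro",
                   "metadata_options": {"http_endpoint": "enabled", "http_tokens": "required"}},
    },
    "aws_db_instance": {
        "legacy": {"engine": "postgres", "storage_encrypted": False},
        "main": {"engine": "postgres", "storage_encrypted": True, "kms_key_id": "alias/rds"},
    },
}})

if __name__ == "__main__":
    for rule_id, address in scan(SAMPLE_TF_JSON):
        print(rule_id, address)
```

Two details matter in practice and are easy to get wrong in a home-grown check: a rule with `protocol = "-1"` opens every port even though `from_port`/`to_port` are 0, and an `aws_instance` with no `metadata_options` block at all still has IMDSv1 enabled, so absence must count as a finding rather than a pass.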

      CKV_AWS_26

      Best practice
      Minor

      Ensure all data stored in the SNS topic is encrypted

      CKV_AWS_27

      Best practice
      Minor

      Ensure all data stored in the SQS queue is encrypted

      CKV_AWS_28

      Best practice
      Minor

      Ensure Dynamodb point in time recovery (backup) is enabled

      CKV_AWS_3

      Best practice
      Minor

      Ensure all data stored in the EBS is securely encrypted

      CKV_AWS_30

      Best practice
      Minor

      Ensure all data stored in the ElastiCache Replication Group is securely encrypted in transit

      CKV_AWS_31

      Best practice
      Minor

      Ensure all data stored in the ElastiCache Replication Group is securely encrypted in transit and has an auth token

      CKV_AWS_34

      Best practice
      Minor

      Ensure CloudFront distribution ViewerProtocolPolicy is set to HTTPS

      CKV_AWS_40

      Best practice
      Minor

      Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)

      CKV_AWS_41

      Best practice
      Minor

      Ensure no hard-coded AWS access key and secret key exist in the provider block

      CKV_AWS_50

      Best practice
      Minor

      Ensure X-Ray tracing is enabled for Lambda

      CKV_AWS_51

      Best practice
      Minor

      Ensure ECR Image Tags are immutable

      CKV_AWS_52

      Best practice
      Minor

      Ensure S3 bucket has MFA delete enabled

      CKV_AWS_54

      Best practice
      Minor

      Ensure S3 bucket has block public policy enabled

      CKV_AWS_56

      Best practice
      Minor

      Ensure S3 bucket has restrict_public_buckets enabled

      CKV_AWS_59

      Best practice
      Minor

      Ensure there is no open access to back-end resources through API

      CKV_AWS_65

      Best practice
      Minor

      Ensure container insights are enabled on ECS cluster

      CKV_AWS_66

      Best practice
      Minor

      Ensure that CloudWatch Log Group specifies retention days

      CKV_AWS_68

      Best practice
      Minor

      CloudFront Distribution should have WAF enabled

      CKV_AWS_7

      Best practice
      Minor

      Ensure rotation for customer created CMKs is enabled

      CKV_AWS_76

      Best practice
      Minor

      Ensure API Gateway has Access Logging enabled

      CKV_AWS_79

      Best practice
      Minor

      Ensure Instance Metadata Service Version 1 is not enabled

      CKV_AWS_8

      Best practice
      Minor

      Ensure all data stored in the Launch configuration EBS is securely encrypted

      CKV_AWS_86

      Best practice
      Minor

      Ensure CloudFront distribution has access logging enabled

      CKV_AWS_88

      Best practice
      Minor

      EC2 instance should not have public IP.

      CKV_AWS_91

      Best practice
      Minor

      Ensure the ELBv2 (Application/Network) has access logging enabled

      CKV_AWS_92

      Best practice
      Minor

      Ensure the ELB has access logging enabled

      CKV_AWS_98

      Best practice
      Minor

      Ensure all data stored in the SageMaker endpoint is securely encrypted at rest

      CKV_GCP_12

      Best practice
      Minor

      Ensure Network Policy is enabled on Kubernetes Engine Clusters

      CKV_GCP_13

      Best practice
      Minor

      Ensure a client certificate is used by clients to authenticate to Kubernetes Engine Clusters

      CKV_GCP_14

      Best practice
      Minor

      Ensure all Cloud SQL database instances have backup configuration enabled

      CKV_GCP_18

      Best practice
      Minor

      Ensure GKE Control Plane is not public

      CKV_GCP_19

      Best practice
      Minor

      Ensure GKE basic auth is disabled

      CKV_GCP_2

      Best practice
      Minor

      Ensure Google compute firewall ingress does not allow unrestricted ssh access

      CKV_GCP_20

      Best practice
      Minor

      Ensure master authorized networks are enabled in GKE clusters

      CKV_GCP_21

      Best practice
      Minor

      Ensure Kubernetes Clusters are configured with Labels

      CKV_GCP_23

      Best practice
      Minor

      Ensure Kubernetes Cluster is created with Alias IP ranges enabled

      CKV_GCP_24

      Best practice
      Minor

      Ensure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters

      CKV_GCP_25

      Best practice
      Minor

      Ensure Kubernetes Cluster is created with Private cluster enabled

      CKV_GCP_26

      Best practice
      Minor

      Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network

      CKV_GCP_29

      Best practice
      Minor

      Ensure that Cloud Storage buckets have uniform bucket-level access enabled

      CKV_GCP_30

      Best practice
      Minor

      Ensure that instances are not configured to use the default service account

      CKV_GCP_32

      Best practice
      Minor

      Ensure 'Block Project-wide SSH keys' is enabled for VM instances

      CKV_GCP_38

      Best practice
      Minor

      Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK)

      CKV_GCP_39

      Best practice
      Minor

      Ensure Compute instances are launched with Shielded VM enabled

      CKV_GCP_6

      Best practice
      Minor

      Ensure all Cloud SQL database instances require all incoming connections to use SSL

      CKV_GCP_61

      Best practice
      Minor

      Enable VPC Flow Logs and Intranode Visibility

      CKV_GCP_62

      Best practice
      Minor

      Ensure Cloud Storage buckets log access

      CKV_GCP_64

      Best practice
      Minor

      Ensure clusters are created with Private Nodes

      CKV_GCP_65

      Best practice
      Minor

      Manage Kubernetes RBAC users with Google Groups for GKE

      CKV_GCP_66

      Best practice
      Minor

      Ensure use of Binary Authorization

      CKV_GCP_67

      Best practice
      Minor

      Ensure legacy Compute Engine instance metadata APIs are disabled

      CKV_GCP_69

      Best practice
      Minor

      Ensure the GKE Metadata Server is Enabled

      CKV_GCP_70

      Best practice
      Minor

      Ensure the GKE Release Channel is set

      CKV_GCP_71

      Best practice
      Minor

      Ensure Shielded GKE Nodes are Enabled

      CKV_GIT_1

      Best practice
      Minor

      Ensure Repository is Private

      CKV2_AWS_1

      Best practice
      Minor

      Ensure that all NACLs are attached to subnets

      CKV2_AWS_11

      Best practice
      Minor

      Ensure VPC flow logging is enabled in all VPCs

      CKV2_AWS_12

      Best practice
      Minor

      Ensure the default security group of every VPC restricts all traffic

      CKV2_AWS_16

      Best practice
      Minor

      Ensure that Auto Scaling is enabled on your DynamoDB tables

      CKV2_AWS_17

      Best practice
      Minor

      Ensure that EC2 instances belong to a VPC

      CKV2_AWS_18

      Best practice
      Minor

      Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup

      CKV2_AWS_19

      Best practice
      Minor

      Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances

      CKV2_AWS_2

      Best practice
      Minor

      Ensure that only encrypted EBS volumes are attached to EC2 instances

      CKV2_AWS_20

      Best practice
      Minor

      Ensure that ALB redirects HTTP requests to HTTPS

      CKV2_AWS_23

      Best practice
      Minor

      Ensure Route53 A records point to an attached resource

      CKV2_AWS_27

      Best practice
      Minor

      Ensure Postgres RDS has query logging enabled

      CKV2_AWS_28

      Best practice
      Minor

      Ensure public-facing ALBs are protected by WAF

      CKV2_AWS_5

      Best practice
      Minor

      Ensure that security groups are attached to another resource

      CKV2_AWS_6

      Best practice
      Minor

      Ensure that S3 bucket has a Public Access block

      CKV2_AWS_9

      Best practice
      Minor

      Ensure that EBS volumes are added in the backup plans of AWS Backup

      CKV_AWS_174

      Best practice
      High

      Verify CloudFront Distribution Viewer Certificate is using TLS v1.2

      CKV_AWS_186

      Best practice
      High

      Ensure S3 bucket objects are encrypted by KMS using a customer managed key (CMK)

      CKV_AWS_191

      Best practice
      High

      Ensure Elasticache replication group is encrypted by KMS using a customer managed Key (CMK)

      CKV_AWS_78

      Security
      High

      Ensure that CodeBuild Project encryption is not disabled

      CKV2_AWS_32

      Best practice
      High

      Ensure CloudFront distribution has a strict security headers policy attached

      CKV2_AWS_30

      Safety
      High

      Ensure Postgres RDS (aws_db_instance) has query logging enabled

      CKV2_AWS_34

      Security
      Critical

      AWS SSM Parameter should be Encrypted

      CKV_AWS_189

      Security
      High

      Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)

      CKV_AWS_195

      Security
      High

      Ensure Glue component has a security configuration associated

      CKV2_AWS_33

      Security
      High

      Ensure AppSync is protected by WAF

      CKV_AZURE_102

      Safety
      High

      Ensure that PostgreSQL server enables geo-redundant backups

      CKV_AZURE_109

      Security
      Medium

      Ensure Key Vault has firewall rule settings configured

      CKV_AZURE_112

      Safety
      High

      Ensure key vault key is backed by HSM

      CKV_AZURE_114

      Best practice
      Medium

      Ensure key vault secrets have content_type set

      CKV_AZURE_117

      Security
      Critical

      Ensure that AKS uses disk encryption set

      CKV_AZURE_118

      Security
      High

      Ensure that Network Interfaces disable IP forwarding

      CKV_GIT_3

      Security
      High

      Ensure GitHub repository has vulnerability alerts enabled

      CKV_GIT_4

      Security
      Critical

      Ensure Secrets are encrypted

      CKV_AZURE_43

      Code style
      Minor

      Ensure Storage Accounts adhere to the naming rules

      CKV_AZURE_49

      Security
      High

      Ensure Azure Linux scale set does not use basic authentication (use SSH keys instead)

      CKV_AZURE_5

      Security
      High

      Ensure RBAC is enabled on AKS clusters

      CKV_AZURE_50

      Security
      Medium

      Ensure Virtual Machine extensions are not installed

      CKV_AZURE_120

      Security
      Medium

      Ensure that Application Gateway enables WAF

      CKV_AZURE_130

      Security
      High

      Ensure that PostgreSQL server enables infrastructure encryption

      CKV_AZURE_135

      Best practice
      Critical

      Ensure Application Gateway WAF prevents message lookup in Log4j2 (CVE-2021-44228, Log4Shell)

      CKV_AZURE_29

      Security
      High

      Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server

      CKV_AZURE_35

      Security
      Medium

      Ensure default network access rule for Storage Accounts is set to deny

      CKV_AZURE_36

      Security
      High

      Ensure 'Trusted Microsoft Services' is enabled for Storage Account access

      CKV_AZURE_40

      Security
      High

      Ensure that the expiration date is set on all keys

      CKV_AZURE_68

      Security
      High

      Ensure that PostgreSQL server disables public network access

      CKV_AZURE_97

      Security
      High

      Ensure that Virtual machine scale sets have encryption at host enabled

      CKV2_AZURE_21

      Security
      Medium

      Ensure Storage logging is enabled for Blob service for read requests

      CKV2_AZURE_8

      Security
      Critical

      Ensure the storage container storing the activity logs is not publicly accessible

      CKV_AWS_184

      Security
      High

      Ensure resource is encrypted by KMS using a customer managed Key

      CKV_AWS_42

      Security
      High

      Ensure EFS is securely encrypted

      CKV_AWS_237

      Best practice
      Medium

      Ensure create before destroy is set for API Gateway

      CKV_AWS_217

      Best practice
      Medium

      Ensure create before destroy is set for API Gateway deployments

      CKV2_AZURE_22

      Best practice
      Medium

      Ensure that Cognitive Services enables customer-managed key for encryption

      CKV_AWS_219

      Best practice
      Medium

      Ensure CodePipeline artifact store is using a KMS CMK

      CKV_AWS_35

      Best practice
      Medium

      Ensure CloudTrail logs are encrypted at rest using KMS CMKs

      CKV_AWS_36

      Best practice
      Medium

      Ensure AWS CloudTrail log validation is enabled in all regions.

      CKV_AWS_252

      Best practice
      Medium

      Ensure CloudTrail defines an SNS Topic.

      CKV_AWS_67

      Best practice
      Medium

      Ensure CloudTrail is enabled in all Regions

      CKV2_AWS_10

      Best practice
      Medium

      Ensure CloudTrail trails are integrated with CloudWatch Logs

      CKV_AZURE_98

      Best practice
      High

      Ensure that Azure Container group is deployed into virtual network.

      CKV_AZURE_116

      Security
      Medium

      Ensure that AKS uses the Azure Policy add-on

      CKV_AZURE_141

      Security
      Medium

      Ensure AKS local admin account is disabled

      CKV_AZURE_151

      Security
      Medium

      Ensure Windows VM enables encryption

      CKV_AZURE_44

      Security
      Medium

      Ensure Storage Account is using the latest version of TLS encryption

      CKV_AWS_249

      Best practice
      High

      Ensure that the Execution Role ARN and the Task Role ARN are different in ECS Task definitions

      CKV_AWS_57

      Security
      Medium

      S3 Bucket has an ACL defined which allows public WRITE access.

      CKV_AWS_120

      Best practice
      High

      Ensure API Gateway caching is enabled

      CKV_AWS_73

      Best practice
      Medium

      Ensure API Gateway has X-Ray tracing enabled

      CKV_AWS_80

      Best practice
      High

      Ensure MSK Cluster logging is enabled

      CKV_K8S_21

      Best practice
      Medium

      The default namespace should not be used.

      CKV_K8S_29

      Security
      Minor

      Ensure securityContext is applied to pods and containers.

      CKV2_AWS_29

      Best practice
      High

      Ensure public API Gateways are protected by AWS Web Application Firewall v2

      CKV2_AWS_4

      Best practice
      Medium

      Ensure API Gateway stages have an appropriate logging level defined

      CKV_AWS_133

      Security
      High

      Ensure RDS instances have a backup policy

      CKV_AWS_178

      Security
      Medium

      Ensure FSx for ONTAP file system is encrypted by KMS using a customer managed key (CMK)

      CKV_AWS_226

      Best practice
      High

      Ensure DB instance gets all minor upgrades automatically

      CKV_AWS_250

      Security
      Critical

      Ensure that RDS PostgreSQL instances use a non vulnerable version with the log_fdw extension

      CKV2_AWS_35

      Best practice
      High

      AWS NAT Gateways should be utilized for the default route