CKV_AWS_103
Best practice
Informational
Ensure that load balancer is using TLS 1.2
BACK TO LIST
Terraform rules
Codiga Static Analysis engine checks all terraform code and surface security and safety issues as well as enforcement of best practices. No matter what cloud you use (AWS, GCP, Azure), Codiga got you covered and flags potential problems at every push and pull request.
CKV_AWS_107
Best practice
Informational
Ensure IAM policies does not allow credentials exposure
CKV_AWS_108
Best practice
Informational
Ensure IAM policies does not allow data exfiltration
CKV_AWS_109
Best practice
Informational
Ensure IAM policies does not allow permissions management / resource exposure without constraints
CKV_AWS_110
Best practice
Informational
Ensure IAM policies does not allow privilege escalation
CKV_AWS_111
Best practice
Informational
Ensure IAM policies does not allow write access without constraints
CKV_AWS_115
Best practice
Informational
Ensure that AWS Lambda function is configured for function-level concurrent execution limit
CKV_AWS_116
Best practice
Informational
Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)
CKV_AWS_117
Best practice
Informational
Ensure that AWS Lambda function is configured inside a VPC
CKV_AWS_118
Best practice
Informational
Ensure that enhanced monitoring is enabled for Amazon RDS instances
CKV_AWS_119
Best practice
Informational
Ensure DynamoDB Tables are encrypted using a KMS Customer Managed CMK
CKV_AWS_124
Best practice
Informational
Ensure that CloudFormation stacks are sending event notifications to an SNS topic
CKV_AWS_126
Best practice
Informational
Ensure that detailed monitoring is enabled for EC2 instances
CKV_AWS_127
Best practice
Informational
Ensure that Elastic Load Balancer(s) uses SSL certificates provided by AWS Certificate Manager
CKV_AWS_129
Best practice
Informational
Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled
CKV_AWS_130
Best practice
Informational
Ensure VPC subnets do not assign public IP by default
CKV_AWS_131
Best practice
Informational
Ensure that ALB drops HTTP headers
CKV_AWS_134
Best practice
Informational
Ensure that Amazon ElastiCache Redis clusters have automatic backup turned on
CKV_AWS_135
Best practice
Informational
Ensure that EC2 is EBS optimized
CKV_AWS_136
Best practice
Informational
Ensure that ECR repositories are encrypted using KMS
CKV_AWS_144
Best practice
Informational
Ensure that S3 bucket has cross-region replication enabled
CKV_AWS_145
Best practice
Informational
Ensure that S3 buckets are encrypted with KMS by default
CKV_AWS_147
Best practice
Informational
Ensure that CodeBuild projects are encrypted
CKV_AWS_148
Best practice
Informational
Ensure no default VPC is planned to be provisioned
CKV_AWS_149
Best practice
Informational
Ensure that Secrets Manager secret is encrypted using KMS
CKV_AWS_150
Best practice
Informational
Ensure that Load Balancer has deletion protection enabled
CKV_AWS_157
Best practice
Informational
Ensure that RDS instances have Multi-AZ enabled
CKV_AWS_158
Best practice
Informational
Ensure that CloudWatch Log Group is encrypted by KMS
CKV_AWS_16
Best practice
Informational
Ensure all data stored in the RDS is securely encrypted at rest
CKV_AWS_161
Best practice
Informational
Ensure RDS database has IAM authentication enabled
CKV_AWS_163
Best practice
Informational
Ensure ECR image scanning on push is enabled
CKV_AWS_168
Best practice
Informational
Ensure SQS queue policy is not public by only allowing specific services or principals to access it
CKV_AWS_17
Best practice
Informational
Ensure all data stored in RDS is not publicly accessible
CKV_AWS_173
Best practice
Informational
Check encryption settings for Lambda environmental variable
CKV_AWS_18
Best practice
Informational
Ensure the S3 bucket has access logging enabled
CKV_AWS_19
Best practice
Informational
Ensure all data stored in the S3 bucket is securely encrypted at rest
CKV_AWS_2
Best practice
Informational
Ensure ALB protocol is HTTPS
CKV_AWS_20
Best practice
Informational
S3 Bucket has an ACL defined which allows public READ access.
CKV_AWS_21
Best practice
Informational
Ensure all data stored in the S3 bucket have versioning enabled
CKV_AWS_23
Best practice
Informational
Ensure every security groups rule has a description
CKV_AWS_24
Best practice
Informational
Ensure no security groups allow ingress from 0.0.0.0:0 to port 22
CKV_AWS_25
Best practice
Informational
Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389
CKV_AWS_26
Best practice
Informational
Ensure all data stored in the SNS topic is encrypted
CKV_AWS_27
Best practice
Informational
Ensure all data stored in the SQS queue is encrypted
CKV_AWS_28
Best practice
Informational
Ensure Dynamodb point in time recovery (backup) is enabled
CKV_AWS_3
Best practice
Informational
Ensure all data stored in the EBS is securely encrypted
CKV_AWS_30
Best practice
Informational
Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit
CKV_AWS_31
Best practice
Informational
Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit and has auth token
CKV_AWS_34
Best practice
Informational
Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS
CKV_AWS_40
Best practice
Informational
Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)
CKV_AWS_41
Best practice
Informational
Ensure no hard coded AWS access key and secret key exists in provider
CKV_AWS_50
Best practice
Informational
X-ray tracing is enabled for Lambda
CKV_AWS_51
Best practice
Informational
Ensure ECR Image Tags are immutable
CKV_AWS_52
Best practice
Informational
Ensure S3 bucket has MFA delete enabled
CKV_AWS_54
Best practice
Informational
Ensure S3 bucket has block public policy enabled
CKV_AWS_56
Best practice
Informational
Ensure S3 bucket has 'restrict\_public\_bucket' enabled
CKV_AWS_59
Best practice
Informational
Ensure there is no open access to back-end resources through API
CKV_AWS_65
Best practice
Informational
Ensure container insights are enabled on ECS cluster
CKV_AWS_66
Best practice
Informational
Ensure that CloudWatch Log Group specifies retention days
CKV_AWS_68
Best practice
Informational
CloudFront Distribution should have WAF enabled
CKV_AWS_7
Best practice
Informational
Ensure rotation for customer created CMKs is enabled
CKV_AWS_76
Best practice
Informational
Ensure API Gateway has Access Logging enabled
CKV_AWS_79
Best practice
Informational
Ensure Instance Metadata Service Version 1 is not enabled
CKV_AWS_8
Best practice
Informational
Ensure all data stored in the Launch configuration EBS is securely encrypted
CKV_AWS_86
Best practice
Informational
Ensure Cloudfront distribution has Access Logging enabled
CKV_AWS_88
Best practice
Informational
EC2 instance should not have public IP.
CKV_AWS_91
Best practice
Informational
Ensure the ELBv2 (Application/Network) has access logging enabled
CKV_AWS_92
Best practice
Informational
Ensure the ELB has access logging enabled
CKV_AWS_98
Best practice
Informational
Ensure all data stored in the Sagemaker Endpoint is securely encrypted at rest
CKV_GCP_12
Best practice
Informational
Ensure Network Policy is enabled on Kubernetes Engine Clusters
CKV_GCP_13
Best practice
Informational
Ensure a client certificate is used by clients to authenticate to Kubernetes Engine Clusters
CKV_GCP_14
Best practice
Informational
Ensure all Cloud SQL database instance have backup configuration enabled
CKV_GCP_18
Best practice
Informational
Ensure GKE Control Plane is not public
CKV_GCP_19
Best practice
Informational
Ensure GKE basic auth is disabled
CKV_GCP_2
Best practice
Informational
Ensure Google compute firewall ingress does not allow unrestricted ssh access
CKV_GCP_20
Best practice
Informational
Ensure master authorized networks is set to enabled in GKE clusters
CKV_GCP_21
Best practice
Informational
Ensure Kubernetes Clusters are configured with Labels
CKV_GCP_23
Best practice
Informational
Ensure Kubernetes Cluster is created with Alias IP ranges enabled
CKV_GCP_24
Best practice
Informational
Ensure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters
CKV_GCP_25
Best practice
Informational
Ensure Kubernetes Cluster is created with Private cluster enabled
CKV_GCP_26
Best practice
Informational
Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network
CKV_GCP_29
Best practice
Informational
Ensure that Cloud Storage buckets have uniform bucket-level access enabled
CKV_GCP_30
Best practice
Informational
Ensure that instances are not configured to use the default service account
CKV_GCP_32
Best practice
Informational
Ensure 'Block Project-wide SSH keys' is enabled for VM instances
CKV_GCP_38
Best practice
Informational
Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK)
CKV_GCP_39
Best practice
Informational
Ensure Compute instances are launched with Shielded VM enabled
CKV_GCP_6
Best practice
Informational
Ensure all Cloud SQL database instance requires all incoming connections to use SSL
CKV_GCP_61
Best practice
Informational
Enable VPC Flow Logs and Intranode Visibility
CKV_GCP_62
Best practice
Informational
Bucket should log access
CKV_GCP_64
Best practice
Informational
Ensure clusters are created with Private Nodes
CKV_GCP_65
Best practice
Informational
Manage Kubernetes RBAC users with Google Groups for GKE
CKV_GCP_66
Best practice
Informational
Ensure use of Binary Authorization
CKV_GCP_67
Best practice
Informational
Ensure legacy Compute Engine instance metadata APIs are Disabled
CKV_GCP_69
Best practice
Informational
Ensure the GKE Metadata Server is Enabled
CKV_GCP_70
Best practice
Informational
Ensure the GKE Release Channel is set
CKV_GCP_71
Best practice
Informational
Ensure Shielded GKE Nodes are Enabled
CKV_GIT_1
Best practice
Informational
Ensure Repository is Private
CKV2_AWS_1
Best practice
Informational
Ensure that all NACL are attached to subnets
CKV2_AWS_11
Best practice
Informational
Ensure VPC flow logging is enabled in all VPCs
CKV2_AWS_12
Best practice
Informational
Ensure the default security group of every VPC restricts all traffic
CKV2_AWS_16
Best practice
Informational
Ensure that Auto Scaling is enabled on your DynamoDB tables
CKV2_AWS_17
Best practice
Informational
Ensure that EC2 instances belong to a VPC
CKV2_AWS_18
Best practice
Informational
Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup
CKV2_AWS_19
Best practice
Informational
Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances
CKV2_AWS_2
Best practice
Informational
Ensure that only encrypted EBS volumes are attached to EC2 instances
CKV2_AWS_20
Best practice
Informational
Ensure that ALB redirects HTTP requests into HTTPS ones
CKV2_AWS_23
Best practice
Informational
Route53 A Record has Attached Resource
CKV2_AWS_27
Best practice
Informational
Postgres RDS has Query Logging enabled
CKV2_AWS_28
Best practice
Informational
Ensure public facing ALB are protected by WAF
CKV2_AWS_5
Best practice
Informational
Ensure that Security Groups are attached to an other resource
CKV2_AWS_6
Best practice
Informational
Ensure that S3 bucket has a Public Access block
CKV2_AWS_9
Best practice
Informational
Ensure that EBS are added in the backup plans of AWS Backup
CKV_AWS_174
Best practice
Error
Verify CloudFront Distribution Viewer Certificate is using TLS v1.2
CKV_AWS_186
Best practice
Error
Ensure S3 bucket Object is encrypted by KMS using a customer managed Key (CMK)
CKV_AWS_191
Best practice
Error
Ensure Elasticache replication group is encrypted by KMS using a customer managed Key (CMK)
CKV_AWS_78
Security
Error
Ensure that CodeBuild Project encryption is not disabled
CKV2_AWS_32
Best practice
Error
Ensure CloudFront distribution has a strict security headers policy attached
CKV2_AWS_30
Safety
Error
Ensure Postgres RDS as aws_db_instance has Query Logging enabled
CKV2_AWS_34
Security
Critical
AWS SSM Parameter should be Encrypted
CKV_AWS_189
Security
Error
Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)
CKV_AWS_195
Security
Error
Ensure Glue component has a security configuration associated
CKV2_AWS_33
Security
Error
Ensure AppSync is protected by WAF
CKV_AZURE_102
Safety
Error
Ensure that PostgreSQL server enables geo-redundant backups
CKV_AZURE_109
Security
Warning
Ensure key vault allows firewall rules settings
CKV_AZURE_112
Safety
Error
Ensure key vault key is backed by HSM
CKV_AZURE_114
Best practice
Warning
Ensure key vault secrets have content_type set
CKV_AZURE_117
Security
Critical
Ensure that AKS uses disk encryption set
CKV_AZURE_118
Security
Error
Ensure that Network Interfaces disable IP forwarding
CKV_GIT_3
Security
Error
Ensure GitHub repository has vulnerability alerts enabled
CKV_GIT_4
Security
Critical
Ensure Secrets are encrypted
CKV_AZURE_43
Code style
Informational
Ensure Storage Accounts adhere to the naming rules
CKV_AZURE_49
Security
Error
Ensure Azure linux scale set does not use basic authentication(Use SSH Key Instead)
CKV_AZURE_5
Security
Error
Ensure RBAC is enabled on AKS clusters
CKV_AZURE_50
Security
Warning
Ensure Virtual Machine Extensions are not Installed
CKV_AZURE_120
Security
Warning
Ensure that Application Gateway enables WAF
CKV_AZURE_130
Security
Error
Ensure that PostgreSQL server enables infrastructure encryption
CKV_AZURE_135
Best practice
Critical
Ensure Application Gateway WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell
CKV_AZURE_29
Security
Error
Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server
CKV_AZURE_35
Security
Warning
Ensure default network access rule for Storage Accounts is set to deny
CKV_AZURE_36
Security
Error
Ensure 'Trusted Microsoft Services' is enabled for Storage Account access
CKV_AZURE_40
Security
Error
Ensure that the expiration date is set on all keys
CKV_AZURE_68
Security
Error
Ensure that PostgreSQL server disables public network access
CKV_AZURE_97
Security
Error
Ensure that Virtual machine scale sets have encryption at host enabled
CKV2_AZURE_21
Security
Warning
Ensure Storage logging is enabled for Blob service for read requests
CKV2_AZURE_8
Security
Critical
Ensure the storage container storing the activity logs is not publicly accessible
CKV_AWS_184
Security
Error
Ensure resource is encrypted by KMS using a customer managed Key
CKV_AWS_42
Security
Error
Ensure EFS is securely encrypted
CKV_AWS_237
Best practice
Warning
Ensure Create before destroy for API GATEWAY
CKV_AWS_217
Best practice
Warning
Ensure Create before destroy for API deployments
CKV2_AZURE_22
Best practice
Warning
Ensure that Cognitive Services enables customer-managed key for encryption
CKV_AWS_219
Best practice
Warning
Ensure Code Pipeline Artifact store is using a KMS CMK
CKV_AWS_35
Best practice
Warning
Ensure CloudTrail logs are encrypted at rest using KMS CMKs
CKV_AWS_36
Best practice
Warning
Ensure AWS CloudTrail log validation is enabled in all regions.
CKV_AWS_252
Best practice
Warning
Ensure CloudTrail defines an SNS Topic.
CKV_AWS_67
Best practice
Warning
Ensure CloudTrail is enabled in all Regions
CKV2_AWS_10
Best practice
Warning
Ensure CloudTrail trails are integrated with CloudWatch Logs
CKV_AZURE_98
Best practice
Error
Ensure that Azure Container group is deployed into virtual network.
CKV_AZURE_116
Security
Warning
Ensure that AKS uses Azure Policies Add-on
CKV_AZURE_141
Security
Warning
Ensure AKS local admin account is disabled
CKV_AZURE_151
Security
Warning
Ensure Windows VM enables encryption
CKV_AZURE_44
Security
Warning
Ensure Storage Account is using the latest version of TLS encryption
CKV_AWS_249
Best practice
Error
Ensure that the Execution Role ARN and the Task Role ARN are different in ECS Task definitions
CKV_AWS_57
Security
Warning
S3 Bucket has an ACL defined which allows public WRITE access.
CKV_AWS_120
Best practice
Error
Ensure API Gateway caching is enabled
CKV_AWS_73
Best practice
Warning
Ensure API Gateway has X-Ray tracing enabled
CKV_AWS_80
Best practice
Error
Ensure MSK Cluster logging is enabled
CKV_K8S_21
Best practice
Warning
The default namespace should not be used.
CKV_K8S_29
Security
Informational
Ensure securityContext is applied to pods and containers.
CKV2_AWS_29
Best practice
Error
Ensure public API gateway are protected by AWS Web Application Firewall v2
CKV2_AWS_4
Best practice
Warning
Ensure API Gateway stage have logging level defined as appropriate
CKV_AWS_133
Security
Error
Ensure RDS instances have backup policy
CKV_AWS_178
Security
Warning
Ensure fx ontap file system is encrypted by KMS using a customer managed Key (CMK)
CKV_AWS_226
Best practice
Error
Ensure DB instance gets all minor upgrades automatically
CKV_AWS_250
Security
Critical
Ensure that RDS PostgreSQL instances use a non vulnerable version with the log_fdw extension
CKV2_AWS_35
Best practice
Error
AWS NAT Gateways should be utilized for the default route
CKV_AWS_247
Security
Error
Ensure all data stored in the Elasticsearch is encrypted with a CMK
CKV_AZURE_34
Security
Error
Ensure that 'Public access level' is set to Private for blob containers
CKV_AZURE_41
Security
Error
Ensure secrets have an expiration date set
CKV2_AWS_3
Security
Warning
Ensure GuardDuty is enbaled to specific org/region
CKV2_AZURE_20
Security
Warning
Ensure Azure storage account logging for tables is enabled
CKV_AWS_260
Security
Error
Ensure no security groups allow ingress from 0.0.0.0:0 to port 80
CKV_AZURE_134
Best practice
Warning
Ensure that Cognitive Services accounts disable public network access.
CKV_AWS_106
Security
Error
Ensure EBS default encryption is enabled
CKV_AWS_128
Security
Error
Ensure Amazon RDS clusters and instances have AWS IAM authentication enabled
CKV_AWS_137
Security
Warning
Ensure that Elasticsearch is configured inside a VPC
CKV_AWS_139
Safety
Warning
Ensure that RDS clusters have deletion protection enabled
CKV_AWS_142
Security
Warning
Ensure Redshift cluster is encrypted by KMS
CKV_AWS_162
Security
Warning
Ensure RDS cluster has IAM authentication enabled
CKV_AWS_179
Security
Warning
Ensure FSX Windows filesystem is encrypted by KMS using a customer managed Key (CMK)
CKV_AWS_188
Security
Warning
Ensure RedShift Cluster is encrypted by KMS using a customer managed Key (CMK)
CKV_AWS_216
Error prone
Informational
Ensure Cloudfront distribution is enabled
CKV_AWS_228
Security
Warning
Verify Elasticsearch domain is using an up to date TLS policy
CKV_AWS_248
Security
Warning
Ensure that Elasticsearch is not using the default Security Group
CKV_AWS_33
Security
Warning
Ensure KMS key policy does not contain wildcard (*) principal
CKV_AWS_71
Security
Warning
Ensure AWS Redshift database has audit logging enabled
CKV_AWS_84
Security
Warning
Ensure Elasticsearch Domain Logging is enabled
CKV_AWS_87
Security
Critical
Ensure Amazon Redshift clusters are not publicly accessible
CKV_AWS_96
Security
Critical
Ensure all data stored in Aurora is securely encrypted at rest
CKV_GLB_4
Best practice
Warning
Ensure commits are signed
CKV_GLB_1
Best practice
Informational
Ensure at least two approving reviews to merge
CKV_GIT_6
Security
Warning
Ensure all commits GPG signed
CKV_GIT_5
Security
Informational
Ensure at least two approving reviews for PRs
CKV_AZURE_1
Security
Critical
Ensure Azure Instance does not use basic authentication(Use SSH Key Instead)
CKV_AZURE_103
Security
Warning
Ensure that Azure Data Factory uses Git repository for source control
CKV_AZURE_104
Security
Error
Ensure Azure Data factory public network access is disabled
CKV_AZURE_110
Security
Warning
Ensure that key vault enables purge protection
CKV_AZURE_13
Security
Error
Ensure App Service Authentication is set on Azure App Service
CKV_AZURE_16
Security
Warning
Ensure App Service is registered with an Azure Active Directory account
CKV_AZURE_17
Security
Warning
Ensure the web app has certificates set
CKV_AZURE_18
Security
Warning
Ensure that 'HTTP Version' is the latest if used to run the web app
CKV_AZURE_24
Best practice
Error
Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers
CKV_AZURE_3
Security
Error
Ensure that 'Secure transfer required' is set to 'Enabled'
CKV_AZURE_33
Security
Error
Ensure Storage logging is enabled for Queue service for read, write and delete requests
CKV_AZURE_42
Safety
Error
Ensure the key vault is recoverable
CKV_AZURE_56
Security
Error
Ensure that function apps enables Authentication
CKV_AZURE_60
Security
Error
Ensure secure transfer required is enabled
CKV_AZURE_63
Security
Informational
Ensure that App service enables HTTP logging
CKV_AZURE_65
Best practice
Warning
Ensure app service enables detailed error messages
CKV_AZURE_66
Best practice
Warning
Ensure app service enables failed request tracing
CKV_AZURE_67
Best practice
Informational
Ensure that 'HTTP Version' is the latest, if used to run the Function app
CKV_AZURE_70
Security
Warning
Ensure function apps are only accessible over HTTPS
CKV_AZURE_71
Best practice
Informational
Ensure that Managed identity provider is enabled for app services
CKV_AZURE_78
Security
Error
Ensure FTP deployments are disabled
CKV_AZURE_80
Security
Informational
Ensure that 'Net Framework' version is the latest, if used as a part of the web app
CKV_AZURE_88
Best practice
Informational
Ensure that app services use Azure Files
CKV2_AWS_8
Best practice
Warning
Ensure RDS clusters have an AWS Backup backup plan
CKV2_AZURE_1
Security
Error
Ensure storage for critical data are encrypted with Customer Managed Key
CKV2_AZURE_10
Security
Informational
Ensure Microsoft Antimalware is configured to automatically update Virtual Machines
CKV2_AZURE_12
Best practice
Informational
Ensure that virtual machines are backed up using Azure Backup
CKV2_AZURE_15
Security
Informational
Ensure that Azure data factories are encrypted with a customer-managed key
CKV2_AZURE_18
Security
Warning
Ensure that Storage Accounts use customer-managed key for encryption
CKV2_AZURE_2
Security
Warning
Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account
CKV2_AZURE_7
Best practice
Informational
Ensure that Azure Active Directory Admin is configured
CKV2_AZURE_9
Best practice
Warning
Ensure Virtual Machines are utilizing Managed Disks
CKV_AWS_6
Best practice
Warning
Ensure all Elasticsearch has node-to-node encryption enabled
CKV_AWS_261
Safety
Error
Ensure HTTP HTTPS Target group defines Healthcheck