Codiga Analysis Terraform Rules

Terraform rules

Codiga's static analysis engine checks all Terraform code and surfaces security and safety issues as well as best-practice violations. Whatever cloud you use (AWS, GCP, Azure), Codiga has you covered and flags potential problems at every push and pull request. The rule identifiers below (CKV_AWS_*, CKV_GCP_*, CKV_AZURE_*, CKV2_*, CKV_GIT_*, CKV_GLB_*, CKV_K8S_*) are Checkov check IDs; each rule is listed with its category and the severity Codiga assigns to it.

CKV_AWS_103

Best practice
Informational

Ensure that load balancer is using TLS 1.2


CKV_AWS_107

Best practice
Informational

Ensure IAM policies do not allow credentials exposure

CKV_AWS_108

Best practice
Informational

Ensure IAM policies do not allow data exfiltration

CKV_AWS_109

Best practice
Informational

Ensure IAM policies do not allow permissions management / resource exposure without constraints

CKV_AWS_110

Best practice
Informational

Ensure IAM policies do not allow privilege escalation

CKV_AWS_111

Best practice
Informational

Ensure IAM policies do not allow write access without constraints
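The five IAM policy rules above all look at the same thing: statements whose Action and Resource are broad enough that the principal can grant itself more access or write anywhere. The following Terraform is an added example, not code from the Codiga page: the first policy is the wildcard pattern CKV_AWS_109, CKV_AWS_110 and CKV_AWS_111 are designed to flag, the second is a scoped replacement. The bucket name, role name and EC2 trust policy are placeholders.

```hcl
# Added example, not from the Codiga page. "example-app-data" and the role
# are placeholders; the role's trust policy is for EC2 only for illustration.

# Flagged: wildcard Action and Resource grant permissions management,
# privilege escalation and unconstrained writes (CKV_AWS_109, CKV_AWS_110,
# CKV_AWS_111).
resource "aws_iam_policy" "too_broad" {
  name = "example-too-broad"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["*"]
      Resource = "*"
    }]
  })
}

# Passes: actions enumerated, resources pinned to one bucket and its objects.
data "aws_iam_policy_document" "scoped" {
  statement {
    sid    = "ReadWriteOneBucket"
    effect = "Allow"
    actions = [
      "s3:GetObject",
      "s3:PutObject",
      "s3:ListBucket",
    ]
    resources = [
      "arn:aws:s3:::example-app-data",
      "arn:aws:s3:::example-app-data/*",
    ]
  }
}

resource "aws_iam_policy" "scoped" {
  name   = "example-scoped"
  policy = data.aws_iam_policy_document.scoped.json
}

resource "aws_iam_role" "app" {
  name = "example-app"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "ec2.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

# CKV_AWS_40 (further down this list): attach policies to roles or groups,
# never directly to IAM users.
resource "aws_iam_role_policy_attachment" "scoped" {
  role       = aws_iam_role.app.name
  policy_arn = aws_iam_policy.scoped.arn
}
```

A `"*"` action with a `"*"` resource is the extreme case; the same checks also fire on enumerated actions such as `iam:PutRolePolicy` or `iam:PassRole` when the resource is unconstrained, so the fix is always to narrow both halves of the statement, not just one.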

CKV_AWS_115

Best practice
Informational

Ensure that AWS Lambda function is configured for function-level concurrent execution limit

CKV_AWS_116

Best practice
Informational

Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)

CKV_AWS_117

Best practice
Informational

Ensure that AWS Lambda function is configured inside a VPC

CKV_AWS_118

Best practice
Informational

Ensure that enhanced monitoring is enabled for Amazon RDS instances

CKV_AWS_119

Best practice
Informational

Ensure DynamoDB Tables are encrypted using a KMS Customer Managed CMK

CKV_AWS_124

Best practice
Informational

Ensure that CloudFormation stacks are sending event notifications to an SNS topic

CKV_AWS_126

Best practice
Informational

Ensure that detailed monitoring is enabled for EC2 instances

CKV_AWS_127

Best practice
Informational

Ensure that Elastic Load Balancer(s) uses SSL certificates provided by AWS Certificate Manager

CKV_AWS_129

Best practice
Informational

Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled

CKV_AWS_130

Best practice
Informational

Ensure VPC subnets do not assign public IP by default

CKV_AWS_131

Best practice
Informational

Ensure that ALB drops HTTP headers

CKV_AWS_134

Best practice
Informational

Ensure that Amazon ElastiCache Redis clusters have automatic backup turned on

CKV_AWS_135

Best practice
Informational

Ensure that EC2 is EBS optimized

CKV_AWS_136

Best practice
Informational

Ensure that ECR repositories are encrypted using KMS

CKV_AWS_144

Best practice
Informational

Ensure that S3 bucket has cross-region replication enabled

CKV_AWS_145

Best practice
Informational

Ensure that S3 buckets are encrypted with KMS by default

CKV_AWS_147

Best practice
Informational

Ensure that CodeBuild projects are encrypted

CKV_AWS_148

Best practice
Informational

Ensure no default VPC is planned to be provisioned

CKV_AWS_149

Best practice
Informational

Ensure that Secrets Manager secret is encrypted using KMS

CKV_AWS_150

Best practice
Informational

Ensure that Load Balancer has deletion protection enabled

CKV_AWS_157

Best practice
Informational

Ensure that RDS instances have Multi-AZ enabled

CKV_AWS_158

Best practice
Informational

Ensure that CloudWatch Log Group is encrypted by KMS

CKV_AWS_16

Best practice
Informational

Ensure all data stored in the RDS is securely encrypted at rest

CKV_AWS_161

Best practice
Informational

Ensure RDS database has IAM authentication enabled

CKV_AWS_163

Best practice
Informational

Ensure ECR image scanning on push is enabled

CKV_AWS_168

Best practice
Informational

Ensure SQS queue policy is not public by only allowing specific services or principals to access it

CKV_AWS_17

Best practice
Informational

Ensure all data stored in RDS is not publicly accessible

CKV_AWS_173

Best practice
Informational

Check encryption settings for Lambda environment variables

CKV_AWS_18

Best practice
Informational

Ensure the S3 bucket has access logging enabled

CKV_AWS_19

Best practice
Informational

Ensure all data stored in the S3 bucket is securely encrypted at rest

CKV_AWS_2

Best practice
Informational

Ensure ALB protocol is HTTPS

CKV_AWS_20

Best practice
Informational

S3 Bucket has an ACL defined which allows public READ access.

CKV_AWS_21

Best practice
Informational

Ensure all data stored in the S3 bucket have versioning enabled

CKV_AWS_23

Best practice
Informational

Ensure every security group rule has a description

CKV_AWS_24

Best practice
Informational

Ensure no security groups allow ingress from 0.0.0.0/0 to port 22

CKV_AWS_25

Best practice
Informational

Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389
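The three security group rules above (CKV_AWS_23, CKV_AWS_24, CKV_AWS_25) are illustrated by the added example below; it is not code from the Codiga page. The first group is the failing shape (SSH and RDP open to the world, no descriptions), the second passes. The VPC and the bastion range 10.0.100.0/24 are assumed values.

```hcl
# Added example, not from the Codiga page. The VPC and the bastion range
# 10.0.100.0/24 are assumed values.
resource "aws_vpc" "main" {
  cidr_block = "10.0.0.0/16"
}

# Flagged: SSH and RDP reachable from the whole internet (CKV_AWS_24,
# CKV_AWS_25) and rules without descriptions (CKV_AWS_23).
resource "aws_security_group" "open_admin" {
  name   = "example-open-admin"
  vpc_id = aws_vpc.main.id

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    from_port   = 3389
    to_port     = 3389
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Passes: admin port reachable only from the bastion subnet, every rule
# carries a description, egress is explicit instead of the implicit any/any.
resource "aws_security_group" "admin_restricted" {
  name        = "example-admin-restricted"
  description = "SSH from the bastion subnet only"
  vpc_id      = aws_vpc.main.id

  ingress {
    description = "SSH from bastion subnet"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["10.0.100.0/24"]
  }

  egress {
    description = "Outbound to the VPC only"
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["10.0.0.0/16"]
  }
}
```

Declaring any `egress` block suppresses the provider's default allow-all egress, which is why the restricted group spells it out. A group that nothing references still trips CKV2_AWS_5 until it is attached to an instance, ENI or load balancer, and 0.0.0.0/0 on port 80 is covered separately by CKV_AWS_260.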

CKV_AWS_26

Best practice
Informational

Ensure all data stored in the SNS topic is encrypted

CKV_AWS_27

Best practice
Informational

Ensure all data stored in the SQS queue is encrypted

CKV_AWS_28

Best practice
Informational

Ensure DynamoDB point-in-time recovery (backup) is enabled

CKV_AWS_3

Best practice
Informational

Ensure all data stored in the EBS is securely encrypted

CKV_AWS_30

Best practice
Informational

Ensure all data stored in the ElastiCache Replication Group is securely encrypted in transit

CKV_AWS_31

Best practice
Informational

Ensure all data stored in the ElastiCache Replication Group is securely encrypted in transit and has an auth token

CKV_AWS_34

Best practice
Informational

Ensure CloudFront distribution ViewerProtocolPolicy is set to HTTPS

CKV_AWS_40

Best practice
Informational

Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)

CKV_AWS_41

Best practice
Informational

Ensure no hard coded AWS access key and secret key exists in provider

CKV_AWS_50

Best practice
Informational

Ensure X-Ray tracing is enabled for Lambda
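The Lambda rules in this list (CKV_AWS_115, CKV_AWS_116, CKV_AWS_117, CKV_AWS_173 and CKV_AWS_50) all land on one `aws_lambda_function` resource. The added example below, which is not code from the Codiga page, shows a function that satisfies all five. The private subnets and the Lambda security group are assumed to exist elsewhere in the module, and `build/worker.zip` is a placeholder artifact.

```hcl
# Added example, not from the Codiga page. The private subnets and the
# Lambda security group are assumed to exist elsewhere in the module;
# build/worker.zip is a placeholder artifact.
resource "aws_kms_key" "lambda_env" {
  description         = "Encrypts example-worker environment variables"
  enable_key_rotation = true
}

resource "aws_sqs_queue" "lambda_dlq" {
  name              = "example-worker-dlq"
  kms_master_key_id = "alias/aws/sqs"   # CKV_AWS_27: queue contents encrypted
}

resource "aws_iam_role" "lambda" {
  name = "example-worker"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "lambda.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

# ENI management permissions a VPC-attached function needs.
resource "aws_iam_role_policy_attachment" "lambda_vpc" {
  role       = aws_iam_role.lambda.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
}

resource "aws_lambda_function" "worker" {
  function_name = "example-worker"
  role          = aws_iam_role.lambda.arn
  handler       = "app.handler"
  runtime       = "python3.9"
  filename      = "build/worker.zip"

  # CKV_AWS_115: a burst of events cannot consume the account's concurrency.
  reserved_concurrent_executions = 20

  # CKV_AWS_116: failed asynchronous invocations are retained for inspection.
  dead_letter_config {
    target_arn = aws_sqs_queue.lambda_dlq.arn
  }

  # CKV_AWS_117: egress is governed by the VPC's security groups and routes.
  vpc_config {
    subnet_ids         = [aws_subnet.private_a.id, aws_subnet.private_b.id]
    security_group_ids = [aws_security_group.lambda.id]
  }

  # CKV_AWS_173: environment variables encrypted at rest with a CMK.
  kms_key_arn = aws_kms_key.lambda_env.arn
  environment {
    variables = {
      LOG_LEVEL = "INFO"
    }
  }

  # CKV_AWS_50: X-Ray tracing.
  tracing_config {
    mode = "Active"
  }
}
```

The role also needs `sqs:SendMessage` on the DLQ and `kms:Decrypt` on the environment key at runtime; the static checks only look at the function's configuration, so a missing runtime permission will surface as a failed invocation rather than a scan finding.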

CKV_AWS_51

Best practice
Informational

Ensure ECR Image Tags are immutable

CKV_AWS_52

Best practice
Informational

Ensure S3 bucket has MFA delete enabled

CKV_AWS_54

Best practice
Informational

Ensure S3 bucket has block public policy enabled

CKV_AWS_56

Best practice
Informational

Ensure S3 bucket has 'restrict_public_buckets' enabled
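The S3 rules scattered through this list (CKV_AWS_18, CKV_AWS_19, CKV_AWS_21, CKV_AWS_52, CKV_AWS_54, CKV_AWS_56, CKV_AWS_145 and CKV2_AWS_6) fit one hardened bucket definition. The block below is an added example, not code from the Codiga page; it assumes AWS provider v4 or later (split S3 resources) and uses placeholder bucket names.

```hcl
# Added example, not from the Codiga page. Uses the AWS provider v4+ split
# S3 resources; bucket names are placeholders.
resource "aws_kms_key" "s3" {
  description         = "Default encryption key for example-app-data"
  enable_key_rotation = true   # CKV_AWS_7
}

resource "aws_s3_bucket" "data" {
  bucket = "example-app-data"
}

# CKV_AWS_19 / CKV_AWS_145: default SSE-KMS with the key above.
resource "aws_s3_bucket_server_side_encryption_configuration" "data" {
  bucket = aws_s3_bucket.data.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.s3.arn
    }
  }
}

# CKV_AWS_21 / CKV_AWS_52: versioning with MFA delete. Applying
# mfa_delete = "Enabled" requires the root account's MFA device, passed via
# the `mfa` argument ("<serial> <code>"); it cannot be turned on with a
# CI pipeline's role credentials.
resource "aws_s3_bucket_versioning" "data" {
  bucket = aws_s3_bucket.data.id
  versioning_configuration {
    status     = "Enabled"
    mfa_delete = "Enabled"
  }
}

# CKV_AWS_18: server access logs go to a separate bucket.
resource "aws_s3_bucket" "logs" {
  bucket = "example-app-access-logs"
}

resource "aws_s3_bucket_logging" "data" {
  bucket        = aws_s3_bucket.data.id
  target_bucket = aws_s3_bucket.logs.id
  target_prefix = "s3/example-app-data/"
}

# CKV_AWS_54 / CKV_AWS_56 / CKV2_AWS_6: all four public access blocks on,
# which also neutralises a public-READ or public-WRITE ACL (CKV_AWS_20,
# CKV_AWS_57) should one slip in.
resource "aws_s3_bucket_public_access_block" "data" {
  bucket                  = aws_s3_bucket.data.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
```

Cross-region replication (CKV_AWS_144) is not shown because it needs a second bucket in another region plus a replication role; the logging bucket itself would need the same encryption and public access block to pass a scan of the whole module.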

CKV_AWS_59

Best practice
Informational

Ensure there is no open access to back-end resources through API

CKV_AWS_65

Best practice
Informational

Ensure container insights are enabled on ECS cluster

CKV_AWS_66

Best practice
Informational

Ensure that CloudWatch Log Group specifies retention days

CKV_AWS_68

Best practice
Informational

CloudFront Distribution should have WAF enabled

CKV_AWS_7

Best practice
Informational

Ensure rotation for customer created CMKs is enabled

CKV_AWS_76

Best practice
Informational

Ensure API Gateway has Access Logging enabled

CKV_AWS_79

Best practice
Informational

Ensure Instance Metadata Service Version 1 is not enabled

CKV_AWS_8

Best practice
Informational

Ensure all data stored in the Launch configuration EBS is securely encrypted

CKV_AWS_86

Best practice
Informational

Ensure CloudFront distribution has Access Logging enabled

CKV_AWS_88

Best practice
Informational

EC2 instance should not have public IP.
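For the EC2 rules (CKV_AWS_79, CKV_AWS_88, CKV_AWS_126, CKV_AWS_135, CKV_AWS_130, CKV_AWS_3, CKV_AWS_106, CKV2_AWS_2 and CKV2_AWS_17), the added example below shows an instance and its volumes configured to pass all of them. It is not code from the Codiga page; the AMI ID is a placeholder and the instance security group is assumed to exist.

```hcl
# Added example, not from the Codiga page. The AMI ID is a placeholder and
# the instance security group is assumed to exist.
resource "aws_ebs_encryption_by_default" "account" {
  enabled = true   # CKV_AWS_106: new volumes encrypted even if a module forgets
}

resource "aws_vpc" "main" {
  cidr_block = "10.0.0.0/16"
}

# CKV_AWS_130: the subnet never hands out a public IP at launch.
resource "aws_subnet" "private_a" {
  vpc_id                  = aws_vpc.main.id
  cidr_block              = "10.0.1.0/24"
  availability_zone       = "us-east-1a"
  map_public_ip_on_launch = false
}

resource "aws_instance" "app" {
  ami                    = "ami-0123456789abcdef0"   # placeholder
  instance_type          = "t3.small"
  subnet_id              = aws_subnet.private_a.id   # CKV2_AWS_17: in a VPC
  vpc_security_group_ids = [aws_security_group.app.id]

  associate_public_ip_address = false   # CKV_AWS_88
  monitoring                  = true    # CKV_AWS_126
  ebs_optimized               = true    # CKV_AWS_135

  # CKV_AWS_79: IMDSv2 only. A session token is required, so an SSRF in the
  # application can no longer read role credentials with a single GET.
  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required"
    http_put_response_hop_limit = 1
  }

  root_block_device {
    encrypted   = true
    volume_size = 20
  }
}

# CKV_AWS_3 / CKV2_AWS_2: any additional volume attached is encrypted too.
resource "aws_ebs_volume" "app_data" {
  availability_zone = aws_subnet.private_a.availability_zone
  size              = 100
  encrypted         = true
}

resource "aws_volume_attachment" "app_data" {
  device_name = "/dev/sdf"
  volume_id   = aws_ebs_volume.app_data.id
  instance_id = aws_instance.app.id
}
```

`http_put_response_hop_limit = 1` keeps the IMDS token from being obtainable through a container's NAT hop; raise it only for workloads that genuinely run containers needing instance credentials.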

CKV_AWS_91

Best practice
Informational

Ensure the ELBv2 (Application/Network) has access logging enabled

CKV_AWS_92

Best practice
Informational

Ensure the ELB has access logging enabled

CKV_AWS_98

Best practice
Informational

Ensure all data stored in the Sagemaker Endpoint is securely encrypted at rest

CKV_GCP_12

Best practice
Informational

Ensure Network Policy is enabled on Kubernetes Engine Clusters

CKV_GCP_13

Best practice
Informational

Ensure client certificate authentication to Kubernetes Engine Clusters is disabled

CKV_GCP_14

Best practice
Informational

Ensure all Cloud SQL database instances have backup configuration enabled

CKV_GCP_18

Best practice
Informational

Ensure GKE Control Plane is not public

CKV_GCP_19

Best practice
Informational

Ensure GKE basic auth is disabled

CKV_GCP_2

Best practice
Informational

Ensure Google compute firewall ingress does not allow unrestricted ssh access

CKV_GCP_20

Best practice
Informational

Ensure master authorized networks is set to enabled in GKE clusters

CKV_GCP_21

Best practice
Informational

Ensure Kubernetes Clusters are configured with Labels

CKV_GCP_23

Best practice
Informational

Ensure Kubernetes Cluster is created with Alias IP ranges enabled

CKV_GCP_24

Best practice
Informational

Ensure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters

CKV_GCP_25

Best practice
Informational

Ensure Kubernetes Cluster is created with Private cluster enabled

CKV_GCP_26

Best practice
Informational

Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network

CKV_GCP_29

Best practice
Informational

Ensure that Cloud Storage buckets have uniform bucket-level access enabled

CKV_GCP_30

Best practice
Informational

Ensure that instances are not configured to use the default service account

CKV_GCP_32

Best practice
Informational

Ensure 'Block Project-wide SSH keys' is enabled for VM instances

CKV_GCP_38

Best practice
Informational

Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK)

CKV_GCP_39

Best practice
Informational

Ensure Compute instances are launched with Shielded VM enabled

CKV_GCP_6

Best practice
Informational

Ensure all Cloud SQL database instances require all incoming connections to use SSL

CKV_GCP_61

Best practice
Informational

Enable VPC Flow Logs and Intranode Visibility

CKV_GCP_62

Best practice
Informational

Bucket should log access

CKV_GCP_64

Best practice
Informational

Ensure clusters are created with Private Nodes

CKV_GCP_65

Best practice
Informational

Manage Kubernetes RBAC users with Google Groups for GKE

CKV_GCP_66

Best practice
Informational

Ensure use of Binary Authorization

CKV_GCP_67

Best practice
Informational

Ensure legacy Compute Engine instance metadata APIs are Disabled

CKV_GCP_69

Best practice
Informational

Ensure the GKE Metadata Server is Enabled

CKV_GCP_70

Best practice
Informational

Ensure the GKE Release Channel is set

CKV_GCP_71

Best practice
Informational

Ensure Shielded GKE Nodes are Enabled
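Most of the GKE rules above (CKV_GCP_12, 13, 18, 19, 20, 21, 23, 25, 61, 64, 66, 67, 69, 70, 71) are attributes of a single `google_container_cluster` and its node pool. The added example below, not code from the Codiga page, is one cluster definition that passes them. It assumes google provider 4.x, an existing VPC "example-vpc" with subnet "example-gke-subnet" carrying secondary ranges "pods" and "services", a project "example-project", a pre-created node service account, and 10.0.0.0/8 as the corporate range.

```hcl
# Added example, not from the Codiga page. Assumes google provider 4.x,
# VPC "example-vpc" / subnet "example-gke-subnet" with secondary ranges
# "pods" and "services", project "example-project", a pre-created node
# service account, and 10.0.0.0/8 as the corporate range.
resource "google_container_cluster" "primary" {
  name     = "example-gke"
  location = "us-central1"

  network    = "example-vpc"
  subnetwork = "example-gke-subnet"

  remove_default_node_pool = true
  initial_node_count       = 1

  # CKV_GCP_25 / CKV_GCP_64 / CKV_GCP_18: private nodes, private endpoint.
  private_cluster_config {
    enable_private_nodes    = true
    enable_private_endpoint = true
    master_ipv4_cidr_block  = "172.16.0.0/28"
  }

  # CKV_GCP_20: only these ranges may reach the control plane.
  master_authorized_networks_config {
    cidr_blocks {
      cidr_block   = "10.0.0.0/8"
      display_name = "corp"
    }
  }

  # CKV_GCP_23: VPC-native cluster using alias IP ranges.
  ip_allocation_policy {
    cluster_secondary_range_name  = "pods"
    services_secondary_range_name = "services"
  }

  # CKV_GCP_12: NetworkPolicy objects are enforced.
  network_policy {
    enabled = true
  }
  addons_config {
    network_policy_config {
      disabled = false
    }
  }

  # CKV_GCP_13: no client certificate issued; no static username/password
  # is configured either (CKV_GCP_19).
  master_auth {
    client_certificate_config {
      issue_client_certificate = false
    }
  }

  release_channel {
    channel = "REGULAR"   # CKV_GCP_70
  }

  enable_shielded_nodes       = true   # CKV_GCP_71
  enable_intranode_visibility = true   # CKV_GCP_61 (with subnet flow logs)

  binary_authorization {
    evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE"   # CKV_GCP_66
  }

  workload_identity_config {
    workload_pool = "example-project.svc.id.goog"
  }

  resource_labels = { env = "prod" }   # CKV_GCP_21
}

resource "google_container_node_pool" "primary" {
  name       = "example-pool"
  cluster    = google_container_cluster.primary.name
  location   = google_container_cluster.primary.location
  node_count = 3

  node_config {
    machine_type    = "e2-standard-4"
    service_account = "gke-nodes@example-project.iam.gserviceaccount.com"
    oauth_scopes    = ["https://www.googleapis.com/auth/cloud-platform"]

    workload_metadata_config {
      mode = "GKE_METADATA"   # CKV_GCP_69: GKE metadata server
    }
    shielded_instance_config {
      enable_secure_boot          = true
      enable_integrity_monitoring = true
    }
    metadata = {
      disable-legacy-endpoints = "true"   # CKV_GCP_67
    }
  }
}
```

With `enable_private_endpoint = true` the API server has no public address at all, so `kubectl` has to come from inside the authorized ranges (a bastion or VPN); teams that still need a public endpoint should set it to `false` and rely on `master_authorized_networks_config` alone, which still satisfies CKV_GCP_20 but not CKV_GCP_18.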

CKV_GIT_1

Best practice
Informational

Ensure Repository is Private

CKV2_AWS_1

Best practice
Informational

Ensure that all NACLs are attached to subnets

CKV2_AWS_11

Best practice
Informational

Ensure VPC flow logging is enabled in all VPCs

CKV2_AWS_12

Best practice
Informational

Ensure the default security group of every VPC restricts all traffic

CKV2_AWS_16

Best practice
Informational

Ensure that Auto Scaling is enabled on your DynamoDB tables

CKV2_AWS_17

Best practice
Informational

Ensure that EC2 instances belong to a VPC

CKV2_AWS_18

Best practice
Informational

Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup

CKV2_AWS_19

Best practice
Informational

Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances

CKV2_AWS_2

Best practice
Informational

Ensure that only encrypted EBS volumes are attached to EC2 instances

CKV2_AWS_20

Best practice
Informational

Ensure that ALB redirects HTTP requests into HTTPS ones
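The load balancer rules spread through this list (CKV_AWS_2, CKV_AWS_103, CKV_AWS_127, CKV_AWS_131, CKV_AWS_150, CKV_AWS_91, CKV2_AWS_20, CKV2_AWS_28 and CKV_AWS_261) combine into one ALB definition. The block below is an added example and not code from the Codiga page; the VPC, public subnets, ALB security group, access-log bucket, ACM certificate and WAFv2 web ACL are assumed to exist elsewhere in the module.

```hcl
# Added example, not from the Codiga page. The VPC, public subnets, ALB
# security group, access-log bucket, ACM certificate and WAFv2 web ACL are
# assumed to exist elsewhere in the module.
resource "aws_lb" "web" {
  name               = "example-web"
  load_balancer_type = "application"
  subnets            = [aws_subnet.public_a.id, aws_subnet.public_b.id]
  security_groups    = [aws_security_group.alb.id]

  drop_invalid_header_fields = true   # CKV_AWS_131
  enable_deletion_protection = true   # CKV_AWS_150

  access_logs {                       # CKV_AWS_91
    bucket  = aws_s3_bucket.alb_logs.id
    enabled = true
  }
}

# CKV2_AWS_20 (and CKV_AWS_2): the HTTP listener only redirects to HTTPS.
resource "aws_lb_listener" "http" {
  load_balancer_arn = aws_lb.web.arn
  port              = 80
  protocol          = "HTTP"

  default_action {
    type = "redirect"
    redirect {
      port        = "443"
      protocol    = "HTTPS"
      status_code = "HTTP_301"
    }
  }
}

# CKV_AWS_2 / CKV_AWS_103 / CKV_AWS_127: HTTPS with a TLS 1.2 policy and an
# ACM-issued certificate.
resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.web.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS-1-2-2017-01"
  certificate_arn   = aws_acm_certificate.web.arn

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.web.arn
  }
}

# CKV_AWS_261: the target group declares a health check.
resource "aws_lb_target_group" "web" {
  name     = "example-web"
  port     = 8080
  protocol = "HTTP"
  vpc_id   = aws_vpc.main.id

  health_check {
    path     = "/healthz"
    matcher  = "200"
    interval = 30
  }
}

# CKV2_AWS_28: public-facing ALB behind a WAFv2 web ACL.
resource "aws_wafv2_web_acl_association" "web" {
  resource_arn = aws_lb.web.arn
  web_acl_arn  = aws_wafv2_web_acl.web.arn
}
```

`drop_invalid_header_fields` matters more than it looks: without it, headers that violate RFC 7230 are passed through to targets, which is the raw material for request smuggling between the ALB and the backend.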

CKV2_AWS_23

Best practice
Informational

Route53 A Record has Attached Resource

CKV2_AWS_27

Best practice
Informational

Postgres RDS has Query Logging enabled

CKV2_AWS_28

Best practice
Informational

Ensure public-facing ALBs are protected by WAF

CKV2_AWS_5

Best practice
Informational

Ensure that Security Groups are attached to another resource

CKV2_AWS_6

Best practice
Informational

Ensure that S3 bucket has a Public Access block

CKV2_AWS_9

Best practice
Informational

Ensure that EBS are added in the backup plans of AWS Backup

CKV_AWS_174

Best practice
Error

Verify CloudFront Distribution Viewer Certificate is using TLS v1.2

CKV_AWS_186

Best practice
Error

Ensure S3 bucket Object is encrypted by KMS using a customer managed Key (CMK)

CKV_AWS_191

Best practice
Error

Ensure Elasticache replication group is encrypted by KMS using a customer managed Key (CMK)

CKV_AWS_78

Security
Error

Ensure that CodeBuild Project encryption is not disabled

CKV2_AWS_32

Best practice
Error

Ensure CloudFront distribution has a strict security headers policy attached

CKV2_AWS_30

Safety
Error

Ensure Postgres RDS as aws_db_instance has Query Logging enabled

CKV2_AWS_34

Security
Critical

AWS SSM Parameter should be Encrypted

CKV_AWS_189

Security
Error

Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)

CKV_AWS_195

Security
Error

Ensure Glue component has a security configuration associated

CKV2_AWS_33

Security
Error

Ensure AppSync is protected by WAF

CKV_AZURE_102

Safety
Error

Ensure that PostgreSQL server enables geo-redundant backups

CKV_AZURE_109

Security
Warning

Ensure key vault allows firewall rules settings

CKV_AZURE_112

Safety
Error

Ensure key vault key is backed by HSM

CKV_AZURE_114

Best practice
Warning

Ensure key vault secrets have content_type set

CKV_AZURE_117

Security
Critical

Ensure that AKS uses disk encryption set

CKV_AZURE_118

Security
Error

Ensure that Network Interfaces disable IP forwarding

CKV_GIT_3

Security
Error

Ensure GitHub repository has vulnerability alerts enabled

CKV_GIT_4

Security
Critical

Ensure Secrets are encrypted

CKV_AZURE_43

Code style
Informational

Ensure Storage Accounts adhere to the naming rules

CKV_AZURE_49

Security
Error

Ensure Azure Linux scale set does not use basic authentication (use SSH keys instead)

CKV_AZURE_5

Security
Error

Ensure RBAC is enabled on AKS clusters

CKV_AZURE_50

Security
Warning

Ensure Virtual Machine Extensions are not Installed

CKV_AZURE_120

Security
Warning

Ensure that Application Gateway enables WAF

CKV_AZURE_130

Security
Error

Ensure that PostgreSQL server enables infrastructure encryption

CKV_AZURE_135

Best practice
Critical

Ensure Application Gateway WAF prevents message lookup in Log4j2. See CVE-2021-44228, a.k.a. Log4Shell

CKV_AZURE_29

Security
Error

Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server

CKV_AZURE_35

Security
Warning

Ensure default network access rule for Storage Accounts is set to deny

CKV_AZURE_36

Security
Error

Ensure 'Trusted Microsoft Services' is enabled for Storage Account access

CKV_AZURE_40

Security
Error

Ensure that the expiration date is set on all keys

CKV_AZURE_68

Security
Error

Ensure that PostgreSQL server disables public network access

CKV_AZURE_97

Security
Error

Ensure that Virtual machine scale sets have encryption at host enabled

CKV2_AZURE_21

Security
Warning

Ensure Storage logging is enabled for Blob service for read requests

CKV2_AZURE_8

Security
Critical

Ensure the storage container storing the activity logs is not publicly accessible

CKV_AWS_184

Security
Error

Ensure resource is encrypted by KMS using a customer managed Key

CKV_AWS_42

Security
Error

Ensure EFS is securely encrypted

CKV_AWS_237

Best practice
Warning

Ensure create_before_destroy is set for API Gateway

CKV_AWS_217

Best practice
Warning

Ensure create_before_destroy is set for API Gateway deployments

CKV2_AZURE_22

Best practice
Warning

Ensure that Cognitive Services enables customer-managed key for encryption

CKV_AWS_219

Best practice
Warning

Ensure Code Pipeline Artifact store is using a KMS CMK

CKV_AWS_35

Best practice
Warning

Ensure CloudTrail logs are encrypted at rest using KMS CMKs

CKV_AWS_36

Best practice
Warning

Ensure AWS CloudTrail log validation is enabled in all regions.

CKV_AWS_252

Best practice
Warning

Ensure CloudTrail defines an SNS Topic.

CKV_AWS_67

Best practice
Warning

Ensure CloudTrail is enabled in all Regions

CKV2_AWS_10

Best practice
Warning

Ensure CloudTrail trails are integrated with CloudWatch Logs

CKV_AZURE_98

Best practice
Error

Ensure that Azure Container group is deployed into virtual network.

CKV_AZURE_116

Security
Warning

Ensure that AKS uses Azure Policies Add-on

CKV_AZURE_141

Security
Warning

Ensure AKS local admin account is disabled

CKV_AZURE_151

Security
Warning

Ensure Windows VM enables encryption

CKV_AZURE_44

Security
Warning

Ensure Storage Account is using the latest version of TLS encryption

CKV_AWS_249

Best practice
Error

Ensure that the Execution Role ARN and the Task Role ARN are different in ECS Task definitions

CKV_AWS_57

Security
Warning

S3 Bucket has an ACL defined which allows public WRITE access.

CKV_AWS_120

Best practice
Error

Ensure API Gateway caching is enabled

CKV_AWS_73

Best practice
Warning

Ensure API Gateway has X-Ray tracing enabled

CKV_AWS_80

Best practice
Error

Ensure MSK Cluster logging is enabled

CKV_K8S_21

Best practice
Warning

The default namespace should not be used.

CKV_K8S_29

Security
Informational

Ensure securityContext is applied to pods and containers.

CKV2_AWS_29

Best practice
Error

Ensure public API Gateways are protected by AWS Web Application Firewall v2

CKV2_AWS_4

Best practice
Warning

Ensure API Gateway stages have an appropriate logging level defined

CKV_AWS_133

Security
Error

Ensure RDS instances have backup policy

CKV_AWS_178

Security
Warning

Ensure FSx ONTAP file system is encrypted by KMS using a customer managed Key (CMK)

CKV_AWS_226

Best practice
Error

Ensure DB instance gets all minor upgrades automatically
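The RDS instance rules in this list (CKV_AWS_16, CKV_AWS_17, CKV_AWS_118, CKV_AWS_128, CKV_AWS_129, CKV_AWS_133, CKV_AWS_157, CKV_AWS_161, CKV_AWS_226, CKV2_AWS_27 and CKV2_AWS_30) are satisfied by the added example below, which is not code from the Codiga page. The subnet group, database security group, KMS key and enhanced-monitoring role are assumed to exist; the master password is read from a Secrets Manager secret named "example/postgres/master" rather than written into the configuration.

```hcl
# Added example, not from the Codiga page. The subnet group, DB security
# group, KMS key and enhanced-monitoring role are assumed to exist; the
# master password comes from the Secrets Manager secret
# "example/postgres/master" rather than the configuration.
data "aws_secretsmanager_secret_version" "db_master" {
  secret_id = "example/postgres/master"
}

# CKV2_AWS_27 / CKV2_AWS_30: statement logging switched on via parameters.
resource "aws_db_parameter_group" "postgres" {
  name   = "example-postgres-logging"
  family = "postgres14"

  parameter {
    name  = "log_statement"
    value = "all"
  }
  parameter {
    name  = "log_min_duration_statement"
    value = "1"
  }
}

resource "aws_db_instance" "postgres" {
  identifier        = "example-postgres"
  engine            = "postgres"
  engine_version    = "14.7"
  instance_class    = "db.t3.medium"
  allocated_storage = 50

  username = "app_admin"
  password = data.aws_secretsmanager_secret_version.db_master.secret_string

  db_subnet_group_name   = aws_db_subnet_group.private.name
  vpc_security_group_ids = [aws_security_group.db.id]
  parameter_group_name   = aws_db_parameter_group.postgres.name

  storage_encrypted                   = true   # CKV_AWS_16
  kms_key_id                          = aws_kms_key.rds.arn
  publicly_accessible                 = false  # CKV_AWS_17
  iam_database_authentication_enabled = true   # CKV_AWS_161 / CKV_AWS_128
  multi_az                            = true   # CKV_AWS_157

  monitoring_interval             = 60                         # CKV_AWS_118
  monitoring_role_arn             = aws_iam_role.rds_monitoring.arn
  enabled_cloudwatch_logs_exports = ["postgresql", "upgrade"]  # CKV_AWS_129

  backup_retention_period    = 14     # CKV_AWS_133
  deletion_protection        = true
  auto_minor_version_upgrade = true   # CKV_AWS_226
  skip_final_snapshot        = false
  final_snapshot_identifier  = "example-postgres-final"
}
```

`log_statement = "all"` writes every statement, including parameter values, to the PostgreSQL log that is exported to CloudWatch; treat that log group as sensitive (encrypt it with KMS per CKV_AWS_158 and set a retention per CKV_AWS_66) because it will contain application data.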

CKV_AWS_250

Security
Critical

Ensure that RDS PostgreSQL instances use a non-vulnerable version with the log_fdw extension

CKV2_AWS_35

Best practice
Error

AWS NAT Gateways should be utilized for the default route

CKV_AWS_247

Security
Error

Ensure all data stored in Elasticsearch is encrypted with a CMK

CKV_AZURE_34

Security
Error

Ensure that 'Public access level' is set to Private for blob containers

CKV_AZURE_41

Security
Error

Ensure secrets have an expiration date set

CKV2_AWS_3

Security
Warning

Ensure GuardDuty is enabled for the specific org/region

CKV2_AZURE_20

Security
Warning

Ensure Azure storage account logging for tables is enabled

CKV_AWS_260

Security
Error

Ensure no security groups allow ingress from 0.0.0.0/0 to port 80

CKV_AZURE_134

Best practice
Warning

Ensure that Cognitive Services accounts disable public network access.

CKV_AWS_106

Security
Error

Ensure EBS default encryption is enabled

CKV_AWS_128

Security
Error

Ensure Amazon RDS clusters and instances have AWS IAM authentication enabled

CKV_AWS_137

Security
Warning

Ensure that Elasticsearch is configured inside a VPC

CKV_AWS_139

Safety
Warning

Ensure that RDS clusters have deletion protection enabled

CKV_AWS_142

Security
Warning

Ensure Redshift cluster is encrypted by KMS

CKV_AWS_162

Security
Warning

Ensure RDS cluster has IAM authentication enabled

CKV_AWS_179

Security
Warning

Ensure FSx Windows file system is encrypted by KMS using a customer managed Key (CMK)

CKV_AWS_188

Security
Warning

Ensure RedShift Cluster is encrypted by KMS using a customer managed Key (CMK)

CKV_AWS_216

Error prone
Informational

Ensure CloudFront distribution is enabled

CKV_AWS_228

Security
Warning

Verify Elasticsearch domain is using an up to date TLS policy

CKV_AWS_248

Security
Warning

Ensure that Elasticsearch is not using the default Security Group

CKV_AWS_33

Security
Warning

Ensure KMS key policy does not contain wildcard (*) principal

CKV_AWS_71

Security
Warning

Ensure AWS Redshift database has audit logging enabled

CKV_AWS_84

Security
Warning

Ensure Elasticsearch Domain Logging is enabled

CKV_AWS_87

Security
Critical

Ensure Amazon Redshift clusters are not publicly accessible

CKV_AWS_96

Security
Critical

Ensure all data stored in Aurora is securely encrypted at rest

CKV_GLB_4

Best practice
Warning

Ensure commits are signed

CKV_GLB_1

Best practice
Informational

Ensure at least two approving reviews to merge

CKV_GIT_6

Security
Warning

Ensure all commits GPG signed

CKV_GIT_5

Security
Informational

Ensure at least two approving reviews for PRs

CKV_AZURE_1

Security
Critical

Ensure Azure Instance does not use basic authentication (use SSH keys instead)

CKV_AZURE_103

Security
Warning

Ensure that Azure Data Factory uses Git repository for source control

CKV_AZURE_104

Security
Error

Ensure Azure Data factory public network access is disabled

CKV_AZURE_110

Security
Warning

Ensure that key vault enables purge protection

CKV_AZURE_13

Security
Error

Ensure App Service Authentication is set on Azure App Service

CKV_AZURE_16

Security
Warning

Ensure App Service is registered with an Azure Active Directory account

CKV_AZURE_17

Security
Warning

Ensure the web app has certificates set

CKV_AZURE_18

Security
Warning

Ensure that 'HTTP Version' is the latest if used to run the web app

CKV_AZURE_24

Best practice
Error

Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers

CKV_AZURE_3

Security
Error

Ensure that 'Secure transfer required' is set to 'Enabled'

CKV_AZURE_33

Security
Error

Ensure Storage logging is enabled for Queue service for read, write and delete requests
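The Azure storage account rules in this list (CKV_AZURE_3, CKV_AZURE_33, CKV_AZURE_34, CKV_AZURE_35, CKV_AZURE_36, CKV_AZURE_43 and CKV_AZURE_44) come together in the added example below, which is not code from the Codiga page. It assumes azurerm provider 3.x, an existing resource group and an application subnet; the account name is a placeholder.

```hcl
# Added example, not from the Codiga page. Assumes azurerm provider 3.x,
# an existing resource group and application subnet; names are placeholders.
resource "azurerm_storage_account" "data" {
  name                     = "exampleappdata001"   # CKV_AZURE_43: 3-24 lowercase alphanumerics
  resource_group_name      = azurerm_resource_group.main.name
  location                 = azurerm_resource_group.main.location
  account_tier             = "Standard"
  account_replication_type = "GRS"

  enable_https_traffic_only       = true     # CKV_AZURE_3: secure transfer required
  min_tls_version                 = "TLS1_2" # CKV_AZURE_44
  allow_nested_items_to_be_public = false    # no container can be made public

  # CKV_AZURE_35 / CKV_AZURE_36: deny by default, allow the app subnet and
  # trusted Microsoft services (backup, monitoring, etc.).
  network_rules {
    default_action             = "Deny"
    bypass                     = ["AzureServices"]
    virtual_network_subnet_ids = [azurerm_subnet.app.id]
  }

  # CKV_AZURE_33: queue service logs read, write and delete requests.
  queue_properties {
    logging {
      delete                = true
      read                  = true
      write                 = true
      version               = "1.0"
      retention_policy_days = 10
    }
  }
}

# CKV_AZURE_34: blob containers are private.
resource "azurerm_storage_container" "activity_logs" {
  name                  = "activity-logs"
  storage_account_name  = azurerm_storage_account.data.name
  container_access_type = "private"
}
```

With `default_action = "Deny"`, Terraform itself must run from an allowed network (or the operator's IP must be listed in `ip_rules`) for later applies that touch containers or blobs; forgetting that is the most common reason a hardened account suddenly fails to plan.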

CKV_AZURE_42

Safety
Error

Ensure the key vault is recoverable

CKV_AZURE_56

Security
Error

Ensure that function apps enable Authentication

CKV_AZURE_60

Security
Error

Ensure secure transfer required is enabled

CKV_AZURE_63

Security
Informational

Ensure that App service enables HTTP logging

CKV_AZURE_65

Best practice
Warning

Ensure app service enables detailed error messages

CKV_AZURE_66

Best practice
Warning

Ensure app service enables failed request tracing

CKV_AZURE_67

Best practice
Informational

Ensure that 'HTTP Version' is the latest, if used to run the Function app

CKV_AZURE_70

Security
Warning

Ensure function apps are only accessible over HTTPS

CKV_AZURE_71

Best practice
Informational

Ensure that Managed identity provider is enabled for app services

CKV_AZURE_78

Security
Error

Ensure FTP deployments are disabled

CKV_AZURE_80

Security
Informational

Ensure that 'Net Framework' version is the latest, if used as a part of the web app

CKV_AZURE_88

Best practice
Informational

Ensure that app services use Azure Files

CKV2_AWS_8

Best practice
Warning

Ensure RDS clusters have an AWS Backup backup plan

CKV2_AZURE_1

Security
Error

Ensure storage for critical data is encrypted with a Customer Managed Key

CKV2_AZURE_10

Security
Informational

Ensure Microsoft Antimalware is configured to automatically update Virtual Machines

CKV2_AZURE_12

Best practice
Informational

Ensure that virtual machines are backed up using Azure Backup

CKV2_AZURE_15

Security
Informational

Ensure that Azure data factories are encrypted with a customer-managed key

CKV2_AZURE_18

Security
Warning

Ensure that Storage Accounts use customer-managed key for encryption

CKV2_AZURE_2

Security
Warning

Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account

CKV2_AZURE_7

Best practice
Informational

Ensure that Azure Active Directory Admin is configured

CKV2_AZURE_9

Best practice
Warning

Ensure Virtual Machines are utilizing Managed Disks

CKV_AWS_6

Best practice
Warning

Ensure all Elasticsearch domains have node-to-node encryption enabled

CKV_AWS_261

Safety
Error

Ensure HTTP/HTTPS target group defines a health check