CKV_AWS_103
Ensure that load balancer is using TLS 1.2
The Codiga Static Analysis engine checks all Terraform code, surfaces security and safety issues, and enforces best practices. Whatever cloud you use (AWS, GCP, Azure), Codiga has you covered and flags potential problems at every push and pull request.
Ensure IAM policies do not allow credentials exposure
Ensure IAM policies do not allow data exfiltration
Ensure IAM policies do not allow permissions management / resource exposure without constraints
Ensure IAM policies do not allow privilege escalation
Ensure IAM policies do not allow write access without constraints
Ensure that AWS Lambda function is configured for function-level concurrent execution limit
Ensure that AWS Lambda function is configured for a Dead Letter Queue (DLQ)
Ensure that AWS Lambda function is configured inside a VPC
Ensure that enhanced monitoring is enabled for Amazon RDS instances
Ensure DynamoDB Tables are encrypted using a KMS Customer Managed CMK
Ensure that CloudFormation stacks are sending event notifications to an SNS topic
Ensure that detailed monitoring is enabled for EC2 instances
Ensure that Elastic Load Balancer(s) use SSL certificates provided by AWS Certificate Manager
Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled
Ensure VPC subnets do not assign public IP by default
Ensure that ALB drops HTTP headers
Ensure that Amazon ElastiCache Redis clusters have automatic backup turned on
Ensure that EC2 is EBS optimized
Ensure that ECR repositories are encrypted using KMS
Ensure that S3 bucket has cross-region replication enabled
Ensure that S3 buckets are encrypted with KMS by default
Ensure that CodeBuild projects are encrypted
Ensure no default VPC is planned to be provisioned
Ensure that Secrets Manager secret is encrypted using KMS
Ensure that Load Balancer has deletion protection enabled
Ensure that RDS instances have Multi-AZ enabled
Ensure that CloudWatch Log Group is encrypted by KMS
Ensure all data stored in the RDS is securely encrypted at rest
Ensure RDS database has IAM authentication enabled
Ensure ECR image scanning on push is enabled
Ensure SQS queue policy is not public by only allowing specific services or principals to access it
Ensure all data stored in RDS is not publicly accessible
Check encryption settings for Lambda environment variables
Ensure the S3 bucket has access logging enabled
Ensure all data stored in the S3 bucket is securely encrypted at rest
Ensure ALB protocol is HTTPS
S3 Bucket has an ACL defined which allows public READ access.
Ensure all data stored in the S3 bucket has versioning enabled
Ensure every security group rule has a description
Ensure no security groups allow ingress from 0.0.0.0:0 to port 22
Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389
Ensure all data stored in the SNS topic is encrypted
Ensure all data stored in the SQS queue is encrypted
Ensure DynamoDB point-in-time recovery (backup) is enabled
Ensure all data stored in the EBS is securely encrypted
Ensure all data stored in the ElastiCache Replication Group is securely encrypted in transit
Ensure all data stored in the ElastiCache Replication Group is securely encrypted in transit and has an auth token
Ensure CloudFront distribution ViewerProtocolPolicy is set to HTTPS
Ensure IAM policies are attached only to groups or roles (reducing access management complexity may in turn reduce the opportunity for a principal to inadvertently receive or retain excessive privileges)
Ensure no hard coded AWS access key and secret key exists in provider
X-ray tracing is enabled for Lambda
Ensure ECR Image Tags are immutable
Ensure S3 bucket has MFA delete enabled
Ensure S3 bucket has block public policy enabled
Ensure S3 bucket has 'restrict_public_bucket' enabled
Ensure there is no open access to back-end resources through API
Ensure container insights are enabled on ECS cluster
Ensure that CloudWatch Log Group specifies retention days
CloudFront Distribution should have WAF enabled
Ensure rotation for customer created CMKs is enabled
Ensure API Gateway has Access Logging enabled
Ensure Instance Metadata Service Version 1 is not enabled
Ensure all data stored in the Launch configuration EBS is securely encrypted
Ensure Cloudfront distribution has Access Logging enabled
EC2 instance should not have public IP.
Ensure the ELBv2 (Application/Network) has access logging enabled
Ensure the ELB has access logging enabled
Ensure all data stored in the SageMaker Endpoint is securely encrypted at rest
Ensure Network Policy is enabled on Kubernetes Engine Clusters
Ensure a client certificate is used by clients to authenticate to Kubernetes Engine Clusters
Ensure all Cloud SQL database instances have backup configuration enabled
Ensure GKE Control Plane is not public
Ensure GKE basic auth is disabled
Ensure Google compute firewall ingress does not allow unrestricted ssh access
Ensure master authorized networks is set to enabled in GKE clusters
Ensure Kubernetes Clusters are configured with Labels
Ensure Kubernetes Cluster is created with Alias IP ranges enabled
Ensure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters
Ensure Kubernetes Cluster is created with Private cluster enabled
Ensure that VPC Flow Logs are enabled for every subnet in a VPC Network
Ensure that Cloud Storage buckets have uniform bucket-level access enabled
Ensure that instances are not configured to use the default service account
Ensure 'Block Project-wide SSH keys' is enabled for VM instances
Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK)
Ensure Compute instances are launched with Shielded VM enabled
Ensure all Cloud SQL database instances require all incoming connections to use SSL
Enable VPC Flow Logs and Intranode Visibility
Bucket should log access
Ensure clusters are created with Private Nodes
Manage Kubernetes RBAC users with Google Groups for GKE
Ensure use of Binary Authorization
Ensure legacy Compute Engine instance metadata APIs are Disabled
Ensure the GKE Metadata Server is Enabled
Ensure the GKE Release Channel is set
Ensure Shielded GKE Nodes are Enabled
Ensure Repository is Private
Ensure that all NACLs are attached to subnets
Ensure VPC flow logging is enabled in all VPCs
Ensure the default security group of every VPC restricts all traffic
Ensure that Auto Scaling is enabled on your DynamoDB tables
Ensure that EC2 instances belong to a VPC
Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup
Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances
Ensure that only encrypted EBS volumes are attached to EC2 instances
Ensure that ALB redirects HTTP requests to HTTPS
Route53 A Record has Attached Resource
Postgres RDS has Query Logging enabled
Ensure public-facing ALBs are protected by WAF
Ensure that Security Groups are attached to another resource
Ensure that S3 bucket has a Public Access block
Ensure that EBS are added in the backup plans of AWS Backup
Ensure at least two approving reviews to merge
Ensure that 'HTTP Version' is the latest, if used to run the Function app
Ensure that Managed identity provider is enabled for app services
Ensure that app services use Azure Files
Ensure that virtual machines are backed up using Azure Backup
Ensure that Azure Active Directory Admin is configured