Skip to content

TerraGoat is Bridgecrew's "Vulnerable by Design" Terraform repository. TerraGoat is a learning and training project that demonstrates how common configuration errors can find their way into production cloud environments.

License

Notifications You must be signed in to change notification settings

byronjwatson/terragoat

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

TerraGoat - Vulnerable Terraform Infrastructure

Maintained by Bridgecrew.io Infrastructure Tests CIS Azure CIS GCP CIS AWS PCI Terraform Version slack-community

TerraGoat is Bridgecrew's "Vulnerable by Design" Terraform repository. Terragoat

TerraGoat is Bridgecrew's "Vulnerable by Design" Terraform repository. TerraGoat is a learning and training project that demonstrates how common configuration errors can find their way into production cloud environments.

Table of Contents

Introduction

TerraGoat was built to enable DevSecOps design and implement a sustainable misconfiguration prevention strategy. It can be used to test a policy-as-code framework like Bridgecrew & Checkov, inline-linters, pre-commit hooks or other code scanning methods.

TerraGoat follows the tradition of existing *Goat projects that provide a baseline training ground to practice implementing secure development best practices for cloud infrastructure.

Important notes

Before you proceed please take a not of these warning:

⚠️ TerraGoat creates intentionally vulnerable AWS resources into your account. DO NOT deploy TerraGoat in a production environment or alongside any sensitive AWS resources.

Requirements

  • Terraform 0.12
  • aws cli
  • azure cli

To prevent vulnerable infrastructure from arriving to production see: Bridgecrew & checkov, the open source static analysis tool for infrastructure as code.

Getting started

AWS Setup

Installation (AWS)

You can deploy multiple TerraGoat stacks in a single AWS account using the parameter TF_VAR_environment.

Create an S3 Bucket backend to keep Terraform state

export TERRAGOAT_STATE_BUCKET="mydevsecops-bucket"
export TF_VAR_company_name=acme
export TF_VAR_environment=mydevsecops
export TF_VAR_region="us-west-2"

aws s3api create-bucket --bucket $TERRAGOAT_STATE_BUCKET \
    --region $TF_VAR_region --create-bucket-configuration LocationConstraint=$TF_VAR_region

# Enable versioning
aws s3api put-bucket-versioning --bucket $TERRAGOAT_STATE_BUCKET --versioning-configuration Status=Enabled

# Enable encryption
aws s3api put-bucket-encryption --bucket $TERRAGOAT_STATE_BUCKET --server-side-encryption-configuration '{
  "Rules": [
    {
      "ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms"
      }
    }
  ]
}'

Apply TerraGoat (AWS)

cd terraform/aws/
terraform init \
-backend-config="bucket=$TERRAGOAT_STATE_BUCKET" \
-backend-config="key=$TF_VAR_company_name-$TF_VAR_environment.tfstate" \
-backend-config="region=$TF_VAR_region"

terraform apply

Remove TerraGoat (AWS)

terraform destroy

Creating multiple TerraGoat AWS stacks

cd terraform/aws/
export TERRAGOAT_ENV=$TF_VAR_environment
export TERRAGOAT_STACKS_NUM=5
for i in $(seq 1 $TERRAGOAT_STACKS_NUM)
do
    export TF_VAR_environment=$TERRAGOAT_ENV$i
    terraform init \
    -backend-config="bucket=$TERRAGOAT_STATE_BUCKET" \
    -backend-config="key=$TF_VAR_company_name-$TF_VAR_environment.tfstate" \
    -backend-config="region=$TF_VAR_region"

    terraform apply -auto-approve
done

Deleting multiple TerraGoat stacks (AWS)

cd terraform/aws/
export TF_VAR_environment = $TERRAGOAT_ENV
for i in $(seq 1 $TERRAGOAT_STACKS_NUM)
do
    export TF_VAR_environment=$TERRAGOAT_ENV$i
    terraform init \
    -backend-config="bucket=$TERRAGOAT_STATE_BUCKET" \
    -backend-config="key=$TF_VAR_company_name-$TF_VAR_environment.tfstate" \
    -backend-config="region=$TF_VAR_region"

    terraform destroy -auto-approve
done

Azure Setup

Installation (Azure)

You can deploy multiple TerraGoat stacks in a single Azure subscription using the parameter TF_VAR_environment.

Create an Azure Storage Account backend to keep Terraform state

export TERRAGOAT_RESOURCE_GROUP="TerraGoatRG"
export TERRAGOAT_STATE_STORAGE_ACCOUNT="mydevsecopssa"
export TERRAGOAT_STATE_CONTAINER="mydevsecops"
export TF_VAR_environment="dev"
export TF_VAR_region="westus"

# Create resource group
az group create --location $TF_VAR_region --name $TERRAGOAT_RESOURCE_GROUP

# Create storage account
az storage account create --name $TERRAGOAT_STATE_STORAGE_ACCOUNT --resource-group $TERRAGOAT_RESOURCE_GROUP --location $TF_VAR_region --sku Standard_LRS --kind StorageV2 --https-only true --encryption-services blob

# Get storage account key
ACCOUNT_KEY=$(az storage account keys list --resource-group $TERRAGOAT_RESOURCE_GROUP --account-name $TERRAGOAT_STATE_STORAGE_ACCOUNT --query [0].value -o tsv)

# Create blob container
az storage container create --name $TERRAGOAT_STATE_CONTAINER --account-name $TERRAGOAT_STATE_STORAGE_ACCOUNT --account-key $ACCOUNT_KEY

Apply TerraGoat (Azure)

cd terraform/azure/
terraform init -reconfigure -backend-config="resource_group_name=$TERRAGOAT_RESOURCE_GROUP" \
    -backend-config "storage_account_name=$TERRAGOAT_STATE_STORAGE_ACCOUNT" \
    -backend-config="container_name=$TERRAGOAT_STATE_CONTAINER" \
    -backend-config "key=$TF_VAR_environment.terraform.tfstate"

terraform apply

Remove TerraGoat (Azure)

terraform destroy

GCP Setup

Installation (GCP)

You can deploy multiple TerraGoat stacks in a single GCP project using the parameter TF_VAR_environment.

Create a GCS backend to keep Terraform state

To use terraform, a Service Account and matching set of credentials are required. If they do not exist, they must be manually created for the relevant project. To create the Service Account:

  1. Sign into your GCP project, go to IAM > Service Accounts.
  2. Click the CREATE SERVICE ACCOUNT.
  3. Give a name to your service account (for example - terragoat) and click CREATE.
  4. Grant the Service Account the Project > Editor role and click CONTINUE.
  5. Click DONE.

To create the credentials:

  1. Sign into your GCP project, go to IAM > Service Accounts and click on the relevant Service Account.
  2. Click ADD KEY > Create new key > JSON and click CREATE. This will create a .json file and download it to your computer.

We recommend saving the key with a nicer name than the auto-generated one (i.e. terragoat_credentials.json), and storing the resulting JSON file inside terraform/gcp directory of terragoat. Once the credentials are set up, create the BE configuration as follows:

export TF_VAR_environment="dev"
export TF_TERRAGOAT_STATE_BUCKET=remote-state-bucket-terragoat
export TF_VAR_credentials_path=<PATH_TO_CREDNETIALS_FILE> # example: export TF_VAR_credentials_path=terragoat_credentials.json
export TF_VAR_project=<YOUR_PROJECT_NAME_HERE>

# Create storage bucket
gsutil mb gs://${TF_TERRAGOAT_STATE_BUCKET}

Apply TerraGoat (GCP)

cd terraform/gcp/
terraform init -reconfigure -backend-config="bucket=$TF_TERRAGOAT_STATE_BUCKET" \
    -backend-config "credentials=$TF_VAR_credentials_path" \
    -backend-config "prefix=terragoat/${TF_VAR_environment}"

terraform apply

Remove TerraGoat (GCP)

terraform destroy

Bridgecrew's IaC herd of goats

  • CfnGoat - Vulnerable by design Cloudformation template
  • TerraGoat - Vulnerable by design Terraform stack
  • CDKGoat - Vulnerable by design CDK application
  • kustomizegoat - Vulnerable by design kustomize deployment

Contributing

Contribution is welcomed!

We would love to hear about more ideas on how to find vulnerable infrastructure-as-code design patterns.

Support

Bridgecrew builds and maintains TerraGoat to encourage the adoption of policy-as-code.

If you need direct support you can contact us at [email protected].

Existing vulnerabilities (Auto-Generated)

terraform scan results:

check_id file resource check_name guideline
0 CKV_ALI_10 /alicloud/bucket.tf alicloud_oss_bucket.bad_bucket Ensure OSS bucket has versioning enabled
1 CKV_ALI_12 /alicloud/bucket.tf alicloud_oss_bucket.bad_bucket Ensure the OSS bucket has access logging enabled
2 CKV_ALI_11 /alicloud/bucket.tf alicloud_oss_bucket.bad_bucket Ensure OSS bucket has transfer Acceleration enabled
3 CKV_ALI_1 /alicloud/bucket.tf alicloud_oss_bucket.bad_bucket Alibaba Cloud OSS bucket accessible to public
4 CKV_ALI_6 /alicloud/bucket.tf alicloud_oss_bucket.bad_bucket Ensure OSS bucket is encrypted with Customer Master Key
5 CKV_ALI_36 /alicloud/rds.tf alicloud_db_instance.seeme Ensure RDS instance has log_disconnections enabled
6 CKV_ALI_37 /alicloud/rds.tf alicloud_db_instance.seeme Ensure RDS instance has log_connections enabled
7 CKV_ALI_34 /alicloud/rds.tf alicloud_db_instance.seeme Ensure RDS instance is set to auto upgrade minor versions
8 CKV_ALI_20 /alicloud/rds.tf alicloud_db_instance.seeme Ensure RDS instance uses SSL
9 CKV_ALI_30 /alicloud/rds.tf alicloud_db_instance.seeme Ensure RDS instance auto upgrades for minor versions
10 CKV_ALI_35 /alicloud/rds.tf alicloud_db_instance.seeme Ensure RDS instance has log_duration enabled
11 CKV_ALI_9 /alicloud/rds.tf alicloud_db_instance.seeme Ensure database instance is not public
12 CKV_ALI_25 /alicloud/rds.tf alicloud_db_instance.seeme Ensure RDS Instance SQL Collector Retention Period should be greater than 180
13 CKV_ALI_4 /alicloud/trail.tf alicloud_actiontrail_trail.fail Ensure Action Trail Logging for all regions
14 CKV_ALI_5 /alicloud/trail.tf alicloud_actiontrail_trail.fail Ensure Action Trail Logging for all events
15 CKV_ALI_10 /alicloud/trail.tf alicloud_oss_bucket.trail Ensure OSS bucket has versioning enabled
16 CKV_ALI_12 /alicloud/trail.tf alicloud_oss_bucket.trail Ensure the OSS bucket has access logging enabled
17 CKV_ALI_11 /alicloud/trail.tf alicloud_oss_bucket.trail Ensure OSS bucket has transfer Acceleration enabled
18 CKV_ALI_6 /alicloud/trail.tf alicloud_oss_bucket.trail Ensure OSS bucket is encrypted with Customer Master Key
19 CKV_AWS_157 /aws/db-app.tf aws_db_instance.default Ensure that RDS instances have Multi-AZ enabled https://docs.bridgecrew.io/docs/general_73
20 CKV_AWS_161 /aws/db-app.tf aws_db_instance.default Ensure RDS database has IAM authentication enabled https://docs.bridgecrew.io/docs/ensure-rds-database-has-iam-authentication-enabled
21 CKV_AWS_16 /aws/db-app.tf aws_db_instance.default Ensure all data stored in the RDS is securely encrypted at rest https://docs.bridgecrew.io/docs/general_4
22 CKV_AWS_226 /aws/db-app.tf aws_db_instance.default Ensure DB instance gets all minor upgrades automatically
23 CKV_AWS_17 /aws/db-app.tf aws_db_instance.default Ensure all data stored in RDS is not publicly accessible https://docs.bridgecrew.io/docs/public_2
24 CKV_AWS_118 /aws/db-app.tf aws_db_instance.default Ensure that enhanced monitoring is enabled for Amazon RDS instances https://docs.bridgecrew.io/docs/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances
25 CKV_AWS_129 /aws/db-app.tf aws_db_instance.default Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled https://docs.bridgecrew.io/docs/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled
26 CKV_AWS_133 /aws/db-app.tf aws_db_instance.default Ensure that RDS instances has backup policy https://docs.bridgecrew.io/docs/ensure-that-rds-instances-have-backup-policy
27 CKV_AWS_23 /aws/db-app.tf aws_security_group.default Ensure every security groups rule has a description https://docs.bridgecrew.io/docs/networking_31
28 CKV_AWS_23 /aws/db-app.tf aws_security_group_rule.ingress Ensure every security groups rule has a description https://docs.bridgecrew.io/docs/networking_31
29 CKV_AWS_23 /aws/db-app.tf aws_security_group_rule.egress Ensure every security groups rule has a description https://docs.bridgecrew.io/docs/networking_31
30 CKV_AWS_79 /aws/db-app.tf aws_instance.db_app Ensure Instance Metadata Service Version 1 is not enabled https://docs.bridgecrew.io/docs/bc_aws_general_31
31 CKV_AWS_135 /aws/db-app.tf aws_instance.db_app Ensure that EC2 is EBS optimized https://docs.bridgecrew.io/docs/ensure-that-ec2-is-ebs-optimized
32 CKV_AWS_8 /aws/db-app.tf aws_instance.db_app Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted https://docs.bridgecrew.io/docs/general_13
33 CKV_AWS_126 /aws/db-app.tf aws_instance.db_app Ensure that detailed monitoring is enabled for EC2 instances https://docs.bridgecrew.io/docs/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances
34 CKV_AWS_79 /aws/ec2.tf aws_instance.web_host Ensure Instance Metadata Service Version 1 is not enabled https://docs.bridgecrew.io/docs/bc_aws_general_31
35 CKV_AWS_135 /aws/ec2.tf aws_instance.web_host Ensure that EC2 is EBS optimized https://docs.bridgecrew.io/docs/ensure-that-ec2-is-ebs-optimized
36 CKV_AWS_8 /aws/ec2.tf aws_instance.web_host Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted https://docs.bridgecrew.io/docs/general_13
37 CKV_AWS_46 /aws/ec2.tf aws_instance.web_host Ensure no hard-coded secrets exist in EC2 user data https://docs.bridgecrew.io/docs/bc_aws_secrets_1
38 CKV_AWS_126 /aws/ec2.tf aws_instance.web_host Ensure that detailed monitoring is enabled for EC2 instances https://docs.bridgecrew.io/docs/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances
39 CKV_AWS_3 /aws/ec2.tf aws_ebs_volume.web_host_storage Ensure all data stored in the EBS is securely encrypted https://docs.bridgecrew.io/docs/general_3-encrypt-eps-volume
40 CKV_AWS_189 /aws/ec2.tf aws_ebs_volume.web_host_storage Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK) https://docs.bridgecrew.io/docs/bc_aws_general_109
41 CKV_AWS_23 /aws/ec2.tf aws_security_group.web-node Ensure every security groups rule has a description https://docs.bridgecrew.io/docs/networking_31
42 CKV_AWS_260 /aws/ec2.tf aws_security_group.web-node Ensure no security groups allow ingress from 0.0.0.0:0 to port 80
43 CKV_AWS_24 /aws/ec2.tf aws_security_group.web-node Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 https://docs.bridgecrew.io/docs/networking_1-port-security
44 CKV_AWS_130 /aws/ec2.tf aws_subnet.web_subnet Ensure VPC subnets do not assign public IP by default https://docs.bridgecrew.io/docs/ensure-vpc-subnets-do-not-assign-public-ip-by-default
45 CKV_AWS_130 /aws/ec2.tf aws_subnet.web_subnet2 Ensure VPC subnets do not assign public IP by default https://docs.bridgecrew.io/docs/ensure-vpc-subnets-do-not-assign-public-ip-by-default
46 CKV_AWS_136 /aws/ecr.tf aws_ecr_repository.repository Ensure that ECR repositories are encrypted using KMS https://docs.bridgecrew.io/docs/ensure-that-ecr-repositories-are-encrypted
47 CKV_AWS_51 /aws/ecr.tf aws_ecr_repository.repository Ensure ECR Image Tags are immutable https://docs.bridgecrew.io/docs/bc_aws_general_24
48 CKV_AWS_163 /aws/ecr.tf aws_ecr_repository.repository Ensure ECR image scanning on push is enabled https://docs.bridgecrew.io/docs/general_8
49 CKV_AWS_130 /aws/eks.tf aws_subnet.eks_subnet1 Ensure VPC subnets do not assign public IP by default https://docs.bridgecrew.io/docs/ensure-vpc-subnets-do-not-assign-public-ip-by-default
50 CKV_AWS_130 /aws/eks.tf aws_subnet.eks_subnet2 Ensure VPC subnets do not assign public IP by default https://docs.bridgecrew.io/docs/ensure-vpc-subnets-do-not-assign-public-ip-by-default
51 CKV_AWS_39 /aws/eks.tf aws_eks_cluster.eks_cluster Ensure Amazon EKS public endpoint disabled https://docs.bridgecrew.io/docs/bc_aws_kubernetes_2
52 CKV_AWS_38 /aws/eks.tf aws_eks_cluster.eks_cluster Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0 https://docs.bridgecrew.io/docs/bc_aws_kubernetes_1
53 CKV_AWS_37 /aws/eks.tf aws_eks_cluster.eks_cluster Ensure Amazon EKS control plane logging enabled for all log types https://docs.bridgecrew.io/docs/bc_aws_kubernetes_4
54 CKV_AWS_58 /aws/eks.tf aws_eks_cluster.eks_cluster Ensure EKS Cluster has Secrets Encryption Enabled https://docs.bridgecrew.io/docs/bc_aws_kubernetes_3
55 CKV_AWS_127 /aws/elb.tf aws_elb.weblb Ensure that Elastic Load Balancer(s) uses SSL certificates provided by AWS Certificate Manager https://docs.bridgecrew.io/docs/ensure-that-elastic-load-balancers-uses-ssl-certificates-provided-by-aws-certificate-manager
56 CKV_AWS_92 /aws/elb.tf aws_elb.weblb Ensure the ELB has access logging enabled https://docs.bridgecrew.io/docs/bc_aws_logging_23
57 CKV_AWS_111 /aws/es.tf aws_iam_policy_document.policy Ensure IAM policies does not allow write access without constraints https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-write-access-without-constraint
58 CKV_AWS_109 /aws/es.tf aws_iam_policy_document.policy Ensure IAM policies does not allow permissions management / resource exposure without constraints https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint
59 CKV_AWS_137 /aws/es.tf aws_elasticsearch_domain.monitoring-framework Ensure that Elasticsearch is configured inside a VPC https://docs.bridgecrew.io/docs/ensure-that-elasticsearch-is-configured-inside-a-vpc
60 CKV_AWS_247 /aws/es.tf aws_elasticsearch_domain.monitoring-framework Ensure all data stored in the Elasticsearch is encrypted with a CMK
61 CKV_AWS_248 /aws/es.tf aws_elasticsearch_domain.monitoring-framework Ensure that Elasticsearch is not using the default Security Group
62 CKV_AWS_228 /aws/es.tf aws_elasticsearch_domain.monitoring-framework Verify Elasticsearch domain is using an up to date TLS policy
63 CKV_AWS_84 /aws/es.tf aws_elasticsearch_domain.monitoring-framework Ensure Elasticsearch Domain Logging is enabled https://docs.bridgecrew.io/docs/elasticsearch_7
64 CKV_AWS_5 /aws/es.tf aws_elasticsearch_domain.monitoring-framework Ensure all data stored in the Elasticsearch is securely encrypted at rest https://docs.bridgecrew.io/docs/elasticsearch_3-enable-encryptionatrest
65 CKV_AWS_7 /aws/kms.tf aws_kms_key.logs_key Ensure rotation for customer created CMKs is enabled https://docs.bridgecrew.io/docs/logging_8
66 CKV_AWS_115 /aws/lambda.tf aws_lambda_function.analysis_lambda Ensure that AWS Lambda function is configured for function-level concurrent execution limit https://docs.bridgecrew.io/docs/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit
67 CKV_AWS_45 /aws/lambda.tf aws_lambda_function.analysis_lambda Ensure no hard-coded secrets exist in lambda environment https://docs.bridgecrew.io/docs/bc_aws_secrets_3
68 CKV_AWS_50 /aws/lambda.tf aws_lambda_function.analysis_lambda X-ray tracing is enabled for Lambda https://docs.bridgecrew.io/docs/bc_aws_serverless_4
69 CKV_AWS_117 /aws/lambda.tf aws_lambda_function.analysis_lambda Ensure that AWS Lambda function is configured inside a VPC https://docs.bridgecrew.io/docs/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1
70 CKV_AWS_173 /aws/lambda.tf aws_lambda_function.analysis_lambda Check encryption settings for Lambda environmental variable https://docs.bridgecrew.io/docs/bc_aws_serverless_5
71 CKV_AWS_116 /aws/lambda.tf aws_lambda_function.analysis_lambda Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ) https://docs.bridgecrew.io/docs/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq
72 CKV_AWS_44 /aws/neptune.tf aws_neptune_cluster.default Ensure Neptune storage is securely encrypted https://docs.bridgecrew.io/docs/general_18
73 CKV_AWS_101 /aws/neptune.tf aws_neptune_cluster.default Ensure Neptune logging is enabled https://docs.bridgecrew.io/docs/bc_aws_logging_24
74 CKV_AWS_41 /aws/providers.tf aws.plain_text_access_keys_provider Ensure no hard coded AWS access key and secret key exists in provider https://docs.bridgecrew.io/docs/bc_aws_secrets_5
75 CKV_AWS_128 /aws/rds.tf aws_rds_cluster.app1-rds-cluster Ensure that an Amazon RDS Clusters have AWS Identity and Access Management (IAM) authentication enabled https://docs.bridgecrew.io/docs/ensure-that-an-amazon-rds-clusters-have-iam-authentication-enabled
76 CKV_AWS_139 /aws/rds.tf aws_rds_cluster.app1-rds-cluster Ensure that RDS clusters have deletion protection enabled https://docs.bridgecrew.io/docs/ensure-that-rds-clusters-and-instances-have-deletion-protection-enabled
77 CKV_AWS_96 /aws/rds.tf aws_rds_cluster.app1-rds-cluster Ensure all data stored in Aurora is securely encrypted at rest https://docs.bridgecrew.io/docs/bc_aws_general_38
78 CKV_AWS_162 /aws/rds.tf aws_rds_cluster.app1-rds-cluster Ensure RDS cluster has IAM authentication enabled https://docs.bridgecrew.io/docs/ensure-rds-cluster-has-iam-authentication-enabled
79 CKV_AWS_133 /aws/rds.tf aws_rds_cluster.app1-rds-cluster Ensure that RDS instances has backup policy https://docs.bridgecrew.io/docs/ensure-that-rds-instances-have-backup-policy
80 CKV_AWS_128 /aws/rds.tf aws_rds_cluster.app2-rds-cluster Ensure that an Amazon RDS Clusters have AWS Identity and Access Management (IAM) authentication enabled https://docs.bridgecrew.io/docs/ensure-that-an-amazon-rds-clusters-have-iam-authentication-enabled
81 CKV_AWS_139 /aws/rds.tf aws_rds_cluster.app2-rds-cluster Ensure that RDS clusters have deletion protection enabled https://docs.bridgecrew.io/docs/ensure-that-rds-clusters-and-instances-have-deletion-protection-enabled
82 CKV_AWS_96 /aws/rds.tf aws_rds_cluster.app2-rds-cluster Ensure all data stored in Aurora is securely encrypted at rest https://docs.bridgecrew.io/docs/bc_aws_general_38
83 CKV_AWS_162 /aws/rds.tf aws_rds_cluster.app2-rds-cluster Ensure RDS cluster has IAM authentication enabled https://docs.bridgecrew.io/docs/ensure-rds-cluster-has-iam-authentication-enabled
84 CKV_AWS_128 /aws/rds.tf aws_rds_cluster.app3-rds-cluster Ensure that an Amazon RDS Clusters have AWS Identity and Access Management (IAM) authentication enabled https://docs.bridgecrew.io/docs/ensure-that-an-amazon-rds-clusters-have-iam-authentication-enabled
85 CKV_AWS_139 /aws/rds.tf aws_rds_cluster.app3-rds-cluster Ensure that RDS clusters have deletion protection enabled https://docs.bridgecrew.io/docs/ensure-that-rds-clusters-and-instances-have-deletion-protection-enabled
86 CKV_AWS_96 /aws/rds.tf aws_rds_cluster.app3-rds-cluster Ensure all data stored in Aurora is securely encrypted at rest https://docs.bridgecrew.io/docs/bc_aws_general_38
87 CKV_AWS_162 /aws/rds.tf aws_rds_cluster.app3-rds-cluster Ensure RDS cluster has IAM authentication enabled https://docs.bridgecrew.io/docs/ensure-rds-cluster-has-iam-authentication-enabled
88 CKV_AWS_128 /aws/rds.tf aws_rds_cluster.app4-rds-cluster Ensure that an Amazon RDS Clusters have AWS Identity and Access Management (IAM) authentication enabled https://docs.bridgecrew.io/docs/ensure-that-an-amazon-rds-clusters-have-iam-authentication-enabled
89 CKV_AWS_139 /aws/rds.tf aws_rds_cluster.app4-rds-cluster Ensure that RDS clusters have deletion protection enabled https://docs.bridgecrew.io/docs/ensure-that-rds-clusters-and-instances-have-deletion-protection-enabled
90 CKV_AWS_96 /aws/rds.tf aws_rds_cluster.app4-rds-cluster Ensure all data stored in Aurora is securely encrypted at rest https://docs.bridgecrew.io/docs/bc_aws_general_38
91 CKV_AWS_162 /aws/rds.tf aws_rds_cluster.app4-rds-cluster Ensure RDS cluster has IAM authentication enabled https://docs.bridgecrew.io/docs/ensure-rds-cluster-has-iam-authentication-enabled
92 CKV_AWS_128 /aws/rds.tf aws_rds_cluster.app5-rds-cluster Ensure that an Amazon RDS Clusters have AWS Identity and Access Management (IAM) authentication enabled https://docs.bridgecrew.io/docs/ensure-that-an-amazon-rds-clusters-have-iam-authentication-enabled
93 CKV_AWS_139 /aws/rds.tf aws_rds_cluster.app5-rds-cluster Ensure that RDS clusters have deletion protection enabled https://docs.bridgecrew.io/docs/ensure-that-rds-clusters-and-instances-have-deletion-protection-enabled
94 CKV_AWS_96 /aws/rds.tf aws_rds_cluster.app5-rds-cluster Ensure all data stored in Aurora is securely encrypted at rest https://docs.bridgecrew.io/docs/bc_aws_general_38
95 CKV_AWS_162 /aws/rds.tf aws_rds_cluster.app5-rds-cluster Ensure RDS cluster has IAM authentication enabled https://docs.bridgecrew.io/docs/ensure-rds-cluster-has-iam-authentication-enabled
96 CKV_AWS_128 /aws/rds.tf aws_rds_cluster.app6-rds-cluster Ensure that an Amazon RDS Clusters have AWS Identity and Access Management (IAM) authentication enabled https://docs.bridgecrew.io/docs/ensure-that-an-amazon-rds-clusters-have-iam-authentication-enabled
97 CKV_AWS_139 /aws/rds.tf aws_rds_cluster.app6-rds-cluster Ensure that RDS clusters have deletion protection enabled https://docs.bridgecrew.io/docs/ensure-that-rds-clusters-and-instances-have-deletion-protection-enabled
98 CKV_AWS_96 /aws/rds.tf aws_rds_cluster.app6-rds-cluster Ensure all data stored in Aurora is securely encrypted at rest https://docs.bridgecrew.io/docs/bc_aws_general_38
99 CKV_AWS_162 /aws/rds.tf aws_rds_cluster.app6-rds-cluster Ensure RDS cluster has IAM authentication enabled https://docs.bridgecrew.io/docs/ensure-rds-cluster-has-iam-authentication-enabled
100 CKV_AWS_128 /aws/rds.tf aws_rds_cluster.app7-rds-cluster Ensure that an Amazon RDS Clusters have AWS Identity and Access Management (IAM) authentication enabled https://docs.bridgecrew.io/docs/ensure-that-an-amazon-rds-clusters-have-iam-authentication-enabled
101 CKV_AWS_139 /aws/rds.tf aws_rds_cluster.app7-rds-cluster Ensure that RDS clusters have deletion protection enabled https://docs.bridgecrew.io/docs/ensure-that-rds-clusters-and-instances-have-deletion-protection-enabled
102 CKV_AWS_96 /aws/rds.tf aws_rds_cluster.app7-rds-cluster Ensure all data stored in Aurora is securely encrypted at rest https://docs.bridgecrew.io/docs/bc_aws_general_38
103 CKV_AWS_162 /aws/rds.tf aws_rds_cluster.app7-rds-cluster Ensure RDS cluster has IAM authentication enabled https://docs.bridgecrew.io/docs/ensure-rds-cluster-has-iam-authentication-enabled
104 CKV_AWS_128 /aws/rds.tf aws_rds_cluster.app8-rds-cluster Ensure that an Amazon RDS Clusters have AWS Identity and Access Management (IAM) authentication enabled https://docs.bridgecrew.io/docs/ensure-that-an-amazon-rds-clusters-have-iam-authentication-enabled
105 CKV_AWS_139 /aws/rds.tf aws_rds_cluster.app8-rds-cluster Ensure that RDS clusters have deletion protection enabled https://docs.bridgecrew.io/docs/ensure-that-rds-clusters-and-instances-have-deletion-protection-enabled
106 CKV_AWS_96 /aws/rds.tf aws_rds_cluster.app8-rds-cluster Ensure all data stored in Aurora is securely encrypted at rest https://docs.bridgecrew.io/docs/bc_aws_general_38
107 CKV_AWS_162 /aws/rds.tf aws_rds_cluster.app8-rds-cluster Ensure RDS cluster has IAM authentication enabled https://docs.bridgecrew.io/docs/ensure-rds-cluster-has-iam-authentication-enabled
108 CKV_AWS_128 /aws/rds.tf aws_rds_cluster.app9-rds-cluster Ensure that an Amazon RDS Clusters have AWS Identity and Access Management (IAM) authentication enabled https://docs.bridgecrew.io/docs/ensure-that-an-amazon-rds-clusters-have-iam-authentication-enabled
109 CKV_AWS_139 /aws/rds.tf aws_rds_cluster.app9-rds-cluster Ensure that RDS clusters have deletion protection enabled https://docs.bridgecrew.io/docs/ensure-that-rds-clusters-and-instances-have-deletion-protection-enabled
110 CKV_AWS_96 /aws/rds.tf aws_rds_cluster.app9-rds-cluster Ensure all data stored in Aurora is securely encrypted at rest https://docs.bridgecrew.io/docs/bc_aws_general_38
111 CKV_AWS_162 /aws/rds.tf aws_rds_cluster.app9-rds-cluster Ensure RDS cluster has IAM authentication enabled https://docs.bridgecrew.io/docs/ensure-rds-cluster-has-iam-authentication-enabled
112 CKV_AWS_186 /aws/s3.tf aws_s3_bucket_object.data_object Ensure S3 bucket Object is encrypted by KMS using a customer managed Key (CMK) https://docs.bridgecrew.io/docs/bc_aws_general_106
113 CKV_AZURE_116 /azure/aks.tf azurerm_kubernetes_cluster.k8s_cluster Ensure that AKS uses Azure Policies Add-on https://docs.bridgecrew.io/docs/ensure-that-aks-uses-azure-policies-add-on
114 CKV_AZURE_8 /azure/aks.tf azurerm_kubernetes_cluster.k8s_cluster Ensure Kubernetes Dashboard is disabled https://docs.bridgecrew.io/docs/bc_azr_kubernetes_5
115 CKV_AZURE_4 /azure/aks.tf azurerm_kubernetes_cluster.k8s_cluster Ensure AKS logging to Azure Monitoring is Configured https://docs.bridgecrew.io/docs/bc_azr_kubernetes_1
116 CKV_AZURE_117 /azure/aks.tf azurerm_kubernetes_cluster.k8s_cluster Ensure that AKS uses disk encryption set https://docs.bridgecrew.io/docs/ensure-that-aks-uses-disk-encryption-set
117 CKV_AZURE_115 /azure/aks.tf azurerm_kubernetes_cluster.k8s_cluster Ensure that AKS enables private clusters https://docs.bridgecrew.io/docs/ensure-that-aks-enables-private-clusters
118 CKV_AZURE_141 /azure/aks.tf azurerm_kubernetes_cluster.k8s_cluster Ensure AKS local admin account is disabled
119 CKV_AZURE_7 /azure/aks.tf azurerm_kubernetes_cluster.k8s_cluster Ensure AKS cluster has Network Policy configured https://docs.bridgecrew.io/docs/bc_azr_kubernetes_4
120 CKV_AZURE_6 /azure/aks.tf azurerm_kubernetes_cluster.k8s_cluster Ensure AKS has an API Server Authorized IP Ranges enabled https://docs.bridgecrew.io/docs/bc_azr_kubernetes_3
121 CKV_AZURE_5 /azure/aks.tf azurerm_kubernetes_cluster.k8s_cluster Ensure RBAC is enabled on AKS clusters https://docs.bridgecrew.io/docs/bc_azr_kubernetes_2
122 CKV_AZURE_15 /azure/app_service.tf azurerm_app_service.app-service1 Ensure web app is using the latest version of TLS encryption https://docs.bridgecrew.io/docs/bc_azr_networking_6
123 CKV_AZURE_78 /azure/app_service.tf azurerm_app_service.app-service1 Ensure FTP deployments are disabled https://docs.bridgecrew.io/docs/ensure-ftp-deployments-are-disabled
124 CKV_AZURE_18 /azure/app_service.tf azurerm_app_service.app-service1 Ensure that 'HTTP Version' is the latest if used to run the web app https://docs.bridgecrew.io/docs/bc_azr_networking_8
125 CKV_AZURE_88 /azure/app_service.tf azurerm_app_service.app-service1 Ensure that app services use Azure Files https://docs.bridgecrew.io/docs/ensure-that-app-services-use-azure-files
126 CKV_AZURE_13 /azure/app_service.tf azurerm_app_service.app-service1 Ensure App Service Authentication is set on Azure App Service https://docs.bridgecrew.io/docs/bc_azr_general_2
127 CKV_AZURE_71 /azure/app_service.tf azurerm_app_service.app-service1 Ensure that Managed identity provider is enabled for app services https://docs.bridgecrew.io/docs/ensure-that-managed-identity-provider-is-enabled-for-app-services
128 CKV_AZURE_80 /azure/app_service.tf azurerm_app_service.app-service1 Ensure that 'Net Framework' version is the latest, if used as a part of the web app https://docs.bridgecrew.io/docs/ensure-that-net-framework-version-is-the-latest-if-used-as-a-part-of-the-web-app
129 CKV_AZURE_65 /azure/app_service.tf azurerm_app_service.app-service1 Ensure that App service enables detailed error messages https://docs.bridgecrew.io/docs/tbdensure-that-app-service-enables-detailed-error-messages
130 CKV_AZURE_63 /azure/app_service.tf azurerm_app_service.app-service1 Ensure that App service enables HTTP logging https://docs.bridgecrew.io/docs/ensure-that-app-service-enables-http-logging
131 CKV_AZURE_17 /azure/app_service.tf azurerm_app_service.app-service1 Ensure the web app has 'Client Certificates (Incoming client certificates)' set https://docs.bridgecrew.io/docs/bc_azr_networking_7
132 CKV_AZURE_16 /azure/app_service.tf azurerm_app_service.app-service1 Ensure that Register with Azure Active Directory is enabled on App Service https://docs.bridgecrew.io/docs/bc_azr_iam_1
133 CKV_AZURE_66 /azure/app_service.tf azurerm_app_service.app-service1 Ensure that App service enables failed request tracing https://docs.bridgecrew.io/docs/ensure-that-app-service-enables-failed-request-tracing
134 CKV_AZURE_14 /azure/app_service.tf azurerm_app_service.app-service1 Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service https://docs.bridgecrew.io/docs/bc_azr_networking_5
135 CKV_AZURE_78 /azure/app_service.tf azurerm_app_service.app-service2 Ensure FTP deployments are disabled https://docs.bridgecrew.io/docs/ensure-ftp-deployments-are-disabled
136 CKV_AZURE_18 /azure/app_service.tf azurerm_app_service.app-service2 Ensure that 'HTTP Version' is the latest if used to run the web app https://docs.bridgecrew.io/docs/bc_azr_networking_8
137 CKV_AZURE_88 /azure/app_service.tf azurerm_app_service.app-service2 Ensure that app services use Azure Files https://docs.bridgecrew.io/docs/ensure-that-app-services-use-azure-files
138 CKV_AZURE_13 /azure/app_service.tf azurerm_app_service.app-service2 Ensure App Service Authentication is set on Azure App Service https://docs.bridgecrew.io/docs/bc_azr_general_2
139 CKV_AZURE_71 /azure/app_service.tf azurerm_app_service.app-service2 Ensure that Managed identity provider is enabled for app services https://docs.bridgecrew.io/docs/ensure-that-managed-identity-provider-is-enabled-for-app-services
140 CKV_AZURE_80 /azure/app_service.tf azurerm_app_service.app-service2 Ensure that 'Net Framework' version is the latest, if used as a part of the web app https://docs.bridgecrew.io/docs/ensure-that-net-framework-version-is-the-latest-if-used-as-a-part-of-the-web-app
141 CKV_AZURE_65 /azure/app_service.tf azurerm_app_service.app-service2 Ensure that App service enables detailed error messages https://docs.bridgecrew.io/docs/tbdensure-that-app-service-enables-detailed-error-messages
142 CKV_AZURE_63 /azure/app_service.tf azurerm_app_service.app-service2 Ensure that App service enables HTTP logging https://docs.bridgecrew.io/docs/ensure-that-app-service-enables-http-logging
143 CKV_AZURE_17 /azure/app_service.tf azurerm_app_service.app-service2 Ensure the web app has 'Client Certificates (Incoming client certificates)' set https://docs.bridgecrew.io/docs/bc_azr_networking_7
144 CKV_AZURE_16 /azure/app_service.tf azurerm_app_service.app-service2 Ensure that Register with Azure Active Directory is enabled on App Service https://docs.bridgecrew.io/docs/bc_azr_iam_1
145 CKV_AZURE_66 /azure/app_service.tf azurerm_app_service.app-service2 Ensure that App service enables failed request tracing https://docs.bridgecrew.io/docs/ensure-that-app-service-enables-failed-request-tracing
146 CKV_AZURE_1 /azure/instance.tf azurerm_linux_virtual_machine.linux_machine Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) https://docs.bridgecrew.io/docs/bc_azr_networking_1
147 CKV_AZURE_50 /azure/instance.tf azurerm_linux_virtual_machine.linux_machine Ensure Virtual Machine Extensions are not Installed https://docs.bridgecrew.io/docs/bc_azr_general_14
148 CKV_AZURE_149 /azure/instance.tf azurerm_linux_virtual_machine.linux_machine Ensure that Virtual machine does not enable password authentication
149 CKV_AZURE_151 /azure/instance.tf azurerm_windows_virtual_machine.windows_machine Ensure Windows VM enables encryption
150 CKV_AZURE_50 /azure/instance.tf azurerm_windows_virtual_machine.windows_machine Ensure Virtual Machine Extensions are not Installed https://docs.bridgecrew.io/docs/bc_azr_general_14
151 CKV_AZURE_109 /azure/key_vault.tf azurerm_key_vault.example Ensure that key vault allows firewall rules settings https://docs.bridgecrew.io/docs/ensure-that-key-vault-allows-firewall-rules-settings
152 CKV_AZURE_42 /azure/key_vault.tf azurerm_key_vault.example Ensure the key vault is recoverable https://docs.bridgecrew.io/docs/ensure-the-key-vault-is-recoverable
153 CKV_AZURE_110 /azure/key_vault.tf azurerm_key_vault.example Ensure that key vault enables purge protection https://docs.bridgecrew.io/docs/ensure-that-key-vault-enables-purge-protection
154 CKV_AZURE_112 /azure/key_vault.tf azurerm_key_vault_key.generated Ensure that key vault key is backed by HSM https://docs.bridgecrew.io/docs/ensure-that-key-vault-key-is-backed-by-hsm
155 CKV_AZURE_40 /azure/key_vault.tf azurerm_key_vault_key.generated Ensure that the expiration date is set on all keys https://docs.bridgecrew.io/docs/set-an-expiration-date-on-all-keys
156 CKV_AZURE_114 /azure/key_vault.tf azurerm_key_vault_secret.secret Ensure that key vault secrets have "content_type" set https://docs.bridgecrew.io/docs/ensure-that-key-vault-secrets-have-content_type-set
157 CKV_AZURE_41 /azure/key_vault.tf azurerm_key_vault_secret.secret Ensure that the expiration date is set on all secrets https://docs.bridgecrew.io/docs/set-an-expiration-date-on-all-secrets
158 CKV_AZURE_38 /azure/logging.tf azurerm_monitor_log_profile.logging_profile Ensure audit profile captures all the activities https://docs.bridgecrew.io/docs/ensure-audit-profile-captures-all-activities
159 CKV_AZURE_37 /azure/logging.tf azurerm_monitor_log_profile.logging_profile Ensure that Activity Log Retention is set 365 days or greater https://docs.bridgecrew.io/docs/set-activity-log-retention-to-365-days-or-greater
160 CKV_AZURE_35 /azure/mssql.tf azurerm_storage_account.security_storage_account Ensure default network access rule for Storage Accounts is set to deny https://docs.bridgecrew.io/docs/set-default-network-access-rule-for-storage-accounts-to-deny
161 CKV_AZURE_33 /azure/mssql.tf azurerm_storage_account.security_storage_account Ensure Storage logging is enabled for Queue service for read, write and delete requests https://docs.bridgecrew.io/docs/enable-requests-on-storage-logging-for-queue-service
162 CKV_AZURE_44 /azure/mssql.tf azurerm_storage_account.security_storage_account Ensure Storage Account is using the latest version of TLS encryption https://docs.bridgecrew.io/docs/bc_azr_storage_2
163 CKV_AZURE_52 /azure/mssql.tf azurerm_mssql_server.mssql1 Ensure MSSQL is using the latest version of TLS encryption https://docs.bridgecrew.io/docs/ensure-mssql-is-using-the-latest-version-of-tls-encryption
164 CKV_AZURE_113 /azure/mssql.tf azurerm_mssql_server.mssql1 Ensure that SQL server disables public network access https://docs.bridgecrew.io/docs/ensure-that-sql-server-disables-public-network-access
165 CKV_AZURE_52 /azure/mssql.tf azurerm_mssql_server.mssql2 Ensure MSSQL is using the latest version of TLS encryption https://docs.bridgecrew.io/docs/ensure-mssql-is-using-the-latest-version-of-tls-encryption
166 CKV_AZURE_113 /azure/mssql.tf azurerm_mssql_server.mssql2 Ensure that SQL server disables public network access https://docs.bridgecrew.io/docs/ensure-that-sql-server-disables-public-network-access
167 CKV_AZURE_52 /azure/mssql.tf azurerm_mssql_server.mssql3 Ensure MSSQL is using the latest version of TLS encryption https://docs.bridgecrew.io/docs/ensure-mssql-is-using-the-latest-version-of-tls-encryption
168 CKV_AZURE_113 /azure/mssql.tf azurerm_mssql_server.mssql3 Ensure that SQL server disables public network access https://docs.bridgecrew.io/docs/ensure-that-sql-server-disables-public-network-access
169 CKV_AZURE_52 /azure/mssql.tf azurerm_mssql_server.mssql4 Ensure MSSQL is using the latest version of TLS encryption https://docs.bridgecrew.io/docs/ensure-mssql-is-using-the-latest-version-of-tls-encryption
170 CKV_AZURE_113 /azure/mssql.tf azurerm_mssql_server.mssql4 Ensure that SQL server disables public network access https://docs.bridgecrew.io/docs/ensure-that-sql-server-disables-public-network-access
171 CKV_AZURE_52 /azure/mssql.tf azurerm_mssql_server.mssql5 Ensure MSSQL is using the latest version of TLS encryption https://docs.bridgecrew.io/docs/ensure-mssql-is-using-the-latest-version-of-tls-encryption
172 CKV_AZURE_113 /azure/mssql.tf azurerm_mssql_server.mssql5 Ensure that SQL server disables public network access https://docs.bridgecrew.io/docs/ensure-that-sql-server-disables-public-network-access
173 CKV_AZURE_52 /azure/mssql.tf azurerm_mssql_server.mssql6 Ensure MSSQL is using the latest version of TLS encryption https://docs.bridgecrew.io/docs/ensure-mssql-is-using-the-latest-version-of-tls-encryption
174 CKV_AZURE_113 /azure/mssql.tf azurerm_mssql_server.mssql6 Ensure that SQL server disables public network access https://docs.bridgecrew.io/docs/ensure-that-sql-server-disables-public-network-access
175 CKV_AZURE_52 /azure/mssql.tf azurerm_mssql_server.mssql7 Ensure MSSQL is using the latest version of TLS encryption https://docs.bridgecrew.io/docs/ensure-mssql-is-using-the-latest-version-of-tls-encryption
176 CKV_AZURE_113 /azure/mssql.tf azurerm_mssql_server.mssql7 Ensure that SQL server disables public network access https://docs.bridgecrew.io/docs/ensure-that-sql-server-disables-public-network-access
177 CKV_AZURE_25 /azure/mssql.tf azurerm_mssql_server_security_alert_policy.alertpolicy1 Ensure that 'Threat Detection types' is set to 'All' https://docs.bridgecrew.io/docs/bc_azr_general_6
178 CKV_AZURE_27 /azure/mssql.tf azurerm_mssql_server_security_alert_policy.alertpolicy1 Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers https://docs.bridgecrew.io/docs/bc_azr_general_8
179 CKV_AZURE_25 /azure/mssql.tf azurerm_mssql_server_security_alert_policy.alertpolicy2 Ensure that 'Threat Detection types' is set to 'All' https://docs.bridgecrew.io/docs/bc_azr_general_6
180 CKV_AZURE_27 /azure/mssql.tf azurerm_mssql_server_security_alert_policy.alertpolicy2 Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers https://docs.bridgecrew.io/docs/bc_azr_general_8
181 CKV_AZURE_25 /azure/mssql.tf azurerm_mssql_server_security_alert_policy.alertpolicy3 Ensure that 'Threat Detection types' is set to 'All' https://docs.bridgecrew.io/docs/bc_azr_general_6
182 CKV_AZURE_27 /azure/mssql.tf azurerm_mssql_server_security_alert_policy.alertpolicy3 Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers https://docs.bridgecrew.io/docs/bc_azr_general_8
183 CKV_AZURE_25 /azure/mssql.tf azurerm_mssql_server_security_alert_policy.alertpolicy4 Ensure that 'Threat Detection types' is set to 'All' https://docs.bridgecrew.io/docs/bc_azr_general_6
184 CKV_AZURE_27 /azure/mssql.tf azurerm_mssql_server_security_alert_policy.alertpolicy4 Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers https://docs.bridgecrew.io/docs/bc_azr_general_8
185 CKV_AZURE_25 /azure/mssql.tf azurerm_mssql_server_security_alert_policy.alertpolicy5 Ensure that 'Threat Detection types' is set to 'All' https://docs.bridgecrew.io/docs/bc_azr_general_6
186 CKV_AZURE_26 /azure/mssql.tf azurerm_mssql_server_security_alert_policy.alertpolicy5 Ensure that 'Send Alerts To' is enabled for MSSQL servers https://docs.bridgecrew.io/docs/bc_azr_general_7
187 CKV_AZURE_27 /azure/mssql.tf azurerm_mssql_server_security_alert_policy.alertpolicy5 Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers https://docs.bridgecrew.io/docs/bc_azr_general_8
188 CKV_AZURE_25 /azure/mssql.tf azurerm_mssql_server_security_alert_policy.alertpolicy6 Ensure that 'Threat Detection types' is set to 'All' https://docs.bridgecrew.io/docs/bc_azr_general_6
189 CKV_AZURE_27 /azure/mssql.tf azurerm_mssql_server_security_alert_policy.alertpolicy6 Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers https://docs.bridgecrew.io/docs/bc_azr_general_8
190 CKV_AZURE_25 /azure/mssql.tf azurerm_mssql_server_security_alert_policy.alertpolicy7 Ensure that 'Threat Detection types' is set to 'All' https://docs.bridgecrew.io/docs/bc_azr_general_6
191 CKV_AZURE_27 /azure/mssql.tf azurerm_mssql_server_security_alert_policy.alertpolicy7 Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers https://docs.bridgecrew.io/docs/bc_azr_general_8
192 CKV_AZURE_10 /azure/networking.tf azurerm_network_security_group.bad_sg Ensure that SSH access is restricted from the internet https://docs.bridgecrew.io/docs/bc_azr_networking_3
193 CKV_AZURE_9 /azure/networking.tf azurerm_network_security_group.bad_sg Ensure that RDP access is restricted from the internet https://docs.bridgecrew.io/docs/bc_azr_networking_2
194 CKV_AZURE_12 /azure/networking.tf azurerm_network_watcher_flow_log.flow_log Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' https://docs.bridgecrew.io/docs/bc_azr_logging_1
195 CKV_AZURE_39 /azure/roles.tf azurerm_role_definition.example Ensure that no custom subscription owner roles are created https://docs.bridgecrew.io/docs/do-not-create-custom-subscription-owner-roles
196 CKV_AZURE_19 /azure/security_center.tf azurerm_security_center_subscription_pricing.pricing Ensure that standard pricing tier is selected https://docs.bridgecrew.io/docs/ensure-standard-pricing-tier-is-selected
197 CKV_AZURE_20 /azure/security_center.tf azurerm_security_center_contact.contact Ensure that security contact 'Phone number' is set https://docs.bridgecrew.io/docs/bc_azr_general_3
198 CKV_AZURE_22 /azure/security_center.tf azurerm_security_center_contact.contact Ensure that 'Send email notification for high severity alerts' is set to 'On' https://docs.bridgecrew.io/docs/bc_azr_general_5
199 CKV_AZURE_21 /azure/security_center.tf azurerm_security_center_contact.contact Ensure that 'Send email notification for high severity alerts' is set to 'On' https://docs.bridgecrew.io/docs/bc_azr_general_4
200 CKV_AZURE_25 /azure/sql.tf azurerm_mssql_server_security_alert_policy.example Ensure that 'Threat Detection types' is set to 'All' https://docs.bridgecrew.io/docs/bc_azr_general_6
201 CKV_AZURE_26 /azure/sql.tf azurerm_mssql_server_security_alert_policy.example Ensure that 'Send Alerts To' is enabled for MSSQL servers https://docs.bridgecrew.io/docs/bc_azr_general_7
202 CKV_AZURE_27 /azure/sql.tf azurerm_mssql_server_security_alert_policy.example Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers https://docs.bridgecrew.io/docs/bc_azr_general_8
203 CKV_AZURE_127 /azure/sql.tf azurerm_mysql_server.example Ensure that My SQL server enables Threat detection policy https://docs.bridgecrew.io/docs/ensure-that-my-sql-server-enables-threat-detection-policy
204 CKV_AZURE_94 /azure/sql.tf azurerm_mysql_server.example Ensure that My SQL server enables geo-redundant backups https://docs.bridgecrew.io/docs/ensure-that-my-sql-server-enables-geo-redundant-backups
205 CKV_AZURE_53 /azure/sql.tf azurerm_mysql_server.example Ensure 'public network access enabled' is set to 'False' for mySQL servers https://docs.bridgecrew.io/docs/ensure-public-network-access-enabled-is-set-to-false-for-mysql-servers
206 CKV_AZURE_54 /azure/sql.tf azurerm_mysql_server.example Ensure MySQL is using the latest version of TLS encryption https://docs.bridgecrew.io/docs/ensure-mysql-is-using-the-latest-version-of-tls-encryption
207 CKV_AZURE_28 /azure/sql.tf azurerm_mysql_server.example Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server https://docs.bridgecrew.io/docs/bc_azr_networking_9
208 CKV_AZURE_147 /azure/sql.tf azurerm_postgresql_server.example Ensure PostgreSQL is using the latest version of TLS encryption
209 CKV_AZURE_130 /azure/sql.tf azurerm_postgresql_server.example Ensure that PostgreSQL server enables infrastructure encryption https://docs.bridgecrew.io/docs/ensure-that-postgresql-server-enables-infrastructure-encryption
210 CKV_AZURE_29 /azure/sql.tf azurerm_postgresql_server.example Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server https://docs.bridgecrew.io/docs/bc_azr_networking_10
211 CKV_AZURE_128 /azure/sql.tf azurerm_postgresql_server.example Ensure that PostgreSQL server enables Threat detection policy https://docs.bridgecrew.io/docs/ensure-that-postgresql-server-enables-threat-detection-policy
212 CKV_AZURE_102 /azure/sql.tf azurerm_postgresql_server.example Ensure that PostgreSQL server enables geo-redundant backups https://docs.bridgecrew.io/docs/ensure-that-postgresql-server-enables-geo-redundant-backups
213 CKV_AZURE_68 /azure/sql.tf azurerm_postgresql_server.example Ensure that PostgreSQL server disables public network access https://docs.bridgecrew.io/docs/ensure-that-postgresql-server-disables-public-network-access
214 CKV_AZURE_32 /azure/sql.tf azurerm_postgresql_configuration.thrtottling_config Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server https://docs.bridgecrew.io/docs/bc_azr_networking_13
215 CKV_AZURE_30 /azure/sql.tf azurerm_postgresql_configuration.example Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server https://docs.bridgecrew.io/docs/bc_azr_networking_11
216 CKV_AZURE_2 /azure/storage.tf azurerm_managed_disk.example Ensure Azure managed disk has encryption enabled https://docs.bridgecrew.io/docs/bc_azr_general_1
217 CKV_AZURE_93 /azure/storage.tf azurerm_managed_disk.example Ensure that managed disks use a specific set of disk encryption sets for the customer-managed key encryption https://docs.bridgecrew.io/docs/ensure-that-managed-disks-use-a-specific-set-of-disk-encryption-sets-for-the-customer-managed-key-encryption
218 CKV_AZURE_35 /azure/storage.tf azurerm_storage_account.example Ensure default network access rule for Storage Accounts is set to deny https://docs.bridgecrew.io/docs/set-default-network-access-rule-for-storage-accounts-to-deny
219 CKV_AZURE_3 /azure/storage.tf azurerm_storage_account.example Ensure that 'Secure transfer required' is set to 'Enabled'
220 CKV_AZURE_33 /azure/storage.tf azurerm_storage_account.example Ensure Storage logging is enabled for Queue service for read, write and delete requests https://docs.bridgecrew.io/docs/enable-requests-on-storage-logging-for-queue-service
221 CKV_AZURE_44 /azure/storage.tf azurerm_storage_account.example Ensure Storage Account is using the latest version of TLS encryption https://docs.bridgecrew.io/docs/bc_azr_storage_2
222 CKV_AZURE_36 /azure/storage.tf azurerm_storage_account_network_rules.test Ensure 'Trusted Microsoft Services' is enabled for Storage Account access https://docs.bridgecrew.io/docs/enable-trusted-microsoft-services-for-storage-account-access
223 CKV_GCP_6 /gcp/big_data.tf google_sql_database_instance.master_instance Ensure all Cloud SQL database instance requires all incoming connections to use SSL https://docs.bridgecrew.io/docs/bc_gcp_general_1
224 CKV_GCP_11 /gcp/big_data.tf google_sql_database_instance.master_instance Ensure that Cloud SQL database Instances are not open to the world https://docs.bridgecrew.io/docs/bc_gcp_networking_4
225 CKV_GCP_79 /gcp/big_data.tf google_sql_database_instance.master_instance Ensure SQL database is using latest Major version
226 CKV_GCP_60 /gcp/big_data.tf google_sql_database_instance.master_instance Ensure Cloud SQL database does not have public IP https://docs.bridgecrew.io/docs/bc_gcp_sql_11
227 CKV_GCP_14 /gcp/big_data.tf google_sql_database_instance.master_instance Ensure all Cloud SQL database instance have backup configuration enabled https://docs.bridgecrew.io/docs/bc_gcp_general_2
228 CKV_GCP_15 /gcp/big_data.tf google_bigquery_dataset.dataset Ensure that BigQuery datasets are not anonymously or publicly accessible https://docs.bridgecrew.io/docs/bc_gcp_general_3
229 CKV_GCP_81 /gcp/big_data.tf google_bigquery_dataset.dataset Ensure Big Query Tables are encrypted with Customer Supplied Encryption Keys (CSEK)
230 CKV_GCP_62 /gcp/gcs.tf google_storage_bucket.terragoat_website Bucket should log access https://docs.bridgecrew.io/docs/bc_gcp_logging_2
231 CKV_GCP_78 /gcp/gcs.tf google_storage_bucket.terragoat_website Ensure Cloud storage has versioning enabled
232 CKV_GCP_29 /gcp/gcs.tf google_storage_bucket.terragoat_website Ensure that Cloud Storage buckets have uniform bucket-level access enabled https://docs.bridgecrew.io/docs/bc_gcp_gcs_2
233 CKV_GCP_28 /gcp/gcs.tf google_storage_bucket_iam_binding.allow_public_read Ensure that Cloud Storage bucket is not anonymously or publicly accessible https://docs.bridgecrew.io/docs/bc_gcp_public_1
234 CKV_GCP_70 /gcp/gke.tf google_container_cluster.workload_cluster Ensure the GKE Release Channel is set https://docs.bridgecrew.io/docs/ensure-the-gke-release-channel-is-set
235 CKV_GCP_69 /gcp/gke.tf google_container_cluster.workload_cluster Ensure the GKE Metadata Server is Enabled https://docs.bridgecrew.io/docs/ensure-the-gke-metadata-server-is-enabled
236 CKV_GCP_67 /gcp/gke.tf google_container_cluster.workload_cluster Ensure legacy Compute Engine instance metadata APIs are Disabled https://docs.bridgecrew.io/docs/ensure-legacy-compute-engine-instance-metadata-apis-are-disabled
237 CKV_GCP_19 /gcp/gke.tf google_container_cluster.workload_cluster Ensure GKE basic auth is disabled https://docs.bridgecrew.io/docs/bc_gcp_kubernetes_11
238 CKV_GCP_21 /gcp/gke.tf google_container_cluster.workload_cluster Ensure Kubernetes Clusters are configured with Labels https://docs.bridgecrew.io/docs/bc_gcp_kubernetes_13
239 CKV_GCP_66 /gcp/gke.tf google_container_cluster.workload_cluster Ensure use of Binary Authorization https://docs.bridgecrew.io/docs/ensure-use-of-binary-authorization
240 CKV_GCP_61 /gcp/gke.tf google_container_cluster.workload_cluster Enable VPC Flow Logs and Intranode Visibility https://docs.bridgecrew.io/docs/enable-vpc-flow-logs-and-intranode-visibility
241 CKV_GCP_25 /gcp/gke.tf google_container_cluster.workload_cluster Ensure Kubernetes Cluster is created with Private cluster enabled https://docs.bridgecrew.io/docs/bc_gcp_kubernetes_6
242 CKV_GCP_1 /gcp/gke.tf google_container_cluster.workload_cluster Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters https://docs.bridgecrew.io/docs/bc_gcp_kubernetes_1
243 CKV_GCP_18 /gcp/gke.tf google_container_cluster.workload_cluster Ensure GKE Control Plane is not public https://docs.bridgecrew.io/docs/bc_gcp_kubernetes_10
244 CKV_GCP_64 /gcp/gke.tf google_container_cluster.workload_cluster Ensure clusters are created with Private Nodes https://docs.bridgecrew.io/docs/ensure-clusters-are-created-with-private-nodes
245 CKV_GCP_13 /gcp/gke.tf google_container_cluster.workload_cluster Ensure client certificate authentication to Kubernetes Engine Clusters is disabled https://docs.bridgecrew.io/docs/bc_gcp_kubernetes_8
246 CKV_GCP_12 /gcp/gke.tf google_container_cluster.workload_cluster Ensure Network Policy is enabled on Kubernetes Engine Clusters https://docs.bridgecrew.io/docs/bc_gcp_kubernetes_7
247 CKV_GCP_65 /gcp/gke.tf google_container_cluster.workload_cluster Manage Kubernetes RBAC users with Google Groups for GKE https://docs.bridgecrew.io/docs/manage-kubernetes-rbac-users-with-google-groups-for-gke
248 CKV_GCP_24 /gcp/gke.tf google_container_cluster.workload_cluster Ensure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters https://docs.bridgecrew.io/docs/bc_gcp_kubernetes_9
249 CKV_GCP_7 /gcp/gke.tf google_container_cluster.workload_cluster Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters https://docs.bridgecrew.io/docs/bc_gcp_kubernetes_2
250 CKV_GCP_23 /gcp/gke.tf google_container_cluster.workload_cluster Ensure Kubernetes Cluster is created with Alias IP ranges enabled https://docs.bridgecrew.io/docs/bc_gcp_kubernetes_15
251 CKV_GCP_8 /gcp/gke.tf google_container_cluster.workload_cluster Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters https://docs.bridgecrew.io/docs/bc_gcp_kubernetes_3
252 CKV_GCP_68 /gcp/gke.tf google_container_node_pool.custom_node_pool Ensure Secure Boot for Shielded GKE Nodes is Enabled https://docs.bridgecrew.io/docs/ensure-secure-boot-for-shielded-gke-nodes-is-enabled
253 CKV_GCP_22 /gcp/gke.tf google_container_node_pool.custom_node_pool Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image https://docs.bridgecrew.io/docs/bc_gcp_kubernetes_14
254 CKV_GCP_69 /gcp/gke.tf google_container_node_pool.custom_node_pool Ensure the GKE Metadata Server is Enabled https://docs.bridgecrew.io/docs/ensure-the-gke-metadata-server-is-enabled
255 CKV_GCP_9 /gcp/gke.tf google_container_node_pool.custom_node_pool Ensure 'Automatic node repair' is enabled for Kubernetes Clusters https://docs.bridgecrew.io/docs/bc_gcp_kubernetes_4
256 CKV_GCP_10 /gcp/gke.tf google_container_node_pool.custom_node_pool Ensure 'Automatic node upgrade' is enabled for Kubernetes Clusters https://docs.bridgecrew.io/docs/bc_gcp_kubernetes_5
257 CKV_GCP_38 /gcp/instances.tf google_compute_instance.server Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK) https://docs.bridgecrew.io/docs/encrypt-boot-disks-for-instances-with-cseks
258 CKV_GCP_35 /gcp/instances.tf google_compute_instance.server Ensure 'Enable connecting to serial ports' is not enabled for VM Instance https://docs.bridgecrew.io/docs/bc_gcp_networking_11
259 CKV_GCP_40 /gcp/instances.tf google_compute_instance.server Ensure that Compute instances do not have public IP addresses https://docs.bridgecrew.io/docs/bc_gcp_public_2
260 CKV_GCP_34 /gcp/instances.tf google_compute_instance.server Ensure that no instance in the project overrides the project setting for enabling OSLogin(OSLogin needs to be enabled in project metadata for all instances) https://docs.bridgecrew.io/docs/bc_gcp_networking_10
261 CKV_GCP_30 /gcp/instances.tf google_compute_instance.server Ensure that instances are not configured to use the default service account https://docs.bridgecrew.io/docs/bc_gcp_iam_1
262 CKV_GCP_36 /gcp/instances.tf google_compute_instance.server Ensure that IP forwarding is not enabled on Instances https://docs.bridgecrew.io/docs/bc_gcp_networking_12
263 CKV_GCP_32 /gcp/instances.tf google_compute_instance.server Ensure 'Block Project-wide SSH keys' is enabled for VM instances https://docs.bridgecrew.io/docs/bc_gcp_networking_8
264 CKV_GCP_39 /gcp/instances.tf google_compute_instance.server Ensure Compute instances are launched with Shielded VM enabled https://docs.bridgecrew.io/docs/bc_gcp_general_y
265 CKV_GCP_37 /gcp/instances.tf google_compute_disk.unencrypted_disk Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK) https://docs.bridgecrew.io/docs/bc_gcp_general_x
266 CKV_GCP_74 /gcp/networks.tf google_compute_subnetwork.public-subnetwork Ensure that private_ip_google_access is enabled for Subnet
267 CKV_GCP_26 /gcp/networks.tf google_compute_subnetwork.public-subnetwork Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network https://docs.bridgecrew.io/docs/bc_gcp_logging_1
268 CKV_GCP_76 /gcp/networks.tf google_compute_subnetwork.public-subnetwork Ensure that Private google access is enabled for IPV6
269 CKV_GCP_88 /gcp/networks.tf google_compute_firewall.allow_all Ensure Google compute firewall ingress does not allow unrestricted mysql access
270 CKV_GCP_106 /gcp/networks.tf google_compute_firewall.allow_all Ensure Google compute firewall ingress does not allow unrestricted http port 80 access
271 CKV_GCP_77 /gcp/networks.tf google_compute_firewall.allow_all Ensure Google compute firewall ingress does not allow on ftp port
272 CKV_GCP_3 /gcp/networks.tf google_compute_firewall.allow_all Ensure Google compute firewall ingress does not allow unrestricted rdp access https://docs.bridgecrew.io/docs/bc_gcp_networking_2
273 CKV_GCP_75 /gcp/networks.tf google_compute_firewall.allow_all Ensure Google compute firewall ingress does not allow unrestricted FTP access
274 CKV_GCP_2 /gcp/networks.tf google_compute_firewall.allow_all Ensure Google compute firewall ingress does not allow unrestricted ssh access https://docs.bridgecrew.io/docs/bc_gcp_networking_1
275 CKV_OCI_9 /oracle/bucket.tf oci_objectstorage_bucket.secretsquirrel Ensure OCI Object Storage is encrypted with Customer Managed Key https://docs.bridgecrew.io/docs/ensure-oci-object-storage-is-encrypted-with-customer-managed-key
276 CKV_OCI_8 /oracle/bucket.tf oci_objectstorage_bucket.secretsquirrel Ensure OCI Object Storage has versioning enabled https://docs.bridgecrew.io/docs/ensure-oci-object-storage-has-versioning-enabled
277 CKV_OCI_7 /oracle/bucket.tf oci_objectstorage_bucket.secretsquirrel Ensure OCI Object Storage bucket can emit object events https://docs.bridgecrew.io/docs/ensure-oci-object-storage-bucket-can-emit-object-events
278 CKV_OCI_10 /oracle/bucket.tf oci_objectstorage_bucket.secretsquirrel Ensure OCI Object Storage is not Public https://docs.bridgecrew.io/docs/ensure-oci-object-storage-is-not-public
279 CKV2_AWS_12 /aws/eks.tf aws_vpc.eks_vpc Ensure the default security group of every VPC restricts all traffic https://docs.bridgecrew.io/docs/networking_4
280 CKV2_AWS_12 /aws/ec2.tf aws_vpc.web_vpc Ensure the default security group of every VPC restricts all traffic https://docs.bridgecrew.io/docs/networking_4
281 CKV2_AWS_8 /aws/rds.tf aws_rds_cluster.app8-rds-cluster Ensure that RDS clusters has backup plan of AWS Backup https://docs.bridgecrew.io/docs/ensure-that-rds-clusters-has-backup-plan-of-aws-backup
282 CKV2_AWS_8 /aws/rds.tf aws_rds_cluster.app4-rds-cluster Ensure that RDS clusters has backup plan of AWS Backup https://docs.bridgecrew.io/docs/ensure-that-rds-clusters-has-backup-plan-of-aws-backup
283 CKV2_AWS_8 /aws/rds.tf aws_rds_cluster.app7-rds-cluster Ensure that RDS clusters has backup plan of AWS Backup https://docs.bridgecrew.io/docs/ensure-that-rds-clusters-has-backup-plan-of-aws-backup
284 CKV2_AWS_8 /aws/rds.tf aws_rds_cluster.app1-rds-cluster Ensure that RDS clusters has backup plan of AWS Backup https://docs.bridgecrew.io/docs/ensure-that-rds-clusters-has-backup-plan-of-aws-backup
285 CKV2_AWS_8 /aws/rds.tf aws_rds_cluster.app3-rds-cluster Ensure that RDS clusters has backup plan of AWS Backup https://docs.bridgecrew.io/docs/ensure-that-rds-clusters-has-backup-plan-of-aws-backup
286 CKV2_AWS_8 /aws/rds.tf aws_rds_cluster.app9-rds-cluster Ensure that RDS clusters has backup plan of AWS Backup https://docs.bridgecrew.io/docs/ensure-that-rds-clusters-has-backup-plan-of-aws-backup
287 CKV2_AWS_8 /aws/rds.tf aws_rds_cluster.app5-rds-cluster Ensure that RDS clusters has backup plan of AWS Backup https://docs.bridgecrew.io/docs/ensure-that-rds-clusters-has-backup-plan-of-aws-backup
288 CKV2_AWS_8 /aws/rds.tf aws_rds_cluster.app6-rds-cluster Ensure that RDS clusters has backup plan of AWS Backup https://docs.bridgecrew.io/docs/ensure-that-rds-clusters-has-backup-plan-of-aws-backup
289 CKV2_AWS_8 /aws/rds.tf aws_rds_cluster.app2-rds-cluster Ensure that RDS clusters has backup plan of AWS Backup https://docs.bridgecrew.io/docs/ensure-that-rds-clusters-has-backup-plan-of-aws-backup
290 CKV_AWS_145 /aws/s3.tf aws_s3_bucket.financials Ensure that S3 buckets are encrypted with KMS by default https://docs.bridgecrew.io/docs/ensure-that-s3-buckets-are-encrypted-with-kms-by-default
291 CKV_AWS_145 /aws/s3.tf aws_s3_bucket.data_science Ensure that S3 buckets are encrypted with KMS by default https://docs.bridgecrew.io/docs/ensure-that-s3-buckets-are-encrypted-with-kms-by-default
292 CKV_AWS_145 /aws/s3.tf aws_s3_bucket.data Ensure that S3 buckets are encrypted with KMS by default https://docs.bridgecrew.io/docs/ensure-that-s3-buckets-are-encrypted-with-kms-by-default
293 CKV_AWS_145 /aws/ec2.tf aws_s3_bucket.flowbucket Ensure that S3 buckets are encrypted with KMS by default https://docs.bridgecrew.io/docs/ensure-that-s3-buckets-are-encrypted-with-kms-by-default
294 CKV_AWS_145 /aws/s3.tf aws_s3_bucket.operations Ensure that S3 buckets are encrypted with KMS by default https://docs.bridgecrew.io/docs/ensure-that-s3-buckets-are-encrypted-with-kms-by-default
295 CKV_AWS_18 /aws/s3.tf aws_s3_bucket.financials Ensure the S3 bucket has access logging enabled https://docs.bridgecrew.io/docs/s3_13-enable-logging
296 CKV_AWS_18 /aws/s3.tf aws_s3_bucket.data Ensure the S3 bucket has access logging enabled https://docs.bridgecrew.io/docs/s3_13-enable-logging
297 CKV_AWS_18 /aws/ec2.tf aws_s3_bucket.flowbucket Ensure the S3 bucket has access logging enabled https://docs.bridgecrew.io/docs/s3_13-enable-logging
298 CKV_AWS_18 /aws/s3.tf aws_s3_bucket.operations Ensure the S3 bucket has access logging enabled https://docs.bridgecrew.io/docs/s3_13-enable-logging
299 CKV_AWS_18 /aws/s3.tf aws_s3_bucket.logs Ensure the S3 bucket has access logging enabled https://docs.bridgecrew.io/docs/s3_13-enable-logging
300 CKV2_AWS_11 /aws/eks.tf aws_vpc.eks_vpc Ensure VPC flow logging is enabled in all VPCs https://docs.bridgecrew.io/docs/logging_9-enable-vpc-flow-logging
301 CKV2_AWS_2 /aws/ec2.tf aws_ebs_volume.web_host_storage Ensure that only encrypted EBS volumes are attached to EC2 instances https://docs.bridgecrew.io/docs/ensure-that-only-encrypted-ebs-volumes-are-attached-to-ec2-instances
302 CKV2_AWS_6 /aws/s3.tf aws_s3_bucket.financials Ensure that S3 bucket has a Public Access block https://docs.bridgecrew.io/docs/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached
303 CKV2_AWS_6 /aws/s3.tf aws_s3_bucket.data_science Ensure that S3 bucket has a Public Access block https://docs.bridgecrew.io/docs/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached
304 CKV2_AWS_6 /aws/s3.tf aws_s3_bucket.data Ensure that S3 bucket has a Public Access block https://docs.bridgecrew.io/docs/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached
305 CKV2_AWS_6 /aws/ec2.tf aws_s3_bucket.flowbucket Ensure that S3 bucket has a Public Access block https://docs.bridgecrew.io/docs/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached
306 CKV2_AWS_6 /aws/s3.tf aws_s3_bucket.operations Ensure that S3 bucket has a Public Access block https://docs.bridgecrew.io/docs/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached
307 CKV2_AWS_6 /aws/s3.tf aws_s3_bucket.logs Ensure that S3 bucket has a Public Access block https://docs.bridgecrew.io/docs/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached
308 CKV_AWS_21 /aws/s3.tf aws_s3_bucket.financials Ensure all data stored in the S3 bucket have versioning enabled https://docs.bridgecrew.io/docs/s3_16-enable-versioning
309 CKV_AWS_21 /aws/s3.tf aws_s3_bucket.data Ensure all data stored in the S3 bucket have versioning enabled https://docs.bridgecrew.io/docs/s3_16-enable-versioning
310 CKV_AWS_21 /aws/ec2.tf aws_s3_bucket.flowbucket Ensure all data stored in the S3 bucket have versioning enabled https://docs.bridgecrew.io/docs/s3_16-enable-versioning
311 CKV2_AZURE_7 /azure/sql.tf azurerm_sql_server.example Ensure that Azure Active Directory Admin is configured https://docs.bridgecrew.io/docs/ensure-that-azure-active-directory-admin-is-configured
312 CKV2_AZURE_1 /azure/storage.tf azurerm_storage_account.example Ensure storage for critical data are encrypted with Customer Managed Key https://docs.bridgecrew.io/docs/ensure-storage-for-critical-data-are-encrypted-with-customer-managed-key
313 CKV2_AZURE_1 /azure/mssql.tf azurerm_storage_account.security_storage_account Ensure storage for critical data are encrypted with Customer Managed Key https://docs.bridgecrew.io/docs/ensure-storage-for-critical-data-are-encrypted-with-customer-managed-key
314 CKV2_AZURE_16 /azure/sql.tf azurerm_mysql_server.example Ensure that MySQL server enables customer-managed key for encryption https://docs.bridgecrew.io/docs/ensure-that-mysql-server-enables-customer-managed-key-for-encryption
315 CKV_AZURE_120 /azure/application_gateway.tf azurerm_application_gateway.network Ensure that Application Gateway enables WAF https://docs.bridgecrew.io/docs/ensure-that-application-gateway-enables-waf
316 CKV_AWS_144 /aws/s3.tf aws_s3_bucket.financials Ensure that S3 bucket has cross-region replication enabled https://docs.bridgecrew.io/docs/ensure-that-s3-bucket-has-cross-region-replication-enabled
317 CKV_AWS_144 /aws/s3.tf aws_s3_bucket.data_science Ensure that S3 bucket has cross-region replication enabled https://docs.bridgecrew.io/docs/ensure-that-s3-bucket-has-cross-region-replication-enabled
318 CKV_AWS_144 /aws/s3.tf aws_s3_bucket.data Ensure that S3 bucket has cross-region replication enabled https://docs.bridgecrew.io/docs/ensure-that-s3-bucket-has-cross-region-replication-enabled
319 CKV_AWS_144 /aws/ec2.tf aws_s3_bucket.flowbucket Ensure that S3 bucket has cross-region replication enabled https://docs.bridgecrew.io/docs/ensure-that-s3-bucket-has-cross-region-replication-enabled
320 CKV_AWS_144 /aws/s3.tf aws_s3_bucket.operations Ensure that S3 bucket has cross-region replication enabled https://docs.bridgecrew.io/docs/ensure-that-s3-bucket-has-cross-region-replication-enabled
321 CKV_AWS_144 /aws/s3.tf aws_s3_bucket.logs Ensure that S3 bucket has cross-region replication enabled https://docs.bridgecrew.io/docs/ensure-that-s3-bucket-has-cross-region-replication-enabled
322 CKV2_AZURE_18 /azure/storage.tf azurerm_storage_account.example Ensure that Storage Accounts use customer-managed key for encryption https://docs.bridgecrew.io/docs/ensure-that-storage-accounts-use-customer-managed-key-for-encryption
323 CKV2_AZURE_18 /azure/mssql.tf azurerm_storage_account.security_storage_account Ensure that Storage Accounts use customer-managed key for encryption https://docs.bridgecrew.io/docs/ensure-that-storage-accounts-use-customer-managed-key-for-encryption
324 CKV_AWS_19 /aws/s3.tf aws_s3_bucket.financials Ensure all data stored in the S3 bucket is securely encrypted at rest https://docs.bridgecrew.io/docs/s3_14-data-encrypted-at-rest
325 CKV_AWS_19 /aws/s3.tf aws_s3_bucket.data_science Ensure all data stored in the S3 bucket is securely encrypted at rest https://docs.bridgecrew.io/docs/s3_14-data-encrypted-at-rest
326 CKV_AWS_19 /aws/s3.tf aws_s3_bucket.data Ensure all data stored in the S3 bucket is securely encrypted at rest https://docs.bridgecrew.io/docs/s3_14-data-encrypted-at-rest
327 CKV_AWS_19 /aws/ec2.tf aws_s3_bucket.flowbucket Ensure all data stored in the S3 bucket is securely encrypted at rest https://docs.bridgecrew.io/docs/s3_14-data-encrypted-at-rest
328 CKV_AWS_19 /aws/s3.tf aws_s3_bucket.operations Ensure all data stored in the S3 bucket is securely encrypted at rest https://docs.bridgecrew.io/docs/s3_14-data-encrypted-at-rest
329 CKV_AZURE_24 /azure/sql.tf azurerm_sql_server.example Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers https://docs.bridgecrew.io/docs/bc_azr_logging_3
330 CKV_AZURE_24 /azure/mssql.tf azurerm_mssql_server.mssql5 Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers https://docs.bridgecrew.io/docs/bc_azr_logging_3
331 CKV_AZURE_24 /azure/mssql.tf azurerm_mssql_server.mssql1 Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers https://docs.bridgecrew.io/docs/bc_azr_logging_3
332 CKV_AZURE_24 /azure/mssql.tf azurerm_mssql_server.mssql6 Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers https://docs.bridgecrew.io/docs/bc_azr_logging_3
333 CKV_AZURE_24 /azure/mssql.tf azurerm_mssql_server.mssql2 Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers https://docs.bridgecrew.io/docs/bc_azr_logging_3
334 CKV_AZURE_24 /azure/mssql.tf azurerm_mssql_server.mssql4 Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers https://docs.bridgecrew.io/docs/bc_azr_logging_3
335 CKV_AZURE_24 /azure/mssql.tf azurerm_mssql_server.mssql7 Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers https://docs.bridgecrew.io/docs/bc_azr_logging_3
336 CKV_AZURE_24 /azure/mssql.tf azurerm_mssql_server.mssql3 Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers https://docs.bridgecrew.io/docs/bc_azr_logging_3
337 CKV_AZURE_23 /azure/sql.tf azurerm_sql_server.example Ensure that 'Auditing' is set to 'On' for SQL servers https://docs.bridgecrew.io/docs/bc_azr_logging_2
338 CKV_AZURE_23 /azure/mssql.tf azurerm_mssql_server.mssql5 Ensure that 'Auditing' is set to 'On' for SQL servers https://docs.bridgecrew.io/docs/bc_azr_logging_2
339 CKV_AZURE_23 /azure/mssql.tf azurerm_mssql_server.mssql1 Ensure that 'Auditing' is set to 'On' for SQL servers https://docs.bridgecrew.io/docs/bc_azr_logging_2
340 CKV_AZURE_23 /azure/mssql.tf azurerm_mssql_server.mssql6 Ensure that 'Auditing' is set to 'On' for SQL servers https://docs.bridgecrew.io/docs/bc_azr_logging_2
341 CKV_AZURE_23 /azure/mssql.tf azurerm_mssql_server.mssql2 Ensure that 'Auditing' is set to 'On' for SQL servers https://docs.bridgecrew.io/docs/bc_azr_logging_2
342 CKV_AZURE_23 /azure/mssql.tf azurerm_mssql_server.mssql4 Ensure that 'Auditing' is set to 'On' for SQL servers https://docs.bridgecrew.io/docs/bc_azr_logging_2
343 CKV_AZURE_23 /azure/mssql.tf azurerm_mssql_server.mssql7 Ensure that 'Auditing' is set to 'On' for SQL servers https://docs.bridgecrew.io/docs/bc_azr_logging_2
344 CKV_AZURE_23 /azure/mssql.tf azurerm_mssql_server.mssql3 Ensure that 'Auditing' is set to 'On' for SQL servers https://docs.bridgecrew.io/docs/bc_azr_logging_2

dockerfile scan results:

check_id file resource check_name guideline
0 CKV_DOCKER_3 /aws/resources/Dockerfile /aws/resources/Dockerfile. Ensure that a user for the container has been created https://docs.bridgecrew.io/docs/ensure-that-a-user-for-the-container-has-been-created
1 CKV_DOCKER_2 /aws/resources/Dockerfile /aws/resources/Dockerfile. Ensure that HEALTHCHECK instructions have been added to container images https://docs.bridgecrew.io/docs/ensure-that-healthcheck-instructions-have-been-added-to-container-images

secrets scan results:

check_id file resource check_name guideline
0 CKV_SECRET_2 /aws/lambda.tf 25910f981e85ca04baf359199dd0bd4a3ae738b6 AWS Access Key https://docs.bridgecrew.io/docs/git_secrets_2
1 CKV_SECRET_6 /aws/lambda.tf d70eab08607a4d05faa2d0d6647206599e9abc65 Base64 High Entropy String https://docs.bridgecrew.io/docs/git_secrets_6
2 CKV_SECRET_2 /aws/providers.tf 25910f981e85ca04baf359199dd0bd4a3ae738b6 AWS Access Key https://docs.bridgecrew.io/docs/git_secrets_2
3 CKV_SECRET_6 /aws/providers.tf d70eab08607a4d05faa2d0d6647206599e9abc65 Base64 High Entropy String https://docs.bridgecrew.io/docs/git_secrets_6
4 CKV_SECRET_6 /azure/sql.tf a57ae0fe47084bc8a05f69f3f8083896f8b437b0 Base64 High Entropy String https://docs.bridgecrew.io/docs/git_secrets_6

About

TerraGoat is Bridgecrew's "Vulnerable by Design" Terraform repository. TerraGoat is a learning and training project that demonstrates how common configuration errors can find their way into production cloud environments.

Resources

License

Code of conduct

Stars

Watchers

Forks

Packages

No packages published

Languages

  • HCL 100.0%