TerraGoat - Vulnerable Terraform Infrastructure
July 26, 2022 ยท View on GitHub
TerraGoat is Bridgecrew's "Vulnerable by Design" Terraform repository.
TerraGoat is Bridgecrew's "Vulnerable by Design" Terraform repository. TerraGoat is a learning and training project that demonstrates how common configuration errors can find their way into production cloud environments.
Table of Contents
Introduction
TerraGoat was built to enable DevSecOps design and implement a sustainable misconfiguration prevention strategy. It can be used to test a policy-as-code framework like Bridgecrew & Checkov, inline-linters, pre-commit hooks or other code scanning methods.
TerraGoat follows the tradition of existing *Goat projects that provide a baseline training ground to practice implementing secure development best practices for cloud infrastructure.
Important notes
- Where to get help: the Bridgecrew Community Slack
Before you proceed please take a not of these warning:
:warning: TerraGoat creates intentionally vulnerable AWS resources into your account. DO NOT deploy TerraGoat in a production environment or alongside any sensitive AWS resources.
Requirements
- Terraform 0.12
- aws cli
- azure cli
To prevent vulnerable infrastructure from arriving to production see: Bridgecrew & checkov, the open source static analysis tool for infrastructure as code.
Getting started
AWS Setup
Installation (AWS)
You can deploy multiple TerraGoat stacks in a single AWS account using the parameter TF_VAR_environment.
Create an S3 Bucket backend to keep Terraform state
export TERRAGOAT_STATE_BUCKET="mydevsecops-bucket"
export TF_VAR_company_name=acme
export TF_VAR_environment=mydevsecops
export TF_VAR_region="us-west-2"
aws s3api create-bucket --bucket $TERRAGOAT_STATE_BUCKET \
--region $TF_VAR_region --create-bucket-configuration LocationConstraint=$TF_VAR_region
# Enable versioning
aws s3api put-bucket-versioning --bucket $TERRAGOAT_STATE_BUCKET --versioning-configuration Status=Enabled
# Enable encryption
aws s3api put-bucket-encryption --bucket $TERRAGOAT_STATE_BUCKET --server-side-encryption-configuration '{
"Rules": [
{
"ApplyServerSideEncryptionByDefault": {
"SSEAlgorithm": "aws:kms"
}
}
]
}'
Apply TerraGoat (AWS)
cd terraform/aws/
terraform init \
-backend-config="bucket=$TERRAGOAT_STATE_BUCKET" \
-backend-config="key=$TF_VAR_company_name-$TF_VAR_environment.tfstate" \
-backend-config="region=$TF_VAR_region"
terraform apply
Remove TerraGoat (AWS)
terraform destroy
Creating multiple TerraGoat AWS stacks
cd terraform/aws/
export TERRAGOAT_ENV=$TF_VAR_environment
export TERRAGOAT_STACKS_NUM=5
for i in $(seq 1 $TERRAGOAT_STACKS_NUM)
do
export TF_VAR_environment=$TERRAGOAT_ENV$i
terraform init \
-backend-config="bucket=$TERRAGOAT_STATE_BUCKET" \
-backend-config="key=$TF_VAR_company_name-$TF_VAR_environment.tfstate" \
-backend-config="region=$TF_VAR_region"
terraform apply -auto-approve
done
Deleting multiple TerraGoat stacks (AWS)
cd terraform/aws/
export TF_VAR_environment = $TERRAGOAT_ENV
for i in $(seq 1 $TERRAGOAT_STACKS_NUM)
do
export TF_VAR_environment=$TERRAGOAT_ENV$i
terraform init \
-backend-config="bucket=$TERRAGOAT_STATE_BUCKET" \
-backend-config="key=$TF_VAR_company_name-$TF_VAR_environment.tfstate" \
-backend-config="region=$TF_VAR_region"
terraform destroy -auto-approve
done
Azure Setup
Installation (Azure)
You can deploy multiple TerraGoat stacks in a single Azure subscription using the parameter TF_VAR_environment.
Create an Azure Storage Account backend to keep Terraform state
export TERRAGOAT_RESOURCE_GROUP="TerraGoatRG"
export TERRAGOAT_STATE_STORAGE_ACCOUNT="mydevsecopssa"
export TERRAGOAT_STATE_CONTAINER="mydevsecops"
export TF_VAR_environment="dev"
export TF_VAR_region="westus"
# Create resource group
az group create --location $TF_VAR_region --name $TERRAGOAT_RESOURCE_GROUP
# Create storage account
az storage account create --name $TERRAGOAT_STATE_STORAGE_ACCOUNT --resource-group $TERRAGOAT_RESOURCE_GROUP --location $TF_VAR_region --sku Standard_LRS --kind StorageV2 --https-only true --encryption-services blob
# Get storage account key
ACCOUNT_KEY=$(az storage account keys list --resource-group $TERRAGOAT_RESOURCE_GROUP --account-name $TERRAGOAT_STATE_STORAGE_ACCOUNT --query [0].value -o tsv)
# Create blob container
az storage container create --name $TERRAGOAT_STATE_CONTAINER --account-name $TERRAGOAT_STATE_STORAGE_ACCOUNT --account-key $ACCOUNT_KEY
Apply TerraGoat (Azure)
cd terraform/azure/
terraform init -reconfigure -backend-config="resource_group_name=$TERRAGOAT_RESOURCE_GROUP" \
-backend-config "storage_account_name=$TERRAGOAT_STATE_STORAGE_ACCOUNT" \
-backend-config="container_name=$TERRAGOAT_STATE_CONTAINER" \
-backend-config "key=$TF_VAR_environment.terraform.tfstate"
terraform apply
Remove TerraGoat (Azure)
terraform destroy
GCP Setup
Installation (GCP)
You can deploy multiple TerraGoat stacks in a single GCP project using the parameter TF_VAR_environment.
Create a GCS backend to keep Terraform state
To use terraform, a Service Account and matching set of credentials are required. If they do not exist, they must be manually created for the relevant project. To create the Service Account:
- Sign into your GCP project, go to
IAM>Service Accounts. - Click the
CREATE SERVICE ACCOUNT. - Give a name to your service account (for example -
terragoat) and clickCREATE. - Grant the Service Account the
Project>Editorrole and clickCONTINUE. - Click
DONE.
To create the credentials:
- Sign into your GCP project, go to
IAM>Service Accountsand click on the relevant Service Account. - Click
ADD KEY>Create new key>JSONand clickCREATE. This will create a.jsonfile and download it to your computer.
We recommend saving the key with a nicer name than the auto-generated one (i.e. terragoat_credentials.json), and storing the resulting JSON file inside terraform/gcp directory of terragoat.
Once the credentials are set up, create the BE configuration as follows:
export TF_VAR_environment="dev"
export TF_TERRAGOAT_STATE_BUCKET=remote-state-bucket-terragoat
export TF_VAR_credentials_path=<PATH_TO_CREDNETIALS_FILE> # example: export TF_VAR_credentials_path=terragoat_credentials.json
export TF_VAR_project=<YOUR_PROJECT_NAME_HERE>
# Create storage bucket
gsutil mb gs://${TF_TERRAGOAT_STATE_BUCKET}
Apply TerraGoat (GCP)
cd terraform/gcp/
terraform init -reconfigure -backend-config="bucket=$TF_TERRAGOAT_STATE_BUCKET" \
-backend-config "credentials=$TF_VAR_credentials_path" \
-backend-config "prefix=terragoat/${TF_VAR_environment}"
terraform apply
Remove TerraGoat (GCP)
terraform destroy
Bridgecrew's IaC herd of goats
- CfnGoat - Vulnerable by design Cloudformation template
- TerraGoat - Vulnerable by design Terraform stack
- CDKGoat - Vulnerable by design CDK application
- kustomizegoat - Vulnerable by design kustomize deployment
Contributing
Contribution is welcomed!
We would love to hear about more ideas on how to find vulnerable infrastructure-as-code design patterns.
Support
Bridgecrew builds and maintains TerraGoat to encourage the adoption of policy-as-code.
If you need direct support you can contact us at info@bridgecrew.io.
Existing vulnerabilities (Auto-Generated)
terraform scan results:
| check_id | file | resource | check_name | guideline | |
|---|---|---|---|---|---|
| 0 | CKV_ALI_10 | /alicloud/bucket.tf | alicloud_oss_bucket.bad_bucket | Ensure OSS bucket has versioning enabled | |
| 1 | CKV_ALI_12 | /alicloud/bucket.tf | alicloud_oss_bucket.bad_bucket | Ensure the OSS bucket has access logging enabled | |
| 2 | CKV_ALI_11 | /alicloud/bucket.tf | alicloud_oss_bucket.bad_bucket | Ensure OSS bucket has transfer Acceleration enabled | |
| 3 | CKV_ALI_1 | /alicloud/bucket.tf | alicloud_oss_bucket.bad_bucket | Alibaba Cloud OSS bucket accessible to public | |
| 4 | CKV_ALI_6 | /alicloud/bucket.tf | alicloud_oss_bucket.bad_bucket | Ensure OSS bucket is encrypted with Customer Master Key | |
| 5 | CKV_ALI_36 | /alicloud/rds.tf | alicloud_db_instance.seeme | Ensure RDS instance has log_disconnections enabled | |
| 6 | CKV_ALI_37 | /alicloud/rds.tf | alicloud_db_instance.seeme | Ensure RDS instance has log_connections enabled | |
| 7 | CKV_ALI_34 | /alicloud/rds.tf | alicloud_db_instance.seeme | Ensure RDS instance is set to auto upgrade minor versions | |
| 8 | CKV_ALI_20 | /alicloud/rds.tf | alicloud_db_instance.seeme | Ensure RDS instance uses SSL | |
| 9 | CKV_ALI_30 | /alicloud/rds.tf | alicloud_db_instance.seeme | Ensure RDS instance auto upgrades for minor versions | |
| 10 | CKV_ALI_35 | /alicloud/rds.tf | alicloud_db_instance.seeme | Ensure RDS instance has log_duration enabled | |
| 11 | CKV_ALI_9 | /alicloud/rds.tf | alicloud_db_instance.seeme | Ensure database instance is not public | |
| 12 | CKV_ALI_25 | /alicloud/rds.tf | alicloud_db_instance.seeme | Ensure RDS Instance SQL Collector Retention Period should be greater than 180 | |
| 13 | CKV_ALI_4 | /alicloud/trail.tf | alicloud_actiontrail_trail.fail | Ensure Action Trail Logging for all regions | |
| 14 | CKV_ALI_5 | /alicloud/trail.tf | alicloud_actiontrail_trail.fail | Ensure Action Trail Logging for all events | |
| 15 | CKV_ALI_10 | /alicloud/trail.tf | alicloud_oss_bucket.trail | Ensure OSS bucket has versioning enabled | |
| 16 | CKV_ALI_12 | /alicloud/trail.tf | alicloud_oss_bucket.trail | Ensure the OSS bucket has access logging enabled | |
| 17 | CKV_ALI_11 | /alicloud/trail.tf | alicloud_oss_bucket.trail | Ensure OSS bucket has transfer Acceleration enabled | |
| 18 | CKV_ALI_6 | /alicloud/trail.tf | alicloud_oss_bucket.trail | Ensure OSS bucket is encrypted with Customer Master Key | |
| 19 | CKV_AWS_157 | /aws/db-app.tf | aws_db_instance.default | Ensure that RDS instances have Multi-AZ enabled | https://docs.bridgecrew.io/docs/general_73 |
| 20 | CKV_AWS_161 | /aws/db-app.tf | aws_db_instance.default | Ensure RDS database has IAM authentication enabled | https://docs.bridgecrew.io/docs/ensure-rds-database-has-iam-authentication-enabled |
| 21 | CKV_AWS_16 | /aws/db-app.tf | aws_db_instance.default | Ensure all data stored in the RDS is securely encrypted at rest | https://docs.bridgecrew.io/docs/general_4 |
| 22 | CKV_AWS_226 | /aws/db-app.tf | aws_db_instance.default | Ensure DB instance gets all minor upgrades automatically | |
| 23 | CKV_AWS_17 | /aws/db-app.tf | aws_db_instance.default | Ensure all data stored in RDS is not publicly accessible | https://docs.bridgecrew.io/docs/public_2 |
| 24 | CKV_AWS_118 | /aws/db-app.tf | aws_db_instance.default | Ensure that enhanced monitoring is enabled for Amazon RDS instances | https://docs.bridgecrew.io/docs/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances |
| 25 | CKV_AWS_129 | /aws/db-app.tf | aws_db_instance.default | Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled | https://docs.bridgecrew.io/docs/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled |
| 26 | CKV_AWS_133 | /aws/db-app.tf | aws_db_instance.default | Ensure that RDS instances has backup policy | https://docs.bridgecrew.io/docs/ensure-that-rds-instances-have-backup-policy |
| 27 | CKV_AWS_23 | /aws/db-app.tf | aws_security_group.default | Ensure every security groups rule has a description | https://docs.bridgecrew.io/docs/networking_31 |
| 28 | CKV_AWS_23 | /aws/db-app.tf | aws_security_group_rule.ingress | Ensure every security groups rule has a description | https://docs.bridgecrew.io/docs/networking_31 |
| 29 | CKV_AWS_23 | /aws/db-app.tf | aws_security_group_rule.egress | Ensure every security groups rule has a description | https://docs.bridgecrew.io/docs/networking_31 |
| 30 | CKV_AWS_79 | /aws/db-app.tf | aws_instance.db_app | Ensure Instance Metadata Service Version 1 is not enabled | https://docs.bridgecrew.io/docs/bc_aws_general_31 |
| 31 | CKV_AWS_135 | /aws/db-app.tf | aws_instance.db_app | Ensure that EC2 is EBS optimized | https://docs.bridgecrew.io/docs/ensure-that-ec2-is-ebs-optimized |
| 32 | CKV_AWS_8 | /aws/db-app.tf | aws_instance.db_app | Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted | https://docs.bridgecrew.io/docs/general_13 |
| 33 | CKV_AWS_126 | /aws/db-app.tf | aws_instance.db_app | Ensure that detailed monitoring is enabled for EC2 instances | https://docs.bridgecrew.io/docs/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances |
| 34 | CKV_AWS_79 | /aws/ec2.tf | aws_instance.web_host | Ensure Instance Metadata Service Version 1 is not enabled | https://docs.bridgecrew.io/docs/bc_aws_general_31 |
| 35 | CKV_AWS_135 | /aws/ec2.tf | aws_instance.web_host | Ensure that EC2 is EBS optimized | https://docs.bridgecrew.io/docs/ensure-that-ec2-is-ebs-optimized |
| 36 | CKV_AWS_8 | /aws/ec2.tf | aws_instance.web_host | Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted | https://docs.bridgecrew.io/docs/general_13 |
| 37 | CKV_AWS_46 | /aws/ec2.tf | aws_instance.web_host | Ensure no hard-coded secrets exist in EC2 user data | https://docs.bridgecrew.io/docs/bc_aws_secrets_1 |
| 38 | CKV_AWS_126 | /aws/ec2.tf | aws_instance.web_host | Ensure that detailed monitoring is enabled for EC2 instances | https://docs.bridgecrew.io/docs/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances |
| 39 | CKV_AWS_3 | /aws/ec2.tf | aws_ebs_volume.web_host_storage | Ensure all data stored in the EBS is securely encrypted | https://docs.bridgecrew.io/docs/general_3-encrypt-eps-volume |
| 40 | CKV_AWS_189 | /aws/ec2.tf | aws_ebs_volume.web_host_storage | Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK) | https://docs.bridgecrew.io/docs/bc_aws_general_109 |
| 41 | CKV_AWS_23 | /aws/ec2.tf | aws_security_group.web-node | Ensure every security groups rule has a description | https://docs.bridgecrew.io/docs/networking_31 |
| 42 | CKV_AWS_260 | /aws/ec2.tf | aws_security_group.web-node | Ensure no security groups allow ingress from 0.0.0.0:0 to port 80 | |
| 43 | CKV_AWS_24 | /aws/ec2.tf | aws_security_group.web-node | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | https://docs.bridgecrew.io/docs/networking_1-port-security |
| 44 | CKV_AWS_130 | /aws/ec2.tf | aws_subnet.web_subnet | Ensure VPC subnets do not assign public IP by default | https://docs.bridgecrew.io/docs/ensure-vpc-subnets-do-not-assign-public-ip-by-default |
| 45 | CKV_AWS_130 | /aws/ec2.tf | aws_subnet.web_subnet2 | Ensure VPC subnets do not assign public IP by default | https://docs.bridgecrew.io/docs/ensure-vpc-subnets-do-not-assign-public-ip-by-default |
| 46 | CKV_AWS_136 | /aws/ecr.tf | aws_ecr_repository.repository | Ensure that ECR repositories are encrypted using KMS | https://docs.bridgecrew.io/docs/ensure-that-ecr-repositories-are-encrypted |
| 47 | CKV_AWS_51 | /aws/ecr.tf | aws_ecr_repository.repository | Ensure ECR Image Tags are immutable | https://docs.bridgecrew.io/docs/bc_aws_general_24 |
| 48 | CKV_AWS_163 | /aws/ecr.tf | aws_ecr_repository.repository | Ensure ECR image scanning on push is enabled | https://docs.bridgecrew.io/docs/general_8 |
| 49 | CKV_AWS_130 | /aws/eks.tf | aws_subnet.eks_subnet1 | Ensure VPC subnets do not assign public IP by default | https://docs.bridgecrew.io/docs/ensure-vpc-subnets-do-not-assign-public-ip-by-default |
| 50 | CKV_AWS_130 | /aws/eks.tf | aws_subnet.eks_subnet2 | Ensure VPC subnets do not assign public IP by default | https://docs.bridgecrew.io/docs/ensure-vpc-subnets-do-not-assign-public-ip-by-default |
| 51 | CKV_AWS_39 | /aws/eks.tf | aws_eks_cluster.eks_cluster | Ensure Amazon EKS public endpoint disabled | https://docs.bridgecrew.io/docs/bc_aws_kubernetes_2 |
| 52 | CKV_AWS_38 | /aws/eks.tf | aws_eks_cluster.eks_cluster | Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0 | https://docs.bridgecrew.io/docs/bc_aws_kubernetes_1 |
| 53 | CKV_AWS_37 | /aws/eks.tf | aws_eks_cluster.eks_cluster | Ensure Amazon EKS control plane logging enabled for all log types | https://docs.bridgecrew.io/docs/bc_aws_kubernetes_4 |
| 54 | CKV_AWS_58 | /aws/eks.tf | aws_eks_cluster.eks_cluster | Ensure EKS Cluster has Secrets Encryption Enabled | https://docs.bridgecrew.io/docs/bc_aws_kubernetes_3 |
| 55 | CKV_AWS_127 | /aws/elb.tf | aws_elb.weblb | Ensure that Elastic Load Balancer(s) uses SSL certificates provided by AWS Certificate Manager | https://docs.bridgecrew.io/docs/ensure-that-elastic-load-balancers-uses-ssl-certificates-provided-by-aws-certificate-manager |
| 56 | CKV_AWS_92 | /aws/elb.tf | aws_elb.weblb | Ensure the ELB has access logging enabled | https://docs.bridgecrew.io/docs/bc_aws_logging_23 |
| 57 | CKV_AWS_111 | /aws/es.tf | aws_iam_policy_document.policy | Ensure IAM policies does not allow write access without constraints | https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-write-access-without-constraint |
| 58 | CKV_AWS_109 | /aws/es.tf | aws_iam_policy_document.policy | Ensure IAM policies does not allow permissions management / resource exposure without constraints | https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint |
| 59 | CKV_AWS_137 | /aws/es.tf | aws_elasticsearch_domain.monitoring-framework | Ensure that Elasticsearch is configured inside a VPC | https://docs.bridgecrew.io/docs/ensure-that-elasticsearch-is-configured-inside-a-vpc |
| 60 | CKV_AWS_247 | /aws/es.tf | aws_elasticsearch_domain.monitoring-framework | Ensure all data stored in the Elasticsearch is encrypted with a CMK | |
| 61 | CKV_AWS_248 | /aws/es.tf | aws_elasticsearch_domain.monitoring-framework | Ensure that Elasticsearch is not using the default Security Group | |
| 62 | CKV_AWS_228 | /aws/es.tf | aws_elasticsearch_domain.monitoring-framework | Verify Elasticsearch domain is using an up to date TLS policy | |
| 63 | CKV_AWS_84 | /aws/es.tf | aws_elasticsearch_domain.monitoring-framework | Ensure Elasticsearch Domain Logging is enabled | https://docs.bridgecrew.io/docs/elasticsearch_7 |
| 64 | CKV_AWS_5 | /aws/es.tf | aws_elasticsearch_domain.monitoring-framework | Ensure all data stored in the Elasticsearch is securely encrypted at rest | https://docs.bridgecrew.io/docs/elasticsearch_3-enable-encryptionatrest |
| 65 | CKV_AWS_7 | /aws/kms.tf | aws_kms_key.logs_key | Ensure rotation for customer created CMKs is enabled | https://docs.bridgecrew.io/docs/logging_8 |
| 66 | CKV_AWS_115 | /aws/lambda.tf | aws_lambda_function.analysis_lambda | Ensure that AWS Lambda function is configured for function-level concurrent execution limit | https://docs.bridgecrew.io/docs/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit |
| 67 | CKV_AWS_45 | /aws/lambda.tf | aws_lambda_function.analysis_lambda | Ensure no hard-coded secrets exist in lambda environment | https://docs.bridgecrew.io/docs/bc_aws_secrets_3 |
| 68 | CKV_AWS_50 | /aws/lambda.tf | aws_lambda_function.analysis_lambda | X-ray tracing is enabled for Lambda | https://docs.bridgecrew.io/docs/bc_aws_serverless_4 |
| 69 | CKV_AWS_117 | /aws/lambda.tf | aws_lambda_function.analysis_lambda | Ensure that AWS Lambda function is configured inside a VPC | https://docs.bridgecrew.io/docs/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1 |
| 70 | CKV_AWS_173 | /aws/lambda.tf | aws_lambda_function.analysis_lambda | Check encryption settings for Lambda environmental variable | https://docs.bridgecrew.io/docs/bc_aws_serverless_5 |
| 71 | CKV_AWS_116 | /aws/lambda.tf | aws_lambda_function.analysis_lambda | Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ) | https://docs.bridgecrew.io/docs/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq |
| 72 | CKV_AWS_44 | /aws/neptune.tf | aws_neptune_cluster.default | Ensure Neptune storage is securely encrypted | https://docs.bridgecrew.io/docs/general_18 |
| 73 | CKV_AWS_101 | /aws/neptune.tf | aws_neptune_cluster.default | Ensure Neptune logging is enabled | https://docs.bridgecrew.io/docs/bc_aws_logging_24 |
| 74 | CKV_AWS_41 | /aws/providers.tf | aws.plain_text_access_keys_provider | Ensure no hard coded AWS access key and secret key exists in provider | https://docs.bridgecrew.io/docs/bc_aws_secrets_5 |
| 75 | CKV_AWS_128 | /aws/rds.tf | aws_rds_cluster.app1-rds-cluster | Ensure that an Amazon RDS Clusters have AWS Identity and Access Management (IAM) authentication enabled | https://docs.bridgecrew.io/docs/ensure-that-an-amazon-rds-clusters-have-iam-authentication-enabled |
| 76 | CKV_AWS_139 | /aws/rds.tf | aws_rds_cluster.app1-rds-cluster | Ensure that RDS clusters have deletion protection enabled | https://docs.bridgecrew.io/docs/ensure-that-rds-clusters-and-instances-have-deletion-protection-enabled |
| 77 | CKV_AWS_96 | /aws/rds.tf | aws_rds_cluster.app1-rds-cluster | Ensure all data stored in Aurora is securely encrypted at rest | https://docs.bridgecrew.io/docs/bc_aws_general_38 |
| 78 | CKV_AWS_162 | /aws/rds.tf | aws_rds_cluster.app1-rds-cluster | Ensure RDS cluster has IAM authentication enabled | https://docs.bridgecrew.io/docs/ensure-rds-cluster-has-iam-authentication-enabled |
| 79 | CKV_AWS_133 | /aws/rds.tf | aws_rds_cluster.app1-rds-cluster | Ensure that RDS instances has backup policy | https://docs.bridgecrew.io/docs/ensure-that-rds-instances-have-backup-policy |
| 80 | CKV_AWS_128 | /aws/rds.tf | aws_rds_cluster.app2-rds-cluster | Ensure that an Amazon RDS Clusters have AWS Identity and Access Management (IAM) authentication enabled | https://docs.bridgecrew.io/docs/ensure-that-an-amazon-rds-clusters-have-iam-authentication-enabled |
| 81 | CKV_AWS_139 | /aws/rds.tf | aws_rds_cluster.app2-rds-cluster | Ensure that RDS clusters have deletion protection enabled | https://docs.bridgecrew.io/docs/ensure-that-rds-clusters-and-instances-have-deletion-protection-enabled |
| 82 | CKV_AWS_96 | /aws/rds.tf | aws_rds_cluster.app2-rds-cluster | Ensure all data stored in Aurora is securely encrypted at rest | https://docs.bridgecrew.io/docs/bc_aws_general_38 |
| 83 | CKV_AWS_162 | /aws/rds.tf | aws_rds_cluster.app2-rds-cluster | Ensure RDS cluster has IAM authentication enabled | https://docs.bridgecrew.io/docs/ensure-rds-cluster-has-iam-authentication-enabled |
| 84 | CKV_AWS_128 | /aws/rds.tf | aws_rds_cluster.app3-rds-cluster | Ensure that an Amazon RDS Clusters have AWS Identity and Access Management (IAM) authentication enabled | https://docs.bridgecrew.io/docs/ensure-that-an-amazon-rds-clusters-have-iam-authentication-enabled |
| 85 | CKV_AWS_139 | /aws/rds.tf | aws_rds_cluster.app3-rds-cluster | Ensure that RDS clusters have deletion protection enabled | https://docs.bridgecrew.io/docs/ensure-that-rds-clusters-and-instances-have-deletion-protection-enabled |
| 86 | CKV_AWS_96 | /aws/rds.tf | aws_rds_cluster.app3-rds-cluster | Ensure all data stored in Aurora is securely encrypted at rest | https://docs.bridgecrew.io/docs/bc_aws_general_38 |
| 87 | CKV_AWS_162 | /aws/rds.tf | aws_rds_cluster.app3-rds-cluster | Ensure RDS cluster has IAM authentication enabled | https://docs.bridgecrew.io/docs/ensure-rds-cluster-has-iam-authentication-enabled |
| 88 | CKV_AWS_128 | /aws/rds.tf | aws_rds_cluster.app4-rds-cluster | Ensure that an Amazon RDS Clusters have AWS Identity and Access Management (IAM) authentication enabled | https://docs.bridgecrew.io/docs/ensure-that-an-amazon-rds-clusters-have-iam-authentication-enabled |
| 89 | CKV_AWS_139 | /aws/rds.tf | aws_rds_cluster.app4-rds-cluster | Ensure that RDS clusters have deletion protection enabled | https://docs.bridgecrew.io/docs/ensure-that-rds-clusters-and-instances-have-deletion-protection-enabled |
| 90 | CKV_AWS_96 | /aws/rds.tf | aws_rds_cluster.app4-rds-cluster | Ensure all data stored in Aurora is securely encrypted at rest | https://docs.bridgecrew.io/docs/bc_aws_general_38 |
| 91 | CKV_AWS_162 | /aws/rds.tf | aws_rds_cluster.app4-rds-cluster | Ensure RDS cluster has IAM authentication enabled | https://docs.bridgecrew.io/docs/ensure-rds-cluster-has-iam-authentication-enabled |
| 92 | CKV_AWS_128 | /aws/rds.tf | aws_rds_cluster.app5-rds-cluster | Ensure that an Amazon RDS Clusters have AWS Identity and Access Management (IAM) authentication enabled | https://docs.bridgecrew.io/docs/ensure-that-an-amazon-rds-clusters-have-iam-authentication-enabled |
| 93 | CKV_AWS_139 | /aws/rds.tf | aws_rds_cluster.app5-rds-cluster | Ensure that RDS clusters have deletion protection enabled | https://docs.bridgecrew.io/docs/ensure-that-rds-clusters-and-instances-have-deletion-protection-enabled |
| 94 | CKV_AWS_96 | /aws/rds.tf | aws_rds_cluster.app5-rds-cluster | Ensure all data stored in Aurora is securely encrypted at rest | https://docs.bridgecrew.io/docs/bc_aws_general_38 |
| 95 | CKV_AWS_162 | /aws/rds.tf | aws_rds_cluster.app5-rds-cluster | Ensure RDS cluster has IAM authentication enabled | https://docs.bridgecrew.io/docs/ensure-rds-cluster-has-iam-authentication-enabled |
| 96 | CKV_AWS_128 | /aws/rds.tf | aws_rds_cluster.app6-rds-cluster | Ensure that an Amazon RDS Clusters have AWS Identity and Access Management (IAM) authentication enabled | https://docs.bridgecrew.io/docs/ensure-that-an-amazon-rds-clusters-have-iam-authentication-enabled |
| 97 | CKV_AWS_139 | /aws/rds.tf | aws_rds_cluster.app6-rds-cluster | Ensure that RDS clusters have deletion protection enabled | https://docs.bridgecrew.io/docs/ensure-that-rds-clusters-and-instances-have-deletion-protection-enabled |
| 98 | CKV_AWS_96 | /aws/rds.tf | aws_rds_cluster.app6-rds-cluster | Ensure all data stored in Aurora is securely encrypted at rest | https://docs.bridgecrew.io/docs/bc_aws_general_38 |
| 99 | CKV_AWS_162 | /aws/rds.tf | aws_rds_cluster.app6-rds-cluster | Ensure RDS cluster has IAM authentication enabled | https://docs.bridgecrew.io/docs/ensure-rds-cluster-has-iam-authentication-enabled |
| 100 | CKV_AWS_128 | /aws/rds.tf | aws_rds_cluster.app7-rds-cluster | Ensure that an Amazon RDS Clusters have AWS Identity and Access Management (IAM) authentication enabled | https://docs.bridgecrew.io/docs/ensure-that-an-amazon-rds-clusters-have-iam-authentication-enabled |
| 101 | CKV_AWS_139 | /aws/rds.tf | aws_rds_cluster.app7-rds-cluster | Ensure that RDS clusters have deletion protection enabled | https://docs.bridgecrew.io/docs/ensure-that-rds-clusters-and-instances-have-deletion-protection-enabled |
| 102 | CKV_AWS_96 | /aws/rds.tf | aws_rds_cluster.app7-rds-cluster | Ensure all data stored in Aurora is securely encrypted at rest | https://docs.bridgecrew.io/docs/bc_aws_general_38 |
| 103 | CKV_AWS_162 | /aws/rds.tf | aws_rds_cluster.app7-rds-cluster | Ensure RDS cluster has IAM authentication enabled | https://docs.bridgecrew.io/docs/ensure-rds-cluster-has-iam-authentication-enabled |
| 104 | CKV_AWS_128 | /aws/rds.tf | aws_rds_cluster.app8-rds-cluster | Ensure that an Amazon RDS Clusters have AWS Identity and Access Management (IAM) authentication enabled | https://docs.bridgecrew.io/docs/ensure-that-an-amazon-rds-clusters-have-iam-authentication-enabled |
| 105 | CKV_AWS_139 | /aws/rds.tf | aws_rds_cluster.app8-rds-cluster | Ensure that RDS clusters have deletion protection enabled | https://docs.bridgecrew.io/docs/ensure-that-rds-clusters-and-instances-have-deletion-protection-enabled |
| 106 | CKV_AWS_96 | /aws/rds.tf | aws_rds_cluster.app8-rds-cluster | Ensure all data stored in Aurora is securely encrypted at rest | https://docs.bridgecrew.io/docs/bc_aws_general_38 |
| 107 | CKV_AWS_162 | /aws/rds.tf | aws_rds_cluster.app8-rds-cluster | Ensure RDS cluster has IAM authentication enabled | https://docs.bridgecrew.io/docs/ensure-rds-cluster-has-iam-authentication-enabled |
| 108 | CKV_AWS_128 | /aws/rds.tf | aws_rds_cluster.app9-rds-cluster | Ensure that an Amazon RDS Clusters have AWS Identity and Access Management (IAM) authentication enabled | https://docs.bridgecrew.io/docs/ensure-that-an-amazon-rds-clusters-have-iam-authentication-enabled |
| 109 | CKV_AWS_139 | /aws/rds.tf | aws_rds_cluster.app9-rds-cluster | Ensure that RDS clusters have deletion protection enabled | https://docs.bridgecrew.io/docs/ensure-that-rds-clusters-and-instances-have-deletion-protection-enabled |
| 110 | CKV_AWS_96 | /aws/rds.tf | aws_rds_cluster.app9-rds-cluster | Ensure all data stored in Aurora is securely encrypted at rest | https://docs.bridgecrew.io/docs/bc_aws_general_38 |
| 111 | CKV_AWS_162 | /aws/rds.tf | aws_rds_cluster.app9-rds-cluster | Ensure RDS cluster has IAM authentication enabled | https://docs.bridgecrew.io/docs/ensure-rds-cluster-has-iam-authentication-enabled |
| 112 | CKV_AWS_186 | /aws/s3.tf | aws_s3_bucket_object.data_object | Ensure S3 bucket Object is encrypted by KMS using a customer managed Key (CMK) | https://docs.bridgecrew.io/docs/bc_aws_general_106 |
| 113 | CKV_AZURE_116 | /azure/aks.tf | azurerm_kubernetes_cluster.k8s_cluster | Ensure that AKS uses Azure Policies Add-on | https://docs.bridgecrew.io/docs/ensure-that-aks-uses-azure-policies-add-on |
| 114 | CKV_AZURE_8 | /azure/aks.tf | azurerm_kubernetes_cluster.k8s_cluster | Ensure Kubernetes Dashboard is disabled | https://docs.bridgecrew.io/docs/bc_azr_kubernetes_5 |
| 115 | CKV_AZURE_4 | /azure/aks.tf | azurerm_kubernetes_cluster.k8s_cluster | Ensure AKS logging to Azure Monitoring is Configured | https://docs.bridgecrew.io/docs/bc_azr_kubernetes_1 |
| 116 | CKV_AZURE_117 | /azure/aks.tf | azurerm_kubernetes_cluster.k8s_cluster | Ensure that AKS uses disk encryption set | https://docs.bridgecrew.io/docs/ensure-that-aks-uses-disk-encryption-set |
| 117 | CKV_AZURE_115 | /azure/aks.tf | azurerm_kubernetes_cluster.k8s_cluster | Ensure that AKS enables private clusters | https://docs.bridgecrew.io/docs/ensure-that-aks-enables-private-clusters |
| 118 | CKV_AZURE_141 | /azure/aks.tf | azurerm_kubernetes_cluster.k8s_cluster | Ensure AKS local admin account is disabled | |
| 119 | CKV_AZURE_7 | /azure/aks.tf | azurerm_kubernetes_cluster.k8s_cluster | Ensure AKS cluster has Network Policy configured | https://docs.bridgecrew.io/docs/bc_azr_kubernetes_4 |
| 120 | CKV_AZURE_6 | /azure/aks.tf | azurerm_kubernetes_cluster.k8s_cluster | Ensure AKS has an API Server Authorized IP Ranges enabled | https://docs.bridgecrew.io/docs/bc_azr_kubernetes_3 |
| 121 | CKV_AZURE_5 | /azure/aks.tf | azurerm_kubernetes_cluster.k8s_cluster | Ensure RBAC is enabled on AKS clusters | https://docs.bridgecrew.io/docs/bc_azr_kubernetes_2 |
| 122 | CKV_AZURE_15 | /azure/app_service.tf | azurerm_app_service.app-service1 | Ensure web app is using the latest version of TLS encryption | https://docs.bridgecrew.io/docs/bc_azr_networking_6 |
| 123 | CKV_AZURE_78 | /azure/app_service.tf | azurerm_app_service.app-service1 | Ensure FTP deployments are disabled | https://docs.bridgecrew.io/docs/ensure-ftp-deployments-are-disabled |
| 124 | CKV_AZURE_18 | /azure/app_service.tf | azurerm_app_service.app-service1 | Ensure that 'HTTP Version' is the latest if used to run the web app | https://docs.bridgecrew.io/docs/bc_azr_networking_8 |
| 125 | CKV_AZURE_88 | /azure/app_service.tf | azurerm_app_service.app-service1 | Ensure that app services use Azure Files | https://docs.bridgecrew.io/docs/ensure-that-app-services-use-azure-files |
| 126 | CKV_AZURE_13 | /azure/app_service.tf | azurerm_app_service.app-service1 | Ensure App Service Authentication is set on Azure App Service | https://docs.bridgecrew.io/docs/bc_azr_general_2 |
| 127 | CKV_AZURE_71 | /azure/app_service.tf | azurerm_app_service.app-service1 | Ensure that Managed identity provider is enabled for app services | https://docs.bridgecrew.io/docs/ensure-that-managed-identity-provider-is-enabled-for-app-services |
| 128 | CKV_AZURE_80 | /azure/app_service.tf | azurerm_app_service.app-service1 | Ensure that 'Net Framework' version is the latest, if used as a part of the web app | https://docs.bridgecrew.io/docs/ensure-that-net-framework-version-is-the-latest-if-used-as-a-part-of-the-web-app |
| 129 | CKV_AZURE_65 | /azure/app_service.tf | azurerm_app_service.app-service1 | Ensure that App service enables detailed error messages | https://docs.bridgecrew.io/docs/tbdensure-that-app-service-enables-detailed-error-messages |
| 130 | CKV_AZURE_63 | /azure/app_service.tf | azurerm_app_service.app-service1 | Ensure that App service enables HTTP logging | https://docs.bridgecrew.io/docs/ensure-that-app-service-enables-http-logging |
| 131 | CKV_AZURE_17 | /azure/app_service.tf | azurerm_app_service.app-service1 | Ensure the web app has 'Client Certificates (Incoming client certificates)' set | https://docs.bridgecrew.io/docs/bc_azr_networking_7 |
| 132 | CKV_AZURE_16 | /azure/app_service.tf | azurerm_app_service.app-service1 | Ensure that Register with Azure Active Directory is enabled on App Service | https://docs.bridgecrew.io/docs/bc_azr_iam_1 |
| 133 | CKV_AZURE_66 | /azure/app_service.tf | azurerm_app_service.app-service1 | Ensure that App service enables failed request tracing | https://docs.bridgecrew.io/docs/ensure-that-app-service-enables-failed-request-tracing |
| 134 | CKV_AZURE_14 | /azure/app_service.tf | azurerm_app_service.app-service1 | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | https://docs.bridgecrew.io/docs/bc_azr_networking_5 |
| 135 | CKV_AZURE_78 | /azure/app_service.tf | azurerm_app_service.app-service2 | Ensure FTP deployments are disabled | https://docs.bridgecrew.io/docs/ensure-ftp-deployments-are-disabled |
| 136 | CKV_AZURE_18 | /azure/app_service.tf | azurerm_app_service.app-service2 | Ensure that 'HTTP Version' is the latest if used to run the web app | https://docs.bridgecrew.io/docs/bc_azr_networking_8 |
| 137 | CKV_AZURE_88 | /azure/app_service.tf | azurerm_app_service.app-service2 | Ensure that app services use Azure Files | https://docs.bridgecrew.io/docs/ensure-that-app-services-use-azure-files |
| 138 | CKV_AZURE_13 | /azure/app_service.tf | azurerm_app_service.app-service2 | Ensure App Service Authentication is set on Azure App Service | https://docs.bridgecrew.io/docs/bc_azr_general_2 |
| 139 | CKV_AZURE_71 | /azure/app_service.tf | azurerm_app_service.app-service2 | Ensure that Managed identity provider is enabled for app services | https://docs.bridgecrew.io/docs/ensure-that-managed-identity-provider-is-enabled-for-app-services |
| 140 | CKV_AZURE_80 | /azure/app_service.tf | azurerm_app_service.app-service2 | Ensure that 'Net Framework' version is the latest, if used as a part of the web app | https://docs.bridgecrew.io/docs/ensure-that-net-framework-version-is-the-latest-if-used-as-a-part-of-the-web-app |
| 141 | CKV_AZURE_65 | /azure/app_service.tf | azurerm_app_service.app-service2 | Ensure that App service enables detailed error messages | https://docs.bridgecrew.io/docs/tbdensure-that-app-service-enables-detailed-error-messages |
| 142 | CKV_AZURE_63 | /azure/app_service.tf | azurerm_app_service.app-service2 | Ensure that App service enables HTTP logging | https://docs.bridgecrew.io/docs/ensure-that-app-service-enables-http-logging |
| 143 | CKV_AZURE_17 | /azure/app_service.tf | azurerm_app_service.app-service2 | Ensure the web app has 'Client Certificates (Incoming client certificates)' set | https://docs.bridgecrew.io/docs/bc_azr_networking_7 |
| 144 | CKV_AZURE_16 | /azure/app_service.tf | azurerm_app_service.app-service2 | Ensure that Register with Azure Active Directory is enabled on App Service | https://docs.bridgecrew.io/docs/bc_azr_iam_1 |
| 145 | CKV_AZURE_66 | /azure/app_service.tf | azurerm_app_service.app-service2 | Ensure that App service enables failed request tracing | https://docs.bridgecrew.io/docs/ensure-that-app-service-enables-failed-request-tracing |
| 146 | CKV_AZURE_1 | /azure/instance.tf | azurerm_linux_virtual_machine.linux_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | https://docs.bridgecrew.io/docs/bc_azr_networking_1 |
| 147 | CKV_AZURE_50 | /azure/instance.tf | azurerm_linux_virtual_machine.linux_machine | Ensure Virtual Machine Extensions are not Installed | https://docs.bridgecrew.io/docs/bc_azr_general_14 |
| 148 | CKV_AZURE_149 | /azure/instance.tf | azurerm_linux_virtual_machine.linux_machine | Ensure that Virtual machine does not enable password authentication | |
| 149 | CKV_AZURE_151 | /azure/instance.tf | azurerm_windows_virtual_machine.windows_machine | Ensure Windows VM enables encryption | |
| 150 | CKV_AZURE_50 | /azure/instance.tf | azurerm_windows_virtual_machine.windows_machine | Ensure Virtual Machine Extensions are not Installed | https://docs.bridgecrew.io/docs/bc_azr_general_14 |
| 151 | CKV_AZURE_109 | /azure/key_vault.tf | azurerm_key_vault.example | Ensure that key vault allows firewall rules settings | https://docs.bridgecrew.io/docs/ensure-that-key-vault-allows-firewall-rules-settings |
| 152 | CKV_AZURE_42 | /azure/key_vault.tf | azurerm_key_vault.example | Ensure the key vault is recoverable | https://docs.bridgecrew.io/docs/ensure-the-key-vault-is-recoverable |
| 153 | CKV_AZURE_110 | /azure/key_vault.tf | azurerm_key_vault.example | Ensure that key vault enables purge protection | https://docs.bridgecrew.io/docs/ensure-that-key-vault-enables-purge-protection |
| 154 | CKV_AZURE_112 | /azure/key_vault.tf | azurerm_key_vault_key.generated | Ensure that key vault key is backed by HSM | https://docs.bridgecrew.io/docs/ensure-that-key-vault-key-is-backed-by-hsm |
| 155 | CKV_AZURE_40 | /azure/key_vault.tf | azurerm_key_vault_key.generated | Ensure that the expiration date is set on all keys | https://docs.bridgecrew.io/docs/set-an-expiration-date-on-all-keys |
| 156 | CKV_AZURE_114 | /azure/key_vault.tf | azurerm_key_vault_secret.secret | Ensure that key vault secrets have "content_type" set | https://docs.bridgecrew.io/docs/ensure-that-key-vault-secrets-have-content_type-set |
| 157 | CKV_AZURE_41 | /azure/key_vault.tf | azurerm_key_vault_secret.secret | Ensure that the expiration date is set on all secrets | https://docs.bridgecrew.io/docs/set-an-expiration-date-on-all-secrets |
| 158 | CKV_AZURE_38 | /azure/logging.tf | azurerm_monitor_log_profile.logging_profile | Ensure audit profile captures all the activities | https://docs.bridgecrew.io/docs/ensure-audit-profile-captures-all-activities |
| 159 | CKV_AZURE_37 | /azure/logging.tf | azurerm_monitor_log_profile.logging_profile | Ensure that Activity Log Retention is set 365 days or greater | https://docs.bridgecrew.io/docs/set-activity-log-retention-to-365-days-or-greater |
| 160 | CKV_AZURE_35 | /azure/mssql.tf | azurerm_storage_account.security_storage_account | Ensure default network access rule for Storage Accounts is set to deny | https://docs.bridgecrew.io/docs/set-default-network-access-rule-for-storage-accounts-to-deny |
| 161 | CKV_AZURE_33 | /azure/mssql.tf | azurerm_storage_account.security_storage_account | Ensure Storage logging is enabled for Queue service for read, write and delete requests | https://docs.bridgecrew.io/docs/enable-requests-on-storage-logging-for-queue-service |
| 162 | CKV_AZURE_44 | /azure/mssql.tf | azurerm_storage_account.security_storage_account | Ensure Storage Account is using the latest version of TLS encryption | https://docs.bridgecrew.io/docs/bc_azr_storage_2 |
| 163 | CKV_AZURE_52 | /azure/mssql.tf | azurerm_mssql_server.mssql1 | Ensure MSSQL is using the latest version of TLS encryption | https://docs.bridgecrew.io/docs/ensure-mssql-is-using-the-latest-version-of-tls-encryption |
| 164 | CKV_AZURE_113 | /azure/mssql.tf | azurerm_mssql_server.mssql1 | Ensure that SQL server disables public network access | https://docs.bridgecrew.io/docs/ensure-that-sql-server-disables-public-network-access |
| 165 | CKV_AZURE_52 | /azure/mssql.tf | azurerm_mssql_server.mssql2 | Ensure MSSQL is using the latest version of TLS encryption | https://docs.bridgecrew.io/docs/ensure-mssql-is-using-the-latest-version-of-tls-encryption |
| 166 | CKV_AZURE_113 | /azure/mssql.tf | azurerm_mssql_server.mssql2 | Ensure that SQL server disables public network access | https://docs.bridgecrew.io/docs/ensure-that-sql-server-disables-public-network-access |
| 167 | CKV_AZURE_52 | /azure/mssql.tf | azurerm_mssql_server.mssql3 | Ensure MSSQL is using the latest version of TLS encryption | https://docs.bridgecrew.io/docs/ensure-mssql-is-using-the-latest-version-of-tls-encryption |
| 168 | CKV_AZURE_113 | /azure/mssql.tf | azurerm_mssql_server.mssql3 | Ensure that SQL server disables public network access | https://docs.bridgecrew.io/docs/ensure-that-sql-server-disables-public-network-access |
| 169 | CKV_AZURE_52 | /azure/mssql.tf | azurerm_mssql_server.mssql4 | Ensure MSSQL is using the latest version of TLS encryption | https://docs.bridgecrew.io/docs/ensure-mssql-is-using-the-latest-version-of-tls-encryption |
| 170 | CKV_AZURE_113 | /azure/mssql.tf | azurerm_mssql_server.mssql4 | Ensure that SQL server disables public network access | https://docs.bridgecrew.io/docs/ensure-that-sql-server-disables-public-network-access |
| 171 | CKV_AZURE_52 | /azure/mssql.tf | azurerm_mssql_server.mssql5 | Ensure MSSQL is using the latest version of TLS encryption | https://docs.bridgecrew.io/docs/ensure-mssql-is-using-the-latest-version-of-tls-encryption |
| 172 | CKV_AZURE_113 | /azure/mssql.tf | azurerm_mssql_server.mssql5 | Ensure that SQL server disables public network access | https://docs.bridgecrew.io/docs/ensure-that-sql-server-disables-public-network-access |
| 173 | CKV_AZURE_52 | /azure/mssql.tf | azurerm_mssql_server.mssql6 | Ensure MSSQL is using the latest version of TLS encryption | https://docs.bridgecrew.io/docs/ensure-mssql-is-using-the-latest-version-of-tls-encryption |
| 174 | CKV_AZURE_113 | /azure/mssql.tf | azurerm_mssql_server.mssql6 | Ensure that SQL server disables public network access | https://docs.bridgecrew.io/docs/ensure-that-sql-server-disables-public-network-access |
| 175 | CKV_AZURE_52 | /azure/mssql.tf | azurerm_mssql_server.mssql7 | Ensure MSSQL is using the latest version of TLS encryption | https://docs.bridgecrew.io/docs/ensure-mssql-is-using-the-latest-version-of-tls-encryption |
| 176 | CKV_AZURE_113 | /azure/mssql.tf | azurerm_mssql_server.mssql7 | Ensure that SQL server disables public network access | https://docs.bridgecrew.io/docs/ensure-that-sql-server-disables-public-network-access |
| 177 | CKV_AZURE_25 | /azure/mssql.tf | azurerm_mssql_server_security_alert_policy.alertpolicy1 | Ensure that 'Threat Detection types' is set to 'All' | https://docs.bridgecrew.io/docs/bc_azr_general_6 |
| 178 | CKV_AZURE_27 | /azure/mssql.tf | azurerm_mssql_server_security_alert_policy.alertpolicy1 | Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers | https://docs.bridgecrew.io/docs/bc_azr_general_8 |
| 179 | CKV_AZURE_25 | /azure/mssql.tf | azurerm_mssql_server_security_alert_policy.alertpolicy2 | Ensure that 'Threat Detection types' is set to 'All' | https://docs.bridgecrew.io/docs/bc_azr_general_6 |
| 180 | CKV_AZURE_27 | /azure/mssql.tf | azurerm_mssql_server_security_alert_policy.alertpolicy2 | Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers | https://docs.bridgecrew.io/docs/bc_azr_general_8 |
| 181 | CKV_AZURE_25 | /azure/mssql.tf | azurerm_mssql_server_security_alert_policy.alertpolicy3 | Ensure that 'Threat Detection types' is set to 'All' | https://docs.bridgecrew.io/docs/bc_azr_general_6 |
| 182 | CKV_AZURE_27 | /azure/mssql.tf | azurerm_mssql_server_security_alert_policy.alertpolicy3 | Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers | https://docs.bridgecrew.io/docs/bc_azr_general_8 |
| 183 | CKV_AZURE_25 | /azure/mssql.tf | azurerm_mssql_server_security_alert_policy.alertpolicy4 | Ensure that 'Threat Detection types' is set to 'All' | https://docs.bridgecrew.io/docs/bc_azr_general_6 |
| 184 | CKV_AZURE_27 | /azure/mssql.tf | azurerm_mssql_server_security_alert_policy.alertpolicy4 | Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers | https://docs.bridgecrew.io/docs/bc_azr_general_8 |
| 185 | CKV_AZURE_25 | /azure/mssql.tf | azurerm_mssql_server_security_alert_policy.alertpolicy5 | Ensure that 'Threat Detection types' is set to 'All' | https://docs.bridgecrew.io/docs/bc_azr_general_6 |
| 186 | CKV_AZURE_26 | /azure/mssql.tf | azurerm_mssql_server_security_alert_policy.alertpolicy5 | Ensure that 'Send Alerts To' is enabled for MSSQL servers | https://docs.bridgecrew.io/docs/bc_azr_general_7 |
| 187 | CKV_AZURE_27 | /azure/mssql.tf | azurerm_mssql_server_security_alert_policy.alertpolicy5 | Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers | https://docs.bridgecrew.io/docs/bc_azr_general_8 |
| 188 | CKV_AZURE_25 | /azure/mssql.tf | azurerm_mssql_server_security_alert_policy.alertpolicy6 | Ensure that 'Threat Detection types' is set to 'All' | https://docs.bridgecrew.io/docs/bc_azr_general_6 |
| 189 | CKV_AZURE_27 | /azure/mssql.tf | azurerm_mssql_server_security_alert_policy.alertpolicy6 | Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers | https://docs.bridgecrew.io/docs/bc_azr_general_8 |
| 190 | CKV_AZURE_25 | /azure/mssql.tf | azurerm_mssql_server_security_alert_policy.alertpolicy7 | Ensure that 'Threat Detection types' is set to 'All' | https://docs.bridgecrew.io/docs/bc_azr_general_6 |
| 191 | CKV_AZURE_27 | /azure/mssql.tf | azurerm_mssql_server_security_alert_policy.alertpolicy7 | Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers | https://docs.bridgecrew.io/docs/bc_azr_general_8 |
| 192 | CKV_AZURE_10 | /azure/networking.tf | azurerm_network_security_group.bad_sg | Ensure that SSH access is restricted from the internet | https://docs.bridgecrew.io/docs/bc_azr_networking_3 |
| 193 | CKV_AZURE_9 | /azure/networking.tf | azurerm_network_security_group.bad_sg | Ensure that RDP access is restricted from the internet | https://docs.bridgecrew.io/docs/bc_azr_networking_2 |
| 194 | CKV_AZURE_12 | /azure/networking.tf | azurerm_network_watcher_flow_log.flow_log | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | https://docs.bridgecrew.io/docs/bc_azr_logging_1 |
| 195 | CKV_AZURE_39 | /azure/roles.tf | azurerm_role_definition.example | Ensure that no custom subscription owner roles are created | https://docs.bridgecrew.io/docs/do-not-create-custom-subscription-owner-roles |
| 196 | CKV_AZURE_19 | /azure/security_center.tf | azurerm_security_center_subscription_pricing.pricing | Ensure that standard pricing tier is selected | https://docs.bridgecrew.io/docs/ensure-standard-pricing-tier-is-selected |
| 197 | CKV_AZURE_20 | /azure/security_center.tf | azurerm_security_center_contact.contact | Ensure that security contact 'Phone number' is set | https://docs.bridgecrew.io/docs/bc_azr_general_3 |
| 198 | CKV_AZURE_22 | /azure/security_center.tf | azurerm_security_center_contact.contact | Ensure that 'Send email notification for high severity alerts' is set to 'On' | https://docs.bridgecrew.io/docs/bc_azr_general_5 |
| 199 | CKV_AZURE_21 | /azure/security_center.tf | azurerm_security_center_contact.contact | Ensure that 'Send email notification for high severity alerts' is set to 'On' | https://docs.bridgecrew.io/docs/bc_azr_general_4 |
| 200 | CKV_AZURE_25 | /azure/sql.tf | azurerm_mssql_server_security_alert_policy.example | Ensure that 'Threat Detection types' is set to 'All' | https://docs.bridgecrew.io/docs/bc_azr_general_6 |
| 201 | CKV_AZURE_26 | /azure/sql.tf | azurerm_mssql_server_security_alert_policy.example | Ensure that 'Send Alerts To' is enabled for MSSQL servers | https://docs.bridgecrew.io/docs/bc_azr_general_7 |
| 202 | CKV_AZURE_27 | /azure/sql.tf | azurerm_mssql_server_security_alert_policy.example | Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers | https://docs.bridgecrew.io/docs/bc_azr_general_8 |
| 203 | CKV_AZURE_127 | /azure/sql.tf | azurerm_mysql_server.example | Ensure that My SQL server enables Threat detection policy | https://docs.bridgecrew.io/docs/ensure-that-my-sql-server-enables-threat-detection-policy |
| 204 | CKV_AZURE_94 | /azure/sql.tf | azurerm_mysql_server.example | Ensure that My SQL server enables geo-redundant backups | https://docs.bridgecrew.io/docs/ensure-that-my-sql-server-enables-geo-redundant-backups |
| 205 | CKV_AZURE_53 | /azure/sql.tf | azurerm_mysql_server.example | Ensure 'public network access enabled' is set to 'False' for mySQL servers | https://docs.bridgecrew.io/docs/ensure-public-network-access-enabled-is-set-to-false-for-mysql-servers |
| 206 | CKV_AZURE_54 | /azure/sql.tf | azurerm_mysql_server.example | Ensure MySQL is using the latest version of TLS encryption | https://docs.bridgecrew.io/docs/ensure-mysql-is-using-the-latest-version-of-tls-encryption |
| 207 | CKV_AZURE_28 | /azure/sql.tf | azurerm_mysql_server.example | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server | https://docs.bridgecrew.io/docs/bc_azr_networking_9 |
| 208 | CKV_AZURE_147 | /azure/sql.tf | azurerm_postgresql_server.example | Ensure PostgreSQL is using the latest version of TLS encryption | |
| 209 | CKV_AZURE_130 | /azure/sql.tf | azurerm_postgresql_server.example | Ensure that PostgreSQL server enables infrastructure encryption | https://docs.bridgecrew.io/docs/ensure-that-postgresql-server-enables-infrastructure-encryption |
| 210 | CKV_AZURE_29 | /azure/sql.tf | azurerm_postgresql_server.example | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | https://docs.bridgecrew.io/docs/bc_azr_networking_10 |
| 211 | CKV_AZURE_128 | /azure/sql.tf | azurerm_postgresql_server.example | Ensure that PostgreSQL server enables Threat detection policy | https://docs.bridgecrew.io/docs/ensure-that-postgresql-server-enables-threat-detection-policy |
| 212 | CKV_AZURE_102 | /azure/sql.tf | azurerm_postgresql_server.example | Ensure that PostgreSQL server enables geo-redundant backups | https://docs.bridgecrew.io/docs/ensure-that-postgresql-server-enables-geo-redundant-backups |
| 213 | CKV_AZURE_68 | /azure/sql.tf | azurerm_postgresql_server.example | Ensure that PostgreSQL server disables public network access | https://docs.bridgecrew.io/docs/ensure-that-postgresql-server-disables-public-network-access |
| 214 | CKV_AZURE_32 | /azure/sql.tf | azurerm_postgresql_configuration.thrtottling_config | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | https://docs.bridgecrew.io/docs/bc_azr_networking_13 |
| 215 | CKV_AZURE_30 | /azure/sql.tf | azurerm_postgresql_configuration.example | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | https://docs.bridgecrew.io/docs/bc_azr_networking_11 |
| 216 | CKV_AZURE_2 | /azure/storage.tf | azurerm_managed_disk.example | Ensure Azure managed disk has encryption enabled | https://docs.bridgecrew.io/docs/bc_azr_general_1 |
| 217 | CKV_AZURE_93 | /azure/storage.tf | azurerm_managed_disk.example | Ensure that managed disks use a specific set of disk encryption sets for the customer-managed key encryption | https://docs.bridgecrew.io/docs/ensure-that-managed-disks-use-a-specific-set-of-disk-encryption-sets-for-the-customer-managed-key-encryption |
| 218 | CKV_AZURE_35 | /azure/storage.tf | azurerm_storage_account.example | Ensure default network access rule for Storage Accounts is set to deny | https://docs.bridgecrew.io/docs/set-default-network-access-rule-for-storage-accounts-to-deny |
| 219 | CKV_AZURE_3 | /azure/storage.tf | azurerm_storage_account.example | Ensure that 'Secure transfer required' is set to 'Enabled' | |
| 220 | CKV_AZURE_33 | /azure/storage.tf | azurerm_storage_account.example | Ensure Storage logging is enabled for Queue service for read, write and delete requests | https://docs.bridgecrew.io/docs/enable-requests-on-storage-logging-for-queue-service |
| 221 | CKV_AZURE_44 | /azure/storage.tf | azurerm_storage_account.example | Ensure Storage Account is using the latest version of TLS encryption | https://docs.bridgecrew.io/docs/bc_azr_storage_2 |
| 222 | CKV_AZURE_36 | /azure/storage.tf | azurerm_storage_account_network_rules.test | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | https://docs.bridgecrew.io/docs/enable-trusted-microsoft-services-for-storage-account-access |
| 223 | CKV_GCP_6 | /gcp/big_data.tf | google_sql_database_instance.master_instance | Ensure all Cloud SQL database instance requires all incoming connections to use SSL | https://docs.bridgecrew.io/docs/bc_gcp_general_1 |
| 224 | CKV_GCP_11 | /gcp/big_data.tf | google_sql_database_instance.master_instance | Ensure that Cloud SQL database Instances are not open to the world | https://docs.bridgecrew.io/docs/bc_gcp_networking_4 |
| 225 | CKV_GCP_79 | /gcp/big_data.tf | google_sql_database_instance.master_instance | Ensure SQL database is using latest Major version | |
| 226 | CKV_GCP_60 | /gcp/big_data.tf | google_sql_database_instance.master_instance | Ensure Cloud SQL database does not have public IP | https://docs.bridgecrew.io/docs/bc_gcp_sql_11 |
| 227 | CKV_GCP_14 | /gcp/big_data.tf | google_sql_database_instance.master_instance | Ensure all Cloud SQL database instance have backup configuration enabled | https://docs.bridgecrew.io/docs/bc_gcp_general_2 |
| 228 | CKV_GCP_15 | /gcp/big_data.tf | google_bigquery_dataset.dataset | Ensure that BigQuery datasets are not anonymously or publicly accessible | https://docs.bridgecrew.io/docs/bc_gcp_general_3 |
| 229 | CKV_GCP_81 | /gcp/big_data.tf | google_bigquery_dataset.dataset | Ensure Big Query Tables are encrypted with Customer Supplied Encryption Keys (CSEK) | |
| 230 | CKV_GCP_62 | /gcp/gcs.tf | google_storage_bucket.terragoat_website | Bucket should log access | https://docs.bridgecrew.io/docs/bc_gcp_logging_2 |
| 231 | CKV_GCP_78 | /gcp/gcs.tf | google_storage_bucket.terragoat_website | Ensure Cloud storage has versioning enabled | |
| 232 | CKV_GCP_29 | /gcp/gcs.tf | google_storage_bucket.terragoat_website | Ensure that Cloud Storage buckets have uniform bucket-level access enabled | https://docs.bridgecrew.io/docs/bc_gcp_gcs_2 |
| 233 | CKV_GCP_28 | /gcp/gcs.tf | google_storage_bucket_iam_binding.allow_public_read | Ensure that Cloud Storage bucket is not anonymously or publicly accessible | https://docs.bridgecrew.io/docs/bc_gcp_public_1 |
| 234 | CKV_GCP_70 | /gcp/gke.tf | google_container_cluster.workload_cluster | Ensure the GKE Release Channel is set | https://docs.bridgecrew.io/docs/ensure-the-gke-release-channel-is-set |
| 235 | CKV_GCP_69 | /gcp/gke.tf | google_container_cluster.workload_cluster | Ensure the GKE Metadata Server is Enabled | https://docs.bridgecrew.io/docs/ensure-the-gke-metadata-server-is-enabled |
| 236 | CKV_GCP_67 | /gcp/gke.tf | google_container_cluster.workload_cluster | Ensure legacy Compute Engine instance metadata APIs are Disabled | https://docs.bridgecrew.io/docs/ensure-legacy-compute-engine-instance-metadata-apis-are-disabled |
| 237 | CKV_GCP_19 | /gcp/gke.tf | google_container_cluster.workload_cluster | Ensure GKE basic auth is disabled | https://docs.bridgecrew.io/docs/bc_gcp_kubernetes_11 |
| 238 | CKV_GCP_21 | /gcp/gke.tf | google_container_cluster.workload_cluster | Ensure Kubernetes Clusters are configured with Labels | https://docs.bridgecrew.io/docs/bc_gcp_kubernetes_13 |
| 239 | CKV_GCP_66 | /gcp/gke.tf | google_container_cluster.workload_cluster | Ensure use of Binary Authorization | https://docs.bridgecrew.io/docs/ensure-use-of-binary-authorization |
| 240 | CKV_GCP_61 | /gcp/gke.tf | google_container_cluster.workload_cluster | Enable VPC Flow Logs and Intranode Visibility | https://docs.bridgecrew.io/docs/enable-vpc-flow-logs-and-intranode-visibility |
| 241 | CKV_GCP_25 | /gcp/gke.tf | google_container_cluster.workload_cluster | Ensure Kubernetes Cluster is created with Private cluster enabled | https://docs.bridgecrew.io/docs/bc_gcp_kubernetes_6 |
| 242 | CKV_GCP_1 | /gcp/gke.tf | google_container_cluster.workload_cluster | Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters | https://docs.bridgecrew.io/docs/bc_gcp_kubernetes_1 |
| 243 | CKV_GCP_18 | /gcp/gke.tf | google_container_cluster.workload_cluster | Ensure GKE Control Plane is not public | https://docs.bridgecrew.io/docs/bc_gcp_kubernetes_10 |
| 244 | CKV_GCP_64 | /gcp/gke.tf | google_container_cluster.workload_cluster | Ensure clusters are created with Private Nodes | https://docs.bridgecrew.io/docs/ensure-clusters-are-created-with-private-nodes |
| 245 | CKV_GCP_13 | /gcp/gke.tf | google_container_cluster.workload_cluster | Ensure client certificate authentication to Kubernetes Engine Clusters is disabled | https://docs.bridgecrew.io/docs/bc_gcp_kubernetes_8 |
| 246 | CKV_GCP_12 | /gcp/gke.tf | google_container_cluster.workload_cluster | Ensure Network Policy is enabled on Kubernetes Engine Clusters | https://docs.bridgecrew.io/docs/bc_gcp_kubernetes_7 |
| 247 | CKV_GCP_65 | /gcp/gke.tf | google_container_cluster.workload_cluster | Manage Kubernetes RBAC users with Google Groups for GKE | https://docs.bridgecrew.io/docs/manage-kubernetes-rbac-users-with-google-groups-for-gke |
| 248 | CKV_GCP_24 | /gcp/gke.tf | google_container_cluster.workload_cluster | Ensure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters | https://docs.bridgecrew.io/docs/bc_gcp_kubernetes_9 |
| 249 | CKV_GCP_7 | /gcp/gke.tf | google_container_cluster.workload_cluster | Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters | https://docs.bridgecrew.io/docs/bc_gcp_kubernetes_2 |
| 250 | CKV_GCP_23 | /gcp/gke.tf | google_container_cluster.workload_cluster | Ensure Kubernetes Cluster is created with Alias IP ranges enabled | https://docs.bridgecrew.io/docs/bc_gcp_kubernetes_15 |
| 251 | CKV_GCP_8 | /gcp/gke.tf | google_container_cluster.workload_cluster | Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters | https://docs.bridgecrew.io/docs/bc_gcp_kubernetes_3 |
| 252 | CKV_GCP_68 | /gcp/gke.tf | google_container_node_pool.custom_node_pool | Ensure Secure Boot for Shielded GKE Nodes is Enabled | https://docs.bridgecrew.io/docs/ensure-secure-boot-for-shielded-gke-nodes-is-enabled |
| 253 | CKV_GCP_22 | /gcp/gke.tf | google_container_node_pool.custom_node_pool | Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image | https://docs.bridgecrew.io/docs/bc_gcp_kubernetes_14 |
| 254 | CKV_GCP_69 | /gcp/gke.tf | google_container_node_pool.custom_node_pool | Ensure the GKE Metadata Server is Enabled | https://docs.bridgecrew.io/docs/ensure-the-gke-metadata-server-is-enabled |
| 255 | CKV_GCP_9 | /gcp/gke.tf | google_container_node_pool.custom_node_pool | Ensure 'Automatic node repair' is enabled for Kubernetes Clusters | https://docs.bridgecrew.io/docs/bc_gcp_kubernetes_4 |
| 256 | CKV_GCP_10 | /gcp/gke.tf | google_container_node_pool.custom_node_pool | Ensure 'Automatic node upgrade' is enabled for Kubernetes Clusters | https://docs.bridgecrew.io/docs/bc_gcp_kubernetes_5 |
| 257 | CKV_GCP_38 | /gcp/instances.tf | google_compute_instance.server | Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK) | https://docs.bridgecrew.io/docs/encrypt-boot-disks-for-instances-with-cseks |
| 258 | CKV_GCP_35 | /gcp/instances.tf | google_compute_instance.server | Ensure 'Enable connecting to serial ports' is not enabled for VM Instance | https://docs.bridgecrew.io/docs/bc_gcp_networking_11 |
| 259 | CKV_GCP_40 | /gcp/instances.tf | google_compute_instance.server | Ensure that Compute instances do not have public IP addresses | https://docs.bridgecrew.io/docs/bc_gcp_public_2 |
| 260 | CKV_GCP_34 | /gcp/instances.tf | google_compute_instance.server | Ensure that no instance in the project overrides the project setting for enabling OSLogin(OSLogin needs to be enabled in project metadata for all instances) | https://docs.bridgecrew.io/docs/bc_gcp_networking_10 |
| 261 | CKV_GCP_30 | /gcp/instances.tf | google_compute_instance.server | Ensure that instances are not configured to use the default service account | https://docs.bridgecrew.io/docs/bc_gcp_iam_1 |
| 262 | CKV_GCP_36 | /gcp/instances.tf | google_compute_instance.server | Ensure that IP forwarding is not enabled on Instances | https://docs.bridgecrew.io/docs/bc_gcp_networking_12 |
| 263 | CKV_GCP_32 | /gcp/instances.tf | google_compute_instance.server | Ensure 'Block Project-wide SSH keys' is enabled for VM instances | https://docs.bridgecrew.io/docs/bc_gcp_networking_8 |
| 264 | CKV_GCP_39 | /gcp/instances.tf | google_compute_instance.server | Ensure Compute instances are launched with Shielded VM enabled | https://docs.bridgecrew.io/docs/bc_gcp_general_y |
| 265 | CKV_GCP_37 | /gcp/instances.tf | google_compute_disk.unencrypted_disk | Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK) | https://docs.bridgecrew.io/docs/bc_gcp_general_x |
| 266 | CKV_GCP_74 | /gcp/networks.tf | google_compute_subnetwork.public-subnetwork | Ensure that private_ip_google_access is enabled for Subnet | |
| 267 | CKV_GCP_26 | /gcp/networks.tf | google_compute_subnetwork.public-subnetwork | Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network | https://docs.bridgecrew.io/docs/bc_gcp_logging_1 |
| 268 | CKV_GCP_76 | /gcp/networks.tf | google_compute_subnetwork.public-subnetwork | Ensure that Private google access is enabled for IPV6 | |
| 269 | CKV_GCP_88 | /gcp/networks.tf | google_compute_firewall.allow_all | Ensure Google compute firewall ingress does not allow unrestricted mysql access | |
| 270 | CKV_GCP_106 | /gcp/networks.tf | google_compute_firewall.allow_all | Ensure Google compute firewall ingress does not allow unrestricted http port 80 access | |
| 271 | CKV_GCP_77 | /gcp/networks.tf | google_compute_firewall.allow_all | Ensure Google compute firewall ingress does not allow on ftp port | |
| 272 | CKV_GCP_3 | /gcp/networks.tf | google_compute_firewall.allow_all | Ensure Google compute firewall ingress does not allow unrestricted rdp access | https://docs.bridgecrew.io/docs/bc_gcp_networking_2 |
| 273 | CKV_GCP_75 | /gcp/networks.tf | google_compute_firewall.allow_all | Ensure Google compute firewall ingress does not allow unrestricted FTP access | |
| 274 | CKV_GCP_2 | /gcp/networks.tf | google_compute_firewall.allow_all | Ensure Google compute firewall ingress does not allow unrestricted ssh access | https://docs.bridgecrew.io/docs/bc_gcp_networking_1 |
| 275 | CKV_OCI_9 | /oracle/bucket.tf | oci_objectstorage_bucket.secretsquirrel | Ensure OCI Object Storage is encrypted with Customer Managed Key | https://docs.bridgecrew.io/docs/ensure-oci-object-storage-is-encrypted-with-customer-managed-key |
| 276 | CKV_OCI_8 | /oracle/bucket.tf | oci_objectstorage_bucket.secretsquirrel | Ensure OCI Object Storage has versioning enabled | https://docs.bridgecrew.io/docs/ensure-oci-object-storage-has-versioning-enabled |
| 277 | CKV_OCI_7 | /oracle/bucket.tf | oci_objectstorage_bucket.secretsquirrel | Ensure OCI Object Storage bucket can emit object events | https://docs.bridgecrew.io/docs/ensure-oci-object-storage-bucket-can-emit-object-events |
| 278 | CKV_OCI_10 | /oracle/bucket.tf | oci_objectstorage_bucket.secretsquirrel | Ensure OCI Object Storage is not Public | https://docs.bridgecrew.io/docs/ensure-oci-object-storage-is-not-public |
| 279 | CKV2_AWS_12 | /aws/eks.tf | aws_vpc.eks_vpc | Ensure the default security group of every VPC restricts all traffic | https://docs.bridgecrew.io/docs/networking_4 |
| 280 | CKV2_AWS_12 | /aws/ec2.tf | aws_vpc.web_vpc | Ensure the default security group of every VPC restricts all traffic | https://docs.bridgecrew.io/docs/networking_4 |
| 281 | CKV2_AWS_8 | /aws/rds.tf | aws_rds_cluster.app8-rds-cluster | Ensure that RDS clusters has backup plan of AWS Backup | https://docs.bridgecrew.io/docs/ensure-that-rds-clusters-has-backup-plan-of-aws-backup |
| 282 | CKV2_AWS_8 | /aws/rds.tf | aws_rds_cluster.app4-rds-cluster | Ensure that RDS clusters has backup plan of AWS Backup | https://docs.bridgecrew.io/docs/ensure-that-rds-clusters-has-backup-plan-of-aws-backup |
| 283 | CKV2_AWS_8 | /aws/rds.tf | aws_rds_cluster.app7-rds-cluster | Ensure that RDS clusters has backup plan of AWS Backup | https://docs.bridgecrew.io/docs/ensure-that-rds-clusters-has-backup-plan-of-aws-backup |
| 284 | CKV2_AWS_8 | /aws/rds.tf | aws_rds_cluster.app1-rds-cluster | Ensure that RDS clusters has backup plan of AWS Backup | https://docs.bridgecrew.io/docs/ensure-that-rds-clusters-has-backup-plan-of-aws-backup |
| 285 | CKV2_AWS_8 | /aws/rds.tf | aws_rds_cluster.app3-rds-cluster | Ensure that RDS clusters has backup plan of AWS Backup | https://docs.bridgecrew.io/docs/ensure-that-rds-clusters-has-backup-plan-of-aws-backup |
| 286 | CKV2_AWS_8 | /aws/rds.tf | aws_rds_cluster.app9-rds-cluster | Ensure that RDS clusters has backup plan of AWS Backup | https://docs.bridgecrew.io/docs/ensure-that-rds-clusters-has-backup-plan-of-aws-backup |
| 287 | CKV2_AWS_8 | /aws/rds.tf | aws_rds_cluster.app5-rds-cluster | Ensure that RDS clusters has backup plan of AWS Backup | https://docs.bridgecrew.io/docs/ensure-that-rds-clusters-has-backup-plan-of-aws-backup |
| 288 | CKV2_AWS_8 | /aws/rds.tf | aws_rds_cluster.app6-rds-cluster | Ensure that RDS clusters has backup plan of AWS Backup | https://docs.bridgecrew.io/docs/ensure-that-rds-clusters-has-backup-plan-of-aws-backup |
| 289 | CKV2_AWS_8 | /aws/rds.tf | aws_rds_cluster.app2-rds-cluster | Ensure that RDS clusters has backup plan of AWS Backup | https://docs.bridgecrew.io/docs/ensure-that-rds-clusters-has-backup-plan-of-aws-backup |
| 290 | CKV_AWS_145 | /aws/s3.tf | aws_s3_bucket.financials | Ensure that S3 buckets are encrypted with KMS by default | https://docs.bridgecrew.io/docs/ensure-that-s3-buckets-are-encrypted-with-kms-by-default |
| 291 | CKV_AWS_145 | /aws/s3.tf | aws_s3_bucket.data_science | Ensure that S3 buckets are encrypted with KMS by default | https://docs.bridgecrew.io/docs/ensure-that-s3-buckets-are-encrypted-with-kms-by-default |
| 292 | CKV_AWS_145 | /aws/s3.tf | aws_s3_bucket.data | Ensure that S3 buckets are encrypted with KMS by default | https://docs.bridgecrew.io/docs/ensure-that-s3-buckets-are-encrypted-with-kms-by-default |
| 293 | CKV_AWS_145 | /aws/ec2.tf | aws_s3_bucket.flowbucket | Ensure that S3 buckets are encrypted with KMS by default | https://docs.bridgecrew.io/docs/ensure-that-s3-buckets-are-encrypted-with-kms-by-default |
| 294 | CKV_AWS_145 | /aws/s3.tf | aws_s3_bucket.operations | Ensure that S3 buckets are encrypted with KMS by default | https://docs.bridgecrew.io/docs/ensure-that-s3-buckets-are-encrypted-with-kms-by-default |
| 295 | CKV_AWS_18 | /aws/s3.tf | aws_s3_bucket.financials | Ensure the S3 bucket has access logging enabled | https://docs.bridgecrew.io/docs/s3_13-enable-logging |
| 296 | CKV_AWS_18 | /aws/s3.tf | aws_s3_bucket.data | Ensure the S3 bucket has access logging enabled | https://docs.bridgecrew.io/docs/s3_13-enable-logging |
| 297 | CKV_AWS_18 | /aws/ec2.tf | aws_s3_bucket.flowbucket | Ensure the S3 bucket has access logging enabled | https://docs.bridgecrew.io/docs/s3_13-enable-logging |
| 298 | CKV_AWS_18 | /aws/s3.tf | aws_s3_bucket.operations | Ensure the S3 bucket has access logging enabled | https://docs.bridgecrew.io/docs/s3_13-enable-logging |
| 299 | CKV_AWS_18 | /aws/s3.tf | aws_s3_bucket.logs | Ensure the S3 bucket has access logging enabled | https://docs.bridgecrew.io/docs/s3_13-enable-logging |
| 300 | CKV2_AWS_11 | /aws/eks.tf | aws_vpc.eks_vpc | Ensure VPC flow logging is enabled in all VPCs | https://docs.bridgecrew.io/docs/logging_9-enable-vpc-flow-logging |
| 301 | CKV2_AWS_2 | /aws/ec2.tf | aws_ebs_volume.web_host_storage | Ensure that only encrypted EBS volumes are attached to EC2 instances | https://docs.bridgecrew.io/docs/ensure-that-only-encrypted-ebs-volumes-are-attached-to-ec2-instances |
| 302 | CKV2_AWS_6 | /aws/s3.tf | aws_s3_bucket.financials | Ensure that S3 bucket has a Public Access block | https://docs.bridgecrew.io/docs/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached |
| 303 | CKV2_AWS_6 | /aws/s3.tf | aws_s3_bucket.data_science | Ensure that S3 bucket has a Public Access block | https://docs.bridgecrew.io/docs/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached |
| 304 | CKV2_AWS_6 | /aws/s3.tf | aws_s3_bucket.data | Ensure that S3 bucket has a Public Access block | https://docs.bridgecrew.io/docs/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached |
| 305 | CKV2_AWS_6 | /aws/ec2.tf | aws_s3_bucket.flowbucket | Ensure that S3 bucket has a Public Access block | https://docs.bridgecrew.io/docs/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached |
| 306 | CKV2_AWS_6 | /aws/s3.tf | aws_s3_bucket.operations | Ensure that S3 bucket has a Public Access block | https://docs.bridgecrew.io/docs/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached |
| 307 | CKV2_AWS_6 | /aws/s3.tf | aws_s3_bucket.logs | Ensure that S3 bucket has a Public Access block | https://docs.bridgecrew.io/docs/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached |
| 308 | CKV_AWS_21 | /aws/s3.tf | aws_s3_bucket.financials | Ensure all data stored in the S3 bucket have versioning enabled | https://docs.bridgecrew.io/docs/s3_16-enable-versioning |
| 309 | CKV_AWS_21 | /aws/s3.tf | aws_s3_bucket.data | Ensure all data stored in the S3 bucket have versioning enabled | https://docs.bridgecrew.io/docs/s3_16-enable-versioning |
| 310 | CKV_AWS_21 | /aws/ec2.tf | aws_s3_bucket.flowbucket | Ensure all data stored in the S3 bucket have versioning enabled | https://docs.bridgecrew.io/docs/s3_16-enable-versioning |
| 311 | CKV2_AZURE_7 | /azure/sql.tf | azurerm_sql_server.example | Ensure that Azure Active Directory Admin is configured | https://docs.bridgecrew.io/docs/ensure-that-azure-active-directory-admin-is-configured |
| 312 | CKV2_AZURE_1 | /azure/storage.tf | azurerm_storage_account.example | Ensure storage for critical data are encrypted with Customer Managed Key | https://docs.bridgecrew.io/docs/ensure-storage-for-critical-data-are-encrypted-with-customer-managed-key |
| 313 | CKV2_AZURE_1 | /azure/mssql.tf | azurerm_storage_account.security_storage_account | Ensure storage for critical data are encrypted with Customer Managed Key | https://docs.bridgecrew.io/docs/ensure-storage-for-critical-data-are-encrypted-with-customer-managed-key |
| 314 | CKV2_AZURE_16 | /azure/sql.tf | azurerm_mysql_server.example | Ensure that MySQL server enables customer-managed key for encryption | https://docs.bridgecrew.io/docs/ensure-that-mysql-server-enables-customer-managed-key-for-encryption |
| 315 | CKV_AZURE_120 | /azure/application_gateway.tf | azurerm_application_gateway.network | Ensure that Application Gateway enables WAF | https://docs.bridgecrew.io/docs/ensure-that-application-gateway-enables-waf |
| 316 | CKV_AWS_144 | /aws/s3.tf | aws_s3_bucket.financials | Ensure that S3 bucket has cross-region replication enabled | https://docs.bridgecrew.io/docs/ensure-that-s3-bucket-has-cross-region-replication-enabled |
| 317 | CKV_AWS_144 | /aws/s3.tf | aws_s3_bucket.data_science | Ensure that S3 bucket has cross-region replication enabled | https://docs.bridgecrew.io/docs/ensure-that-s3-bucket-has-cross-region-replication-enabled |
| 318 | CKV_AWS_144 | /aws/s3.tf | aws_s3_bucket.data | Ensure that S3 bucket has cross-region replication enabled | https://docs.bridgecrew.io/docs/ensure-that-s3-bucket-has-cross-region-replication-enabled |
| 319 | CKV_AWS_144 | /aws/ec2.tf | aws_s3_bucket.flowbucket | Ensure that S3 bucket has cross-region replication enabled | https://docs.bridgecrew.io/docs/ensure-that-s3-bucket-has-cross-region-replication-enabled |
| 320 | CKV_AWS_144 | /aws/s3.tf | aws_s3_bucket.operations | Ensure that S3 bucket has cross-region replication enabled | https://docs.bridgecrew.io/docs/ensure-that-s3-bucket-has-cross-region-replication-enabled |
| 321 | CKV_AWS_144 | /aws/s3.tf | aws_s3_bucket.logs | Ensure that S3 bucket has cross-region replication enabled | https://docs.bridgecrew.io/docs/ensure-that-s3-bucket-has-cross-region-replication-enabled |
| 322 | CKV2_AZURE_18 | /azure/storage.tf | azurerm_storage_account.example | Ensure that Storage Accounts use customer-managed key for encryption | https://docs.bridgecrew.io/docs/ensure-that-storage-accounts-use-customer-managed-key-for-encryption |
| 323 | CKV2_AZURE_18 | /azure/mssql.tf | azurerm_storage_account.security_storage_account | Ensure that Storage Accounts use customer-managed key for encryption | https://docs.bridgecrew.io/docs/ensure-that-storage-accounts-use-customer-managed-key-for-encryption |
| 324 | CKV_AWS_19 | /aws/s3.tf | aws_s3_bucket.financials | Ensure all data stored in the S3 bucket is securely encrypted at rest | https://docs.bridgecrew.io/docs/s3_14-data-encrypted-at-rest |
| 325 | CKV_AWS_19 | /aws/s3.tf | aws_s3_bucket.data_science | Ensure all data stored in the S3 bucket is securely encrypted at rest | https://docs.bridgecrew.io/docs/s3_14-data-encrypted-at-rest |
| 326 | CKV_AWS_19 | /aws/s3.tf | aws_s3_bucket.data | Ensure all data stored in the S3 bucket is securely encrypted at rest | https://docs.bridgecrew.io/docs/s3_14-data-encrypted-at-rest |
| 327 | CKV_AWS_19 | /aws/ec2.tf | aws_s3_bucket.flowbucket | Ensure all data stored in the S3 bucket is securely encrypted at rest | https://docs.bridgecrew.io/docs/s3_14-data-encrypted-at-rest |
| 328 | CKV_AWS_19 | /aws/s3.tf | aws_s3_bucket.operations | Ensure all data stored in the S3 bucket is securely encrypted at rest | https://docs.bridgecrew.io/docs/s3_14-data-encrypted-at-rest |
| 329 | CKV_AZURE_24 | /azure/sql.tf | azurerm_sql_server.example | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | https://docs.bridgecrew.io/docs/bc_azr_logging_3 |
| 330 | CKV_AZURE_24 | /azure/mssql.tf | azurerm_mssql_server.mssql5 | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | https://docs.bridgecrew.io/docs/bc_azr_logging_3 |
| 331 | CKV_AZURE_24 | /azure/mssql.tf | azurerm_mssql_server.mssql1 | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | https://docs.bridgecrew.io/docs/bc_azr_logging_3 |
| 332 | CKV_AZURE_24 | /azure/mssql.tf | azurerm_mssql_server.mssql6 | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | https://docs.bridgecrew.io/docs/bc_azr_logging_3 |
| 333 | CKV_AZURE_24 | /azure/mssql.tf | azurerm_mssql_server.mssql2 | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | https://docs.bridgecrew.io/docs/bc_azr_logging_3 |
| 334 | CKV_AZURE_24 | /azure/mssql.tf | azurerm_mssql_server.mssql4 | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | https://docs.bridgecrew.io/docs/bc_azr_logging_3 |
| 335 | CKV_AZURE_24 | /azure/mssql.tf | azurerm_mssql_server.mssql7 | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | https://docs.bridgecrew.io/docs/bc_azr_logging_3 |
| 336 | CKV_AZURE_24 | /azure/mssql.tf | azurerm_mssql_server.mssql3 | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | https://docs.bridgecrew.io/docs/bc_azr_logging_3 |
| 337 | CKV_AZURE_23 | /azure/sql.tf | azurerm_sql_server.example | Ensure that 'Auditing' is set to 'On' for SQL servers | https://docs.bridgecrew.io/docs/bc_azr_logging_2 |
| 338 | CKV_AZURE_23 | /azure/mssql.tf | azurerm_mssql_server.mssql5 | Ensure that 'Auditing' is set to 'On' for SQL servers | https://docs.bridgecrew.io/docs/bc_azr_logging_2 |
| 339 | CKV_AZURE_23 | /azure/mssql.tf | azurerm_mssql_server.mssql1 | Ensure that 'Auditing' is set to 'On' for SQL servers | https://docs.bridgecrew.io/docs/bc_azr_logging_2 |
| 340 | CKV_AZURE_23 | /azure/mssql.tf | azurerm_mssql_server.mssql6 | Ensure that 'Auditing' is set to 'On' for SQL servers | https://docs.bridgecrew.io/docs/bc_azr_logging_2 |
| 341 | CKV_AZURE_23 | /azure/mssql.tf | azurerm_mssql_server.mssql2 | Ensure that 'Auditing' is set to 'On' for SQL servers | https://docs.bridgecrew.io/docs/bc_azr_logging_2 |
| 342 | CKV_AZURE_23 | /azure/mssql.tf | azurerm_mssql_server.mssql4 | Ensure that 'Auditing' is set to 'On' for SQL servers | https://docs.bridgecrew.io/docs/bc_azr_logging_2 |
| 343 | CKV_AZURE_23 | /azure/mssql.tf | azurerm_mssql_server.mssql7 | Ensure that 'Auditing' is set to 'On' for SQL servers | https://docs.bridgecrew.io/docs/bc_azr_logging_2 |
| 344 | CKV_AZURE_23 | /azure/mssql.tf | azurerm_mssql_server.mssql3 | Ensure that 'Auditing' is set to 'On' for SQL servers | https://docs.bridgecrew.io/docs/bc_azr_logging_2 |
dockerfile scan results:
| check_id | file | resource | check_name | guideline | |
|---|---|---|---|---|---|
| 0 | CKV_DOCKER_3 | /aws/resources/Dockerfile | /aws/resources/Dockerfile. | Ensure that a user for the container has been created | https://docs.bridgecrew.io/docs/ensure-that-a-user-for-the-container-has-been-created |
| 1 | CKV_DOCKER_2 | /aws/resources/Dockerfile | /aws/resources/Dockerfile. | Ensure that HEALTHCHECK instructions have been added to container images | https://docs.bridgecrew.io/docs/ensure-that-healthcheck-instructions-have-been-added-to-container-images |
secrets scan results:
| check_id | file | resource | check_name | guideline | |
|---|---|---|---|---|---|
| 0 | CKV_SECRET_2 | /aws/lambda.tf | 25910f981e85ca04baf359199dd0bd4a3ae738b6 | AWS Access Key | https://docs.bridgecrew.io/docs/git_secrets_2 |
| 1 | CKV_SECRET_6 | /aws/lambda.tf | d70eab08607a4d05faa2d0d6647206599e9abc65 | Base64 High Entropy String | https://docs.bridgecrew.io/docs/git_secrets_6 |
| 2 | CKV_SECRET_2 | /aws/providers.tf | 25910f981e85ca04baf359199dd0bd4a3ae738b6 | AWS Access Key | https://docs.bridgecrew.io/docs/git_secrets_2 |
| 3 | CKV_SECRET_6 | /aws/providers.tf | d70eab08607a4d05faa2d0d6647206599e9abc65 | Base64 High Entropy String | https://docs.bridgecrew.io/docs/git_secrets_6 |
| 4 | CKV_SECRET_6 | /azure/sql.tf | a57ae0fe47084bc8a05f69f3f8083896f8b437b0 | Base64 High Entropy String | https://docs.bridgecrew.io/docs/git_secrets_6 |