diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index dd706cd999..faf86d173d 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -41,7 +41,7 @@ jobs:
- name: Create checkov reports
run: |
sleep $((RANDOM % 11))
- sh integration_tests/prepare_data.sh
+ ./integration_tests/prepare_data.sh ${{ matrix.python }}
env:
BC_KEY: ${{ secrets.BC_API_KEY }}
- name: Run integration tests
@@ -52,6 +52,12 @@ jobs:
runs-on: [self-hosted, public, linux, x64]
steps:
- uses: actions/checkout@v2
+ - name: Import GPG key
+ id: import_gpg
+ uses: crazy-max/ghaction-import-gpg@v3
+ with:
+ gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }}
+ passphrase: ${{ secrets.PASSPHRASE }}
- name: Set up Python 3.7
uses: actions/setup-python@v2
with:
@@ -86,7 +92,7 @@ jobs:
export PYTHONPATH='.'
git pull
- for i in cloudformation terraform kubernetes serverless arm dockerfile all
+ for i in cloudformation terraform kubernetes serverless arm dockerfile secrets all
do
export scansdoc="docs/5.Policy Index/$i.md"
echo "---" > "$scansdoc"
@@ -137,6 +143,12 @@ jobs:
runs-on: [self-hosted, public, linux, x64]
steps:
- uses: actions/checkout@v2
+ - name: Import GPG key
+ id: import_gpg
+ uses: crazy-max/ghaction-import-gpg@v3
+ with:
+ gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }}
+ passphrase: ${{ secrets.PASSPHRASE }}
- name: Set up Python 3.7
uses: actions/setup-python@v2
with:
@@ -178,7 +190,7 @@ jobs:
env:
ACTIONS_ALLOW_UNSECURE_COMMANDS: 'true'
- name: Publish to Registry
- uses: elgohr/Publish-Docker-Github-Action@master
+ uses: elgohr/Publish-Docker-Github-Action@v5
with:
name: bridgecrew/checkov
username: ${{ secrets.DOCKER_USERNAME }}
@@ -200,7 +212,7 @@ jobs:
env:
ACTIONS_ALLOW_UNSECURE_COMMANDS: 'true'
- name: Publish to Registry
- uses: elgohr/Publish-Docker-Github-Action@master
+ uses: elgohr/Publish-Docker-Github-Action@v5
with:
name: bridgecrew/checkov-k8s
username: ${{ secrets.DOCKER_USERNAME }}
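Review bot: The "Import GPG key" step puts `GPG_PRIVATE_KEY` into the gpg keyring of a job that runs on `[self-hosted, public, linux, x64]`, and nothing in the hunk removes it afterwards, so the key outlives the job on that machine unless the action's post-step cleanup can be relied on — worth confirming, or adding an explicit `gpg --batch --delete-secret-keys` cleanup step with `if: always()`. The step is also import-only: no `git-user-signingkey: true` / `git-commit-gpgsign: true` inputs are visible, so unless they are set further down outside the hunk, any commits the job makes will not actually be signed, and the `id: import_gpg` outputs are unused here. The same applies to the identical step added in the second job.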
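Review bot: `elgohr/Publish-Docker-Github-Action@v5` replaces a mutable branch with a mutable tag, which still lets the action's code change under a step that receives `DOCKER_USERNAME` (and presumably the registry password below the hunk); pin third-party actions that handle secrets to a full commit SHA and keep the tag in a comment, e.g. `uses: elgohr/Publish-Docker-Github-Action@<full-commit-sha> # v5`, and do the same for `crazy-max/ghaction-import-gpg@v3`, which handles the signing key. The publish step also still runs under the pre-existing `ACTIONS_ALLOW_UNSECURE_COMMANDS: 'true'`, which re-enables the deprecated `set-env`/`add-path` commands for anything that writes to stdout in that job; if v5 no longer needs them, drop that env entry. This applies to both publish jobs in the last two hunks.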
diff --git a/.github/workflows/pipenv-update.yml b/.github/workflows/pipenv-update.yml
index 75556aae19..52146959d6 100644
--- a/.github/workflows/pipenv-update.yml
+++ b/.github/workflows/pipenv-update.yml
@@ -11,6 +11,12 @@ jobs:
- uses: actions/checkout@v2
with:
ref: ${{ github.head_ref }}
+ - name: Import GPG key
+ id: import_gpg
+ uses: crazy-max/ghaction-import-gpg@v3
+ with:
+ gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }}
+ passphrase: ${{ secrets.PASSPHRASE }}
- uses: actions/setup-python@v2
with:
python-version: 3.7
diff --git a/.github/workflows/pr-test.yml b/.github/workflows/pr-test.yml
index e338ac0d40..20e9969a14 100644
--- a/.github/workflows/pr-test.yml
+++ b/.github/workflows/pr-test.yml
@@ -75,7 +75,7 @@ jobs:
BC_KEY: ${{ secrets.BC_API_KEY }}
run: |
sleep $((RANDOM % 11))
- sh integration_tests/prepare_data.sh
+ ./integration_tests/prepare_data.sh 3.8 # Just making sure the API key tests don't run on PRs
- name: Run integration tests
run: |
- pipenv run pytest integration_tests
+ pipenv run pytest integration_tests -k 'not api_key'
diff --git a/INTHEWILD.md b/INTHEWILD.md
index 2d3eb957c9..c7c59dcef9 100644
--- a/INTHEWILD.md
+++ b/INTHEWILD.md
@@ -16,4 +16,5 @@ Please send a PR with your company name and @githubhandle.
1. [Square](https://squareup.com/) [[@ac-square](https://github.com/ac-square), [@santoshankr](https://github.com/santoshankr)]
1. [Madhu Akula](https://madhuakula.com/) [[@madhuakula](https://github.com/madhuakula)]
1. [Royal Vopak N.V.](https://vopak.com/) [[@xmariopereira](https://github.com/xmariopereira)]
+1. [Punk Security (UK)](https://punksecurity.co.uk/) [[@punksecurity](https://github.com/punk-security)]
diff --git a/Pipfile b/Pipfile
index ef3df7dbb1..438611179a 100644
--- a/Pipfile
+++ b/Pipfile
@@ -23,7 +23,7 @@ deep_merge = "*"
tabulate = "*"
colorama="*"
termcolor="*"
-junit-xml ="*"
+junit-xml = ">=1.9"
dpath = ">=1.5.0,<2"
pyyaml = ">=5.4.1"
boto3 = "==1.17.*"
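Review bot: The GPG private key and `PASSPHRASE` are imported right after a checkout of `ref: ${{ github.head_ref }}`, i.e. the pull request's head branch; the workflow trigger is outside the hunk, but if it is `pull_request_target` (the usual reason for checking out `head_ref` with secrets available) a PR author's code runs with the signing key in scope. Confirm the trigger is plain `pull_request` (fork PRs then get no secrets at all) or gate the step with `if: github.event.pull_request.head.repo.full_name == github.repository`. As in build.yml, the step only imports the key — if this job commits lockfile updates, add `git-user-signingkey: true` and `git-commit-gpgsign: true` or the commits stay unsigned.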
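Review bot: `-k 'not api_key'` excludes tests by name only, so a future API-key test that is not named `*api_key*` will run on PRs with an empty `BC_KEY` (fork PRs get no `secrets.BC_API_KEY`); a pytest marker such as `-m 'not api_key'` is harder to miss, and `prepare_data.sh` must tolerate an empty `BC_KEY` since it still receives it here. The `3.8` argument is hardcoded while build.yml passes `${{ matrix.python }}`; tie it to this job's `python-version` (outside the hunk) so the two cannot drift, e.g. `./integration_tests/prepare_data.sh ${{ env.PYTHON_VERSION }}` with one shared definition.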
@@ -43,6 +43,7 @@ detect_secrets = "*" policyuniverse = "*" typing-extensions = "*" importlib-metadata = ">=0.12" +cfn-lint = "==0.53.*" [requires] python_version = "3.7" diff --git a/Pipfile.lock b/Pipfile.lock index 20d74fb8fe..614344ddcc 100644 --- a/Pipfile.lock +++ b/Pipfile.lock @@ -1,7 +1,7 @@ { "_meta": { "hash": { - "sha256": "8dded0accadc2382e9bf421a3643aa1a4eb0a7ced54bffdbcb0a8e0e5502f2ac" + "sha256": "f2d62b9a4a56a6781ec34b7e7d2f8a77a0cbb42813f18b8889d8facf2b6dcb93" }, "pipfile-spec": 6, "requires": { @@ -16,6 +16,22 @@ ] }, "default": { + "attrs": { + "hashes": [ + "sha256:149e90d6d8ac20db7a955ad60cf0e6881a3f20d37096140088356da6c716b0b1", + "sha256:ef6aaac3ca6cd92904cdd0d83f629a15f18053ec84e6432106f7a4d04ae4f5fb" + ], + "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'", + "version": "==21.2.0" + }, + "aws-sam-translator": { + "hashes": [ + "sha256:0ecadda9cf5ab2318f57f1253181a2151e4c53cd35d21717a923c075a5a65cb6", + "sha256:dc6b816bb5cfd9709299f9b263fc0cf5ae60aca4166d1c90413ece651f1556bb", + "sha256:ee7c7c5e44ec67202622ca877140545496527ffcc45da3beeda966f007443a88" + ], + "version": "==1.38.0" + }, "bc-python-hcl2": { "hashes": [ "sha256:46f525676842d5c232752f9655f138665a1fa317b04e26efee3f82101dae204b", @@ -62,6 +78,14 @@ ], "version": "==2021.5.30" }, + "cfn-lint": { + "hashes": [ + "sha256:b7f5964842f7a44c5af9c61d64308dc4bcb718cf5de5428781d5564e9663463d", + "sha256:d17359e3ca9477eccaea700fac4bf028f5bc368a338c017adde5187f2691cab8" + ], + "index": "pypi", + "version": "==0.53.0" + }, "charset-normalizer": { "hashes": [ "sha256:0c8911edd15d19223366a194a513099a302055a962bca2cec0f54b8b63175d8b", 
@@ -104,11 +128,11 @@ }, "configargparse": { "hashes": [ - "sha256:371f46577e76ec71a183b88378f36dd09f4b946f60fe60712f411b020f26b812", - "sha256:ebef7b5379600fa34c276debf36e72ac8b37e7e42e6f0cfaed49c61e206eb604" + "sha256:c39540eb4843883d526beeed912dc80c92481b0c13c9787c91e614a624de3666", + "sha256:f75b235a13dba6692ee9e019470e7bce41861d09606c39c41facb347c24ca3cf" ], "index": "pypi", - "version": "==1.5.1" + "version": "==1.5.2" }, "contextlib2": { "hashes": [ @@ -205,6 +229,29 @@ "index": "pypi", "version": "==0.10.0" }, + "jsonpatch": { + "hashes": [ + "sha256:26ac385719ac9f54df8a2f0827bb8253aa3ea8ab7b3368457bcdb8c14595a397", + "sha256:b6ddfe6c3db30d81a96aaeceb6baf916094ffa23d7dd5fa2c13e13f8b6e600c2" + ], + "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'", + "version": "==1.32" + }, + "jsonpointer": { + "hashes": [ + "sha256:150f80c5badd02c757da6644852f612f88e8b4bc2f9852dcbf557c8738919686", + "sha256:5a34b698db1eb79ceac454159d3f7c12a451a91f6334a4f638454327b7a89962" + ], + "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", + "version": "==2.1" + }, + "jsonschema": { + "hashes": [ + "sha256:4e5b3cf8216f577bee9ce139cbe72eca3ea4f292ec60928ff24758ce626cd163", + "sha256:c8a85b28d377cc7737e46e2d9f2b4f44ee3c0e1deac6bf46ddefc7187d30797a" + ], + "version": "==3.2.0" + }, "junit-xml": { "hashes": [ "sha256:ec5ca1a55aefdd76d28fcc0b135251d156c7106fa979686a4b48d62b761b4732" 
@@ -306,6 +353,33 @@ "markers": "python_version >= '2.6' and python_version not in '3.0, 3.1, 3.2, 3.3'", "version": "==2.4.7" }, + "pyrsistent": { + "hashes": [ + "sha256:097b96f129dd36a8c9e33594e7ebb151b1515eb52cceb08474c10a5479e799f2", + "sha256:2aaf19dc8ce517a8653746d98e962ef480ff34b6bc563fc067be6401ffb457c7", + "sha256:404e1f1d254d314d55adb8d87f4f465c8693d6f902f67eb6ef5b4526dc58e6ea", + "sha256:48578680353f41dca1ca3dc48629fb77dfc745128b56fc01096b2530c13fd426", + "sha256:4916c10896721e472ee12c95cdc2891ce5890898d2f9907b1b4ae0f53588b710", + "sha256:527be2bfa8dc80f6f8ddd65242ba476a6c4fb4e3aedbf281dfbac1b1ed4165b1", + "sha256:58a70d93fb79dc585b21f9d72487b929a6fe58da0754fa4cb9f279bb92369396", + "sha256:5e4395bbf841693eaebaa5bb5c8f5cdbb1d139e07c975c682ec4e4f8126e03d2", + "sha256:6b5eed00e597b5b5773b4ca30bd48a5774ef1e96f2a45d105db5b4ebb4bca680", + "sha256:73ff61b1411e3fb0ba144b8f08d6749749775fe89688093e1efef9839d2dcc35", + "sha256:772e94c2c6864f2cd2ffbe58bb3bdefbe2a32afa0acb1a77e472aac831f83427", + "sha256:773c781216f8c2900b42a7b638d5b517bb134ae1acbebe4d1e8f1f41ea60eb4b", + "sha256:a0c772d791c38bbc77be659af29bb14c38ced151433592e326361610250c605b", + "sha256:b29b869cf58412ca5738d23691e96d8aff535e17390128a1a52717c9a109da4f", + "sha256:c1a9ff320fa699337e05edcaae79ef8c2880b52720bc031b219e5b5008ebbdef", + "sha256:cd3caef37a415fd0dae6148a1b6957a8c5f275a62cca02e18474608cb263640c", + "sha256:d5ec194c9c573aafaceebf05fc400656722793dac57f254cd4741f3c27ae57b4", + "sha256:da6e5e818d18459fa46fac0a4a4e543507fe1110e808101277c5a2b5bab0cd2d", + "sha256:e79d94ca58fcafef6395f6352383fa1a76922268fa02caa2272fff501c2fdc78", + "sha256:f3ef98d7b76da5eb19c37fda834d50262ff9167c65658d1d8f974d2e4d90676b", + "sha256:f4c8cabb46ff8e5d61f56a037974228e978f26bfefce4f61a4b1ac0ba7a2ab72" + ], + "markers": "python_version >= '3.6'", + "version": "==0.18.0" + }, "python-dateutil": { "hashes": [ "sha256:0123cacc1627ae19ddf3c27a5de5bd67ee4586fbdd6440d9748f8abb483d3e86", 
@@ -453,11 +527,11 @@ }, "websocket-client": { "hashes": [ - "sha256:b68e4959d704768fa20e35c9d508c8dc2bbc041fd8d267c0d7345cffe2824568", - "sha256:e5c333bfa9fa739538b652b6f8c8fc2559f1d364243c8a689d7c0e1d41c2e611" + "sha256:4cf754af7e3b3ba76589d49f9e09fd9a6c0aae9b799a89124d656009c01a261d", + "sha256:8d07f155f8ed14ae3ced97bd7582b08f280bb1bfd27945f023ba2aceff05ab52" ], "markers": "python_version >= '3.6'", - "version": "==1.1.0" + "version": "==1.1.1" }, "zipp": { "hashes": [ @@ -567,14 +641,6 @@ "index": "pypi", "version": "==3.1.18" }, - "importlib-metadata": { - "hashes": [ - "sha256:0645585859e9a6689c523927a5032f2ba5919f1f7d0e84bd4533312320de1ff9", - "sha256:51c6635429c77cf1ae634c997ff9e53ca3438b495f10a55ba28594dd69764a8b" - ], - "index": "pypi", - "version": "==4.6.3" - }, "iniconfig": { "hashes": [ "sha256:011e24c64b7f47f6ebd835bb12a743f2fbe9a26d4cecaa7f53bc4f35ee9da8b3", @@ -587,7 +653,6 @@ "sha256:4e5b3cf8216f577bee9ce139cbe72eca3ea4f292ec60928ff24758ce626cd163", "sha256:c8a85b28d377cc7737e46e2d9f2b4f44ee3c0e1deac6bf46ddefc7187d30797a" ], - "index": "pypi", "version": "==3.2.0" }, "packaging": { @@ -732,15 +797,6 @@ "markers": "python_version >= '2.6' and python_version not in '3.0, 3.1, 3.2, 3.3'", "version": "==0.10.2" }, - "typing-extensions": { - "hashes": [ - "sha256:0ac0f89795dd19de6b97debb0c6af1c70987fd80a2d62d1958f7e56fcc31b497", - "sha256:50b6f157849174217d0656f99dc82fe932884fb250826c18350e159ec6cdf342", - "sha256:779383f6086d90c99ae41cf0ff39aac8a7937a9283ce0a414e5dd782f4c94a84" - ], - "index": "pypi", - "version": "==3.10.0.0" - }, "urllib3-mock": { "hashes": [ "sha256:702c90042920d771c9902b7b5b542551cc57f259078f4eada47ab4e8cdd11f1a", @@ -748,14 +804,6 @@ ], "index": "pypi", "version": "==0.3.3" - }, - "zipp": { - "hashes": [ - "sha256:957cfda87797e389580cb8b9e3870841ca991e2125350677b2ca83a0e99390a3", - "sha256:f5812b1e007e48cff63449a5e9f4e7ebea716b4111f9c4f9a645f91d579bf0c4" - ], - "markers": "python_version >= '3.6'", - "version": "==3.5.0" } } } 
diff --git a/checkov/arm/checks/resource/NSGRulePortAccessRestricted.py b/checkov/arm/checks/resource/NSGRulePortAccessRestricted.py
index 785de178d0..335228b302 100644
--- a/checkov/arm/checks/resource/NSGRulePortAccessRestricted.py
+++ b/checkov/arm/checks/resource/NSGRulePortAccessRestricted.py
@@ -25,7 +25,7 @@ def __init__(self, name, check_id, port):
self.port = port
def is_port_in_range(self, portRange):
- if re.match(PORT_RANGE, portRange):
+ if re.match(PORT_RANGE, str(portRange)):
start, end = int(portRange.split('-')[0]), int(portRange.split('-')[1])
if start <= self.port <= end:
return True
diff --git a/checkov/arm/runner.py b/checkov/arm/runner.py
index 05b1de9004..9634aed481 100644
--- a/checkov/arm/runner.py
+++ b/checkov/arm/runner.py
@@ -69,7 +69,7 @@ def run(self, root_folder, external_checks_dir=None, files=None, runner_filter=R
# Split out nested resources from base resource
for resource in definitions[arm_file]['resources']:
- if "parent_name" in resource.keys():
+ if isinstance(resource, dict) and "parent_name" in resource.keys():
continue
nested_resources = []
nested_resources = arm_context_parser.search_deep_keys("resources", resource, [])
diff --git a/checkov/cloudformation/cfn_utils.py b/checkov/cloudformation/cfn_utils.py
index c020e9641c..0461dcb5dc 100644
--- a/checkov/cloudformation/cfn_utils.py
+++ b/checkov/cloudformation/cfn_utils.py
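Review bot: `str(portRange)` is applied only to the `re.match` argument; the very next line still calls `portRange.split('-')` on the original value, so any non-str that satisfies `PORT_RANGE` (an int, if the pattern admits a bare port, or a str subclass node with an odd `split`) raises `AttributeError` instead of being handled. Convert once and use the converted value throughout: `port_range = str(portRange)` / `if re.match(PORT_RANGE, port_range):` / `start, end = map(int, port_range.split('-'))`. `is_port_in_range` continues past the end of the hunk.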
@@ -8,8 +8,7 @@ from checkov.cloudformation.checks.resource.base_registry import Registry from checkov.cloudformation.checks.resource.registry import cfn_registry from checkov.cloudformation.context_parser import ContextParser, ENDLINE, STARTLINE -from checkov.cloudformation.graph_builder.graph_components.block_types import CloudformationTemplateSections -from checkov.cloudformation.parser import parse +from checkov.cloudformation.parser import parse, TemplateSections from checkov.cloudformation.parser.node import dict_node, list_node, str_node from checkov.common.runners.base_runner import filter_ignored_paths from checkov.runner_filter import RunnerFilter @@ -114,8 +113,9 @@ def get_folder_definitions( definitions_raw[relative_file_path] = template_lines else: logging.debug(f"Parsed file {file} incorrectly {template}") - except TypeError: - logging.info(f"CloudFormation skipping {file} as it is not a valid CF template") + except (TypeError, ValueError) as e: + logging.warning(f"CloudFormation skipping {file} as it is not a valid CF template\n{e}") + continue definitions = {create_file_abs_path(root_folder, file_path): v for (file_path, v) in definitions.items()} definitions_raw = {create_file_abs_path(root_folder, file_path): v for (file_path, v) in definitions_raw.items()} @@ -133,7 +133,7 @@ def build_definitions_context( for file_path_definition, definition in file_path_definitions.items(): if ( isinstance(file_path_definition, str_node) - and file_path_definition.upper() in CloudformationTemplateSections.__members__ + and file_path_definition.upper() in TemplateSections.__members__ and isinstance(definition, dict_node) ): # iterate on the actual objects of each definition 
@@ -165,7 +165,7 @@ def build_definitions_context( [file_path, str(file_path_definition), str(attribute)], {"start_line": start_line, "end_line": end_line, "code_lines": code_lines}, ) - if file_path_definition.upper() == CloudformationTemplateSections.RESOURCES.value.upper(): + if file_path_definition.upper() == TemplateSections.RESOURCES.value.upper(): skipped_checks = ContextParser.collect_skip_comments(code_lines) dpath.new( definitions_context, @@ -207,11 +207,4 @@ def create_definitions( if v and isinstance(v, dict_node) and v.__contains__("Resources") and isinstance(v["Resources"], dict_node) } definitions_raw = {k: v for k, v in definitions_raw.items() if k in definitions.keys()} - - for cf_file in definitions.keys(): - cf_context_parser = ContextParser(cf_file, definitions[cf_file], definitions_raw[cf_file]) - logging.debug( - "Template Dump for {}: {}".format(cf_file, json.dumps(definitions[cf_file], indent=2, default=str)) - ) - cf_context_parser.evaluate_default_refs() return definitions, definitions_raw diff --git a/checkov/cloudformation/checks/resource/aws/IAMRoleAllowAssumeFromAccount.py b/checkov/cloudformation/checks/resource/aws/IAMRoleAllowAssumeFromAccount.py index cc5cb2e176..ac83bff526 100644 --- a/checkov/cloudformation/checks/resource/aws/IAMRoleAllowAssumeFromAccount.py +++ b/checkov/cloudformation/checks/resource/aws/IAMRoleAllowAssumeFromAccount.py @@ -4,6 +4,7 @@ from checkov.cloudformation.checks.resource.base_resource_check import BaseResourceCheck from checkov.common.models.enums import CheckResult, CheckCategories +ACCOUNT_ACCESS = re.compile(r'\d{12}|arn:aws:iam::\d{12}:root') class IAMRoleAllowAssumeFromAccount(BaseResourceCheck): def __init__(self): 
@@ -15,37 +16,24 @@ def __init__(self): def scan_resource_conf(self, conf): if 'AssumeRolePolicyDocument' in conf['Properties']: - if isinstance(conf['Properties']['AssumeRolePolicyDocument'], dict) and 'Fn::Sub' in conf['Properties']['AssumeRolePolicyDocument'].keys(): - assume_role_block = json.loads(conf['Properties']['AssumeRolePolicyDocument']['Fn::Sub']) - if 'Statement' in assume_role_block.keys(): - if isinstance(assume_role_block['Statement'], list) and 'Principal' in \ - assume_role_block['Statement'][0]: - if 'AWS' in assume_role_block['Statement'][0]['Principal']: - account_access = re.compile(r'\d{12}|arn:aws:iam::\d{12}:root') - if 'AWS' in assume_role_block['Statement'][0]['Principal']: - if isinstance(assume_role_block['Statement'][0]['Principal']['AWS'], - list) and isinstance( - assume_role_block['Statement'][0]['Principal']['AWS'][0], str): - if re.match(account_access, - assume_role_block['Statement'][0]['Principal']['AWS'][0]): - return CheckResult.FAILED + assume_role_policy_doc = conf['Properties']['AssumeRolePolicyDocument'] + if isinstance(assume_role_policy_doc, dict) and 'Fn::Sub' in assume_role_policy_doc.keys(): + assume_role_block = json.loads(assume_role_policy_doc['Fn::Sub']) + elif isinstance(assume_role_policy_doc, str): + assume_role_block = json.loads(assume_role_policy_doc) else: - if isinstance(conf['Properties']['AssumeRolePolicyDocument'], str): - assume_role_block = json.loads(conf['Properties']['AssumeRolePolicyDocument']) - else: - assume_role_block = conf['Properties']['AssumeRolePolicyDocument'] - if 'Statement' in assume_role_block.keys(): - if isinstance(assume_role_block['Statement'], list) and 'Principal' in \ - assume_role_block['Statement'][0]: - if 'AWS' in assume_role_block['Statement'][0]['Principal']: - account_access = re.compile(r'\d{12}|arn:aws:iam::\d{12}:root') - if 'AWS' in assume_role_block['Statement'][0]['Principal']: - if isinstance(assume_role_block['Statement'][0]['Principal']['AWS'], - list) and 
isinstance( - assume_role_block['Statement'][0]['Principal']['AWS'][0], str): - if re.match(account_access, - assume_role_block['Statement'][0]['Principal']['AWS'][0]): - return CheckResult.FAILED + assume_role_block = assume_role_policy_doc + else: + return CheckResult.UNKNOWN + + if 'Statement' in assume_role_block.keys(): + if isinstance(assume_role_block['Statement'], list) and 'Principal' in \ + assume_role_block['Statement'][0]: + if 'AWS' in assume_role_block['Statement'][0]['Principal']: + if isinstance(assume_role_block['Statement'][0]['Principal']['AWS'],list) \ + and isinstance(assume_role_block['Statement'][0]['Principal']['AWS'][0], str): + if re.match(ACCOUNT_ACCESS, assume_role_block['Statement'][0]['Principal']['AWS'][0]): + return CheckResult.FAILED return CheckResult.PASSED diff --git a/checkov/cloudformation/checks/resource/aws/QLDBLedgerDeletionProtection.py b/checkov/cloudformation/checks/resource/aws/QLDBLedgerDeletionProtection.py new file mode 100644 index 0000000000..ae2ff148d8 --- /dev/null +++ b/checkov/cloudformation/checks/resource/aws/QLDBLedgerDeletionProtection.py 
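Review bot: The rewritten `scan_resource_conf` still examines only `Statement[0]` and `Principal.AWS[0]`, and only when `AWS` is a list, so a trust policy that grants a whole account in a later statement, a later list entry, or as a plain string (`"AWS": "123456789012"`) passes; `re.match` is also prefix-only, so `\d{12}` accepts any longer digit run, and `ACCOUNT_ACCESS` matches only the `aws` partition (not `aws-cn`/`aws-us-gov`). `json.loads(assume_role_policy_doc['Fn::Sub'])` raises `TypeError` when `Fn::Sub` uses its list form `[template, {vars}]`. The rewrite below iterates every statement and principal, normalises string-or-list, anchors with `fullmatch`, and takes element 0 of a list-form `Fn::Sub`; pair it with `ACCOUNT_ACCESS = re.compile(r'\d{12}|arn:aws(?:-[a-z]+)?:iam::\d{12}:root')` at module level.
```python
        if isinstance(assume_role_policy_doc, dict) and 'Fn::Sub' in assume_role_policy_doc.keys():
            # Fn::Sub may be the list form [template, {vars}]; the policy text is element 0
            sub = assume_role_policy_doc['Fn::Sub']
            assume_role_block = json.loads(sub[0] if isinstance(sub, list) else sub)
        # … unchanged: str / dict / UNKNOWN branches …

        statements = assume_role_block.get('Statement', [])
        if isinstance(statements, dict):
            statements = [statements]
        for statement in statements:
            if not isinstance(statement, dict) or not isinstance(statement.get('Principal'), dict):
                continue
            principals = statement['Principal'].get('AWS')
            # 'AWS' may be a single principal string or a list of them
            if isinstance(principals, str):
                principals = [principals]
            if isinstance(principals, list) and any(
                isinstance(p, str) and ACCOUNT_ACCESS.fullmatch(p) for p in principals
            ):
                return CheckResult.FAILED
        return CheckResult.PASSED
```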
@@ -0,0 +1,26 @@
+from typing import Dict
+
+from checkov.cloudformation.parser.node import str_node, dict_node
+from checkov.common.models.enums import CheckCategories, CheckResult
+from checkov.cloudformation.checks.resource.base_resource_value_check import BaseResourceValueCheck
+
+
+class QLDBLedgerDeletionProtection(BaseResourceValueCheck):
+ def __init__(self) -> None:
+ name = "Ensure QLDB ledger has deletion protection enabled"
+ id = "CKV_AWS_172"
+ supported_resources = ["AWS::QLDB::Ledger"]
+ categories = [CheckCategories.GENERAL_SECURITY]
+ super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
+
+ def scan_resource_conf(self, conf: Dict[str_node, dict_node]) -> CheckResult:
+ # deletion protection is enabled on default
+ if "DeletionProtection" not in conf.get("Properties", {}):
+ return CheckResult.PASSED
+ return super().scan_resource_conf(conf)
+
+ def get_inspected_key(self) -> str:
+ return "Properties/DeletionProtection"
+
+
+check = QLDBLedgerDeletionProtection()
diff --git a/checkov/cloudformation/checks/resource/base_resource_value_check.py b/checkov/cloudformation/checks/resource/base_resource_value_check.py
index 97ebec5228..d1b41166f7 100644
--- a/checkov/cloudformation/checks/resource/base_resource_value_check.py
+++ b/checkov/cloudformation/checks/resource/base_resource_value_check.py
@@ -8,6 +8,7 @@
from checkov.cloudformation.parser.node import str_node
from checkov.common.models.consts import ANY_VALUE
from checkov.common.models.enums import CheckResult, CheckCategories
+from checkov.common.util.type_forcers import force_list
VARIABLE_DEPENDANT_REGEX = r"(?:Ref)\.[^\s]+"
@@ -100,3 +101,6 @@ def get_expected_value(self) -> Any:
Returns the default expected value, governed by provider best practices
"""
return True
+
+ def get_evaluated_keys(self) -> List[str]:
+ return force_list(self.get_inspected_key())
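Review bot: `scan_resource_conf` passes a ledger that omits `DeletionProtection` on the strength of the comment "enabled on default"; that is a claim about the AWS resource default rather than anything in this file, so state its basis in the comment, e.g. `# AWS::QLDB::Ledger defaults DeletionProtection to true, so an omitted key is compliant; only an explicit false fails`. `conf.get("Properties", {})` also raises `TypeError` on the `in` test when a template sets `Properties:` to null; `conf.get("Properties") or {}` covers that. The class is complete within the hunk.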
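Review bot: The new `get_evaluated_keys` annotation uses `List[str]`, but the only `typing` name visible in this file's hunks is `Any`; the import block is outside the hunk, so confirm `List` is imported there — otherwise the annotation raises `NameError` when the class body is executed (unless the module has `from __future__ import annotations`). A one-line docstring would also help, e.g. `"""Keys reported as evaluated for this check: the inspected key wrapped in a list."""`.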
diff --git a/checkov/cloudformation/context_parser.py b/checkov/cloudformation/context_parser.py
index 1b2e9fa7e0..9b871f7dd0 100644
--- a/checkov/cloudformation/context_parser.py
+++ b/checkov/cloudformation/context_parser.py
@@ -32,7 +32,7 @@ def evaluate_default_refs(self) -> None:
ref.pop() # Get rid of the 'Ref' dict key # TODO refactor into evaluations
- default_value = self.cf_template.get("Parameters", {}).get(refname, {}).get("Default")
+ default_value = self.cf_template.get("Parameters", {}).get(refname, {}).get("Properties", {}).get("Default")
if default_value is not None:
logging.debug(
"Replacing Ref {} in file {} with default parameter value: {}".format(
diff --git a/checkov/cloudformation/graph_builder/graph_components/block_types.py b/checkov/cloudformation/graph_builder/graph_components/block_types.py
index 1242fa6c56..9333c810eb 100644
--- a/checkov/cloudformation/graph_builder/graph_components/block_types.py
+++ b/checkov/cloudformation/graph_builder/graph_components/block_types.py
@@ -13,14 +13,3 @@ class BlockType(CommonBlockType):
CONDITION = "conditions"
TRANSFORM = "transform"
OUTPUT = "outputs"
-
-
-class CloudformationTemplateSections(str, Enum):
- RESOURCES = "Resources"
- METADATA = "Metadata"
- PARAMETERS = "Parameters"
- RULES = "Rules"
- MAPPINGS = "Mappings"
- CONDITIONS = "Conditions"
- TRANSFORM = "Transform"
- OUTPUTS = "Outputs"
diff --git a/checkov/cloudformation/graph_builder/graph_to_definitions.py b/checkov/cloudformation/graph_builder/graph_to_definitions.py
index 3f967ff6f1..a8ced5d5ca 100644
--- a/checkov/cloudformation/graph_builder/graph_to_definitions.py
+++ b/checkov/cloudformation/graph_builder/graph_to_definitions.py
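Review bot: `evaluate_default_refs` now reads parameter defaults from `Parameters.<name>.Properties.Default`, which is not where a raw CloudFormation template keeps them (`Parameters.<name>.Default`); it only matches the shape that `convert_graph_vertices_to_definitions` produces by wrapping a parameter vertex's config in `Properties`. Any caller that still builds a `ContextParser` from a parsed template (the call removed from `cfn_utils.create_definitions` in this same commit did exactly that) will silently stop resolving `Ref` defaults. A fallback keeps both shapes working: `param = self.cf_template.get("Parameters", {}).get(refname, {})` / `default_value = param.get("Properties", {}).get("Default", param.get("Default"))`. The method continues outside the hunk.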
@@ -1,9 +1,9 @@ import os from typing import List, Dict, Any, Tuple -from checkov.cloudformation.graph_builder.graph_components.block_types import CloudformationTemplateSections, BlockType +from checkov.cloudformation.graph_builder.graph_components.block_types import BlockType +from checkov.cloudformation.parser import TemplateSections from checkov.cloudformation.graph_builder.graph_components.blocks import CloudformationBlock -from checkov.cloudformation.parser.node import dict_node def convert_graph_vertices_to_definitions( @@ -12,14 +12,14 @@ def convert_graph_vertices_to_definitions( definitions: Dict[str, Dict[str, Any]] = {} breadcrumbs: Dict[str, Dict[str, Any]] = {} for vertex in vertices: - if vertex.block_type != BlockType.RESOURCE: + if vertex.block_type != BlockType.RESOURCE and vertex.block_type != BlockType.PARAMETER: continue block_path = vertex.path - block_type = CloudformationTemplateSections.RESOURCES.value if vertex.block_type == 'resource' else vertex.block_type + block_type = TemplateSections.RESOURCES.value if vertex.block_type == 'resource' else TemplateSections.PARAMETERS.value block_name = vertex.name.split('.')[-1] # vertex.name is "type.name" so type.name -> [type, name] definition = { - 'Type': vertex.attributes['resource_type'], + 'Type': vertex.attributes['resource_type'] if vertex.block_type == BlockType.RESOURCE else vertex.block_type, 'Properties': vertex.config } definitions.setdefault(block_path, {}).setdefault(block_type, {}).setdefault(block_name, definition) diff --git a/checkov/cloudformation/graph_builder/local_graph.py b/checkov/cloudformation/graph_builder/local_graph.py index 52e1e7020c..d2f43edbd3 100644 --- a/checkov/cloudformation/graph_builder/local_graph.py +++ b/checkov/cloudformation/graph_builder/local_graph.py 
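Review bot: `block_type = TemplateSections.RESOURCES.value if vertex.block_type == 'resource' else TemplateSections.PARAMETERS.value` compares against the string literal `'resource'` while the guard one line above uses `BlockType.RESOURCE`; if `BlockType` values are plain strings, write `vertex.block_type == BlockType.RESOURCE` on both lines so the two cannot diverge when the enum value changes. For parameter vertices the emitted `'Type'` is the block type itself (`vertex.block_type`), not the parameter's CloudFormation `Type`, which now lives under `'Properties'`; a comment on that line, e.g. `# parameters: the CFN Type (String, Number, …) is inside Properties; Type here is the block kind`, would stop the next reader from "fixing" it. The chained `setdefault` silently keeps the first definition if two vertices share path, section and name.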
@@ -1,21 +1,44 @@ import logging -from typing import Dict, Any +import re +from inspect import ismethod +from typing import Dict, Any, Optional -from checkov.cloudformation.graph_builder.graph_components.block_types import CloudformationTemplateSections, BlockType +from checkov.cloudformation.graph_builder.graph_components.block_types import BlockType from checkov.cloudformation.graph_builder.graph_components.blocks import CloudformationBlock +from checkov.cloudformation.parser.cfn_keywords import IntrinsicFunctions, ConditionFunctions, ResourceAttributes, \ + TemplateSections from checkov.cloudformation.parser.node import dict_node +from checkov.common.graph.graph_builder import Edge from checkov.common.graph.graph_builder.local_graph import LocalGraph +from cfnlint.template import Template class CloudformationLocalGraph(LocalGraph): + SUPPORTED_RESOURCE_ATTR_CONNECTION_KEYS = (ResourceAttributes.DEPENDS_ON, IntrinsicFunctions.CONDITION) + SUPPORTED_FN_CONNECTION_KEYS = (IntrinsicFunctions.GET_ATT, ConditionFunctions.IF, + IntrinsicFunctions.REF, IntrinsicFunctions.FIND_IN_MAP) + def __init__(self, cfn_definitions: Dict[str, dict_node], source: str = "CloudFormation") -> None: super().__init__() self.definitions = cfn_definitions self.source = source + self._vertices_indexes = {} + self._templates = {} + self._edges_set = set() + self._templates = {file_path: Template(file_path, definition) + for file_path, definition in self.definitions.items()} + self._connection_key_func = { + IntrinsicFunctions.GET_ATT: self._fetch_getatt_target_id, + ConditionFunctions.IF: self._fetch_if_target_id, + IntrinsicFunctions.REF: self._fetch_ref_target_id, + IntrinsicFunctions.FIND_IN_MAP: self._fetch_findinmap_target_id + } def build_graph(self, render_variables: bool) -> None: self._create_vertices() logging.info(f"[CloudformationLocalGraph] created {len(self.vertices)} vertices") + self._create_edges() + logging.info(f"[CloudformationLocalGraph] created {len(self.edges)} edges") 
def _create_vertices(self) -> None: 
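Review bot: `self._templates = {}` in `__init__` is assigned and then immediately overwritten by the dict comprehension two lines later; drop the first assignment. That comprehension constructs a `cfnlint.template.Template` for every file eagerly, so `from cfnlint.template import Template` becomes a hard import-time dependency of the CloudFormation graph path (consistent with the new `cfn-lint` pin in the Pipfile), and if the constructor raises for one definition no graph is built for any file — consider building per file in a try/except that logs and skips the offending template. `build_graph` still accepts `render_variables` and ignores it; a short docstring noting that would help, e.g. `"""Create vertices for every template section, then the edges between them; render_variables is currently unused."""`. `_create_vertices` continues outside the hunk.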
@@ -30,24 +53,23 @@ def extract_resource_attributes(resource: dict_node) -> dict_node: return attributes for file_path, file_conf in self.definitions.items(): - self._create_section_vertices(file_path, file_conf, CloudformationTemplateSections.RESOURCES, + self._create_section_vertices(file_path, file_conf, TemplateSections.RESOURCES, BlockType.RESOURCE, extract_resource_attributes) - self._create_section_vertices(file_path, file_conf, CloudformationTemplateSections.OUTPUTS, BlockType.OUTPUT) - self._create_section_vertices(file_path, file_conf, CloudformationTemplateSections.MAPPINGS, BlockType.MAPPING) - self._create_section_vertices(file_path, file_conf, CloudformationTemplateSections.CONDITIONS, + self._create_section_vertices(file_path, file_conf, TemplateSections.OUTPUTS, BlockType.OUTPUT) + self._create_section_vertices(file_path, file_conf, TemplateSections.MAPPINGS, BlockType.MAPPING) + self._create_section_vertices(file_path, file_conf, TemplateSections.CONDITIONS, BlockType.CONDITION) - self._create_section_vertices(file_path, file_conf, CloudformationTemplateSections.PARAMETERS, + self._create_section_vertices(file_path, file_conf, TemplateSections.PARAMETERS, BlockType.PARAMETER) for i, vertex in enumerate(self.vertices): self.vertices_by_block_type[vertex.block_type].append(i) self.vertices_block_name_map[vertex.block_type][vertex.name].append(i) - - def _create_section_vertices(self, file_path: str, file_conf: dict, section: CloudformationTemplateSections, + def _create_section_vertices(self, file_path: str, file_conf: dict, section: TemplateSections, block_type: str, attributes_operator: callable = lambda a: a) -> None: for name, obj in get_only_dict_items(file_conf.get(section.value, {})).items(): - is_resources_section = section == CloudformationTemplateSections.RESOURCES + is_resources_section = section == TemplateSections.RESOURCES attributes = attributes_operator(obj) block_name = name if not is_resources_section else f"{obj.get('Type', 
'UnTyped')}.{name}" config = obj if not is_resources_section else obj.get("Properties") 
@@ -62,5 +84,188 @@ def _create_section_vertices(self, file_path: str, file_conf: dict, section: Clo source=self.source )) + if not self._vertices_indexes.get(file_path): + self._vertices_indexes[file_path] = {} + self._vertices_indexes[file_path][name] = len(self.vertices) - 1 + + def _add_resource_attr_connections(self, attribute): + if attribute not in self.SUPPORTED_RESOURCE_ATTR_CONNECTION_KEYS: + return + for origin_node_index, vertex in enumerate(self.vertices): + if vertex.block_type == BlockType.RESOURCE: + vertex_path = vertex.path + vertex_name = vertex.name.split('.')[-1] + target_ids = self.definitions.get(vertex_path, {})\ + .get(TemplateSections.RESOURCES.value, {}).get(vertex_name, {}).get(attribute, None) + target_ids = [target_ids] if isinstance(target_ids, str) else target_ids + if isinstance(target_ids, list): + for target_id in target_ids: + if isinstance(target_id, str): + dest_vertex_index = self._vertices_indexes.get(vertex_path, {}).get(target_id, None) + if dest_vertex_index is not None: + self._create_edge(origin_node_index, dest_vertex_index, label=attribute) + else: + logging.info(f"[CloudformationLocalGraph] didnt create edge for target_id {target_id}" + f"and vertex_path {vertex_path} as target_id is not a string") + else: + logging.info(f"[CloudformationLocalGraph] didnt create edge for target_ids {target_ids}" + f"and vertex_path {vertex_path} as target_ids is not a list") + + def _extract_source_value_attrs(self, matching_path): + """ matching_path for Resource = [template_section, source_id, 'Properties', ... , key, value] + matching_path otherwise = # matching_path for Resource = [template_section, source_id, ... 
, key, value] + key = a member of SUPPORTED_FN_CONNECTION_KEYS """ + template_section = matching_path[0] + source_id = matching_path[1] + value = matching_path[-1] + attrs_starting_index = 3 if template_section == TemplateSections.RESOURCES else 2 + attributes = matching_path[attrs_starting_index:-2] + return source_id, value, attributes + + def _add_fn_connections(self, key) -> None: + if key not in self.SUPPORTED_FN_CONNECTION_KEYS: + return + extract_target_id_func = self._connection_key_func.get(key, None) + if not ismethod(extract_target_id_func): + return + + for file_path, template in self._templates.items(): + matching_paths = template.search_deep_keys(key) + for matching_path in matching_paths: + source_id, value, attributes = self._extract_source_value_attrs(matching_path) + target_id = extract_target_id_func(template, value) + if target_id: + origin_vertex_index, dest_vertex_index, label = self._extract_origin_dest_label( + file_path, source_id, target_id, attributes) + if origin_vertex_index is not None and dest_vertex_index is not None: + self._create_edge(origin_vertex_index, dest_vertex_index, label) + + def _fetch_if_target_id(self, template, value) -> Optional[int]: + target_id = None + # value = [condition_name, value_if_true, value_if_false] + if isinstance(value, list) and len(value) == 3 and (self._is_condition(template, value[0])): + target_id = value[0] + return target_id + + def _fetch_getatt_target_id(self, template, value) -> Optional[int]: + """ might be one of the 2 following notations: + 1st: { "Fn::GetAtt" : [ "logicalNameOfResource", "attributeName" ] } + 2nd: { "!GetAtt" : "logicalNameOfResource.attributeName" } """ + target_id = None + + # Fn::GetAtt notation + if isinstance(value, list) and len(value) == 2 and (self._is_resource(template, value[0])): + target_id = value[0] + + # !GetAtt notation + if isinstance(value, str) and '.' 
in value: + resource_id = value.split('.')[0] + if self._is_resource(template, resource_id): + target_id = resource_id + + return target_id + + def _fetch_ref_target_id(self, template, value) -> Optional[int]: + target_id = None + # value might be a string or a list of strings + if isinstance(value, (str, int)) \ + and ((self._is_resource(template, value)) or (self._is_parameter(template, value))): + target_id = value + return target_id + + def _fetch_findinmap_target_id(self, template, value) -> Optional[int]: + target_id = None + # value = [ MapName, TopLevelKey, SecondLevelKey ] + if isinstance(value, list) and len(value) == 3 and (self._is_mapping(template, value[0])): + target_id = value[0] + return target_id + + def _add_fn_sub_connections(self): + for file_path, template in self._templates.items(): + # add edges for "Fn::Sub" tags. E.g. { "Fn::Sub": "arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:vpc/${vpc}" } + sub_objs = template.search_deep_keys(IntrinsicFunctions.SUB) + for sub_obj in sub_objs: + sub_parameters = [] + sub_parameter_values = {} + source_id, value, attributes = self._extract_source_value_attrs(sub_obj) + + if isinstance(value, list): + if not value: + continue + if len(value) == 2: + sub_parameter_values = value[1] + sub_parameters = self._find_fn_sub_parameter(value[0]) + elif isinstance(value, str): + sub_parameters = self._find_fn_sub_parameter(value) + + for sub_parameter in sub_parameters: + if sub_parameter not in sub_parameter_values: + if '.' 
in sub_parameter: + sub_parameter = sub_parameter.split('.')[0] + origin_vertex_index, dest_vertex_index, label = self._extract_origin_dest_label( + file_path, source_id, sub_parameter, attributes) + if origin_vertex_index is not None and dest_vertex_index is not None: + self._create_edge(origin_vertex_index, dest_vertex_index, label) + + def _extract_origin_dest_label(self, file_path, source_id, target_id, attributes): + origin_vertex_index = self._vertices_indexes.get(file_path, {}).get(source_id, None) + dest_vertex_index = self._vertices_indexes.get(file_path, {}).get(target_id, None) + attributes_joined = '.'.join(map(str, attributes)) # mapping all attributes to str because one of the attrs might be an int + return origin_vertex_index, dest_vertex_index, attributes_joined + + @staticmethod + def _find_fn_sub_parameter(string): + """Search string for tokenized fields""" + regex = re.compile(r'\${([a-zA-Z0-9.]*)}') + return regex.findall(string) + + def _create_edges(self) -> None: + self._add_resource_attr_connections(ResourceAttributes.DEPENDS_ON) + self._add_resource_attr_connections(IntrinsicFunctions.CONDITION) + self._add_fn_connections(IntrinsicFunctions.GET_ATT) + self._add_fn_connections(ConditionFunctions.IF) + self._add_fn_connections(IntrinsicFunctions.REF) + self._add_fn_connections(IntrinsicFunctions.FIND_IN_MAP) + self._add_fn_sub_connections() + + def _create_edge(self, origin_vertex_index: int, dest_vertex_index: int, label: str) -> None: + if origin_vertex_index == dest_vertex_index: + return + edge = Edge(origin_vertex_index, dest_vertex_index, label) + if edge not in self._edges_set: + self._edges_set.add(edge) + self.edges.append(edge) + self.out_edges[origin_vertex_index].append(edge) + self.in_edges[dest_vertex_index].append(edge) + + @staticmethod + def _is_parameter(template, identifier): + """Check if the identifier is that of a Parameter""" + if isinstance(identifier, str): + return template.template.get(TemplateSections.PARAMETERS, 
{}).get(identifier, {}) + return False + + @staticmethod + def _is_mapping(template, identifier): + """Check if the identifier is that of a Mapping""" + if isinstance(identifier, str): + return template.template.get(TemplateSections.MAPPINGS, {}).get(identifier, {}) + return False + + @staticmethod + def _is_condition(template, identifier): + """Check if the identifier is that of a Condition""" + if isinstance(identifier, str): + return template.template.get(TemplateSections.CONDITIONS, {}).get(identifier, {}) + return False + + @staticmethod + def _is_resource(template, identifier): + """Check if the identifier is that of a Resource""" + if isinstance(identifier, str): + return template.template.get(TemplateSections.RESOURCES, {}).get(identifier, {}) + return False + + def get_only_dict_items(origin_dict: Dict[str, Any]) -> Dict[str, Dict[str, Any]]: return {key: value for key, value in origin_dict.items() if isinstance(value, dict)} diff --git a/checkov/cloudformation/graph_manager.py b/checkov/cloudformation/graph_manager.py index 84d072e29f..4561f0a77c 100644 --- a/checkov/cloudformation/graph_manager.py +++ b/checkov/cloudformation/graph_manager.py @@ -4,6 +4,7 @@ from checkov.cloudformation.cfn_utils import get_folder_definitions from checkov.cloudformation.context_parser import ContextParser +from checkov.cloudformation.graph_builder.graph_to_definitions import convert_graph_vertices_to_definitions from checkov.cloudformation.graph_builder.local_graph import CloudformationLocalGraph from checkov.cloudformation.parser.node import dict_node from checkov.common.graph.db_connectors.db_connector import DBConnector 
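Review bot: `_add_fn_sub_connections` assigns `sub_parameter_values = value[1]` without checking its type, so a scanned template whose `Fn::Sub` second element is not a mapping (a string, number or null) makes `sub_parameter not in sub_parameter_values` either match the wrong thing or raise TypeError and abort the scan; guard it with `if len(value) == 2 and isinstance(value[1], dict):`. The return annotations on `_fetch_if_target_id`, `_fetch_getatt_target_id`, `_fetch_ref_target_id` and `_fetch_findinmap_target_id` say `Optional[int]`, but every branch returns the identifier string taken from the template, so `Optional[str]` is the accurate type. The two `logging.info` messages in `_add_resource_attr_connections` concatenate f-string fragments without a separating space, producing `...{target_id}and vertex_path...`. The `_extract_source_value_attrs` docstring repeats its first sentence behind a stray `#`; a single line such as `matching_path = [template_section, source_id, ('Properties' for Resources), ..., key, value]` would read better.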
@@ -25,19 +26,20 @@ def build_graph_from_source_directory( ) -> Tuple[CloudformationLocalGraph, Dict[str, dict_node]]: logging.info("[CloudformationGraphManager] Parsing files in source dir {source_dir}") definitions, definitions_raw = get_folder_definitions(source_dir, excluded_paths) - if render_variables: - for cf_file in definitions: - cf_context_parser = ContextParser(cf_file, definitions[cf_file], definitions_raw[cf_file]) + local_graph = self.build_graph_from_definitions(definitions, render_variables) + rendered_definitions, _ = convert_graph_vertices_to_definitions(local_graph.vertices, source_dir) + + # TODO: replace with real graph rendering + for cf_file in rendered_definitions.keys(): + file_definition = rendered_definitions.get(cf_file, None) + file_definition_raw = definitions_raw.get(cf_file, None) + if file_definition is not None and file_definition_raw is not None: + cf_context_parser = ContextParser(cf_file, file_definition, file_definition_raw) logging.debug( - "Template Dump for {}: {}".format(cf_file, json.dumps(definitions[cf_file], indent=2, default=str)) + "Template Dump for {}: {}".format(cf_file, json.dumps(file_definition, indent=2, default=str)) ) cf_context_parser.evaluate_default_refs() - logging.info("[CloudformationGraphManager] Building graph from parsed definitions") - - local_graph = local_graph_class(definitions, source=self.source) - local_graph.build_graph(render_variables=render_variables) - - return local_graph, definitions + return local_graph, rendered_definitions def build_graph_from_definitions( self, definitions: Dict[str, dict_node], render_variables: bool = False diff --git a/checkov/cloudformation/parser/__init__.py b/checkov/cloudformation/parser/__init__.py index 7b9d3af592..9417c3e18a 100644 --- a/checkov/cloudformation/parser/__init__.py +++ b/checkov/cloudformation/parser/__init__.py 
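Review bot: The ContextParser loop added here is duplicated verbatim, TODO included, in runner.py's `run` (the `@@ -64,6 +65,17 @@` hunk below); extracting it into one helper on CloudformationGraphManager, e.g. `evaluate_default_refs(definitions, definitions_raw)`, keeps the two call sites from drifting. Inside it, `json.dumps(file_definition, indent=2, default=str)` is evaluated for every file even when debug logging is disabled, which is measurable on large templates; wrap the dump in `if logging.getLogger().isEnabledFor(logging.DEBUG):`. Before this change the default-ref evaluation ran only under `if render_variables:`, whereas it now runs unconditionally — worth confirming that is intended. The `local_graph_class` used by the removed lines is not referenced by the new body; if it is still a parameter of `build_graph_from_source_directory` (the signature is above the hunk) it is now dead.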
@@ -4,6 +4,7 @@ from checkov.cloudformation.parser import cfn_yaml, cfn_json from checkov.cloudformation.parser.node import dict_node +from checkov.cloudformation.parser.cfn_keywords import TemplateSections from yaml.parser import ScannerError from yaml import YAMLError @@ -43,4 +44,11 @@ def parse(filename: str) -> Union[Tuple[dict_node, List[Tuple[int, str]]], Tuple except YAMLError as err: pass + if isinstance(template, dict): + resources = template.get(TemplateSections.RESOURCES.value, None) + if resources: + if '__startline__' in resources: + del resources['__startline__'] + if '__endline__' in resources: + del resources['__endline__'] return template, template_lines diff --git a/checkov/cloudformation/parser/cfn_keywords.py b/checkov/cloudformation/parser/cfn_keywords.py new file mode 100644 index 0000000000..b891162901 --- /dev/null +++ b/checkov/cloudformation/parser/cfn_keywords.py @@ -0,0 +1,49 @@ +from dataclasses import dataclass +from enum import Enum + + +@dataclass +class IntrinsicFunctions: + BASE64 = "Fn::Base64" + CIDR = "Fn::Cidr" + FIND_IN_MAP = "Fn::FindInMap" + GET_ATT = "Fn::GetAtt" + GET_AZS = "Fn::GetAZs" + IMPORT_VALUE = "Fn::ImportValue" + JOIN = "Fn::Join" + SELECT = "Fn::Select" + SPLIT = "Fn::Split" + SUB = "Fn::Sub" + TRANSFORM = "Fn::Transform" + REF = "Ref" + CONDITION = "Condition" + + +@dataclass +class ConditionFunctions: + AND = "Fn::And" + EQUALS = "Fn::Equals" + IF = "Fn::If" + NOT = "Fn::Not" + OR = "Fn::Or" + + +@dataclass +class ResourceAttributes: + CREATION_POLICY = "CreationPolicy" + DELETION_POLICY = "DeletionPolicy" + DEPENDS_ON = "DependsOn" + METADATA = "Metadata" + UPDATE_POLICY = "UpdatePolicy" + UPDATE_REPLACE_POLICY = "UpdateReplacePolicy" + + +class TemplateSections(str, Enum): + RESOURCES = "Resources" + METADATA = "Metadata" + PARAMETERS = "Parameters" + RULES = "Rules" + MAPPINGS = "Mappings" + CONDITIONS = "Conditions" + TRANSFORM = "Transform" + OUTPUTS = "Outputs" 
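Review bot: The `__startline__`/`__endline__` cleanup in `parse` assumes the `Resources` section is a mapping, but `if resources:` also admits a list or scalar from a malformed template, where `'__startline__' in resources` can be true for a string and `del resources['__startline__']` then raises TypeError. Use `if isinstance(resources, dict):` as the guard. `resources.pop('__startline__', None)` and `resources.pop('__endline__', None)` replace the two membership-test-plus-del pairs.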
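Review bot: `@dataclass` on `IntrinsicFunctions`, `ConditionFunctions` and `ResourceAttributes` has no effect, because none of the attributes is annotated, so the decorator declares zero fields and the classes behave as plain constant namespaces. Either drop the decorator and the `dataclass` import, or define them as `class IntrinsicFunctions(str, Enum):` like `TemplateSections` in the same file so all four keyword groups share one idiom. A short module docstring stating that the values are the literal CloudFormation keywords the parser matches on would help readers.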
diff --git a/checkov/cloudformation/runner.py b/checkov/cloudformation/runner.py index bf7bd510f0..9d7440e060 100644 --- a/checkov/cloudformation/runner.py +++ b/checkov/cloudformation/runner.py @@ -1,3 +1,4 @@ +import json import logging import os from typing import Optional, List @@ -6,7 +7,7 @@ from checkov.cloudformation.cfn_utils import create_definitions, build_definitions_context from checkov.cloudformation.checks.resource.registry import cfn_registry from checkov.cloudformation.context_parser import ContextParser -from checkov.cloudformation.graph_builder.graph_components.block_types import CloudformationTemplateSections +from checkov.cloudformation.parser.cfn_keywords import TemplateSections from checkov.cloudformation.graph_builder.graph_to_definitions import convert_graph_vertices_to_definitions from checkov.cloudformation.graph_builder.local_graph import CloudformationLocalGraph from checkov.cloudformation.graph_manager import CloudformationGraphManager @@ -64,6 +65,17 @@ def run( self.graph_manager.save_graph(local_graph) self.definitions, self.breadcrumbs = convert_graph_vertices_to_definitions(local_graph.vertices, root_folder) + # TODO: replace with real graph rendering + for cf_file in self.definitions.keys(): + file_definition = self.definitions.get(cf_file, None) + file_definition_raw = self.definitions_raw.get(cf_file, None) + if file_definition is not None and file_definition_raw is not None: + cf_context_parser = ContextParser(cf_file, file_definition, file_definition_raw) + logging.debug( + "Template Dump for {}: {}".format(cf_file, json.dumps(file_definition, indent=2, default=str)) + ) + cf_context_parser.evaluate_default_refs() + # run checks self.check_definitions(root_folder, runner_filter, report) 
@@ -78,13 +90,13 @@ def check_definitions(self, root_folder, runner_filter, report): cf_file = f"/{os.path.relpath(file_abs_path, root_folder)}" - if isinstance(definition, dict) and CloudformationTemplateSections.RESOURCES in definition.keys(): - for resource_name, resource in definition[CloudformationTemplateSections.RESOURCES].items(): + if isinstance(definition, dict) and TemplateSections.RESOURCES in definition.keys(): + for resource_name, resource in definition[TemplateSections.RESOURCES].items(): resource_id = ContextParser.extract_cf_resource_id(resource, resource_name) # check that the resource can be parsed as a CF resource if resource_id: resource_context = self.context[file_abs_path][ - CloudformationTemplateSections.RESOURCES][resource_name] + TemplateSections.RESOURCES][resource_name] entity_lines_range = [resource_context['start_line'], resource_context['end_line']] entity_code_lines = resource_context['code_lines'] if entity_lines_range and entity_code_lines: @@ -121,7 +133,7 @@ def get_graph_checks_report(self, root_folder: str, runner_filter: RunnerFilter) entity_file_abs_path = entity.get(CustomAttributes.FILE_PATH) entity_file_path = scanned_file = f"/{os.path.relpath(entity_file_abs_path, root_folder)}" entity_name = entity.get(CustomAttributes.BLOCK_NAME).split(".")[1] - entity_context = self.context[entity_file_abs_path][CloudformationTemplateSections.RESOURCES][ + entity_context = self.context[entity_file_abs_path][TemplateSections.RESOURCES][ entity_name ] diff --git a/checkov/common/bridgecrew/bc_source.py b/checkov/common/bridgecrew/bc_source.py index 0bc64c6d55..2193aae90e 100644 --- a/checkov/common/bridgecrew/bc_source.py +++ b/checkov/common/bridgecrew/bc_source.py 
@@ -11,12 +11,14 @@ def __init__(self, name: str, upload_results: bool): class BCSourceType: VSCODE = 'vscode' CLI = 'cli' + KUBERNETES_WORKLOADS = 'kubernetesWorkloads' DISABLED = 'disabled' # use this as a placeholder for generic no-upload logic SourceTypes = { BCSourceType.VSCODE: SourceType(BCSourceType.VSCODE, False), BCSourceType.CLI: SourceType(BCSourceType.CLI, True), + BCSourceType.KUBERNETES_WORKLOADS: SourceType(BCSourceType.KUBERNETES_WORKLOADS, True), BCSourceType.DISABLED: SourceType(BCSourceType.VSCODE, False) } diff --git a/checkov/common/bridgecrew/integration_features/features/suppressions_integration.py b/checkov/common/bridgecrew/integration_features/features/suppressions_integration.py index 10e6958609..62d6f337a2 100644 --- a/checkov/common/bridgecrew/integration_features/features/suppressions_integration.py +++ b/checkov/common/bridgecrew/integration_features/features/suppressions_integration.py @@ -85,10 +85,10 @@ def _check_suppression(self, record, suppression): elif type == 'Accounts': # This should be true, because we validated when we downloaded the policies. # But checking here adds some resiliency against bugs if that changes. - return self.bc_integration.repo_id in suppression['accountIds'] + return any(self._repo_matches(account) for account in suppression['accountIds']) elif type == 'Resources': for resource in suppression['resources']: - if resource['accountId'] == self.bc_integration.repo_id and resource['resourceId'] == f'{record.repo_file_path}:{record.resource}': + if self._repo_matches(resource['accountId']) and resource['resourceId'] == f'{record.repo_file_path}:{record.resource}': return True return False elif type == 'Tags': 
@@ -138,10 +138,14 @@ def _suppression_valid_for_run(self, suppression): return False if suppression['suppressionType'] == 'Accounts': - if self.bc_integration.repo_id not in suppression['accountIds']: + if not any(self._repo_matches(account) for account in suppression['accountIds']): return False return True + def _repo_matches(self, repo_name): + # matches xyz_org/repo or org/repo (where xyz is the BC org name and the CLI repo prefix from the platform) + return re.match(f'^(\\w+_)?{self.bc_integration.repo_id}$', repo_name) is not None + integration = SuppressionsIntegration(bc_integration) diff --git a/checkov/common/bridgecrew/platform_integration.py b/checkov/common/bridgecrew/platform_integration.py index c29e7ecc20..f52a53e612 100644 --- a/checkov/common/bridgecrew/platform_integration.py +++ b/checkov/common/bridgecrew/platform_integration.py @@ -1,20 +1,21 @@ +import json +import logging import os.path +import re +import time +import webbrowser from concurrent import futures +from json import JSONDecodeError +from os import path from time import sleep +from typing import Optional import boto3 import dpath.util -import json -import logging -import re import requests import urllib3 -import webbrowser from botocore.exceptions import ClientError from colorama import Style -# from git import Repo -from json import JSONDecodeError -from os import path from termcolor import colored from tqdm import trange from urllib3.exceptions import HTTPError @@ -35,7 +36,7 @@ UNAUTHORIZED_MESSAGE = 'User is not authorized to access this resource with an explicit deny' DEFAULT_REGION = "us-west-2" - +MAX_RETRIES = 10 ONBOARDING_SOURCE = "checkov" SIGNUP_HEADER = { @@ -44,6 +45,7 @@ 'Content-Type': 'application/json;charset=UTF-8' } + class BcPlatformIntegration(object): def __init__(self): self.bc_api_key = read_key() 
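Review bot: `_repo_matches` interpolates `self.bc_integration.repo_id` into the regex unescaped, so a repo id containing metacharacters — a `.` in the repository name is the common case — matches more account ids than intended, and a suppression recorded for a differently named repository can then silence findings in this run. Build the pattern with `re.escape` and use `re.fullmatch` so a trailing newline in `repo_name` is not accepted by `$`: `return re.fullmatch(rf'(\w+_)?{re.escape(self.bc_integration.repo_id)}', repo_name) is not None`. The same helper is called from the `@@ -85,10 +85,10 @@` hunk above, which inherits the fix.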
@@ -144,7 +146,7 @@ def setup_bridgecrew_credentials(self, bc_api_key, repo_id, skip_fixes=False, sk def get_s3_role(self, bc_api_key, repo_id): request = self.http.request("POST", self.integrations_api_url, body=json.dumps({"repoId": repo_id}), - headers={"Authorization": bc_api_key, "Content-Type": "application/json"}) + headers={"Authorization": bc_api_key, "Content-Type": "application/json"}) response = json.loads(request.data.decode("utf8")) while ('Message' in response or 'message' in response): if 'Message' in response and response['Message'] == UNAUTHORIZED_MESSAGE: @@ -152,7 +154,7 @@ def get_s3_role(self, bc_api_key, repo_id): if 'message' in response and "cannot be found" in response['message']: self.loading_output("creating role") request = self.http.request("POST", self.integrations_api_url, body=json.dumps({"repoId": repo_id}), - headers={"Authorization": bc_api_key, "Content-Type": "application/json"}) + headers={"Authorization": bc_api_key, "Content-Type": "application/json"}) response = json.loads(request.data.decode("utf8")) repo_full_path = response["path"] @@ -165,13 +167,15 @@ def is_integration_configured(self): """ return self.platform_integration_configured - def persist_repository(self, root_dir, files=None, excluded_paths=[]): + def persist_repository(self, root_dir, files=None, excluded_paths=None): """ Persist the repository found on root_dir path to Bridgecrew's platform. If --file flag is used, only files that are specified will be persisted. :param files: Absolute path of the files passed in the --file flag. :param root_dir: Absolute path of the directory containing the repository root level. + :param excluded_paths: Paths to exclude from persist process """ + excluded_paths = excluded_paths if excluded_paths is not None else [] if not self.use_s3_integration: return 
@@ -222,36 +226,48 @@ def commit_repository(self, branch): :param branch: branch to be persisted Finalize the repository's scanning in bridgecrew's platform. """ - if not self.use_s3_integration: - return + try_num = 0 + while try_num < MAX_RETRIES: + if not self.use_s3_integration: + return - request = None - try: + request = None + response = None + try: - request = self.http.request("PUT", f"{self.integrations_api_url}?source={self.bc_source.name}", - body=json.dumps({"path": self.repo_path, "branch": branch, "to_branch": BC_TO_BRANCH, - "pr_id": BC_PR_ID, "pr_url": BC_PR_URL, - "commit_hash": BC_COMMIT_HASH, "commit_url": BC_COMMIT_URL, - "author": BC_AUTHOR_NAME, "author_url": BC_AUTHOR_URL, - "run_id": BC_RUN_ID, "run_url": BC_RUN_URL, - "repository_url": BC_REPOSITORY_URL}), - headers={"Authorization": self.bc_api_key, "Content-Type": "application/json", - 'x-api-client': self.bc_source.name, 'x-api-checkov-version': checkov_version - }) - response = json.loads(request.data.decode("utf8")) - url = response.get("url", None) - return url - except HTTPError as e: - logging.error(f"Failed to commit repository {self.repo_path}\n{e}") - raise e - except JSONDecodeError as e: - logging.error(f"Response of {self.integrations_api_url} is not a valid JSON\n{e}") - raise e - finally: - if request.status == 201 and response["result"] == "Success": - logging.info(f"Finalize repository {self.repo_id} in bridgecrew's platform") - else: - raise Exception(f"Failed to finalize repository {self.repo_id} in bridgecrew's platform\n{response}") + request = self.http.request("PUT", f"{self.integrations_api_url}?source={self.bc_source.name}", + body=json.dumps( + {"path": self.repo_path, "branch": branch, "to_branch": BC_TO_BRANCH, + "pr_id": BC_PR_ID, "pr_url": BC_PR_URL, + "commit_hash": BC_COMMIT_HASH, "commit_url": BC_COMMIT_URL, + "author": BC_AUTHOR_NAME, "author_url": BC_AUTHOR_URL, + "run_id": BC_RUN_ID, "run_url": BC_RUN_URL, + "repository_url": BC_REPOSITORY_URL}), + 
headers={"Authorization": self.bc_api_key, + "Content-Type": "application/json", + 'x-api-client': self.bc_source.name, + 'x-api-checkov-version': checkov_version + }) + response = json.loads(request.data.decode("utf8")) + url = response.get("url", None) + return url + except HTTPError as e: + logging.error(f"Failed to commit repository {self.repo_path}\n{e}") + raise e + except JSONDecodeError as e: + logging.error(f"Response of {self.integrations_api_url} is not a valid JSON\n{e}") + raise e + finally: + if request.status == 201 and response and response.get("result") == "Success": + logging.info(f"Finalize repository {self.repo_id} in bridgecrew's platform") + elif try_num < MAX_RETRIES and re.match('The integration ID .* in progress', + response.get('message', '')): + logging.info(f"Failed to persist for repo {self.repo_id}, sleeping for 2 seconds before retrying") + try_num += 1 + sleep(3) + else: + raise Exception( + f"Failed to finalize repository {self.repo_id} in bridgecrew's platform\n{response}") def _persist_file(self, full_file_path, relative_file_path): tries = 4 @@ -290,8 +306,8 @@ def get_ckv_to_bc_id_mapping(self) -> dict: self.get_checkov_mapping_metadata() return self.ckv_to_bc_id_mapping - def get_checkov_mapping_metadata(self) -> dict: - BC_SKIP_MAPPING = os.getenv("BC_SKIP_MAPPING","FALSE") + def get_checkov_mapping_metadata(self) -> Optional[dict]: + BC_SKIP_MAPPING = os.getenv("BC_SKIP_MAPPING", "FALSE") if BC_SKIP_MAPPING.upper() == "TRUE": logging.debug(f"Skipped mapping API call") self.ckv_to_bc_id_mapping = {} @@ -324,7 +340,7 @@ def onboarding(self): "\t" + u"\u25E6 " + "\tAutomated cloud resource checks\n" "\t" + u"\u25E6 " + "\tResource drift detection\n" "\n" - "\n" + "and much more...",'yellow') + + "\n" + "and much more...",'yellow') + colored("\n\nIt's easy and only takes 2 minutes. We can do it right now!\n\n" "To Level-up, press 'y'... \n", 'cyan') + Style.RESET_ALL) 
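Review bot: The retry added to `commit_repository` never retries: the `return url` inside `try` is still pending when `finally` runs, and because the in-progress branch neither raises nor returns, the function returns `url` (None at that point) after the first `sleep(3)` instead of looping. The `finally` block also dereferences `request.status` and `response.get(...)` when `HTTPError` or `JSONDecodeError` was raised, where `request` or `response` is still None, so an AttributeError replaces the exception that was just logged. The `try_num < MAX_RETRIES` test inside the loop is always true, so exhausting the retries falls out of the `while` and silently returns None rather than raising, and the log message says 2 seconds while the call sleeps 3. Moving the status handling out of `finally` into the loop body, as below, addresses all four.
```python
        if not self.use_s3_integration:
            return

        for try_num in range(MAX_RETRIES):
            try:
                request = self.http.request("PUT", f"{self.integrations_api_url}?source={self.bc_source.name}",
                                            # … unchanged: body= and headers= arguments …
                                            )
                response = json.loads(request.data.decode("utf8"))
            except HTTPError as e:
                logging.error(f"Failed to commit repository {self.repo_path}\n{e}")
                raise e
            except JSONDecodeError as e:
                logging.error(f"Response of {self.integrations_api_url} is not a valid JSON\n{e}")
                raise e

            if request.status == 201 and response.get("result") == "Success":
                logging.info(f"Finalize repository {self.repo_id} in bridgecrew's platform")
                return response.get("url", None)
            if re.match('The integration ID .* in progress', response.get('message', '')):
                logging.info(f"Failed to persist for repo {self.repo_id}, attempt {try_num + 1}/{MAX_RETRIES}, "
                             "sleeping for 3 seconds before retrying")
                sleep(3)
                continue
            raise Exception(f"Failed to finalize repository {self.repo_id} in bridgecrew's platform\n{response}")

        raise Exception(f"Failed to finalize repository {self.repo_id} in bridgecrew's platform: "
                        f"still in progress after {MAX_RETRIES} attempts")
```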
@@ -339,7 +355,7 @@ def onboarding(self): org = self._input_orgname() print(Style.BRIGHT + colored("\nAmazing!" "\nWe are now generating a personal API key to immediately enable some new features… ",'green', attrs=['bold'])) - + bc_api_token, response = self.get_api_token(email, org) self.bc_api_key = bc_api_token if response.status_code == 200: 
@@ -350,14 +366,14 @@ def onboarding(self): print(Style.BRIGHT + colored("Checkov Dashboard is configured, opening https://bridgecrew.cloud to explore your new powers.", 'green', attrs=['bold'])) print(Style.BRIGHT + colored("FYI - check your inbox for login details! \n", 'green')) - print(Style.BRIGHT + colored("Congratulations! You’ve just super-sized your Checkov! Why not test-drive image scanning now:",'cyan')) + print(Style.BRIGHT + colored("Congratulations! You’ve just super-sized your Checkov! Why not test-drive image scanning now:",'cyan')) print(Style.BRIGHT + colored("\ncheckov --docker-image ubuntu --dockerfile-path /Users/bob/workspaces/bridgecrew/Dockerfile --repo-id bob/test --branch master\n",'white')) - print(Style.BRIGHT + colored("Or download our VS Code plugin: https://github.com/bridgecrewio/checkov-vscode \n", 'cyan',attrs=['bold'])) + print(Style.BRIGHT + colored("Or download our VS Code plugin: https://github.com/bridgecrewio/checkov-vscode \n", 'cyan',attrs=['bold'])) + + print(Style.BRIGHT + colored( "Interested in contributing to Checkov as an open source developer. We thought you’d never ask. Check us out at: \nhttps://github.com/bridgecrewio/checkov/issues?q=is%3Aopen+is%3Aissue+label%3A%22good+first+issue%22 \n", 'white', attrs=['bold'])) - print(Style.BRIGHT + colored( "Interested in contributing to Checkov as an open source developer. We thought you’d never ask. Check us out at: \nhttps://github.com/bridgecrewio/checkov/issues?q=is%3Aopen+is%3Aissue+label%3A%22good+first+issue%22 \n", 'white', attrs=['bold'])) - else: print( Style.BRIGHT + colored("\nCould not create account, please try again on your next scan! \n", 
@@ -379,18 +395,18 @@ def get_report_to_platform(self, args, scan_reports): if self.is_integration_configured(): self._upload_run(args, scan_reports) -# Added this to generate a default repo_id for cli scans for upload to the platform -# whilst also persisting a cli repo_id into the object + # Added this to generate a default repo_id for cli scans for upload to the platform + # whilst also persisting a cli repo_id into the object def persist_bc_api_key(self, args): if args.bc_api_key: - self.bc_api_key=args.bc_api_key - else: + self.bc_api_key = args.bc_api_key + else: # get the key from file - self.bc_api_key=read_key() - return self.bc_api_key + self.bc_api_key = read_key() + return self.bc_api_key -# Added this to generate a default repo_id for cli scans for upload to the platform -# whilst also persisting a cli repo_id into the object + # Added this to generate a default repo_id for cli scans for upload to the platform + # whilst also persisting a cli repo_id into the object def persist_repo_id(self, args): if args.repo_id is None: if BC_FROM_BRANCH: @@ -402,10 +418,10 @@ def persist_repo_id(self, args): # Get the base path of the file based on it's absolute path basename = os.path.basename(os.path.dirname(os.path.abspath(args.file[0]))) self.repo_id = "cli_repo/" + basename - - else: - self.repo_id=args.repo_id - return self.repo_id + + else: + self.repo_id = args.repo_id + return self.repo_id def get_repository(self, args): if BC_FROM_BRANCH: @@ -449,7 +465,7 @@ def _create_bridgecrew_account(self, email, org): return response else: raise Exception("failed to create a bridgecrew account. An organization with this name might already " - "exist with this email address. Please login bridgecrew.cloud to retrieve access key"); + "exist with this email address. Please login bridgecrew.cloud to retrieve access key") def _input_orgname(self): valid = False 
@@ -484,6 +500,7 @@ def _input_levelup_results(self): def _input_email(self): valid_email = False + email = '' while not valid_email: email = str(input('E-Mail: ')).lower().strip() # nosec if re.search(EMAIL_PATTERN, email): diff --git a/checkov/common/checks_infra/solvers/attribute_solvers/contains_attribute_solver.py b/checkov/common/checks_infra/solvers/attribute_solvers/contains_attribute_solver.py index 2125a80c09..1710a80092 100644 --- a/checkov/common/checks_infra/solvers/attribute_solvers/contains_attribute_solver.py +++ b/checkov/common/checks_infra/solvers/attribute_solvers/contains_attribute_solver.py @@ -22,5 +22,5 @@ def _get_operation(self, vertex: Dict[str, Any], attribute: Optional[str]) -> bo except ValueError: pass if isinstance(att, dict): - return self.value in att or any(self.value in val for val in att.values()) + return self.value in att or any(self.value in val for val in att.values() if type(val) in [str, list, set, dict]) return self.value in att diff --git a/checkov/common/goget/github/get_git.py b/checkov/common/goget/github/get_git.py index be51741af9..e1e647b45b 100644 --- a/checkov/common/goget/github/get_git.py +++ b/checkov/common/goget/github/get_git.py 
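Review bot: `type(val) in [str, list, set, dict]` in the new `any(...)` filter of `_get_operation` excludes subclasses (an OrderedDict or a str-derived parser node is skipped) and tuple values, all of which the previous expression accepted; `isinstance(val, (str, list, set, dict, tuple))` keeps the protection against non-container values while preserving those cases. `isinstance` is also the conventional form for this check. The rest of `_get_operation` is above the hunk.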
@@ -33,22 +33,47 @@ def do_get(self): raise ImportError("Unable to load git module (is the git executable available?)") \ from git_import_error + git_url, internal_dir = self._source_subdir() + clone_dir = self.temp_dir + "/clone/" if self.create_clone_and_res_dirs else self.temp_dir - result_dir = self.temp_dir + "/result/" + self._clone(git_url, clone_dir) - if ".git//" in self.url: - git_url, internal_dir = self.url.split(".git//") - self._clone(git_url + ".git", clone_dir, result_dir, internal_dir) - else: - self._clone(self.url, clone_dir, result_dir) + if internal_dir: + clone_dir = clone_dir + internal_dir - return result_dir + if self.create_clone_and_res_dirs: + result_dir = self.temp_dir + "/result/" + shutil.copytree(clone_dir, result_dir) + return result_dir - def _clone(self, git_url, clone_dir, result_dir, internal_dir=''): + return clone_dir + + def _clone(self, git_url, clone_dir): self.logger.debug("cloning {} to {}".format(self.url, clone_dir)) if self.tag: Repo.clone_from(git_url, clone_dir, b=self.tag) else: Repo.clone_from(git_url, clone_dir) - if self.create_clone_and_res_dirs: - shutil.copytree(clone_dir + internal_dir, result_dir) + + # Split source url into Git url and subdirectory path e.g. test.com/repo//repo/subpath becomes 'test.com/repo', '/repo/subpath') + # Also see reference implementation @ go-getter https://github.com/hashicorp/go-getter/blob/main/source.go + def _source_subdir(self): + stop = len(self.url) + + query_index = self.url.find("?") + if query_index > -1: + stop = query_index + + start = 0 + scheme_index = self.url.find("://", start, stop) + if scheme_index > -1: + start = scheme_index + 3 + + subdir_index = self.url.find("//", start, stop) + if subdir_index == -1: + return (self.url, "") + + internal_dir = self.url[subdir_index + 1:stop] # Note: Internal dir is expected to start with / + git_url = self.url[:subdir_index] + self.url[stop:] + + return (git_url, internal_dir) 
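Review bot: `clone_dir = clone_dir + internal_dir` appends the `//` suffix exactly as _source_subdir cut it out of the source URL, so a module source such as `host/repo.git//../../x` (a constructed example) yields a clone_dir, and on the create_clone_and_res_dirs path a copytree source, outside the temporary directory; module sources come from the IaC being scanned, so the subdirectory should be resolved and confirmed to stay under the clone root before it is used. The concatenation also relies on the `# Note: Internal dir is expected to start with /` comment and produces `/clone//sub` on the create path; joining after stripping the leading slash avoids that. A short docstring on _source_subdir stating that it returns `(git_url, internal_dir)` with internal_dir either empty or starting with `/` would make the contract explicit. If `os` is not already imported in this module the check below needs it; do_get's body starts above the hunk.
```python
    git_url, internal_dir = self._source_subdir()
    clone_dir = self.temp_dir + "/clone/" if self.create_clone_and_res_dirs else self.temp_dir
    self._clone(git_url, clone_dir)

    if internal_dir:
        # internal_dir comes verbatim from the module source URL: resolve it and refuse
        # anything that does not stay under the directory we just cloned into
        clone_root = os.path.realpath(clone_dir)
        sub_dir = os.path.realpath(os.path.join(clone_root, internal_dir.lstrip("/")))
        if os.path.commonpath([clone_root, sub_dir]) != clone_root:
            raise ValueError("subdirectory of {} points outside the clone directory".format(self.url))
        clone_dir = sub_dir
    # … unchanged: result_dir copy and return …
```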
diff --git a/checkov/common/graph/graph_builder/graph_components/edge.py b/checkov/common/graph/graph_builder/graph_components/edge.py
index f07b2e1324..650d124c63 100644
--- a/checkov/common/graph/graph_builder/graph_components/edge.py
+++ b/checkov/common/graph/graph_builder/graph_components/edge.py
@@ -6,3 +6,12 @@ def __init__(self, origin: int, dest: int, label: str) -> None: def __str__(self) -> str: return f"[{self.origin} -({self.label})-> {self.dest}]"
+
+ def __eq__(self, other) -> bool:
+ return isinstance(other, Edge) and str(self) == str(other)
+
+ def __ne__(self, other) -> bool:
+ return not self.__eq__(other)
+
+ def __hash__(self):
+ return hash(str(self))
\ No newline at end of file
diff --git a/checkov/common/output/graph_record.py b/checkov/common/output/graph_record.py
index ee5c36ba25..2661efa8e0 100644
--- a/checkov/common/output/graph_record.py
+++ b/checkov/common/output/graph_record.py
@@ -8,6 +8,6 @@ def __init__(self, record, breadcrumbs): super().__init__(record.check_id, record.check_name, record.check_result, record.code_block, record.file_path, record.file_line_range, record.resource, record.evaluations, record.check_class, record.file_abs_path, record.entity_tags, record.caller_file_path,
- record.caller_file_line_range)
+ record.caller_file_line_range, bc_check_id=record.bc_check_id)
 self.fixed_definition = record.fixed_definition
 self.breadcrumbs = breadcrumbs
diff --git a/checkov/common/util/docs_generator.py b/checkov/common/util/docs_generator.py
index 69173f544b..3cc375ccba 100644
--- a/checkov/common/util/docs_generator.py
+++ b/checkov/common/util/docs_generator.py
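Review bot: __eq__ and __hash__ format both edges to strings and compare those, which ties equality to the __str__ layout and pays a string format on every comparison and hash; comparing the fields directly is simpler and says what is meant: `return isinstance(other, Edge) and (self.origin, self.dest, self.label) == (other.origin, other.dest, other.label)` and `return hash((self.origin, self.dest, self.label))`. __ne__ can be dropped, since Python 3 derives it from __eq__. A one-line comment that Edge is now hashable so it can be used in sets and dict keys (the presumable reason for the change) would help, and the file loses its trailing newline.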
@@ -1,21 +1,20 @@ #!/usr/bin/env python import re - from tabulate import tabulate from checkov.arm.registry import arm_resource_registry, arm_parameter_registry from checkov.cloudformation.checks.resource.registry import cfn_registry as cfn_registry from checkov.common.checks.base_check_registry import BaseCheckRegistry +from checkov.common.checks_infra.registry import BaseRegistry as BaseGraphRegistry, get_graph_checks_registry +from checkov.dockerfile.registry import registry as dockerfile_registry from checkov.kubernetes.registry import registry as k8_registry +from checkov.secrets.runner import CHECK_ID_TO_SECRET_TYPE from checkov.serverless.registry import sls_registry -from checkov.dockerfile.registry import registry as dockerfile_registry - from checkov.terraform.checks.data.registry import data_registry from checkov.terraform.checks.module.registry import module_registry from checkov.terraform.checks.provider.registry import provider_registry from checkov.terraform.checks.resource.registry import resource_registry -from checkov.common.checks_infra.registry import BaseRegistry as BaseGraphRegistry, get_graph_checks_registry ID_PARTS_PATTERN = re.compile(r'([^_]*)_([^_]*)_(\d+)') @@ -72,6 +71,9 @@ def add_from_repository(registry, checked_type: str, iac: str): if framework == "arm" or framework == "all": add_from_repository(arm_resource_registry, "resource", "arm") add_from_repository(arm_parameter_registry, "parameter", "arm") + if framework == "secrets" or framework == "all": + for check_id, check_type in CHECK_ID_TO_SECRET_TYPE.items(): + printable_checks_list.append((check_id, check_type, "secrets", check_type, check_type, "secrets")) return sorted(printable_checks_list, key=get_compare_key) diff --git a/checkov/kubernetes/runner.py b/checkov/kubernetes/runner.py index a4241552fa..51334e18c2 100644 --- a/checkov/kubernetes/runner.py +++ b/checkov/kubernetes/runner.py 
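Review bot: The six-tuple appended for secrets checks repeats `check_type` in three positions, so the generated policy table shows the secret type name where other frameworks show a policy description, and a reader of the tuple cannot tell which position feeds which column. A comment naming the positions in the order the caller prints them, with a note such as `# secrets checks carry no separate policy text, so the secret type stands in for entity and policy`, or a small helper shared with add_from_repository, would make the shape explicit. The enclosing function starts above the hunk.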
@@ -49,9 +49,13 @@ def run(self, root_folder, external_checks_dir=None, files=None, runner_filter=R for file in files_list: relative_file_path = f'/{os.path.relpath(file, os.path.commonprefix((root_folder, file)))}' - parse_result = parse(file) - if parse_result: - (definitions[relative_file_path], definitions_raw[relative_file_path]) = parse_result + try: + parse_result = parse(file) + if parse_result: + (definitions[relative_file_path], definitions_raw[relative_file_path]) = parse_result + except (TypeError, ValueError) as e: + logging.warning(f"Kubernetes skipping {file} as it is not a valid Kubernetes template\n{e}") + continue for k8_file in definitions.keys(): @@ -73,25 +77,27 @@ def run(self, root_folder, external_checks_dir=None, files=None, runner_filter=R logging.debug("Template Dump for {}: {}".format(k8_file, definitions[k8_file][i], indent=2)) entity_conf = definitions[k8_file][i] + if entity_conf is None: + continue # Split out resources if entity kind is List - if entity_conf["kind"] == "List": + if isinstance(entity_conf, dict) and entity_conf["kind"] == "List": for item in entity_conf.get("items", []): definitions[k8_file].append(item) for i in range(len(definitions[k8_file])): - if (not 'apiVersion' in definitions[k8_file][i].keys()) and (not 'kind' in definitions[k8_file][i].keys()): + if _is_invalid_k8_definition(definitions[k8_file][i]): continue logging.debug("Template Dump for {}: {}".format(k8_file, definitions[k8_file][i], indent=2)) entity_conf = definitions[k8_file][i] - if entity_conf["kind"] == "List": + if isinstance(entity_conf, dict) and entity_conf.get("kind") == "List": continue # Skip entity without metadata["name"] - if entity_conf.get("metadata"): - if isinstance(entity_conf["metadata"], int) or not "name" in entity_conf["metadata"]: + if isinstance(entity_conf, dict) and entity_conf.get("metadata"): + if isinstance(entity_conf["metadata"], int) or "name" not in entity_conf["metadata"]: continue else: continue 
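Review bot: `if isinstance(entity_conf, dict) and entity_conf["kind"] == "List":` in the first loop still indexes `kind` directly, while _is_invalid_k8_definition only skips dicts that lack both apiVersion and kind, so a manifest with apiVersion but no kind raises KeyError here; the second loop already uses `.get`, and this line should match it: `if isinstance(entity_conf, dict) and entity_conf.get("kind") == "List":`. The `except (TypeError, ValueError)` added in the previous hunk wraps only the parser call, so this KeyError aborts the whole run rather than skipping the file. run's body starts before and continues after the hunk.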
@@ -131,16 +137,17 @@ def run(self, root_folder, external_checks_dir=None, files=None, runner_filter=R # Run for each definition included added container definitions for i in range(len(definitions[k8_file])): - if (not 'apiVersion' in definitions[k8_file][i].keys()) and (not 'kind' in definitions[k8_file][i].keys()): + if _is_invalid_k8_definition(definitions[k8_file][i]): continue logging.debug("Template Dump for {}: {}".format(k8_file, definitions[k8_file][i], indent=2)) entity_conf = definitions[k8_file][i] - - if entity_conf["kind"] == "List" or not entity_conf.get("kind"): + if entity_conf is None: + continue + if isinstance(entity_conf, dict) and (entity_conf["kind"] == "List" or not entity_conf.get("kind")): continue - if isinstance(entity_conf["kind"], int): + if isinstance(entity_conf, dict) and isinstance(entity_conf.get("kind"), int): continue # Skip entity without metadata["name"] or parent_metadata["name"] if not any(x in entity_conf["kind"] for x in ["containers", "initContainers"]): @@ -284,3 +291,6 @@ def find_lines(node, kv): yield x +def _is_invalid_k8_definition(definition: dict) -> bool: + return isinstance(definition, dict) and 'apiVersion' not in definition.keys() and 'kind' not in \ + definition.keys() diff --git a/checkov/terraform/checks/graph_checks/aws/PostgresRDSHasQueryLoggingEnabled.yaml b/checkov/terraform/checks/graph_checks/aws/PostgresRDSHasQueryLoggingEnabled.yaml index 6ec537ab39..335e419f7d 100644 --- a/checkov/terraform/checks/graph_checks/aws/PostgresRDSHasQueryLoggingEnabled.yaml +++ b/checkov/terraform/checks/graph_checks/aws/PostgresRDSHasQueryLoggingEnabled.yaml 
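Review bot: In the container loop, `entity_conf["kind"] == "List" or not entity_conf.get("kind")` indexes kind before testing for its absence, so the guard itself raises KeyError on a dict without kind; swapping the operands fixes it: `if isinstance(entity_conf, dict) and (not entity_conf.get("kind") or entity_conf["kind"] == "List"):`. The new `isinstance(entity_conf, dict)` guards also let any non-dict, non-None entry (a list or bare string from a YAML document) fall through to `entity_conf["kind"]` on the line after them, because _is_invalid_k8_definition returns False for non-dicts; replacing `if entity_conf is None: continue` with `if not isinstance(entity_conf, dict): continue` covers both cases. run's body starts before and continues after the hunk.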
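Review bot: _is_invalid_k8_definition returns False for anything that is not a dict, so a list, a string or None is reported as a valid definition and every caller in run has to re-check the type itself; the name promises the opposite. `return not isinstance(definition, dict) or ('apiVersion' not in definition and 'kind' not in definition)` makes the helper the single place that decides, and `definition.keys()` is redundant with `in` on a dict. A one-line docstring stating the rule, `"""A definition is usable only if it is a mapping carrying apiVersion or kind."""`, would record it, and the `dict` annotation is then accurate only for the valid case, so `Any` fits the parameter better.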
@@ -9,18 +9,18 @@ definition: value: - aws_db_instance operator: within + - cond_type: filter + resource_types: + - aws_db_instance + attribute: engine + operator: within + value: "postgres" - cond_type: connection resource_types: - aws_db_instance connected_resource_types: - aws_rds_cluster_parameter_group operator: exists - - cond_type: attribute - resource_types: - - aws_db_instance - attribute: "engine" - operator: contains - value: "postgres" - cond_type: attribute resource_types: - aws_rds_cluster_parameter_group diff --git a/checkov/terraform/checks/graph_checks/aws/SGAttachedToResource.yaml b/checkov/terraform/checks/graph_checks/aws/SGAttachedToResource.yaml index 318d17a427..c7477d881a 100644 --- a/checkov/terraform/checks/graph_checks/aws/SGAttachedToResource.yaml +++ b/checkov/terraform/checks/graph_checks/aws/SGAttachedToResource.yaml @@ -14,6 +14,7 @@ definition: connected_resource_types: - aws_alb - aws_batch_compute_environment + - aws_cloudwatch_event_target - aws_codebuild_project - aws_db_instance - aws_dms_replication_instance @@ -43,4 +44,4 @@ definition: - aws_vpc_endpoint operator: exists attribute: networking - cond_type: connection \ No newline at end of file + cond_type: connection diff --git a/checkov/terraform/checks/graph_checks/azure/StorageContainerActivityLogsNotPublic.yaml b/checkov/terraform/checks/graph_checks/azure/StorageContainerActivityLogsNotPublic.yaml index 25649f8ec1..c9ef7522b7 100644 --- a/checkov/terraform/checks/graph_checks/azure/StorageContainerActivityLogsNotPublic.yaml +++ b/checkov/terraform/checks/graph_checks/azure/StorageContainerActivityLogsNotPublic.yaml @@ -31,7 +31,7 @@ definition: - azurerm_monitor_activity_log_alert attribute: enabled operator: equals - value: 'true' + value: true - cond_type: connection resource_types: - azurerm_storage_container 
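Review bot: The new filter condition uses `operator: within` with the bare scalar `value: "postgres"`, whereas the other `within` in this file passes a list (`value:` / `- aws_db_instance`); if the solver implements within as membership, a string on the right turns it into a substring test and `engine` values that merely contain that text would match, which the removed `contains` at least said by name. If a list was intended, `value:` followed by `- postgres` keeps the shape consistent with the rest of the file; if the scalar form is deliberate, a comment on the condition saying the filter keys on the exact engine value would stop the next reader from changing it back. Which engine strings the check is meant to cover is worth confirming against a fixture.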
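Review bot: Changing `value: 'true'` to `value: true` turns the compared value from the string `"true"` into a YAML boolean, so the `equals` condition now matches only if the graph stores the Terraform attribute `enabled` as a real boolean rather than its string rendering; which one it holds is not visible in this diff and is worth confirming with one fixture using `enabled = true` and one using `enabled = "true"`. A short comment on the condition noting the expected type would keep the two forms from drifting between checks.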
diff --git a/checkov/terraform/checks/resource/aws/CodeBuildProjectEncryption.py b/checkov/terraform/checks/resource/aws/CodeBuildProjectEncryption.py index b3a9f84212..995a495277 100644 --- a/checkov/terraform/checks/resource/aws/CodeBuildProjectEncryption.py +++ b/checkov/terraform/checks/resource/aws/CodeBuildProjectEncryption.py @@ -16,11 +16,13 @@ def scan_resource_conf(self, conf): return CheckResult.UNKNOWN artifact = conf['artifacts'][0] if isinstance(artifact, dict): - if artifact['type'] == "NO_ARTIFACTS": + if artifact['type'] == ["NO_ARTIFACTS"]: self.evaluated_keys = 'artifacts/[0]/type' - elif 'encryption_disabled' in artifact and artifact['encryption_disabled']: - self.evaluated_keys = 'artifacts/[0]/encryption_disabled' - return CheckResult.FAILED + return CheckResult.UNKNOWN + if 'encryption_disabled' in artifact: + if artifact['encryption_disabled'] == [True]: + self.evaluated_keys = 'artifacts/[0]/encryption_disabled' + return CheckResult.FAILED return CheckResult.PASSED diff --git a/checkov/terraform/checks/resource/aws/QLDBLedgerDeletionProtection.py b/checkov/terraform/checks/resource/aws/QLDBLedgerDeletionProtection.py new file mode 100644 index 0000000000..fa5160a4b0 --- /dev/null +++ b/checkov/terraform/checks/resource/aws/QLDBLedgerDeletionProtection.py 
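Review bot: `artifact['type'] == ["NO_ARTIFACTS"]` indexes `type` without a default, so an artifacts block that omits `type` raises KeyError instead of reaching UNKNOWN or PASSED; `artifact.get('type') == ["NO_ARTIFACTS"]` keeps the behaviour for the normal case. The new `artifact['encryption_disabled'] == [True]` comparison also ignores the quoted form `["true"]` that HCL files sometimes use; if the parser keeps strings as written, `artifact['encryption_disabled'] in ([True], ["true"])` covers both, and the assumption is worth a comment either way. scan_resource_conf starts above the hunk.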
@@ -0,0 +1,25 @@
+from typing import Dict, List, Any
+
+from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck
+from checkov.common.models.enums import CheckCategories, CheckResult
+
+
+class QLDBLedgerDeletionProtection(BaseResourceValueCheck):
+ def __init__(self) -> None:
+ name = "Ensure QLDB ledger has deletion protection enabled"
+ id = "CKV_AWS_172"
+ supported_resources = ["aws_qldb_ledger"]
+ categories = [CheckCategories.GENERAL_SECURITY]
+ super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
+
+ def scan_resource_conf(self, conf: Dict[str, List[Any]]) -> CheckResult:
+ # deletion protection is enabled on default
+ if "deletion_protection" not in conf:
+ return CheckResult.PASSED
+ return super().scan_resource_conf(conf)
+
+ def get_inspected_key(self) -> str:
+ return "deletion_protection"
+
+
+check = QLDBLedgerDeletionProtection()
diff --git a/checkov/terraform/checks/resource/azure/AzureServiceFabricClusterProtectionLevel.py b/checkov/terraform/checks/resource/azure/AzureServiceFabricClusterProtectionLevel.py
new file mode 100644
index 0000000000..6841a058fc
--- /dev/null
+++ b/checkov/terraform/checks/resource/azure/AzureServiceFabricClusterProtectionLevel.py
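Review bot: The early `return CheckResult.PASSED` when `deletion_protection` is absent rests on a provider default that only a one-line comment records, and the class has no docstring; a docstring such as `"""Ensure aws_qldb_ledger keeps deletion protection enabled. The attribute defaults to true in the AWS provider, so an omitted key passes; an explicit value is judged by the base value check."""` would record both the policy and the assumption. The comment `# deletion protection is enabled on default` reads better as `# deletion_protection defaults to true in the AWS provider, so an omitted attribute passes`. Whether the base class compares the inspected key against True is not visible here and is the other half of that assumption.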
@@ -0,0 +1,25 @@
+from typing import Dict, List, Any
+
+from checkov.common.models.enums import CheckCategories, CheckResult
+from checkov.common.util.type_forcers import force_list
+from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck
+
+
+class AzureServiceFabricClusterProtectionLevel(BaseResourceCheck):
+ def __init__(self):
+ name = "Ensures that Service Fabric use three levels of protection available"
+ id = "CKV_AZURE_125"
+ supported_resources = ['azurerm_service_fabric_cluster']
+ categories = [CheckCategories.ENCRYPTION]
+ super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
+
+ def scan_resource_conf(self, conf: Dict[str, List[Any]]) -> CheckResult:
+ for setting in force_list(conf.get('fabric_settings')):
+ if setting and setting.get('name') == ['Security']:
+ params = setting.get('parameters', [{}])[0]
+ if params.get('name') == 'ClusterProtectionLevel' and params.get('value') == 'EncryptAndSign':
+ return CheckResult.PASSED
+ return CheckResult.FAILED
+
+
+check = AzureServiceFabricClusterProtectionLevel()
diff --git a/checkov/terraform/checks/resource/azure/AzureServiceFabricClusterUseADAuth.py b/checkov/terraform/checks/resource/azure/AzureServiceFabricClusterUseADAuth.py
deleted file mode 100644
index 54303ee62d..0000000000
--- a/checkov/terraform/checks/resource/azure/AzureServiceFabricClusterUseADAuth.py
+++ /dev/null
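Review bot: `setting.get('name') == ['Security']` compares against a list, but two lines later `params.get('name') == 'ClusterProtectionLevel'` and `params.get('value') == 'EncryptAndSign'` compare against bare strings; if the parser wraps nested block attributes in lists the way the first comparison assumes, the inner condition never matches and every cluster fails, so either `params.get('name') == ['ClusterProtectionLevel'] and params.get('value') == ['EncryptAndSign']` or a fixture with a correctly configured cluster should settle it. `setting.get('parameters', [{}])[0]` raises IndexError when `parameters` is present but empty. The id CKV_AZURE_125 is reused from AzureServiceFabricClusterUseADAuth, deleted in the next hunk, so existing skip comments and baselines written for the AD-authentication policy now silently apply to this protection-level policy; a fresh id avoids that. The name `Ensures that Service Fabric use three levels of protection available` reads better as `Ensure Service Fabric clusters use the EncryptAndSign protection level`.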
@@ -1,21 +0,0 @@
-from checkov.common.models.enums import CheckCategories
-from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck
-from checkov.common.models.consts import ANY_VALUE
-
-
-class AzureServiceFabricClusterUseADAuth(BaseResourceValueCheck):
- def __init__(self):
- name = "Ensures that Active Directory is used for authentication for Service Fabric"
- id = "CKV_AZURE_125"
- supported_resources = ['azurerm_service_fabric_cluster']
- categories = [CheckCategories.ENCRYPTION]
- super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
-
- def get_inspected_key(self):
- return 'azure_active_directory/[0]/tenant_id'
-
- def get_expected_value(self):
- return ANY_VALUE
-
-
-check = AzureServiceFabricClusterUseADAuth()
diff --git a/checkov/terraform/graph_builder/local_graph.py b/checkov/terraform/graph_builder/local_graph.py
index 5425c7c784..7812e50645 100644
--- a/checkov/terraform/graph_builder/local_graph.py
+++ b/checkov/terraform/graph_builder/local_graph.py
@@ -1,5 +1,6 @@
 import logging
 import os
+from collections import defaultdict
 from copy import deepcopy
 from pathlib import Path
 from typing import List, Optional, Union, Any, Dict, Set, Callable
@@ -41,18 +42,20 @@ def __init__(self, module: Module, module_dependency_map: Dict[str, List[List[st self.module_dependency_map = module_dependency_map self.map_path_to_module: Dict[str, List[int]] = {} self.relative_paths_cache = {} + self.abspath_cache: Dict[str, str] = {} + self.dirname_cache: Dict[str, str] = {} + self.vertices_by_module_dependency_by_name: Dict[str, Dict[BlockType, Dict[str, List[int]]]] = defaultdict(lambda: defaultdict(lambda: defaultdict(list))) + self.vertices_by_module_dependency: Dict[str, Dict[BlockType, List[int]]] = defaultdict(lambda: defaultdict(list)) def build_graph(self, render_variables: bool) -> None: self._create_vertices() - undetermined_values = self._set_variables_values_from_modules() self._build_edges() self.calculate_encryption_attribute() if render_variables: - logging.info("Rendering variables") + logging.info(f"Rendering variables, graph has {len(self.vertices)} vertices and {len(self.edges)} edges") renderer = VariableRenderer(self) renderer.render_variables_from_local_graph() self.update_vertices_breadcrumbs_and_module_connections() - self.process_undetermined_values(undetermined_values) def _create_vertices(self) -> None: logging.info("Creating vertices") @@ -67,6 +70,9 @@ def _create_vertices(self) -> None: # map between file paths and module vertices indexes from that file self.map_path_to_module.setdefault(block.path, []).append(i) + self.vertices_by_module_dependency[block.module_dependency][block.block_type].append(i) + self.vertices_by_module_dependency_by_name[block.module_dependency][block.block_type][block.name].append(i) + self.in_edges[i] = [] self.out_edges[i] = [] 
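Review bot: The two new defaultdict attributes encode a three-level key order (module_dependency, then block type, then block name) that is only discoverable by reading _create_vertices, and the later hunks read them with `.get(...)` precisely so lookups never insert keys; a comment above them such as `# vertex indexes keyed by module_dependency -> block type (-> block name); read with .get() so lookups never create entries` would record both facts. Dropping `_set_variables_values_from_modules` and `process_undetermined_values` from build_graph is a behaviour change that the commit message should justify if intentional, and both methods may now be dead code. `self.relative_paths_cache = {}` could carry the same annotation as its two new siblings. __init__ starts above the hunk.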
@@ -148,14 +154,14 @@ def get_module_vertices_mapping(self) -> None: module_list = self.map_path_to_module.get(path_to_module_str, []) for module_index in module_list: module_vertex = self.vertices[module_index] - module_vertex_dir = os.path.dirname(module_vertex.path) + module_vertex_dir = self.get_dirname(module_vertex.path) module_source = module_vertex.attributes.get("source", [""])[0] if self._get_dest_module_path(module_vertex_dir, module_source) == dir_name: block_dirs_to_modules.setdefault(dir_name, set()).add(module_index) for vertex in self.vertices: # match the right module vertex according to the vertex path directory - module_indices = block_dirs_to_modules.get(os.path.dirname(vertex.path), set()) + module_indices = block_dirs_to_modules.get(self.get_dirname(vertex.path), set()) if module_indices: vertex.source_module = module_indices @@ -211,13 +217,9 @@ def _build_edges(self) -> None: target_path = vertex.path if vertex.module_dependency != "": target_path = unify_dependency_path([vertex.module_dependency, vertex.path]) - dest_module_path = self._get_dest_module_path(os.path.dirname(vertex.path), vertex.attributes['source'][0]) - target_variables = [ - index - for index in self.vertices_by_block_type.get(BlockType.VARIABLE, []) - if self.vertices[index].module_dependency == target_path - and os.path.dirname(self.vertices[index].path) == dest_module_path - ] + dest_module_path = self._get_dest_module_path(self.get_dirname(vertex.path), vertex.attributes['source'][0]) + target_variables = list(filter(lambda index: self.get_dirname(self.vertices[index].path) == dest_module_path, + self.vertices_by_module_dependency.get(target_path, {}).get(BlockType.VARIABLE, []))) for attribute, value in vertex.attributes.items(): if attribute in MODULE_RESERVED_ATTRIBUTES: continue 
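Review bot: `list(filter(lambda index: ..., self.vertices_by_module_dependency.get(target_path, {}).get(BlockType.VARIABLE, [])))` replaces a list comprehension with filter plus a lambda, which is harder to read than the form it removes and no faster; `[index for index in self.vertices_by_module_dependency.get(target_path, {}).get(BlockType.VARIABLE, []) if self.get_dirname(self.vertices[index].path) == dest_module_path]` keeps the new keyed lookup and the old shape. The same applies to the TF_VARIABLE branch in the next hunk. _build_edges starts and ends outside the hunk.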
@@ -226,11 +228,9 @@ def _build_edges(self) -> None: self._create_edge(target_variable, origin_node_index, "default") elif vertex.block_type == BlockType.TF_VARIABLE: # Assuming the tfvars file is in the same directory as the variables file (best practice) - target_variables = [ - index - for index in self.vertices_block_name_map.get(BlockType.VARIABLE, {}).get(vertex.name, []) - if os.path.dirname(self.vertices[index].path) == os.path.dirname(vertex.path) - ] + target_variables = list( + filter(lambda index: self.get_dirname(self.vertices[index].path) == self.get_dirname(vertex.path), + self.vertices_block_name_map.get(BlockType.VARIABLE, {}).get(vertex.name, []))) if len(target_variables) == 1: self._create_edge(target_variables[0], origin_node_index, "default") @@ -255,7 +255,7 @@ def _connect_module( The function receives a node of a block of type BlockType.Module, and finds all the nodes of blocks that belong to this module, and creates edges between them. """ - curr_module_dir = os.path.dirname(module_node.path) + curr_module_dir = self.get_dirname(module_node.path) dest_module_source = module_node.attributes["source"][0] dest_module_path = self._get_dest_module_path(curr_module_dir, dest_module_source) @@ -266,10 +266,10 @@ def _connect_module( ) for vertex_index in output_blocks_with_name: vertex = self.vertices[vertex_index] - if (os.path.dirname(vertex.path) == dest_module_path) and ( + if (self.get_dirname(vertex.path) == dest_module_path) and ( vertex.module_dependency == module_node.module_dependency # The vertex is in the same file - or os.path.abspath(vertex.module_dependency) - == os.path.abspath(module_node.path) # The vertex is in the correct dependency path + or self.get_abspath(vertex.module_dependency) + == self.get_abspath(module_node.path) # The vertex is in the correct dependency path ): self._create_edge(origin_node_index, vertex_index, attribute_key) self.vertices[origin_node_index].add_module_connection(attribute_key, vertex_index) 
@@ -301,15 +301,17 @@ def _find_vertex_index_relative_to_path( self, block_type: BlockType, name: str, block_path: str, module_path: str ) -> int: relative_vertices = [] - possible_vertices = self.vertices_block_name_map.get(block_type, {}).get(name, []) + possible_vertices = self.vertices_by_module_dependency_by_name.get(module_path, {}).get(block_type, {}).get(name, []) for vertex_index in possible_vertices: vertex = self.vertices[vertex_index] - if vertex.module_dependency == module_path and os.path.dirname(vertex.path) == os.path.dirname(block_path): + if self.get_dirname(vertex.path) == self.get_dirname(block_path): relative_vertices.append(vertex_index) if len(relative_vertices) == 1: - return relative_vertices[0] - return self._find_vertex_with_longest_path_match(relative_vertices, block_path) + relative_vertex = relative_vertices[0] + else: + relative_vertex = self._find_vertex_with_longest_path_match(relative_vertices, block_path) + return relative_vertex def _find_vertex_with_longest_path_match(self, relevant_vertices_indexes: List[int], origin_path: str) -> int: vertex_index_with_longest_common_prefix = -1 @@ -473,3 +475,17 @@ def calculate_encryption_attribute(self) -> None: EncryptionValues.ENCRYPTED.value if is_encrypted else EncryptionValues.UNENCRYPTED.value ) vertex.attributes[CustomAttributes.ENCRYPTION_DETAILS] = reason + + def get_dirname(self, path: str) -> str: + dir_name = self.dirname_cache.get(path) + if not dir_name: + dir_name = os.path.dirname(path) + self.dirname_cache[path] = dir_name + return dir_name + + def get_abspath(self, path: str) -> str: + dir_name = self.abspath_cache.get(path) + if not dir_name: + dir_name = os.path.abspath(path) + self.abspath_cache[path] = dir_name + return dir_name diff --git a/checkov/terraform/module_loading/loaders/git_loader.py b/checkov/terraform/module_loading/loaders/git_loader.py index 851bec7742..e8c7b1646b 100644 --- a/checkov/terraform/module_loading/loaders/git_loader.py 
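Review bot: `if not dir_name:` in get_dirname treats the empty string as a cache miss, and `os.path.dirname` returns `''` for any bare file name, so those paths are never cached and are recomputed on every call; testing key presence avoids it: `if path not in self.dirname_cache: self.dirname_cache[path] = os.path.dirname(path)` followed by `return self.dirname_cache[path]`. get_abspath has the same shape and names its local `dir_name` although it holds an absolute path. A one-line docstring on each, `"""Cached os.path.dirname(path); paths are immutable keys, so the cache never needs invalidation."""` and the abspath equivalent, would explain why a cache is safe here. The _find_vertex_index_relative_to_path hunk above drops the explicit `vertex.module_dependency == module_path` test in favour of the keyed lookup, which is equivalent only if module_path always equals the module_dependency key exactly, a point worth a comment there.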
+++ b/checkov/terraform/module_loading/loaders/git_loader.py @@ -16,8 +16,7 @@ def _load_module(self) -> ModuleContent: module_source = self.module_source.replace('git::', '') git_getter = GitGetter(module_source, create_clone_and_result_dirs=False) git_getter.temp_dir = self.dest_dir - git_getter.do_get() - return_dir = self.dest_dir + return_dir = git_getter.do_get() if self.inner_module: return_dir = os.path.join(self.dest_dir, self.inner_module) return ModuleContent(dir=return_dir) diff --git a/checkov/terraform/variable_rendering/renderer.py b/checkov/terraform/variable_rendering/renderer.py index 17ff311ad3..f68c5f55f2 100644 --- a/checkov/terraform/variable_rendering/renderer.py +++ b/checkov/terraform/variable_rendering/renderer.py @@ -27,7 +27,7 @@ class VariableRenderer: def __init__(self, local_graph: "TerraformLocalGraph") -> None: self.local_graph = local_graph - run_async = os.environ.get("RENDER_VARIABLES_ASYNC", "True") + run_async = os.environ.get("RENDER_VARIABLES_ASYNC", "False") self.run_async = True if run_async == "True" else False self.max_workers = int(os.environ.get("RENDER_ASYNC_MAX_WORKERS", 50)) self.done_edges_by_origin_vertex: Dict[int, List[Edge]] = {} @@ -87,6 +87,7 @@ def render_variables_from_local_graph(self) -> None: self.local_graph.update_vertices_configs() logging.info("done evaluating edges") self.evaluate_non_rendered_values() + logging.info("done evaluate_non_rendered_values") def _edge_evaluation_task(self, edges: List[List[Edge]]) -> List[Edge]: inner_edges = edges[0] diff --git a/checkov/version.py b/checkov/version.py index fa18a3d8d1..9b3583523b 100644 --- a/checkov/version.py +++ b/checkov/version.py @@ -1 +1 @@ -version = '2.0.336' +version = '2.0.363' diff --git a/docs/5.Policy Index/all.md b/docs/5.Policy Index/all.md index 114ce52802..18755ddb7f 100644 --- a/docs/5.Policy Index/all.md +++ b/docs/5.Policy Index/all.md 
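Review bot: `return_dir = git_getter.do_get()` now carries the subdirectory that a `//` module source selects, but the `inner_module` branch two lines later still joins onto `self.dest_dir` and discards it, so a source that uses both ends up at dest_dir/inner_module rather than inside the cloned subdirectory; if nesting is intended, `return_dir = os.path.join(return_dir, self.inner_module)` is probably what is wanted, otherwise a comment should say why dest_dir wins. inner_module, like the `//` suffix, originates in the scanned module source, so the joined path should be confirmed to stay under dest_dir before it is returned. _load_module starts above the hunk.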
@@ -6,1177 +6,1197 @@ nav_order: 1 # all resource scans (auto generated) -| | Id | Type | Entity | Policy | IaC | -|------|---------------|------------|------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------| -| 0 | CKV_AWS_1 | data | aws_iam_policy_document | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform | -| 1 | CKV_AWS_1 | resource | serverless_aws | Ensure IAM policies that allow full "*-*" administrative privileges are not created | serverless | -| 2 | CKV_AWS_2 | resource | aws_lb_listener | Ensure ALB protocol is HTTPS | Terraform | -| 3 | CKV_AWS_2 | resource | AWS::ElasticLoadBalancingV2::Listener | Ensure ALB protocol is HTTPS | Cloudformation | -| 4 | CKV_AWS_3 | resource | aws_ebs_volume | Ensure all data stored in the EBS is securely encrypted | Terraform | -| 5 | CKV_AWS_3 | resource | AWS::EC2::Volume | Ensure all data stored in the EBS is securely encrypted | Cloudformation | -| 6 | CKV_AWS_5 | resource | aws_elasticsearch_domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Terraform | -| 7 | CKV_AWS_5 | resource | AWS::Elasticsearch::Domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Cloudformation | -| 8 | CKV_AWS_6 | resource | aws_elasticsearch_domain | Ensure all Elasticsearch has node-to-node encryption enabled | Terraform | -| 9 | CKV_AWS_6 | resource | AWS::Elasticsearch::Domain | Ensure all Elasticsearch has node-to-node encryption enabled | Cloudformation | -| 10 | CKV_AWS_7 | resource | aws_kms_key | Ensure rotation for customer created CMKs is enabled | Terraform | -| 11 | CKV_AWS_7 | resource | AWS::KMS::Key | Ensure rotation for customer created CMKs is enabled | Cloudformation | -| 
12 | CKV_AWS_8 | resource | aws_instance | Ensure all data stored in the Launch configuration EBS is securely encrypted | Terraform | -| 13 | CKV_AWS_8 | resource | aws_launch_configuration | Ensure all data stored in the Launch configuration EBS is securely encrypted | Terraform | -| 14 | CKV_AWS_8 | resource | AWS::AutoScaling::LaunchConfiguration | Ensure all data stored in the Launch configuration EBS is securely encrypted | Cloudformation | -| 15 | CKV_AWS_9 | resource | aws_iam_account_password_policy | Ensure IAM password policy expires passwords within 90 days or less | Terraform | -| 16 | CKV_AWS_10 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires minimum length of 14 or greater | Terraform | -| 17 | CKV_AWS_11 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires at least one lowercase letter | Terraform | -| 18 | CKV_AWS_12 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires at least one number | Terraform | -| 19 | CKV_AWS_13 | resource | aws_iam_account_password_policy | Ensure IAM password policy prevents password reuse | Terraform | -| 20 | CKV_AWS_14 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires at least one symbol | Terraform | -| 21 | CKV_AWS_15 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires at least one uppercase letter | Terraform | -| 22 | CKV_AWS_16 | resource | aws_db_instance | Ensure all data stored in the RDS is securely encrypted at rest | Terraform | -| 23 | CKV_AWS_16 | resource | AWS::RDS::DBInstance | Ensure all data stored in the RDS is securely encrypted at rest | Cloudformation | -| 24 | CKV_AWS_17 | resource | aws_db_instance | Ensure all data stored in RDS is not publicly accessible | Terraform | -| 25 | CKV_AWS_17 | resource | aws_rds_cluster_instance | Ensure all data stored in RDS is not publicly accessible | Terraform | -| 26 | CKV_AWS_17 | resource | 
AWS::RDS::DBInstance | Ensure all data stored in RDS is not publicly accessible | Cloudformation | -| 27 | CKV_AWS_18 | resource | aws_s3_bucket | Ensure the S3 bucket has access logging enabled | Terraform | -| 28 | CKV_AWS_18 | resource | AWS::S3::Bucket | Ensure the S3 bucket has access logging enabled | Cloudformation | -| 29 | CKV_AWS_19 | resource | aws_s3_bucket | Ensure all data stored in the S3 bucket is securely encrypted at rest | Terraform | -| 30 | CKV_AWS_19 | resource | AWS::S3::Bucket | Ensure the S3 bucket has server-side-encryption enabled | Cloudformation | -| 31 | CKV_AWS_20 | resource | aws_s3_bucket | S3 Bucket has an ACL defined which allows public READ access. | Terraform | -| 32 | CKV_AWS_20 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow READ permissions to everyone | Cloudformation | -| 33 | CKV_AWS_21 | resource | aws_s3_bucket | Ensure all data stored in the S3 bucket have versioning enabled | Terraform | -| 34 | CKV_AWS_21 | resource | AWS::S3::Bucket | Ensure the S3 bucket has versioning enabled | Cloudformation | -| 35 | CKV_AWS_22 | resource | aws_sagemaker_notebook_instance | Ensure SageMaker Notebook is encrypted at rest using KMS CMK | Terraform | -| 36 | CKV_AWS_23 | resource | aws_security_group | Ensure every security groups rule has a description | Terraform | -| 37 | CKV_AWS_23 | resource | aws_security_group_rule | Ensure every security groups rule has a description | Terraform | -| 38 | CKV_AWS_23 | resource | aws_db_security_group | Ensure every security groups rule has a description | Terraform | -| 39 | CKV_AWS_23 | resource | aws_elasticache_security_group | Ensure every security groups rule has a description | Terraform | -| 40 | CKV_AWS_23 | resource | aws_redshift_security_group | Ensure every security groups rule has a description | Terraform | -| 41 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroup | Ensure every security groups rule has a description | Cloudformation | -| 42 | CKV_AWS_23 | 
resource | AWS::EC2::SecurityGroupIngress | Ensure every security groups rule has a description | Cloudformation | -| 43 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupEgress | Ensure every security groups rule has a description | Cloudformation | -| 44 | CKV_AWS_24 | resource | aws_security_group | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Terraform | -| 45 | CKV_AWS_24 | resource | aws_security_group_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Terraform | -| 46 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | -| 47 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | -| 48 | CKV_AWS_25 | resource | aws_security_group | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Terraform | -| 49 | CKV_AWS_25 | resource | aws_security_group_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Terraform | -| 50 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | -| 51 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | -| 52 | CKV_AWS_26 | resource | aws_sns_topic | Ensure all data stored in the SNS topic is encrypted | Terraform | -| 53 | CKV_AWS_26 | resource | AWS::SNS::Topic | Ensure all data stored in the SNS topic is encrypted | Cloudformation | -| 54 | CKV_AWS_27 | resource | aws_sqs_queue | Ensure all data stored in the SQS queue is encrypted | Terraform | -| 55 | CKV_AWS_27 | resource | AWS::SQS::Queue | Ensure all data stored in the SQS queue is encrypted | Cloudformation | -| 56 | CKV_AWS_28 | resource | aws_dynamodb_table | Ensure Dynamodb point in time recovery (backup) is enabled | Terraform | -| 57 | 
CKV_AWS_28 | resource | AWS::DynamoDB::Table | Ensure Dynamodb point in time recovery (backup) is enabled | Cloudformation | -| 58 | CKV_AWS_29 | resource | aws_elasticache_replication_group | Ensure all data stored in the Elasticache Replication Group is securely encrypted at rest | Terraform | -| 59 | CKV_AWS_29 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at rest | Cloudformation | -| 60 | CKV_AWS_30 | resource | aws_elasticache_replication_group | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit | Terraform | -| 61 | CKV_AWS_30 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit | Cloudformation | -| 62 | CKV_AWS_31 | resource | aws_elasticache_replication_group | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit and has auth token | Terraform | -| 63 | CKV_AWS_31 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit and has auth token | Cloudformation | -| 64 | CKV_AWS_32 | resource | aws_ecr_repository_policy | Ensure ECR policy is not set to public | Terraform | -| 65 | CKV_AWS_32 | resource | AWS::ECR::Repository | Ensure ECR policy is not set to public | Cloudformation | -| 66 | CKV_AWS_33 | resource | aws_kms_key | Ensure KMS key policy does not contain wildcard (*) principal | Terraform | -| 67 | CKV_AWS_33 | resource | AWS::KMS::Key | Ensure KMS key policy does not contain wildcard (*) principal | Cloudformation | -| 68 | CKV_AWS_34 | resource | aws_cloudfront_distribution | Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS | Terraform | -| 69 | CKV_AWS_34 | resource | AWS::CloudFront::Distribution | Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS | Cloudformation | -| 
70 | CKV_AWS_35 | resource | aws_cloudtrail | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | Terraform | -| 71 | CKV_AWS_35 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | Cloudformation | -| 72 | CKV_AWS_36 | resource | aws_cloudtrail | Ensure CloudTrail log file validation is enabled | Terraform | -| 73 | CKV_AWS_36 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail log file validation is enabled | Cloudformation | -| 74 | CKV_AWS_37 | resource | aws_eks_cluster | Ensure Amazon EKS control plane logging enabled for all log types | Terraform | -| 75 | CKV_AWS_38 | resource | aws_eks_cluster | Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0 | Terraform | -| 76 | CKV_AWS_39 | resource | aws_eks_cluster | Ensure Amazon EKS public endpoint disabled | Terraform | -| 77 | CKV_AWS_40 | resource | aws_iam_user_policy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Terraform | -| 78 | CKV_AWS_40 | resource | aws_iam_user_policy_attachment | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Terraform | -| 79 | CKV_AWS_40 | resource | aws_iam_policy_attachment | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Terraform | -| 80 | CKV_AWS_40 | resource | AWS::IAM::Policy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) 
| Cloudformation | -| 81 | CKV_AWS_41 | provider | aws | Ensure no hard coded AWS access key and secret key exists in provider | Terraform | -| 82 | CKV_AWS_41 | resource | serverless_aws | Ensure no hard coded AWS access key and secret key exists in provider | serverless | -| 83 | CKV_AWS_42 | resource | aws_efs_file_system | Ensure EFS is securely encrypted | Terraform | -| 84 | CKV_AWS_42 | resource | AWS::EFS::FileSystem | Ensure EFS is securely encrypted | Cloudformation | -| 85 | CKV_AWS_43 | resource | aws_kinesis_stream | Ensure Kinesis Stream is securely encrypted | Terraform | -| 86 | CKV_AWS_43 | resource | AWS::Kinesis::Stream | Ensure Kinesis Stream is securely encrypted | Cloudformation | -| 87 | CKV_AWS_44 | resource | aws_neptune_cluster | Ensure Neptune storage is securely encrypted | Terraform | -| 88 | CKV_AWS_44 | resource | AWS::Neptune::DBCluster | Ensure Neptune storage is securely encrypted | Cloudformation | -| 89 | CKV_AWS_45 | resource | aws_lambda_function | Ensure no hard-coded secrets exist in lambda environment | Terraform | -| 90 | CKV_AWS_45 | resource | AWS::Lambda::Function | Ensure no hard-coded secrets exist in lambda environment | Cloudformation | -| 91 | CKV_AWS_46 | resource | aws_instance | Ensure no hard-coded secrets exist in EC2 user data | Terraform | -| 92 | CKV_AWS_46 | resource | AWS::EC2::Instance | Ensure no hard-coded secrets exist in EC2 user data | Cloudformation | -| 93 | CKV_AWS_47 | resource | aws_dax_cluster | Ensure DAX is encrypted at rest (default is unencrypted) | Terraform | -| 94 | CKV_AWS_47 | resource | AWS::DAX::Cluster | Ensure DAX is encrypted at rest (default is unencrypted) | Cloudformation | -| 95 | CKV_AWS_48 | resource | aws_mq_broker | Ensure MQ Broker logging is enabled | Terraform | -| 96 | CKV_AWS_49 | data | aws_iam_policy_document | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | -| 97 | CKV_AWS_49 | resource | serverless_aws | Ensure no IAM policies 
documents allow "*" as a statement's actions | serverless | -| 98 | CKV_AWS_50 | resource | aws_lambda_function | X-ray tracing is enabled for Lambda | Terraform | -| 99 | CKV_AWS_51 | resource | aws_ecr_repository | Ensure ECR Image Tags are immutable | Terraform | -| 100 | CKV_AWS_51 | resource | AWS::ECR::Repository | Ensure ECR Image Tags are immutable | Cloudformation | -| 101 | CKV_AWS_53 | resource | aws_s3_bucket_public_access_block | Ensure S3 bucket has block public ACLS enabled | Terraform | -| 102 | CKV_AWS_53 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public ACLS enabled | Cloudformation | -| 103 | CKV_AWS_54 | resource | aws_s3_bucket_public_access_block | Ensure S3 bucket has block public policy enabled | Terraform | -| 104 | CKV_AWS_54 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public policy enabled | Cloudformation | -| 105 | CKV_AWS_55 | resource | aws_s3_bucket_public_access_block | Ensure S3 bucket has ignore public ACLs enabled | Terraform | -| 106 | CKV_AWS_55 | resource | AWS::S3::Bucket | Ensure S3 bucket has ignore public ACLs enabled | Cloudformation | -| 107 | CKV_AWS_56 | resource | aws_s3_bucket_public_access_block | Ensure S3 bucket has 'restrict_public_bucket' enabled | Terraform | -| 108 | CKV_AWS_56 | resource | AWS::S3::Bucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | Cloudformation | -| 109 | CKV_AWS_57 | resource | aws_s3_bucket | S3 Bucket has an ACL defined which allows public WRITE access. 
| Terraform | -| 110 | CKV_AWS_57 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow WRITE permissions to everyone | Cloudformation | -| 111 | CKV_AWS_58 | resource | aws_eks_cluster | Ensure EKS Cluster has Secrets Encryption Enabled | Terraform | -| 112 | CKV_AWS_58 | resource | AWS::EKS::Cluster | Ensure EKS Cluster has Secrets Encryption Enabled | Cloudformation | -| 113 | CKV_AWS_59 | resource | aws_api_gateway_method | Ensure there is no open access to back-end resources through API | Terraform | -| 114 | CKV_AWS_59 | resource | AWS::ApiGateway::Method | Ensure there is no open access to back-end resources through API | Cloudformation | -| 115 | CKV_AWS_60 | resource | aws_iam_role | Ensure IAM role allows only specific services or principals to assume it | Terraform | -| 116 | CKV_AWS_60 | resource | AWS::IAM::Role | Ensure IAM role allows only specific services or principals to assume it | Cloudformation | -| 117 | CKV_AWS_61 | resource | aws_iam_role | Ensure IAM role allows only specific principals in account to assume it | Terraform | -| 118 | CKV_AWS_61 | resource | AWS::IAM::Role | Ensure IAM role allows only specific principals in account to assume it | Cloudformation | -| 119 | CKV_AWS_62 | resource | aws_iam_role_policy | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform | -| 120 | CKV_AWS_62 | resource | aws_iam_user_policy | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform | -| 121 | CKV_AWS_62 | resource | aws_iam_group_policy | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform | -| 122 | CKV_AWS_62 | resource | aws_iam_policy | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform | -| 123 | CKV_AWS_63 | resource | aws_iam_role_policy | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | -| 124 | CKV_AWS_63 | resource | 
aws_iam_user_policy | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | -| 125 | CKV_AWS_63 | resource | aws_iam_group_policy | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | -| 126 | CKV_AWS_63 | resource | aws_iam_policy | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | -| 127 | CKV_AWS_64 | resource | aws_redshift_cluster | Ensure all data stored in the Redshift cluster is securely encrypted at rest | Terraform | -| 128 | CKV_AWS_64 | resource | AWS::Redshift::Cluster | Ensure all data stored in the Redshift cluster is securely encrypted at rest | Cloudformation | -| 129 | CKV_AWS_65 | resource | aws_ecs_cluster | Ensure container insights are enabled on ECS cluster | Terraform | -| 130 | CKV_AWS_65 | resource | AWS::ECS::Cluster | Ensure container insights are enabled on ECS cluster | Cloudformation | -| 131 | CKV_AWS_66 | resource | aws_cloudwatch_log_group | Ensure that CloudWatch Log Group specifies retention days | Terraform | -| 132 | CKV_AWS_66 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group specifies retention days | Cloudformation | -| 133 | CKV_AWS_67 | resource | aws_cloudtrail | Ensure CloudTrail is enabled in all Regions | Terraform | -| 134 | CKV_AWS_67 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail is enabled in all Regions | Cloudformation | -| 135 | CKV_AWS_68 | resource | aws_cloudfront_distribution | CloudFront Distribution should have WAF enabled | Terraform | -| 136 | CKV_AWS_68 | resource | AWS::CloudFront::Distribution | CloudFront Distribution should have WAF enabled | Cloudformation | -| 137 | CKV_AWS_69 | resource | aws_mq_broker | Ensure MQ Broker is not publicly exposed | Terraform | -| 138 | CKV_AWS_69 | resource | AWS::AmazonMQ::Broker | Ensure Amazon MQ Broker should not have public access | Cloudformation | -| 139 | CKV_AWS_70 | resource | aws_s3_bucket | Ensure S3 bucket does not allow an action with 
any Principal | Terraform | -| 140 | CKV_AWS_70 | resource | aws_s3_bucket_policy | Ensure S3 bucket does not allow an action with any Principal | Terraform | -| 141 | CKV_AWS_71 | resource | aws_redshift_cluster | Ensure Redshift Cluster logging is enabled | Terraform | -| 142 | CKV_AWS_71 | resource | AWS::Redshift::Cluster | Ensure Redshift Cluster logging is enabled | Cloudformation | -| 143 | CKV_AWS_72 | resource | aws_sqs_queue_policy | Ensure SQS policy does not allow ALL (*) actions. | Terraform | -| 144 | CKV_AWS_73 | resource | aws_api_gateway_stage | Ensure API Gateway has X-Ray Tracing enabled | Terraform | -| 145 | CKV_AWS_73 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has X-Ray Tracing enabled | Cloudformation | -| 146 | CKV_AWS_74 | resource | aws_docdb_cluster | Ensure DocDB is encrypted at rest (default is unencrypted) | Terraform | -| 147 | CKV_AWS_74 | resource | AWS::DocDB::DBCluster | Ensure DocDB is encrypted at rest (default is unencrypted) | Cloudformation | -| 148 | CKV_AWS_75 | resource | aws_globalaccelerator_accelerator | Ensure Global Accelerator accelerator has flow logs enabled | Terraform | -| 149 | CKV_AWS_76 | resource | aws_api_gateway_stage | Ensure API Gateway has Access Logging enabled | Terraform | -| 150 | CKV_AWS_76 | resource | aws_apigatewayv2_stage | Ensure API Gateway has Access Logging enabled | Terraform | -| 151 | CKV_AWS_76 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has Access Logging enabled | Cloudformation | -| 152 | CKV_AWS_77 | resource | aws_athena_database | Ensure Athena Database is encrypted at rest (default is unencrypted) | Terraform | -| 153 | CKV_AWS_78 | resource | aws_codebuild_project | Ensure that CodeBuild Project encryption is not disabled | Terraform | -| 154 | CKV_AWS_78 | resource | AWS::CodeBuild::Project | Ensure that CodeBuild Project encryption is not disabled | Cloudformation | -| 155 | CKV_AWS_79 | resource | aws_instance | Ensure Instance Metadata Service 
Version 1 is not enabled | Terraform | -| 156 | CKV_AWS_79 | resource | aws_launch_template | Ensure Instance Metadata Service Version 1 is not enabled | Terraform | -| 157 | CKV_AWS_79 | resource | AWS::EC2::LaunchTemplate | Ensure Instance Metadata Service Version 1 is not enabled | Cloudformation | -| 158 | CKV_AWS_80 | resource | aws_msk_cluster | Ensure MSK Cluster logging is enabled | Terraform | -| 159 | CKV_AWS_81 | resource | aws_msk_cluster | Ensure MSK Cluster encryption in rest and transit is enabled | Terraform | -| 160 | CKV_AWS_82 | resource | aws_athena_workgroup | Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption | Terraform | -| 161 | CKV_AWS_82 | resource | AWS::Athena::WorkGroup | Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption | Cloudformation | -| 162 | CKV_AWS_83 | resource | aws_elasticsearch_domain | Ensure Elasticsearch Domain enforces HTTPS | Terraform | -| 163 | CKV_AWS_83 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain enforces HTTPS | Cloudformation | -| 164 | CKV_AWS_84 | resource | aws_elasticsearch_domain | Ensure Elasticsearch Domain Logging is enabled | Terraform | -| 165 | CKV_AWS_84 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain Logging is enabled | Cloudformation | -| 166 | CKV_AWS_85 | resource | aws_docdb_cluster | Ensure DocDB Logging is enabled | Terraform | -| 167 | CKV_AWS_85 | resource | AWS::DocDB::DBCluster | Ensure DocDB Logging is enabled | Cloudformation | -| 168 | CKV_AWS_86 | resource | aws_cloudfront_distribution | Ensure Cloudfront distribution has Access Logging enabled | Terraform | -| 169 | CKV_AWS_86 | resource | AWS::CloudFront::Distribution | Ensure Cloudfront distribution has Access Logging enabled | Cloudformation | -| 170 | CKV_AWS_87 | resource | aws_redshift_cluster | Redshift cluster should not be publicly accessible | Terraform | -| 171 | CKV_AWS_87 | resource | 
AWS::Redshift::Cluster | Redshift cluster should not be publicly accessible | Cloudformation | -| 172 | CKV_AWS_88 | resource | aws_instance | EC2 instance should not have public IP. | Terraform | -| 173 | CKV_AWS_88 | resource | aws_launch_template | EC2 instance should not have public IP. | Terraform | -| 174 | CKV_AWS_88 | resource | AWS::EC2::LaunchTemplate | EC2 instance should not have public IP. | Cloudformation | -| 175 | CKV_AWS_88 | resource | AWS::EC2::Instance | EC2 instance should not have public IP. | Cloudformation | -| 176 | CKV_AWS_89 | resource | aws_dms_replication_instance | DMS replication instance should not be publicly accessible | Terraform | -| 177 | CKV_AWS_89 | resource | AWS::DMS::ReplicationInstance | DMS replication instance should not be publicly accessible | Cloudformation | -| 178 | CKV_AWS_90 | resource | aws_docdb_cluster_parameter_group | Ensure DocDB TLS is not disabled | Terraform | -| 179 | CKV_AWS_90 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB TLS is not disabled | Cloudformation | -| 180 | CKV_AWS_91 | resource | aws_lb | Ensure the ELBv2 (Application/Network) has access logging enabled | Terraform | -| 181 | CKV_AWS_91 | resource | aws_alb | Ensure the ELBv2 (Application/Network) has access logging enabled | Terraform | -| 182 | CKV_AWS_91 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure the ELBv2 (Application/Network) has access logging enabled | Cloudformation | -| 183 | CKV_AWS_92 | resource | aws_elb | Ensure the ELB has access logging enabled | Terraform | -| 184 | CKV_AWS_92 | resource | AWS::ElasticLoadBalancing::LoadBalancer | Ensure the ELB has access logging enabled | Cloudformation | -| 185 | CKV_AWS_93 | resource | aws_s3_bucket | Ensure S3 bucket policy does not lockout all but root user. (Prevent lockouts needing root account fixes) | Terraform | -| 186 | CKV_AWS_93 | resource | aws_s3_bucket_policy | Ensure S3 bucket policy does not lockout all but root user. 
(Prevent lockouts needing root account fixes) | Terraform | -| 187 | CKV_AWS_94 | resource | aws_glue_data_catalog_encryption_settings | Ensure Glue Data Catalog Encryption is enabled | Terraform | -| 188 | CKV_AWS_94 | resource | AWS::Glue::DataCatalogEncryptionSettings | Ensure Glue Data Catalog Encryption is enabled | Cloudformation | -| 189 | CKV_AWS_95 | resource | AWS::ApiGatewayV2::Stage | Ensure API Gateway V2 has Access Logging enabled | Cloudformation | -| 190 | CKV_AWS_96 | resource | aws_rds_cluster | Ensure all data stored in Aurora is securely encrypted at rest | Terraform | -| 191 | CKV_AWS_96 | resource | AWS::RDS::DBCluster | Ensure all data stored in Aurrora is securely encrypted at rest | Cloudformation | -| 192 | CKV_AWS_97 | resource | aws_ecs_task_definition | Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions | Terraform | -| 193 | CKV_AWS_97 | resource | AWS::ECS::TaskDefinition | Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions | Cloudformation | -| 194 | CKV_AWS_98 | resource | aws_sagemaker_endpoint_configuration | Ensure all data stored in the Sagemaker Endpoint is securely encrypted at rest | Terraform | -| 195 | CKV_AWS_99 | resource | aws_glue_security_configuration | Ensure Glue Security Configuration Encryption is enabled | Terraform | -| 196 | CKV_AWS_99 | resource | AWS::Glue::SecurityConfiguration | Ensure Glue Security Configuration Encryption is enabled | Cloudformation | -| 197 | CKV_AWS_100 | resource | aws_eks_node_group | Ensure Amazon EKS Node group has implict SSH access from 0.0.0.0/0 | Terraform | -| 198 | CKV_AWS_100 | resource | AWS::EKS::Nodegroup | Ensure Amazon EKS Node group has implict SSH access from 0.0.0.0/0 | Cloudformation | -| 199 | CKV_AWS_101 | resource | aws_neptune_cluster | Ensure Neptune logging is enabled | Terraform | -| 200 | CKV_AWS_101 | resource | AWS::Neptune::DBCluster | Ensure Neptune logging is enabled | Cloudformation | -| 201 | 
CKV_AWS_102 | resource | aws_neptune_cluster_instance | Ensure Neptune Cluster instance is not publicly available | Terraform | -| 202 | CKV_AWS_103 | resource | aws_lb_listener | Ensure that load balancer is using TLS 1.2 | Terraform | -| 203 | CKV_AWS_104 | resource | aws_docdb_cluster_parameter_group | Ensure DocDB has audit logs enabled | Terraform | -| 204 | CKV_AWS_104 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB has audit logs enabled | Cloudformation | -| 205 | CKV_AWS_105 | resource | aws_redshift_parameter_group | Ensure Redshift uses SSL | Terraform | -| 206 | CKV_AWS_105 | resource | AWS::Redshift::ClusterParameterGroup | Ensure Redshift uses SSL | Cloudformation | -| 207 | CKV_AWS_106 | resource | aws_ebs_encryption_by_default | Ensure EBS default encryption is enabled | Terraform | -| 208 | CKV_AWS_107 | data | aws_iam_policy_document | Ensure IAM policies does not allow credentials exposure | Terraform | -| 209 | CKV_AWS_107 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 210 | CKV_AWS_107 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 211 | CKV_AWS_107 | resource | AWS::IAM::Group | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 212 | CKV_AWS_107 | resource | AWS::IAM::Role | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 213 | CKV_AWS_107 | resource | AWS::IAM::User | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 214 | CKV_AWS_108 | data | aws_iam_policy_document | Ensure IAM policies does not allow data exfiltration | Terraform | -| 215 | CKV_AWS_108 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 216 | CKV_AWS_108 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 217 | CKV_AWS_108 | 
resource | AWS::IAM::Group | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 218 | CKV_AWS_108 | resource | AWS::IAM::Role | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 219 | CKV_AWS_108 | resource | AWS::IAM::User | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 220 | CKV_AWS_109 | data | aws_iam_policy_document | Ensure IAM policies does not allow permissions management / resource exposure without constraints | Terraform | -| 221 | CKV_AWS_109 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 222 | CKV_AWS_109 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 223 | CKV_AWS_109 | resource | AWS::IAM::Group | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 224 | CKV_AWS_109 | resource | AWS::IAM::Role | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 225 | CKV_AWS_109 | resource | AWS::IAM::User | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 226 | CKV_AWS_110 | data | aws_iam_policy_document | Ensure IAM policies does not allow privilege escalation | Terraform | -| 227 | CKV_AWS_110 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 228 | CKV_AWS_110 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 229 | CKV_AWS_110 | resource | AWS::IAM::Group | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 230 | CKV_AWS_110 | resource | AWS::IAM::Role | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 231 | CKV_AWS_110 | resource | AWS::IAM::User | Ensure IAM policies does not allow 
privilege escalation | Cloudformation | -| 232 | CKV_AWS_111 | data | aws_iam_policy_document | Ensure IAM policies does not allow write access without constraints | Terraform | -| 233 | CKV_AWS_111 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 234 | CKV_AWS_111 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 235 | CKV_AWS_111 | resource | AWS::IAM::Group | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 236 | CKV_AWS_111 | resource | AWS::IAM::Role | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 237 | CKV_AWS_111 | resource | AWS::IAM::User | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 238 | CKV_AWS_112 | resource | aws_ssm_document | Ensure Session Manager data is encrypted in transit | Terraform | -| 239 | CKV_AWS_113 | resource | aws_ssm_document | Ensure Session Manager logs are enabled and encrypted | Terraform | -| 240 | CKV_AWS_114 | resource | aws_emr_cluster | Ensure that EMR clusters with Kerberos have Kerberos Realm set | Terraform | -| 241 | CKV_AWS_115 | resource | aws_lambda_function | Ensure that AWS Lambda function is configured for function-level concurrent execution limit | Terraform | -| 242 | CKV_AWS_116 | resource | aws_lambda_function | Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ) | Terraform | -| 243 | CKV_AWS_117 | resource | aws_lambda_function | Ensure that AWS Lambda function is configured inside a VPC | Terraform | -| 244 | CKV_AWS_118 | resource | aws_db_instance | Ensure that enhanced monitoring is enabled for Amazon RDS instances | Terraform | -| 245 | CKV_AWS_118 | resource | aws_rds_cluster_instance | Ensure that enhanced monitoring is enabled for Amazon RDS instances | Terraform | -| 246 | CKV_AWS_119 | resource | 
aws_dynamodb_table | Ensure DynamoDB Tables are encrypted using KMS | Terraform | -| 247 | CKV_AWS_120 | resource | aws_api_gateway_stage | Ensure API Gateway caching is enabled | Terraform | -| 248 | CKV_AWS_120 | resource | AWS::ApiGateway::Stage | Ensure API Gateway caching is enabled | Cloudformation | -| 249 | CKV_AWS_121 | resource | aws_config_configuration_aggregator | Ensure AWS Config is enabled in all regions | Terraform | -| 250 | CKV_AWS_122 | resource | aws_sagemaker_notebook_instance | Ensure that direct internet access is disabled for an Amazon SageMaker Notebook Instance | Terraform | -| 251 | CKV_AWS_123 | resource | aws_vpc_endpoint_service | Ensure that VPC Endpoint Service is configured for Manual Acceptance | Terraform | -| 252 | CKV_AWS_123 | resource | AWS::EC2::VPCEndpointService | Ensure that VPC Endpoint Service is configured for Manual Acceptance | Cloudformation | -| 253 | CKV_AWS_124 | resource | aws_cloudformation_stack | Ensure that CloudFormation stacks are sending event notifications to an SNS topic | Terraform | -| 254 | CKV_AWS_126 | resource | aws_instance | Ensure that detailed monitoring is enabled for EC2 instances | Terraform | -| 255 | CKV_AWS_127 | resource | aws_elb | Ensure that Elastic Load Balancer(s) uses SSL certificates provided by AWS Certificate Manager | Terraform | -| 256 | CKV_AWS_128 | resource | aws_rds_cluster | Ensure that an Amazon RDS Clusters have AWS Identity and Access Management (IAM) authentication enabled | Terraform | -| 257 | CKV_AWS_129 | resource | aws_db_instance | Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled | Terraform | -| 258 | CKV_AWS_130 | resource | aws_subnet | Ensure VPC subnets do not assign public IP by default | Terraform | -| 259 | CKV_AWS_131 | resource | aws_lb | Ensure that ALB drops HTTP headers | Terraform | -| 260 | CKV_AWS_131 | resource | aws_alb | Ensure that ALB drops HTTP headers | Terraform | -| 261 | CKV_AWS_131 | resource 
| AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure that ALB drops HTTP headers | Cloudformation | -| 262 | CKV_AWS_133 | resource | aws_rds_cluster | Ensure that RDS instances has backup policy | Terraform | -| 263 | CKV_AWS_134 | resource | aws_elasticache_cluster | Ensure that Amazon ElastiCache Redis clusters have automatic backup turned on | Terraform | -| 264 | CKV_AWS_135 | resource | aws_instance | Ensure that EC2 is EBS optimized | Terraform | -| 265 | CKV_AWS_136 | resource | aws_ecr_repository | Ensure that ECR repositories are encrypted using KMS | Terraform | -| 266 | CKV_AWS_136 | resource | AWS::ECR::Repository | Ensure that ECR repositories are encrypted using KMS | Cloudformation | -| 267 | CKV_AWS_137 | resource | aws_elasticsearch_domain | Ensure that Elasticsearch is configured inside a VPC | Terraform | -| 268 | CKV_AWS_138 | resource | aws_elb | Ensure that ELB is cross-zone-load-balancing enabled | Terraform | -| 269 | CKV_AWS_139 | resource | aws_rds_cluster | Ensure that RDS clusters have deletion protection enabled | Terraform | -| 270 | CKV_AWS_140 | resource | aws_rds_global_cluster | Ensure that RDS global clusters are encrypted | Terraform | -| 271 | CKV_AWS_141 | resource | aws_redshift_cluster | Ensured that redshift cluster allowing version upgrade by default | Terraform | -| 272 | CKV_AWS_142 | resource | aws_redshift_cluster | Ensure that Redshift cluster is encrypted by KMS | Terraform | -| 273 | CKV_AWS_143 | resource | aws_s3_bucket | Ensure that S3 bucket has lock configuration enabled by default | Terraform | -| 274 | CKV_AWS_144 | resource | aws_s3_bucket | Ensure that S3 bucket has cross-region replication enabled | Terraform | -| 275 | CKV_AWS_145 | resource | aws_s3_bucket | Ensure that S3 buckets are encrypted with KMS by default | Terraform | -| 276 | CKV_AWS_146 | resource | aws_db_cluster_snapshot | Ensure that RDS database cluster snapshot is encrypted | Terraform | -| 277 | CKV_AWS_147 | resource | 
aws_codebuild_project | Ensure that CodeBuild projects are encrypted | Terraform |
-| 278 | CKV_AWS_148 | resource | aws_default_vpc | Ensure no default VPC is planned to be provisioned | Terraform |
-| 279 | CKV_AWS_149 | resource | aws_secretsmanager_secret | Ensure that Secrets Manager secret is encrypted using KMS | Terraform |
-| 280 | CKV_AWS_150 | resource | aws_lb | Ensure that Load Balancer has deletion protection enabled | Terraform |
-| 281 | CKV_AWS_150 | resource | aws_alb | Ensure that Load Balancer has deletion protection enabled | Terraform |
-| 282 | CKV_AWS_151 | resource | aws_eks_cluster | Ensure Kubernetes Secrets are encrypted using Customer Master Keys (CMKs) managed in AWS KMS | Terraform |
-| 283 | CKV_AWS_152 | resource | aws_lb | Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled | Terraform |
-| 284 | CKV_AWS_152 | resource | aws_alb | Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled | Terraform |
-| 285 | CKV_AWS_153 | resource | aws_autoscaling_group | Autoscaling groups should supply tags to launch configurations | Terraform |
-| 286 | CKV_AWS_154 | resource | aws_redshift_cluster | Ensure Redshift is not deployed outside of a VPC | Terraform |
-| 287 | CKV_AWS_154 | resource | AWS::Redshift::Cluster | Ensure Redshift is not deployed outside of a VPC | Cloudformation |
-| 288 | CKV_AWS_155 | resource | aws_workspaces_workspace | Ensure that Workspace user volumes are encrypted | Terraform |
-| 289 | CKV_AWS_155 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace user volumes are encrypted | Cloudformation |
-| 290 | CKV_AWS_156 | resource | aws_workspaces_workspace | Ensure that Workspace root volumes are encrypted | Terraform |
-| 291 | CKV_AWS_156 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace root volumes are encrypted | Cloudformation |
-| 292 | CKV_AWS_157 | resource | aws_db_instance | Ensure that RDS instances have Multi-AZ enabled | Terraform |
-| 293 | CKV_AWS_157 | resource | AWS::RDS::DBInstance | Ensure that RDS instances have Multi-AZ enabled | Cloudformation |
-| 294 | CKV_AWS_158 | resource | aws_cloudwatch_log_group | Ensure that CloudWatch Log Group is encrypted by KMS | Terraform |
-| 295 | CKV_AWS_158 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group is encrypted by KMS | Cloudformation |
-| 296 | CKV_AWS_159 | resource | aws_athena_workgroup | Ensure that Athena Workgroup is encrypted | Terraform |
-| 297 | CKV_AWS_160 | resource | aws_timestreamwrite_database | Ensure that Timestream database is encrypted with KMS CMK | Terraform |
-| 298 | CKV_AWS_160 | resource | AWS::Timestream::Database | Ensure that Timestream database is encrypted with KMS CMK | Cloudformation |
-| 299 | CKV_AWS_161 | resource | aws_db_instance | Ensure RDS database has IAM authentication enabled | Terraform |
-| 300 | CKV_AWS_161 | resource | AWS::RDS::DBInstance | Ensure RDS database has IAM authentication enabled | Cloudformation |
-| 301 | CKV_AWS_162 | resource | aws_rds_cluster | Ensure RDS cluster has IAM authentication enabled | Terraform |
-| 302 | CKV_AWS_162 | resource | AWS::RDS::DBCluster | Ensure RDS cluster has IAM authentication enabled | Cloudformation |
-| 303 | CKV_AWS_163 | resource | aws_ecr_repository | Ensure ECR image scanning on push is enabled | Terraform |
-| 304 | CKV_AWS_163 | resource | AWS::ECR::Repository | Ensure ECR image scanning on push is enabled | Cloudformation |
-| 305 | CKV_AWS_164 | resource | aws_transfer_server | Ensure Transfer Server is not exposed publicly. | Terraform |
-| 306 | CKV_AWS_164 | resource | AWS::Transfer::Server | Ensure Transfer Server is not exposed publicly. | Cloudformation |
-| 307 | CKV_AWS_165 | resource | aws_dynamodb_global_table | Ensure Dynamodb point in time recovery (backup) is enabled for global tables | Terraform |
-| 308 | CKV_AWS_165 | resource | AWS::DynamoDB::GlobalTable | Ensure Dynamodb global table point in time recovery (backup) is enabled | Cloudformation |
-| 309 | CKV_AWS_166 | resource | aws_backup_vault | Ensure Backup Vault is encrypted at rest using KMS CMK | Terraform |
-| 310 | CKV_AWS_166 | resource | AWS::Backup::BackupVault | Ensure Backup Vault is encrypted at rest using KMS CMK | Cloudformation |
-| 311 | CKV_AWS_167 | resource | aws_glacier_vault | Ensure Glacier Vault access policy is not public by only allowing specific services or principals to access it | Terraform |
-| 312 | CKV_AWS_168 | resource | aws_sqs_queue_policy | Ensure SQS queue policy is not public by only allowing specific services or principals to access it | Terraform |
-| 313 | CKV_AWS_169 | resource | aws_sns_topic_policy | Ensure SNS topic policy is not public by only allowing specific services or principals to access it | Terraform |
-| 314 | CKV_AWS_170 | resource | aws_qldb_ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Terraform |
-| 315 | CKV_AWS_170 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Cloudformation |
-| 316 | CKV_AWS_171 | resource | aws_emr_security_configuration | Ensure Cluster security configuration encryption is using SSE-KMS | Terraform |
-| 317 | CKV2_AWS_1 | resource | aws_network_acl | Ensure that all NACL are attached to subnets | Terraform |
-| 318 | CKV2_AWS_1 | resource | aws_subnet | Ensure that all NACL are attached to subnets | Terraform |
-| 319 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform |
-| 320 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform |
-| 321 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform |
-| 322 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform |
-| 323 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform |
-| 324 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform |
-| 325 | CKV2_AWS_5 | resource | aws_security_group | Ensure that Security Groups are attached to an other resource | Terraform |
-| 326 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform |
-| 327 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform |
-| 328 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform |
-| 329 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform |
-| 330 | CKV2_AWS_8 | resource | aws_rds_cluster | Ensure that RDS clusters has backup plan of AWS Backup | Terraform |
-| 331 | CKV2_AWS_9 | resource | aws_backup_selection | Ensure that EBS are added in the backup plans of AWS Backup | Terraform |
-| 332 | CKV2_AWS_10 | resource | aws_cloudtrail | Ensure CloudTrail trails are integrated with CloudWatch Logs | Terraform |
-| 333 | CKV2_AWS_11 | resource | aws_vpc | Ensure VPC flow logging is enabled in all VPCs | Terraform |
-| 334 | CKV2_AWS_12 | resource | aws_default_security_group | Ensure the default security group of every VPC restricts all traffic | Terraform |
-| 335 | CKV2_AWS_12 | resource | aws_vpc | Ensure the default security group of every VPC restricts all traffic | Terraform |
-| 336 | CKV2_AWS_13 | resource | aws_redshift_cluster | Ensure that Redshift clusters has backup plan of AWS Backup | Terraform |
-| 337 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform |
-| 338 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform |
-| 339 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform |
-| 340 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform |
-| 341 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform |
-| 342 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform |
-| 343 | CKV2_AWS_18 | resource | aws_backup_selection | Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup | Terraform |
-| 344 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform |
-| 345 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform |
-| 346 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform |
-| 347 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform |
-| 348 | CKV2_AWS_21 | resource | aws_iam_group_membership | Ensure that all IAM users are members of at least one IAM group. | Terraform |
-| 349 | CKV2_AWS_22 | resource | aws_iam_user | Ensure an IAM User does not have access to the console | Terraform |
-| 350 | CKV2_AWS_23 | resource | aws_route53_record | Route53 A Record has Attached Resource | Terraform |
-| 351 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Postgres RDS has Query Logging enabled | Terraform |
-| 352 | CKV2_AWS_27 | resource | aws_db_instance | Postgres RDS has Query Logging enabled | Terraform |
-| 353 | CKV2_AWS_28 | resource | aws_lb | Ensure public facing ALB are protected by WAF | Terraform |
-| 354 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform |
-| 355 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform |
-| 356 | CKV_AZURE_1 | resource | azurerm_linux_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform |
-| 357 | CKV_AZURE_1 | resource | azurerm_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform |
-| 358 | CKV_AZURE_1 | resource | Microsoft.Compute/virtualMachines | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | arm |
-| 359 | CKV_AZURE_2 | resource | azurerm_managed_disk | Ensure Azure managed disk has encryption enabled | Terraform |
-| 360 | CKV_AZURE_2 | resource | Microsoft.Compute/disks | Ensure Azure managed disk have encryption enabled | arm |
-| 361 | CKV_AZURE_3 | resource | azurerm_storage_account | Ensure that 'Secure transfer required' is set to 'Enabled' | Terraform |
-| 362 | CKV_AZURE_3 | resource | Microsoft.Storage/storageAccounts | Ensure that 'supportsHttpsTrafficOnly' is set to 'true' | arm |
-| 363 | CKV_AZURE_4 | resource | azurerm_kubernetes_cluster | Ensure AKS logging to Azure Monitoring is Configured | Terraform |
-| 364 | CKV_AZURE_4 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS logging to Azure Monitoring is Configured | arm |
-| 365 | CKV_AZURE_5 | resource | azurerm_kubernetes_cluster | Ensure RBAC is enabled on AKS clusters | Terraform |
-| 366 | CKV_AZURE_5 | resource | Microsoft.ContainerService/managedClusters | Ensure RBAC is enabled on AKS clusters | arm |
-| 367 | CKV_AZURE_6 | resource | azurerm_kubernetes_cluster | Ensure AKS has an API Server Authorized IP Ranges enabled | Terraform |
-| 368 | CKV_AZURE_6 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS has an API Server Authorized IP Ranges enabled | arm |
-| 369 | CKV_AZURE_7 | resource | azurerm_kubernetes_cluster | Ensure AKS cluster has Network Policy configured | Terraform |
-| 370 | CKV_AZURE_7 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS cluster has Network Policy configured | arm |
-| 371 | CKV_AZURE_8 | resource | azurerm_kubernetes_cluster | Ensure Kube Dashboard is disabled | Terraform |
-| 372 | CKV_AZURE_8 | resource | Microsoft.ContainerService/managedClusters | Ensure Kubernetes Dashboard is disabled | arm |
-| 373 | CKV_AZURE_9 | resource | azurerm_network_security_rule | Ensure that RDP access is restricted from the internet | Terraform |
-| 374 | CKV_AZURE_9 | resource | azurerm_network_security_group | Ensure that RDP access is restricted from the internet | Terraform |
-| 375 | CKV_AZURE_9 | resource | Microsoft.Network/networkSecurityGroups | Ensure that RDP access is restricted from the internet | arm |
-| 376 | CKV_AZURE_9 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that RDP access is restricted from the internet | arm |
-| 377 | CKV_AZURE_10 | resource | azurerm_network_security_rule | Ensure that SSH access is restricted from the internet | Terraform |
-| 378 | CKV_AZURE_10 | resource | azurerm_network_security_group | Ensure that SSH access is restricted from the internet | Terraform |
-| 379 | CKV_AZURE_10 | resource | Microsoft.Network/networkSecurityGroups | Ensure that SSH access is restricted from the internet | arm |
-| 380 | CKV_AZURE_10 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that SSH access is restricted from the internet | arm |
-| 381 | CKV_AZURE_11 | resource | azurerm_mariadb_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform |
-| 382 | CKV_AZURE_11 | resource | azurerm_sql_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform |
-| 383 | CKV_AZURE_11 | resource | azurerm_postgresql_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform |
-| 384 | CKV_AZURE_11 | resource | azurerm_mysql_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform |
-| 385 | CKV_AZURE_11 | resource | Microsoft.Sql/servers | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | arm |
-| 386 | CKV_AZURE_12 | resource | azurerm_network_watcher_flow_log | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Terraform |
-| 387 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/flowLogs | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | arm |
-| 388 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/FlowLogs | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | arm |
-| 389 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/flowLogs/ | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | arm |
-| 390 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/FlowLogs/ | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | arm |
-| 391 | CKV_AZURE_13 | resource | azurerm_app_service | Ensure App Service Authentication is set on Azure App Service | Terraform |
-| 392 | CKV_AZURE_13 | resource | Microsoft.Web/sites/config | Ensure App Service Authentication is set on Azure App Service | arm |
-| 393 | CKV_AZURE_13 | resource | config | Ensure App Service Authentication is set on Azure App Service | arm |
-| 394 | CKV_AZURE_14 | resource | azurerm_app_service | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | Terraform |
-| 395 | CKV_AZURE_14 | resource | Microsoft.Web/sites | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | arm |
-| 396 | CKV_AZURE_15 | resource | azurerm_app_service | Ensure web app is using the latest version of TLS encryption | Terraform |
-| 397 | CKV_AZURE_15 | resource | Microsoft.Web/sites | Ensure web app is using the latest version of TLS encryption | arm |
-| 398 | CKV_AZURE_16 | resource | azurerm_app_service | Ensure that Register with Azure Active Directory is enabled on App Service | Terraform |
-| 399 | CKV_AZURE_16 | resource | Microsoft.Web/sites | Ensure that Register with Azure Active Directory is enabled on App Service | arm |
-| 400 | CKV_AZURE_17 | resource | azurerm_app_service | Ensure the web app has 'Client Certificates (Incoming client certificates)' set | Terraform |
-| 401 | CKV_AZURE_17 | resource | Microsoft.Web/sites | Ensure the web app has 'Client Certificates (Incoming client certificates)' set | arm |
-| 402 | CKV_AZURE_18 | resource | azurerm_app_service | Ensure that 'HTTP Version' is the latest if used to run the web app | Terraform |
-| 403 | CKV_AZURE_18 | resource | Microsoft.Web/sites | Ensure that 'HTTP Version' is the latest if used to run the web app | arm |
-| 404 | CKV_AZURE_19 | resource | azurerm_security_center_subscription_pricing | Ensure that standard pricing tier is selected | Terraform |
-| 405 | CKV_AZURE_19 | resource | Microsoft.Security/pricings | Ensure that standard pricing tier is selected | arm |
-| 406 | CKV_AZURE_20 | resource | azurerm_security_center_contact | Ensure that security contact 'Phone number' is set | Terraform |
-| 407 | CKV_AZURE_20 | resource | Microsoft.Security/securityContacts | Ensure that security contact 'Phone number' is set | arm |
-| 408 | CKV_AZURE_21 | resource | azurerm_security_center_contact | Ensure that 'Send email notification for high severity alerts' is set to 'On' | Terraform |
-| 409 | CKV_AZURE_21 | resource | Microsoft.Security/securityContacts | Ensure that 'Send email notification for high severity alerts' is set to 'On' | arm |
-| 410 | CKV_AZURE_22 | resource | azurerm_security_center_contact | Ensure that 'Send email notification for high severity alerts' is set to 'On' | Terraform |
-| 411 | CKV_AZURE_22 | resource | Microsoft.Security/securityContacts | Ensure that 'Send email notification for high severity alerts' is set to 'On' | arm |
-| 412 | CKV_AZURE_23 | resource | azurerm_sql_server | Ensure that 'Auditing' is set to 'On' for SQL servers | Terraform |
-| 413 | CKV_AZURE_23 | resource | azurerm_mssql_server | Ensure that 'Auditing' is set to 'On' for SQL servers | Terraform |
-| 414 | CKV_AZURE_23 | resource | Microsoft.Sql/servers | Ensure that 'Auditing' is set to 'Enabled' for SQL servers | arm |
-| 415 | CKV_AZURE_24 | resource | azurerm_sql_server | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Terraform |
-| 416 | CKV_AZURE_24 | resource | azurerm_mssql_server | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Terraform |
-| 417 | CKV_AZURE_24 | resource | Microsoft.Sql/servers | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | arm |
-| 418 | CKV_AZURE_25 | resource | azurerm_mssql_server_security_alert_policy | Ensure that 'Threat Detection types' is set to 'All' | Terraform |
-| 419 | CKV_AZURE_25 | resource | Microsoft.Sql/servers/databases | Ensure that 'Threat Detection types' is set to 'All' | arm |
-| 420 | CKV_AZURE_26 | resource | azurerm_mssql_server_security_alert_policy | Ensure that 'Send Alerts To' is enabled for MSSQL servers | Terraform |
-| 421 | CKV_AZURE_26 | resource | Microsoft.Sql/servers/databases | Ensure that 'Send Alerts To' is enabled for MSSQL servers | arm |
-| 422 | CKV_AZURE_27 | resource | azurerm_mssql_server_security_alert_policy | Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers | Terraform |
-| 423 | CKV_AZURE_27 | resource | Microsoft.Sql/servers/databases | Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers | arm |
-| 424 | CKV_AZURE_28 | resource | azurerm_mysql_server | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server | Terraform |
-| 425 | CKV_AZURE_28 | resource | Microsoft.DBforMySQL/servers | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server | arm |
-| 426 | CKV_AZURE_29 | resource | azurerm_postgresql_server | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | Terraform |
-| 427 | CKV_AZURE_29 | resource | Microsoft.DBforPostgreSQL/servers | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | arm |
-| 428 | CKV_AZURE_30 | resource | azurerm_postgresql_configuration | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | Terraform |
-| 429 | CKV_AZURE_30 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | arm |
-| 430 | CKV_AZURE_30 | resource | configurations | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | arm |
-| 431 | CKV_AZURE_31 | resource | azurerm_postgresql_configuration | Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server | Terraform |
-| 432 | CKV_AZURE_31 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure configuration 'log_connections' is set to 'ON' for PostgreSQL Database Server | arm |
-| 433 | CKV_AZURE_31 | resource | configurations | Ensure configuration 'log_connections' is set to 'ON' for PostgreSQL Database Server | arm |
-| 434 | CKV_AZURE_32 | resource | azurerm_postgresql_configuration | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | Terraform |
-| 435 | CKV_AZURE_32 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | arm |
-| 436 | CKV_AZURE_32 | resource | configurations | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | arm |
-| 437 | CKV_AZURE_33 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Queue service for read, write and delete requests | Terraform |
-| 438 | CKV_AZURE_33 | resource | Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings | Ensure Storage logging is enabled for Queue service for read, write and delete requests | arm |
-| 439 | CKV_AZURE_34 | resource | azurerm_storage_container | Ensure that 'Public access level' is set to Private for blob containers | Terraform |
-| 440 | CKV_AZURE_34 | resource | Microsoft.Storage/storageAccounts/blobServices/containers | Ensure that 'Public access level' is set to Private for blob containers | arm |
-| 441 | CKV_AZURE_34 | resource | containers | Ensure that 'Public access level' is set to Private for blob containers | arm |
-| 442 | CKV_AZURE_34 | resource | blobServices/containers | Ensure that 'Public access level' is set to Private for blob containers | arm |
-| 443 | CKV_AZURE_35 | resource | azurerm_storage_account | Ensure default network access rule for Storage Accounts is set to deny | Terraform |
-| 444 | CKV_AZURE_35 | resource | azurerm_storage_account_network_rules | Ensure default network access rule for Storage Accounts is set to deny | Terraform |
-| 445 | CKV_AZURE_35 | resource | Microsoft.Storage/storageAccounts | Ensure default network access rule for Storage Accounts is set to deny | arm |
-| 446 | CKV_AZURE_36 | resource | azurerm_storage_account | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | Terraform |
-| 447 | CKV_AZURE_36 | resource | azurerm_storage_account_network_rules | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | Terraform |
-| 448 | CKV_AZURE_36 | resource | Microsoft.Storage/storageAccounts | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | arm |
-| 449 | CKV_AZURE_37 | resource | azurerm_monitor_log_profile | Ensure that Activity Log Retention is set 365 days or greater | Terraform |
-| 450 | CKV_AZURE_37 | resource | microsoft.insights/logprofiles | Ensure that Activity Log Retention is set 365 days or greater | arm |
-| 451 | CKV_AZURE_38 | resource | azurerm_monitor_log_profile | Ensure audit profile captures all the activities | Terraform |
-| 452 | CKV_AZURE_38 | resource | microsoft.insights/logprofiles | Ensure audit profile captures all the activities | arm |
-| 453 | CKV_AZURE_39 | resource | azurerm_role_definition | Ensure that no custom subscription owner roles are created | Terraform |
-| 454 | CKV_AZURE_39 | resource | Microsoft.Authorization/roleDefinitions | Ensure that no custom subscription owner roles are created | arm |
-| 455 | CKV_AZURE_40 | resource | azurerm_key_vault_key | Ensure that the expiration date is set on all keys | Terraform |
-| 456 | CKV_AZURE_41 | resource | azurerm_key_vault_secret | Ensure that the expiration date is set on all secrets | Terraform |
-| 457 | CKV_AZURE_41 | resource | Microsoft.KeyVault/vaults/secrets | Ensure that the expiration date is set on all secrets | arm |
-| 458 | CKV_AZURE_42 | resource | azurerm_key_vault | Ensure the key vault is recoverable | Terraform |
-| 459 | CKV_AZURE_42 | resource | Microsoft.KeyVault/vaults | Ensure the key vault is recoverable | arm |
-| 460 | CKV_AZURE_43 | resource | azurerm_storage_account | Ensure the Storage Account naming rules | Terraform |
-| 461 | CKV_AZURE_44 | resource | azurerm_storage_account | Ensure Storage Account is using the latest version of TLS encryption | Terraform |
-| 462 | CKV_AZURE_45 | resource | azurerm_virtual_machine | Ensure that no sensitive credentials are exposed in VM custom_data | Terraform |
-| 463 | CKV_AZURE_46 | resource | azurerm_mssql_database_extended_auditing_policy | Specifies a retention period of less than 90 days. | Terraform |
-| 464 | CKV_AZURE_47 | resource | azurerm_mariadb_server | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MariaDB servers | Terraform |
-| 465 | CKV_AZURE_48 | resource | azurerm_mariadb_server | Ensure 'public network access enabled' is set to 'False' for MariaDB servers | Terraform |
-| 466 | CKV_AZURE_49 | resource | azurerm_linux_virtual_machine_scale_set | Ensure Azure linux scale set does not use basic authentication(Use SSH Key Instead) | Terraform |
-| 467 | CKV_AZURE_50 | resource | azurerm_linux_virtual_machine | Ensure Virtual Machine Extensions are not Installed | Terraform |
-| 468 | CKV_AZURE_50 | resource | azurerm_virtual_machine | Ensure Virtual Machine Extensions are not Installed | Terraform |
-| 469 | CKV_AZURE_52 | resource | azurerm_mssql_server | Ensure MSSQL is using the latest version of TLS encryption | Terraform |
-| 470 | CKV_AZURE_53 | resource | azurerm_mysql_server | Ensure 'public network access enabled' is set to 'False' for mySQL servers | Terraform |
-| 471 | CKV_AZURE_54 | resource | azurerm_mysql_server | Ensure MySQL is using the latest version of TLS encryption | Terraform |
-| 472 | CKV_AZURE_55 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Servers | Terraform |
-| 473 | CKV_AZURE_56 | resource | azurerm_function_app | Ensure that function apps enables Authentication | Terraform |
-| 474 | CKV_AZURE_57 | resource | azurerm_app_service | Ensure that CORS disallows every resource to access app services | Terraform |
-| 475 | CKV_AZURE_58 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces enables managed virtual networks | Terraform |
-| 476 | CKV_AZURE_59 | resource | azurerm_storage_account | Ensure that Storage accounts disallow public access | Terraform |
-| 477 | CKV_AZURE_60 | resource | azurerm_storage_account | Ensure that storage account enables secure transfer | Terraform |
-| 478 | CKV_AZURE_61 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for App Service | Terraform |
-| 479 | CKV_AZURE_62 | resource | azurerm_function_app | Ensure function apps are not accessible from all regions | Terraform |
-| 480 | CKV_AZURE_63 | resource | azurerm_app_service | Ensure that App service enables HTTP logging | Terraform |
-| 481 | CKV_AZURE_64 | resource | azurerm_storage_sync | Ensure that Azure File Sync disables public network access | Terraform |
-| 482 | CKV_AZURE_65 | resource | azurerm_app_service | Ensure that App service enables detailed error messages | Terraform |
-| 483 | CKV_AZURE_66 | resource | azurerm_app_service | Ensure that App service enables failed request tracing | Terraform |
-| 484 | CKV_AZURE_67 | resource | azurerm_function_app | Ensure that 'HTTP Version' is the latest, if used to run the Function app | Terraform |
-| 485 | CKV_AZURE_68 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server disables public network access | Terraform |
-| 486 | CKV_AZURE_69 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Azure SQL database servers | Terraform |
-| 487 | CKV_AZURE_70 | resource | azurerm_function_app | Ensure that Function apps is only accessible over HTTPS | Terraform |
-| 488 | CKV_AZURE_71 | resource | azurerm_app_service | Ensure that Managed identity provider is enabled for app services | Terraform |
-| 489 | CKV_AZURE_72 | resource | azurerm_app_service | Ensure that remote debugging is not enabled for app services | Terraform |
-| 490 | CKV_AZURE_73 | resource | azurerm_automation_variable_bool | Ensure that Automation account variables are encrypted | Terraform |
-| 491 | CKV_AZURE_73 | resource | azurerm_automation_variable_string | Ensure that Automation account variables are encrypted | Terraform |
-| 492 | CKV_AZURE_73 | resource | azurerm_automation_variable_int | Ensure that Automation account variables are encrypted | Terraform |
-| 493 | CKV_AZURE_73 | resource | azurerm_automation_variable_datetime | Ensure that Automation account variables are encrypted | Terraform |
-| 494 | CKV_AZURE_74 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer uses disk encryption | Terraform |
-| 495 | CKV_AZURE_75 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer uses double encryption | Terraform |
-| 496 | CKV_AZURE_76 | resource | azurerm_batch_account | Ensure that Azure Batch account uses key vault to encrypt data | Terraform |
-| 497 | CKV_AZURE_77 | resource | azurerm_network_security_rule | Ensure that UDP Services are restricted from the Internet | Terraform |
-| 498 | CKV_AZURE_77 | resource | azurerm_network_security_group | Ensure that UDP Services are restricted from the Internet | Terraform |
-| 499 | CKV_AZURE_78 | resource | azurerm_app_service | Ensure FTP deployments are disabled | Terraform |
-| 500 | CKV_AZURE_79 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for SQL servers on machines | Terraform |
-| 501 | CKV_AZURE_80 | resource | azurerm_app_service | Ensure that 'Net Framework' version is the latest, if used as a part of the web app | Terraform |
-| 502 | CKV_AZURE_81 | resource | azurerm_app_service | Ensure that 'PHP version' is the latest, if used to run the web app | Terraform |
-| 503 | CKV_AZURE_82 | resource | azurerm_app_service | Ensure that 'Python version' is the latest, if used to run the web app | Terraform |
-| 504 | CKV_AZURE_83 | resource | azurerm_app_service | Ensure that 'Java version' is the latest, if used to run the web app | Terraform |
-| 505 | CKV_AZURE_84 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Storage | Terraform |
-| 506 | CKV_AZURE_85 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Kubernetes | Terraform |
-| 507 | CKV_AZURE_86 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Container Registries | Terraform |
-| 508 | CKV_AZURE_87 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Key Vault | Terraform |
-| 509 | CKV_AZURE_88 | resource | azurerm_app_service | Ensure that app services use Azure Files | Terraform |
-| 510 | CKV_AZURE_89 | resource | azurerm_redis_cache | Ensure that Azure Cache for Redis disables public network access | Terraform |
-| 511 | CKV_AZURE_90 | resource | azurerm_mysql_server | Ensure that MySQL server disables public network access | Terraform |
-| 512 | CKV_AZURE_91 | resource | azurerm_redis_cache | Ensure that only SSL are enabled for Cache for Redis | Terraform |
-| 513 | CKV_AZURE_92 | resource | azurerm_linux_virtual_machine | Ensure that Virtual Machines use managed disks | Terraform |
-| 514 | CKV_AZURE_92 | resource | azurerm_windows_virtual_machine | Ensure that Virtual Machines use managed disks | Terraform |
-| 515 | CKV_AZURE_93 | resource | azurerm_managed_disk | Ensure that managed disks use a specific set of disk encryption sets for the customer-managed key encryption | Terraform |
-| 516 | CKV_AZURE_94 | resource | azurerm_mysql_server | Ensure that My SQL server enables geo-redundant backups | Terraform |
-| 517 | CKV_AZURE_95 | resource | azurerm_virtual_machine_scale_set | Ensure that automatic OS image patching is enabled for Virtual Machine Scale Sets | Terraform |
-| 518 | CKV_AZURE_96 | resource | azurerm_mysql_server | Ensure that MySQL server enables infrastructure encryption | Terraform |
-| 519 | CKV_AZURE_97 | resource | azurerm_linux_virtual_machine_scale_set | Ensure that Virtual machine scale sets have encryption at host enabled | Terraform |
-| 520 | CKV_AZURE_97 | resource | azurerm_windows_virtual_machine_scale_set | Ensure that Virtual machine scale sets have encryption at host enabled | Terraform |
-| 521 | CKV_AZURE_98 | resource | azurerm_container_group | Ensure that Azure Container group is deployed into virtual network | Terraform |
-| 522 | CKV_AZURE_99 | resource | azurerm_cosmosdb_account | Ensure Cosmos DB accounts have restricted access | Terraform |
-| 523 | CKV_AZURE_100 | resource | azurerm_cosmosdb_account | Ensure that Cosmos DB accounts have customer-managed keys to encrypt data at rest | Terraform |
-| 524 | CKV_AZURE_101 | resource | azurerm_cosmosdb_account | Ensure that Azure Cosmos DB disables public network access | Terraform |
-| 525 | CKV_AZURE_102 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables geo-redundant backups | Terraform |
-| 526 | CKV_AZURE_103 | resource | azurerm_data_factory | Ensure that Azure Data Factory uses Git repository for source control | Terraform |
-| 527 | CKV_AZURE_104 | resource | azurerm_data_factory | Ensure that Azure Data factory public network access is disabled | Terraform |
-| 528 | CKV_AZURE_105 | resource | azurerm_data_lake_store | Ensure that Data Lake Store accounts enables encryption | Terraform |
-| 529 | CKV_AZURE_106 | resource | azurerm_eventgrid_domain | Ensure that Azure Event Grid Domain public network access is disabled | Terraform |
-| 530 | CKV_AZURE_107 | resource | azurerm_api_management | Ensure that API management services use virtual networks | Terraform |
-| 531 | CKV_AZURE_108 | resource | azurerm_iothub | Ensure that Azure IoT Hub disables public network access | Terraform |
-| 532 | CKV_AZURE_109 | resource | azurerm_key_vault | Ensure that key vault allows firewall rules settings | Terraform |
-| 533 | CKV_AZURE_110 | resource | azurerm_key_vault | Ensure that key vault enables purge protection | Terraform |
-| 534 | CKV_AZURE_111 | resource | azurerm_key_vault | Ensure that key vault enables soft delete | Terraform |
-| 535 | CKV_AZURE_112 | resource | azurerm_key_vault_key | Ensure that key vault key is backed by HSM | Terraform |
-| 536 | CKV_AZURE_113 | resource | azurerm_mssql_server | Ensure that SQL server disables public network access | Terraform |
-| 537 | CKV_AZURE_114 | resource | azurerm_key_vault_secret | Ensure that key vault secrets have "content_type" set | Terraform |
-| 538 | CKV_AZURE_115 | resource | azurerm_kubernetes_cluster | Ensure that AKS enables private clusters | Terraform |
-| 539 | CKV_AZURE_116 | resource | azurerm_kubernetes_cluster | Ensure that AKS uses Azure Policies Add-on | Terraform |
-| 540 | CKV_AZURE_117 | resource | azurerm_kubernetes_cluster | Ensure that AKS uses disk encryption set | Terraform |
-| 541 | CKV_AZURE_118 | resource | azurerm_network_interface | Ensure that Network Interfaces disable IP forwarding | Terraform |
-| 542 | CKV_AZURE_119 | resource | azurerm_network_interface | Ensure that Network Interfaces don't use public IPs | Terraform |
-| 543 | CKV_AZURE_120 | resource | azurerm_application_gateway | Ensure that Application Gateway enables WAF | Terraform |
-| 544 | CKV_AZURE_121 | resource | azurerm_frontdoor | Ensure that Azure Front Door enables WAF | Terraform |
-| 545 | CKV_AZURE_122 | resource | azurerm_web_application_firewall_policy | Ensure that Application Gateway uses WAF in "Detection" or "Prevention" modes | Terraform |
-| 546 | CKV_AZURE_123 | resource | azurerm_frontdoor_firewall_policy | Ensure that Azure Front Door uses WAF in "Detection" or "Prevention" modes | Terraform |
-| 547 | CKV_AZURE_124 | resource | azurerm_search_service | Ensure that Azure Cognitive Search disables public network access | Terraform |
-| 548 | CKV_AZURE_125 | resource | azurerm_service_fabric_cluster | Ensures that Active Directory is used for authentication for Service Fabric | Terraform |
-| 549 | CKV_AZURE_126 | resource | azurerm_service_fabric_cluster | Ensures that Active Directory is used for authentication for Service Fabric | Terraform |
-| 550 | CKV_AZURE_127 | resource | azurerm_mysql_server | Ensure that My SQL server enables Threat detection policy | Terraform |
-| 551 | CKV_AZURE_128 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables Threat detection policy | Terraform |
-| 552 | CKV_AZURE_129 | resource | azurerm_mariadb_server | Ensure that MariaDB server enables geo-redundant backups | Terraform |
-| 553 | CKV_AZURE_130 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables infrastructure encryption | Terraform |
-| 554 | CKV_AZURE_131 | resource | azurerm_security_center_contact | Ensure that 'Security contact emails' is set | Terraform |
-| 555 | CKV_AZURE_131 | parameter | secureString | SecureString parameter should not have hardcoded default values | arm |
-| 556 | CKV2_AZURE_1 | resource | azurerm_storage_account | Ensure storage for critical data are encrypted with Customer Managed Key | Terraform |
-| 557 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform |
-| 558 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform |
-| 559 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform |
-| 560 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform |
-| 561 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform |
-| 562 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform |
-| 563 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform |
-| 564 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform |
-| 565 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform |
-| 566 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform |
-| 567 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform |
-| 568 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform |
-| 569 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform |
-| 570 | CKV2_AZURE_7 | resource | azurerm_sql_server | Ensure that Azure Active Directory Admin is configured | Terraform |
-| 571 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform |
-| 572 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform |
-| 573 | 
CKV2_AZURE_9 | resource | azurerm_virtual_machine | Ensure Virtual Machines are utilizing Managed Disks | Terraform | -| 574 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | -| 575 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | -| 576 | CKV2_AZURE_11 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer encryption at rest uses a customer-managed key | Terraform | -| 577 | CKV2_AZURE_12 | resource | azurerm_virtual_machine | Ensure that virtual machines are backed up using Azure Backup | Terraform | -| 578 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | -| 579 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | -| 580 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | -| 581 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | -| 582 | CKV2_AZURE_15 | resource | azurerm_data_factory | Ensure that Azure data factories are encrypted with a customer-managed key | Terraform | -| 583 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | -| 584 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | -| 585 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | -| 586 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | 
Terraform | -| 587 | CKV2_AZURE_18 | resource | azurerm_storage_account_customer_managed_key | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | -| 588 | CKV2_AZURE_18 | resource | azurerm_storage_account | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | -| 589 | CKV2_AZURE_19 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces have no IP firewall rules attached | Terraform | -| 590 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 591 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 592 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 593 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | -| 594 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | -| 595 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | -| 596 | CKV_DOCKER_1 | dockerfile | EXPOSE | Ensure port 22 is not exposed | dockerfile | -| 597 | CKV_DOCKER_2 | dockerfile | * | Ensure that HEALTHCHECK instructions have been added to container images | dockerfile | -| 598 | CKV_DOCKER_3 | dockerfile | * | Ensure that a user for the container has been created | dockerfile | -| 599 | CKV_DOCKER_4 | dockerfile | ADD | Ensure that COPY is used instead of ADD in Dockerfiles | dockerfile | -| 600 | CKV_DOCKER_5 | dockerfile | RUN | Ensure update instructions are not use alone in the Dockerfile | dockerfile | -| 601 | CKV_DOCKER_6 | dockerfile | MAINTAINER | Ensure 
that LABEL maintainer is used instead of MAINTAINER (deprecated) | dockerfile | -| 602 | CKV_DOCKER_7 | dockerfile | FROM | Ensure the base image uses a non latest version tag | dockerfile | -| 603 | CKV_DOCKER_8 | dockerfile | USER | Ensure the last USER is not root | dockerfile | -| 604 | CKV_GCP_1 | resource | google_container_cluster | Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters | Terraform | -| 605 | CKV_GCP_2 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted ssh access | Terraform | -| 606 | CKV_GCP_3 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted rdp access | Terraform | -| 607 | CKV_GCP_4 | resource | google_compute_ssl_policy | Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites | Terraform | -| 608 | CKV_GCP_6 | resource | google_sql_database_instance | Ensure all Cloud SQL database instance requires all incoming connections to use SSL | Terraform | -| 609 | CKV_GCP_7 | resource | google_container_cluster | Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters | Terraform | -| 610 | CKV_GCP_8 | resource | google_container_cluster | Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters | Terraform | -| 611 | CKV_GCP_9 | resource | google_container_node_pool | Ensure 'Automatic node repair' is enabled for Kubernetes Clusters | Terraform | -| 612 | CKV_GCP_10 | resource | google_container_node_pool | Ensure 'Automatic node upgrade' is enabled for Kubernetes Clusters | Terraform | -| 613 | CKV_GCP_11 | resource | google_sql_database_instance | Ensure that Cloud SQL database Instances are not open to the world | Terraform | -| 614 | CKV_GCP_12 | resource | google_container_cluster | Ensure Network Policy is enabled on Kubernetes Engine Clusters | Terraform | -| 615 | CKV_GCP_13 | resource | google_container_cluster | Ensure a client 
certificate is used by clients to authenticate to Kubernetes Engine Clusters | Terraform | -| 616 | CKV_GCP_14 | resource | google_sql_database_instance | Ensure all Cloud SQL database instance have backup configuration enabled | Terraform | -| 617 | CKV_GCP_15 | resource | google_bigquery_dataset | Ensure that BigQuery datasets are not anonymously or publicly accessible | Terraform | -| 618 | CKV_GCP_16 | resource | google_dns_managed_zone | Ensure that DNSSEC is enabled for Cloud DNS | Terraform | -| 619 | CKV_GCP_17 | resource | google_dns_managed_zone | Ensure that RSASHA1 is not used for the zone-signing and key-signing keys in Cloud DNS DNSSEC | Terraform | -| 620 | CKV_GCP_18 | resource | google_container_cluster | Ensure GKE Control Plane is not public | Terraform | -| 621 | CKV_GCP_19 | resource | google_container_cluster | Ensure GKE basic auth is disabled | Terraform | -| 622 | CKV_GCP_20 | resource | google_container_cluster | Ensure master authorized networks is set to enabled in GKE clusters | Terraform | -| 623 | CKV_GCP_21 | resource | google_container_cluster | Ensure Kubernetes Clusters are configured with Labels | Terraform | -| 624 | CKV_GCP_22 | resource | google_container_node_pool | Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image | Terraform | -| 625 | CKV_GCP_23 | resource | google_container_cluster | Ensure Kubernetes Cluster is created with Alias IP ranges enabled | Terraform | -| 626 | CKV_GCP_24 | resource | google_container_cluster | Ensure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters | Terraform | -| 627 | CKV_GCP_25 | resource | google_container_cluster | Ensure Kubernetes Cluster is created with Private cluster enabled | Terraform | -| 628 | CKV_GCP_26 | resource | google_compute_subnetwork | Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network | Terraform | -| 629 | CKV_GCP_27 | resource | google_project | Ensure that the default network does not 
exist in a project | Terraform | -| 630 | CKV_GCP_28 | resource | google_storage_bucket_iam_member | Ensure that Cloud Storage bucket is not anonymously or publicly accessible | Terraform | -| 631 | CKV_GCP_28 | resource | google_storage_bucket_iam_binding | Ensure that Cloud Storage bucket is not anonymously or publicly accessible | Terraform | -| 632 | CKV_GCP_29 | resource | google_storage_bucket | Ensure that Cloud Storage buckets have uniform bucket-level access enabled | Terraform | -| 633 | CKV_GCP_30 | resource | google_compute_instance | Ensure that instances are not configured to use the default service account | Terraform | -| 634 | CKV_GCP_31 | resource | google_compute_instance | Ensure that instances are not configured to use the default service account with full access to all Cloud APIs | Terraform | -| 635 | CKV_GCP_32 | resource | google_compute_instance | Ensure 'Block Project-wide SSH keys' is enabled for VM instances | Terraform | -| 636 | CKV_GCP_33 | resource | google_compute_project_metadata | Ensure oslogin is enabled for a Project | Terraform | -| 637 | CKV_GCP_34 | resource | google_compute_instance | Ensure that no instance in the project overrides the project setting for enabling OSLogin(OSLogin needs to be enabled in project metadata for all instances) | Terraform | -| 638 | CKV_GCP_35 | resource | google_compute_instance | Ensure 'Enable connecting to serial ports' is not enabled for VM Instance | Terraform | -| 639 | CKV_GCP_36 | resource | google_compute_instance | Ensure that IP forwarding is not enabled on Instances | Terraform | -| 640 | CKV_GCP_37 | resource | google_compute_disk | Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | -| 641 | CKV_GCP_38 | resource | google_compute_instance | Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | -| 642 | CKV_GCP_39 | resource | google_compute_instance | Ensure Compute 
instances are launched with Shielded VM enabled | Terraform | -| 643 | CKV_GCP_40 | resource | google_compute_instance | Ensure that Compute instances do not have public IP addresses | Terraform | -| 644 | CKV_GCP_41 | resource | google_project_iam_member | Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level | Terraform | -| 645 | CKV_GCP_41 | resource | google_project_iam_binding | Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level | Terraform | -| 646 | CKV_GCP_42 | resource | google_project_iam_member | Ensure that Service Account has no Admin privileges | Terraform | -| 647 | CKV_GCP_43 | resource | google_kms_crypto_key | Ensure KMS encryption keys are rotated within a period of 90 days | Terraform | -| 648 | CKV_GCP_44 | resource | google_folder_iam_member | Ensure no roles that enable to impersonate and manage all service accounts are used at a folder level | Terraform | -| 649 | CKV_GCP_44 | resource | google_folder_iam_binding | Ensure no roles that enable to impersonate and manage all service accounts are used at a folder level | Terraform | -| 650 | CKV_GCP_45 | resource | google_organization_iam_member | Ensure no roles that enable to impersonate and manage all service accounts are used at an organization level | Terraform | -| 651 | CKV_GCP_45 | resource | google_organization_iam_binding | Ensure no roles that enable to impersonate and manage all service accounts are used at an organization level | Terraform | -| 652 | CKV_GCP_46 | resource | google_project_iam_member | Ensure Default Service account is not used at a project level | Terraform | -| 653 | CKV_GCP_46 | resource | google_project_iam_binding | Ensure Default Service account is not used at a project level | Terraform | -| 654 | CKV_GCP_47 | resource | google_organization_iam_member | Ensure default service account is not used at an organization level | 
Terraform | -| 655 | CKV_GCP_47 | resource | google_organization_iam_binding | Ensure default service account is not used at an organization level | Terraform | -| 656 | CKV_GCP_48 | resource | google_folder_iam_member | Ensure Default Service account is not used at a folder level | Terraform | -| 657 | CKV_GCP_48 | resource | google_folder_iam_binding | Ensure Default Service account is not used at a folder level | Terraform | -| 658 | CKV_GCP_49 | resource | google_project_iam_member | Ensure no roles that enable to impersonate and manage all service accounts are used at a project level | Terraform | -| 659 | CKV_GCP_49 | resource | google_project_iam_binding | Ensure no roles that enable to impersonate and manage all service accounts are used at a project level | Terraform | -| 660 | CKV_GCP_50 | resource | google_sql_database_instance | Ensure MySQL database 'local_infile' flag is set to 'off' | Terraform | -| 661 | CKV_GCP_51 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_checkpoints' flag is set to 'on' | Terraform | -| 662 | CKV_GCP_52 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_connections' flag is set to 'on' | Terraform | -| 663 | CKV_GCP_53 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_disconnections' flag is set to 'on' | Terraform | -| 664 | CKV_GCP_54 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_lock_waits' flag is set to 'on' | Terraform | -| 665 | CKV_GCP_55 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_min_messages' flag is set to a valid value | Terraform | -| 666 | CKV_GCP_56 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_temp_files flag is set to '0' | Terraform | -| 667 | CKV_GCP_57 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_min_duration_statement' flag is set to '-1' | Terraform | -| 668 | CKV_GCP_58 | resource | 
google_sql_database_instance | Ensure SQL database 'cross db ownership chaining' flag is set to 'off' | Terraform | -| 669 | CKV_GCP_59 | resource | google_sql_database_instance | Ensure SQL database 'contained database authentication' flag is set to 'off' | Terraform | -| 670 | CKV_GCP_60 | resource | google_sql_database_instance | Ensure SQL database do not have public IP | Terraform | -| 671 | CKV_GCP_61 | resource | google_container_cluster | Enable VPC Flow Logs and Intranode Visibility | Terraform | -| 672 | CKV_GCP_62 | resource | google_storage_bucket | Bucket should log access | Terraform | -| 673 | CKV_GCP_63 | resource | google_storage_bucket | Bucket should not log to itself | Terraform | -| 674 | CKV_GCP_64 | resource | google_container_cluster | Ensure clusters are created with Private Nodes | Terraform | -| 675 | CKV_GCP_65 | resource | google_container_cluster | Manage Kubernetes RBAC users with Google Groups for GKE | Terraform | -| 676 | CKV_GCP_66 | resource | google_container_cluster | Ensure use of Binary Authorization | Terraform | -| 677 | CKV_GCP_67 | resource | google_container_cluster | Ensure legacy Compute Engine instance metadata APIs are Disabled | Terraform | -| 678 | CKV_GCP_68 | resource | google_container_cluster | Ensure Secure Boot for Shielded GKE Nodes is Enabled | Terraform | -| 679 | CKV_GCP_68 | resource | google_container_node_pool | Ensure Secure Boot for Shielded GKE Nodes is Enabled | Terraform | -| 680 | CKV_GCP_69 | resource | google_container_cluster | Ensure the GKE Metadata Server is Enabled | Terraform | -| 681 | CKV_GCP_69 | resource | google_container_node_pool | Ensure the GKE Metadata Server is Enabled | Terraform | -| 682 | CKV_GCP_70 | resource | google_container_cluster | Ensure the GKE Release Channel is set | Terraform | -| 683 | CKV_GCP_71 | resource | google_container_cluster | Ensure Shielded GKE Nodes are Enabled | Terraform | -| 684 | CKV_GCP_72 | resource | google_container_cluster | Ensure Integrity 
Monitoring for Shielded GKE Nodes is Enabled | Terraform | -| 685 | CKV_GCP_72 | resource | google_container_node_pool | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | -| 686 | CKV2_GCP_1 | resource | google_project_default_service_accounts | Ensure GKE clusters are not running using the Compute Engine default service account | Terraform | -| 687 | CKV2_GCP_2 | resource | google_compute_network | Ensure legacy networks do not exist for a project | Terraform | -| 688 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 689 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 690 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 691 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 692 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 693 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 694 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 695 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 696 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service 
account | Terraform | -| 697 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 698 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 699 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 700 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 701 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 702 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 703 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 704 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 705 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 706 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 707 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 708 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 709 | 
CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 710 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 711 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 712 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 713 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 714 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 715 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 716 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 717 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 718 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 719 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 720 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 721 | CKV2_GCP_3 | resource | 
google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 722 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 723 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 724 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 725 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 726 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 727 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 728 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 729 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 730 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 731 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 732 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 733 | CKV2_GCP_3 | resource | 
google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 734 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 735 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 736 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 737 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 738 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 739 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 740 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 741 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 742 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 743 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 744 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 745 | 
CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 746 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 747 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 748 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 749 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 750 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 751 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 752 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 753 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 754 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 755 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 756 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 757 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there 
are only GCP-managed service account keys for each service account | Terraform |
-| 758 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 759 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 760 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 761 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 762 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 763 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 764 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 765 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 766 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 767 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 768 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 769 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 770 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 771 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 772 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 773 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 774 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 775 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 776 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 777 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 778 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 779 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 780 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 781 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 782 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 783 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 784 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 785 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 786 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 787 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 788 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 789 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 790 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 791 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 792 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 793 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 794 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 795 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 796 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 797 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 798 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 799 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 800 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 801 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 802 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 803 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 804 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 805 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 806 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 807 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 808 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 809 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 810 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 811 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 812 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 813 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 814 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 815 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 816 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 817 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 818 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 819 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 820 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 821 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 822 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 823 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 824 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 825 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 826 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 827 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 828 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 829 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 830 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 831 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 832 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 833 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 834 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 835 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 836 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 837 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 838 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 839 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 840 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 841 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 842 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 843 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 844 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 845 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 846 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 847 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 848 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 849 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 850 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 851 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 852 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 853 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 854 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 855 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 856 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 857 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 858 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 859 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 860 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 861 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 862 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 863 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 864 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 865 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 866 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 867 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 868 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 869 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 870 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 871 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 872 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 873 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 874 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 875 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 876 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 877 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 878 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 879 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 880 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 881 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 882 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 883 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 884 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 885 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 886 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 887 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 888 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 889 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 890 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 891 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 892 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 893 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 894 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 895 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 896 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 897 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 898 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 899 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 900 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 901 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 902 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 903 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 904 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 905 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 906 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 907 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 908 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 909 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 910 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 911 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 912 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 913 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 914 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 915 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 916 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 917 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 918 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 919 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 920 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 921 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 922 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 923 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 924 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 925 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 926 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 927 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 928 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 929 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 930 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 931 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 932 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 933 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 934 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 935 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 936 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 937 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 938 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 939 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 940 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 941 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 942 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 943 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 944 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 945 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 946 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 947 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 948 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 949 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform |
-| 950 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform |
-| 951 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform |
-| 952 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform |
-| 953 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform |
-| 954 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform |
-| 955 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform |
-| 956 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform |
-| 957 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform |
-| 958 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform |
-| 959 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform |
-| 960 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform |
-| 961 | CKV_GIT_1 | resource | github_repository | Ensure Repository is Private | Terraform |
-| 962 | CKV_K8S_1 | resource | PodSecurityPolicy | Do not admit containers wishing to share the host process ID namespace | Kubernetes |
-| 963 | CKV_K8S_2 | resource | PodSecurityPolicy | Do not admit privileged containers | Kubernetes |
-| 964 | CKV_K8S_3 | resource | PodSecurityPolicy | Do not admit containers wishing to share the host IPC namespace | Kubernetes |
-| 965 | CKV_K8S_4 | resource | PodSecurityPolicy | Do not admit containers wishing to share the host network namespace | Kubernetes |
-| 966 | CKV_K8S_5 | resource | PodSecurityPolicy | Containers should not run with allowPrivilegeEscalation | Kubernetes |
-| 967 | CKV_K8S_6 | resource | PodSecurityPolicy | Do not admit root containers | Kubernetes |
-| 968 | CKV_K8S_7 | resource | PodSecurityPolicy | Do not admit containers with the NET_RAW capability | Kubernetes |
-| 969 | CKV_K8S_8 | resource | containers | Liveness Probe Should be Configured | Kubernetes |
-| 970 | CKV_K8S_9 | resource | containers | Readiness Probe Should be Configured | Kubernetes |
-| 971 | CKV_K8S_10 | resource | containers | CPU requests should be set | Kubernetes |
-| 972 | CKV_K8S_10 | resource | initContainers | CPU requests should be set | Kubernetes |
-| 973 | CKV_K8S_11 | resource | containers | CPU limits should be set | Kubernetes |
-| 974 | CKV_K8S_11 | resource | initContainers | CPU limits should be set | Kubernetes |
-| 975 | CKV_K8S_12 | resource | containers | Memory requests should be set | Kubernetes |
-| 976 | CKV_K8S_12 | resource | initContainers | Memory requests should be set | Kubernetes |
-| 977 | CKV_K8S_13 | resource | containers | Memory limits should be set | Kubernetes |
-| 978 | CKV_K8S_13 | resource | initContainers | Memory limits should be set | Kubernetes |
-| 979 | CKV_K8S_14 | resource | containers | Image Tag should be fixed - not latest or blank | Kubernetes |
-| 980 | CKV_K8S_14 | resource | initContainers | Image Tag should be fixed - not latest or blank | Kubernetes |
-| 981 | CKV_K8S_15 | resource | containers | Image Pull Policy should be Always | Kubernetes |
-| 982 | CKV_K8S_15 | resource | initContainers | Image Pull Policy should be Always | Kubernetes |
-| 983 | CKV_K8S_16 | resource | containers | Container should not be privileged | Kubernetes |
-| 984 | CKV_K8S_16 | resource | initContainers | Container should not be privileged | Kubernetes |
-| 985 | CKV_K8S_17 | resource | Pod | Containers should not share the host process ID namespace | Kubernetes |
-| 986 | CKV_K8S_17 | resource | Deployment | Containers should not share the host process ID namespace | Kubernetes |
-| 987 | CKV_K8S_17 | resource | DaemonSet | Containers should not share the host process ID namespace | Kubernetes |
-| 988 | CKV_K8S_17 | resource | StatefulSet | Containers should not share the host process ID namespace | Kubernetes |
-| 989 | CKV_K8S_17 | resource | ReplicaSet | Containers should not share the host process ID namespace | Kubernetes |
-| 990 | CKV_K8S_17 | resource | ReplicationController | Containers should not share the host process ID namespace | Kubernetes |
-| 991 | CKV_K8S_17 | resource | Job | Containers should not share the host process ID namespace | Kubernetes |
-| 992 | CKV_K8S_17 | resource | CronJob | Containers should not share the host process ID namespace | Kubernetes |
-| 993 | CKV_K8S_18 | resource | Pod | Containers should not share the host IPC namespace | Kubernetes |
-| 994 | CKV_K8S_18 | resource | Deployment | Containers should not share the host IPC namespace | Kubernetes |
-| 995 | CKV_K8S_18 | resource | DaemonSet | Containers should not share the host IPC namespace | Kubernetes |
-| 996 | CKV_K8S_18 | resource | StatefulSet | Containers should not share the host IPC namespace | Kubernetes |
-| 997 | CKV_K8S_18 | resource | ReplicaSet | Containers should not share the host IPC namespace | Kubernetes |
-| 998 | CKV_K8S_18 | resource | ReplicationController | Containers should not share the host IPC namespace | Kubernetes |
-| 999 | CKV_K8S_18 | resource | Job | Containers should not share the host IPC namespace | Kubernetes |
-| 1000 | CKV_K8S_18 | resource | CronJob | Containers should not share the host IPC namespace | Kubernetes |
-| 1001 | CKV_K8S_19 | resource | Pod | Containers should not share the host network namespace | Kubernetes |
-| 1002 | CKV_K8S_19 | resource | Deployment | Containers should not share the host network namespace | Kubernetes |
-| 1003 | CKV_K8S_19 | resource | DaemonSet | Containers should not share the host network namespace | Kubernetes |
-| 1004 | CKV_K8S_19 | resource | StatefulSet | Containers should not share the host network namespace | Kubernetes |
-| 1005 | CKV_K8S_19 | resource | ReplicaSet | Containers should not share the host network namespace | Kubernetes |
-| 1006 | CKV_K8S_19 | resource | ReplicationController | Containers should not share the host network namespace | Kubernetes |
-| 1007 | CKV_K8S_19 | resource | Job | Containers should not share the host network namespace | Kubernetes |
-| 1008 | CKV_K8S_19 | resource | CronJob | Containers should not share the host network namespace | Kubernetes |
-| 1009 | CKV_K8S_20 | resource | containers | Containers should not run with allowPrivilegeEscalation | Kubernetes |
-| 1010 | CKV_K8S_20 | resource | initContainers | Containers should not run with allowPrivilegeEscalation | Kubernetes |
-| 1011 | CKV_K8S_21 | resource | Service | The default namespace should not be used | Kubernetes |
-| 1012 | CKV_K8S_21 | resource | Pod | The default namespace should not be used | Kubernetes |
-| 1013 | CKV_K8S_21 | resource | Deployment | The default namespace should not be used | Kubernetes |
-| 1014 | CKV_K8S_21 | resource | DaemonSet | The default namespace should not be used | Kubernetes |
-| 1015 | CKV_K8S_21 | resource | StatefulSet | The default namespace should not be used | Kubernetes |
-| 1016 | CKV_K8S_21 | resource | ReplicaSet | The default namespace should not be used | Kubernetes |
-| 1017 | CKV_K8S_21 | resource | ReplicationController | The default namespace should not be used | Kubernetes |
-| 1018 | CKV_K8S_21 | resource | Job | The default namespace should not be used | Kubernetes |
-| 1019 | CKV_K8S_21 | resource | CronJob | The default namespace should not be used | Kubernetes |
-| 1020 | CKV_K8S_21 | resource | Secret | The default namespace should not be used | Kubernetes |
-| 1021 | CKV_K8S_21 | resource | ServiceAccount | The default namespace should not be used | Kubernetes |
-| 1022 | CKV_K8S_21 | resource | Role | The default namespace should not be used | Kubernetes |
-| 1023 | CKV_K8S_21 | resource | RoleBinding | The default namespace should not be used | Kubernetes |
-| 1024 | CKV_K8S_21 | resource | ConfigMap | The default namespace should not be used | Kubernetes |
-| 1025 | CKV_K8S_21 | resource | Ingress | The default namespace should not be used | Kubernetes |
-| 1026 | CKV_K8S_22 | resource | containers | Use read-only filesystem for containers where possible | Kubernetes |
-| 1027 | CKV_K8S_22 | resource | initContainers | Use read-only filesystem for containers where possible | Kubernetes |
-| 1028 | CKV_K8S_23 | resource | Pod | Minimize the admission of root containers | Kubernetes |
-| 1029 | CKV_K8S_23 | resource | Deployment | Minimize the admission of root containers | Kubernetes |
-| 1030 | CKV_K8S_23 | resource | DaemonSet | Minimize the admission of root containers | Kubernetes |
-| 1031 | CKV_K8S_23 | resource | StatefulSet | Minimize the admission of root containers | Kubernetes |
-| 1032 | CKV_K8S_23 | resource | ReplicaSet | Minimize the admission of root containers | Kubernetes |
-| 1033 | CKV_K8S_23 | resource | ReplicationController | Minimize the admission of root containers | Kubernetes |
-| 1034 | CKV_K8S_23 | resource | Job | Minimize the admission of root containers | Kubernetes |
-| 1035 | CKV_K8S_23 | resource | CronJob | Minimize the admission of root containers | Kubernetes |
-| 1036 | CKV_K8S_24 | resource | PodSecurityPolicy | Do not allow containers with added capability | Kubernetes |
-| 1037 | CKV_K8S_25 | resource | containers | Minimize the admission of containers with added capability | Kubernetes |
-| 1038 | CKV_K8S_25 | resource | initContainers | Minimize the admission of 
containers with added capability | Kubernetes | -| 1039 | CKV_K8S_26 | resource | containers | Do not specify hostPort unless absolutely necessary | Kubernetes | -| 1040 | CKV_K8S_26 | resource | initContainers | Do not specify hostPort unless absolutely necessary | Kubernetes | -| 1041 | CKV_K8S_27 | resource | Pod | Do not expose the docker daemon socket to containers | Kubernetes | -| 1042 | CKV_K8S_27 | resource | Deployment | Do not expose the docker daemon socket to containers | Kubernetes | -| 1043 | CKV_K8S_27 | resource | DaemonSet | Do not expose the docker daemon socket to containers | Kubernetes | -| 1044 | CKV_K8S_27 | resource | StatefulSet | Do not expose the docker daemon socket to containers | Kubernetes | -| 1045 | CKV_K8S_27 | resource | ReplicaSet | Do not expose the docker daemon socket to containers | Kubernetes | -| 1046 | CKV_K8S_27 | resource | ReplicationController | Do not expose the docker daemon socket to containers | Kubernetes | -| 1047 | CKV_K8S_27 | resource | Job | Do not expose the docker daemon socket to containers | Kubernetes | -| 1048 | CKV_K8S_27 | resource | CronJob | Do not expose the docker daemon socket to containers | Kubernetes | -| 1049 | CKV_K8S_28 | resource | containers | Minimize the admission of containers with the NET_RAW capability | Kubernetes | -| 1050 | CKV_K8S_28 | resource | initContainers | Minimize the admission of containers with the NET_RAW capability | Kubernetes | -| 1051 | CKV_K8S_29 | resource | Pod | Apply security context to your pods and containers | Kubernetes | -| 1052 | CKV_K8S_29 | resource | Deployment | Apply security context to your pods and containers | Kubernetes | -| 1053 | CKV_K8S_29 | resource | DaemonSet | Apply security context to your pods and containers | Kubernetes | -| 1054 | CKV_K8S_29 | resource | StatefulSet | Apply security context to your pods and containers | Kubernetes | -| 1055 | CKV_K8S_29 | resource | ReplicaSet | Apply security context to your pods and containers | 
Kubernetes | -| 1056 | CKV_K8S_29 | resource | ReplicationController | Apply security context to your pods and containers | Kubernetes | -| 1057 | CKV_K8S_29 | resource | Job | Apply security context to your pods and containers | Kubernetes | -| 1058 | CKV_K8S_29 | resource | CronJob | Apply security context to your pods and containers | Kubernetes | -| 1059 | CKV_K8S_30 | resource | containers | Apply security context to your pods and containers | Kubernetes | -| 1060 | CKV_K8S_30 | resource | initContainers | Apply security context to your pods and containers | Kubernetes | -| 1061 | CKV_K8S_31 | resource | Pod | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | -| 1062 | CKV_K8S_31 | resource | Deployment | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | -| 1063 | CKV_K8S_31 | resource | DaemonSet | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | -| 1064 | CKV_K8S_31 | resource | StatefulSet | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | -| 1065 | CKV_K8S_31 | resource | ReplicaSet | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | -| 1066 | CKV_K8S_31 | resource | ReplicationController | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | -| 1067 | CKV_K8S_31 | resource | Job | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | -| 1068 | CKV_K8S_31 | resource | CronJob | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | -| 1069 | CKV_K8S_32 | resource | PodSecurityPolicy | Ensure default seccomp profile set to docker/default or runtime/default | Kubernetes | -| 1070 | CKV_K8S_33 | resource | containers | Ensure the Kubernetes dashboard is not deployed | Kubernetes | -| 1071 | CKV_K8S_33 | resource | initContainers | Ensure the 
Kubernetes dashboard is not deployed | Kubernetes | -| 1072 | CKV_K8S_34 | resource | containers | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | -| 1073 | CKV_K8S_34 | resource | initContainers | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | -| 1074 | CKV_K8S_35 | resource | containers | Prefer using secrets as files over secrets as environment variables | Kubernetes | -| 1075 | CKV_K8S_35 | resource | initContainers | Prefer using secrets as files over secrets as environment variables | Kubernetes | -| 1076 | CKV_K8S_36 | resource | PodSecurityPolicy | Minimize the admission of containers with capabilities assigned | Kubernetes | -| 1077 | CKV_K8S_37 | resource | containers | Minimize the admission of containers with capabilities assigned | Kubernetes | -| 1078 | CKV_K8S_37 | resource | initContainers | Minimize the admission of containers with capabilities assigned | Kubernetes | -| 1079 | CKV_K8S_38 | resource | Pod | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | -| 1080 | CKV_K8S_38 | resource | Deployment | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | -| 1081 | CKV_K8S_38 | resource | DaemonSet | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | -| 1082 | CKV_K8S_38 | resource | StatefulSet | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | -| 1083 | CKV_K8S_38 | resource | ReplicaSet | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | -| 1084 | CKV_K8S_38 | resource | ReplicationController | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | -| 1085 | CKV_K8S_38 | resource | Job | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | -| 1086 | CKV_K8S_38 | resource | CronJob | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | -| 1087 | CKV_K8S_39 | resource | 
containers | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | -| 1088 | CKV_K8S_39 | resource | initContainers | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | -| 1089 | CKV_K8S_40 | resource | Pod | Containers should run as a high UID to avoid host conflict | Kubernetes | -| 1090 | CKV_K8S_40 | resource | Deployment | Containers should run as a high UID to avoid host conflict | Kubernetes | -| 1091 | CKV_K8S_40 | resource | DaemonSet | Containers should run as a high UID to avoid host conflict | Kubernetes | -| 1092 | CKV_K8S_40 | resource | StatefulSet | Containers should run as a high UID to avoid host conflict | Kubernetes | -| 1093 | CKV_K8S_40 | resource | ReplicaSet | Containers should run as a high UID to avoid host conflict | Kubernetes | -| 1094 | CKV_K8S_40 | resource | ReplicationController | Containers should run as a high UID to avoid host conflict | Kubernetes | -| 1095 | CKV_K8S_40 | resource | Job | Containers should run as a high UID to avoid host conflict | Kubernetes | -| 1096 | CKV_K8S_40 | resource | CronJob | Containers should run as a high UID to avoid host conflict | Kubernetes | -| 1097 | CKV_K8S_41 | resource | ServiceAccount | Ensure that default service accounts are not actively used | Kubernetes | -| 1098 | CKV_K8S_42 | resource | RoleBinding | Ensure that default service accounts are not actively used | Kubernetes | -| 1099 | CKV_K8S_42 | resource | ClusterRoleBinding | Ensure that default service accounts are not actively used | Kubernetes | -| 1100 | CKV_K8S_43 | resource | containers | Image should use digest | Kubernetes | -| 1101 | CKV_K8S_43 | resource | initContainers | Image should use digest | Kubernetes | -| 1102 | CKV_K8S_44 | resource | Service | Ensure that the Tiller Service (Helm v2) is deleted | Kubernetes | -| 1103 | CKV_K8S_45 | resource | containers | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | -| 1104 | CKV_K8S_45 | resource | 
initContainers | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | -| 1105 | CKV_K8S_49 | resource | Role | Minimize wildcard use in Roles and ClusterRoles | Kubernetes | -| 1106 | CKV_K8S_49 | resource | ClusterRole | Minimize wildcard use in Roles and ClusterRoles | Kubernetes | -| 1107 | CKV_K8S_68 | resource | containers | Ensure that the --anonymous-auth argument is set to false | Kubernetes | -| 1108 | CKV_K8S_69 | resource | containers | Ensure that the --basic-auth-file argument is not set | Kubernetes | -| 1109 | CKV_K8S_70 | resource | containers | Ensure that the --token-auth-file argument is not set | Kubernetes | -| 1110 | CKV_K8S_71 | resource | containers | Ensure that the --kubelet-https argument is set to true | Kubernetes | -| 1111 | CKV_K8S_72 | resource | containers | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | -| 1112 | CKV_K8S_73 | resource | containers | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | -| 1113 | CKV_K8S_74 | resource | containers | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | -| 1114 | CKV_K8S_75 | resource | containers | Ensure that the --authorization-mode argument includes Node | Kubernetes | -| 1115 | CKV_K8S_77 | resource | containers | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | -| 1116 | CKV_K8S_78 | resource | AdmissionConfiguration | Ensure that the admission control plugin EventRateLimit is set | Kubernetes | -| 1117 | CKV_K8S_79 | resource | containers | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | -| 1118 | CKV_K8S_80 | resource | containers | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | -| 1119 | CKV_K8S_81 | resource | containers | Ensure that the admission control plugin SecurityContextDeny is set if 
PodSecurityPolicy is not used | Kubernetes | -| 1120 | CKV_K8S_82 | resource | containers | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | -| 1121 | CKV_K8S_83 | resource | containers | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | -| 1122 | CKV_K8S_84 | resource | containers | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | -| 1123 | CKV_K8S_85 | resource | containers | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | -| 1124 | CKV_K8S_86 | resource | containers | Ensure that the --insecure-bind-address argument is not set | Kubernetes | -| 1125 | CKV_K8S_88 | resource | containers | Ensure that the --insecure-port argument is set to 0 | Kubernetes | -| 1126 | CKV_K8S_89 | resource | containers | Ensure that the --secure-port argument is not set to 0 | Kubernetes | -| 1127 | CKV_K8S_90 | resource | containers | Ensure that the --profiling argument is set to false | Kubernetes | -| 1128 | CKV_K8S_91 | resource | containers | Ensure that the --audit-log-path argument is set | Kubernetes | -| 1129 | CKV_K8S_92 | resource | containers | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | -| 1130 | CKV_K8S_93 | resource | containers | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | -| 1131 | CKV_K8S_94 | resource | containers | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | -| 1132 | CKV_K8S_95 | resource | containers | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | -| 1133 | CKV_K8S_96 | resource | containers | Ensure that the --service-account-lookup argument is set to true | Kubernetes | -| 1134 | CKV_K8S_97 | resource | containers | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | -| 1135 | CKV_K8S_99 | resource | containers | Ensure that 
the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | -| 1136 | CKV_K8S_100 | resource | containers | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | -| 1137 | CKV_K8S_102 | resource | containers | Ensure that the --etcd-ca-file argument is set as appropriate | Kubernetes | -| 1138 | CKV_K8S_104 | resource | containers | Ensure that encryption providers are appropriately configured | Kubernetes | -| 1139 | CKV_K8S_105 | resource | containers | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | -| 1140 | CKV_K8S_106 | resource | containers | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | -| 1141 | CKV_K8S_107 | resource | containers | Ensure that the --profiling argument is set to false | Kubernetes | -| 1142 | CKV_K8S_108 | resource | containers | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | -| 1143 | CKV_K8S_110 | resource | containers | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | -| 1144 | CKV_K8S_111 | resource | containers | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | -| 1145 | CKV_K8S_112 | resource | containers | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | -| 1146 | CKV_K8S_113 | resource | containers | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | -| 1147 | CKV_K8S_114 | resource | containers | Ensure that the --profiling argument is set to false | Kubernetes | -| 1148 | CKV_K8S_115 | resource | containers | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | -| 1149 | CKV_K8S_116 | resource | containers | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | -| 1150 | CKV_K8S_117 | resource | containers | Ensure that the 
--client-cert-auth argument is set to true | Kubernetes | -| 1151 | CKV_K8S_118 | resource | containers | Ensure that the --auto-tls argument is not set to true | Kubernetes | -| 1152 | CKV_K8S_119 | resource | containers | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | -| 1153 | CKV_K8S_121 | resource | Pod | Ensure that the --peer-client-cert-auth argument is set to true | Kubernetes | -| 1154 | CKV_K8S_138 | resource | containers | Ensure that the --anonymous-auth argument is set to false | Kubernetes | -| 1155 | CKV_K8S_139 | resource | containers | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | -| 1156 | CKV_K8S_140 | resource | containers | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | -| 1157 | CKV_K8S_141 | resource | containers | Ensure that the --read-only-port argument is set to 0 | Kubernetes | -| 1158 | CKV_K8S_143 | resource | containers | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | -| 1159 | CKV_K8S_144 | resource | containers | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | -| 1160 | CKV_K8S_145 | resource | containers | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | -| 1161 | CKV_K8S_146 | resource | containers | Ensure that the --hostname-override argument is not set | Kubernetes | -| 1162 | CKV_K8S_147 | resource | containers | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | -| 1163 | CKV_K8S_148 | resource | containers | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | -| 1164 | CKV_K8S_149 | resource | containers | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | -| 1165 | CKV_K8S_150 | resource | containers | Ensure that the 
RotateKubeletServerCertificate argument is set to true | Kubernetes | -| 1166 | CKV_K8S_151 | resource | containers | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | -| 1167 | CKV_LIN_1 | provider | linode | Ensure no hard coded Linode tokens exist in provider | Terraform | -| 1168 | CKV_LIN_2 | resource | linode_instance | Ensure SSH key set in authorized_keys | Terraform | +| | Id | Type | Entity | Policy | IaC | +|------|---------------|----------------------------------|------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------| +| 0 | CKV_AWS_1 | data | aws_iam_policy_document | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform | +| 1 | CKV_AWS_1 | resource | serverless_aws | Ensure IAM policies that allow full "*-*" administrative privileges are not created | serverless | +| 2 | CKV_AWS_2 | resource | aws_lb_listener | Ensure ALB protocol is HTTPS | Terraform | +| 3 | CKV_AWS_2 | resource | AWS::ElasticLoadBalancingV2::Listener | Ensure ALB protocol is HTTPS | Cloudformation | +| 4 | CKV_AWS_3 | resource | aws_ebs_volume | Ensure all data stored in the EBS is securely encrypted | Terraform | +| 5 | CKV_AWS_3 | resource | AWS::EC2::Volume | Ensure all data stored in the EBS is securely encrypted | Cloudformation | +| 6 | CKV_AWS_5 | resource | aws_elasticsearch_domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Terraform | +| 7 | CKV_AWS_5 | resource | AWS::Elasticsearch::Domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Cloudformation | +| 8 | CKV_AWS_6 | resource | aws_elasticsearch_domain | Ensure all Elasticsearch has node-to-node encryption enabled | 
Terraform | +| 9 | CKV_AWS_6 | resource | AWS::Elasticsearch::Domain | Ensure all Elasticsearch has node-to-node encryption enabled | Cloudformation | +| 10 | CKV_AWS_7 | resource | aws_kms_key | Ensure rotation for customer created CMKs is enabled | Terraform | +| 11 | CKV_AWS_7 | resource | AWS::KMS::Key | Ensure rotation for customer created CMKs is enabled | Cloudformation | +| 12 | CKV_AWS_8 | resource | aws_instance | Ensure all data stored in the Launch configuration EBS is securely encrypted | Terraform | +| 13 | CKV_AWS_8 | resource | aws_launch_configuration | Ensure all data stored in the Launch configuration EBS is securely encrypted | Terraform | +| 14 | CKV_AWS_8 | resource | AWS::AutoScaling::LaunchConfiguration | Ensure all data stored in the Launch configuration EBS is securely encrypted | Cloudformation | +| 15 | CKV_AWS_9 | resource | aws_iam_account_password_policy | Ensure IAM password policy expires passwords within 90 days or less | Terraform | +| 16 | CKV_AWS_10 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires minimum length of 14 or greater | Terraform | +| 17 | CKV_AWS_11 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires at least one lowercase letter | Terraform | +| 18 | CKV_AWS_12 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires at least one number | Terraform | +| 19 | CKV_AWS_13 | resource | aws_iam_account_password_policy | Ensure IAM password policy prevents password reuse | Terraform | +| 20 | CKV_AWS_14 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires at least one symbol | Terraform | +| 21 | CKV_AWS_15 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires at least one uppercase letter | Terraform | +| 22 | CKV_AWS_16 | resource | aws_db_instance | Ensure all data stored in the RDS is securely encrypted at rest | Terraform | +| 23 | CKV_AWS_16 | resource | 
AWS::RDS::DBInstance | Ensure all data stored in the RDS is securely encrypted at rest | Cloudformation | +| 24 | CKV_AWS_17 | resource | aws_db_instance | Ensure all data stored in RDS is not publicly accessible | Terraform | +| 25 | CKV_AWS_17 | resource | aws_rds_cluster_instance | Ensure all data stored in RDS is not publicly accessible | Terraform | +| 26 | CKV_AWS_17 | resource | AWS::RDS::DBInstance | Ensure all data stored in RDS is not publicly accessible | Cloudformation | +| 27 | CKV_AWS_18 | resource | aws_s3_bucket | Ensure the S3 bucket has access logging enabled | Terraform | +| 28 | CKV_AWS_18 | resource | AWS::S3::Bucket | Ensure the S3 bucket has access logging enabled | Cloudformation | +| 29 | CKV_AWS_19 | resource | aws_s3_bucket | Ensure all data stored in the S3 bucket is securely encrypted at rest | Terraform | +| 30 | CKV_AWS_19 | resource | AWS::S3::Bucket | Ensure the S3 bucket has server-side-encryption enabled | Cloudformation | +| 31 | CKV_AWS_20 | resource | aws_s3_bucket | S3 Bucket has an ACL defined which allows public READ access. 
| Terraform | +| 32 | CKV_AWS_20 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow READ permissions to everyone | Cloudformation | +| 33 | CKV_AWS_21 | resource | aws_s3_bucket | Ensure all data stored in the S3 bucket have versioning enabled | Terraform | +| 34 | CKV_AWS_21 | resource | AWS::S3::Bucket | Ensure the S3 bucket has versioning enabled | Cloudformation | +| 35 | CKV_AWS_22 | resource | aws_sagemaker_notebook_instance | Ensure SageMaker Notebook is encrypted at rest using KMS CMK | Terraform | +| 36 | CKV_AWS_23 | resource | aws_security_group | Ensure every security groups rule has a description | Terraform | +| 37 | CKV_AWS_23 | resource | aws_security_group_rule | Ensure every security groups rule has a description | Terraform | +| 38 | CKV_AWS_23 | resource | aws_db_security_group | Ensure every security groups rule has a description | Terraform | +| 39 | CKV_AWS_23 | resource | aws_elasticache_security_group | Ensure every security groups rule has a description | Terraform | +| 40 | CKV_AWS_23 | resource | aws_redshift_security_group | Ensure every security groups rule has a description | Terraform | +| 41 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroup | Ensure every security groups rule has a description | Cloudformation | +| 42 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupIngress | Ensure every security groups rule has a description | Cloudformation | +| 43 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupEgress | Ensure every security groups rule has a description | Cloudformation | +| 44 | CKV_AWS_24 | resource | aws_security_group | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Terraform | +| 45 | CKV_AWS_24 | resource | aws_security_group_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Terraform | +| 46 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | +| 47 | CKV_AWS_24 | resource | 
AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | +| 48 | CKV_AWS_25 | resource | aws_security_group | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Terraform | +| 49 | CKV_AWS_25 | resource | aws_security_group_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Terraform | +| 50 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | +| 51 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | +| 52 | CKV_AWS_26 | resource | aws_sns_topic | Ensure all data stored in the SNS topic is encrypted | Terraform | +| 53 | CKV_AWS_26 | resource | AWS::SNS::Topic | Ensure all data stored in the SNS topic is encrypted | Cloudformation | +| 54 | CKV_AWS_27 | resource | aws_sqs_queue | Ensure all data stored in the SQS queue is encrypted | Terraform | +| 55 | CKV_AWS_27 | resource | AWS::SQS::Queue | Ensure all data stored in the SQS queue is encrypted | Cloudformation | +| 56 | CKV_AWS_28 | resource | aws_dynamodb_table | Ensure Dynamodb point in time recovery (backup) is enabled | Terraform | +| 57 | CKV_AWS_28 | resource | AWS::DynamoDB::Table | Ensure Dynamodb point in time recovery (backup) is enabled | Cloudformation | +| 58 | CKV_AWS_29 | resource | aws_elasticache_replication_group | Ensure all data stored in the Elasticache Replication Group is securely encrypted at rest | Terraform | +| 59 | CKV_AWS_29 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at rest | Cloudformation | +| 60 | CKV_AWS_30 | resource | aws_elasticache_replication_group | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit | Terraform | +| 61 | CKV_AWS_30 | resource | 
AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit | Cloudformation | +| 62 | CKV_AWS_31 | resource | aws_elasticache_replication_group | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit and has auth token | Terraform | +| 63 | CKV_AWS_31 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit and has auth token | Cloudformation | +| 64 | CKV_AWS_32 | resource | aws_ecr_repository_policy | Ensure ECR policy is not set to public | Terraform | +| 65 | CKV_AWS_32 | resource | AWS::ECR::Repository | Ensure ECR policy is not set to public | Cloudformation | +| 66 | CKV_AWS_33 | resource | aws_kms_key | Ensure KMS key policy does not contain wildcard (*) principal | Terraform | +| 67 | CKV_AWS_33 | resource | AWS::KMS::Key | Ensure KMS key policy does not contain wildcard (*) principal | Cloudformation | +| 68 | CKV_AWS_34 | resource | aws_cloudfront_distribution | Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS | Terraform | +| 69 | CKV_AWS_34 | resource | AWS::CloudFront::Distribution | Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS | Cloudformation | +| 70 | CKV_AWS_35 | resource | aws_cloudtrail | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | Terraform | +| 71 | CKV_AWS_35 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | Cloudformation | +| 72 | CKV_AWS_36 | resource | aws_cloudtrail | Ensure CloudTrail log file validation is enabled | Terraform | +| 73 | CKV_AWS_36 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail log file validation is enabled | Cloudformation | +| 74 | CKV_AWS_37 | resource | aws_eks_cluster | Ensure Amazon EKS control plane logging enabled for all log types | Terraform | +| 75 | CKV_AWS_38 | resource | aws_eks_cluster | Ensure 
Amazon EKS public endpoint not accessible to 0.0.0.0/0 | Terraform | +| 76 | CKV_AWS_39 | resource | aws_eks_cluster | Ensure Amazon EKS public endpoint disabled | Terraform | +| 77 | CKV_AWS_40 | resource | aws_iam_user_policy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Terraform | +| 78 | CKV_AWS_40 | resource | aws_iam_user_policy_attachment | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Terraform | +| 79 | CKV_AWS_40 | resource | aws_iam_policy_attachment | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Terraform | +| 80 | CKV_AWS_40 | resource | AWS::IAM::Policy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) 
| Cloudformation | +| 81 | CKV_AWS_41 | provider | aws | Ensure no hard coded AWS access key and secret key exists in provider | Terraform | +| 82 | CKV_AWS_41 | resource | serverless_aws | Ensure no hard coded AWS access key and secret key exists in provider | serverless | +| 83 | CKV_AWS_42 | resource | aws_efs_file_system | Ensure EFS is securely encrypted | Terraform | +| 84 | CKV_AWS_42 | resource | AWS::EFS::FileSystem | Ensure EFS is securely encrypted | Cloudformation | +| 85 | CKV_AWS_43 | resource | aws_kinesis_stream | Ensure Kinesis Stream is securely encrypted | Terraform | +| 86 | CKV_AWS_43 | resource | AWS::Kinesis::Stream | Ensure Kinesis Stream is securely encrypted | Cloudformation | +| 87 | CKV_AWS_44 | resource | aws_neptune_cluster | Ensure Neptune storage is securely encrypted | Terraform | +| 88 | CKV_AWS_44 | resource | AWS::Neptune::DBCluster | Ensure Neptune storage is securely encrypted | Cloudformation | +| 89 | CKV_AWS_45 | resource | aws_lambda_function | Ensure no hard-coded secrets exist in lambda environment | Terraform | +| 90 | CKV_AWS_45 | resource | AWS::Lambda::Function | Ensure no hard-coded secrets exist in lambda environment | Cloudformation | +| 91 | CKV_AWS_46 | resource | aws_instance | Ensure no hard-coded secrets exist in EC2 user data | Terraform | +| 92 | CKV_AWS_46 | resource | AWS::EC2::Instance | Ensure no hard-coded secrets exist in EC2 user data | Cloudformation | +| 93 | CKV_AWS_47 | resource | aws_dax_cluster | Ensure DAX is encrypted at rest (default is unencrypted) | Terraform | +| 94 | CKV_AWS_47 | resource | AWS::DAX::Cluster | Ensure DAX is encrypted at rest (default is unencrypted) | Cloudformation | +| 95 | CKV_AWS_48 | resource | aws_mq_broker | Ensure MQ Broker logging is enabled | Terraform | +| 96 | CKV_AWS_49 | data | aws_iam_policy_document | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | +| 97 | CKV_AWS_49 | resource | serverless_aws | Ensure no IAM policies 
documents allow "*" as a statement's actions | serverless | +| 98 | CKV_AWS_50 | resource | aws_lambda_function | X-ray tracing is enabled for Lambda | Terraform | +| 99 | CKV_AWS_51 | resource | aws_ecr_repository | Ensure ECR Image Tags are immutable | Terraform | +| 100 | CKV_AWS_51 | resource | AWS::ECR::Repository | Ensure ECR Image Tags are immutable | Cloudformation | +| 101 | CKV_AWS_53 | resource | aws_s3_bucket_public_access_block | Ensure S3 bucket has block public ACLS enabled | Terraform | +| 102 | CKV_AWS_53 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public ACLS enabled | Cloudformation | +| 103 | CKV_AWS_54 | resource | aws_s3_bucket_public_access_block | Ensure S3 bucket has block public policy enabled | Terraform | +| 104 | CKV_AWS_54 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public policy enabled | Cloudformation | +| 105 | CKV_AWS_55 | resource | aws_s3_bucket_public_access_block | Ensure S3 bucket has ignore public ACLs enabled | Terraform | +| 106 | CKV_AWS_55 | resource | AWS::S3::Bucket | Ensure S3 bucket has ignore public ACLs enabled | Cloudformation | +| 107 | CKV_AWS_56 | resource | aws_s3_bucket_public_access_block | Ensure S3 bucket has 'restrict_public_bucket' enabled | Terraform | +| 108 | CKV_AWS_56 | resource | AWS::S3::Bucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | Cloudformation | +| 109 | CKV_AWS_57 | resource | aws_s3_bucket | S3 Bucket has an ACL defined which allows public WRITE access. 
| Terraform | +| 110 | CKV_AWS_57 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow WRITE permissions to everyone | Cloudformation | +| 111 | CKV_AWS_58 | resource | aws_eks_cluster | Ensure EKS Cluster has Secrets Encryption Enabled | Terraform | +| 112 | CKV_AWS_58 | resource | AWS::EKS::Cluster | Ensure EKS Cluster has Secrets Encryption Enabled | Cloudformation | +| 113 | CKV_AWS_59 | resource | aws_api_gateway_method | Ensure there is no open access to back-end resources through API | Terraform | +| 114 | CKV_AWS_59 | resource | AWS::ApiGateway::Method | Ensure there is no open access to back-end resources through API | Cloudformation | +| 115 | CKV_AWS_60 | resource | aws_iam_role | Ensure IAM role allows only specific services or principals to assume it | Terraform | +| 116 | CKV_AWS_60 | resource | AWS::IAM::Role | Ensure IAM role allows only specific services or principals to assume it | Cloudformation | +| 117 | CKV_AWS_61 | resource | aws_iam_role | Ensure IAM role allows only specific principals in account to assume it | Terraform | +| 118 | CKV_AWS_61 | resource | AWS::IAM::Role | Ensure IAM role allows only specific principals in account to assume it | Cloudformation | +| 119 | CKV_AWS_62 | resource | aws_iam_role_policy | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform | +| 120 | CKV_AWS_62 | resource | aws_iam_user_policy | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform | +| 121 | CKV_AWS_62 | resource | aws_iam_group_policy | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform | +| 122 | CKV_AWS_62 | resource | aws_iam_policy | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform | +| 123 | CKV_AWS_63 | resource | aws_iam_role_policy | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | +| 124 | CKV_AWS_63 | resource | 
aws_iam_user_policy | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | +| 125 | CKV_AWS_63 | resource | aws_iam_group_policy | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | +| 126 | CKV_AWS_63 | resource | aws_iam_policy | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | +| 127 | CKV_AWS_64 | resource | aws_redshift_cluster | Ensure all data stored in the Redshift cluster is securely encrypted at rest | Terraform | +| 128 | CKV_AWS_64 | resource | AWS::Redshift::Cluster | Ensure all data stored in the Redshift cluster is securely encrypted at rest | Cloudformation | +| 129 | CKV_AWS_65 | resource | aws_ecs_cluster | Ensure container insights are enabled on ECS cluster | Terraform | +| 130 | CKV_AWS_65 | resource | AWS::ECS::Cluster | Ensure container insights are enabled on ECS cluster | Cloudformation | +| 131 | CKV_AWS_66 | resource | aws_cloudwatch_log_group | Ensure that CloudWatch Log Group specifies retention days | Terraform | +| 132 | CKV_AWS_66 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group specifies retention days | Cloudformation | +| 133 | CKV_AWS_67 | resource | aws_cloudtrail | Ensure CloudTrail is enabled in all Regions | Terraform | +| 134 | CKV_AWS_67 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail is enabled in all Regions | Cloudformation | +| 135 | CKV_AWS_68 | resource | aws_cloudfront_distribution | CloudFront Distribution should have WAF enabled | Terraform | +| 136 | CKV_AWS_68 | resource | AWS::CloudFront::Distribution | CloudFront Distribution should have WAF enabled | Cloudformation | +| 137 | CKV_AWS_69 | resource | aws_mq_broker | Ensure MQ Broker is not publicly exposed | Terraform | +| 138 | CKV_AWS_69 | resource | AWS::AmazonMQ::Broker | Ensure Amazon MQ Broker should not have public access | Cloudformation | +| 139 | CKV_AWS_70 | resource | aws_s3_bucket | Ensure S3 bucket does not allow an action with 
any Principal | Terraform | +| 140 | CKV_AWS_70 | resource | aws_s3_bucket_policy | Ensure S3 bucket does not allow an action with any Principal | Terraform | +| 141 | CKV_AWS_71 | resource | aws_redshift_cluster | Ensure Redshift Cluster logging is enabled | Terraform | +| 142 | CKV_AWS_71 | resource | AWS::Redshift::Cluster | Ensure Redshift Cluster logging is enabled | Cloudformation | +| 143 | CKV_AWS_72 | resource | aws_sqs_queue_policy | Ensure SQS policy does not allow ALL (*) actions. | Terraform | +| 144 | CKV_AWS_73 | resource | aws_api_gateway_stage | Ensure API Gateway has X-Ray Tracing enabled | Terraform | +| 145 | CKV_AWS_73 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has X-Ray Tracing enabled | Cloudformation | +| 146 | CKV_AWS_74 | resource | aws_docdb_cluster | Ensure DocDB is encrypted at rest (default is unencrypted) | Terraform | +| 147 | CKV_AWS_74 | resource | AWS::DocDB::DBCluster | Ensure DocDB is encrypted at rest (default is unencrypted) | Cloudformation | +| 148 | CKV_AWS_75 | resource | aws_globalaccelerator_accelerator | Ensure Global Accelerator accelerator has flow logs enabled | Terraform | +| 149 | CKV_AWS_76 | resource | aws_api_gateway_stage | Ensure API Gateway has Access Logging enabled | Terraform | +| 150 | CKV_AWS_76 | resource | aws_apigatewayv2_stage | Ensure API Gateway has Access Logging enabled | Terraform | +| 151 | CKV_AWS_76 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has Access Logging enabled | Cloudformation | +| 152 | CKV_AWS_77 | resource | aws_athena_database | Ensure Athena Database is encrypted at rest (default is unencrypted) | Terraform | +| 153 | CKV_AWS_78 | resource | aws_codebuild_project | Ensure that CodeBuild Project encryption is not disabled | Terraform | +| 154 | CKV_AWS_78 | resource | AWS::CodeBuild::Project | Ensure that CodeBuild Project encryption is not disabled | Cloudformation | +| 155 | CKV_AWS_79 | resource | aws_instance | Ensure Instance Metadata Service 
Version 1 is not enabled | Terraform | +| 156 | CKV_AWS_79 | resource | aws_launch_template | Ensure Instance Metadata Service Version 1 is not enabled | Terraform | +| 157 | CKV_AWS_79 | resource | AWS::EC2::LaunchTemplate | Ensure Instance Metadata Service Version 1 is not enabled | Cloudformation | +| 158 | CKV_AWS_80 | resource | aws_msk_cluster | Ensure MSK Cluster logging is enabled | Terraform | +| 159 | CKV_AWS_81 | resource | aws_msk_cluster | Ensure MSK Cluster encryption in rest and transit is enabled | Terraform | +| 160 | CKV_AWS_82 | resource | aws_athena_workgroup | Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption | Terraform | +| 161 | CKV_AWS_82 | resource | AWS::Athena::WorkGroup | Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption | Cloudformation | +| 162 | CKV_AWS_83 | resource | aws_elasticsearch_domain | Ensure Elasticsearch Domain enforces HTTPS | Terraform | +| 163 | CKV_AWS_83 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain enforces HTTPS | Cloudformation | +| 164 | CKV_AWS_84 | resource | aws_elasticsearch_domain | Ensure Elasticsearch Domain Logging is enabled | Terraform | +| 165 | CKV_AWS_84 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain Logging is enabled | Cloudformation | +| 166 | CKV_AWS_85 | resource | aws_docdb_cluster | Ensure DocDB Logging is enabled | Terraform | +| 167 | CKV_AWS_85 | resource | AWS::DocDB::DBCluster | Ensure DocDB Logging is enabled | Cloudformation | +| 168 | CKV_AWS_86 | resource | aws_cloudfront_distribution | Ensure Cloudfront distribution has Access Logging enabled | Terraform | +| 169 | CKV_AWS_86 | resource | AWS::CloudFront::Distribution | Ensure Cloudfront distribution has Access Logging enabled | Cloudformation | +| 170 | CKV_AWS_87 | resource | aws_redshift_cluster | Redshift cluster should not be publicly accessible | Terraform | +| 171 | CKV_AWS_87 | resource | 
AWS::Redshift::Cluster | Redshift cluster should not be publicly accessible | Cloudformation | +| 172 | CKV_AWS_88 | resource | aws_instance | EC2 instance should not have public IP. | Terraform | +| 173 | CKV_AWS_88 | resource | aws_launch_template | EC2 instance should not have public IP. | Terraform | +| 174 | CKV_AWS_88 | resource | AWS::EC2::LaunchTemplate | EC2 instance should not have public IP. | Cloudformation | +| 175 | CKV_AWS_88 | resource | AWS::EC2::Instance | EC2 instance should not have public IP. | Cloudformation | +| 176 | CKV_AWS_89 | resource | aws_dms_replication_instance | DMS replication instance should not be publicly accessible | Terraform | +| 177 | CKV_AWS_89 | resource | AWS::DMS::ReplicationInstance | DMS replication instance should not be publicly accessible | Cloudformation | +| 178 | CKV_AWS_90 | resource | aws_docdb_cluster_parameter_group | Ensure DocDB TLS is not disabled | Terraform | +| 179 | CKV_AWS_90 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB TLS is not disabled | Cloudformation | +| 180 | CKV_AWS_91 | resource | aws_lb | Ensure the ELBv2 (Application/Network) has access logging enabled | Terraform | +| 181 | CKV_AWS_91 | resource | aws_alb | Ensure the ELBv2 (Application/Network) has access logging enabled | Terraform | +| 182 | CKV_AWS_91 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure the ELBv2 (Application/Network) has access logging enabled | Cloudformation | +| 183 | CKV_AWS_92 | resource | aws_elb | Ensure the ELB has access logging enabled | Terraform | +| 184 | CKV_AWS_92 | resource | AWS::ElasticLoadBalancing::LoadBalancer | Ensure the ELB has access logging enabled | Cloudformation | +| 185 | CKV_AWS_93 | resource | aws_s3_bucket | Ensure S3 bucket policy does not lockout all but root user. (Prevent lockouts needing root account fixes) | Terraform | +| 186 | CKV_AWS_93 | resource | aws_s3_bucket_policy | Ensure S3 bucket policy does not lockout all but root user. 
(Prevent lockouts needing root account fixes) | Terraform | +| 187 | CKV_AWS_94 | resource | aws_glue_data_catalog_encryption_settings | Ensure Glue Data Catalog Encryption is enabled | Terraform | +| 188 | CKV_AWS_94 | resource | AWS::Glue::DataCatalogEncryptionSettings | Ensure Glue Data Catalog Encryption is enabled | Cloudformation | +| 189 | CKV_AWS_95 | resource | AWS::ApiGatewayV2::Stage | Ensure API Gateway V2 has Access Logging enabled | Cloudformation | +| 190 | CKV_AWS_96 | resource | aws_rds_cluster | Ensure all data stored in Aurora is securely encrypted at rest | Terraform | +| 191 | CKV_AWS_96 | resource | AWS::RDS::DBCluster | Ensure all data stored in Aurrora is securely encrypted at rest | Cloudformation | +| 192 | CKV_AWS_97 | resource | aws_ecs_task_definition | Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions | Terraform | +| 193 | CKV_AWS_97 | resource | AWS::ECS::TaskDefinition | Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions | Cloudformation | +| 194 | CKV_AWS_98 | resource | aws_sagemaker_endpoint_configuration | Ensure all data stored in the Sagemaker Endpoint is securely encrypted at rest | Terraform | +| 195 | CKV_AWS_99 | resource | aws_glue_security_configuration | Ensure Glue Security Configuration Encryption is enabled | Terraform | +| 196 | CKV_AWS_99 | resource | AWS::Glue::SecurityConfiguration | Ensure Glue Security Configuration Encryption is enabled | Cloudformation | +| 197 | CKV_AWS_100 | resource | aws_eks_node_group | Ensure Amazon EKS Node group has implict SSH access from 0.0.0.0/0 | Terraform | +| 198 | CKV_AWS_100 | resource | AWS::EKS::Nodegroup | Ensure Amazon EKS Node group has implict SSH access from 0.0.0.0/0 | Cloudformation | +| 199 | CKV_AWS_101 | resource | aws_neptune_cluster | Ensure Neptune logging is enabled | Terraform | +| 200 | CKV_AWS_101 | resource | AWS::Neptune::DBCluster | Ensure Neptune logging is enabled | Cloudformation | +| 201 | 
CKV_AWS_102 | resource | aws_neptune_cluster_instance | Ensure Neptune Cluster instance is not publicly available | Terraform | +| 202 | CKV_AWS_103 | resource | aws_lb_listener | Ensure that load balancer is using TLS 1.2 | Terraform | +| 203 | CKV_AWS_104 | resource | aws_docdb_cluster_parameter_group | Ensure DocDB has audit logs enabled | Terraform | +| 204 | CKV_AWS_104 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB has audit logs enabled | Cloudformation | +| 205 | CKV_AWS_105 | resource | aws_redshift_parameter_group | Ensure Redshift uses SSL | Terraform | +| 206 | CKV_AWS_105 | resource | AWS::Redshift::ClusterParameterGroup | Ensure Redshift uses SSL | Cloudformation | +| 207 | CKV_AWS_106 | resource | aws_ebs_encryption_by_default | Ensure EBS default encryption is enabled | Terraform | +| 208 | CKV_AWS_107 | data | aws_iam_policy_document | Ensure IAM policies does not allow credentials exposure | Terraform | +| 209 | CKV_AWS_107 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 210 | CKV_AWS_107 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 211 | CKV_AWS_107 | resource | AWS::IAM::Group | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 212 | CKV_AWS_107 | resource | AWS::IAM::Role | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 213 | CKV_AWS_107 | resource | AWS::IAM::User | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 214 | CKV_AWS_108 | data | aws_iam_policy_document | Ensure IAM policies does not allow data exfiltration | Terraform | +| 215 | CKV_AWS_108 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 216 | CKV_AWS_108 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 217 | CKV_AWS_108 | 
resource | AWS::IAM::Group | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 218 | CKV_AWS_108 | resource | AWS::IAM::Role | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 219 | CKV_AWS_108 | resource | AWS::IAM::User | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 220 | CKV_AWS_109 | data | aws_iam_policy_document | Ensure IAM policies does not allow permissions management / resource exposure without constraints | Terraform | +| 221 | CKV_AWS_109 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 222 | CKV_AWS_109 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 223 | CKV_AWS_109 | resource | AWS::IAM::Group | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 224 | CKV_AWS_109 | resource | AWS::IAM::Role | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 225 | CKV_AWS_109 | resource | AWS::IAM::User | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 226 | CKV_AWS_110 | data | aws_iam_policy_document | Ensure IAM policies does not allow privilege escalation | Terraform | +| 227 | CKV_AWS_110 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 228 | CKV_AWS_110 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 229 | CKV_AWS_110 | resource | AWS::IAM::Group | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 230 | CKV_AWS_110 | resource | AWS::IAM::Role | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 231 | CKV_AWS_110 | resource | AWS::IAM::User | Ensure IAM policies does not allow 
privilege escalation | Cloudformation | +| 232 | CKV_AWS_111 | data | aws_iam_policy_document | Ensure IAM policies does not allow write access without constraints | Terraform | +| 233 | CKV_AWS_111 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 234 | CKV_AWS_111 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 235 | CKV_AWS_111 | resource | AWS::IAM::Group | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 236 | CKV_AWS_111 | resource | AWS::IAM::Role | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 237 | CKV_AWS_111 | resource | AWS::IAM::User | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 238 | CKV_AWS_112 | resource | aws_ssm_document | Ensure Session Manager data is encrypted in transit | Terraform | +| 239 | CKV_AWS_113 | resource | aws_ssm_document | Ensure Session Manager logs are enabled and encrypted | Terraform | +| 240 | CKV_AWS_114 | resource | aws_emr_cluster | Ensure that EMR clusters with Kerberos have Kerberos Realm set | Terraform | +| 241 | CKV_AWS_115 | resource | aws_lambda_function | Ensure that AWS Lambda function is configured for function-level concurrent execution limit | Terraform | +| 242 | CKV_AWS_116 | resource | aws_lambda_function | Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ) | Terraform | +| 243 | CKV_AWS_117 | resource | aws_lambda_function | Ensure that AWS Lambda function is configured inside a VPC | Terraform | +| 244 | CKV_AWS_118 | resource | aws_db_instance | Ensure that enhanced monitoring is enabled for Amazon RDS instances | Terraform | +| 245 | CKV_AWS_118 | resource | aws_rds_cluster_instance | Ensure that enhanced monitoring is enabled for Amazon RDS instances | Terraform | +| 246 | CKV_AWS_119 | resource | 
aws_dynamodb_table | Ensure DynamoDB Tables are encrypted using KMS | Terraform | +| 247 | CKV_AWS_120 | resource | aws_api_gateway_stage | Ensure API Gateway caching is enabled | Terraform | +| 248 | CKV_AWS_120 | resource | AWS::ApiGateway::Stage | Ensure API Gateway caching is enabled | Cloudformation | +| 249 | CKV_AWS_121 | resource | aws_config_configuration_aggregator | Ensure AWS Config is enabled in all regions | Terraform | +| 250 | CKV_AWS_122 | resource | aws_sagemaker_notebook_instance | Ensure that direct internet access is disabled for an Amazon SageMaker Notebook Instance | Terraform | +| 251 | CKV_AWS_123 | resource | aws_vpc_endpoint_service | Ensure that VPC Endpoint Service is configured for Manual Acceptance | Terraform | +| 252 | CKV_AWS_123 | resource | AWS::EC2::VPCEndpointService | Ensure that VPC Endpoint Service is configured for Manual Acceptance | Cloudformation | +| 253 | CKV_AWS_124 | resource | aws_cloudformation_stack | Ensure that CloudFormation stacks are sending event notifications to an SNS topic | Terraform | +| 254 | CKV_AWS_126 | resource | aws_instance | Ensure that detailed monitoring is enabled for EC2 instances | Terraform | +| 255 | CKV_AWS_127 | resource | aws_elb | Ensure that Elastic Load Balancer(s) uses SSL certificates provided by AWS Certificate Manager | Terraform | +| 256 | CKV_AWS_128 | resource | aws_rds_cluster | Ensure that an Amazon RDS Clusters have AWS Identity and Access Management (IAM) authentication enabled | Terraform | +| 257 | CKV_AWS_129 | resource | aws_db_instance | Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled | Terraform | +| 258 | CKV_AWS_130 | resource | aws_subnet | Ensure VPC subnets do not assign public IP by default | Terraform | +| 259 | CKV_AWS_131 | resource | aws_lb | Ensure that ALB drops HTTP headers | Terraform | +| 260 | CKV_AWS_131 | resource | aws_alb | Ensure that ALB drops HTTP headers | Terraform | +| 261 | CKV_AWS_131 | resource 
| AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure that ALB drops HTTP headers | Cloudformation | +| 262 | CKV_AWS_133 | resource | aws_rds_cluster | Ensure that RDS instances has backup policy | Terraform | +| 263 | CKV_AWS_134 | resource | aws_elasticache_cluster | Ensure that Amazon ElastiCache Redis clusters have automatic backup turned on | Terraform | +| 264 | CKV_AWS_135 | resource | aws_instance | Ensure that EC2 is EBS optimized | Terraform | +| 265 | CKV_AWS_136 | resource | aws_ecr_repository | Ensure that ECR repositories are encrypted using KMS | Terraform | +| 266 | CKV_AWS_136 | resource | AWS::ECR::Repository | Ensure that ECR repositories are encrypted using KMS | Cloudformation | +| 267 | CKV_AWS_137 | resource | aws_elasticsearch_domain | Ensure that Elasticsearch is configured inside a VPC | Terraform | +| 268 | CKV_AWS_138 | resource | aws_elb | Ensure that ELB is cross-zone-load-balancing enabled | Terraform | +| 269 | CKV_AWS_139 | resource | aws_rds_cluster | Ensure that RDS clusters have deletion protection enabled | Terraform | +| 270 | CKV_AWS_140 | resource | aws_rds_global_cluster | Ensure that RDS global clusters are encrypted | Terraform | +| 271 | CKV_AWS_141 | resource | aws_redshift_cluster | Ensured that redshift cluster allowing version upgrade by default | Terraform | +| 272 | CKV_AWS_142 | resource | aws_redshift_cluster | Ensure that Redshift cluster is encrypted by KMS | Terraform | +| 273 | CKV_AWS_143 | resource | aws_s3_bucket | Ensure that S3 bucket has lock configuration enabled by default | Terraform | +| 274 | CKV_AWS_144 | resource | aws_s3_bucket | Ensure that S3 bucket has cross-region replication enabled | Terraform | +| 275 | CKV_AWS_145 | resource | aws_s3_bucket | Ensure that S3 buckets are encrypted with KMS by default | Terraform | +| 276 | CKV_AWS_146 | resource | aws_db_cluster_snapshot | Ensure that RDS database cluster snapshot is encrypted | Terraform | +| 277 | CKV_AWS_147 | resource | 
aws_codebuild_project | Ensure that CodeBuild projects are encrypted | Terraform | +| 278 | CKV_AWS_148 | resource | aws_default_vpc | Ensure no default VPC is planned to be provisioned | Terraform | +| 279 | CKV_AWS_149 | resource | aws_secretsmanager_secret | Ensure that Secrets Manager secret is encrypted using KMS | Terraform | +| 280 | CKV_AWS_150 | resource | aws_lb | Ensure that Load Balancer has deletion protection enabled | Terraform | +| 281 | CKV_AWS_150 | resource | aws_alb | Ensure that Load Balancer has deletion protection enabled | Terraform | +| 282 | CKV_AWS_151 | resource | aws_eks_cluster | Ensure Kubernetes Secrets are encrypted using Customer Master Keys (CMKs) managed in AWS KMS | Terraform | +| 283 | CKV_AWS_152 | resource | aws_lb | Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled | Terraform | +| 284 | CKV_AWS_152 | resource | aws_alb | Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled | Terraform | +| 285 | CKV_AWS_153 | resource | aws_autoscaling_group | Autoscaling groups should supply tags to launch configurations | Terraform | +| 286 | CKV_AWS_154 | resource | aws_redshift_cluster | Ensure Redshift is not deployed outside of a VPC | Terraform | +| 287 | CKV_AWS_154 | resource | AWS::Redshift::Cluster | Ensure Redshift is not deployed outside of a VPC | Cloudformation | +| 288 | CKV_AWS_155 | resource | aws_workspaces_workspace | Ensure that Workspace user volumes are encrypted | Terraform | +| 289 | CKV_AWS_155 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace user volumes are encrypted | Cloudformation | +| 290 | CKV_AWS_156 | resource | aws_workspaces_workspace | Ensure that Workspace root volumes are encrypted | Terraform | +| 291 | CKV_AWS_156 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace root volumes are encrypted | Cloudformation | +| 292 | CKV_AWS_157 | resource | aws_db_instance | Ensure that RDS instances have Multi-AZ enabled | 
Terraform | +| 293 | CKV_AWS_157 | resource | AWS::RDS::DBInstance | Ensure that RDS instances have Multi-AZ enabled | Cloudformation | +| 294 | CKV_AWS_158 | resource | aws_cloudwatch_log_group | Ensure that CloudWatch Log Group is encrypted by KMS | Terraform | +| 295 | CKV_AWS_158 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group is encrypted by KMS | Cloudformation | +| 296 | CKV_AWS_159 | resource | aws_athena_workgroup | Ensure that Athena Workgroup is encrypted | Terraform | +| 297 | CKV_AWS_160 | resource | aws_timestreamwrite_database | Ensure that Timestream database is encrypted with KMS CMK | Terraform | +| 298 | CKV_AWS_160 | resource | AWS::Timestream::Database | Ensure that Timestream database is encrypted with KMS CMK | Cloudformation | +| 299 | CKV_AWS_161 | resource | aws_db_instance | Ensure RDS database has IAM authentication enabled | Terraform | +| 300 | CKV_AWS_161 | resource | AWS::RDS::DBInstance | Ensure RDS database has IAM authentication enabled | Cloudformation | +| 301 | CKV_AWS_162 | resource | aws_rds_cluster | Ensure RDS cluster has IAM authentication enabled | Terraform | +| 302 | CKV_AWS_162 | resource | AWS::RDS::DBCluster | Ensure RDS cluster has IAM authentication enabled | Cloudformation | +| 303 | CKV_AWS_163 | resource | aws_ecr_repository | Ensure ECR image scanning on push is enabled | Terraform | +| 304 | CKV_AWS_163 | resource | AWS::ECR::Repository | Ensure ECR image scanning on push is enabled | Cloudformation | +| 305 | CKV_AWS_164 | resource | aws_transfer_server | Ensure Transfer Server is not exposed publicly. | Terraform | +| 306 | CKV_AWS_164 | resource | AWS::Transfer::Server | Ensure Transfer Server is not exposed publicly. 
| Cloudformation | +| 307 | CKV_AWS_165 | resource | aws_dynamodb_global_table | Ensure Dynamodb point in time recovery (backup) is enabled for global tables | Terraform | +| 308 | CKV_AWS_165 | resource | AWS::DynamoDB::GlobalTable | Ensure Dynamodb global table point in time recovery (backup) is enabled | Cloudformation | +| 309 | CKV_AWS_166 | resource | aws_backup_vault | Ensure Backup Vault is encrypted at rest using KMS CMK | Terraform | +| 310 | CKV_AWS_166 | resource | AWS::Backup::BackupVault | Ensure Backup Vault is encrypted at rest using KMS CMK | Cloudformation | +| 311 | CKV_AWS_167 | resource | aws_glacier_vault | Ensure Glacier Vault access policy is not public by only allowing specific services or principals to access it | Terraform | +| 312 | CKV_AWS_168 | resource | aws_sqs_queue_policy | Ensure SQS queue policy is not public by only allowing specific services or principals to access it | Terraform | +| 313 | CKV_AWS_169 | resource | aws_sns_topic_policy | Ensure SNS topic policy is not public by only allowing specific services or principals to access it | Terraform | +| 314 | CKV_AWS_170 | resource | aws_qldb_ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Terraform | +| 315 | CKV_AWS_170 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Cloudformation | +| 316 | CKV_AWS_171 | resource | aws_emr_security_configuration | Ensure Cluster security configuration encryption is using SSE-KMS | Terraform | +| 317 | CKV_AWS_172 | resource | aws_qldb_ledger | Ensure QLDB ledger has deletion protection enabled | Terraform | +| 318 | CKV_AWS_172 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger has deletion protection enabled | Cloudformation | +| 319 | CKV2_AWS_1 | resource | aws_subnet | Ensure that all NACL are attached to subnets | Terraform | +| 320 | CKV2_AWS_1 | resource | aws_network_acl | Ensure that all NACL are attached to subnets | Terraform | +| 321 | CKV2_AWS_2 | resource | 
aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | +| 322 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | +| 323 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | +| 324 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform | +| 325 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | +| 326 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | +| 327 | CKV2_AWS_5 | resource | aws_security_group | Ensure that Security Groups are attached to an other resource | Terraform | +| 328 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | +| 329 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | +| 330 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | +| 331 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | +| 332 | CKV2_AWS_8 | resource | aws_rds_cluster | Ensure that RDS clusters has backup plan of AWS Backup | Terraform | +| 333 | CKV2_AWS_9 | resource | aws_backup_selection | Ensure that EBS are added in the backup plans of AWS Backup | Terraform | +| 334 | CKV2_AWS_10 | resource | aws_cloudtrail | Ensure CloudTrail trails are integrated with CloudWatch Logs | Terraform | +| 335 | CKV2_AWS_11 | resource | aws_vpc | Ensure VPC flow logging is enabled in all VPCs | Terraform | +| 336 | CKV2_AWS_12 | resource | aws_vpc | Ensure the default security 
group of every VPC restricts all traffic | Terraform | +| 337 | CKV2_AWS_12 | resource | aws_default_security_group | Ensure the default security group of every VPC restricts all traffic | Terraform | +| 338 | CKV2_AWS_13 | resource | aws_redshift_cluster | Ensure that Redshift clusters has backup plan of AWS Backup | Terraform | +| 339 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | +| 340 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | +| 341 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | +| 342 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | +| 343 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | +| 344 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | +| 345 | CKV2_AWS_18 | resource | aws_backup_selection | Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup | Terraform | +| 346 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | +| 347 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | +| 348 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | +| 349 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | +| 350 | CKV2_AWS_21 | resource | aws_iam_group_membership | Ensure that all IAM users 
are members of at least one IAM group. | Terraform | +| 351 | CKV2_AWS_22 | resource | aws_iam_user | Ensure an IAM User does not have access to the console | Terraform | +| 352 | CKV2_AWS_23 | resource | aws_route53_record | Route53 A Record has Attached Resource | Terraform | +| 353 | CKV2_AWS_27 | resource | aws_db_instance | Postgres RDS has Query Logging enabled | Terraform | +| 354 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Postgres RDS has Query Logging enabled | Terraform | +| 355 | CKV2_AWS_28 | resource | aws_lb | Ensure public facing ALB are protected by WAF | Terraform | +| 356 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform | +| 357 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform | +| 358 | CKV_AZURE_1 | resource | azurerm_linux_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | +| 359 | CKV_AZURE_1 | resource | azurerm_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | +| 360 | CKV_AZURE_1 | resource | Microsoft.Compute/virtualMachines | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | arm | +| 361 | CKV_AZURE_2 | resource | azurerm_managed_disk | Ensure Azure managed disk has encryption enabled | Terraform | +| 362 | CKV_AZURE_2 | resource | Microsoft.Compute/disks | Ensure Azure managed disk have encryption enabled | arm | +| 363 | CKV_AZURE_3 | resource | azurerm_storage_account | Ensure that 'Secure transfer required' is set to 'Enabled' | Terraform | +| 364 | CKV_AZURE_3 | resource | Microsoft.Storage/storageAccounts | Ensure that 'supportsHttpsTrafficOnly' is set to 'true' | arm | +| 365 | CKV_AZURE_4 | resource | azurerm_kubernetes_cluster | Ensure AKS logging to Azure Monitoring is Configured | Terraform | +| 366 | CKV_AZURE_4 | resource | 
Microsoft.ContainerService/managedClusters | Ensure AKS logging to Azure Monitoring is Configured | arm | +| 367 | CKV_AZURE_5 | resource | azurerm_kubernetes_cluster | Ensure RBAC is enabled on AKS clusters | Terraform | +| 368 | CKV_AZURE_5 | resource | Microsoft.ContainerService/managedClusters | Ensure RBAC is enabled on AKS clusters | arm | +| 369 | CKV_AZURE_6 | resource | azurerm_kubernetes_cluster | Ensure AKS has an API Server Authorized IP Ranges enabled | Terraform | +| 370 | CKV_AZURE_6 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS has an API Server Authorized IP Ranges enabled | arm | +| 371 | CKV_AZURE_7 | resource | azurerm_kubernetes_cluster | Ensure AKS cluster has Network Policy configured | Terraform | +| 372 | CKV_AZURE_7 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS cluster has Network Policy configured | arm | +| 373 | CKV_AZURE_8 | resource | azurerm_kubernetes_cluster | Ensure Kube Dashboard is disabled | Terraform | +| 374 | CKV_AZURE_8 | resource | Microsoft.ContainerService/managedClusters | Ensure Kubernetes Dashboard is disabled | arm | +| 375 | CKV_AZURE_9 | resource | azurerm_network_security_rule | Ensure that RDP access is restricted from the internet | Terraform | +| 376 | CKV_AZURE_9 | resource | azurerm_network_security_group | Ensure that RDP access is restricted from the internet | Terraform | +| 377 | CKV_AZURE_9 | resource | Microsoft.Network/networkSecurityGroups | Ensure that RDP access is restricted from the internet | arm | +| 378 | CKV_AZURE_9 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that RDP access is restricted from the internet | arm | +| 379 | CKV_AZURE_10 | resource | azurerm_network_security_rule | Ensure that SSH access is restricted from the internet | Terraform | +| 380 | CKV_AZURE_10 | resource | azurerm_network_security_group | Ensure that SSH access is restricted from the internet | Terraform | +| 381 | CKV_AZURE_10 | resource | 
Microsoft.Network/networkSecurityGroups | Ensure that SSH access is restricted from the internet | arm | +| 382 | CKV_AZURE_10 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that SSH access is restricted from the internet | arm | +| 383 | CKV_AZURE_11 | resource | azurerm_mariadb_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | +| 384 | CKV_AZURE_11 | resource | azurerm_sql_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | +| 385 | CKV_AZURE_11 | resource | azurerm_postgresql_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | +| 386 | CKV_AZURE_11 | resource | azurerm_mysql_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | +| 387 | CKV_AZURE_11 | resource | Microsoft.Sql/servers | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | arm | +| 388 | CKV_AZURE_12 | resource | azurerm_network_watcher_flow_log | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Terraform | +| 389 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/flowLogs | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | arm | +| 390 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/FlowLogs | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | arm | +| 391 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/flowLogs/ | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | arm | +| 392 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/FlowLogs/ | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | arm | +| 393 | CKV_AZURE_13 | resource | azurerm_app_service | Ensure App Service Authentication is set on Azure App Service | Terraform | +| 394 | CKV_AZURE_13 | resource | 
Microsoft.Web/sites/config | Ensure App Service Authentication is set on Azure App Service | arm | +| 395 | CKV_AZURE_13 | resource | config | Ensure App Service Authentication is set on Azure App Service | arm | +| 396 | CKV_AZURE_14 | resource | azurerm_app_service | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | Terraform | +| 397 | CKV_AZURE_14 | resource | Microsoft.Web/sites | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | arm | +| 398 | CKV_AZURE_15 | resource | azurerm_app_service | Ensure web app is using the latest version of TLS encryption | Terraform | +| 399 | CKV_AZURE_15 | resource | Microsoft.Web/sites | Ensure web app is using the latest version of TLS encryption | arm | +| 400 | CKV_AZURE_16 | resource | azurerm_app_service | Ensure that Register with Azure Active Directory is enabled on App Service | Terraform | +| 401 | CKV_AZURE_16 | resource | Microsoft.Web/sites | Ensure that Register with Azure Active Directory is enabled on App Service | arm | +| 402 | CKV_AZURE_17 | resource | azurerm_app_service | Ensure the web app has 'Client Certificates (Incoming client certificates)' set | Terraform | +| 403 | CKV_AZURE_17 | resource | Microsoft.Web/sites | Ensure the web app has 'Client Certificates (Incoming client certificates)' set | arm | +| 404 | CKV_AZURE_18 | resource | azurerm_app_service | Ensure that 'HTTP Version' is the latest if used to run the web app | Terraform | +| 405 | CKV_AZURE_18 | resource | Microsoft.Web/sites | Ensure that 'HTTP Version' is the latest if used to run the web app | arm | +| 406 | CKV_AZURE_19 | resource | azurerm_security_center_subscription_pricing | Ensure that standard pricing tier is selected | Terraform | +| 407 | CKV_AZURE_19 | resource | Microsoft.Security/pricings | Ensure that standard pricing tier is selected | arm | +| 408 | CKV_AZURE_20 | resource | azurerm_security_center_contact | Ensure that security contact 'Phone number' is set | Terraform | 
+| 409 | CKV_AZURE_20 | resource | Microsoft.Security/securityContacts | Ensure that security contact 'Phone number' is set | arm | +| 410 | CKV_AZURE_21 | resource | azurerm_security_center_contact | Ensure that 'Send email notification for high severity alerts' is set to 'On' | Terraform | +| 411 | CKV_AZURE_21 | resource | Microsoft.Security/securityContacts | Ensure that 'Send email notification for high severity alerts' is set to 'On' | arm | +| 412 | CKV_AZURE_22 | resource | azurerm_security_center_contact | Ensure that 'Send email notification for high severity alerts' is set to 'On' | Terraform | +| 413 | CKV_AZURE_22 | resource | Microsoft.Security/securityContacts | Ensure that 'Send email notification for high severity alerts' is set to 'On' | arm | +| 414 | CKV_AZURE_23 | resource | azurerm_sql_server | Ensure that 'Auditing' is set to 'On' for SQL servers | Terraform | +| 415 | CKV_AZURE_23 | resource | azurerm_mssql_server | Ensure that 'Auditing' is set to 'On' for SQL servers | Terraform | +| 416 | CKV_AZURE_23 | resource | Microsoft.Sql/servers | Ensure that 'Auditing' is set to 'Enabled' for SQL servers | arm | +| 417 | CKV_AZURE_24 | resource | azurerm_sql_server | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Terraform | +| 418 | CKV_AZURE_24 | resource | azurerm_mssql_server | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Terraform | +| 419 | CKV_AZURE_24 | resource | Microsoft.Sql/servers | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | arm | +| 420 | CKV_AZURE_25 | resource | azurerm_mssql_server_security_alert_policy | Ensure that 'Threat Detection types' is set to 'All' | Terraform | +| 421 | CKV_AZURE_25 | resource | Microsoft.Sql/servers/databases | Ensure that 'Threat Detection types' is set to 'All' | arm | +| 422 | CKV_AZURE_26 | resource | azurerm_mssql_server_security_alert_policy | Ensure that 'Send Alerts To' is enabled for MSSQL servers | 
Terraform | +| 423 | CKV_AZURE_26 | resource | Microsoft.Sql/servers/databases | Ensure that 'Send Alerts To' is enabled for MSSQL servers | arm | +| 424 | CKV_AZURE_27 | resource | azurerm_mssql_server_security_alert_policy | Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers | Terraform | +| 425 | CKV_AZURE_27 | resource | Microsoft.Sql/servers/databases | Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers | arm | +| 426 | CKV_AZURE_28 | resource | azurerm_mysql_server | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server | Terraform | +| 427 | CKV_AZURE_28 | resource | Microsoft.DBforMySQL/servers | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server | arm | +| 428 | CKV_AZURE_29 | resource | azurerm_postgresql_server | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | Terraform | +| 429 | CKV_AZURE_29 | resource | Microsoft.DBforPostgreSQL/servers | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | arm | +| 430 | CKV_AZURE_30 | resource | azurerm_postgresql_configuration | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | Terraform | +| 431 | CKV_AZURE_30 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | arm | +| 432 | CKV_AZURE_30 | resource | configurations | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | arm | +| 433 | CKV_AZURE_31 | resource | azurerm_postgresql_configuration | Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server | Terraform | +| 434 | CKV_AZURE_31 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure configuration 'log_connections' is set to 'ON' for PostgreSQL Database Server | arm | +| 435 | CKV_AZURE_31 | resource | 
configurations | Ensure configuration 'log_connections' is set to 'ON' for PostgreSQL Database Server | arm | +| 436 | CKV_AZURE_32 | resource | azurerm_postgresql_configuration | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | Terraform | +| 437 | CKV_AZURE_32 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | arm | +| 438 | CKV_AZURE_32 | resource | configurations | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | arm | +| 439 | CKV_AZURE_33 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Queue service for read, write and delete requests | Terraform | +| 440 | CKV_AZURE_33 | resource | Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings | Ensure Storage logging is enabled for Queue service for read, write and delete requests | arm | +| 441 | CKV_AZURE_34 | resource | azurerm_storage_container | Ensure that 'Public access level' is set to Private for blob containers | Terraform | +| 442 | CKV_AZURE_34 | resource | Microsoft.Storage/storageAccounts/blobServices/containers | Ensure that 'Public access level' is set to Private for blob containers | arm | +| 443 | CKV_AZURE_34 | resource | containers | Ensure that 'Public access level' is set to Private for blob containers | arm | +| 444 | CKV_AZURE_34 | resource | blobServices/containers | Ensure that 'Public access level' is set to Private for blob containers | arm | +| 445 | CKV_AZURE_35 | resource | azurerm_storage_account | Ensure default network access rule for Storage Accounts is set to deny | Terraform | +| 446 | CKV_AZURE_35 | resource | azurerm_storage_account_network_rules | Ensure default network access rule for Storage Accounts is set to deny | Terraform | +| 447 | CKV_AZURE_35 | resource | Microsoft.Storage/storageAccounts | Ensure default network 
access rule for Storage Accounts is set to deny | arm | +| 448 | CKV_AZURE_36 | resource | azurerm_storage_account | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | Terraform | +| 449 | CKV_AZURE_36 | resource | azurerm_storage_account_network_rules | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | Terraform | +| 450 | CKV_AZURE_36 | resource | Microsoft.Storage/storageAccounts | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | arm | +| 451 | CKV_AZURE_37 | resource | azurerm_monitor_log_profile | Ensure that Activity Log Retention is set 365 days or greater | Terraform | +| 452 | CKV_AZURE_37 | resource | microsoft.insights/logprofiles | Ensure that Activity Log Retention is set 365 days or greater | arm | +| 453 | CKV_AZURE_38 | resource | azurerm_monitor_log_profile | Ensure audit profile captures all the activities | Terraform | +| 454 | CKV_AZURE_38 | resource | microsoft.insights/logprofiles | Ensure audit profile captures all the activities | arm | +| 455 | CKV_AZURE_39 | resource | azurerm_role_definition | Ensure that no custom subscription owner roles are created | Terraform | +| 456 | CKV_AZURE_39 | resource | Microsoft.Authorization/roleDefinitions | Ensure that no custom subscription owner roles are created | arm | +| 457 | CKV_AZURE_40 | resource | azurerm_key_vault_key | Ensure that the expiration date is set on all keys | Terraform | +| 458 | CKV_AZURE_41 | resource | azurerm_key_vault_secret | Ensure that the expiration date is set on all secrets | Terraform | +| 459 | CKV_AZURE_41 | resource | Microsoft.KeyVault/vaults/secrets | Ensure that the expiration date is set on all secrets | arm | +| 460 | CKV_AZURE_42 | resource | azurerm_key_vault | Ensure the key vault is recoverable | Terraform | +| 461 | CKV_AZURE_42 | resource | Microsoft.KeyVault/vaults | Ensure the key vault is recoverable | arm | +| 462 | CKV_AZURE_43 | resource | azurerm_storage_account | Ensure 
the Storage Account naming rules | Terraform | +| 463 | CKV_AZURE_44 | resource | azurerm_storage_account | Ensure Storage Account is using the latest version of TLS encryption | Terraform | +| 464 | CKV_AZURE_45 | resource | azurerm_virtual_machine | Ensure that no sensitive credentials are exposed in VM custom_data | Terraform | +| 465 | CKV_AZURE_46 | resource | azurerm_mssql_database_extended_auditing_policy | Specifies a retention period of less than 90 days. | Terraform | +| 466 | CKV_AZURE_47 | resource | azurerm_mariadb_server | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MariaDB servers | Terraform | +| 467 | CKV_AZURE_48 | resource | azurerm_mariadb_server | Ensure 'public network access enabled' is set to 'False' for MariaDB servers | Terraform | +| 468 | CKV_AZURE_49 | resource | azurerm_linux_virtual_machine_scale_set | Ensure Azure linux scale set does not use basic authentication(Use SSH Key Instead) | Terraform | +| 469 | CKV_AZURE_50 | resource | azurerm_linux_virtual_machine | Ensure Virtual Machine Extensions are not Installed | Terraform | +| 470 | CKV_AZURE_50 | resource | azurerm_virtual_machine | Ensure Virtual Machine Extensions are not Installed | Terraform | +| 471 | CKV_AZURE_52 | resource | azurerm_mssql_server | Ensure MSSQL is using the latest version of TLS encryption | Terraform | +| 472 | CKV_AZURE_53 | resource | azurerm_mysql_server | Ensure 'public network access enabled' is set to 'False' for mySQL servers | Terraform | +| 473 | CKV_AZURE_54 | resource | azurerm_mysql_server | Ensure MySQL is using the latest version of TLS encryption | Terraform | +| 474 | CKV_AZURE_55 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Servers | Terraform | +| 475 | CKV_AZURE_56 | resource | azurerm_function_app | Ensure that function apps enables Authentication | Terraform | +| 476 | CKV_AZURE_57 | resource | azurerm_app_service | Ensure that CORS disallows every resource to 
access app services | Terraform | +| 477 | CKV_AZURE_58 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces enables managed virtual networks | Terraform | +| 478 | CKV_AZURE_59 | resource | azurerm_storage_account | Ensure that Storage accounts disallow public access | Terraform | +| 479 | CKV_AZURE_60 | resource | azurerm_storage_account | Ensure that storage account enables secure transfer | Terraform | +| 480 | CKV_AZURE_61 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for App Service | Terraform | +| 481 | CKV_AZURE_62 | resource | azurerm_function_app | Ensure function apps are not accessible from all regions | Terraform | +| 482 | CKV_AZURE_63 | resource | azurerm_app_service | Ensure that App service enables HTTP logging | Terraform | +| 483 | CKV_AZURE_64 | resource | azurerm_storage_sync | Ensure that Azure File Sync disables public network access | Terraform | +| 484 | CKV_AZURE_65 | resource | azurerm_app_service | Ensure that App service enables detailed error messages | Terraform | +| 485 | CKV_AZURE_66 | resource | azurerm_app_service | Ensure that App service enables failed request tracing | Terraform | +| 486 | CKV_AZURE_67 | resource | azurerm_function_app | Ensure that 'HTTP Version' is the latest, if used to run the Function app | Terraform | +| 487 | CKV_AZURE_68 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server disables public network access | Terraform | +| 488 | CKV_AZURE_69 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Azure SQL database servers | Terraform | +| 489 | CKV_AZURE_70 | resource | azurerm_function_app | Ensure that Function apps is only accessible over HTTPS | Terraform | +| 490 | CKV_AZURE_71 | resource | azurerm_app_service | Ensure that Managed identity provider is enabled for app services | Terraform | +| 491 | CKV_AZURE_72 | resource | azurerm_app_service | Ensure 
that remote debugging is not enabled for app services | Terraform | +| 492 | CKV_AZURE_73 | resource | azurerm_automation_variable_bool | Ensure that Automation account variables are encrypted | Terraform | +| 493 | CKV_AZURE_73 | resource | azurerm_automation_variable_string | Ensure that Automation account variables are encrypted | Terraform | +| 494 | CKV_AZURE_73 | resource | azurerm_automation_variable_int | Ensure that Automation account variables are encrypted | Terraform | +| 495 | CKV_AZURE_73 | resource | azurerm_automation_variable_datetime | Ensure that Automation account variables are encrypted | Terraform | +| 496 | CKV_AZURE_74 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer uses disk encryption | Terraform | +| 497 | CKV_AZURE_75 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer uses double encryption | Terraform | +| 498 | CKV_AZURE_76 | resource | azurerm_batch_account | Ensure that Azure Batch account uses key vault to encrypt data | Terraform | +| 499 | CKV_AZURE_77 | resource | azurerm_network_security_rule | Ensure that UDP Services are restricted from the Internet | Terraform | +| 500 | CKV_AZURE_77 | resource | azurerm_network_security_group | Ensure that UDP Services are restricted from the Internet | Terraform | +| 501 | CKV_AZURE_78 | resource | azurerm_app_service | Ensure FTP deployments are disabled | Terraform | +| 502 | CKV_AZURE_79 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for SQL servers on machines | Terraform | +| 503 | CKV_AZURE_80 | resource | azurerm_app_service | Ensure that 'Net Framework' version is the latest, if used as a part of the web app | Terraform | +| 504 | CKV_AZURE_81 | resource | azurerm_app_service | Ensure that 'PHP version' is the latest, if used to run the web app | Terraform | +| 505 | CKV_AZURE_82 | resource | azurerm_app_service | Ensure that 'Python version' is the latest, if used to run the web app | 
Terraform | +| 506 | CKV_AZURE_83 | resource | azurerm_app_service | Ensure that 'Java version' is the latest, if used to run the web app | Terraform | +| 507 | CKV_AZURE_84 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Storage | Terraform | +| 508 | CKV_AZURE_85 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Kubernetes | Terraform | +| 509 | CKV_AZURE_86 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Container Registries | Terraform | +| 510 | CKV_AZURE_87 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Key Vault | Terraform | +| 511 | CKV_AZURE_88 | resource | azurerm_app_service | Ensure that app services use Azure Files | Terraform | +| 512 | CKV_AZURE_89 | resource | azurerm_redis_cache | Ensure that Azure Cache for Redis disables public network access | Terraform | +| 513 | CKV_AZURE_90 | resource | azurerm_mysql_server | Ensure that MySQL server disables public network access | Terraform | +| 514 | CKV_AZURE_91 | resource | azurerm_redis_cache | Ensure that only SSL are enabled for Cache for Redis | Terraform | +| 515 | CKV_AZURE_92 | resource | azurerm_linux_virtual_machine | Ensure that Virtual Machines use managed disks | Terraform | +| 516 | CKV_AZURE_92 | resource | azurerm_windows_virtual_machine | Ensure that Virtual Machines use managed disks | Terraform | +| 517 | CKV_AZURE_93 | resource | azurerm_managed_disk | Ensure that managed disks use a specific set of disk encryption sets for the customer-managed key encryption | Terraform | +| 518 | CKV_AZURE_94 | resource | azurerm_mysql_server | Ensure that My SQL server enables geo-redundant backups | Terraform | +| 519 | CKV_AZURE_95 | resource | azurerm_virtual_machine_scale_set | Ensure that automatic OS image patching is enabled for Virtual Machine Scale Sets | Terraform | +| 
520 | CKV_AZURE_96 | resource | azurerm_mysql_server | Ensure that MySQL server enables infrastructure encryption | Terraform | +| 521 | CKV_AZURE_97 | resource | azurerm_linux_virtual_machine_scale_set | Ensure that Virtual machine scale sets have encryption at host enabled | Terraform | +| 522 | CKV_AZURE_97 | resource | azurerm_windows_virtual_machine_scale_set | Ensure that Virtual machine scale sets have encryption at host enabled | Terraform | +| 523 | CKV_AZURE_98 | resource | azurerm_container_group | Ensure that Azure Container group is deployed into virtual network | Terraform | +| 524 | CKV_AZURE_99 | resource | azurerm_cosmosdb_account | Ensure Cosmos DB accounts have restricted access | Terraform | +| 525 | CKV_AZURE_100 | resource | azurerm_cosmosdb_account | Ensure that Cosmos DB accounts have customer-managed keys to encrypt data at rest | Terraform | +| 526 | CKV_AZURE_101 | resource | azurerm_cosmosdb_account | Ensure that Azure Cosmos DB disables public network access | Terraform | +| 527 | CKV_AZURE_102 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables geo-redundant backups | Terraform | +| 528 | CKV_AZURE_103 | resource | azurerm_data_factory | Ensure that Azure Data Factory uses Git repository for source control | Terraform | +| 529 | CKV_AZURE_104 | resource | azurerm_data_factory | Ensure that Azure Data factory public network access is disabled | Terraform | +| 530 | CKV_AZURE_105 | resource | azurerm_data_lake_store | Ensure that Data Lake Store accounts enables encryption | Terraform | +| 531 | CKV_AZURE_106 | resource | azurerm_eventgrid_domain | Ensure that Azure Event Grid Domain public network access is disabled | Terraform | +| 532 | CKV_AZURE_107 | resource | azurerm_api_management | Ensure that API management services use virtual networks | Terraform | +| 533 | CKV_AZURE_108 | resource | azurerm_iothub | Ensure that Azure IoT Hub disables public network access | Terraform | +| 534 | CKV_AZURE_109 | 
resource | azurerm_key_vault | Ensure that key vault allows firewall rules settings | Terraform | +| 535 | CKV_AZURE_110 | resource | azurerm_key_vault | Ensure that key vault enables purge protection | Terraform | +| 536 | CKV_AZURE_111 | resource | azurerm_key_vault | Ensure that key vault enables soft delete | Terraform | +| 537 | CKV_AZURE_112 | resource | azurerm_key_vault_key | Ensure that key vault key is backed by HSM | Terraform | +| 538 | CKV_AZURE_113 | resource | azurerm_mssql_server | Ensure that SQL server disables public network access | Terraform | +| 539 | CKV_AZURE_114 | resource | azurerm_key_vault_secret | Ensure that key vault secrets have "content_type" set | Terraform | +| 540 | CKV_AZURE_115 | resource | azurerm_kubernetes_cluster | Ensure that AKS enables private clusters | Terraform | +| 541 | CKV_AZURE_116 | resource | azurerm_kubernetes_cluster | Ensure that AKS uses Azure Policies Add-on | Terraform | +| 542 | CKV_AZURE_117 | resource | azurerm_kubernetes_cluster | Ensure that AKS uses disk encryption set | Terraform | +| 543 | CKV_AZURE_118 | resource | azurerm_network_interface | Ensure that Network Interfaces disable IP forwarding | Terraform | +| 544 | CKV_AZURE_119 | resource | azurerm_network_interface | Ensure that Network Interfaces don't use public IPs | Terraform | +| 545 | CKV_AZURE_120 | resource | azurerm_application_gateway | Ensure that Application Gateway enables WAF | Terraform | +| 546 | CKV_AZURE_121 | resource | azurerm_frontdoor | Ensure that Azure Front Door enables WAF | Terraform | +| 547 | CKV_AZURE_122 | resource | azurerm_web_application_firewall_policy | Ensure that Application Gateway uses WAF in "Detection" or "Prevention" modes | Terraform | +| 548 | CKV_AZURE_123 | resource | azurerm_frontdoor_firewall_policy | Ensure that Azure Front Door uses WAF in "Detection" or "Prevention" modes | Terraform | +| 549 | CKV_AZURE_124 | resource | azurerm_search_service | Ensure that Azure Cognitive Search disables 
public network access | Terraform | +| 550 | CKV_AZURE_125 | resource | azurerm_service_fabric_cluster | Ensures that Service Fabric use three levels of protection available | Terraform | +| 551 | CKV_AZURE_126 | resource | azurerm_service_fabric_cluster | Ensures that Active Directory is used for authentication for Service Fabric | Terraform | +| 552 | CKV_AZURE_127 | resource | azurerm_mysql_server | Ensure that My SQL server enables Threat detection policy | Terraform | +| 553 | CKV_AZURE_128 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables Threat detection policy | Terraform | +| 554 | CKV_AZURE_129 | resource | azurerm_mariadb_server | Ensure that MariaDB server enables geo-redundant backups | Terraform | +| 555 | CKV_AZURE_130 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables infrastructure encryption | Terraform | +| 556 | CKV_AZURE_131 | resource | azurerm_security_center_contact | Ensure that 'Security contact emails' is set | Terraform | +| 557 | CKV_AZURE_131 | parameter | secureString | SecureString parameter should not have hardcoded default values | arm | +| 558 | CKV2_AZURE_1 | resource | azurerm_storage_account | Ensure storage for critical data are encrypted with Customer Managed Key | Terraform | +| 559 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | +| 560 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | +| 561 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 562 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 563 | CKV2_AZURE_3 | 
resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 564 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 565 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 566 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 567 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 568 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 569 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 570 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | +| 571 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | +| 572 | CKV2_AZURE_7 | resource | azurerm_sql_server | Ensure that Azure Active Directory Admin is configured | Terraform | +| 573 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | +| 574 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | +| 
575 | CKV2_AZURE_9 | resource | azurerm_virtual_machine | Ensure Virtual Machines are utilizing Managed Disks | Terraform | +| 576 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | +| 577 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | +| 578 | CKV2_AZURE_11 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer encryption at rest uses a customer-managed key | Terraform | +| 579 | CKV2_AZURE_12 | resource | azurerm_virtual_machine | Ensure that virtual machines are backed up using Azure Backup | Terraform | +| 580 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | +| 581 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | +| 582 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | +| 583 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | +| 584 | CKV2_AZURE_15 | resource | azurerm_data_factory | Ensure that Azure data factories are encrypted with a customer-managed key | Terraform | +| 585 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | +| 586 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | +| 587 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | +| 588 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for 
encryption | Terraform | +| 589 | CKV2_AZURE_18 | resource | azurerm_storage_account_customer_managed_key | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | +| 590 | CKV2_AZURE_18 | resource | azurerm_storage_account | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | +| 591 | CKV2_AZURE_19 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces have no IP firewall rules attached | Terraform | +| 592 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 593 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 594 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 595 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 596 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 597 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 598 | CKV_DOCKER_1 | dockerfile | EXPOSE | Ensure port 22 is not exposed | dockerfile | +| 599 | CKV_DOCKER_2 | dockerfile | * | Ensure that HEALTHCHECK instructions have been added to container images | dockerfile | +| 600 | CKV_DOCKER_3 | dockerfile | * | Ensure that a user for the container has been created | dockerfile | +| 601 | CKV_DOCKER_4 | dockerfile | ADD | Ensure that COPY is used instead of ADD in Dockerfiles | dockerfile | +| 602 | CKV_DOCKER_5 | dockerfile | RUN | Ensure update instructions are not use alone in the Dockerfile | dockerfile | +| 603 | CKV_DOCKER_6 | dockerfile | 
MAINTAINER | Ensure that LABEL maintainer is used instead of MAINTAINER (deprecated) | dockerfile | +| 604 | CKV_DOCKER_7 | dockerfile | FROM | Ensure the base image uses a non latest version tag | dockerfile | +| 605 | CKV_DOCKER_8 | dockerfile | USER | Ensure the last USER is not root | dockerfile | +| 606 | CKV_GCP_1 | resource | google_container_cluster | Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters | Terraform | +| 607 | CKV_GCP_2 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted ssh access | Terraform | +| 608 | CKV_GCP_3 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted rdp access | Terraform | +| 609 | CKV_GCP_4 | resource | google_compute_ssl_policy | Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites | Terraform | +| 610 | CKV_GCP_6 | resource | google_sql_database_instance | Ensure all Cloud SQL database instance requires all incoming connections to use SSL | Terraform | +| 611 | CKV_GCP_7 | resource | google_container_cluster | Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters | Terraform | +| 612 | CKV_GCP_8 | resource | google_container_cluster | Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters | Terraform | +| 613 | CKV_GCP_9 | resource | google_container_node_pool | Ensure 'Automatic node repair' is enabled for Kubernetes Clusters | Terraform | +| 614 | CKV_GCP_10 | resource | google_container_node_pool | Ensure 'Automatic node upgrade' is enabled for Kubernetes Clusters | Terraform | +| 615 | CKV_GCP_11 | resource | google_sql_database_instance | Ensure that Cloud SQL database Instances are not open to the world | Terraform | +| 616 | CKV_GCP_12 | resource | google_container_cluster | Ensure Network Policy is enabled on Kubernetes Engine Clusters | Terraform | +| 617 | CKV_GCP_13 | resource | google_container_cluster 
| Ensure a client certificate is used by clients to authenticate to Kubernetes Engine Clusters | Terraform | +| 618 | CKV_GCP_14 | resource | google_sql_database_instance | Ensure all Cloud SQL database instance have backup configuration enabled | Terraform | +| 619 | CKV_GCP_15 | resource | google_bigquery_dataset | Ensure that BigQuery datasets are not anonymously or publicly accessible | Terraform | +| 620 | CKV_GCP_16 | resource | google_dns_managed_zone | Ensure that DNSSEC is enabled for Cloud DNS | Terraform | +| 621 | CKV_GCP_17 | resource | google_dns_managed_zone | Ensure that RSASHA1 is not used for the zone-signing and key-signing keys in Cloud DNS DNSSEC | Terraform | +| 622 | CKV_GCP_18 | resource | google_container_cluster | Ensure GKE Control Plane is not public | Terraform | +| 623 | CKV_GCP_19 | resource | google_container_cluster | Ensure GKE basic auth is disabled | Terraform | +| 624 | CKV_GCP_20 | resource | google_container_cluster | Ensure master authorized networks is set to enabled in GKE clusters | Terraform | +| 625 | CKV_GCP_21 | resource | google_container_cluster | Ensure Kubernetes Clusters are configured with Labels | Terraform | +| 626 | CKV_GCP_22 | resource | google_container_node_pool | Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image | Terraform | +| 627 | CKV_GCP_23 | resource | google_container_cluster | Ensure Kubernetes Cluster is created with Alias IP ranges enabled | Terraform | +| 628 | CKV_GCP_24 | resource | google_container_cluster | Ensure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters | Terraform | +| 629 | CKV_GCP_25 | resource | google_container_cluster | Ensure Kubernetes Cluster is created with Private cluster enabled | Terraform | +| 630 | CKV_GCP_26 | resource | google_compute_subnetwork | Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network | Terraform | +| 631 | CKV_GCP_27 | resource | google_project | Ensure that the default 
network does not exist in a project | Terraform | +| 632 | CKV_GCP_28 | resource | google_storage_bucket_iam_member | Ensure that Cloud Storage bucket is not anonymously or publicly accessible | Terraform | +| 633 | CKV_GCP_28 | resource | google_storage_bucket_iam_binding | Ensure that Cloud Storage bucket is not anonymously or publicly accessible | Terraform | +| 634 | CKV_GCP_29 | resource | google_storage_bucket | Ensure that Cloud Storage buckets have uniform bucket-level access enabled | Terraform | +| 635 | CKV_GCP_30 | resource | google_compute_instance | Ensure that instances are not configured to use the default service account | Terraform | +| 636 | CKV_GCP_31 | resource | google_compute_instance | Ensure that instances are not configured to use the default service account with full access to all Cloud APIs | Terraform | +| 637 | CKV_GCP_32 | resource | google_compute_instance | Ensure 'Block Project-wide SSH keys' is enabled for VM instances | Terraform | +| 638 | CKV_GCP_33 | resource | google_compute_project_metadata | Ensure oslogin is enabled for a Project | Terraform | +| 639 | CKV_GCP_34 | resource | google_compute_instance | Ensure that no instance in the project overrides the project setting for enabling OSLogin(OSLogin needs to be enabled in project metadata for all instances) | Terraform | +| 640 | CKV_GCP_35 | resource | google_compute_instance | Ensure 'Enable connecting to serial ports' is not enabled for VM Instance | Terraform | +| 641 | CKV_GCP_36 | resource | google_compute_instance | Ensure that IP forwarding is not enabled on Instances | Terraform | +| 642 | CKV_GCP_37 | resource | google_compute_disk | Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | +| 643 | CKV_GCP_38 | resource | google_compute_instance | Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | +| 644 | CKV_GCP_39 | resource | google_compute_instance | 
Ensure Compute instances are launched with Shielded VM enabled | Terraform | +| 645 | CKV_GCP_40 | resource | google_compute_instance | Ensure that Compute instances do not have public IP addresses | Terraform | +| 646 | CKV_GCP_41 | resource | google_project_iam_member | Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level | Terraform | +| 647 | CKV_GCP_41 | resource | google_project_iam_binding | Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level | Terraform | +| 648 | CKV_GCP_42 | resource | google_project_iam_member | Ensure that Service Account has no Admin privileges | Terraform | +| 649 | CKV_GCP_43 | resource | google_kms_crypto_key | Ensure KMS encryption keys are rotated within a period of 90 days | Terraform | +| 650 | CKV_GCP_44 | resource | google_folder_iam_member | Ensure no roles that enable to impersonate and manage all service accounts are used at a folder level | Terraform | +| 651 | CKV_GCP_44 | resource | google_folder_iam_binding | Ensure no roles that enable to impersonate and manage all service accounts are used at a folder level | Terraform | +| 652 | CKV_GCP_45 | resource | google_organization_iam_member | Ensure no roles that enable to impersonate and manage all service accounts are used at an organization level | Terraform | +| 653 | CKV_GCP_45 | resource | google_organization_iam_binding | Ensure no roles that enable to impersonate and manage all service accounts are used at an organization level | Terraform | +| 654 | CKV_GCP_46 | resource | google_project_iam_member | Ensure Default Service account is not used at a project level | Terraform | +| 655 | CKV_GCP_46 | resource | google_project_iam_binding | Ensure Default Service account is not used at a project level | Terraform | +| 656 | CKV_GCP_47 | resource | google_organization_iam_member | Ensure default service account is not used at an 
organization level | Terraform | +| 657 | CKV_GCP_47 | resource | google_organization_iam_binding | Ensure default service account is not used at an organization level | Terraform | +| 658 | CKV_GCP_48 | resource | google_folder_iam_member | Ensure Default Service account is not used at a folder level | Terraform | +| 659 | CKV_GCP_48 | resource | google_folder_iam_binding | Ensure Default Service account is not used at a folder level | Terraform | +| 660 | CKV_GCP_49 | resource | google_project_iam_member | Ensure no roles that enable to impersonate and manage all service accounts are used at a project level | Terraform | +| 661 | CKV_GCP_49 | resource | google_project_iam_binding | Ensure no roles that enable to impersonate and manage all service accounts are used at a project level | Terraform | +| 662 | CKV_GCP_50 | resource | google_sql_database_instance | Ensure MySQL database 'local_infile' flag is set to 'off' | Terraform | +| 663 | CKV_GCP_51 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_checkpoints' flag is set to 'on' | Terraform | +| 664 | CKV_GCP_52 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_connections' flag is set to 'on' | Terraform | +| 665 | CKV_GCP_53 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_disconnections' flag is set to 'on' | Terraform | +| 666 | CKV_GCP_54 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_lock_waits' flag is set to 'on' | Terraform | +| 667 | CKV_GCP_55 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_min_messages' flag is set to a valid value | Terraform | +| 668 | CKV_GCP_56 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_temp_files flag is set to '0' | Terraform | +| 669 | CKV_GCP_57 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_min_duration_statement' flag is set to '-1' | Terraform | +| 670 | CKV_GCP_58 | resource | 
google_sql_database_instance | Ensure SQL database 'cross db ownership chaining' flag is set to 'off' | Terraform | +| 671 | CKV_GCP_59 | resource | google_sql_database_instance | Ensure SQL database 'contained database authentication' flag is set to 'off' | Terraform | +| 672 | CKV_GCP_60 | resource | google_sql_database_instance | Ensure SQL database do not have public IP | Terraform | +| 673 | CKV_GCP_61 | resource | google_container_cluster | Enable VPC Flow Logs and Intranode Visibility | Terraform | +| 674 | CKV_GCP_62 | resource | google_storage_bucket | Bucket should log access | Terraform | +| 675 | CKV_GCP_63 | resource | google_storage_bucket | Bucket should not log to itself | Terraform | +| 676 | CKV_GCP_64 | resource | google_container_cluster | Ensure clusters are created with Private Nodes | Terraform | +| 677 | CKV_GCP_65 | resource | google_container_cluster | Manage Kubernetes RBAC users with Google Groups for GKE | Terraform | +| 678 | CKV_GCP_66 | resource | google_container_cluster | Ensure use of Binary Authorization | Terraform | +| 679 | CKV_GCP_67 | resource | google_container_cluster | Ensure legacy Compute Engine instance metadata APIs are Disabled | Terraform | +| 680 | CKV_GCP_68 | resource | google_container_cluster | Ensure Secure Boot for Shielded GKE Nodes is Enabled | Terraform | +| 681 | CKV_GCP_68 | resource | google_container_node_pool | Ensure Secure Boot for Shielded GKE Nodes is Enabled | Terraform | +| 682 | CKV_GCP_69 | resource | google_container_cluster | Ensure the GKE Metadata Server is Enabled | Terraform | +| 683 | CKV_GCP_69 | resource | google_container_node_pool | Ensure the GKE Metadata Server is Enabled | Terraform | +| 684 | CKV_GCP_70 | resource | google_container_cluster | Ensure the GKE Release Channel is set | Terraform | +| 685 | CKV_GCP_71 | resource | google_container_cluster | Ensure Shielded GKE Nodes are Enabled | Terraform | +| 686 | CKV_GCP_72 | resource | google_container_cluster | Ensure Integrity 
Monitoring for Shielded GKE Nodes is Enabled | Terraform | +| 687 | CKV_GCP_72 | resource | google_container_node_pool | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | +| 688 | CKV2_GCP_1 | resource | google_project_default_service_accounts | Ensure GKE clusters are not running using the Compute Engine default service account | Terraform | +| 689 | CKV2_GCP_2 | resource | google_compute_network | Ensure legacy networks do not exist for a project | Terraform | +| 690 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 691 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 692 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 693 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 694 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 695 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 696 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 697 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 698 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 699 
| CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 700 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 701 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 702 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 703 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 704 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 705 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 706 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 707 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 708 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 709 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 710 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 711 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there 
are only GCP-managed service account keys for each service account | Terraform | +| 712 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 713 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 714 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 715 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 716 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 717 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 718 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 719 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 720 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 721 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 722 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 723 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for 
each service account | Terraform | +| 724 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 725 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 726 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 727 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 728 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 729 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 730 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 731 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 732 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 733 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 734 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 735 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 736 | 
CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 737 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 738 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 739 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 740 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 741 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 742 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 743 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 744 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 745 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 746 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 747 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 748 | CKV2_GCP_3 | 
resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 749 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 750 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 751 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 752 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 753 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 754 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 755 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 756 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 757 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 758 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 759 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 760 | CKV2_GCP_3 | 
resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 761 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 762 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 763 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 764 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 765 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 766 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 767 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 768 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 769 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 770 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 771 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 772 | CKV2_GCP_3 | resource | 
google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 773 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 774 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 775 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 776 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 777 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 778 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 779 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 780 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 781 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 782 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 783 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 784 | 
CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 785 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 786 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 787 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 788 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 789 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 790 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 791 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 792 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 793 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 794 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 795 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 796 | CKV2_GCP_3 | 
resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 797 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 798 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 799 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 800 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 801 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 802 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 803 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 804 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 805 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 806 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 807 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 808 | CKV2_GCP_3 | resource | 
google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 809 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 810 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 811 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 812 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 813 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 814 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 815 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 816 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 817 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 818 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 819 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 820 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are 
only GCP-managed service account keys for each service account | Terraform | +| 821 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 822 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 823 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 824 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 825 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 826 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 827 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 828 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 829 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 830 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 831 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 832 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that 
there are only GCP-managed service account keys for each service account | Terraform | +| 833 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 834 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 835 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 836 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 837 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 838 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 839 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 840 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 841 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 842 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 843 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 844 | CKV2_GCP_3 | resource | google_storage_bucket_object | 
Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 845 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 846 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 847 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 848 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 849 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 850 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 851 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 852 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 853 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 854 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 855 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 856 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for 
each service account | Terraform | +| 857 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 858 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 859 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 860 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 861 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 862 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 863 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 864 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 865 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 866 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 867 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 868 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for 
each service account | Terraform | +| 869 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 870 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 871 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 872 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 873 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 874 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 875 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 876 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 877 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 878 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 879 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 880 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | 
Terraform | +| 881 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 882 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 883 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 884 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 885 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 886 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 887 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 888 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 889 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 890 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 891 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 892 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service 
account | Terraform | +| 893 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 894 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 895 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 896 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 897 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 898 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 899 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 900 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 901 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 902 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 903 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 904 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 905 | CKV2_GCP_3 
| resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 906 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 907 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 908 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 909 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 910 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 911 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 912 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 913 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 914 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 915 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 916 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for 
each service account | Terraform | +| 917 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 918 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 919 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 920 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 921 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 922 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 923 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 924 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 925 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 926 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 927 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 928 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys 
for each service account | Terraform | +| 929 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 930 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 931 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 932 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 933 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 934 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 935 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 936 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 937 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 938 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 939 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 940 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each 
service account | Terraform | +| 941 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 942 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 943 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 944 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 945 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 946 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 947 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 948 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 949 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 950 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 951 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 952 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform 
| +| 953 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 954 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 955 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 956 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | +| 957 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | +| 958 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 959 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 960 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 961 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | +| 962 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | +| 963 | CKV_GIT_1 | resource | github_repository | Ensure Repository is Private | Terraform | +| 964 | CKV_K8S_1 | resource | PodSecurityPolicy | Do not admit containers wishing to share the host process ID namespace | Kubernetes | +| 965 | CKV_K8S_2 | resource | PodSecurityPolicy | Do not admit privileged containers | Kubernetes | +| 966 | CKV_K8S_3 | resource | 
PodSecurityPolicy | Do not admit containers wishing to share the host IPC namespace | Kubernetes | +| 967 | CKV_K8S_4 | resource | PodSecurityPolicy | Do not admit containers wishing to share the host network namespace | Kubernetes | +| 968 | CKV_K8S_5 | resource | PodSecurityPolicy | Containers should not run with allowPrivilegeEscalation | Kubernetes | +| 969 | CKV_K8S_6 | resource | PodSecurityPolicy | Do not admit root containers | Kubernetes | +| 970 | CKV_K8S_7 | resource | PodSecurityPolicy | Do not admit containers with the NET_RAW capability | Kubernetes | +| 971 | CKV_K8S_8 | resource | containers | Liveness Probe Should be Configured | Kubernetes | +| 972 | CKV_K8S_9 | resource | containers | Readiness Probe Should be Configured | Kubernetes | +| 973 | CKV_K8S_10 | resource | containers | CPU requests should be set | Kubernetes | +| 974 | CKV_K8S_10 | resource | initContainers | CPU requests should be set | Kubernetes | +| 975 | CKV_K8S_11 | resource | containers | CPU limits should be set | Kubernetes | +| 976 | CKV_K8S_11 | resource | initContainers | CPU limits should be set | Kubernetes | +| 977 | CKV_K8S_12 | resource | containers | Memory requests should be set | Kubernetes | +| 978 | CKV_K8S_12 | resource | initContainers | Memory requests should be set | Kubernetes | +| 979 | CKV_K8S_13 | resource | containers | Memory limits should be set | Kubernetes | +| 980 | CKV_K8S_13 | resource | initContainers | Memory limits should be set | Kubernetes | +| 981 | CKV_K8S_14 | resource | containers | Image Tag should be fixed - not latest or blank | Kubernetes | +| 982 | CKV_K8S_14 | resource | initContainers | Image Tag should be fixed - not latest or blank | Kubernetes | +| 983 | CKV_K8S_15 | resource | containers | Image Pull Policy should be Always | Kubernetes | +| 984 | CKV_K8S_15 | resource | initContainers | Image Pull Policy should be Always | Kubernetes | +| 985 | CKV_K8S_16 | resource | containers | Container should not be privileged | 
Kubernetes | +| 986 | CKV_K8S_16 | resource | initContainers | Container should not be privileged | Kubernetes | +| 987 | CKV_K8S_17 | resource | Pod | Containers should not share the host process ID namespace | Kubernetes | +| 988 | CKV_K8S_17 | resource | Deployment | Containers should not share the host process ID namespace | Kubernetes | +| 989 | CKV_K8S_17 | resource | DaemonSet | Containers should not share the host process ID namespace | Kubernetes | +| 990 | CKV_K8S_17 | resource | StatefulSet | Containers should not share the host process ID namespace | Kubernetes | +| 991 | CKV_K8S_17 | resource | ReplicaSet | Containers should not share the host process ID namespace | Kubernetes | +| 992 | CKV_K8S_17 | resource | ReplicationController | Containers should not share the host process ID namespace | Kubernetes | +| 993 | CKV_K8S_17 | resource | Job | Containers should not share the host process ID namespace | Kubernetes | +| 994 | CKV_K8S_17 | resource | CronJob | Containers should not share the host process ID namespace | Kubernetes | +| 995 | CKV_K8S_18 | resource | Pod | Containers should not share the host IPC namespace | Kubernetes | +| 996 | CKV_K8S_18 | resource | Deployment | Containers should not share the host IPC namespace | Kubernetes | +| 997 | CKV_K8S_18 | resource | DaemonSet | Containers should not share the host IPC namespace | Kubernetes | +| 998 | CKV_K8S_18 | resource | StatefulSet | Containers should not share the host IPC namespace | Kubernetes | +| 999 | CKV_K8S_18 | resource | ReplicaSet | Containers should not share the host IPC namespace | Kubernetes | +| 1000 | CKV_K8S_18 | resource | ReplicationController | Containers should not share the host IPC namespace | Kubernetes | +| 1001 | CKV_K8S_18 | resource | Job | Containers should not share the host IPC namespace | Kubernetes | +| 1002 | CKV_K8S_18 | resource | CronJob | Containers should not share the host IPC namespace | Kubernetes | +| 1003 | CKV_K8S_19 | resource | Pod | 
Containers should not share the host network namespace | Kubernetes | +| 1004 | CKV_K8S_19 | resource | Deployment | Containers should not share the host network namespace | Kubernetes | +| 1005 | CKV_K8S_19 | resource | DaemonSet | Containers should not share the host network namespace | Kubernetes | +| 1006 | CKV_K8S_19 | resource | StatefulSet | Containers should not share the host network namespace | Kubernetes | +| 1007 | CKV_K8S_19 | resource | ReplicaSet | Containers should not share the host network namespace | Kubernetes | +| 1008 | CKV_K8S_19 | resource | ReplicationController | Containers should not share the host network namespace | Kubernetes | +| 1009 | CKV_K8S_19 | resource | Job | Containers should not share the host network namespace | Kubernetes | +| 1010 | CKV_K8S_19 | resource | CronJob | Containers should not share the host network namespace | Kubernetes | +| 1011 | CKV_K8S_20 | resource | containers | Containers should not run with allowPrivilegeEscalation | Kubernetes | +| 1012 | CKV_K8S_20 | resource | initContainers | Containers should not run with allowPrivilegeEscalation | Kubernetes | +| 1013 | CKV_K8S_21 | resource | Service | The default namespace should not be used | Kubernetes | +| 1014 | CKV_K8S_21 | resource | Pod | The default namespace should not be used | Kubernetes | +| 1015 | CKV_K8S_21 | resource | Deployment | The default namespace should not be used | Kubernetes | +| 1016 | CKV_K8S_21 | resource | DaemonSet | The default namespace should not be used | Kubernetes | +| 1017 | CKV_K8S_21 | resource | StatefulSet | The default namespace should not be used | Kubernetes | +| 1018 | CKV_K8S_21 | resource | ReplicaSet | The default namespace should not be used | Kubernetes | +| 1019 | CKV_K8S_21 | resource | ReplicationController | The default namespace should not be used | Kubernetes | +| 1020 | CKV_K8S_21 | resource | Job | The default namespace should not be used | Kubernetes | +| 1021 | CKV_K8S_21 | resource | CronJob | The 
default namespace should not be used | Kubernetes | +| 1022 | CKV_K8S_21 | resource | Secret | The default namespace should not be used | Kubernetes | +| 1023 | CKV_K8S_21 | resource | ServiceAccount | The default namespace should not be used | Kubernetes | +| 1024 | CKV_K8S_21 | resource | Role | The default namespace should not be used | Kubernetes | +| 1025 | CKV_K8S_21 | resource | RoleBinding | The default namespace should not be used | Kubernetes | +| 1026 | CKV_K8S_21 | resource | ConfigMap | The default namespace should not be used | Kubernetes | +| 1027 | CKV_K8S_21 | resource | Ingress | The default namespace should not be used | Kubernetes | +| 1028 | CKV_K8S_22 | resource | containers | Use read-only filesystem for containers where possible | Kubernetes | +| 1029 | CKV_K8S_22 | resource | initContainers | Use read-only filesystem for containers where possible | Kubernetes | +| 1030 | CKV_K8S_23 | resource | Pod | Minimize the admission of root containers | Kubernetes | +| 1031 | CKV_K8S_23 | resource | Deployment | Minimize the admission of root containers | Kubernetes | +| 1032 | CKV_K8S_23 | resource | DaemonSet | Minimize the admission of root containers | Kubernetes | +| 1033 | CKV_K8S_23 | resource | StatefulSet | Minimize the admission of root containers | Kubernetes | +| 1034 | CKV_K8S_23 | resource | ReplicaSet | Minimize the admission of root containers | Kubernetes | +| 1035 | CKV_K8S_23 | resource | ReplicationController | Minimize the admission of root containers | Kubernetes | +| 1036 | CKV_K8S_23 | resource | Job | Minimize the admission of root containers | Kubernetes | +| 1037 | CKV_K8S_23 | resource | CronJob | Minimize the admission of root containers | Kubernetes | +| 1038 | CKV_K8S_24 | resource | PodSecurityPolicy | Do not allow containers with added capability | Kubernetes | +| 1039 | CKV_K8S_25 | resource | containers | Minimize the admission of containers with added capability | Kubernetes | +| 1040 | CKV_K8S_25 | resource | 
initContainers | Minimize the admission of containers with added capability | Kubernetes | +| 1041 | CKV_K8S_26 | resource | containers | Do not specify hostPort unless absolutely necessary | Kubernetes | +| 1042 | CKV_K8S_26 | resource | initContainers | Do not specify hostPort unless absolutely necessary | Kubernetes | +| 1043 | CKV_K8S_27 | resource | Pod | Do not expose the docker daemon socket to containers | Kubernetes | +| 1044 | CKV_K8S_27 | resource | Deployment | Do not expose the docker daemon socket to containers | Kubernetes | +| 1045 | CKV_K8S_27 | resource | DaemonSet | Do not expose the docker daemon socket to containers | Kubernetes | +| 1046 | CKV_K8S_27 | resource | StatefulSet | Do not expose the docker daemon socket to containers | Kubernetes | +| 1047 | CKV_K8S_27 | resource | ReplicaSet | Do not expose the docker daemon socket to containers | Kubernetes | +| 1048 | CKV_K8S_27 | resource | ReplicationController | Do not expose the docker daemon socket to containers | Kubernetes | +| 1049 | CKV_K8S_27 | resource | Job | Do not expose the docker daemon socket to containers | Kubernetes | +| 1050 | CKV_K8S_27 | resource | CronJob | Do not expose the docker daemon socket to containers | Kubernetes | +| 1051 | CKV_K8S_28 | resource | containers | Minimize the admission of containers with the NET_RAW capability | Kubernetes | +| 1052 | CKV_K8S_28 | resource | initContainers | Minimize the admission of containers with the NET_RAW capability | Kubernetes | +| 1053 | CKV_K8S_29 | resource | Pod | Apply security context to your pods and containers | Kubernetes | +| 1054 | CKV_K8S_29 | resource | Deployment | Apply security context to your pods and containers | Kubernetes | +| 1055 | CKV_K8S_29 | resource | DaemonSet | Apply security context to your pods and containers | Kubernetes | +| 1056 | CKV_K8S_29 | resource | StatefulSet | Apply security context to your pods and containers | Kubernetes | +| 1057 | CKV_K8S_29 | resource | ReplicaSet | Apply 
security context to your pods and containers | Kubernetes | +| 1058 | CKV_K8S_29 | resource | ReplicationController | Apply security context to your pods and containers | Kubernetes | +| 1059 | CKV_K8S_29 | resource | Job | Apply security context to your pods and containers | Kubernetes | +| 1060 | CKV_K8S_29 | resource | CronJob | Apply security context to your pods and containers | Kubernetes | +| 1061 | CKV_K8S_30 | resource | containers | Apply security context to your pods and containers | Kubernetes | +| 1062 | CKV_K8S_30 | resource | initContainers | Apply security context to your pods and containers | Kubernetes | +| 1063 | CKV_K8S_31 | resource | Pod | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | +| 1064 | CKV_K8S_31 | resource | Deployment | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | +| 1065 | CKV_K8S_31 | resource | DaemonSet | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | +| 1066 | CKV_K8S_31 | resource | StatefulSet | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | +| 1067 | CKV_K8S_31 | resource | ReplicaSet | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | +| 1068 | CKV_K8S_31 | resource | ReplicationController | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | +| 1069 | CKV_K8S_31 | resource | Job | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | +| 1070 | CKV_K8S_31 | resource | CronJob | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | +| 1071 | CKV_K8S_32 | resource | PodSecurityPolicy | Ensure default seccomp profile set to docker/default or runtime/default | Kubernetes | +| 1072 | CKV_K8S_33 | resource | containers | Ensure the Kubernetes dashboard is not deployed | Kubernetes | +| 1073 | CKV_K8S_33 
| resource | initContainers | Ensure the Kubernetes dashboard is not deployed | Kubernetes | +| 1074 | CKV_K8S_34 | resource | containers | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | +| 1075 | CKV_K8S_34 | resource | initContainers | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | +| 1076 | CKV_K8S_35 | resource | containers | Prefer using secrets as files over secrets as environment variables | Kubernetes | +| 1077 | CKV_K8S_35 | resource | initContainers | Prefer using secrets as files over secrets as environment variables | Kubernetes | +| 1078 | CKV_K8S_36 | resource | PodSecurityPolicy | Minimize the admission of containers with capabilities assigned | Kubernetes | +| 1079 | CKV_K8S_37 | resource | containers | Minimize the admission of containers with capabilities assigned | Kubernetes | +| 1080 | CKV_K8S_37 | resource | initContainers | Minimize the admission of containers with capabilities assigned | Kubernetes | +| 1081 | CKV_K8S_38 | resource | Pod | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | +| 1082 | CKV_K8S_38 | resource | Deployment | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | +| 1083 | CKV_K8S_38 | resource | DaemonSet | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | +| 1084 | CKV_K8S_38 | resource | StatefulSet | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | +| 1085 | CKV_K8S_38 | resource | ReplicaSet | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | +| 1086 | CKV_K8S_38 | resource | ReplicationController | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | +| 1087 | CKV_K8S_38 | resource | Job | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | +| 1088 | CKV_K8S_38 | resource | CronJob | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | 
+| 1089 | CKV_K8S_39 | resource | containers | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | +| 1090 | CKV_K8S_39 | resource | initContainers | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | +| 1091 | CKV_K8S_40 | resource | Pod | Containers should run as a high UID to avoid host conflict | Kubernetes | +| 1092 | CKV_K8S_40 | resource | Deployment | Containers should run as a high UID to avoid host conflict | Kubernetes | +| 1093 | CKV_K8S_40 | resource | DaemonSet | Containers should run as a high UID to avoid host conflict | Kubernetes | +| 1094 | CKV_K8S_40 | resource | StatefulSet | Containers should run as a high UID to avoid host conflict | Kubernetes | +| 1095 | CKV_K8S_40 | resource | ReplicaSet | Containers should run as a high UID to avoid host conflict | Kubernetes | +| 1096 | CKV_K8S_40 | resource | ReplicationController | Containers should run as a high UID to avoid host conflict | Kubernetes | +| 1097 | CKV_K8S_40 | resource | Job | Containers should run as a high UID to avoid host conflict | Kubernetes | +| 1098 | CKV_K8S_40 | resource | CronJob | Containers should run as a high UID to avoid host conflict | Kubernetes | +| 1099 | CKV_K8S_41 | resource | ServiceAccount | Ensure that default service accounts are not actively used | Kubernetes | +| 1100 | CKV_K8S_42 | resource | RoleBinding | Ensure that default service accounts are not actively used | Kubernetes | +| 1101 | CKV_K8S_42 | resource | ClusterRoleBinding | Ensure that default service accounts are not actively used | Kubernetes | +| 1102 | CKV_K8S_43 | resource | containers | Image should use digest | Kubernetes | +| 1103 | CKV_K8S_43 | resource | initContainers | Image should use digest | Kubernetes | +| 1104 | CKV_K8S_44 | resource | Service | Ensure that the Tiller Service (Helm v2) is deleted | Kubernetes | +| 1105 | CKV_K8S_45 | resource | containers | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | +| 1106 | 
CKV_K8S_45 | resource | initContainers | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | +| 1107 | CKV_K8S_49 | resource | Role | Minimize wildcard use in Roles and ClusterRoles | Kubernetes | +| 1108 | CKV_K8S_49 | resource | ClusterRole | Minimize wildcard use in Roles and ClusterRoles | Kubernetes | +| 1109 | CKV_K8S_68 | resource | containers | Ensure that the --anonymous-auth argument is set to false | Kubernetes | +| 1110 | CKV_K8S_69 | resource | containers | Ensure that the --basic-auth-file argument is not set | Kubernetes | +| 1111 | CKV_K8S_70 | resource | containers | Ensure that the --token-auth-file argument is not set | Kubernetes | +| 1112 | CKV_K8S_71 | resource | containers | Ensure that the --kubelet-https argument is set to true | Kubernetes | +| 1113 | CKV_K8S_72 | resource | containers | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | +| 1114 | CKV_K8S_73 | resource | containers | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | +| 1115 | CKV_K8S_74 | resource | containers | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | +| 1116 | CKV_K8S_75 | resource | containers | Ensure that the --authorization-mode argument includes Node | Kubernetes | +| 1117 | CKV_K8S_77 | resource | containers | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | +| 1118 | CKV_K8S_78 | resource | AdmissionConfiguration | Ensure that the admission control plugin EventRateLimit is set | Kubernetes | +| 1119 | CKV_K8S_79 | resource | containers | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | +| 1120 | CKV_K8S_80 | resource | containers | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | +| 1121 | CKV_K8S_81 | resource | containers | Ensure that the admission control plugin 
SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | +| 1122 | CKV_K8S_82 | resource | containers | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | +| 1123 | CKV_K8S_83 | resource | containers | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | +| 1124 | CKV_K8S_84 | resource | containers | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | +| 1125 | CKV_K8S_85 | resource | containers | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | +| 1126 | CKV_K8S_86 | resource | containers | Ensure that the --insecure-bind-address argument is not set | Kubernetes | +| 1127 | CKV_K8S_88 | resource | containers | Ensure that the --insecure-port argument is set to 0 | Kubernetes | +| 1128 | CKV_K8S_89 | resource | containers | Ensure that the --secure-port argument is not set to 0 | Kubernetes | +| 1129 | CKV_K8S_90 | resource | containers | Ensure that the --profiling argument is set to false | Kubernetes | +| 1130 | CKV_K8S_91 | resource | containers | Ensure that the --audit-log-path argument is set | Kubernetes | +| 1131 | CKV_K8S_92 | resource | containers | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | +| 1132 | CKV_K8S_93 | resource | containers | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | +| 1133 | CKV_K8S_94 | resource | containers | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | +| 1134 | CKV_K8S_95 | resource | containers | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | +| 1135 | CKV_K8S_96 | resource | containers | Ensure that the --service-account-lookup argument is set to true | Kubernetes | +| 1136 | CKV_K8S_97 | resource | containers | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | +| 1137 | CKV_K8S_99 | 
resource | containers | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | +| 1138 | CKV_K8S_100 | resource | containers | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | +| 1139 | CKV_K8S_102 | resource | containers | Ensure that the --etcd-ca-file argument is set as appropriate | Kubernetes | +| 1140 | CKV_K8S_104 | resource | containers | Ensure that encryption providers are appropriately configured | Kubernetes | +| 1141 | CKV_K8S_105 | resource | containers | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | +| 1142 | CKV_K8S_106 | resource | containers | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | +| 1143 | CKV_K8S_107 | resource | containers | Ensure that the --profiling argument is set to false | Kubernetes | +| 1144 | CKV_K8S_108 | resource | containers | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | +| 1145 | CKV_K8S_110 | resource | containers | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | +| 1146 | CKV_K8S_111 | resource | containers | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | +| 1147 | CKV_K8S_112 | resource | containers | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | +| 1148 | CKV_K8S_113 | resource | containers | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | +| 1149 | CKV_K8S_114 | resource | containers | Ensure that the --profiling argument is set to false | Kubernetes | +| 1150 | CKV_K8S_115 | resource | containers | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | +| 1151 | CKV_K8S_116 | resource | containers | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | +| 1152 | CKV_K8S_117 | resource | 
containers | Ensure that the --client-cert-auth argument is set to true | Kubernetes | +| 1153 | CKV_K8S_118 | resource | containers | Ensure that the --auto-tls argument is not set to true | Kubernetes | +| 1154 | CKV_K8S_119 | resource | containers | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | +| 1155 | CKV_K8S_121 | resource | Pod | Ensure that the --peer-client-cert-auth argument is set to true | Kubernetes | +| 1156 | CKV_K8S_138 | resource | containers | Ensure that the --anonymous-auth argument is set to false | Kubernetes | +| 1157 | CKV_K8S_139 | resource | containers | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | +| 1158 | CKV_K8S_140 | resource | containers | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | +| 1159 | CKV_K8S_141 | resource | containers | Ensure that the --read-only-port argument is set to 0 | Kubernetes | +| 1160 | CKV_K8S_143 | resource | containers | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | +| 1161 | CKV_K8S_144 | resource | containers | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | +| 1162 | CKV_K8S_145 | resource | containers | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | +| 1163 | CKV_K8S_146 | resource | containers | Ensure that the --hostname-override argument is not set | Kubernetes | +| 1164 | CKV_K8S_147 | resource | containers | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | +| 1165 | CKV_K8S_148 | resource | containers | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | +| 1166 | CKV_K8S_149 | resource | containers | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | +| 1167 | CKV_K8S_150 | resource | containers | Ensure 
that the RotateKubeletServerCertificate argument is set to true | Kubernetes | +| 1168 | CKV_K8S_151 | resource | containers | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | +| 1169 | CKV_LIN_1 | provider | linode | Ensure no hard coded Linode tokens exist in provider | Terraform | +| 1170 | CKV_LIN_2 | resource | linode_instance | Ensure SSH key set in authorized_keys | Terraform | +| 1171 | CKV_SECRET_1 | Artifactory Credentials | secrets | Artifactory Credentials | Artifactory Credentials | +| 1172 | CKV_SECRET_2 | AWS Access Key | secrets | AWS Access Key | AWS Access Key | +| 1173 | CKV_SECRET_3 | Azure Storage Account access key | secrets | Azure Storage Account access key | Azure Storage Account access key | +| 1174 | CKV_SECRET_4 | Basic Auth Credentials | secrets | Basic Auth Credentials | Basic Auth Credentials | +| 1175 | CKV_SECRET_5 | Cloudant Credentials | secrets | Cloudant Credentials | Cloudant Credentials | +| 1176 | CKV_SECRET_6 | Base64 High Entropy String | secrets | Base64 High Entropy String | Base64 High Entropy String | +| 1177 | CKV_SECRET_7 | IBM Cloud IAM Key | secrets | IBM Cloud IAM Key | IBM Cloud IAM Key | +| 1178 | CKV_SECRET_8 | IBM COS HMAC Credentials | secrets | IBM COS HMAC Credentials | IBM COS HMAC Credentials | +| 1179 | CKV_SECRET_9 | JSON Web Token | secrets | JSON Web Token | JSON Web Token | +| 1180 | CKV_SECRET_11 | Mailchimp Access Key | secrets | Mailchimp Access Key | Mailchimp Access Key | +| 1181 | CKV_SECRET_12 | NPM tokens | secrets | NPM tokens | NPM tokens | +| 1182 | CKV_SECRET_13 | Private Key | secrets | Private Key | Private Key | +| 1183 | CKV_SECRET_14 | Slack Token | secrets | Slack Token | Slack Token | +| 1184 | CKV_SECRET_15 | SoftLayer Credentials | secrets | SoftLayer Credentials | SoftLayer Credentials | +| 1185 | CKV_SECRET_16 | Square OAuth Secret | secrets | Square OAuth Secret | Square OAuth Secret | +| 1186 | CKV_SECRET_17 | Stripe Access Key | secrets | 
Stripe Access Key | Stripe Access Key | +| 1187 | CKV_SECRET_18 | Twilio API Key | secrets | Twilio API Key | Twilio API Key | +| 1188 | CKV_SECRET_19 | Hex High Entropy String | secrets | Hex High Entropy String | Hex High Entropy String | --- diff --git a/docs/5.Policy Index/cloudformation.md b/docs/5.Policy Index/cloudformation.md index 30187fa544..f3e710f8cc 100644 --- a/docs/5.Policy Index/cloudformation.md +++ b/docs/5.Policy Index/cloudformation.md @@ -130,6 +130,7 @@ nav_order: 1 | 119 | CKV_AWS_165 | resource | AWS::DynamoDB::GlobalTable | Ensure Dynamodb global table point in time recovery (backup) is enabled | Cloudformation | | 120 | CKV_AWS_166 | resource | AWS::Backup::BackupVault | Ensure Backup Vault is encrypted at rest using KMS CMK | Cloudformation | | 121 | CKV_AWS_170 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Cloudformation | +| 122 | CKV_AWS_172 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger has deletion protection enabled | Cloudformation | --- diff --git a/docs/5.Policy Index/secrets.md b/docs/5.Policy Index/secrets.md new file mode 100644 index 0000000000..cc3c5d8bd5 --- /dev/null +++ b/docs/5.Policy Index/secrets.md 
@@ -0,0 +1,33 @@ +--- +layout: default +title: secrets resource scans +nav_order: 1 +--- + +# secrets resource scans (auto generated) + +| | | Id | Type | Entity | Policy | IaC | +|----|---------------|----------------------------------|---------|----------------------------------|----------------------------------|---------| +| 0 | CKV_SECRET_1 | Artifactory Credentials | secrets | Artifactory Credentials | Artifactory Credentials | secrets | +| 1 | CKV_SECRET_2 | AWS Access Key | secrets | AWS Access Key | AWS Access Key | secrets | +| 2 | CKV_SECRET_3 | Azure Storage Account access key | secrets | Azure Storage Account access key | Azure Storage Account access key | secrets | +| 3 | CKV_SECRET_4 | Basic Auth Credentials | secrets | Basic Auth Credentials | Basic Auth Credentials | secrets | +| 4 | CKV_SECRET_5 | Cloudant Credentials | secrets | Cloudant Credentials | Cloudant Credentials | secrets | +| 5 | CKV_SECRET_6 | Base64 High Entropy String | secrets | Base64 High Entropy String | Base64 High Entropy String | secrets | +| 6 | CKV_SECRET_7 | IBM Cloud IAM Key | secrets | IBM Cloud IAM Key | IBM Cloud IAM Key | secrets | +| 7 | CKV_SECRET_8 | IBM COS HMAC Credentials | secrets | IBM COS HMAC Credentials | IBM COS HMAC Credentials | secrets | +| 8 | CKV_SECRET_9 | JSON Web Token | secrets | JSON Web Token | JSON Web Token | secrets | +| 9 | CKV_SECRET_11 | Mailchimp Access Key | secrets | Mailchimp Access Key | Mailchimp Access Key | secrets | +| 10 | CKV_SECRET_12 | NPM tokens | secrets | NPM tokens | NPM tokens | secrets | +| 11 | CKV_SECRET_13 | Private Key | secrets | Private Key | Private Key | secrets | +| 12 | CKV_SECRET_14 | Slack Token | secrets | Slack Token | Slack Token | secrets | +| 13 | CKV_SECRET_15 | SoftLayer Credentials | secrets | SoftLayer Credentials | SoftLayer Credentials | secrets | +| 14 | CKV_SECRET_16 | Square OAuth Secret | secrets | Square OAuth Secret | Square OAuth Secret | secrets | +| 15 | CKV_SECRET_17 | Stripe Access Key | 
secrets | Stripe Access Key | Stripe Access Key | secrets | +| 16 | CKV_SECRET_18 | Twilio API Key | secrets | Twilio API Key | Twilio API Key | secrets | +| 17 | CKV_SECRET_19 | Hex High Entropy String | secrets | Hex High Entropy String | Hex High Entropy String | secrets | + + +--- + + diff --git a/docs/5.Policy Index/serverless.md b/docs/5.Policy Index/serverless.md index 903b7147ef..020ab484d2 100644 --- a/docs/5.Policy Index/serverless.md +++ b/docs/5.Policy Index/serverless.md @@ -140,6 +140,7 @@ nav_order: 1 | 119 | CKV_AWS_165 | resource | AWS::DynamoDB::GlobalTable | Ensure Dynamodb global table point in time recovery (backup) is enabled | Cloudformation | | 120 | CKV_AWS_166 | resource | AWS::Backup::BackupVault | Ensure Backup Vault is encrypted at rest using KMS CMK | Cloudformation | | 121 | CKV_AWS_170 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Cloudformation | +| 122 | CKV_AWS_172 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger has deletion protection enabled | Cloudformation | --- diff --git a/docs/5.Policy Index/terraform.md b/docs/5.Policy Index/terraform.md index f1a6e3ec3b..151e8748dd 100644 --- a/docs/5.Policy Index/terraform.md +++ b/docs/5.Policy Index/terraform.md 
@@ -200,592 +200,593 @@ nav_order: 1 | 189 | CKV_AWS_169 | resource | aws_sns_topic_policy | Ensure SNS topic policy is not public by only allowing specific services or principals to access it | Terraform | | 190 | CKV_AWS_170 | resource | aws_qldb_ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Terraform | | 191 | CKV_AWS_171 | resource | aws_emr_security_configuration | Ensure Cluster security configuration encryption is using SSE-KMS | Terraform | -| 192 | CKV2_AWS_1 | resource | aws_subnet | Ensure that all NACL are attached to subnets | Terraform | +| 192 | CKV_AWS_172 | resource | aws_qldb_ledger | Ensure QLDB ledger has deletion protection enabled | Terraform | | 193 | CKV2_AWS_1 | resource | aws_network_acl | Ensure that all NACL are attached to subnets | Terraform | -| 194 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | +| 194 | CKV2_AWS_1 | resource | aws_subnet | Ensure that all NACL are attached to subnets | Terraform | | 195 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | -| 196 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | +| 196 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | | 197 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform | -| 198 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | +| 198 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | | 199 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | 
Terraform | -| 200 | CKV2_AWS_5 | resource | aws_security_group | Ensure that Security Groups are attached to an other resource | Terraform | -| 201 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | -| 202 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | -| 203 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | -| 204 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | -| 205 | CKV2_AWS_8 | resource | aws_rds_cluster | Ensure that RDS clusters has backup plan of AWS Backup | Terraform | -| 206 | CKV2_AWS_9 | resource | aws_backup_selection | Ensure that EBS are added in the backup plans of AWS Backup | Terraform | -| 207 | CKV2_AWS_10 | resource | aws_cloudtrail | Ensure CloudTrail trails are integrated with CloudWatch Logs | Terraform | -| 208 | CKV2_AWS_11 | resource | aws_vpc | Ensure VPC flow logging is enabled in all VPCs | Terraform | -| 209 | CKV2_AWS_12 | resource | aws_default_security_group | Ensure the default security group of every VPC restricts all traffic | Terraform | +| 200 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | +| 201 | CKV2_AWS_5 | resource | aws_security_group | Ensure that Security Groups are attached to an other resource | Terraform | +| 202 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | +| 203 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | +| 204 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | +| 205 | CKV2_AWS_7 | resource | 
aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | +| 206 | CKV2_AWS_8 | resource | aws_rds_cluster | Ensure that RDS clusters has backup plan of AWS Backup | Terraform | +| 207 | CKV2_AWS_9 | resource | aws_backup_selection | Ensure that EBS are added in the backup plans of AWS Backup | Terraform | +| 208 | CKV2_AWS_10 | resource | aws_cloudtrail | Ensure CloudTrail trails are integrated with CloudWatch Logs | Terraform | +| 209 | CKV2_AWS_11 | resource | aws_vpc | Ensure VPC flow logging is enabled in all VPCs | Terraform | | 210 | CKV2_AWS_12 | resource | aws_vpc | Ensure the default security group of every VPC restricts all traffic | Terraform | -| 211 | CKV2_AWS_13 | resource | aws_redshift_cluster | Ensure that Redshift clusters has backup plan of AWS Backup | Terraform | -| 212 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | +| 211 | CKV2_AWS_12 | resource | aws_default_security_group | Ensure the default security group of every VPC restricts all traffic | Terraform | +| 212 | CKV2_AWS_13 | resource | aws_redshift_cluster | Ensure that Redshift clusters has backup plan of AWS Backup | Terraform | | 213 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | -| 214 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | -| 215 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. 
| Terraform | -| 216 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | +| 214 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | +| 215 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | +| 216 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | | 217 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | -| 218 | CKV2_AWS_18 | resource | aws_backup_selection | Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup | Terraform | -| 219 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | -| 220 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | -| 221 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | -| 222 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | -| 223 | CKV2_AWS_21 | resource | aws_iam_group_membership | Ensure that all IAM users are members of at least one IAM group. 
| Terraform | -| 224 | CKV2_AWS_22 | resource | aws_iam_user | Ensure an IAM User does not have access to the console | Terraform | -| 225 | CKV2_AWS_23 | resource | aws_route53_record | Route53 A Record has Attached Resource | Terraform | -| 226 | CKV2_AWS_27 | resource | aws_db_instance | Postgres RDS has Query Logging enabled | Terraform | -| 227 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Postgres RDS has Query Logging enabled | Terraform | -| 228 | CKV2_AWS_28 | resource | aws_lb | Ensure public facing ALB are protected by WAF | Terraform | -| 229 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform | +| 218 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | +| 219 | CKV2_AWS_18 | resource | aws_backup_selection | Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup | Terraform | +| 220 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | +| 221 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | +| 222 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | +| 223 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | +| 224 | CKV2_AWS_21 | resource | aws_iam_group_membership | Ensure that all IAM users are members of at least one IAM group. 
| Terraform | +| 225 | CKV2_AWS_22 | resource | aws_iam_user | Ensure an IAM User does not have access to the console | Terraform | +| 226 | CKV2_AWS_23 | resource | aws_route53_record | Route53 A Record has Attached Resource | Terraform | +| 227 | CKV2_AWS_27 | resource | aws_db_instance | Postgres RDS has Query Logging enabled | Terraform | +| 228 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Postgres RDS has Query Logging enabled | Terraform | +| 229 | CKV2_AWS_28 | resource | aws_lb | Ensure public facing ALB are protected by WAF | Terraform | | 230 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform | -| 231 | CKV_AZURE_1 | resource | azurerm_linux_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | -| 232 | CKV_AZURE_1 | resource | azurerm_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | -| 233 | CKV_AZURE_2 | resource | azurerm_managed_disk | Ensure Azure managed disk has encryption enabled | Terraform | -| 234 | CKV_AZURE_3 | resource | azurerm_storage_account | Ensure that 'Secure transfer required' is set to 'Enabled' | Terraform | -| 235 | CKV_AZURE_4 | resource | azurerm_kubernetes_cluster | Ensure AKS logging to Azure Monitoring is Configured | Terraform | -| 236 | CKV_AZURE_5 | resource | azurerm_kubernetes_cluster | Ensure RBAC is enabled on AKS clusters | Terraform | -| 237 | CKV_AZURE_6 | resource | azurerm_kubernetes_cluster | Ensure AKS has an API Server Authorized IP Ranges enabled | Terraform | -| 238 | CKV_AZURE_7 | resource | azurerm_kubernetes_cluster | Ensure AKS cluster has Network Policy configured | Terraform | -| 239 | CKV_AZURE_8 | resource | azurerm_kubernetes_cluster | Ensure Kube Dashboard is disabled | Terraform | -| 240 | CKV_AZURE_9 | resource | azurerm_network_security_rule | Ensure that RDP access is restricted from the internet | Terraform 
| -| 241 | CKV_AZURE_9 | resource | azurerm_network_security_group | Ensure that RDP access is restricted from the internet | Terraform | -| 242 | CKV_AZURE_10 | resource | azurerm_network_security_rule | Ensure that SSH access is restricted from the internet | Terraform | -| 243 | CKV_AZURE_10 | resource | azurerm_network_security_group | Ensure that SSH access is restricted from the internet | Terraform | -| 244 | CKV_AZURE_11 | resource | azurerm_mariadb_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | -| 245 | CKV_AZURE_11 | resource | azurerm_sql_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | -| 246 | CKV_AZURE_11 | resource | azurerm_postgresql_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | -| 247 | CKV_AZURE_11 | resource | azurerm_mysql_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | -| 248 | CKV_AZURE_12 | resource | azurerm_network_watcher_flow_log | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Terraform | -| 249 | CKV_AZURE_13 | resource | azurerm_app_service | Ensure App Service Authentication is set on Azure App Service | Terraform | -| 250 | CKV_AZURE_14 | resource | azurerm_app_service | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | Terraform | -| 251 | CKV_AZURE_15 | resource | azurerm_app_service | Ensure web app is using the latest version of TLS encryption | Terraform | -| 252 | CKV_AZURE_16 | resource | azurerm_app_service | Ensure that Register with Azure Active Directory is enabled on App Service | Terraform | -| 253 | CKV_AZURE_17 | resource | azurerm_app_service | Ensure the web app has 'Client Certificates (Incoming client certificates)' set | Terraform | -| 254 | CKV_AZURE_18 | resource | azurerm_app_service | Ensure that 'HTTP Version' is the latest if used to run the web app | Terraform | -| 
255 | CKV_AZURE_19 | resource | azurerm_security_center_subscription_pricing | Ensure that standard pricing tier is selected | Terraform | -| 256 | CKV_AZURE_20 | resource | azurerm_security_center_contact | Ensure that security contact 'Phone number' is set | Terraform | -| 257 | CKV_AZURE_21 | resource | azurerm_security_center_contact | Ensure that 'Send email notification for high severity alerts' is set to 'On' | Terraform | -| 258 | CKV_AZURE_22 | resource | azurerm_security_center_contact | Ensure that 'Send email notification for high severity alerts' is set to 'On' | Terraform | -| 259 | CKV_AZURE_23 | resource | azurerm_sql_server | Ensure that 'Auditing' is set to 'On' for SQL servers | Terraform | -| 260 | CKV_AZURE_23 | resource | azurerm_mssql_server | Ensure that 'Auditing' is set to 'On' for SQL servers | Terraform | -| 261 | CKV_AZURE_24 | resource | azurerm_sql_server | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Terraform | -| 262 | CKV_AZURE_24 | resource | azurerm_mssql_server | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Terraform | -| 263 | CKV_AZURE_25 | resource | azurerm_mssql_server_security_alert_policy | Ensure that 'Threat Detection types' is set to 'All' | Terraform | -| 264 | CKV_AZURE_26 | resource | azurerm_mssql_server_security_alert_policy | Ensure that 'Send Alerts To' is enabled for MSSQL servers | Terraform | -| 265 | CKV_AZURE_27 | resource | azurerm_mssql_server_security_alert_policy | Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers | Terraform | -| 266 | CKV_AZURE_28 | resource | azurerm_mysql_server | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server | Terraform | -| 267 | CKV_AZURE_29 | resource | azurerm_postgresql_server | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | Terraform | -| 268 | CKV_AZURE_30 | resource | azurerm_postgresql_configuration | Ensure 
server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | Terraform | -| 269 | CKV_AZURE_31 | resource | azurerm_postgresql_configuration | Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server | Terraform | -| 270 | CKV_AZURE_32 | resource | azurerm_postgresql_configuration | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | Terraform | -| 271 | CKV_AZURE_33 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Queue service for read, write and delete requests | Terraform | -| 272 | CKV_AZURE_34 | resource | azurerm_storage_container | Ensure that 'Public access level' is set to Private for blob containers | Terraform | -| 273 | CKV_AZURE_35 | resource | azurerm_storage_account | Ensure default network access rule for Storage Accounts is set to deny | Terraform | -| 274 | CKV_AZURE_35 | resource | azurerm_storage_account_network_rules | Ensure default network access rule for Storage Accounts is set to deny | Terraform | -| 275 | CKV_AZURE_36 | resource | azurerm_storage_account | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | Terraform | -| 276 | CKV_AZURE_36 | resource | azurerm_storage_account_network_rules | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | Terraform | -| 277 | CKV_AZURE_37 | resource | azurerm_monitor_log_profile | Ensure that Activity Log Retention is set 365 days or greater | Terraform | -| 278 | CKV_AZURE_38 | resource | azurerm_monitor_log_profile | Ensure audit profile captures all the activities | Terraform | -| 279 | CKV_AZURE_39 | resource | azurerm_role_definition | Ensure that no custom subscription owner roles are created | Terraform | -| 280 | CKV_AZURE_40 | resource | azurerm_key_vault_key | Ensure that the expiration date is set on all keys | Terraform | -| 281 | CKV_AZURE_41 | resource | azurerm_key_vault_secret | Ensure that the expiration date is 
set on all secrets | Terraform | -| 282 | CKV_AZURE_42 | resource | azurerm_key_vault | Ensure the key vault is recoverable | Terraform | -| 283 | CKV_AZURE_43 | resource | azurerm_storage_account | Ensure the Storage Account naming rules | Terraform | -| 284 | CKV_AZURE_44 | resource | azurerm_storage_account | Ensure Storage Account is using the latest version of TLS encryption | Terraform | -| 285 | CKV_AZURE_45 | resource | azurerm_virtual_machine | Ensure that no sensitive credentials are exposed in VM custom_data | Terraform | -| 286 | CKV_AZURE_46 | resource | azurerm_mssql_database_extended_auditing_policy | Specifies a retention period of less than 90 days. | Terraform | -| 287 | CKV_AZURE_47 | resource | azurerm_mariadb_server | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MariaDB servers | Terraform | -| 288 | CKV_AZURE_48 | resource | azurerm_mariadb_server | Ensure 'public network access enabled' is set to 'False' for MariaDB servers | Terraform | -| 289 | CKV_AZURE_49 | resource | azurerm_linux_virtual_machine_scale_set | Ensure Azure linux scale set does not use basic authentication(Use SSH Key Instead) | Terraform | -| 290 | CKV_AZURE_50 | resource | azurerm_linux_virtual_machine | Ensure Virtual Machine Extensions are not Installed | Terraform | -| 291 | CKV_AZURE_50 | resource | azurerm_virtual_machine | Ensure Virtual Machine Extensions are not Installed | Terraform | -| 292 | CKV_AZURE_52 | resource | azurerm_mssql_server | Ensure MSSQL is using the latest version of TLS encryption | Terraform | -| 293 | CKV_AZURE_53 | resource | azurerm_mysql_server | Ensure 'public network access enabled' is set to 'False' for mySQL servers | Terraform | -| 294 | CKV_AZURE_54 | resource | azurerm_mysql_server | Ensure MySQL is using the latest version of TLS encryption | Terraform | -| 295 | CKV_AZURE_55 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Servers | Terraform | -| 296 | CKV_AZURE_56 
| resource | azurerm_function_app | Ensure that function apps enables Authentication | Terraform | -| 297 | CKV_AZURE_57 | resource | azurerm_app_service | Ensure that CORS disallows every resource to access app services | Terraform | -| 298 | CKV_AZURE_58 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces enables managed virtual networks | Terraform | -| 299 | CKV_AZURE_59 | resource | azurerm_storage_account | Ensure that Storage accounts disallow public access | Terraform | -| 300 | CKV_AZURE_60 | resource | azurerm_storage_account | Ensure that storage account enables secure transfer | Terraform | -| 301 | CKV_AZURE_61 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for App Service | Terraform | -| 302 | CKV_AZURE_62 | resource | azurerm_function_app | Ensure function apps are not accessible from all regions | Terraform | -| 303 | CKV_AZURE_63 | resource | azurerm_app_service | Ensure that App service enables HTTP logging | Terraform | -| 304 | CKV_AZURE_64 | resource | azurerm_storage_sync | Ensure that Azure File Sync disables public network access | Terraform | -| 305 | CKV_AZURE_65 | resource | azurerm_app_service | Ensure that App service enables detailed error messages | Terraform | -| 306 | CKV_AZURE_66 | resource | azurerm_app_service | Ensure that App service enables failed request tracing | Terraform | -| 307 | CKV_AZURE_67 | resource | azurerm_function_app | Ensure that 'HTTP Version' is the latest, if used to run the Function app | Terraform | -| 308 | CKV_AZURE_68 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server disables public network access | Terraform | -| 309 | CKV_AZURE_69 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Azure SQL database servers | Terraform | -| 310 | CKV_AZURE_70 | resource | azurerm_function_app | Ensure that Function apps is only accessible over HTTPS | Terraform | -| 
311 | CKV_AZURE_71 | resource | azurerm_app_service | Ensure that Managed identity provider is enabled for app services | Terraform | -| 312 | CKV_AZURE_72 | resource | azurerm_app_service | Ensure that remote debugging is not enabled for app services | Terraform | -| 313 | CKV_AZURE_73 | resource | azurerm_automation_variable_bool | Ensure that Automation account variables are encrypted | Terraform | -| 314 | CKV_AZURE_73 | resource | azurerm_automation_variable_string | Ensure that Automation account variables are encrypted | Terraform | -| 315 | CKV_AZURE_73 | resource | azurerm_automation_variable_int | Ensure that Automation account variables are encrypted | Terraform | -| 316 | CKV_AZURE_73 | resource | azurerm_automation_variable_datetime | Ensure that Automation account variables are encrypted | Terraform | -| 317 | CKV_AZURE_74 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer uses disk encryption | Terraform | -| 318 | CKV_AZURE_75 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer uses double encryption | Terraform | -| 319 | CKV_AZURE_76 | resource | azurerm_batch_account | Ensure that Azure Batch account uses key vault to encrypt data | Terraform | -| 320 | CKV_AZURE_77 | resource | azurerm_network_security_rule | Ensure that UDP Services are restricted from the Internet | Terraform | -| 321 | CKV_AZURE_77 | resource | azurerm_network_security_group | Ensure that UDP Services are restricted from the Internet | Terraform | -| 322 | CKV_AZURE_78 | resource | azurerm_app_service | Ensure FTP deployments are disabled | Terraform | -| 323 | CKV_AZURE_79 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for SQL servers on machines | Terraform | -| 324 | CKV_AZURE_80 | resource | azurerm_app_service | Ensure that 'Net Framework' version is the latest, if used as a part of the web app | Terraform | -| 325 | CKV_AZURE_81 | resource | azurerm_app_service | Ensure that 'PHP 
version' is the latest, if used to run the web app | Terraform | -| 326 | CKV_AZURE_82 | resource | azurerm_app_service | Ensure that 'Python version' is the latest, if used to run the web app | Terraform | -| 327 | CKV_AZURE_83 | resource | azurerm_app_service | Ensure that 'Java version' is the latest, if used to run the web app | Terraform | -| 328 | CKV_AZURE_84 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Storage | Terraform | -| 329 | CKV_AZURE_85 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Kubernetes | Terraform | -| 330 | CKV_AZURE_86 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Container Registries | Terraform | -| 331 | CKV_AZURE_87 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Key Vault | Terraform | -| 332 | CKV_AZURE_88 | resource | azurerm_app_service | Ensure that app services use Azure Files | Terraform | -| 333 | CKV_AZURE_89 | resource | azurerm_redis_cache | Ensure that Azure Cache for Redis disables public network access | Terraform | -| 334 | CKV_AZURE_90 | resource | azurerm_mysql_server | Ensure that MySQL server disables public network access | Terraform | -| 335 | CKV_AZURE_91 | resource | azurerm_redis_cache | Ensure that only SSL are enabled for Cache for Redis | Terraform | -| 336 | CKV_AZURE_92 | resource | azurerm_linux_virtual_machine | Ensure that Virtual Machines use managed disks | Terraform | -| 337 | CKV_AZURE_92 | resource | azurerm_windows_virtual_machine | Ensure that Virtual Machines use managed disks | Terraform | -| 338 | CKV_AZURE_93 | resource | azurerm_managed_disk | Ensure that managed disks use a specific set of disk encryption sets for the customer-managed key encryption | Terraform | -| 339 | CKV_AZURE_94 | resource | azurerm_mysql_server | Ensure that My SQL server enables 
geo-redundant backups | Terraform | -| 340 | CKV_AZURE_95 | resource | azurerm_virtual_machine_scale_set | Ensure that automatic OS image patching is enabled for Virtual Machine Scale Sets | Terraform | -| 341 | CKV_AZURE_96 | resource | azurerm_mysql_server | Ensure that MySQL server enables infrastructure encryption | Terraform | -| 342 | CKV_AZURE_97 | resource | azurerm_linux_virtual_machine_scale_set | Ensure that Virtual machine scale sets have encryption at host enabled | Terraform | -| 343 | CKV_AZURE_97 | resource | azurerm_windows_virtual_machine_scale_set | Ensure that Virtual machine scale sets have encryption at host enabled | Terraform | -| 344 | CKV_AZURE_98 | resource | azurerm_container_group | Ensure that Azure Container group is deployed into virtual network | Terraform | -| 345 | CKV_AZURE_99 | resource | azurerm_cosmosdb_account | Ensure Cosmos DB accounts have restricted access | Terraform | -| 346 | CKV_AZURE_100 | resource | azurerm_cosmosdb_account | Ensure that Cosmos DB accounts have customer-managed keys to encrypt data at rest | Terraform | -| 347 | CKV_AZURE_101 | resource | azurerm_cosmosdb_account | Ensure that Azure Cosmos DB disables public network access | Terraform | -| 348 | CKV_AZURE_102 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables geo-redundant backups | Terraform | -| 349 | CKV_AZURE_103 | resource | azurerm_data_factory | Ensure that Azure Data Factory uses Git repository for source control | Terraform | -| 350 | CKV_AZURE_104 | resource | azurerm_data_factory | Ensure that Azure Data factory public network access is disabled | Terraform | -| 351 | CKV_AZURE_105 | resource | azurerm_data_lake_store | Ensure that Data Lake Store accounts enables encryption | Terraform | -| 352 | CKV_AZURE_106 | resource | azurerm_eventgrid_domain | Ensure that Azure Event Grid Domain public network access is disabled | Terraform | -| 353 | CKV_AZURE_107 | resource | azurerm_api_management | Ensure that API 
management services use virtual networks | Terraform | -| 354 | CKV_AZURE_108 | resource | azurerm_iothub | Ensure that Azure IoT Hub disables public network access | Terraform | -| 355 | CKV_AZURE_109 | resource | azurerm_key_vault | Ensure that key vault allows firewall rules settings | Terraform | -| 356 | CKV_AZURE_110 | resource | azurerm_key_vault | Ensure that key vault enables purge protection | Terraform | -| 357 | CKV_AZURE_111 | resource | azurerm_key_vault | Ensure that key vault enables soft delete | Terraform | -| 358 | CKV_AZURE_112 | resource | azurerm_key_vault_key | Ensure that key vault key is backed by HSM | Terraform | -| 359 | CKV_AZURE_113 | resource | azurerm_mssql_server | Ensure that SQL server disables public network access | Terraform | -| 360 | CKV_AZURE_114 | resource | azurerm_key_vault_secret | Ensure that key vault secrets have "content_type" set | Terraform | -| 361 | CKV_AZURE_115 | resource | azurerm_kubernetes_cluster | Ensure that AKS enables private clusters | Terraform | -| 362 | CKV_AZURE_116 | resource | azurerm_kubernetes_cluster | Ensure that AKS uses Azure Policies Add-on | Terraform | -| 363 | CKV_AZURE_117 | resource | azurerm_kubernetes_cluster | Ensure that AKS uses disk encryption set | Terraform | -| 364 | CKV_AZURE_118 | resource | azurerm_network_interface | Ensure that Network Interfaces disable IP forwarding | Terraform | -| 365 | CKV_AZURE_119 | resource | azurerm_network_interface | Ensure that Network Interfaces don't use public IPs | Terraform | -| 366 | CKV_AZURE_120 | resource | azurerm_application_gateway | Ensure that Application Gateway enables WAF | Terraform | -| 367 | CKV_AZURE_121 | resource | azurerm_frontdoor | Ensure that Azure Front Door enables WAF | Terraform | -| 368 | CKV_AZURE_122 | resource | azurerm_web_application_firewall_policy | Ensure that Application Gateway uses WAF in "Detection" or "Prevention" modes | Terraform | -| 369 | CKV_AZURE_123 | resource | 
azurerm_frontdoor_firewall_policy | Ensure that Azure Front Door uses WAF in "Detection" or "Prevention" modes | Terraform | -| 370 | CKV_AZURE_124 | resource | azurerm_search_service | Ensure that Azure Cognitive Search disables public network access | Terraform | -| 371 | CKV_AZURE_125 | resource | azurerm_service_fabric_cluster | Ensures that Active Directory is used for authentication for Service Fabric | Terraform | -| 372 | CKV_AZURE_126 | resource | azurerm_service_fabric_cluster | Ensures that Active Directory is used for authentication for Service Fabric | Terraform | -| 373 | CKV_AZURE_127 | resource | azurerm_mysql_server | Ensure that My SQL server enables Threat detection policy | Terraform | -| 374 | CKV_AZURE_128 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables Threat detection policy | Terraform | -| 375 | CKV_AZURE_129 | resource | azurerm_mariadb_server | Ensure that MariaDB server enables geo-redundant backups | Terraform | -| 376 | CKV_AZURE_130 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables infrastructure encryption | Terraform | -| 377 | CKV_AZURE_131 | resource | azurerm_security_center_contact | Ensure that 'Security contact emails' is set | Terraform | -| 378 | CKV2_AZURE_1 | resource | azurerm_storage_account | Ensure storage for critical data are encrypted with Customer Managed Key | Terraform | -| 379 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | +| 231 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform | +| 232 | CKV_AZURE_1 | resource | azurerm_linux_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | +| 233 | CKV_AZURE_1 | resource | azurerm_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | 
Terraform | +| 234 | CKV_AZURE_2 | resource | azurerm_managed_disk | Ensure Azure managed disk has encryption enabled | Terraform | +| 235 | CKV_AZURE_3 | resource | azurerm_storage_account | Ensure that 'Secure transfer required' is set to 'Enabled' | Terraform | +| 236 | CKV_AZURE_4 | resource | azurerm_kubernetes_cluster | Ensure AKS logging to Azure Monitoring is Configured | Terraform | +| 237 | CKV_AZURE_5 | resource | azurerm_kubernetes_cluster | Ensure RBAC is enabled on AKS clusters | Terraform | +| 238 | CKV_AZURE_6 | resource | azurerm_kubernetes_cluster | Ensure AKS has an API Server Authorized IP Ranges enabled | Terraform | +| 239 | CKV_AZURE_7 | resource | azurerm_kubernetes_cluster | Ensure AKS cluster has Network Policy configured | Terraform | +| 240 | CKV_AZURE_8 | resource | azurerm_kubernetes_cluster | Ensure Kube Dashboard is disabled | Terraform | +| 241 | CKV_AZURE_9 | resource | azurerm_network_security_rule | Ensure that RDP access is restricted from the internet | Terraform | +| 242 | CKV_AZURE_9 | resource | azurerm_network_security_group | Ensure that RDP access is restricted from the internet | Terraform | +| 243 | CKV_AZURE_10 | resource | azurerm_network_security_rule | Ensure that SSH access is restricted from the internet | Terraform | +| 244 | CKV_AZURE_10 | resource | azurerm_network_security_group | Ensure that SSH access is restricted from the internet | Terraform | +| 245 | CKV_AZURE_11 | resource | azurerm_mariadb_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | +| 246 | CKV_AZURE_11 | resource | azurerm_sql_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | +| 247 | CKV_AZURE_11 | resource | azurerm_postgresql_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | +| 248 | CKV_AZURE_11 | resource | azurerm_mysql_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | +| 
249 | CKV_AZURE_12 | resource | azurerm_network_watcher_flow_log | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Terraform | +| 250 | CKV_AZURE_13 | resource | azurerm_app_service | Ensure App Service Authentication is set on Azure App Service | Terraform | +| 251 | CKV_AZURE_14 | resource | azurerm_app_service | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | Terraform | +| 252 | CKV_AZURE_15 | resource | azurerm_app_service | Ensure web app is using the latest version of TLS encryption | Terraform | +| 253 | CKV_AZURE_16 | resource | azurerm_app_service | Ensure that Register with Azure Active Directory is enabled on App Service | Terraform | +| 254 | CKV_AZURE_17 | resource | azurerm_app_service | Ensure the web app has 'Client Certificates (Incoming client certificates)' set | Terraform | +| 255 | CKV_AZURE_18 | resource | azurerm_app_service | Ensure that 'HTTP Version' is the latest if used to run the web app | Terraform | +| 256 | CKV_AZURE_19 | resource | azurerm_security_center_subscription_pricing | Ensure that standard pricing tier is selected | Terraform | +| 257 | CKV_AZURE_20 | resource | azurerm_security_center_contact | Ensure that security contact 'Phone number' is set | Terraform | +| 258 | CKV_AZURE_21 | resource | azurerm_security_center_contact | Ensure that 'Send email notification for high severity alerts' is set to 'On' | Terraform | +| 259 | CKV_AZURE_22 | resource | azurerm_security_center_contact | Ensure that 'Send email notification for high severity alerts' is set to 'On' | Terraform | +| 260 | CKV_AZURE_23 | resource | azurerm_sql_server | Ensure that 'Auditing' is set to 'On' for SQL servers | Terraform | +| 261 | CKV_AZURE_23 | resource | azurerm_mssql_server | Ensure that 'Auditing' is set to 'On' for SQL servers | Terraform | +| 262 | CKV_AZURE_24 | resource | azurerm_sql_server | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | 
Terraform | +| 263 | CKV_AZURE_24 | resource | azurerm_mssql_server | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Terraform | +| 264 | CKV_AZURE_25 | resource | azurerm_mssql_server_security_alert_policy | Ensure that 'Threat Detection types' is set to 'All' | Terraform | +| 265 | CKV_AZURE_26 | resource | azurerm_mssql_server_security_alert_policy | Ensure that 'Send Alerts To' is enabled for MSSQL servers | Terraform | +| 266 | CKV_AZURE_27 | resource | azurerm_mssql_server_security_alert_policy | Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers | Terraform | +| 267 | CKV_AZURE_28 | resource | azurerm_mysql_server | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server | Terraform | +| 268 | CKV_AZURE_29 | resource | azurerm_postgresql_server | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | Terraform | +| 269 | CKV_AZURE_30 | resource | azurerm_postgresql_configuration | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | Terraform | +| 270 | CKV_AZURE_31 | resource | azurerm_postgresql_configuration | Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server | Terraform | +| 271 | CKV_AZURE_32 | resource | azurerm_postgresql_configuration | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | Terraform | +| 272 | CKV_AZURE_33 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Queue service for read, write and delete requests | Terraform | +| 273 | CKV_AZURE_34 | resource | azurerm_storage_container | Ensure that 'Public access level' is set to Private for blob containers | Terraform | +| 274 | CKV_AZURE_35 | resource | azurerm_storage_account | Ensure default network access rule for Storage Accounts is set to deny | Terraform | +| 275 | CKV_AZURE_35 | resource | azurerm_storage_account_network_rules | 
Ensure default network access rule for Storage Accounts is set to deny | Terraform | +| 276 | CKV_AZURE_36 | resource | azurerm_storage_account | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | Terraform | +| 277 | CKV_AZURE_36 | resource | azurerm_storage_account_network_rules | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | Terraform | +| 278 | CKV_AZURE_37 | resource | azurerm_monitor_log_profile | Ensure that Activity Log Retention is set 365 days or greater | Terraform | +| 279 | CKV_AZURE_38 | resource | azurerm_monitor_log_profile | Ensure audit profile captures all the activities | Terraform | +| 280 | CKV_AZURE_39 | resource | azurerm_role_definition | Ensure that no custom subscription owner roles are created | Terraform | +| 281 | CKV_AZURE_40 | resource | azurerm_key_vault_key | Ensure that the expiration date is set on all keys | Terraform | +| 282 | CKV_AZURE_41 | resource | azurerm_key_vault_secret | Ensure that the expiration date is set on all secrets | Terraform | +| 283 | CKV_AZURE_42 | resource | azurerm_key_vault | Ensure the key vault is recoverable | Terraform | +| 284 | CKV_AZURE_43 | resource | azurerm_storage_account | Ensure the Storage Account naming rules | Terraform | +| 285 | CKV_AZURE_44 | resource | azurerm_storage_account | Ensure Storage Account is using the latest version of TLS encryption | Terraform | +| 286 | CKV_AZURE_45 | resource | azurerm_virtual_machine | Ensure that no sensitive credentials are exposed in VM custom_data | Terraform | +| 287 | CKV_AZURE_46 | resource | azurerm_mssql_database_extended_auditing_policy | Specifies a retention period of less than 90 days. 
| Terraform | +| 288 | CKV_AZURE_47 | resource | azurerm_mariadb_server | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MariaDB servers | Terraform | +| 289 | CKV_AZURE_48 | resource | azurerm_mariadb_server | Ensure 'public network access enabled' is set to 'False' for MariaDB servers | Terraform | +| 290 | CKV_AZURE_49 | resource | azurerm_linux_virtual_machine_scale_set | Ensure Azure linux scale set does not use basic authentication(Use SSH Key Instead) | Terraform | +| 291 | CKV_AZURE_50 | resource | azurerm_linux_virtual_machine | Ensure Virtual Machine Extensions are not Installed | Terraform | +| 292 | CKV_AZURE_50 | resource | azurerm_virtual_machine | Ensure Virtual Machine Extensions are not Installed | Terraform | +| 293 | CKV_AZURE_52 | resource | azurerm_mssql_server | Ensure MSSQL is using the latest version of TLS encryption | Terraform | +| 294 | CKV_AZURE_53 | resource | azurerm_mysql_server | Ensure 'public network access enabled' is set to 'False' for mySQL servers | Terraform | +| 295 | CKV_AZURE_54 | resource | azurerm_mysql_server | Ensure MySQL is using the latest version of TLS encryption | Terraform | +| 296 | CKV_AZURE_55 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Servers | Terraform | +| 297 | CKV_AZURE_56 | resource | azurerm_function_app | Ensure that function apps enables Authentication | Terraform | +| 298 | CKV_AZURE_57 | resource | azurerm_app_service | Ensure that CORS disallows every resource to access app services | Terraform | +| 299 | CKV_AZURE_58 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces enables managed virtual networks | Terraform | +| 300 | CKV_AZURE_59 | resource | azurerm_storage_account | Ensure that Storage accounts disallow public access | Terraform | +| 301 | CKV_AZURE_60 | resource | azurerm_storage_account | Ensure that storage account enables secure transfer | Terraform | +| 302 | CKV_AZURE_61 | resource | 
azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for App Service | Terraform | +| 303 | CKV_AZURE_62 | resource | azurerm_function_app | Ensure function apps are not accessible from all regions | Terraform | +| 304 | CKV_AZURE_63 | resource | azurerm_app_service | Ensure that App service enables HTTP logging | Terraform | +| 305 | CKV_AZURE_64 | resource | azurerm_storage_sync | Ensure that Azure File Sync disables public network access | Terraform | +| 306 | CKV_AZURE_65 | resource | azurerm_app_service | Ensure that App service enables detailed error messages | Terraform | +| 307 | CKV_AZURE_66 | resource | azurerm_app_service | Ensure that App service enables failed request tracing | Terraform | +| 308 | CKV_AZURE_67 | resource | azurerm_function_app | Ensure that 'HTTP Version' is the latest, if used to run the Function app | Terraform | +| 309 | CKV_AZURE_68 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server disables public network access | Terraform | +| 310 | CKV_AZURE_69 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Azure SQL database servers | Terraform | +| 311 | CKV_AZURE_70 | resource | azurerm_function_app | Ensure that Function apps is only accessible over HTTPS | Terraform | +| 312 | CKV_AZURE_71 | resource | azurerm_app_service | Ensure that Managed identity provider is enabled for app services | Terraform | +| 313 | CKV_AZURE_72 | resource | azurerm_app_service | Ensure that remote debugging is not enabled for app services | Terraform | +| 314 | CKV_AZURE_73 | resource | azurerm_automation_variable_bool | Ensure that Automation account variables are encrypted | Terraform | +| 315 | CKV_AZURE_73 | resource | azurerm_automation_variable_string | Ensure that Automation account variables are encrypted | Terraform | +| 316 | CKV_AZURE_73 | resource | azurerm_automation_variable_int | Ensure that Automation account variables are encrypted | 
Terraform | +| 317 | CKV_AZURE_73 | resource | azurerm_automation_variable_datetime | Ensure that Automation account variables are encrypted | Terraform | +| 318 | CKV_AZURE_74 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer uses disk encryption | Terraform | +| 319 | CKV_AZURE_75 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer uses double encryption | Terraform | +| 320 | CKV_AZURE_76 | resource | azurerm_batch_account | Ensure that Azure Batch account uses key vault to encrypt data | Terraform | +| 321 | CKV_AZURE_77 | resource | azurerm_network_security_rule | Ensure that UDP Services are restricted from the Internet | Terraform | +| 322 | CKV_AZURE_77 | resource | azurerm_network_security_group | Ensure that UDP Services are restricted from the Internet | Terraform | +| 323 | CKV_AZURE_78 | resource | azurerm_app_service | Ensure FTP deployments are disabled | Terraform | +| 324 | CKV_AZURE_79 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for SQL servers on machines | Terraform | +| 325 | CKV_AZURE_80 | resource | azurerm_app_service | Ensure that 'Net Framework' version is the latest, if used as a part of the web app | Terraform | +| 326 | CKV_AZURE_81 | resource | azurerm_app_service | Ensure that 'PHP version' is the latest, if used to run the web app | Terraform | +| 327 | CKV_AZURE_82 | resource | azurerm_app_service | Ensure that 'Python version' is the latest, if used to run the web app | Terraform | +| 328 | CKV_AZURE_83 | resource | azurerm_app_service | Ensure that 'Java version' is the latest, if used to run the web app | Terraform | +| 329 | CKV_AZURE_84 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Storage | Terraform | +| 330 | CKV_AZURE_85 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Kubernetes | Terraform | +| 331 | CKV_AZURE_86 | 
resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Container Registries | Terraform | +| 332 | CKV_AZURE_87 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Key Vault | Terraform | +| 333 | CKV_AZURE_88 | resource | azurerm_app_service | Ensure that app services use Azure Files | Terraform | +| 334 | CKV_AZURE_89 | resource | azurerm_redis_cache | Ensure that Azure Cache for Redis disables public network access | Terraform | +| 335 | CKV_AZURE_90 | resource | azurerm_mysql_server | Ensure that MySQL server disables public network access | Terraform | +| 336 | CKV_AZURE_91 | resource | azurerm_redis_cache | Ensure that only SSL are enabled for Cache for Redis | Terraform | +| 337 | CKV_AZURE_92 | resource | azurerm_linux_virtual_machine | Ensure that Virtual Machines use managed disks | Terraform | +| 338 | CKV_AZURE_92 | resource | azurerm_windows_virtual_machine | Ensure that Virtual Machines use managed disks | Terraform | +| 339 | CKV_AZURE_93 | resource | azurerm_managed_disk | Ensure that managed disks use a specific set of disk encryption sets for the customer-managed key encryption | Terraform | +| 340 | CKV_AZURE_94 | resource | azurerm_mysql_server | Ensure that My SQL server enables geo-redundant backups | Terraform | +| 341 | CKV_AZURE_95 | resource | azurerm_virtual_machine_scale_set | Ensure that automatic OS image patching is enabled for Virtual Machine Scale Sets | Terraform | +| 342 | CKV_AZURE_96 | resource | azurerm_mysql_server | Ensure that MySQL server enables infrastructure encryption | Terraform | +| 343 | CKV_AZURE_97 | resource | azurerm_linux_virtual_machine_scale_set | Ensure that Virtual machine scale sets have encryption at host enabled | Terraform | +| 344 | CKV_AZURE_97 | resource | azurerm_windows_virtual_machine_scale_set | Ensure that Virtual machine scale sets have encryption at host enabled | Terraform | +| 345 | CKV_AZURE_98 
| resource | azurerm_container_group | Ensure that Azure Container group is deployed into virtual network | Terraform | +| 346 | CKV_AZURE_99 | resource | azurerm_cosmosdb_account | Ensure Cosmos DB accounts have restricted access | Terraform | +| 347 | CKV_AZURE_100 | resource | azurerm_cosmosdb_account | Ensure that Cosmos DB accounts have customer-managed keys to encrypt data at rest | Terraform | +| 348 | CKV_AZURE_101 | resource | azurerm_cosmosdb_account | Ensure that Azure Cosmos DB disables public network access | Terraform | +| 349 | CKV_AZURE_102 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables geo-redundant backups | Terraform | +| 350 | CKV_AZURE_103 | resource | azurerm_data_factory | Ensure that Azure Data Factory uses Git repository for source control | Terraform | +| 351 | CKV_AZURE_104 | resource | azurerm_data_factory | Ensure that Azure Data factory public network access is disabled | Terraform | +| 352 | CKV_AZURE_105 | resource | azurerm_data_lake_store | Ensure that Data Lake Store accounts enables encryption | Terraform | +| 353 | CKV_AZURE_106 | resource | azurerm_eventgrid_domain | Ensure that Azure Event Grid Domain public network access is disabled | Terraform | +| 354 | CKV_AZURE_107 | resource | azurerm_api_management | Ensure that API management services use virtual networks | Terraform | +| 355 | CKV_AZURE_108 | resource | azurerm_iothub | Ensure that Azure IoT Hub disables public network access | Terraform | +| 356 | CKV_AZURE_109 | resource | azurerm_key_vault | Ensure that key vault allows firewall rules settings | Terraform | +| 357 | CKV_AZURE_110 | resource | azurerm_key_vault | Ensure that key vault enables purge protection | Terraform | +| 358 | CKV_AZURE_111 | resource | azurerm_key_vault | Ensure that key vault enables soft delete | Terraform | +| 359 | CKV_AZURE_112 | resource | azurerm_key_vault_key | Ensure that key vault key is backed by HSM | Terraform | +| 360 | CKV_AZURE_113 | resource | 
azurerm_mssql_server | Ensure that SQL server disables public network access | Terraform | +| 361 | CKV_AZURE_114 | resource | azurerm_key_vault_secret | Ensure that key vault secrets have "content_type" set | Terraform | +| 362 | CKV_AZURE_115 | resource | azurerm_kubernetes_cluster | Ensure that AKS enables private clusters | Terraform | +| 363 | CKV_AZURE_116 | resource | azurerm_kubernetes_cluster | Ensure that AKS uses Azure Policies Add-on | Terraform | +| 364 | CKV_AZURE_117 | resource | azurerm_kubernetes_cluster | Ensure that AKS uses disk encryption set | Terraform | +| 365 | CKV_AZURE_118 | resource | azurerm_network_interface | Ensure that Network Interfaces disable IP forwarding | Terraform | +| 366 | CKV_AZURE_119 | resource | azurerm_network_interface | Ensure that Network Interfaces don't use public IPs | Terraform | +| 367 | CKV_AZURE_120 | resource | azurerm_application_gateway | Ensure that Application Gateway enables WAF | Terraform | +| 368 | CKV_AZURE_121 | resource | azurerm_frontdoor | Ensure that Azure Front Door enables WAF | Terraform | +| 369 | CKV_AZURE_122 | resource | azurerm_web_application_firewall_policy | Ensure that Application Gateway uses WAF in "Detection" or "Prevention" modes | Terraform | +| 370 | CKV_AZURE_123 | resource | azurerm_frontdoor_firewall_policy | Ensure that Azure Front Door uses WAF in "Detection" or "Prevention" modes | Terraform | +| 371 | CKV_AZURE_124 | resource | azurerm_search_service | Ensure that Azure Cognitive Search disables public network access | Terraform | +| 372 | CKV_AZURE_125 | resource | azurerm_service_fabric_cluster | Ensures that Service Fabric use three levels of protection available | Terraform | +| 373 | CKV_AZURE_126 | resource | azurerm_service_fabric_cluster | Ensures that Active Directory is used for authentication for Service Fabric | Terraform | +| 374 | CKV_AZURE_127 | resource | azurerm_mysql_server | Ensure that My SQL server enables Threat detection policy | Terraform | +| 
375 | CKV_AZURE_128 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables Threat detection policy | Terraform | +| 376 | CKV_AZURE_129 | resource | azurerm_mariadb_server | Ensure that MariaDB server enables geo-redundant backups | Terraform | +| 377 | CKV_AZURE_130 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables infrastructure encryption | Terraform | +| 378 | CKV_AZURE_131 | resource | azurerm_security_center_contact | Ensure that 'Security contact emails' is set | Terraform | +| 379 | CKV2_AZURE_1 | resource | azurerm_storage_account | Ensure storage for critical data are encrypted with Customer Managed Key | Terraform | | 380 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | -| 381 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 382 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 383 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 384 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 385 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 386 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 387 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins 
and subscription owners' is set for a SQL server | Terraform | -| 388 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 389 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 390 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | +| 381 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | +| 382 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 383 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 384 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 385 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 386 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 387 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 388 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 389 | CKV2_AZURE_5 | resource | 
azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 390 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | | 391 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | -| 392 | CKV2_AZURE_7 | resource | azurerm_sql_server | Ensure that Azure Active Directory Admin is configured | Terraform | -| 393 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | -| 394 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | -| 395 | CKV2_AZURE_9 | resource | azurerm_virtual_machine | Ensure Virtual Machines are utilizing Managed Disks | Terraform | -| 396 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | +| 392 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | +| 393 | CKV2_AZURE_7 | resource | azurerm_sql_server | Ensure that Azure Active Directory Admin is configured | Terraform | +| 394 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | +| 395 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | +| 396 | CKV2_AZURE_9 | resource | azurerm_virtual_machine | Ensure Virtual Machines are utilizing Managed Disks | Terraform | | 
397 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | -| 398 | CKV2_AZURE_11 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer encryption at rest uses a customer-managed key | Terraform | -| 399 | CKV2_AZURE_12 | resource | azurerm_virtual_machine | Ensure that virtual machines are backed up using Azure Backup | Terraform | -| 400 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | +| 398 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | +| 399 | CKV2_AZURE_11 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer encryption at rest uses a customer-managed key | Terraform | +| 400 | CKV2_AZURE_12 | resource | azurerm_virtual_machine | Ensure that virtual machines are backed up using Azure Backup | Terraform | | 401 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | -| 402 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | +| 402 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | | 403 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | -| 404 | CKV2_AZURE_15 | resource | azurerm_data_factory | Ensure that Azure data factories are encrypted with a customer-managed key | Terraform | -| 405 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | +| 404 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | +| 405 | CKV2_AZURE_15 | 
resource | azurerm_data_factory | Ensure that Azure data factories are encrypted with a customer-managed key | Terraform | | 406 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | -| 407 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | +| 407 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | | 408 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | -| 409 | CKV2_AZURE_18 | resource | azurerm_storage_account | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | -| 410 | CKV2_AZURE_18 | resource | azurerm_storage_account_customer_managed_key | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | -| 411 | CKV2_AZURE_19 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces have no IP firewall rules attached | Terraform | -| 412 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 413 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 409 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | +| 410 | CKV2_AZURE_18 | resource | azurerm_storage_account | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | +| 411 | CKV2_AZURE_18 | resource | azurerm_storage_account_customer_managed_key | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | +| 412 | CKV2_AZURE_19 | resource | azurerm_synapse_workspace | 
Ensure that Azure Synapse workspaces have no IP firewall rules attached | Terraform | +| 413 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | | 414 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 415 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 415 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | | 416 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | | 417 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | -| 418 | CKV_GCP_1 | resource | google_container_cluster | Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters | Terraform | -| 419 | CKV_GCP_2 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted ssh access | Terraform | -| 420 | CKV_GCP_3 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted rdp access | Terraform | -| 421 | CKV_GCP_4 | resource | google_compute_ssl_policy | Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites | Terraform | -| 422 | CKV_GCP_6 | resource | google_sql_database_instance | Ensure all Cloud SQL database instance requires all incoming connections to use SSL | Terraform | -| 423 | CKV_GCP_7 | resource | google_container_cluster | Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters | Terraform | -| 424 | CKV_GCP_8 | resource | google_container_cluster | Ensure Stackdriver Monitoring is 
set to Enabled on Kubernetes Engine Clusters | Terraform | -| 425 | CKV_GCP_9 | resource | google_container_node_pool | Ensure 'Automatic node repair' is enabled for Kubernetes Clusters | Terraform | -| 426 | CKV_GCP_10 | resource | google_container_node_pool | Ensure 'Automatic node upgrade' is enabled for Kubernetes Clusters | Terraform | -| 427 | CKV_GCP_11 | resource | google_sql_database_instance | Ensure that Cloud SQL database Instances are not open to the world | Terraform | -| 428 | CKV_GCP_12 | resource | google_container_cluster | Ensure Network Policy is enabled on Kubernetes Engine Clusters | Terraform | -| 429 | CKV_GCP_13 | resource | google_container_cluster | Ensure a client certificate is used by clients to authenticate to Kubernetes Engine Clusters | Terraform | -| 430 | CKV_GCP_14 | resource | google_sql_database_instance | Ensure all Cloud SQL database instance have backup configuration enabled | Terraform | -| 431 | CKV_GCP_15 | resource | google_bigquery_dataset | Ensure that BigQuery datasets are not anonymously or publicly accessible | Terraform | -| 432 | CKV_GCP_16 | resource | google_dns_managed_zone | Ensure that DNSSEC is enabled for Cloud DNS | Terraform | -| 433 | CKV_GCP_17 | resource | google_dns_managed_zone | Ensure that RSASHA1 is not used for the zone-signing and key-signing keys in Cloud DNS DNSSEC | Terraform | -| 434 | CKV_GCP_18 | resource | google_container_cluster | Ensure GKE Control Plane is not public | Terraform | -| 435 | CKV_GCP_19 | resource | google_container_cluster | Ensure GKE basic auth is disabled | Terraform | -| 436 | CKV_GCP_20 | resource | google_container_cluster | Ensure master authorized networks is set to enabled in GKE clusters | Terraform | -| 437 | CKV_GCP_21 | resource | google_container_cluster | Ensure Kubernetes Clusters are configured with Labels | Terraform | -| 438 | CKV_GCP_22 | resource | google_container_node_pool | Ensure Container-Optimized OS (cos) is used for Kubernetes Engine 
Clusters Node image | Terraform | -| 439 | CKV_GCP_23 | resource | google_container_cluster | Ensure Kubernetes Cluster is created with Alias IP ranges enabled | Terraform | -| 440 | CKV_GCP_24 | resource | google_container_cluster | Ensure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters | Terraform | -| 441 | CKV_GCP_25 | resource | google_container_cluster | Ensure Kubernetes Cluster is created with Private cluster enabled | Terraform | -| 442 | CKV_GCP_26 | resource | google_compute_subnetwork | Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network | Terraform | -| 443 | CKV_GCP_27 | resource | google_project | Ensure that the default network does not exist in a project | Terraform | -| 444 | CKV_GCP_28 | resource | google_storage_bucket_iam_member | Ensure that Cloud Storage bucket is not anonymously or publicly accessible | Terraform | -| 445 | CKV_GCP_28 | resource | google_storage_bucket_iam_binding | Ensure that Cloud Storage bucket is not anonymously or publicly accessible | Terraform | -| 446 | CKV_GCP_29 | resource | google_storage_bucket | Ensure that Cloud Storage buckets have uniform bucket-level access enabled | Terraform | -| 447 | CKV_GCP_30 | resource | google_compute_instance | Ensure that instances are not configured to use the default service account | Terraform | -| 448 | CKV_GCP_31 | resource | google_compute_instance | Ensure that instances are not configured to use the default service account with full access to all Cloud APIs | Terraform | -| 449 | CKV_GCP_32 | resource | google_compute_instance | Ensure 'Block Project-wide SSH keys' is enabled for VM instances | Terraform | -| 450 | CKV_GCP_33 | resource | google_compute_project_metadata | Ensure oslogin is enabled for a Project | Terraform | -| 451 | CKV_GCP_34 | resource | google_compute_instance | Ensure that no instance in the project overrides the project setting for enabling OSLogin(OSLogin needs to be enabled in project metadata for all 
instances) | Terraform | -| 452 | CKV_GCP_35 | resource | google_compute_instance | Ensure 'Enable connecting to serial ports' is not enabled for VM Instance | Terraform | -| 453 | CKV_GCP_36 | resource | google_compute_instance | Ensure that IP forwarding is not enabled on Instances | Terraform | -| 454 | CKV_GCP_37 | resource | google_compute_disk | Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | -| 455 | CKV_GCP_38 | resource | google_compute_instance | Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | -| 456 | CKV_GCP_39 | resource | google_compute_instance | Ensure Compute instances are launched with Shielded VM enabled | Terraform | -| 457 | CKV_GCP_40 | resource | google_compute_instance | Ensure that Compute instances do not have public IP addresses | Terraform | -| 458 | CKV_GCP_41 | resource | google_project_iam_member | Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level | Terraform | -| 459 | CKV_GCP_41 | resource | google_project_iam_binding | Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level | Terraform | -| 460 | CKV_GCP_42 | resource | google_project_iam_member | Ensure that Service Account has no Admin privileges | Terraform | -| 461 | CKV_GCP_43 | resource | google_kms_crypto_key | Ensure KMS encryption keys are rotated within a period of 90 days | Terraform | -| 462 | CKV_GCP_44 | resource | google_folder_iam_member | Ensure no roles that enable to impersonate and manage all service accounts are used at a folder level | Terraform | -| 463 | CKV_GCP_44 | resource | google_folder_iam_binding | Ensure no roles that enable to impersonate and manage all service accounts are used at a folder level | Terraform | -| 464 | CKV_GCP_45 | resource | google_organization_iam_member | Ensure no roles that enable 
to impersonate and manage all service accounts are used at an organization level | Terraform | -| 465 | CKV_GCP_45 | resource | google_organization_iam_binding | Ensure no roles that enable to impersonate and manage all service accounts are used at an organization level | Terraform | -| 466 | CKV_GCP_46 | resource | google_project_iam_member | Ensure Default Service account is not used at a project level | Terraform | -| 467 | CKV_GCP_46 | resource | google_project_iam_binding | Ensure Default Service account is not used at a project level | Terraform | -| 468 | CKV_GCP_47 | resource | google_organization_iam_member | Ensure default service account is not used at an organization level | Terraform | -| 469 | CKV_GCP_47 | resource | google_organization_iam_binding | Ensure default service account is not used at an organization level | Terraform | -| 470 | CKV_GCP_48 | resource | google_folder_iam_member | Ensure Default Service account is not used at a folder level | Terraform | -| 471 | CKV_GCP_48 | resource | google_folder_iam_binding | Ensure Default Service account is not used at a folder level | Terraform | -| 472 | CKV_GCP_49 | resource | google_project_iam_member | Ensure no roles that enable to impersonate and manage all service accounts are used at a project level | Terraform | -| 473 | CKV_GCP_49 | resource | google_project_iam_binding | Ensure no roles that enable to impersonate and manage all service accounts are used at a project level | Terraform | -| 474 | CKV_GCP_50 | resource | google_sql_database_instance | Ensure MySQL database 'local_infile' flag is set to 'off' | Terraform | -| 475 | CKV_GCP_51 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_checkpoints' flag is set to 'on' | Terraform | -| 476 | CKV_GCP_52 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_connections' flag is set to 'on' | Terraform | -| 477 | CKV_GCP_53 | resource | google_sql_database_instance | Ensure PostgreSQL database 
'log_disconnections' flag is set to 'on' | Terraform | -| 478 | CKV_GCP_54 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_lock_waits' flag is set to 'on' | Terraform | -| 479 | CKV_GCP_55 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_min_messages' flag is set to a valid value | Terraform | -| 480 | CKV_GCP_56 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_temp_files flag is set to '0' | Terraform | -| 481 | CKV_GCP_57 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_min_duration_statement' flag is set to '-1' | Terraform | -| 482 | CKV_GCP_58 | resource | google_sql_database_instance | Ensure SQL database 'cross db ownership chaining' flag is set to 'off' | Terraform | -| 483 | CKV_GCP_59 | resource | google_sql_database_instance | Ensure SQL database 'contained database authentication' flag is set to 'off' | Terraform | -| 484 | CKV_GCP_60 | resource | google_sql_database_instance | Ensure SQL database do not have public IP | Terraform | -| 485 | CKV_GCP_61 | resource | google_container_cluster | Enable VPC Flow Logs and Intranode Visibility | Terraform | -| 486 | CKV_GCP_62 | resource | google_storage_bucket | Bucket should log access | Terraform | -| 487 | CKV_GCP_63 | resource | google_storage_bucket | Bucket should not log to itself | Terraform | -| 488 | CKV_GCP_64 | resource | google_container_cluster | Ensure clusters are created with Private Nodes | Terraform | -| 489 | CKV_GCP_65 | resource | google_container_cluster | Manage Kubernetes RBAC users with Google Groups for GKE | Terraform | -| 490 | CKV_GCP_66 | resource | google_container_cluster | Ensure use of Binary Authorization | Terraform | -| 491 | CKV_GCP_67 | resource | google_container_cluster | Ensure legacy Compute Engine instance metadata APIs are Disabled | Terraform | -| 492 | CKV_GCP_68 | resource | google_container_cluster | Ensure Secure Boot for Shielded GKE Nodes is Enabled 
| Terraform | -| 493 | CKV_GCP_68 | resource | google_container_node_pool | Ensure Secure Boot for Shielded GKE Nodes is Enabled | Terraform | -| 494 | CKV_GCP_69 | resource | google_container_cluster | Ensure the GKE Metadata Server is Enabled | Terraform | -| 495 | CKV_GCP_69 | resource | google_container_node_pool | Ensure the GKE Metadata Server is Enabled | Terraform | -| 496 | CKV_GCP_70 | resource | google_container_cluster | Ensure the GKE Release Channel is set | Terraform | -| 497 | CKV_GCP_71 | resource | google_container_cluster | Ensure Shielded GKE Nodes are Enabled | Terraform | -| 498 | CKV_GCP_72 | resource | google_container_cluster | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | -| 499 | CKV_GCP_72 | resource | google_container_node_pool | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | -| 500 | CKV2_GCP_1 | resource | google_project_default_service_accounts | Ensure GKE clusters are not running using the Compute Engine default service account | Terraform | -| 501 | CKV2_GCP_2 | resource | google_compute_network | Ensure legacy networks do not exist for a project | Terraform | -| 502 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 503 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 504 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 505 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 506 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 
507 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 508 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 509 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 510 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 511 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 512 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 513 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 514 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 515 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 516 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 418 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 419 | CKV_GCP_1 | resource | google_container_cluster | Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters | Terraform | +| 420 | CKV_GCP_2 | resource | 
google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted ssh access | Terraform | +| 421 | CKV_GCP_3 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted rdp access | Terraform | +| 422 | CKV_GCP_4 | resource | google_compute_ssl_policy | Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites | Terraform | +| 423 | CKV_GCP_6 | resource | google_sql_database_instance | Ensure all Cloud SQL database instance requires all incoming connections to use SSL | Terraform | +| 424 | CKV_GCP_7 | resource | google_container_cluster | Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters | Terraform | +| 425 | CKV_GCP_8 | resource | google_container_cluster | Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters | Terraform | +| 426 | CKV_GCP_9 | resource | google_container_node_pool | Ensure 'Automatic node repair' is enabled for Kubernetes Clusters | Terraform | +| 427 | CKV_GCP_10 | resource | google_container_node_pool | Ensure 'Automatic node upgrade' is enabled for Kubernetes Clusters | Terraform | +| 428 | CKV_GCP_11 | resource | google_sql_database_instance | Ensure that Cloud SQL database Instances are not open to the world | Terraform | +| 429 | CKV_GCP_12 | resource | google_container_cluster | Ensure Network Policy is enabled on Kubernetes Engine Clusters | Terraform | +| 430 | CKV_GCP_13 | resource | google_container_cluster | Ensure a client certificate is used by clients to authenticate to Kubernetes Engine Clusters | Terraform | +| 431 | CKV_GCP_14 | resource | google_sql_database_instance | Ensure all Cloud SQL database instance have backup configuration enabled | Terraform | +| 432 | CKV_GCP_15 | resource | google_bigquery_dataset | Ensure that BigQuery datasets are not anonymously or publicly accessible | Terraform | +| 433 | CKV_GCP_16 | resource | google_dns_managed_zone | Ensure that DNSSEC 
is enabled for Cloud DNS | Terraform | +| 434 | CKV_GCP_17 | resource | google_dns_managed_zone | Ensure that RSASHA1 is not used for the zone-signing and key-signing keys in Cloud DNS DNSSEC | Terraform | +| 435 | CKV_GCP_18 | resource | google_container_cluster | Ensure GKE Control Plane is not public | Terraform | +| 436 | CKV_GCP_19 | resource | google_container_cluster | Ensure GKE basic auth is disabled | Terraform | +| 437 | CKV_GCP_20 | resource | google_container_cluster | Ensure master authorized networks is set to enabled in GKE clusters | Terraform | +| 438 | CKV_GCP_21 | resource | google_container_cluster | Ensure Kubernetes Clusters are configured with Labels | Terraform | +| 439 | CKV_GCP_22 | resource | google_container_node_pool | Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image | Terraform | +| 440 | CKV_GCP_23 | resource | google_container_cluster | Ensure Kubernetes Cluster is created with Alias IP ranges enabled | Terraform | +| 441 | CKV_GCP_24 | resource | google_container_cluster | Ensure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters | Terraform | +| 442 | CKV_GCP_25 | resource | google_container_cluster | Ensure Kubernetes Cluster is created with Private cluster enabled | Terraform | +| 443 | CKV_GCP_26 | resource | google_compute_subnetwork | Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network | Terraform | +| 444 | CKV_GCP_27 | resource | google_project | Ensure that the default network does not exist in a project | Terraform | +| 445 | CKV_GCP_28 | resource | google_storage_bucket_iam_member | Ensure that Cloud Storage bucket is not anonymously or publicly accessible | Terraform | +| 446 | CKV_GCP_28 | resource | google_storage_bucket_iam_binding | Ensure that Cloud Storage bucket is not anonymously or publicly accessible | Terraform | +| 447 | CKV_GCP_29 | resource | google_storage_bucket | Ensure that Cloud Storage buckets have uniform bucket-level 
access enabled | Terraform | +| 448 | CKV_GCP_30 | resource | google_compute_instance | Ensure that instances are not configured to use the default service account | Terraform | +| 449 | CKV_GCP_31 | resource | google_compute_instance | Ensure that instances are not configured to use the default service account with full access to all Cloud APIs | Terraform | +| 450 | CKV_GCP_32 | resource | google_compute_instance | Ensure 'Block Project-wide SSH keys' is enabled for VM instances | Terraform | +| 451 | CKV_GCP_33 | resource | google_compute_project_metadata | Ensure oslogin is enabled for a Project | Terraform | +| 452 | CKV_GCP_34 | resource | google_compute_instance | Ensure that no instance in the project overrides the project setting for enabling OSLogin(OSLogin needs to be enabled in project metadata for all instances) | Terraform | +| 453 | CKV_GCP_35 | resource | google_compute_instance | Ensure 'Enable connecting to serial ports' is not enabled for VM Instance | Terraform | +| 454 | CKV_GCP_36 | resource | google_compute_instance | Ensure that IP forwarding is not enabled on Instances | Terraform | +| 455 | CKV_GCP_37 | resource | google_compute_disk | Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | +| 456 | CKV_GCP_38 | resource | google_compute_instance | Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | +| 457 | CKV_GCP_39 | resource | google_compute_instance | Ensure Compute instances are launched with Shielded VM enabled | Terraform | +| 458 | CKV_GCP_40 | resource | google_compute_instance | Ensure that Compute instances do not have public IP addresses | Terraform | +| 459 | CKV_GCP_41 | resource | google_project_iam_member | Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level | Terraform | +| 460 | CKV_GCP_41 | resource | google_project_iam_binding | Ensure that IAM 
users are not assigned the Service Account User or Service Account Token Creator roles at project level | Terraform | +| 461 | CKV_GCP_42 | resource | google_project_iam_member | Ensure that Service Account has no Admin privileges | Terraform | +| 462 | CKV_GCP_43 | resource | google_kms_crypto_key | Ensure KMS encryption keys are rotated within a period of 90 days | Terraform | +| 463 | CKV_GCP_44 | resource | google_folder_iam_member | Ensure no roles that enable to impersonate and manage all service accounts are used at a folder level | Terraform | +| 464 | CKV_GCP_44 | resource | google_folder_iam_binding | Ensure no roles that enable to impersonate and manage all service accounts are used at a folder level | Terraform | +| 465 | CKV_GCP_45 | resource | google_organization_iam_member | Ensure no roles that enable to impersonate and manage all service accounts are used at an organization level | Terraform | +| 466 | CKV_GCP_45 | resource | google_organization_iam_binding | Ensure no roles that enable to impersonate and manage all service accounts are used at an organization level | Terraform | +| 467 | CKV_GCP_46 | resource | google_project_iam_member | Ensure Default Service account is not used at a project level | Terraform | +| 468 | CKV_GCP_46 | resource | google_project_iam_binding | Ensure Default Service account is not used at a project level | Terraform | +| 469 | CKV_GCP_47 | resource | google_organization_iam_member | Ensure default service account is not used at an organization level | Terraform | +| 470 | CKV_GCP_47 | resource | google_organization_iam_binding | Ensure default service account is not used at an organization level | Terraform | +| 471 | CKV_GCP_48 | resource | google_folder_iam_member | Ensure Default Service account is not used at a folder level | Terraform | +| 472 | CKV_GCP_48 | resource | google_folder_iam_binding | Ensure Default Service account is not used at a folder level | Terraform | +| 473 | CKV_GCP_49 | resource | 
google_project_iam_member | Ensure no roles that enable to impersonate and manage all service accounts are used at a project level | Terraform | +| 474 | CKV_GCP_49 | resource | google_project_iam_binding | Ensure no roles that enable to impersonate and manage all service accounts are used at a project level | Terraform | +| 475 | CKV_GCP_50 | resource | google_sql_database_instance | Ensure MySQL database 'local_infile' flag is set to 'off' | Terraform | +| 476 | CKV_GCP_51 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_checkpoints' flag is set to 'on' | Terraform | +| 477 | CKV_GCP_52 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_connections' flag is set to 'on' | Terraform | +| 478 | CKV_GCP_53 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_disconnections' flag is set to 'on' | Terraform | +| 479 | CKV_GCP_54 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_lock_waits' flag is set to 'on' | Terraform | +| 480 | CKV_GCP_55 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_min_messages' flag is set to a valid value | Terraform | +| 481 | CKV_GCP_56 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_temp_files flag is set to '0' | Terraform | +| 482 | CKV_GCP_57 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_min_duration_statement' flag is set to '-1' | Terraform | +| 483 | CKV_GCP_58 | resource | google_sql_database_instance | Ensure SQL database 'cross db ownership chaining' flag is set to 'off' | Terraform | +| 484 | CKV_GCP_59 | resource | google_sql_database_instance | Ensure SQL database 'contained database authentication' flag is set to 'off' | Terraform | +| 485 | CKV_GCP_60 | resource | google_sql_database_instance | Ensure SQL database do not have public IP | Terraform | +| 486 | CKV_GCP_61 | resource | google_container_cluster | Enable VPC Flow Logs and Intranode 
Visibility | Terraform | +| 487 | CKV_GCP_62 | resource | google_storage_bucket | Bucket should log access | Terraform | +| 488 | CKV_GCP_63 | resource | google_storage_bucket | Bucket should not log to itself | Terraform | +| 489 | CKV_GCP_64 | resource | google_container_cluster | Ensure clusters are created with Private Nodes | Terraform | +| 490 | CKV_GCP_65 | resource | google_container_cluster | Manage Kubernetes RBAC users with Google Groups for GKE | Terraform | +| 491 | CKV_GCP_66 | resource | google_container_cluster | Ensure use of Binary Authorization | Terraform | +| 492 | CKV_GCP_67 | resource | google_container_cluster | Ensure legacy Compute Engine instance metadata APIs are Disabled | Terraform | +| 493 | CKV_GCP_68 | resource | google_container_cluster | Ensure Secure Boot for Shielded GKE Nodes is Enabled | Terraform | +| 494 | CKV_GCP_68 | resource | google_container_node_pool | Ensure Secure Boot for Shielded GKE Nodes is Enabled | Terraform | +| 495 | CKV_GCP_69 | resource | google_container_cluster | Ensure the GKE Metadata Server is Enabled | Terraform | +| 496 | CKV_GCP_69 | resource | google_container_node_pool | Ensure the GKE Metadata Server is Enabled | Terraform | +| 497 | CKV_GCP_70 | resource | google_container_cluster | Ensure the GKE Release Channel is set | Terraform | +| 498 | CKV_GCP_71 | resource | google_container_cluster | Ensure Shielded GKE Nodes are Enabled | Terraform | +| 499 | CKV_GCP_72 | resource | google_container_cluster | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | +| 500 | CKV_GCP_72 | resource | google_container_node_pool | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | +| 501 | CKV2_GCP_1 | resource | google_project_default_service_accounts | Ensure GKE clusters are not running using the Compute Engine default service account | Terraform | +| 502 | CKV2_GCP_2 | resource | google_compute_network | Ensure legacy networks do not exist for a project | 
Terraform | +| 503 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 504 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 505 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 506 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 507 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 508 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 509 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 510 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 511 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 512 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 513 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 514 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 515 | CKV2_GCP_3 | 
resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 516 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | | 517 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 518 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 519 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 520 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 521 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 522 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 523 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 524 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 525 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 526 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 527 | CKV2_GCP_3 | resource | 
google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 528 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 529 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 530 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 531 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 532 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 533 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 534 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 535 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 536 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 537 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 538 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 539 | CKV2_GCP_3 | 
resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 540 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 541 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 542 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 543 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 544 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 545 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 546 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 547 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 548 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 549 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 550 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 551 | 
CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 552 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 553 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 554 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 555 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 556 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 557 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 558 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 559 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 560 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 561 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 562 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 563 | CKV2_GCP_3 | resource | google_data_catalog_tag 
| Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 564 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 565 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 566 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 567 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 568 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 569 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 570 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 571 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 572 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 573 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 574 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 575 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure 
that there are only GCP-managed service account keys for each service account | Terraform | -| 576 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 577 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 578 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 579 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 580 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 581 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 582 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 583 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 584 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 585 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 586 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 587 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account 
keys for each service account | Terraform | -| 588 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 589 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 590 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 591 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 592 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 593 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 594 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 595 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 596 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 597 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 598 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 599 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each 
service account | Terraform | -| 600 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 601 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 602 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 603 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 604 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 605 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 606 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 607 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 608 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 609 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 610 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 611 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 612 | CKV2_GCP_3 | resource | google_iap_client | 
Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 613 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 614 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 615 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 616 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 617 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 618 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 619 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 620 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 621 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 622 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 623 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 624 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service 
account keys for each service account | Terraform | -| 625 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 626 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 627 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 628 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 629 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 630 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 631 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 632 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 633 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 634 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 635 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 636 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 637 | CKV2_GCP_3 | resource | 
google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 638 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 639 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 640 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 641 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 642 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 643 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 644 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 645 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 646 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 647 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 648 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 649 | 
CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 650 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 651 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 652 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 653 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 654 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 655 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 656 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 657 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 658 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 659 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 660 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | 
-| 661 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 662 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 663 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 664 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 665 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 666 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 667 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 668 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 669 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 670 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 671 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 672 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for 
each service account | Terraform | -| 673 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 674 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 675 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 676 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 677 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 678 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 679 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 680 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 681 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 682 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 683 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 684 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for 
each service account | Terraform | -| 685 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 686 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 687 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 688 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 689 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 690 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 691 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 692 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 693 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 694 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 695 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 696 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 697 | 
CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 698 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 699 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 700 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 701 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 702 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 703 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 704 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 705 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 706 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 707 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 518 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 519 
| CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 520 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 521 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 522 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 523 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 524 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 525 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 526 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 527 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 528 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 529 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 530 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 531 | CKV2_GCP_3 
| resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 532 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 533 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 534 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 535 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 536 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 537 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 538 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 539 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 540 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 541 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 542 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 543 | CKV2_GCP_3 | resource | 
google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 544 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 545 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 546 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 547 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 548 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 549 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 550 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 551 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 552 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 553 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 554 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 555 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are 
only GCP-managed service account keys for each service account | Terraform | +| 556 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 557 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 558 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 559 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 560 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 561 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 562 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 563 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 564 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 565 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 566 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 567 | CKV2_GCP_3 | resource | 
google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 568 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 569 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 570 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 571 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 572 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 573 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 574 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 575 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 576 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 577 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 578 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 579 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there 
are only GCP-managed service account keys for each service account | Terraform | +| 580 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 581 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 582 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 583 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 584 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 585 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 586 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 587 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 588 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 589 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 590 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 591 | CKV2_GCP_3 | resource | google_compute_instance_iam | 
Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 592 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 593 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 594 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 595 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 596 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 597 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 598 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 599 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 600 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 601 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 602 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 603 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only 
GCP-managed service account keys for each service account | Terraform | +| 604 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 605 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 606 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 607 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 608 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 609 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 610 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 611 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 612 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 613 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 614 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 615 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only 
GCP-managed service account keys for each service account | Terraform | +| 616 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 617 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 618 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 619 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 620 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 621 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 622 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 623 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 624 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 625 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 626 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 627 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | 
Terraform | +| 628 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 629 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 630 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 631 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 632 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 633 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 634 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 635 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 636 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 637 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 638 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 639 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | 
+| 640 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 641 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 642 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 643 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 644 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 645 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 646 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 647 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 648 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 649 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 650 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 651 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account 
keys for each service account | Terraform | +| 652 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 653 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 654 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 655 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 656 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 657 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 658 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 659 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 660 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 661 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 662 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 663 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service 
account | Terraform | +| 664 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 665 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 666 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 667 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 668 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 669 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 670 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 671 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 672 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 673 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 674 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 675 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 676 | 
CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 677 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 678 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 679 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 680 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 681 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 682 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 683 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 684 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 685 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 686 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 687 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 688 | CKV2_GCP_3 | resource | 
google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 689 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 690 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 691 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 692 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 693 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 694 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 695 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 696 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 697 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 698 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 699 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 700 | CKV2_GCP_3 | 
resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 701 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 702 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 703 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 704 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 705 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 706 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 707 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | | 708 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 709 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 710 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 711 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 712 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | 
Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 713 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 714 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 715 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 716 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 717 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 718 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 719 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 720 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 721 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 722 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 723 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 724 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | 
Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 725 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 726 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 727 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 728 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 729 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 730 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 731 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 732 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 733 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 734 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 735 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 736 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service 
account keys for each service account | Terraform | -| 737 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 738 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 739 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 740 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 741 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 742 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 743 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 744 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 745 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 746 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 747 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 748 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only 
GCP-managed service account keys for each service account | Terraform | -| 749 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 750 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 751 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 752 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 753 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 754 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 755 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 756 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 757 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 758 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 759 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 760 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed 
service account keys for each service account | Terraform | -| 761 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 762 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 763 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 764 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 709 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 710 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 711 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 712 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 713 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 714 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 715 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 716 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that 
there are only GCP-managed service account keys for each service account | Terraform | +| 717 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 718 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 719 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 720 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 721 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 722 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 723 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 724 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 725 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 726 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 727 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 728 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys 
for each service account | Terraform | +| 729 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 730 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 731 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 732 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 733 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 734 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 735 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 736 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 737 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 738 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 739 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 740 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each 
service account | Terraform | +| 741 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 742 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 743 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 744 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 745 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 746 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 747 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 748 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 749 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 750 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 751 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 752 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each 
service account | Terraform | +| 753 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 754 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 755 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 756 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 757 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 758 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 759 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 760 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 761 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 762 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 763 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 764 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | 
| 765 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | | 766 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 767 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 768 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | +| 767 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 768 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | | 769 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | -| 770 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 770 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | | 771 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 772 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 773 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | +| 772 | CKV2_GCP_6 | resource | 
google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 773 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | | 774 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | -| 775 | CKV_GIT_1 | resource | github_repository | Ensure Repository is Private | Terraform | -| 776 | CKV_LIN_1 | provider | linode | Ensure no hard coded Linode tokens exist in provider | Terraform | -| 777 | CKV_LIN_2 | resource | linode_instance | Ensure SSH key set in authorized_keys | Terraform | +| 775 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | +| 776 | CKV_GIT_1 | resource | github_repository | Ensure Repository is Private | Terraform | +| 777 | CKV_LIN_1 | provider | linode | Ensure no hard coded Linode tokens exist in provider | Terraform | +| 778 | CKV_LIN_2 | resource | linode_instance | Ensure SSH key set in authorized_keys | Terraform | --- diff --git a/github_action_resources/entrypoint.sh b/github_action_resources/entrypoint.sh index 2b473e344e..65e3532a79 100755 --- a/github_action_resources/entrypoint.sh +++ b/github_action_resources/entrypoint.sh 
@@ -8,7 +8,14 @@ then exit $? fi -# Actions pass inputs as $INPUT_ environmet variables +matcher_path=`pwd`/checkov-problem-matcher.json +warning_matcher_path=`pwd`/checkov-problem-matcher-softfail.json +cp /usr/local/lib/checkov-problem-matcher.json "$matcher_path" +cp /usr/local/lib/checkov-problem-matcher-softfail.json "$warning_matcher_path" + +export BC_SOURCE=githubActions + +# Actions pass inputs as $INPUT_ environment variables # [[ -n "$INPUT_CHECK" ]] && CHECK_FLAG="--check $INPUT_CHECK" [[ -n "$INPUT_SKIP_CHECK" ]] && SKIP_CHECK_FLAG="--skip-check $INPUT_SKIP_CHECK" @@ -16,6 +23,9 @@ fi [[ -n "$INPUT_OUTPUT_FORMAT" ]] && OUTPUT_FLAG="--output $INPUT_OUTPUT_FORMAT" [[ -n "$INPUT_BASELINE" ]] && BASELINE_FLAG="--baseline $INPUT_BASELINE" [[ -n "$INPUT_CONFIG_FILE" ]] && CONFIG_FILE_FLAG="--config-file $INPUT_CONFIG_FILE" +[[ -n "$INPUT_SOFT_FAIL_ON" ]] && SOFT_FAIL_ON_FLAG="--soft-fail-on $INPUT_SOFT_FAIL_ON" +[[ -n "$INPUT_HARD_FAIL_ON" ]] && HARD_FAIL_ON_FLAG="--hard-fail-on $INPUT_HARD_FAIL_ON" + if [ -n "$INPUT_QUIET" ] && [ "$INPUT_QUIET" = "true" ]; then QUIET_FLAG="--quiet" 
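Review bot: The new assignments to `matcher_path` and `warning_matcher_path` use backtick command substitution for `pwd`, while the removed line further down and the new `BC_PR_ID` line use `$(...)`; prefer `matcher_path="$(pwd)/checkov-problem-matcher.json"` (and the same for `warning_matcher_path`) so the script has one substitution style and the path is quoted. Within the visible hunks neither variable is read after its `cp`, because the later `::add-matcher::` lines reference the bare relative filename, so either the variables can go and the copies can target `./checkov-problem-matcher.json` directly, or the `::add-matcher::` lines should use them. The `if … fi` this hunk opens with starts outside the hunk.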
@@ -51,18 +61,51 @@ if [ -n "$INPUT_EXTERNAL_CHECKS_REPOS" ]; then done fi -echo "input_soft_fail:$INPUT_SOFT_FAIL" -matcher_path=$(pwd)/checkov-problem-matcher.json -if [ -n "$INPUT_SOFT_FAIL" ]; then - cp /usr/local/lib/checkov-problem-matcher.json "$matcher_path" +if [ ! -z "$INPUT_SOFT_FAIL" ]; then + echo "::add-matcher::checkov-problem-matcher.json" else - cp /usr/local/lib/checkov-problem-matcher-softfail.json "$matcher_path" + echo "::add-matcher::checkov-problem-matcher-softfail.json" fi -echo "::add-matcher::checkov-problem-matcher.json" +API_KEY=${API_KEY_VARIABLE} + +GIT_BRANCH=${GITHUB_HEAD_REF:=master} +export BC_FROM_BRANCH=${GIT_BRANCH} +export BC_TO_BRANCH=${GITHUB_BASE_REF} +export BC_PR_ID=$(echo $GITHUB_REF | awk 'BEGIN { FS = "/" } ; { print $3 }') +export BC_PR_URL="${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/pull/${BC_PR_ID}" +export BC_COMMIT_HASH=${GITHUB_SHA} +export BC_COMMIT_URL="${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/commit/${GITHUB_SHA}" +export BC_AUTHOR_NAME=${GITHUB_ACTOR} +export BC_AUTHOR_URL="${GITHUB_SERVER_URL}/${BC_AUTHOR_NAME}" +export BC_RUN_ID=${GITHUB_RUN_NUMBER} +export BC_RUN_URL="${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}" +export BC_REPOSITORY_URL="${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}" + +echo "BC_FROM_BRANCH=${GIT_BRANCH}" +echo "BC_TO_BRANCH=${GITHUB_BASE_REF}" +echo "BC_PR_ID=$(echo $GITHUB_REF | awk 'BEGIN { FS = "/" } ; { print $3 }')" +echo "BC_PR_URL="${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/pull/${BC_PR_ID}"" +echo "BC_COMMIT_HASH=${GITHUB_SHA}" +echo "BC_COMMIT_URL="${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/commit/${GITHUB_SHA}"" +echo "BC_AUTHOR_NAME=${GITHUB_ACTOR}" +echo "BC_AUTHOR_URL="${GITHUB_SERVER_URL}/${BC_AUTHOR_NAME}"" +echo "BC_RUN_ID=${GITHUB_RUN_NUMBER}" +echo "BC_RUN_URL="${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}"" +echo "BC_REPOSITORY_URL="${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}"" + echo "running checkov on directory: $1" 
-checkov -d $INPUT_DIRECTORY $CHECK_FLAG $SKIP_CHECK_FLAG $QUIET_FLAG $SOFT_FAIL_FLAG $FRAMEWORK_FLAG $EXTCHECK_DIRS_FLAG $EXTCHECK_REPOS_FLAG $OUTPUT_FLAG $DOWNLOAD_EXTERNAL_MODULES_FLAG $BASELINE_FLAG $CONFIG_FILE_FLAG + +if [ -n "$API_KEY_VARIABLE" ]; then + echo "checkov --bc-api-key XXXXXXXXX-XXX-XXXXX --branch $GIT_BRANCH --repo-id $GITHUB_REPOSITORY -d $INPUT_DIRECTORY $CHECK_FLAG $SKIP_CHECK_FLAG $QUIET_FLAG $SOFT_FAIL_FLAG $EXTERNAL_CHECKS_DIR_FLAG $OUTPUT_FLAG $DOWNLOAD_EXTERNAL_MODULES_FLAG $CONFIG_FILE_FLAG $SOFT_FAIL_ON_FLAG $HARD_FAIL_ON_FLAG" + checkov --bc-api-key $API_KEY_VARIABLE --branch $GIT_BRANCH --repo-id $GITHUB_REPOSITORY -d $INPUT_DIRECTORY $CHECK_FLAG $SKIP_CHECK_FLAG $QUIET_FLAG $SOFT_FAIL_FLAG $EXTERNAL_CHECKS_DIR_FLAG $OUTPUT_FLAG $DOWNLOAD_EXTERNAL_MODULES_FLAG $CONFIG_FILE_FLAG $SOFT_FAIL_ON_FLAG $HARD_FAIL_ON_FLAG + else + echo "checkov -d $INPUT_DIRECTORY $CHECK_FLAG $SKIP_CHECK_FLAG $QUIET_FLAG $EXTERNAL_CHECKS_DIR_FLAG $OUTPUT_FLAG $SOFT_FAIL_FLAG $DOWNLOAD_EXTERNAL_MODULES_FLAG $CONFIG_FILE_FLAG $SOFT_FAIL_ON_FLAG $HARD_FAIL_ON_FLAG" + checkov -d $INPUT_DIRECTORY $CHECK_FLAG $SKIP_CHECK_FLAG $QUIET_FLAG $EXTERNAL_CHECKS_DIR_FLAG $OUTPUT_FLAG $SOFT_FAIL_FLAG $DOWNLOAD_EXTERNAL_MODULES_FLAG $CONFIG_FILE_FLAG $SOFT_FAIL_ON_FLAG $HARD_FAIL_ON_FLAG +fi + CHECKOV_EXIT_CODE=$? + if [ -n "$INPUT_DOWNLOAD_EXTERNAL_MODULES" ] && [ "$INPUT_DOWNLOAD_EXTERNAL_MODULES" = "true" ]; then echo "Cleaning up $INPUT_DIRECTORY/.external_modules directory" #This directory must be removed here for the self hosted github runners run as non-root user. diff --git a/integration_tests/prepare_data.sh b/integration_tests/prepare_data.sh index 6629018018..e8b24ee503 100755 --- a/integration_tests/prepare_data.sh +++ b/integration_tests/prepare_data.sh 
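Review bot: Both new `checkov` invocations drop `$BASELINE_FLAG`, which the earlier hunk still builds from `INPUT_BASELINE`, and replace `$EXTCHECK_DIRS_FLAG $EXTCHECK_REPOS_FLAG` from the removed line with `$EXTERNAL_CHECKS_DIR_FLAG`, a name that is not assigned in any visible part of the script, so the baseline and external-checks inputs are silently ignored unless that variable is set in the part of the script not shown. Restore `$BASELINE_FLAG $EXTCHECK_DIRS_FLAG $EXTCHECK_REPOS_FLAG` on both command lines and on the masked `echo` lines that mirror them. `API_KEY=${API_KEY_VARIABLE}` is assigned but never read; the masking in the echoed command is right, but `--bc-api-key $API_KEY_VARIABLE` still exposes the key in the runner's process list for the duration of the scan, so if checkov can take the key from its environment that route is preferable. The echo lines of the form `echo "BC_PR_URL="${GITHUB_SERVER_URL}/…""` close and reopen the double quotes, leaving the expansion unquoted and subject to word splitting; since the value was just exported, `echo "BC_PR_URL=${BC_PR_URL}"` is both simpler and correctly quoted.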
@@ -1,4 +1,4 @@ -#!/usr/bin/env bash +#!/bin/bash pipenv run checkov -s --framework terraform -d terragoat/terraform/ -o json > checkov_report_terragoat.json pipenv run checkov -s --framework terraform -d terragoat/terraform/ -o junitxml > checkov_report_terragoat.xml @@ -8,5 +8,8 @@ pipenv run checkov -s -d kubernetes-goat/ --framework helm -o json > checkov_rep pipenv run checkov -s --framework terraform --skip-check CKV_AWS_33,CKV_AWS_41 -d terragoat/terraform/ -o json > checkov_report_terragoat_with_skip.json pipenv run checkov -s -d cfngoat/ -o json --quiet > checkov_report_cfngoat_quiet.json pipenv run checkov -s -d terragoat/terraform/ --config-file integration_tests/example_config_files/config.yaml -o json > checkov_config_report_terragoat.json -pipenv run checkov -s -f terragoat/terraform/aws/s3.tf --bc-api-key $BC_KEY > checkov_report_s3_singlefile_api_key_terragoat.txt -pipenv run checkov -s -d terragoat/terraform/azure/ --bc-api-key $BC_KEY > checkov_report_azuredir_api_key_terragoat.txt \ No newline at end of file +if [[ "$1" == "3.7" ]] +then + pipenv run checkov -s -f terragoat/terraform/aws/s3.tf --bc-api-key $BC_KEY > checkov_report_s3_singlefile_api_key_terragoat.txt + pipenv run checkov -s -d terragoat/terraform/azure/ --bc-api-key $BC_KEY > checkov_report_azuredir_api_key_terragoat.txt +fi diff --git a/integration_tests/test_checkov_cli_integration_report.py b/integration_tests/test_checkov_cli_integration_report.py index 9315e310f9..12d5936492 100644 --- a/integration_tests/test_checkov_cli_integration_report.py +++ b/integration_tests/test_checkov_cli_integration_report.py @@ -1,6 +1,5 @@ -import itertools -import json import os +import sys import unittest current_dir = os.path.dirname(os.path.realpath(__file__)) 
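Review bot: The new guard in prepare_data.sh keys the API-key runs off the positional argument alone, so when `$1` is `3.7` but `BC_KEY` is empty (a missing secret, a fork), `--bc-api-key $BC_KEY` expands to a bare flag and the run fails on argument parsing instead of being skipped. Tightening it to `if [[ "$1" == "3.7" && -n "$BC_KEY" ]]` and quoting the value as `--bc-api-key "$BC_KEY"` makes the skip explicit and keeps an odd key value from being split into several arguments. An `else` branch that echoes that the API-key reports were skipped would make the later test run's missing files easier to diagnose.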
@@ -8,20 +7,21 @@ class TestCheckovJsonReport(unittest.TestCase): - def test_terragoat_report_dir(self): + def test_terragoat_report_dir_api_key(self): report_path = current_dir + "/../checkov_report_azuredir_api_key_terragoat.txt" self.validate_report(os.path.abspath(report_path)) - def test_terragoat_report_file(self): + def test_terragoat_report_file_api_key(self): report_path = current_dir + "/../checkov_report_s3_singlefile_api_key_terragoat.txt" self.validate_report(os.path.abspath(report_path)) def validate_report(self, report_path): - platform_url_found = False - with open(report_path) as f: - if 'More details: https://www.bridgecrew.cloud/codeReview/' in f.read(): - platform_url_found = True - self.assertTrue(platform_url_found,"when using api key, platform code review url should exist") + if sys.version_info[1] == 7: + platform_url_found = False + with open(report_path) as f: + if 'More details: https://www.bridgecrew.cloud/codeReview/' in f.read(): + platform_url_found = True + self.assertTrue(platform_url_found, "when using api key, platform code review url should exist") if __name__ == '__main__': diff --git a/kubernetes/requirements.txt b/kubernetes/requirements.txt index 86739f413a..7c1a0b08aa 100644 --- a/kubernetes/requirements.txt +++ b/kubernetes/requirements.txt @@ -1 +1 @@ -checkov==2.0.336 +checkov==2.0.363 diff --git a/setup.py b/setup.py index d9f0cd62a1..e9b8f80ad9 100644 --- a/setup.py +++ b/setup.py @@ -39,7 +39,7 @@ "tabulate", "colorama", "termcolor", - "junit-xml", + "junit-xml>=1.9", "dpath>=1.5.0,<2", "pyyaml>=5.4.1", "boto3==1.17.*", @@ -57,6 +57,7 @@ "detect-secrets", "policyuniverse", "typing-extensions", + "cfn-lint==0.53.*", ], license="Apache License 2.0", name="checkov", diff --git a/tests/cloudformation/checks/resource/aws/example_QLDBLedgerDeletionProtection/FAIL.yaml b/tests/cloudformation/checks/resource/aws/example_QLDBLedgerDeletionProtection/FAIL.yaml new file mode 100644 index 0000000000..264d781473 --- /dev/null 
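Review bot: In `validate_report`, `sys.version_info[1] == 7` compares only the minor version and, on any other interpreter, lets both renamed tests pass without opening the report at all, so a missing or empty file goes unnoticed. Gate explicitly and skip instead: `if sys.version_info[:2] != (3, 7): self.skipTest("API-key reports are only produced on Python 3.7")`, then keep the existing file check unconditional. The same `3.7` condition also lives in prepare_data.sh, so the two must move together; a short comment at the top of the method naming that coupling would help the next maintainer.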
+++ b/tests/cloudformation/checks/resource/aws/example_QLDBLedgerDeletionProtection/FAIL.yaml @@ -0,0 +1,8 @@ +AWSTemplateFormatVersion: "2010-09-09" +Resources: + Disabled: + Type: "AWS::QLDB::Ledger" + Properties: + DeletionProtection: false + Name: "ledger" + PermissionsMode: "STANDARD" diff --git a/tests/cloudformation/checks/resource/aws/example_QLDBLedgerDeletionProtection/PASS.yaml b/tests/cloudformation/checks/resource/aws/example_QLDBLedgerDeletionProtection/PASS.yaml new file mode 100644 index 0000000000..b3e683f6d3 --- /dev/null +++ b/tests/cloudformation/checks/resource/aws/example_QLDBLedgerDeletionProtection/PASS.yaml @@ -0,0 +1,13 @@ +AWSTemplateFormatVersion: "2010-09-09" +Resources: + Default: + Type: "AWS::QLDB::Ledger" + Properties: + Name: "ledger" + PermissionsMode: "STANDARD" + Enabled: + Type: "AWS::QLDB::Ledger" + Properties: + DeletionProtection: true + Name: "ledger" + PermissionsMode: "STANDARD" diff --git a/tests/cloudformation/checks/resource/aws/test_QLDBLedgerDeletionProtection.py b/tests/cloudformation/checks/resource/aws/test_QLDBLedgerDeletionProtection.py new file mode 100644 index 0000000000..b3e2ebd6f0 --- /dev/null +++ b/tests/cloudformation/checks/resource/aws/test_QLDBLedgerDeletionProtection.py 
@@ -0,0 +1,37 @@ +import unittest +from pathlib import Path + +from checkov.cloudformation.checks.resource.aws.QLDBLedgerDeletionProtection import check +from checkov.cloudformation.runner import Runner +from checkov.runner_filter import RunnerFilter + + +class TestQLDBLedgerDeletionProtection(unittest.TestCase): + def test_summary(self): + test_files_dir = Path(__file__).parent / "example_QLDBLedgerDeletionProtection" + + report = Runner().run(root_folder=str(test_files_dir), runner_filter=RunnerFilter(checks=[check.id])) + summary = report.get_summary() + + passing_resources = { + "AWS::QLDB::Ledger.Default", + "AWS::QLDB::Ledger.Enabled", + } + failing_resources = { + "AWS::QLDB::Ledger.Disabled", + } + + passed_check_resources = set([c.resource for c in report.passed_checks]) + failed_check_resources = set([c.resource for c in report.failed_checks]) + + self.assertEqual(summary["passed"], 2) + self.assertEqual(summary["failed"], 1) + self.assertEqual(summary["skipped"], 0) + self.assertEqual(summary["parsing_errors"], 0) + + self.assertEqual(passing_resources, passed_check_resources) + self.assertEqual(failing_resources, failed_check_resources) + + +if __name__ == "__main__": + unittest.main() diff --git a/tests/cloudformation/graph/graph_builder/resources/edges_json/test.json b/tests/cloudformation/graph/graph_builder/resources/edges_json/test.json new file mode 100644 index 0000000000..1e45ec20ee --- /dev/null +++ b/tests/cloudformation/graph/graph_builder/resources/edges_json/test.json 
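Review bot: `set([c.resource for c in report.passed_checks])` and its `failed_checks` twin build a list only to wrap it in `set()`; the set comprehension `{c.resource for c in report.passed_checks}` is the idiomatic form and avoids the intermediate list. A one-line docstring on `test_summary` saying that `example_QLDBLedgerDeletionProtection` holds two passing ledgers (`Default`, which omits `DeletionProtection`, and `Enabled`) and one failing ledger would document why the expected counts are 2 and 1.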
@@ -0,0 +1,179 @@ +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Parameters": { + "EnvType": { + "Description": "Environment type.", + "Default": "test", + "Type": "String", + "AllowedValues": [ + "prod", + "dev", + "test" + ], + "ConstraintDescription": "must specify prod, dev, or test." + }, + "DataBucketName": { + "Description": "Bucket Name", + "Type": "String", + "Default": "bucket_name" + } + }, + "Mappings": { + "RegionMap": { + "us-east-1": { + "AMI": "ami-0ff8a91507f77f867" + }, + "us-west-1": { + "AMI": "ami-0bdb828fd58c52235" + }, + "us-west-2": { + "AMI": "ami-a0cfeed8" + }, + "eu-west-1": { + "AMI": "ami-047bb4163c506cd98" + }, + "sa-east-1": { + "AMI": "ami-07b14488da8ea02a0" + }, + "ap-southeast-1": { + "AMI": "ami-08569b978cc4dfa10" + }, + "ap-southeast-2": { + "AMI": "ami-09b42976632b27e9b" + }, + "ap-northeast-1": { + "AMI": "ami-06cd52961ce9f0d85" + } + } + }, + "Conditions": { + "CreateProdResources": { + "Fn::Equals": [ + { + "Ref": "EnvType" + }, + "prod" + ] + }, + "CreateDevResources": { + "Fn::Equals": [ + { + "Ref": "EnvType" + }, + "dev" + ] + } + }, + "Resources": { + "EC2Instance": { + "Type": "AWS::EC2::Instance", + "Properties": { + "ImageId": { + "Fn::FindInMap": [ + "RegionMap", + { + "Ref": "AWS::Region" + }, + "AMI" + ] + }, + "InstanceType": { + "Fn::If": [ + "CreateProdResources", + "c1.xlarge", + { + "Fn::If": [ + "CreateDevResources", + "m1.large", + "m1.small" + ] + } + ] + }, + "Tags": [ + { + "Key": "Name", + "Value": { + "Fn::Sub": [ + "ec2-${Environment}", + { + "Environment": { + "Ref": "EnvType" + } + } + ] + } + } + ] + } + }, + "MountPoint": { + "Type": "AWS::EC2::VolumeAttachment", + "Condition": "CreateProdResources", + "Properties": { + "InstanceId": { + "Ref": "EC2Instance" + }, + "VolumeId": { + "Ref": "NewVolume" + }, + "Device": "/dev/sdh" + } + }, + "NewVolume": { + "Type": "AWS::EC2::Volume", + "Condition": "CreateProdResources", + "Properties": { + "Size": 100, + "AvailabilityZone": { + "Fn::GetAtt": [ + 
"EC2Instance", + "AvailabilityZone" + ] + } + } + }, + "DataBucket": { + "Type": "AWS::S3::Bucket", + "DeletionPolicy": "Delete", + "DependsOn": "EC2Instance", + "Properties": { + "BucketName": { + "Ref": "DataBucketName" + }, + "AccessControl": "PublicRead", + "Tags": [ + { + "Key": "Name", + "Value": { + "Fn::Sub": "${AWS::AccountId}-${DataBucketName}-${EnvType}" + } + } + ] + } + } + }, + "Outputs": { + "EC2InstanceId": { + "Description": "Web Host Public DNS Name", + "Value": { + "Ref": "EC2Instance" + } + }, + "EC2PublicDNS": { + "Description": "Web Host Public DNS Name", + "Value": { + "Fn::GetAtt": [ + "EC2Instance", + "PublicDnsName" + ] + } + }, + "DataBucketUniqueId": { + "Description": "Data Bucket Name", + "Value": { + "Fn::Sub": "DataBucket-${DataBucket}-${DataBucketName}" + } + } + } +} \ No newline at end of file diff --git a/tests/cloudformation/graph/graph_builder/resources/edges_yaml/test.yaml b/tests/cloudformation/graph/graph_builder/resources/edges_yaml/test.yaml new file mode 100644 index 0000000000..de346bea31 --- /dev/null +++ b/tests/cloudformation/graph/graph_builder/resources/edges_yaml/test.yaml 
@@ -0,0 +1,83 @@ +AWSTemplateFormatVersion: "2010-09-09" + +Parameters: + EnvType: + Description: Environment type. + Default: test + Type: String + AllowedValues: [prod, dev, test] + ConstraintDescription: must specify prod, dev, or test. + DataBucketName: + Description: Bucket Name + Type: String + Default: bucket_name + +Mappings: + RegionMap: + us-east-1: + AMI: "ami-0ff8a91507f77f867" + us-west-1: + AMI: "ami-0bdb828fd58c52235" + us-west-2: + AMI: "ami-a0cfeed8" + eu-west-1: + AMI: "ami-047bb4163c506cd98" + sa-east-1: + AMI: "ami-07b14488da8ea02a0" + ap-southeast-1: + AMI: "ami-08569b978cc4dfa10" + ap-southeast-2: + AMI: "ami-09b42976632b27e9b" + ap-northeast-1: + AMI: "ami-06cd52961ce9f0d85" + +Conditions: + CreateProdResources: !Equals [!Ref EnvType, prod] + CreateDevResources: !Equals [!Ref EnvType, "dev"] + +Resources: + EC2Instance: + Type: "AWS::EC2::Instance" + Properties: + ImageId: !FindInMap [RegionMap, !Ref "AWS::Region", AMI] + InstanceType: !If [CreateProdResources, c1.xlarge, !If [CreateDevResources, m1.large, m1.small]] + Tags: + - Key: Name + Value: !Sub + - ec2-${Environment} + - Environment: !Ref EnvType + MountPoint: + Type: "AWS::EC2::VolumeAttachment" + Condition: CreateProdResources + Properties: + InstanceId: !Ref EC2Instance + VolumeId: !Ref NewVolume + Device: /dev/sdh + NewVolume: + Type: "AWS::EC2::Volume" + Condition: CreateProdResources + Properties: + Size: 100 + AvailabilityZone: !GetAtt EC2Instance.AvailabilityZone + DataBucket: + # Public, not encrypted, no access logs, no versioning + Type: AWS::S3::Bucket + DeletionPolicy: Delete + DependsOn: EC2Instance + Properties: + BucketName: !Ref DataBucketName + AccessControl: PublicRead + Tags: + - Key: Name + Value: !Sub "${AWS::AccountId}-${DataBucketName}-${EnvType}" + +Outputs: + EC2InstanceId: + Description: Web Host Public DNS Name + Value: !Ref EC2Instance + EC2PublicDNS: + Description: Web Host Public DNS Name + Value: !GetAtt [EC2Instance, PublicDnsName] + 
DataBucketUniqueId: + Description: Data Bucket Name + Value: !Sub "DataBucket-${DataBucket}-${DataBucketName}" diff --git a/tests/cloudformation/graph/graph_builder/resources/test.json b/tests/cloudformation/graph/graph_builder/resources/vertices/test.json similarity index 100% rename from tests/cloudformation/graph/graph_builder/resources/test.json rename to tests/cloudformation/graph/graph_builder/resources/vertices/test.json diff --git a/tests/cloudformation/graph/graph_builder/resources/test.yaml b/tests/cloudformation/graph/graph_builder/resources/vertices/test.yaml similarity index 100% rename from tests/cloudformation/graph/graph_builder/resources/test.yaml rename to tests/cloudformation/graph/graph_builder/resources/vertices/test.yaml diff --git a/tests/cloudformation/graph/graph_builder/test_local_graph.py b/tests/cloudformation/graph/graph_builder/test_local_graph.py index 615ca78e79..5278d37c94 100644 --- a/tests/cloudformation/graph/graph_builder/test_local_graph.py +++ b/tests/cloudformation/graph/graph_builder/test_local_graph.py @@ -3,10 +3,9 @@ from checkov.cloudformation.cfn_utils import create_definitions from checkov.cloudformation.graph_builder.graph_components.block_types import BlockType -from checkov.cloudformation.graph_builder.graph_components.block_types import CloudformationTemplateSections from checkov.cloudformation.graph_builder.graph_to_definitions import convert_graph_vertices_to_definitions from checkov.cloudformation.graph_builder.local_graph import CloudformationLocalGraph -from checkov.cloudformation.parser import parse +from checkov.cloudformation.parser import parse, TemplateSections from checkov.runner_filter import RunnerFilter TEST_DIRNAME = os.path.dirname(os.path.realpath(__file__)) 
@@ -21,6 +20,7 @@ def test_build_graph_with_single_resource(self): local_graph = CloudformationLocalGraph(definitions) local_graph.build_graph(render_variables=False) self.assertEqual(1, len(local_graph.vertices)) + self.assertEqual(0, len(local_graph.edges)) resource_vertex = local_graph.vertices[0] self.assertEqual("AWS::ApiGateway::Stage.MyStage", resource_vertex.name) self.assertEqual("AWS::ApiGateway::Stage.MyStage", resource_vertex.id) @@ -44,7 +44,7 @@ def test_build_graph_with_params_outputs(self): self.assertEqual(len([v for v in local_graph.vertices if v.block_type == BlockType.MAPPING]), 1) def test_vertices_from_local_graph(self): - resources_dir = os.path.realpath(os.path.join(TEST_DIRNAME, './resources')) + resources_dir = os.path.realpath(os.path.join(TEST_DIRNAME, './resources/vertices')) definitions, _ = create_definitions(root_folder=resources_dir, files=None, runner_filter=RunnerFilter()) local_graph = CloudformationLocalGraph(definitions) local_graph.build_graph(render_variables=False) 
@@ -53,15 +53,79 @@ def test_vertices_from_local_graph(self): self.assertIsNotNone(definitions) self.assertEqual(len(definitions.items()), 2) - test_yaml_definitions = definitions[os.path.join(resources_dir, 'test.yaml')][CloudformationTemplateSections.RESOURCES] + test_yaml_definitions = definitions[os.path.join(resources_dir, 'test.yaml')][TemplateSections.RESOURCES] self.assertEqual(len(test_yaml_definitions.keys()), 2) self.assertIn('MyDB', test_yaml_definitions.keys()) self.assertIn('MySourceQueue', test_yaml_definitions.keys()) - test_json_definitions = definitions[os.path.join(resources_dir, 'test.json')][CloudformationTemplateSections.RESOURCES] + test_json_definitions = definitions[os.path.join(resources_dir, 'test.json')][TemplateSections.RESOURCES] self.assertEqual(len(test_json_definitions.keys()), 2) self.assertIn('MyDB', test_json_definitions.keys()) self.assertIn('MySourceQueue', test_json_definitions.keys()) self.assertIsNotNone(breadcrumbs) self.assertDictEqual(breadcrumbs, {}) # Will be changed when we add breadcrumbs to cfn vertices + + def test_yaml_edges(self): + root_dir = os.path.realpath(os.path.join(TEST_DIRNAME, 'resources/edges_yaml')) + self.validate_edges_count(root_dir) + + def test_json_edges(self): + root_dir = os.path.realpath(os.path.join(TEST_DIRNAME, 'resources/edges_json')) + self.validate_edges_count(root_dir) + + def validate_edges_count(self, root_dir) -> None: + expected_out_edges_count = { + 'parameters.EnvType': 0, + 'parameters.DataBucketName': 0, + 'mappings.RegionMap': 0, + 'conditions.CreateProdResources': 1, + 'conditions.CreateDevResources': 1, + 'AWS::EC2::Instance.EC2Instance': 4, + 'AWS::EC2::VolumeAttachment.MountPoint': 3, + 'AWS::EC2::Volume.NewVolume': 2, + 'AWS::S3::Bucket.DataBucket': 4, + 'outputs.EC2InstanceId': 1, + 'outputs.EC2PublicDNS': 1, + 'outputs.DataBucketUniqueId': 2 + } + + expected_in_edges_count = { + 'parameters.EnvType': 4, + 'parameters.DataBucketName': 3, + 'mappings.RegionMap': 1, + 
'conditions.CreateProdResources': 3, + 'conditions.CreateDevResources': 1, + 'AWS::EC2::Instance.EC2Instance': 5, + 'AWS::EC2::VolumeAttachment.MountPoint': 0, + 'AWS::EC2::Volume.NewVolume': 1, + 'AWS::S3::Bucket.DataBucket': 1, + 'outputs.EC2InstanceId': 0, + 'outputs.EC2PublicDNS': 0, + 'outputs.DataBucketUniqueId': 0 + } + + definitions, _ = create_definitions(root_folder=root_dir, files=None, runner_filter=RunnerFilter()) + local_graph = CloudformationLocalGraph(definitions) + local_graph.build_graph(render_variables=False) + idx_to_vertex_id = {idx: vertex.id for idx, vertex in enumerate(local_graph.vertices)} + + # we check that each entity in the template file has the right amount of out edges_yaml + out_edges_overall_count = 0 + for vertex_index, actual_out_edges in local_graph.out_edges.items(): + vertex_id = idx_to_vertex_id[vertex_index] + self.assertEqual(len(actual_out_edges), expected_out_edges_count[vertex_id], f'{vertex_id} actually has {len(actual_out_edges)} outgoing edges, not {expected_out_edges_count[vertex_id]}') + out_edges_overall_count += len(actual_out_edges) + + # we check that each entity in the template file has the right amount of in edges_yaml + in_edges_overall_count = 0 + for vertex_index, actual_in_edges in local_graph.in_edges.items(): + vertex_id = idx_to_vertex_id[vertex_index] + self.assertEqual(len(actual_in_edges), expected_in_edges_count[vertex_id], f'{vertex_id} actually has {len(actual_in_edges)} outgoing edges, not {expected_in_edges_count[vertex_id]}') + in_edges_overall_count += len(actual_in_edges) + + # we check that the overall amount of out edges_yaml equals the overall amount of in edges_yaml + # and the overall amount of edges_yaml + self.assertEqual(out_edges_overall_count, in_edges_overall_count) + self.assertEqual(out_edges_overall_count, len(local_graph.edges)) + diff --git a/tests/cloudformation/test_graph_manager.py b/tests/cloudformation/test_graph_manager.py index b85d75b717..bd4810ee18 100644 
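Review bot: The in-edges assertion message in `validate_edges_count` is a copy of the out-edges one and reports `outgoing edges` for incoming counts; it should read `f'{vertex_id} actually has {len(actual_in_edges)} incoming edges, not {expected_in_edges_count[vertex_id]}'`. The three comments say `edges_yaml` where they mean edges (the fixture directory name leaked in), and the helper serves the JSON fixture too, so `# check that each entity has the expected number of outgoing edges` reads better. The loops iterate `local_graph.out_edges.items()` and `in_edges.items()`, so if a vertex with no edges has no entry in those mappings the expected zeros (for example `parameters.EnvType`) are never verified; I can't tell from here whether every vertex gets an entry, but iterating `idx_to_vertex_id` and looking up with `.get(idx, [])` would pin them either way. An unexpected vertex id currently surfaces as a `KeyError` rather than a test failure; `self.assertIn(vertex_id, expected_out_edges_count)` before the lookup gives a clearer message.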
--- a/tests/cloudformation/test_graph_manager.py +++ b/tests/cloudformation/test_graph_manager.py 
@@ -56,12 +56,20 @@ def test_build_graph_from_source_directory_no_rendering(self): self.assertDictEqual({'Fn::Join': ['', [{'Ref': 'ResourceNamePrefix', '__startline__': 650, '__endline__': 652}, '-acmecws']], '__startline__': 646, '__endline__': 656}, sqs_queue_vertex.attributes["QueueName"]) def test_build_graph_from_source_directory_with_rendering(self): - root_dir = os.path.realpath(os.path.join(TEST_DIRNAME, "./runner/resources")) - graph_manager = CloudformationGraphManager(db_connector=NetworkxConnector()) - local_graph, definitions = graph_manager.build_graph_from_source_directory(root_dir, render_variables=True) + root_dir = os.path.realpath(os.path.join(TEST_DIRNAME, "./runner/resources")) + graph_manager = CloudformationGraphManager(db_connector=NetworkxConnector()) + local_graph, definitions = graph_manager.build_graph_from_source_directory(root_dir, render_variables=True) - sqs_queue_vertex = local_graph.vertices[local_graph.vertices_block_name_map[BlockType.RESOURCE]["AWS::SQS::Queue.acmeCWSQueue"][0]] - self.assertDictEqual({'Fn::Join': ['', ['acme', '-acmecws']], '__startline__': 646, '__endline__': 656}, sqs_queue_vertex.attributes["QueueName"]) + sqs_queue_vertex = local_graph.vertices[local_graph.vertices_block_name_map[BlockType.RESOURCE]["AWS::SQS::Queue.acmeCWSQueue"][0]] + expected_node = {'Fn::Join': ['', ['acme', '-acmecws']], '__startline__': 646, '__endline__': 656} + self.assertDictEqual(expected_node, sqs_queue_vertex.config["QueueName"]) + found = False + for d in definitions: + if 'resources/success.json' in d: + found = True + node = definitions[d]['Resources']['acmeCWSQueue']['Properties']['QueueName'] + self.assertDictEqual(expected_node, node) + self.assertTrue(found, 'Did not find the wanted node, for acmeCWSQueue') def test_build_graph_from_definitions(self): relative_file_path = "./checks/resource/aws/example_APIGatewayXray/APIGatewayXray-PASSED.yaml" 
diff --git a/tests/cloudformation/utils/test_cfn_utils.py b/tests/cloudformation/utils/test_cfn_utils.py index 29e7895ed0..4504467d09 100644 --- a/tests/cloudformation/utils/test_cfn_utils.py +++ b/tests/cloudformation/utils/test_cfn_utils.py @@ -3,7 +3,7 @@ from checkov.cloudformation.cfn_utils import get_folder_definitions, build_definitions_context from checkov.cloudformation.parser.node import dict_node -from checkov.cloudformation.graph_builder.graph_components.block_types import CloudformationTemplateSections +from checkov.cloudformation.parser import TemplateSections TEST_DIRNAME = os.path.dirname(os.path.realpath(__file__)) RELATIVE_PATH = 'file_formats' @@ -25,20 +25,20 @@ def validate_definition_lines(self, definition: dict_node, start_line, end_line, def test_parameters_value(self): # Asserting test.yaml file yaml_parameters = self.definitions_context[os.path.join(self.test_root_dir, 'test.yaml')][ - CloudformationTemplateSections.PARAMETERS.value] + TemplateSections.PARAMETERS.value] self.assertIsNotNone(yaml_parameters) self.assertEqual(len(yaml_parameters), 2) self.validate_definition_lines(yaml_parameters['KmsMasterKeyId'], 4, 7, 4) self.validate_definition_lines(yaml_parameters['DBName'], 8, 11, 4) # Asserting test2.yaml file yaml2_parameters = self.definitions_context[os.path.join(self.test_root_dir, 'test2.yaml')][ - CloudformationTemplateSections.PARAMETERS.value] + TemplateSections.PARAMETERS.value] self.assertIsNotNone(yaml2_parameters) self.assertEqual(len(yaml2_parameters), 1) self.validate_definition_lines(yaml2_parameters['LatestAmiId'], 4, 6, 3) # Asserting json file json_parameters = self.definitions_context[os.path.join(self.test_root_dir, 'test.json')][ - CloudformationTemplateSections.PARAMETERS.value] + TemplateSections.PARAMETERS.value] self.assertIsNotNone(json_parameters) self.assertEqual(len(json_parameters), 2) self.validate_definition_lines(json_parameters['KmsMasterKeyId'], 5, 9, 5) 
@@ -47,14 +47,14 @@ def test_parameters_value(self): def test_resources_value(self): # Asserting test.yaml file yaml_resources = self.definitions_context[os.path.join(self.test_root_dir, 'test.yaml')][ - CloudformationTemplateSections.RESOURCES.value] + TemplateSections.RESOURCES.value] self.assertIsNotNone(yaml_resources) self.assertEqual(len(yaml_resources), 2) self.validate_definition_lines(yaml_resources['MySourceQueue'], 13, 16, 4) self.validate_definition_lines(yaml_resources['MyDB'], 17, 26, 10) # Asserting test2.yaml file yaml2_resources = self.definitions_context[os.path.join(self.test_root_dir, 'test2.yaml')][ - CloudformationTemplateSections.RESOURCES.value] + TemplateSections.RESOURCES.value] self.assertIsNotNone(yaml2_resources) self.assertEqual(len(yaml2_resources), 4) self.validate_definition_lines(yaml2_resources['WebHostStorage'], 12, 23, 12) @@ -63,7 +63,7 @@ def test_resources_value(self): self.validate_definition_lines(yaml2_resources['DBAppInstance'], 52, 184, 133) # Asserting json file json_resources = self.definitions_context[os.path.join(self.test_root_dir, 'test.json')][ - CloudformationTemplateSections.RESOURCES.value] + TemplateSections.RESOURCES.value] self.assertIsNotNone(json_resources) self.assertEqual(len(json_resources), 2) self.validate_definition_lines(json_resources['MySourceQueue'], 17, 22, 6) 
@@ -72,13 +72,13 @@ def test_resources_value(self): def test_outputs_value(self): # Asserting test.yaml file yaml_outputs = self.definitions_context[os.path.join(self.test_root_dir, 'test.yaml')][ - CloudformationTemplateSections.OUTPUTS.value] + TemplateSections.OUTPUTS.value] self.assertIsNotNone(yaml_outputs) self.assertEqual(len(yaml_outputs), 1) self.validate_definition_lines(yaml_outputs['DBAppPublicDNS'], 28, 30, 3) # Asserting test2.yaml file yaml2_outputs = self.definitions_context[os.path.join(self.test_root_dir, 'test2.yaml')][ - CloudformationTemplateSections.OUTPUTS.value] + TemplateSections.OUTPUTS.value] self.assertIsNotNone(yaml2_outputs) self.assertEqual(len(yaml2_outputs), 5) self.validate_definition_lines(yaml2_outputs['EC2PublicDNS'], 187, 191, 5) @@ -88,14 +88,14 @@ def test_outputs_value(self): self.validate_definition_lines(yaml2_outputs['UserName'], 204, 206, 3) # Asserting json file json_outputs = self.definitions_context[os.path.join(self.test_root_dir, 'test.json')][ - CloudformationTemplateSections.OUTPUTS.value] + TemplateSections.OUTPUTS.value] self.assertIsNotNone(json_outputs) self.assertEqual(len(json_outputs), 1) self.validate_definition_lines(json_outputs['DBAppPublicDNS'], 35, 38, 4) def test_skipped_check_exists(self): skipped_checks = self.definitions_context[os.path.join(self.test_root_dir, 'test.yaml')][ - CloudformationTemplateSections.RESOURCES.value]['MyDB']['skipped_checks'] + TemplateSections.RESOURCES.value]['MyDB']['skipped_checks'] self.assertEqual(len(skipped_checks), 1) self.assertEqual(skipped_checks[0]['id'], 'CKV_AWS_16') self.assertEqual(skipped_checks[0]['suppress_comment'], diff --git a/tests/common/goget/test_goget_github.py b/tests/common/goget/test_goget_github.py new file mode 100644 index 0000000000..186e4bf771 --- /dev/null +++ b/tests/common/goget/test_goget_github.py 
@@ -0,0 +1,73 @@ +import os +import unittest + +from checkov.common.goget.github.get_git import GitGetter + + +class TestGitGetter(unittest.TestCase): + + def test_parse_source(self): + url = "https://my-git.com/repository-name/" + getter = GitGetter(url) + git_url, subdir = getter._source_subdir() + self.assertEqual("https://my-git.com/repository-name/", git_url, "Parsed source url should contain hostname and path") + self.assertEqual("", subdir, "Parsed source subdirectory should be empty") + + def test_parse_source_and_subdirectory(self): + url = "https://my-git.com/repository-name.git//sub/path" + getter = GitGetter(url) + git_url, subdir = getter._source_subdir() + self.assertEqual("https://my-git.com/repository-name.git", git_url, "Parsed source url should contain hostname and path") + self.assertEqual("/sub/path", subdir, "Parsed source subdirectory should contain absolute (sub)path") + + def test_parse_source_and_subdirectory_without_git(self): + url = "https://my-git.com/repository-name//sub/path" + getter = GitGetter(url) + git_url, subdir = getter._source_subdir() + self.assertEqual("https://my-git.com/repository-name", git_url, "Parsed source url should contain hostname and path") + self.assertEqual("/sub/path", subdir, "Parsed source subdirectory should contain absolute (sub)path") + + def test_parse_source_with_query(self): + url = "https://my-git.com/repository-name?key=value" + getter = GitGetter(url) + git_url, subdir = getter._source_subdir() + self.assertEqual("https://my-git.com/repository-name?key=value", git_url, "Parsed source url should contain hostname, path and query") + self.assertEqual("", subdir, "Parsed source subdirectory should be empty") + + def test_parse_source_and_subdirectory_with_query(self): + url = "https://my-git.com/repository-name//sub/path?key=value" + getter = GitGetter(url) + git_url, subdir = getter._source_subdir() + self.assertEqual("https://my-git.com/repository-name?key=value", git_url, "Parsed source url should 
contain hostname, path and query") + self.assertEqual("/sub/path", subdir, "Parsed source subdirectory should contain absolute (sub)path") + + def test_parse_source_without_scheme(self): + url = "my-git.com/repository-name" + getter = GitGetter(url) + git_url, subdir = getter._source_subdir() + self.assertEqual("my-git.com/repository-name", git_url, "Parsed source url should contain hostname and path") + self.assertEqual("", subdir, "Parsed source subdirectory should be empty") + + def test_parse_source_and_subdirectory_without_scheme(self): + url = "my-git.com/repository-name//sub/path" + getter = GitGetter(url) + git_url, subdir = getter._source_subdir() + self.assertEqual("my-git.com/repository-name", git_url, "Parsed source url should contain hostname ane path") + self.assertEqual("/sub/path", subdir, "Parsed source subdirectory should contain absolute (sub)path") + + def test_parse_source_with_query_without_scheme(self): + url = "my-git.com/repository-name?key=value" + getter = GitGetter(url) + git_url, subdir = getter._source_subdir() + self.assertEqual("my-git.com/repository-name?key=value", git_url, "Parsed source url should contain hostname, path and query") + self.assertEqual("", subdir, "Parsed source subdirectory should be empty") + + def test_parse_source_and_subdirectory_with_query_without_scheme(self): + url = "my-git.com/repository-name//sub/path?key=value" + getter = GitGetter(url) + git_url, subdir = getter._source_subdir() + self.assertEqual("my-git.com/repository-name?key=value", git_url, "Parsed source url should contain hostname, path and query") + self.assertEqual("/sub/path", subdir, "Parsed source subdirectory should contain absolute (sub)path") + +if __name__ == '__main__': + unittest.main() diff --git a/tests/common/integration_features/test_suppressions_integration.py b/tests/common/integration_features/test_suppressions_integration.py index 5ca95acd90..928fa9222b 100644 
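Review bot: Every case in `TestGitGetter` is a positive parse of `_source_subdir()`; there is no test that a source is ever rejected, so a reader may take the parser for input validation. If `GitGetter` later hands the returned URL to `git clone` (not visible here), a source that starts with `-` or uses an `ext::`/`file://` transport deserves an explicit negative test rather than being accepted by default. The assertion message in `test_parse_source_and_subdirectory_without_scheme` has a typo: `"Parsed source url should contain hostname and path"`. Since the tests reach into a private method, a one-line class docstring stating that they pin the `//` subdirectory convention would explain why that is acceptable.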
--- a/tests/common/integration_features/test_suppressions_integration.py +++ b/tests/common/integration_features/test_suppressions_integration.py @@ -73,6 +73,18 @@ def test_suppression_valid(self): self.assertTrue(suppressions_integration._suppression_valid_for_run(suppression)) + suppression = { + "suppressionType": "Accounts", + "policyId": "BC_AWS_1", + "creationDate": 1608816140086, + "comment": "No justification comment provided.", + "accountIds": [ + "bcorg_org/repo" + ] + } + + self.assertTrue(suppressions_integration._suppression_valid_for_run(suppression)) + suppression = { "suppressionType": "Resources", "policyId": "BC_AWS_1", @@ -122,6 +134,18 @@ def test_suppression_valid(self): self.assertFalse(suppressions_integration._suppression_valid_for_run(suppression)) + suppression = { + "suppressionType": "Accounts", + "policyId": "BC_AWS_1", + "creationDate": 1608816140086, + "comment": "No justification comment provided.", + "accountIds": [ + "bcorg_other/repo" + ] + } + + self.assertFalse(suppressions_integration._suppression_valid_for_run(suppression)) + suppression = { "suppressionType": "Tags", "policyId": "NOT_A_POLICY", 
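Review bot: The new negative case only uses a different org (`bcorg_other/repo`); nothing covers an account id that shares a prefix with the run's repo, such as `bcorg_org/repo-archive` or `bcorg_org/repo/sub`. Because an "Accounts" suppression silences findings, a prefix or substring comparison in `_suppression_valid_for_run` (not visible here) would hide results from other repositories, so add a suppression with `"accountIds": ["bcorg_org/repo-other"]` and `self.assertFalse(suppressions_integration._suppression_valid_for_run(suppression))`. The enclosing `test_suppression_valid` starts and ends outside the hunk.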
@@ -206,6 +230,32 @@ def test_account_suppression(self): self.assertTrue(suppressions_integration._check_suppression(record1, suppression)) self.assertFalse(suppressions_integration._check_suppression(record2, suppression)) + def test_account_suppression_cli_repo(self): + instance = BcPlatformIntegration() + instance.repo_id = 'org/repo' + suppressions_integration = SuppressionsIntegration(instance) + suppression = { + "suppressionType": "Accounts", + "policyId": "BC_AWS_S3_13", + "comment": "testing checkov", + "accountIds": ["bcorg_org/repo", "bcorg_not/valid"], + "checkovPolicyId": "CKV_AWS_18", + } + + record1 = Record(check_id='CKV_AWS_18', check_name=None, check_result=None, + code_block=None, file_path=None, + file_line_range=None, + resource=None, evaluations=None, + check_class=None, file_abs_path='.', entity_tags=None) + record2 = Record(check_id='CKV_AWS_1', check_name=None, check_result=None, + code_block=None, file_path=None, + file_line_range=None, + resource=None, evaluations=None, + check_class=None, file_abs_path='.', entity_tags=None) + + self.assertTrue(suppressions_integration._check_suppression(record1, suppression)) + self.assertFalse(suppressions_integration._check_suppression(record2, suppression)) + def test_resource_suppression(self): instance = BcPlatformIntegration() instance.repo_id = 'org/repo' 
@@ -246,6 +296,46 @@ def test_resource_suppression(self): self.assertFalse(suppressions_integration._check_suppression(record2, suppression)) self.assertFalse(suppressions_integration._check_suppression(record3, suppression)) + def test_resource_suppression_cli_repo(self): + instance = BcPlatformIntegration() + instance.repo_id = 'org/repo' + suppressions_integration = SuppressionsIntegration(instance) + suppression = { + "suppressionType": "Resources", + "policyId": "BC_AWS_S3_13", + "comment": "No justification comment provided.", + "resources": [ + { + "accountId": "bcorg_org/repo", + "resourceId": "/terraform/aws/s3.tf:aws_s3_bucket.operations", + } + ], + "checkovPolicyId": "CKV_AWS_18", + } + + record1 = Record(check_id='CKV_AWS_18', check_name=None, check_result=None, + code_block=None, file_path=None, + file_line_range=None, + resource='aws_s3_bucket.operations', evaluations=None, + check_class=None, file_abs_path=',.', entity_tags=None) + record1.repo_file_path = '/terraform/aws/s3.tf' + record2 = Record(check_id='CKV_AWS_13', check_name=None, check_result=None, + code_block=None, file_path=None, + file_line_range=None, + resource='aws_s3_bucket.no', evaluations=None, + check_class=None, file_abs_path='.', entity_tags=None) + record2.repo_file_path = '/terraform/aws/s3.tf' + record3 = Record(check_id='CKV_AWS_1', check_name=None, check_result=None, + code_block=None, file_path=None, + file_line_range=None, + resource='aws_s3_bucket.operations', evaluations=None, + check_class=None, file_abs_path='.', entity_tags=None) + record3.repo_file_path = '/terraform/aws/s3.tf' + + self.assertTrue(suppressions_integration._check_suppression(record1, suppression)) + self.assertFalse(suppressions_integration._check_suppression(record2, suppression)) + self.assertFalse(suppressions_integration._check_suppression(record3, suppression)) + def test_tag_suppression(self): instance = BcPlatformIntegration() suppressions_integration = SuppressionsIntegration(instance) 
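Review bot: `record1` in `test_resource_suppression_cli_repo` is constructed with `file_abs_path=',.'`, which looks like a typo for `'.'` (the other two records use `'.'`); it only goes unnoticed because the match is presumably made on `repo_file_path`, which is assigned afterwards. Change it to `file_abs_path='.'` so the fixture does not carry an invalid path. The three records also leave resource-id matching unprobed: a record with `resource='aws_s3_bucket.operations2'` on the same file asserted `False` would confirm the `resourceId` comparison is exact rather than prefix-based.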
diff --git a/tests/terraform/checks/resource/aws/example_CodeBuildProjectEncryption/main.tf b/tests/terraform/checks/resource/aws/example_CodeBuildProjectEncryption/main.tf new file mode 100644 index 0000000000..760dfbf558 --- /dev/null +++ b/tests/terraform/checks/resource/aws/example_CodeBuildProjectEncryption/main.tf @@ -0,0 +1,31 @@ +resource "aws_codebuild_project" "fail" { + name = "fail-project" + artifacts { + type = S3 + encryption_disabled = true + } + +} + +resource "aws_codebuild_project" "no_artifacts_encryption_ignored" { + name = "no-art-project" + artifacts { + type = "NO_ARTIFACTS" + encryption_disabled = true + } +} + +resource "aws_codebuild_project" "success_no_encryption_disabled" { + name = "default-project" + artifacts { + type = "S3" + } +} + +resource "aws_codebuild_project" "success" { + name = "success-project" + artifacts { + type = "S3" + encryption_disabled = false + } +} diff --git a/tests/terraform/checks/resource/aws/example_QLDBLedgerDeletionProtection/main.tf b/tests/terraform/checks/resource/aws/example_QLDBLedgerDeletionProtection/main.tf new file mode 100644 index 0000000000..7a172c21d4 --- /dev/null +++ b/tests/terraform/checks/resource/aws/example_QLDBLedgerDeletionProtection/main.tf @@ -0,0 +1,22 @@ +# pass + +resource "aws_qldb_ledger" "default" { + name = "ledger" + permissions_mode = "STANDARD" +} + +resource "aws_qldb_ledger" "enabled" { + name = "ledger" + permissions_mode = "STANDARD" + + deletion_protection = true +} + +# failure + +resource "aws_qldb_ledger" "disabled" { + name = "ledger" + permissions_mode = "STANDARD" + + deletion_protection = false +} diff --git a/tests/terraform/checks/resource/aws/test_CodeBuildEncrypted.py b/tests/terraform/checks/resource/aws/test_CodeBuildEncrypted.py index 02febbbca1..dd7237f7f5 100644 --- a/tests/terraform/checks/resource/aws/test_CodeBuildEncrypted.py +++ b/tests/terraform/checks/resource/aws/test_CodeBuildEncrypted.py 
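Review bot: In `aws_codebuild_project.fail` the artifact type is the bare identifier `S3`, not the string `"S3"` used by the three other resources; in HCL that is a reference to an undefined name, so the value the check sees is an expression rather than the literal it compares against, and the resource may fail for the wrong reason or be a parse error on a stricter parser. Change it to `type = "S3"`. A short fixture comment such as `# fails: S3 artifacts with encryption_disabled = true` above that resource would make the intended outcome explicit, matching the `# pass` / `# failure` markers in the QLDB fixture.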
@@ -5,7 +5,7 @@ from checkov.common.models.enums import CheckResult -class TestRDSClusterEncrypted(unittest.TestCase): +class TestCodeBuildEncrypted(unittest.TestCase): def test_failure(self): hcl_res = hcl2.loads(""" resource "aws_codebuild_project" "example" { diff --git a/tests/terraform/checks/resource/aws/test_CodeBuildProjectEncryption.py b/tests/terraform/checks/resource/aws/test_CodeBuildProjectEncryption.py index a39d480939..dc91e79a41 100644 --- a/tests/terraform/checks/resource/aws/test_CodeBuildProjectEncryption.py +++ b/tests/terraform/checks/resource/aws/test_CodeBuildProjectEncryption.py 
@@ -1,62 +1,39 @@ +import os import unittest -from checkov.common.models.enums import CheckResult +from checkov.runner_filter import RunnerFilter from checkov.terraform.checks.resource.aws.CodeBuildProjectEncryption import check +from checkov.terraform.runner import Runner class TestCodeBuildProjectEncryption(unittest.TestCase): + def test(self): + runner = Runner() + current_dir = os.path.dirname(os.path.realpath(__file__)) - def test_failure(self): - resource_conf = { - "name": "test-project", - "artifacts": [ - { - "type": "S3", - "encryption_disabled": True, - } - ], - } - scan_result = check.scan_resource_conf(conf=resource_conf) - self.assertEqual(CheckResult.FAILED, scan_result) - - def test_success_type_no_artifacts_encryption_ignored(self): - resource_conf = { - "name": "test-project", - "artifacts": [ - { - "type": "NO_ARTIFACTS", - "encryption_disabled": True, - } - ], - } - scan_result = check.scan_resource_conf(conf=resource_conf) - self.assertEqual(CheckResult.PASSED, scan_result) - - def test_success_no_encryption_disabled(self): - resource_conf = { - "name": "test-project", - "artifacts": [ - { - "type": "S3", - } - ], + test_files_dir = current_dir + "/example_CodeBuildProjectEncryption" + report = runner.run(root_folder=test_files_dir, runner_filter=RunnerFilter(checks=[check.id])) + summary = report.get_summary() + + passing_resources = { + "aws_codebuild_project.success_no_encryption_disabled", + "aws_codebuild_project.success" } - scan_result = check.scan_resource_conf(conf=resource_conf) - self.assertEqual(CheckResult.PASSED, scan_result) - - def test_success(self): - resource_conf = { - "name": "test-project", - "artifacts": [ - { - "type": "S3", - "encryption_disabled": False, - } - ], + failing_resources = { + "aws_codebuild_project.fail", } - scan_result = check.scan_resource_conf(conf=resource_conf) - self.assertEqual(CheckResult.PASSED, scan_result) + + passed_check_resources = set([c.resource for c in report.passed_checks]) + 
failed_check_resources = set([c.resource for c in report.failed_checks]) + + + self.assertEqual(summary["passed"], 2) + self.assertEqual(summary["failed"], 1) + self.assertEqual(summary["parsing_errors"], 0) + + self.assertEqual(passing_resources, passed_check_resources) + self.assertEqual(failing_resources, failed_check_resources) -if __name__ == '__main__': +if __name__ == "__main__": unittest.main() diff --git a/tests/terraform/checks/resource/aws/test_QLDBLedgerDeletionProtection.py b/tests/terraform/checks/resource/aws/test_QLDBLedgerDeletionProtection.py new file mode 100644 index 0000000000..ed9cd67361 --- /dev/null +++ b/tests/terraform/checks/resource/aws/test_QLDBLedgerDeletionProtection.py @@ -0,0 +1,37 @@ +import unittest +from pathlib import Path + +from checkov.runner_filter import RunnerFilter +from checkov.terraform.checks.resource.aws.QLDBLedgerDeletionProtection import check +from checkov.terraform.runner import Runner + + +class TestQLDBLedgerDeletionProtection(unittest.TestCase): + def test(self): + test_files_dir = Path(__file__).parent / "example_QLDBLedgerDeletionProtection" + + report = Runner().run(root_folder=str(test_files_dir), runner_filter=RunnerFilter(checks=[check.id])) + summary = report.get_summary() + + passing_resources = { + "aws_qldb_ledger.default", + "aws_qldb_ledger.enabled", + } + failing_resources = { + "aws_qldb_ledger.disabled", + } + + passed_check_resources = set([c.resource for c in report.passed_checks]) + failed_check_resources = set([c.resource for c in report.failed_checks]) + + self.assertEqual(summary["passed"], 2) + self.assertEqual(summary["failed"], 1) + self.assertEqual(summary["skipped"], 0) + self.assertEqual(summary["parsing_errors"], 0) + + self.assertEqual(passing_resources, passed_check_resources) + self.assertEqual(failing_resources, failed_check_resources) + + +if __name__ == "__main__": + unittest.main() 
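Review bot: `aws_codebuild_project.no_artifacts_encryption_ignored` appears in neither `passing_resources` nor `failing_resources`, and nothing in the test says that this is expected; the old unit test asserted PASSED for the `NO_ARTIFACTS` case, so the new expectation is a behaviour change that is only implied by the counts. Add `self.assertEqual(summary["skipped"], 0)` for parity with `TestQLDBLedgerDeletionProtection` and a comment above the sets, `# NO_ARTIFACTS projects are not evaluated, so they appear in neither set`, so a later change that makes them PASS or FAIL is a deliberate decision. The fixture path is built with `current_dir + "/example_CodeBuildProjectEncryption"`; `os.path.join(current_dir, "example_CodeBuildProjectEncryption")` is the portable form.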
diff --git a/tests/terraform/checks/resource/azure/test_AzureServiceFabricClusterProtectionLevel.py b/tests/terraform/checks/resource/azure/test_AzureServiceFabricClusterProtectionLevel.py
new file mode 100644
index 0000000000..87d86308e2
--- /dev/null
+++ b/tests/terraform/checks/resource/azure/test_AzureServiceFabricClusterProtectionLevel.py
@@ -0,0 +1,105 @@ +import unittest + +import hcl2 + +from checkov.terraform.checks.resource.azure.AzureServiceFabricClusterProtectionLevel import check +from checkov.common.models.enums import CheckResult + + +class TestAzureServiceFabricClusterProtectionLevel(unittest.TestCase): + def test_passing(self): + hcl_res = hcl2.loads(""" + resource "azurerm_service_fabric_cluster" "example" { + name = "example-servicefabric" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + reliability_level = "Bronze" + upgrade_mode = "Manual" + cluster_code_version = "7.1.456.959" + vm_image = "Windows" + management_endpoint = "https://example:80" + fabric_settings { + name = "Security" + parameters = { + name = "ClusterProtectionLevel" + value = "EncryptAndSign" + } + } + + + node_type { + name = "first" + instance_count = 3 + is_primary = true + client_endpoint_port = 2020 + http_endpoint_port = 80 + } +} + """) + resource_conf = hcl_res['resource'][0]['azurerm_service_fabric_cluster']['example'] + scan_result = check.scan_resource_conf(conf=resource_conf) + self.assertEqual(CheckResult.PASSED, scan_result) + + def test_missing(self): + hcl_res = hcl2.loads(""" + resource "azurerm_service_fabric_cluster" "example" { + name = "example-servicefabric" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + reliability_level = "Bronze" + upgrade_mode = "Manual" + cluster_code_version = "7.1.456.959" + vm_image = "Windows" + management_endpoint = "https://example:80" + + + node_type { + name = "first" + instance_count = 3 + is_primary = true + client_endpoint_port = 2020 + http_endpoint_port = 80 + } + } + """) + resource_conf = hcl_res['resource'][0]['azurerm_service_fabric_cluster']['example'] + scan_result = check.scan_resource_conf(conf=resource_conf) + self.assertEqual(CheckResult.FAILED, scan_result) + + def test_wrong(self): + def test_passing(self): + hcl_res 
= hcl2.loads(""" + resource "azurerm_service_fabric_cluster" "example" { + name = "example-servicefabric" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + reliability_level = "Bronze" + upgrade_mode = "Manual" + cluster_code_version = "7.1.456.959" + vm_image = "Windows" + management_endpoint = "https://example:80" + fabric_settings { + name = "Security" + parameters = { + name = "ClusterProtectionLevel" + value = "Sign" + } + } + + + node_type { + name = "first" + instance_count = 3 + is_primary = true + client_endpoint_port = 2020 + http_endpoint_port = 80 + } + } + """) + resource_conf = hcl_res['resource'][0]['azurerm_service_fabric_cluster']['example'] + scan_result = check.scan_resource_conf(conf=resource_conf) + self.assertEqual(CheckResult.FAILED, scan_result) + + +if __name__ == '__main__': + unittest.main() diff --git a/tests/terraform/checks/resource/azure/test_AzureServiceFabricClusterUseADAuth.py b/tests/terraform/checks/resource/azure/test_AzureServiceFabricClusterUseADAuth.py deleted file mode 100644 index 025e736f09..0000000000 --- a/tests/terraform/checks/resource/azure/test_AzureServiceFabricClusterUseADAuth.py +++ /dev/null 
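Review bot: `test_wrong` never executes its assertion: its whole body is a nested `def test_passing(self):` that is defined and then discarded, so the method passes vacuously and the `ClusterProtectionLevel = "Sign"` case (integrity only, no encryption) is not actually verified to FAIL. Delete the inner `def test_passing(self):` line and dedent the `hcl_res = hcl2.loads(...)`, `resource_conf = ...`, `scan_result = ...` and `self.assertEqual(CheckResult.FAILED, scan_result)` lines one level so they belong to `test_wrong`. Renaming it `test_failure_sign_only` would also make the intent of the case visible in the test report.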
@@ -1,69 +0,0 @@ -import unittest - -import hcl2 - -from checkov.terraform.checks.resource.azure.AzureServiceFabricClusterUseADAuth import check -from checkov.common.models.enums import CheckResult - - -class TestAzureServiceFabricClusterUseADAuth(unittest.TestCase): - - def test_failure(self): - hcl_res = hcl2.loads(""" - resource "azurerm_service_fabric_cluster" "example" { - name = "example-servicefabric" - resource_group_name = azurerm_resource_group.example.name - location = azurerm_resource_group.example.location - reliability_level = "Bronze" - upgrade_mode = "Manual" - cluster_code_version = "7.1.456.959" - vm_image = "Windows" - management_endpoint = "https://example:80" - - node_type { - name = "first" - instance_count = 3 - is_primary = true - client_endpoint_port = 2020 - http_endpoint_port = 80 - } - } - """) - resource_conf = hcl_res['resource'][0]['azurerm_service_fabric_cluster']['example'] - scan_result = check.scan_resource_conf(conf=resource_conf) - self.assertEqual(CheckResult.FAILED, scan_result) - - def test_success(self): - hcl_res = hcl2.loads(""" - resource "azurerm_service_fabric_cluster" "example" { - name = "example-servicefabric" - resource_group_name = azurerm_resource_group.example.name - location = azurerm_resource_group.example.location - reliability_level = "Bronze" - upgrade_mode = "Manual" - cluster_code_version = "7.1.456.959" - vm_image = "Windows" - management_endpoint = "https://example:80" - - azure_active_directory { - tenant_id = "4545" - cluster_application_id = "87878" - client_application_id = "9090" - } - - node_type { - name = "first" - instance_count = 3 - is_primary = true - client_endpoint_port = 2020 - http_endpoint_port = 80 - } - } - """) - resource_conf = hcl_res['resource'][0]['azurerm_service_fabric_cluster']['example'] - scan_result = check.scan_resource_conf(conf=resource_conf) - self.assertEqual(CheckResult.PASSED, scan_result) - - -if __name__ == '__main__': - unittest.main() 
diff --git a/tests/terraform/graph/checks/resources/PostgresRDSHasQueryLoggingEnabled/expected.yaml b/tests/terraform/graph/checks/resources/PostgresRDSHasQueryLoggingEnabled/expected.yaml index b77c998bc1..ea62381221 100644 --- a/tests/terraform/graph/checks/resources/PostgresRDSHasQueryLoggingEnabled/expected.yaml +++ b/tests/terraform/graph/checks/resources/PostgresRDSHasQueryLoggingEnabled/expected.yaml @@ -1,7 +1,8 @@ pass: - "aws_db_instance.pass" + + fail: - "aws_db_instance.fail" - - "aws_db_instance.fail2" - "aws_db_instance.fail3" - "aws_db_instance.fail4" diff --git a/tests/terraform/graph/checks/resources/PostgresRDSHasQueryLoggingEnabled/main.tf b/tests/terraform/graph/checks/resources/PostgresRDSHasQueryLoggingEnabled/main.tf index 31a71dff2c..648108c7bf 100644 --- a/tests/terraform/graph/checks/resources/PostgresRDSHasQueryLoggingEnabled/main.tf +++ b/tests/terraform/graph/checks/resources/PostgresRDSHasQueryLoggingEnabled/main.tf @@ -19,16 +19,22 @@ resource "aws_db_instance" "fail4" { parameter_group_name = aws_rds_cluster_parameter_group.fail2.id } - //no parameter_group_name set resource "aws_db_instance" "fail" { + engine = "postgres" + instance_class = "db.t3.micro" + name = "mydb" +} + +//not postgres +resource "aws_db_instance" "ignore" { engine = "mysql" instance_class = "db.t3.micro" name = "mydb" } // no postgres -resource "aws_db_instance" "fail2" { +resource "aws_db_instance" "ignore2" { allocated_storage = 10 engine = "mysql" engine_version = "5.7" @@ -58,7 +64,7 @@ resource "aws_rds_cluster_parameter_group" "fail" { } provider "aws" { -region="eu-west-2" + region="eu-west-2" } //will be correct params 
@@ -87,4 +93,36 @@ resource "aws_rds_cluster_parameter_group" "fail2" { name = "log_statement" value = "all" } -} \ No newline at end of file +} + +resource "aws_db_instance" "ignore3" { + identifier = "xxx-our-unique-id" + allocated_storage = 1000 + storage_type = "gp2" + copy_tags_to_snapshot = true + engine = "sqlserver-se" + engine_version = "15.00.4043.16.v1" + license_model = "license-included" + instance_class = "db.r5.4xlarge" + name = "" + username = "sa" + password = var.password + port = 1433 + publicly_accessible = false + security_group_names = [] + vpc_security_group_ids = ["sg-xxxxx"] + db_subnet_group_name = "dbsubnet" + performance_insights_enabled = true + option_group_name = "sql-std-2019" + deletion_protection = true + max_allocated_storage = 1500 + parameter_group_name = "sql-server-2019-std" + character_set_name = "SQL_Latin1_General_CP1_CS_AS" + # checkov:skip=CKV_AWS_157:Web db, acceptable risk until Resize + multi_az = false + backup_retention_period = 35 + enabled_cloudwatch_logs_exports = ["agent","error"] + backup_window = "11:17-11:47" + maintenance_window = "sat:07:13-sat:08:43" + final_snapshot_identifier = "xxx-unique-name-final" +} diff --git a/tests/terraform/graph/checks/resources/SGAttachedToResource/expected.yaml b/tests/terraform/graph/checks/resources/SGAttachedToResource/expected.yaml index a128072d73..4daa68a72b 100644 --- a/tests/terraform/graph/checks/resources/SGAttachedToResource/expected.yaml +++ b/tests/terraform/graph/checks/resources/SGAttachedToResource/expected.yaml @@ -1,6 +1,7 @@ pass: - "aws_security_group.pass_alb" - "aws_security_group.pass_batch" + - "aws_security_group.pass_cloudwatch_event" - "aws_security_group.pass_codebuild" - "aws_security_group.pass_dms" - "aws_security_group.pass_docdb" @@ -29,4 +30,4 @@ pass: - "aws_security_group.pass_sagemaker" - "aws_security_group.pass_vpc_endpoint" fail: - - "aws_security_group.fail" \ No newline at end of file + - "aws_security_group.fail" 
diff --git a/tests/terraform/graph/checks/resources/SGAttachedToResource/main.tf b/tests/terraform/graph/checks/resources/SGAttachedToResource/main.tf index cd216c7901..003e5ea72a 100644 --- a/tests/terraform/graph/checks/resources/SGAttachedToResource/main.tf +++ b/tests/terraform/graph/checks/resources/SGAttachedToResource/main.tf @@ -599,4 +599,39 @@ resource "aws_security_group" "pass_emr" { protocol = "-1" cidr_blocks = ["10.0.0.0/16"] } -} \ No newline at end of file +} + +resource "aws_cloudwatch_event_target" "pass_cloudwatch_event" { + target_id = var.target_id + arn = var.arn + rule = var.rule + role_arn = var.role_arn + + ecs_target { + launch_type = var.launch_type + task_count = var.task_count + task_definition_arn = var.task_definition_arn + + network_configuration { + subnets = [var.subnet_id] + security_groups = [aws_security_group.pass_cloudwatch_event.id] + assign_public_ip = false + } + } + + input = <